nats-io / nack

NATS Controllers for Kubernetes (NACK)


Support read-only root file-system in jetstream-controller

ulrichlisse-f3 opened this issue · comments

The jetstream-controller v0.6.0 attempts to create a temp directory for caching purposes in the current working directory:

https://github.com/nats-io/nack/blob/main/controllers/jetstream/controller.go#L146

In the Dockerfile the working directory results in / by default. For security reasons containers may run in a constrained environment with a read-only root file-system. In this case creating a temp directory will fail.

It would be great if the base directory in which the temp directory is created were either the default OS location (by using os.MkdirTemp("", "nack")) or made configurable.

With readOnlyRootFilesystem set, it seems even writing files in the OS's default temp dir wouldn't be allowed, at least in my testing with Alpine.

The reason we used . for the temp dir is because we're using scratch as the base image. As a result, the container has almost nothing of an OS, not even a temp dir, and basically only holds our Go binary.

If we want to use readOnlyRootFilesystem, then I think we need to rethink where we keep that cache dir. Maybe we would need a separate volume to store the cache.

Maybe we should change to the alpine image like in the nats-server?

> With readOnlyRootFilesystem set, it seems even writing files in the OS's default temp dir wouldn't be allowed, at least in my testing with Alpine.

That's correct. To overcome that you can attach a volume with write permissions under the path of the temp dir.

I created a PR for @mionskowski-form3's suggestion ☝️