Merge pull request #297 from fidelity/readonly-filesystem

feat: support read-only filesystem
fidelity · Nov 23, 2023 · 801ef54 · 801ef54
2 parents 3e58267 + 191f360
commit 801ef54
Showing 4 changed files with 30 additions and 22 deletions.
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -53,16 +53,6 @@ RUN chown -R nginx:nginx /usr/share/ca-certificates && \
         chown nginx:nginx /etc/ca-certificates.conf && \
         chown -R nginx:nginx /etc/ssl/certs
 
-# modify nginx related file permissions
-RUN chown -R nginx:nginx /var/log/nginx
-RUN mkdir -p /var/cache/nginx && \
-        chown -R nginx:nginx /var/cache/nginx 
-RUN touch /var/run/nginx.pid && \
-        chown -R nginx:nginx /var/run/nginx.pid
-
-# modify nginx file permissions
-RUN chown -R nginx:nginx /etc/nginx/
-
 COPY --from=build-go /go-service/main /app/server/
 COPY --from=build-node /app/dist/theliv /app/client/theliv
 

diff --git a/internal/investigators/pod_pending_investigator.go b/internal/investigators/pod_pending_investigator.go
@@ -45,7 +45,8 @@ const (
 	PendingNoHostPortSolution   = "%d. Available node(s) didn't have free ports for the requested pod ports. Please check the HostPort used in the Pod, change/remove it is suggested."
 	PVCNotFoundSolution         = "2. Pod {{ .ObjectMeta.Name }} is pending, used PVC not found." + KubectlPodAndPVC
 	PVCUnboundSolution          = "2. Pod {{ .ObjectMeta.Name }} is pending, due to use an unbound PVC." + KubectlPodAndPVC
-	KubectlPodAndPVC            = "3. Please check PVC used by the pod, create new or choose an existing PVC may solve this problem. Refer to: https://kubernetes.io/docs/concepts/storage/persistent-volumes/"
+	KubectlPodAndPVC            = `
+3. Please check PVC used by the pod, create new or choose an existing PVC may solve this problem. Refer to: https://kubernetes.io/docs/concepts/storage/persistent-volumes/`
 
 	ContainerFailMount         = "%d. Container failed mount, message is: %s."
 	ContainerFailMountSolution = "%d. Please check your volumes of the Pod, try to change to correct and existing resources may fix this problem."

diff --git a/web/nginx/nginx.conf b/web/nginx/nginx.conf
@@ -1,8 +1,7 @@
 worker_processes  1;
 
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
+error_log  /nginx/log/error.log warn;
+pid        /nginx/nginx.pid;
 
 events {
     worker_connections  1024;
@@ -35,7 +34,13 @@ http {
     '"$upstream_addr":"$upstream_addr"'
     '}';
 
-    access_log  /var/log/nginx/access.log  main;
+    access_log  /nginx/log/access.log  main;
+
+    client_body_temp_path /nginx/tmp/nginx-client-body;
+    proxy_temp_path       /nginx/tmp/nginx-proxy;
+    fastcgi_temp_path     /nginx/tmp/nginx-fastcgi;
+    uwsgi_temp_path       /nginx/tmp/nginx-uwsgi;
+    scgi_temp_path        /nginx/tmp/nginx-scgi;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -44,5 +49,5 @@ http {
 
     #gzip  on;
 
-    include /etc/nginx/conf.d/*.conf;
+    include /nginx/conf.d/*.conf;
 }
diff --git a/web/nginx/startup.sh b/web/nginx/startup.sh
@@ -4,15 +4,27 @@ export DNS_RESOLVER=$(cat /etc/resolv.conf | grep nameserver | cut -d' ' -f2)
 export EKS_DOMAIN=$(cat /etc/resolv.conf | grep search | cut -d' ' -f2)
 
 # generate nginx.conf
-export CERTS_PRIVATE=/etc/ssl/certs/theliv-private.pem
-export CERTS_PUBLIC=/etc/ssl/certs/theliv-public.crt
+export CERTS_PRIVATE=/nginx/theliv-private.pem
+export CERTS_PUBLIC=/nginx/theliv-public.crt
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERTS_PRIVATE} -out ${CERTS_PUBLIC} -subj "/CN=theliv.io"
-envsubst '$DNS_RESOLVER$CERTS_PRIVATE$CERTS_PUBLIC' </etc/nginx/nginx-temp.conf > /etc/nginx/nginx.conf
+
+mkdir -p /nginx/conf.d/
+mkdir -p /nginx/log/
+mkdir -p /nginx/cache/
+mkdir -p /nginx/run
+mkdir -p /nginx/tmp
+touch /nginx/run/nginx.pid
+
+cp /etc/nginx/conf.d/default-temp.conf /nginx/conf.d/
+cp /etc/nginx/nginx-temp.conf /nginx/
+cp /etc/nginx/conf.d/datadog.conf /nginx/conf.d/
+
+envsubst '$DNS_RESOLVER$CERTS_PRIVATE$CERTS_PUBLIC' </nginx/nginx-temp.conf > /nginx/nginx.conf
 
 # generate default.con
-envsubst '$EKS_DOMAIN$X_FORWARDED_PROTO$X_FORWARDED_HOST$ENVIRONMENT' </etc/nginx/conf.d/default-temp.conf > /etc/nginx/conf.d/default.conf
-rm /etc/nginx/conf.d/default-temp.conf
+envsubst '$EKS_DOMAIN$X_FORWARDED_PROTO$X_FORWARDED_HOST$ENVIRONMENT' </nginx/conf.d/default-temp.conf > /nginx/conf.d/default.conf
+rm /nginx/conf.d/default-temp.conf
 
 set -x
 /app/server/main -ca "${ETCD_CA}" -key "${ETCD_KEY}" -cert "${ETCD_CERT}" -endpoints "${ETCD_ENDPOINTS}" & 
-nginx -g 'daemon off;'
+nginx -g 'daemon off;' -c /nginx/nginx.conf