Enable Container run with readonly root filesystem

Therefore moved home directory into data volume and fix right of Erlang Cookie in case of reclaiming a volume on kubernetes. fixes: vernemq#243
hsudbrock · Feb 26, 2024 · 1130ba2 · 1130ba2
1 parent 38f2c67
commit 1130ba2
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ RUN apt-get update && \
     apt-get -y install bash procps openssl iproute2 curl jq libsnappy-dev net-tools nano && \
     rm -rf /var/lib/apt/lists/* && \
     addgroup --gid 10000 vernemq && \
-    adduser --uid 10000 --system --ingroup vernemq --home /vernemq --disabled-password vernemq
+    adduser --uid 10000 --system --ingroup vernemq --home /vernemq/data/home --disabled-password vernemq
 
 WORKDIR /vernemq
 

diff --git a/bin/vernemq.sh b/bin/vernemq.sh
@@ -244,6 +244,9 @@ if [ ! -z "$DOCKER_VERNEMQ_ERLANG__DISTRIBUTION_BUFFER_SIZE" ]; then
     sed -i.bak -r "s/\+zdbbl.+/\+zdbbl ${DOCKER_VERNEMQ_ERLANG__DISTRIBUTION_BUFFER_SIZE}/" ${VERNEMQ_VM_ARGS_FILE}
 fi
 
+mkdir -p /vernemq/data/home
+chmod g-rwx /vernemq/data/home/.erlang.cookie
+
 # Check configuration file
 /vernemq/bin/vernemq config generate 2>&1 > /dev/null | tee /tmp/config.out | grep error