docs: Create read-only-fs.md (#592)

* docs: Create read-only-fs.md

* Update read-only-fs.md

* Apply suggestions from code review

Co-authored-by: Justin Clareburt <[email protected]>

* Update read-only-fs.md

* Update docs/read-only-fs.md

---------

Co-authored-by: Justin Clareburt <[email protected]>
Co-authored-by: Nabeel Saabna <[email protected]>

docs/read-only-fs.md

@@ -0,0 +1,30 @@
+# Read-only File Systems
+
+Support for read-only file systems is available from version 9.0.0
+
+To test it, follow these steps:
+
+## Use the official release images:
+* Community: `ghcr.io/mend/renovate-ce:9.0.0`
+* Enterprise: `ghcr.io/mend/renovate-ee-server:9.0.0` and `ghcr.io/mend/renovate-ee-worker:9.0.0`
+
+## Run the images in read-only mode
+
+Set both the Server and Worker images to run with read-only file systems (e.g. `readOnlyRootFilesystem` in Kubernetes).
+
+## Map read-write volumes
+
+Ensure that the EE Server has a read-write `/tmp` volume.
+
+Ensure that the EE Worker has read-write `/tmp` and `/opt/containerbase` volumes.
+
+## Other volumes
+
+The main "risk" of a read-only FS for Renovate is that there are dozens of package managers that can be called, and those package managers can choose to write files into unexpected locations.
+
+When such cases are found, the best scenario is that the Renovate CLI can be enhanced to "coerce" managers into writing to `/tmp/renovate`, e.g. through the configuration of environment variables.
+However, it may also be feasible to selectively map files or folders as a stopgap solution (e.g. `/home/ubuntu/.some-manager`).
+
+## Testing and release
+
+The measure of success is that all packager managers succeed (e.g. at updating lock files) using the read-write volumes only.