From dc0fcee235741d1922a66a66300ab50f1effc392 Mon Sep 17 00:00:00 2001 From: Rhys Arkins Date: Wed, 4 Dec 2024 11:28:46 +0100 Subject: [PATCH] docs: Create read-only-fs.md (#592) * docs: Create read-only-fs.md * Update read-only-fs.md * Apply suggestions from code review Co-authored-by: Justin Clareburt <122523970+justo-mend@users.noreply.github.com> * Update read-only-fs.md * Update docs/read-only-fs.md --------- Co-authored-by: Justin Clareburt <122523970+justo-mend@users.noreply.github.com> Co-authored-by: Nabeel Saabna <48175656+nabeelsaabna@users.noreply.github.com> --- docs/read-only-fs.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 docs/read-only-fs.md diff --git a/docs/read-only-fs.md b/docs/read-only-fs.md new file mode 100644 index 0000000..80f31c4 --- /dev/null +++ b/docs/read-only-fs.md 
@@ -0,0 +1,30 @@ +# Read-only File Systems + +Support for read-only file systems is available from version 9.0.0 + +To test it, follow these steps: + +## Use the official release images: +* Community: `ghcr.io/mend/renovate-ce:9.0.0` +* Enterprise: `ghcr.io/mend/renovate-ee-server:9.0.0` and `ghcr.io/mend/renovate-ee-worker:9.0.0` + +## Run the images in read-only mode + +Set both the Server and Worker images to run with read-only file systems (e.g. `readOnlyRootFilesystem` in Kubernetes). + +## Map read-write volumes + +Ensure that the EE Server has a read-write `/tmp` volume. + +Ensure that the EE Worker has read-write `/tmp` and `/opt/containerbase` volumes. + +## Other volumes + +The main "risk" of a read-only FS for Renovate is that there are dozens of package managers that can be called, and those package managers can choose to write files into unexpected locations. + +When such cases are found, the best scenario is that the Renovate CLI can be enhanced to "coerce" managers into writing to `/tmp/renovate`, e.g. through the configuration of environment variables. +However, it may also be feasible to selectively map files or folders as a stopgap solution (e.g. `/home/ubuntu/.some-manager`). + +## Testing and release + +The measure of success is that all packager managers succeed (e.g. at updating lock files) using the read-write volumes only.
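Review bot: typo in the closing sentence of the hunk, "all packager managers succeed" should read "all package managers succeed". Also, the "Map read-write volumes" section only states the required read-write volumes for the EE Server (`/tmp`) and EE Worker (`/tmp` and `/opt/containerbase`), while the Community image `ghcr.io/mend/renovate-ce:9.0.0` listed under "Use the official release images" gets no volume guidance at all; a CE user testing `readOnlyRootFilesystem` cannot tell from this page whether `/tmp` alone is enough or `/opt/containerbase` must also be writable, so a sentence covering the CE image would make the steps complete. Minor style points: the heading "## Use the official release images:" carries a trailing colon that the other headings do not, and the sentence "Support for read-only file systems is available from version 9.0.0" is missing its full stop.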