s6 overlay not working with read-only filesystem #578

Closed
sysarch-repo opened this issue May 16, 2024 · 4 comments

@sysarch-repo

Please provide a small Dockerfile that demonstrates your issue.

```dockerfile
FROM alpine:3.18.3

RUN apk --no-cache add \
        ca-certificates \
        curl \
        tcpdump \
        libcap

# Install s6-overlay init
ARG S6_OVERLAY_VERSION=3.1.6.2
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz
ENTRYPOINT ["/init"]

# Copy the pre-built binary file from the previous stage
# (the "builder" stage itself is not included in the issue)
COPY --from=builder /app/main /usr/local/bin/dns-app
RUN chmod +x /usr/local/bin/dns-app

# Create directories
RUN mkdir /var/lib/nti
RUN chmod 777 /var/lib/nti

# Expose port 8080 to the outside world
EXPOSE 8080

# Command to run the executable
CMD ["/usr/local/bin/dns-app"]
```

The app log:

```
s6-overlay-suexec: warning: unable to gain root privileges (is the suid bit set?)
s6-rmrf: fatal: unable to remove /run/s6: Read-only file system
s6-overlay-suexec: fatal: child failed with exit code 111
```

Note, read-only file system is required to pass the CNTI tests for CNF: https://github.com/cnti-testcatalog/testsuite

@skarnet
Contributor

skarnet commented May 16, 2024

Is it still not working when you run your container with `ENV S6_READ_ONLY_ROOT=1`?

@sysarch-repo
Author

@skarnet Thanks for your suggestion. I have added the ENV to the helm chart overrides and the error has changed as follows:

```
s6-overlay-suexec: warning: unable to gain root privileges (is the suid bit set?)
/package/admin/s6-overlay/libexec/preinit: info: read-only root
/package/admin/s6-overlay-3.1.6.2/libexec/preinit: line 31: can't create /run/test of writability: Read-only file system
s6-overlay-suexec: fatal: child failed with exit code 1
```

@skarnet
Contributor

skarnet commented May 16, 2024

Yeah.

/run needs to be a writable filesystem, on any Linux system. You can mount / read-only, but /run needs to be a separate filesystem, typically a tmpfs.

Usually, when you try to run a container read-only, container managers pre-mount a tmpfs on /run before running the container. You should check your container manager configuration and see if you can achieve this.

When it's not the case, s6-overlay tries to mount a tmpfs on /run itself, but this requires root privileges, and you're apparently running your container in a configuration that cannot obtain root privileges whatsoever. So there's nothing that s6-overlay can do about it, and it detects that /run is not writable, and fails early because your system won't be viable anyway.

Configure your container manager so /run is a pre-mounted tmpfs.

@sysarch-repo
Author

@skarnet, thanks again - all understood. I have mounted /run as tmpfs. Here is the log:

```
s6-overlay-suexec: warning: unable to gain root privileges (is the suid bit set?)
/package/admin/s6-overlay/libexec/preinit: info: read-only root
/package/admin/s6-overlay/libexec/preinit: info: writable /run. Checking for executability.
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
```

I am closing the ticket.
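
The fix the thread arrives at, written as a Kubernetes Pod manifest (an added example, not part of the original issue or the s6-overlay project): a read-only root filesystem with a memory-backed `emptyDir`, which Kubernetes mounts as tmpfs, on `/run`. The pod name, image reference, volume names and size limit are placeholders, and the `/var/lib/nti` volume assumes the application writes to the directory the Dockerfile creates.

```yaml
# Added example: placeholder names and image, not taken from the issue.
apiVersion: v1
kind: Pod
metadata:
  name: dns-app                          # hypothetical pod name
spec:
  containers:
    - name: dns-app
      image: registry.example/dns-app:PLACEHOLDER   # placeholder image reference
      env:
        # Tells s6-overlay's preinit that / is read-only (suggested in the thread).
        - name: S6_READ_ONLY_ROOT
          value: "1"
      securityContext:
        # The requirement that triggered the issue: / is mounted read-only.
        readOnlyRootFilesystem: true
      volumeMounts:
        # Without this mount, /run inherits the read-only root and preinit
        # fails with "can't create /run/test of writability".
        - name: run
          mountPath: /run
        # Assumption: the app writes here; it would also be read-only otherwise.
        - name: nti-data
          mountPath: /var/lib/nti
  volumes:
    - name: run
      emptyDir:
        medium: Memory                   # tmpfs, pre-mounted before /init runs
        sizeLimit: 16Mi                  # constructed value; size to your services
    - name: nti-data
      emptyDir: {}
```

Because the volume is mounted by the kubelet before the container starts, s6-overlay does not need root privileges to mount `/run` itself. The final log shows preinit also checking `/run` for executability, so a `noexec` mount on `/run` is worth ruling out if startup stops at that step.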
