Error while running ECS container with read-only root filesystem

Question

We have a Java application with spring framework and I am trying to enable read-only root filesystem for the container. I have tried modifying the docker file to provide a writable path for the application but I keep getting the below error

{"dateTime":"2023-04-21T00:53:12.922Z","type":"ERROR","stage":"dev","logger":"org.springframework.boot.SpringApplication","class":"org.springframework.boot.SpringApplication","method":"reportFailure","file":"SpringApplication.java","line":865,"thread":"main","message":"Application run failed","stack_trace":"j.n.f.FileSystemException: /tmp/tomcat.8091.7261574515025557054: Read-only file system\n\tat s.n.fs.UnixException.translateToIOException(Unknown Source)\n\tat s.n.fs.UnixException.rethrowAsIOException(Unknown Source)\n\tat s.n.fs.UnixException.rethrowAsIOException(Unknown Source)\n\tat s.n.f.UnixFileSystemProvider.createDirectory(Unknown Source)\n\tat java.nio.file.Files.createDirectory(Unknown Source)\n\tat j.n.f.TempFileHelper.create(Unknown Source)\n\tat j.n.f.TempFileHelper.createTempDirectory(Unknown Source)\n\tat java.nio.file.Files.createTempDirectory(Unknown Source)\n\tat o.s.b.w.s.AbstractConfigurableWebServerFactory.createTempDir(AbstractConfigurableWebServerFactory.java:189)\n\t... 19 common frames omitted\nWrapped by: o.s.b.w.s.WebServerException: Unable to create tempDir. java.io.tmpdir is set to /tmp\n\tat o.s.b.w.s.AbstractConfigurableWebServerFactory.createTempDir(AbstractConfigurableWebServerFactory.java:195)\n\tat o.s.b.w.e.t.TomcatServletWebServerFactory.getWebServer(TomcatServletWebServerFactory.java:188)\n\tat o.s.b.w.s.c.ServletWebServerApplicationContext.createWebServer(ServletWebServerApplicationContext.java:182)\n\tat o.s.b.w.s.c.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:160)\n\t... 16 common frames omitted\nWrapped by: o.s.c.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Unable to create tempDir. java.io.tmpdir is set to /tmp\n\tat o.s.b.w.s.c.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:163)\n\tat o.s.c.s.AbstractApplicationContext.refresh(AbstractApplicationContext.java:577)\n\tat o.s.b.w.s.c.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:145)\n\tat o.s.b.SpringApplication.refresh(SpringApplication.java:775)\n\tat o.s.b.SpringApplication.refreshContext(SpringApplication.java:448)\n\tat o.s.b.SpringApplication.run(SpringApplication.java:339)\n\tat o.s.b.SpringApplication.run(SpringApplication.java:1365)\n\tat o.s.b.SpringApplica...\n"}

The docker file config is

RUN addgroup -S spring && adduser -S spring -G spring
USER spring:spring
ARG JAR_FILE=target/*.jar
COPY ${JAR_FILE} xxx.jar

# Create a writable directory for temporary files
WORKDIR /usr/src/app/tmp && chown spring:spring /usr/src/app/tmp

# Configure the application to use the new directory for temporary files
ENV JAVA_OPTS="-Djava.io.tmpdir=/usr/src/app/tmp"

ENTRYPOINT ["java","-jar","/xxx.jar"]

Is there anything else I need to do within the application for it to use the path provided in the docker file?

Answer 1

You could utilize designated temporary directories like /tmp within the container for storing temporary files as defined https://repost.aws/questions/QUZufioV63TciPZZ0onYdsdA/unable-to-limit-ecs-containers-to-read-only-access-to-root-filesystem