Open
Description
Describe the question/issue
Hi,
Due to security requirements, my client forces me to set the readonlyRootFilesystem property to true for all containers running in an ECS task, even the firelens container. The problem is that firelens fails to start the container for two reasons:
- firelens can download config files from S3 because the path "/init" is a read-only folder
- I tried to create a volume in path /init to allow firelens to download files in path "/init", but it overwrites the content of the folder and init fails because the bash script "/init/fluent_bit_init_entrypoint.sh" no longer exists.
Is it possible to set readonlyRootFilesystem to true? I searched for an issue related to this topic but I haven't seen anything. I apologize in advance if this topic has already been covered.
Thanks
Configuration
{
  "name": "log_router",
  "image": "906394416424.dkr.ecr.eu-west-1.amazonaws.com/aws-for-fluent-bit:init-2.27.0",
  "cpu": 0,
  "portMappings": [],
  "essential": true,
  "environment": [
    {
      "name": "CONTAINER_NAME",
      "value": "firelens-log-router"
    }
  ],
  "mountPoints": [
    {
      "sourceVolume": "firelens-init",
      "containerPath": "/init",
      "readOnly": false
    }
  ],
  "volumesFrom": [],
  "secrets": [],
  "user": "0",
  "readonlyRootFilesystem": true,
  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
      "awslogs-group": "/aws/firelens",
      "awslogs-create-group": "true",
      "awslogs-region": "eu-west-1",
      "awslogs-stream-prefix": "myapp"
    }
  }
}
Fluent Bit Log Output
This is the error I get:
/bin/sh: /init/fluent_bit_init_entrypoint.sh: No such file or directory
Fluent Bit Version Info
Cluster Details
I need to use Fargate
Application Details
Steps to reproduce issue
Set the readonlyRootFilesystem property to true for the firelens container in an ECS task definition
Related Issues
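The conflict reported in this issue, as an added example (not part of the original post and not code from the aws-for-fluent-bit project): a check over a container definition that reports image files hidden by a volume mount and, when readonlyRootFilesystem is true, write paths that have no writable mount. The `audit_container` helper and the two path lists are assumptions built from the paths quoted in the issue; the embedded container definition is a constructed subset of the configuration above.

```python
import json
from pathlib import PurePosixPath

# Constructed sample: the relevant fields of the log_router container from the issue.
CONTAINER = json.loads("""
{
  "name": "log_router",
  "readonlyRootFilesystem": true,
  "mountPoints": [
    {"sourceVolume": "firelens-init", "containerPath": "/init", "readOnly": false}
  ]
}
""")

# Assumed inputs, taken from the issue text: the entrypoint script named in the
# error message, and the directory the init process downloads config files into.
IMAGE_FILES = ["/init/fluent_bit_init_entrypoint.sh"]
WRITE_PATHS = ["/init"]


def _covers(mount_path, target):
    """True if target is the mount point itself or lives underneath it."""
    m, t = PurePosixPath(mount_path), PurePosixPath(target)
    return m == t or m in t.parents


def audit_container(container, image_files, write_paths):
    """Return findings for one ECS container definition (hypothetical helper)."""
    findings = []
    mounts = container.get("mountPoints", [])
    # A volume mounted at or above an image file hides that file at runtime.
    for mp in mounts:
        for f in image_files:
            if _covers(mp["containerPath"], f):
                findings.append(f"shadowed: {f} hidden by volume "
                                f"'{mp['sourceVolume']}' at {mp['containerPath']}")
    # With a read-only root, every path the process writes needs a writable mount.
    if container.get("readonlyRootFilesystem"):
        for w in write_paths:
            if not any(_covers(mp["containerPath"], w) and not mp.get("readOnly", False)
                       for mp in mounts):
                findings.append(f"unwritable: {w} is on the read-only root filesystem")
    return findings


if __name__ == "__main__":
    for line in audit_container(CONTAINER, IMAGE_FILES, WRITE_PATHS):
        print(line)
```

Run against the configuration from the issue it reports the shadowed entrypoint; with the mount removed it reports `/init` as unwritable instead, which is the pair of failures the post describes.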