Writing to filesystem when uploading images

I’m trying to run my Diaspora pod inside a Docker (k8s, actually) container with readOnlyRootFilesystem enabled. This means that I need to have writable directories anywhere the app decides to write. So far I have found that the logs directory, the public/uploads directory, and the tmp and /tmp directories are used for writes. This works great.

Except…

When uploading photos, they appear to go someplace else I haven’t yet found. A quick `find / -mtime -1` hasn’t revealed anything. Before I dive into the source code, I was wondering if anyone could tip me off.

Never mind, I figured out it uses public/uploads/tmp. That should have been more obvious to me.

I rejiggered a few things and now I think I have it running with a read-only root filesystem.

It’s probably overkill, but k8s lets me tighten down security to the point where the pod is firewalled off from the rest of my infrastructure, and it was worth it to harden it a bit more.

The source code for my deployment is here; the source code for the docker image is here (now with SBOM!).

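As an added illustration (not from the original post or the poster's deployment repo), this is the pod shape the thread describes: the root filesystem is read-only and the only writable paths are the ones found above. The application root `/diaspora`, the image name and the claim name are assumptions; the log directory follows the Rails default `log/`.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: diaspora
spec:
  containers:
    - name: diaspora
      image: example.org/diaspora:latest   # placeholder image, not the poster's
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      volumeMounts:
        # Each path below is one the post found the app writing to.
        # The application root /diaspora is an assumption.
        - name: log
          mountPath: /diaspora/log
        - name: uploads
          mountPath: /diaspora/public/uploads   # also covers public/uploads/tmp
        - name: app-tmp
          mountPath: /diaspora/tmp
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: log
      emptyDir: {}
    - name: app-tmp
      emptyDir: {}
    - name: tmp
      emptyDir: {}
    # Uploaded photos must outlive a pod restart, so back them with a
    # persistent claim rather than emptyDir (claim name is an assumption).
    - name: uploads
      persistentVolumeClaim:
        claimName: diaspora-uploads
```

With the root filesystem read-only, any path the app still tries to write fails with a read-only filesystem error (Errno::EROFS in the Rails log), which is the quickest way to spot a directory missing from this list.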