feat: Move /.firstRunComplete to /tmp to prepare readonly rootfs #80
Conversation
|
The |
|
I would be fine to move it completely elsewhere but having it inside the / (the root) is a really bad practice for the reason I mentioned above. Additional I'd like to ask why does something break if the "first run" is executed twice (in case |
|
@gbooker any update? |
|
As stated, moving this indicator to Perhaps there's an id or something which doesn't change across updates which could be used to indicate that it is in the same effective container and this be stored in a more permanent location in |
|
What ID do you mean? If you recreate the container from a container image (eg. on an update) its not the same container. In which cases should the firstRun be triggered? |
|
I was afraid the container id changes across updates. Ideally, the firstRun should be triggered when a fresh container is created but not when a container is upgraded. Additionally not when a configuration is changed (such as a volume map, etc) It's a tricky thing to accomplish since docker is really missing a mechanism to do this. The rationale is the first-run can perform some expensive operations but these should only be done once (such as chown a directory tree). |
|
What container upgrade are you talking about here? The root filesystem does not persist when a container is recreated (or upgraded as you state). |
|
As I am still affected of this issue, can we talk about it again? @gbooker is your idea that this script is only executed when plex is initialized for the first time or every time Plex is upgraded (and thus the container is replaced from a new container image)? /cc: @MarshallAsch as you implemented a helm chart for plex (PR #82) which could also benefit from this change. |
I previously stated:
The first run does some things (such as a recursive chown or signing in the PMS with the result stored in prefs) which should only be run once. However, if a server is migrated from one system to another (or potentially migrate to a new container), it likely should be run again. I don't like the idea of modifying the container root image that much (as it is antithetical to how docker is supposed to work) but I couldn't find any good mechanism to accomplish this. |
Its not a big deal. The real issue is, that this file should not live in a directory which contains other files. We can move it to wherever you want. Would you be okay with another location? |
|
Might be missing some context here, but what about a newer directory that we declare with the |
That would be great! |
There was a problem hiding this comment.
Moving to another directory would be fine (just not /tmp because of the meaning of that name) and users who wish to map a volume to that dir are welcome to do so. Just the if needs to check / as well for containers where this has already run before moving the firstRunComplete file.
| @@ -136,5 +136,5 @@ if [ -z "$(getPref "TranscoderTempDirectory")" ]; then | |||
| setPref "TranscoderTempDirectory" "/transcode" | |||
| fi | |||
|
|
|||
| touch /.firstRunComplete | |||
| touch /tmp/.firstRunComplete | |||
There was a problem hiding this comment.
If moving to another dir, this likely would need to run a mkdir for that dir first in case it doesn't already exist
I currently migrate all my Kubernetes workloads to containers with read-only rootfs.
The plex container is a bit tricky with the
/.firstRunCompletefile. If you'd move that file to/tmp, it would be possible to mount a temporary filesystem which is writable (KubernetesemptyDir) below /tmp.The s6 suite also have issues with read-only rootfs but it (officially) supports it by setting
S6_READ_ONLY_ROOT=1. Ref: https://github.com/just-containers/s6-overlay#read-only-root-filesystem