[BUG] - Docker image incompatible with readOnlyRootFilesystem (Kubernetes security best practice)

[DaviPtrs]

Internal/External
External

Area
Other - Docker image / Nix wrapper / run-node script

Summary
The cardano-node Docker image (10.6.2) is incompatible with readOnlyRootFilesystem: true in Kubernetes due to two separate issues:

1. Scripts mode (NETWORK=mainnet): The Nix-generated wrapper hardcodes RTS option -tcardano-node.stats which tries to write to the current working directory
2. Custom mode (run arg): The /usr/local/bin/run-node script writes to /usr/local/bin/env

Running with readOnlyRootFilesystem: true is a Kubernetes security best practice recommended by CIS benchmarks.

Steps to reproduce

Issue 1 - Scripts mode:

docker run --read-only -e NETWORK=mainnet ghcr.io/intersectmbo/cardano-node:10.6.2

Error: cardano-node: Can't open stats file cardano-node.stats

Issue 2 - Custom mode:

docker run --read-only ghcr.io/intersectmbo/cardano-node:10.6.2 run

Error: /usr/local/bin/run-node: line 93: /usr/local/bin/env: Read-only file system

Expected behavior
The node should start successfully with readOnlyRootFilesystem: true.

System info:

• OS: Kubernetes (EKS) with containerd
• Node version: cardano-node 10.6.2
• Docker image: ghcr.io/intersectmbo/cardano-node:10.6.2

Logs - Issue 1 (Scripts mode)

Starting: exec /nix/store/.../cardano-node run
...
+RTS
--machine-readable
-tcardano-node.stats
...
-RTS

cardano-node: Can't open stats file cardano-node.stats

Logs - Issue 2 (Custom mode)

Running cardano node ...
CARDANO_BIND_ADDR=0.0.0.0
CARDANO_BLOCK_PRODUCER=false
CARDANO_CONFIG=/opt/cardano/config/mainnet/config.json
CARDANO_DATABASE_PATH=/data/db
CARDANO_LOG_DIR=/opt/cardano/logs
CARDANO_PORT=3001
CARDANO_SOCKET_PATH=/ipc/node.socket
CARDANO_TOPOLOGY=/configuration/topology.json
/usr/local/bin/run-node: line 93: /usr/local/bin/env: Read-only file system

Root Cause

1. The Nix wrapper at /nix/store/.../cardano-node-mainnet hardcodes -tcardano-node.stats RTS option
2. The run-node script's writeRootEnv() function writes to /usr/local/bin/env

Suggested Fix

1. Make the stats file path configurable or write to /tmp or /data
2. Write the env file to a writable location like /tmp/env instead of /usr/local/bin/env
3. Or provide a "minimal" mode that skips these writes entirely

Workaround
Disable readOnlyRootFilesystem (reduces security posture).

[DaviPtrs]

Additional note: The /usr/local/bin/env file written by writeRootEnv() in run-node doesn't appear to be sourced anywhere in the image. It seems to only exist for manual debugging convenience (exec into container and source it).

This means the write operation is not essential for the node to function, making it an unnecessary blocker for read-only container deployments.

[DaviPtrs]

Update: Root cause clarification

After further investigation, there are two related issues:

Issue 1 - File permissions (even without readOnlyRootFilesystem):

• The container runs as uid 1000 (non-root)
• The Nix wrapper writes cardano-node.stats to the current working directory (/)
• uid 1000 cannot write to / due to standard Unix permissions

Issue 2 - Read-only filesystem:

• Even with WORKDIR /tmp, enabling readOnlyRootFilesystem: true makes /tmp read-only
• Requires mounting /tmp as an emptyDir/tmpfs volume to work

Reproduction:

# Fails - non-root user can't write to /
docker run --rm -e NETWORK=mainnet --user 1000:1000 ghcr.io/intersectmbo/cardano-node:10.6.2

# Works - non-root user can write to /tmp
docker run --rm -e NETWORK=mainnet --user 1000:1000 --workdir /tmp ghcr.io/intersectmbo/cardano-node:10.6.2

# Fails - /tmp is read-only
docker run --rm -e NETWORK=mainnet --user 1000:1000 --workdir /tmp --read-only ghcr.io/intersectmbo/cardano-node:10.6.2

# Works - /tmp mounted as tmpfs
docker run --rm -e NETWORK=mainnet --user 1000:1000 --workdir /tmp --read-only --tmpfs /tmp ghcr.io/intersectmbo/cardano-node:10.6.2

Workaround:

Option A - Custom Dockerfile:

FROM ghcr.io/intersectmbo/cardano-node:10.6.2
WORKDIR /tmp

Option B - Using official image directly (Kubernetes):

containers:
  - name: cardano-node
    image: ghcr.io/intersectmbo/cardano-node:10.6.2
    command: ["sh", "-c", "cd /tmp && exec entrypoint"]
    volumeMounts:
      - name: tmp
        mountPath: /tmp
volumes:
  - name: tmp
    emptyDir: {}

Option C - Using official image directly (Docker):

docker run --workdir /tmp --tmpfs /tmp ghcr.io/intersectmbo/cardano-node:10.6.2

Suggested fix:
Make the stats file path configurable, or write to a volume-mounted path like /data.