How to protect the app in balena if volumes are mapped in RW mode?
/dev/hda6 on /mnt/data type ext4 (rw,relatime,data=ordered)
/dev/hda6 on /var/lib/docker type ext4 (rw,relatime,data=ordered)
I thought that the volumes must be mounted in RO mode
Hi, those partitions are mounted RW because they’re used by the system (storing the images, volumes, etc.). But those are host partitions, and they cannot be read-only from the host’s side (on the host’s side, the root filesystem is read-only).
Do you mean that you want to protect your docker volumes that are attached to your application? If so, check out the volumes docs for docker-compose.yml, for example:
    ...
    volumes:
      - resin-data:/data:ro
    ...
which will make that volume read-only because of the :ro flag at the end.
Is this what you mean?
I want to protect an app (docker layers from the image)
I don’t want to protect a docker container
The data partition needs to be read-write, and the application image is only managed by the supervisor, so wondering what’s the problem you are trying to avoid? What are you protecting it against? Thanks!
I want to protect against power failure if there is a power shutdown during the data recording process
What data recording process? Inside your application? Because:
Thus I cannot really think of a process at the moment, that would affect the application image you already have on the device. Are we missing anything or misunderstanding anything?
The last layer of the container is always RW
The last layer of the container is mounted in a directory with other RO layers from image
I want to protect the /dev/sdX
Hi there,
Can you detail a little bit more about the failure case you are concerned about? If you are concerned about the storage media (rightfully so), I’m not sure that mounting read-only will help you (due to the reasons imrehg outlined above). The more detailed you can be, the easier it will be for us to understand and recommend a workaround or alternative strategy!
That’s right
I’m worried about the image layers on the storage media
Thanks everyone for the answers
Hi,
As my colleague answered above, your application docker images will be protected in most cases. Does the answer resolve your concerns?
Please let us know if you need further support.
Thanks yes