Running yarn in a container with a readonly root filesystem #5108
VeithBuergerhoff started this conversation in Ideas
Replies: 0 comments
I hope this is the right place for a discussion of this kind.
Background
It is common to run containers on Kubernetes with an immutable read-only root filesystem wherever possible to decrease the attack surface.
The issue with yarn
There are a couple of places where yarn wants to write to the filesystem. I am by no means an expert when it comes to yarn, but as far as I can tell they are:
the cache directory
It's rather difficult to find concrete documentation on this topic, but I have read a couple of discussions where people were having issues even with an immutable cache, since it was still required to be writable. One can simply mount a cache volume to get around this issue, so this is not that big of a problem.
the log files (or at least the error log file in the app directory)
Since this is a file in the app directory, there is no good way to somehow trick yarn into writing it to a mounted volume. There was a Stack Overflow discussion about there being an option to write the log into a meta directory, with a reference to the correlating section in the code, but I found no documentation of how to enable said meta directory. Maybe a symlink might work here, but I have yet to try that and it seems rather hacky. I have even considered mounting the app as a volume, but I feel like this defeats the entire point of having a read-only filesystem.
yarn tmp files
Yet more files, so volumes are not a good solution. Since the tmp-dir/tmp-file names are not known before runtime, even symlinks are not a good option here.
I am currently writing this on my phone, but I will gladly add links upon request.
Maybe these are all telltale signs that running yarn in a read-only container is simply not a good idea.
Regardless of my issues, it might be beneficial for yarn to allow one to change the location of these files/directories.
I would greatly appreciate any kind of input regarding this topic.
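The workaround the post describes for the cache (mount a volume for it), extended to the temp directory, as an added Kubernetes manifest that is not part of this discussion and not the yarn project's own documentation. It assumes that dependencies were already installed while building the image (`yarn install` writes `node_modules` into the project directory, which stays read-only here), that the image's yarn 1.x honours `YARN_CACHE_FOLDER` and that its temp files follow Node's `TMPDIR`; the image name, the `/app` path and the UID are placeholders.

```yaml
# Added example: keep the root filesystem read-only and hand yarn only the
# writable locations it is assumed to need (cache and temp directory).
apiVersion: v1
kind: Pod
metadata:
  name: yarn-readonly-example            # placeholder name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                      # assumed non-root UID present in the image
  containers:
    - name: app
      image: registry.example.com/app:placeholder   # placeholder image with node_modules baked in
      workingDir: /app                   # assumed app directory; remains read-only
      command: ["yarn", "start"]
      env:
        - name: YARN_CACHE_FOLDER        # assumption: yarn 1.x cache location override
          value: /var/cache/yarn
        - name: TMPDIR                   # assumption: Node's os.tmpdir() follows TMPDIR
          value: /tmp
      securityContext:
        readOnlyRootFilesystem: true     # every path not listed under volumeMounts is immutable
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: yarn-cache
          mountPath: /var/cache/yarn
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: yarn-cache
      emptyDir: {}                       # per-pod scratch cache, discarded with the pod
    - name: tmp
      emptyDir:
        medium: Memory                   # tmpfs-backed so temp files never touch node disk
        sizeLimit: 64Mi
```

What this does not cover is exactly the open point of the post: on failure, yarn still tries to write its error log into the working directory, and with `/app` read-only that write is refused. A quick way to see what yarn still expects to write is to start the pod and read the container logs; every `EROFS` (read-only filesystem) error names a path that is not covered by a mount, which is useful evidence to attach when asking for a configurable location.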