Issue with securityContext.readOnlyRootFilesystem=true in NGINX Docker Image (10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)) #927

Open
alican-uelger opened this issue Sep 5, 2024 · 1 comment

Comments

@alican-uelger

Describe the bug

When setting securityContext.readOnlyRootFilesystem to true, we encounter an issue with the NGINX Docker image version 1.27.1. The following info log appears:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration

/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/

/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh

10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)

To reproduce

Steps to reproduce the behavior:

  1. Deploy the NGINX Docker image version nginx:1.27.1.
  2. Set securityContext.readOnlyRootFilesystem to true.
  3. Check the logs for the issue.

Expected behavior

The securityContext.readOnlyRootFilesystem=true should not cause any issues or prevent the scripts in /docker-entrypoint.d/ from running as expected.

Your environment

  • NGINX Docker Image Version: nginx:1.27.1

  • Deployment Platform: Kubernetes

  • Version/release of Docker and method of installation (e.g. Docker Desktop / Docker Server)

  • Version/tag of the NGINX Docker image (e.g. nginx:alpine)

  • Target deployment platform (e.g. OpenShift / Kubernetes / Docker Compose / etc...)

Additional context

This issue seems related to the scripts in /docker-entrypoint.d/ trying to modify the filesystem, which is read-only when securityContext.readOnlyRootFilesystem=true is set.

@thresheek
Collaborator

Those scripts are there to modify the configuration files in the early runtime of a container, which is obviously impossible for a read-only filesystem.

How do you propose to change this behaviour?
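
One way to keep readOnlyRootFilesystem set to true while still giving the entrypoint scripts a writable /etc/nginx/conf.d, as an added example that is not from the issue or from the nginx image project. The pod name, volume names and the /seed mount point are hypothetical, and the writable paths /var/cache/nginx and /run are assumptions about the image's default configuration.

```yaml
# Added example: names are hypothetical, writable paths are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-readonly-rootfs
spec:
  initContainers:
    # Copy the image's packaged conf.d contents into a writable volume.
    # Overriding the command means the entrypoint scripts do not run here.
    - name: seed-conf
      image: nginx:1.27.1
      command: ["sh", "-c", "cp -a /etc/nginx/conf.d/. /seed/"]
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: conf-d
          mountPath: /seed
  containers:
    - name: nginx
      image: nginx:1.27.1
      ports:
        - containerPort: 80
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        # The scripts in /docker-entrypoint.d/ edit files here at start-up.
        - name: conf-d
          mountPath: /etc/nginx/conf.d
        # Assumed location of nginx temporary files in the stock build.
        - name: cache
          mountPath: /var/cache/nginx
        # Assumed location of the pid file.
        - name: run
          mountPath: /run
  volumes:
    - name: conf-d
      emptyDir: {}
    - name: cache
      emptyDir: {}
    - name: run
      emptyDir: {}
```

The root filesystem stays read-only in both containers; only the three emptyDir volumes accept writes, and their contents are discarded when the pod is removed.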
