n8n fails to start with read-only root filesystem (like you would use in kubernetes clusters) due to cache directory: #8367

Closed
brokenjacobs opened this issue Jan 17, 2024 · 4 comments

brokenjacobs commented Jan 17, 2024

Originally here:
8gears/n8n-helm-chart#65

❯ docker run -v .../n8n:/home/node/.n8n --read-only --platform linux/amd64 -it n8nio/n8n:1.22.3
Initializing n8n process
n8n ready on 0.0.0.0, port 5678
Error: ENOENT: no such file or directory, mkdir '/home/node/.cache'
Error: Exiting due to an error.
Error: ENOENT: no such file or directory, mkdir '/home/node/.cache'
❯ docker run -v .../cache:/home/node/.cache -v .../n8n:/home/node/.n8n --read-only --platform linux/amd64 -it n8nio/n8n:1.22.3
Last session crashed
Initializing n8n process
n8n ready on 0.0.0.0, port 5678
Version: 1.22.3

Editor is now accessible via:
http://localhost:5678/

Press "o" to open in Browser.

And interestingly enough as a 'worker' the cache directory is not used:

❯ docker run -v.../n8n:/home/node/.n8n --read-only --platform linux/amd64 -it n8nio/n8n:1.22.3 worker
QUEUE_WORKER_TIMEOUT has been deprecated. Rename it to N8N_GRACEFUL_SHUTDOWN_TIMEOUT.
Redis unavailable - trying to reconnect...

Joffcom (Member) commented Jan 17, 2024

Hey @brokenjacobs,

I don't fully understand what the issue is here. We run n8n as the node user and we expect there to be full access to the user's home directory.

Is there a reason why the node directory would be restricted? Perhaps someone that knows more about k8s will be able to chip in on this one.

netroy (Member) commented Jan 17, 2024

The main API server needs /home/node to be writable to be able to generate certain static assets. This is why we expect /home/node to be writable by the node user.
You can still use a read-only root filesystem, but you need to mount a writable folder into /home/node/.cache.
Can you try adding --mount type=tmpfs,destination=/home/node/.cache to the docker run and see if that fixes the issue?

netroy (Member) commented Jan 17, 2024

That said, n8n does not support fully read-only filesystems, and expects certain paths to always be writable.
It'd probably be a good idea to eventually document all the folders n8n expects to write to, but that's not on our radar right now.
I'll close this issue, as the workaround for anyone wanting to use a read-only filesystem is already in this thread, and there is nothing more we plan to do anytime soon to address this any further.

netroy closed this as completed Jan 17, 2024
netroy closed this as not planned Jan 17, 2024

brokenjacobs (Author) commented Feb 12, 2024

So the issue here is not that a read/write emptydir volume cannot be mounted; the issue is that the helm chart doesn't support adding volume mounts to the containers. Not allowing for readonly root fs, securitycontext, running as non-root, etc. is an issue in many enterprise environments. Normally this is done by adding 'extraVolumes', 'extraVolumeMounts' or something similar to the helm chart.
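
The pod spec this thread is working toward, written as a plain Deployment: an added example, not from any participant, the n8n project or the helm chart. It is the Kubernetes equivalent of the `docker run --read-only` workaround above; the resource names, the PVC, the size limit and UID 1000 for the `node` user are assumptions.

```yaml
# Added example: plain Deployment, not generated by the n8n helm chart.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: n8n                      # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: n8n
  template:
    metadata:
      labels:
        app: n8n
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000          # assumption: UID of the "node" user in the image
        runAsGroup: 1000
        fsGroup: 1000            # lets the non-root user write to the mounted volumes
      containers:
        - name: n8n
          image: n8nio/n8n:1.22.3
          ports:
            - containerPort: 5678
          securityContext:
            readOnlyRootFilesystem: true   # same effect as `docker run --read-only`
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: cache                  # the path whose mkdir failed with ENOENT
              mountPath: /home/node/.cache
            - name: data
              mountPath: /home/node/.n8n
      volumes:
        - name: cache
          emptyDir:
            medium: Memory                 # tmpfs, like --mount type=tmpfs
            sizeLimit: 64Mi                # assumption: adjust to observed usage
        - name: data
          persistentVolumeClaim:
            claimName: n8n-data            # hypothetical PVC
```

Only the two paths named in this thread are mounted; the maintainers state that n8n expects certain paths to be writable without listing them, so other modes or versions may need further mounts.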
