I’ve been experimenting with using immutable deployments for security (but also performance) reasons. None of my tests are able to generate a VM with a read-only root filesystem. My deployment tests consist of a simple Alpine-based Dockerfile that I run as follows:
fly m run . -a XXXXXX --kernel-arg "ro"
When I connect to the console, I can see that the root filesystem is mounted rw:
/dev/vda on / type ext4 (rw,relatime,stripe=64). I’ve been playing with running my own VMs using Firecracker, and it looks like there is a is_read_only boolean when specifying block devices, but it doesn’t look like Fly’s APIs support setting that parameter. Perhaps, and I’m just speculating here, the reason that Fly doesn’t allow read-only root filesystems is related to how the VM init process is started and then cleaned up.
I’ve searched the forum and documentation to see if running a read-only root is a supported or desired functionality, but I have yet to find anything relevant. Would fly support running VMs using a read-only root filesystem, and is this something that Fly might consider to be useful? If Fly would not consider; or due to technical challenges, would prevent running VMs with read-only root filesystems, then what about supporting other alternatives like read-only volumes?