Fix bug 58707: Mount emptyDir volume to /tmp for writable tempfiles #2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
univention-ldapsearch fails in Kubernetes pods with read-only root filesystems because it cannot create temporary files in /tmp. This fix mounts an emptyDir volume to /tmp in all LDAP server deployments, ensuring the directory is writable even when the root filesystem is read-only. Bug: 58707
graememacpherson
approved these changes
Nov 21, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
univention-ldapsearch fails in Kubernetes pods with read-only root filesystems because it cannot create temporary files in /tmp. The script uses mktemp to create temporary files, but when the root filesystem is read-only (common in Kubernetes security contexts), /tmp is also read-only, causing the script to fail with errors like "cannot create tempfile".
Solution
This fix mounts an emptyDir volume to /tmp in all LDAP server deployments (primary, secondary, and proxy). This follows the standard Kubernetes pattern for handling temporary files in read-only container environments. The emptyDir volume provides a writable temporary directory that persists for the pod's lifetime.
Changes
Added tmp-volume emptyDir mount to /tmp in statefulset-primary.yaml
Added tmp-volume emptyDir mount to /tmp in statefulset-secondary.yaml
Added tmp-volume emptyDir mount to /tmp in deployment-proxy.yaml
Testing
Verified templates render correctly with the tmp-volume mount
Tested container environment with read-only rootfs and tmpfs mount to /tmp
Confirmed mktemp works correctly in the mounted /tmp directory
All tests pass
Related
Bug: 58707