See #8578 for background
We currently have a few places in Spring Boot where we create temporary folders without the ability to opt-out. We should review these for users that wish to create immutable containers.
We can't make any guarantees that it will always be possible to run an immutable container; we can only ensure that Spring Boot itself can run without creating temporary files. For example, we could update UndertowServletWebServerFactory so that it doesn't call deployment.setTempDir, but we can't guarantee that DeploymentInfo.requireTempPath() isn't called when the container runs (e.g. because of multi-part uploads).
Comment From: wilkinsona
If we make it possible to opt in to temporary directories not being created, anyone using the servlet stack will no longer have a spec-compliant container. Section 4.8.1 of the Servlet 4 spec states the following:
A temporary storage directory is required for each servlet context. Servlet containers must provide a private temporary directory for each servlet context, and make it available via the javax.servlet.context.tempdir context attribute. The objects associated with the attribute must be of type java.io.File.
Jetty, for example, requires a temporary directory to be configured on the WebAppContext for the javax.servlet.context.tempdir attribute to be configured.
Comment From: jburke-godaddy
In the background issue 8578, the requester commented on the servlet stack compliance aspect. For people who want compliance, they need not opt in. For those who don't need file creation, the security benefits of a read-only filesystem might be well worth not having a servlet stack which is not 100% compliant.
Comment From: ivankatliarchuk
2+ years to make a decision. Due to this feature/bug, we are not able to enforce the following security measures in Kubernetes for all the Java applications.
securityContext:
  readOnlyRootFilesystem: true
Read-only root filesystem helps to enforce an immutable infrastructure strategy. The container should only write on mounted volumes that can persist, even if the container exits.
Using an immutable root filesystem and a verified boot mechanism prevents attackers from "owning" the machine through permanent local changes. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
Comment From: wilkinsona
@ivankatliarchuk A decision has been made and we intend to reduce our use of createTempFile. It is not, however, a high priority and the issue being in the general backlog reflects that.
As far as we know, there's nothing stopping you from configuring a Spring Boot application to use a read-only root filesystem. You may need to use the java.io.tmpdir property to control the location of the temporary directory. Various options are discussed in #8578; this comment in particular may be of interest.
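
One way to combine the two settings discussed in this thread (readOnlyRootFilesystem and java.io.tmpdir), as an added example that is not part of the issue or of Spring Boot itself. The pod name, image, mount path and size limit are assumptions chosen for illustration.

```yaml
# Added example: names, image and paths are placeholders, not taken from the issue.
apiVersion: v1
kind: Pod
metadata:
  name: boot-app                                   # hypothetical name
spec:
  containers:
    - name: app
      image: registry.example.com/boot-app:1.0.0   # placeholder image
      securityContext:
        readOnlyRootFilesystem: true               # the setting quoted in the thread
      env:
        # The JVM reads JAVA_TOOL_OPTIONS at startup, so java.io.tmpdir already
        # points at the mounted volume when the embedded server asks for a
        # temporary directory.
        - name: JAVA_TOOL_OPTIONS
          value: "-Djava.io.tmpdir=/app-tmp"
      volumeMounts:
        - name: app-tmp
          mountPath: /app-tmp                      # writable scratch space
  volumes:
    - name: app-tmp
      emptyDir:                                    # removed when the pod is deleted
        sizeLimit: 64Mi                            # assumed cap; size it for multipart uploads
```

With this layout the image contents stay immutable, and anything written to the temporary directory lives only in the emptyDir volume.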