When this security context is turned on, the Linux /run FS inside the container is read-only as well; it usually comes from the overlay on / from the image.
For other directories like /var/log, the user could mount an ephemeral or persistent volume, depending on whether the data (e.g. log files) should be ephemeral or persistent.
But anything in /run is supposed to be "ephemeral" as always.
If the application runs directly on the OS, /run was mounted as "tmpfs" when the OS booted up, while in a container there is no boot-up stage, so the /run FS is kind of "static" from the image.
Although the PID file path should be configurable in any application, this creates a scenario where running the application in a container differs from running it on the OS, since the process encounters a different FS than what it "sees" when "readOnlyRootFilesystem" is on.
Can /run be exempted from "readOnlyRootFilesystem" just like "/proc"?
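As an added example (not code from the original post, nor from Kubernetes itself), the following lint walks a pod spec and reports, for every container with readOnlyRootFilesystem set, which of the paths the application needs to write (a PID file under /run, logs under /var/log) have no writable volumeMount, and whether /run is backed by an ephemeral emptyDir rather than persistent storage. The three pod specs are constructed for illustration, and the image name example/app:1.0 is an assumption; the only real-world facts it relies on are that readOnlyRootFilesystem applies to the image's root overlay, that /proc, /sys and /dev are separate kernel or runtime mounts, and that a volumeMount is a separate mount that the flag does not touch.

```python
"""Lint pod specs that set readOnlyRootFilesystem: does each path the application
must write to (PID file under /run, logs under /var/log) sit on a writable volume,
and is /run backed by an ephemeral emptyDir rather than persistent storage?
Added example, not code from the original post or from Kubernetes; pod specs are
constructed, and the image name example/app:1.0 is assumed."""

from typing import Dict, List, Optional

# Kernel/runtime mounts that are never part of the image's root overlay, so
# readOnlyRootFilesystem does not apply to them.
RUNTIME_MOUNTS = ("/proc", "/sys", "/dev")

# Constructed: read-only root, nothing mounted at /run -> PID file write fails.
WEAK_POD = {"spec": {"volumes": [], "containers": [{
    "name": "app", "image": "example/app:1.0",
    "securityContext": {"readOnlyRootFilesystem": True},
    "volumeMounts": []}]}}

# Constructed fix: emptyDir (medium Memory mimics the host's tmpfs) at /run,
# a disk-backed emptyDir at /var/log.
FIXED_POD = {"spec": {
    "volumes": [{"name": "run", "emptyDir": {"medium": "Memory"}},
                {"name": "logs", "emptyDir": {}}],
    "containers": [{
        "name": "app", "image": "example/app:1.0",
        "securityContext": {"readOnlyRootFilesystem": True},
        "volumeMounts": [{"name": "run", "mountPath": "/run"},
                         {"name": "logs", "mountPath": "/var/log"}]}]}}

# Constructed anti-pattern: /run writable but on a persistent claim, so a stale
# PID file would survive pod restarts.
PERSISTENT_RUN_POD = {"spec": {
    "volumes": [{"name": "run", "persistentVolumeClaim": {"claimName": "run-pvc"}}],
    "containers": [{
        "name": "app", "image": "example/app:1.0",
        "securityContext": {"readOnlyRootFilesystem": True},
        "volumeMounts": [{"name": "run", "mountPath": "/run"}]}]}}


def _is_under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies below it (by path component)."""
    prefix = prefix.rstrip("/")
    if prefix == "":          # a mount at "/" covers everything
        return True
    return path == prefix or path.startswith(prefix + "/")


def writable_mount_for(container: Dict, path: str) -> Optional[Dict]:
    """Longest-prefix writable volumeMount covering path, or None."""
    best = None
    for m in container.get("volumeMounts", []):
        if m.get("readOnly"):
            continue
        if _is_under(path, m["mountPath"]):
            if best is None or len(m["mountPath"]) > len(best["mountPath"]):
                best = m
    return best


def check_pod(pod: Dict, required_paths: List[str],
              ephemeral_only=("/run",)) -> Dict[str, List[str]]:
    """Map container name -> findings; an empty dict means every path is fine."""
    volumes = {v["name"]: v for v in pod["spec"].get("volumes", [])}
    findings: Dict[str, List[str]] = {}
    for c in pod["spec"]["containers"]:
        if not c.get("securityContext", {}).get("readOnlyRootFilesystem"):
            continue  # root overlay is writable, nothing to flag
        issues = []
        for p in required_paths:
            if any(_is_under(p, r) for r in RUNTIME_MOUNTS):
                continue  # e.g. /proc/self: never part of the image overlay
            mount = writable_mount_for(c, p)
            if mount is None:
                issues.append(f"{p}: no writable mount")
                continue
            vol = volumes.get(mount["name"], {})
            if any(_is_under(p, e) for e in ephemeral_only) and "emptyDir" not in vol:
                kind = next((k for k in vol if k != "name"), "unknown")
                issues.append(f"{p}: backed by {kind}, expected emptyDir")
        if issues:
            findings[c["name"]] = issues
    return findings


if __name__ == "__main__":
    paths = ["/run/app.pid", "/var/log/app.log", "/proc/self/status"]
    for label, pod in [("weak", WEAK_POD), ("fixed", FIXED_POD),
                       ("persistent-run", PERSISTENT_RUN_POD)]:
        print(label, check_pod(pod, paths) or "OK")
```

The check treats /proc the way the question does: it is a separate mount, so a write under it is never blocked by the flag, and the same holds for any volumeMount, which is why the emptyDir at /run in FIXED_POD passes while WEAK_POD does not. Longest-prefix matching matters when a narrower read-only mount (say a ConfigMap at /run/config) sits inside a writable /run.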