fix(guacamole): mount /home/guacamole instead of /home/guacamole/.guacamole (entrypoint rm fails on mount point)

The official Apache Guacamole image entrypoint runs `rm -rf $GUACAMOLE_HOME` (== `/home/guacamole/.guacamole`) before re-populating the directory on every start. When the chart mounted an emptyDir directly at `/home/guacamole/.guacamole`, that path was a mount point from the kernel's perspective, so `rm` failed with: rm: cannot remove '/home/guacamole/.guacamole': Read-only file system — the entrypoint exited non-zero and the Pod CrashLoopBackOff'd before the webapp ever started. (t20 debug matrix — Fix #5.) Mount the PARENT directory (`/home/guacamole`) instead. `.guacamole` becomes a regular subdirectory inside the emptyDir, which the entrypoint can freely `rm -rf` and recreate. The webapp's first-start writes still land in a writable location under readOnlyRootFilesystem. No Chart.yaml version bump per the t20 hard-rules contract — chart release will roll in the next blueprint-release wave. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 12:53:08 +02:00 · 2026-05-18 12:53:08 +02:00 · d45e8c17ab
commit d45e8c17ab
parent 3acb340b36
1 changed files with 14 additions and 5 deletions
--- a/platform/guacamole/chart/templates/guacamole-deployment.yaml
+++ b/platform/guacamole/chart/templates/guacamole-deployment.yaml
@ -81,12 +81,21 @@ spec:
            # state (logback marker file, optional auth state) to
            # ~/.guacamole on first start. With readOnlyRootFilesystem
            # the container cannot mkdir under $HOME unless we mount
-            # a writable emptyDir there. Pre-Fix-#39 follow-up the
-            # chart hadn't included this mount; pods crash-looped
-            # with `mkdir: cannot create directory
-            # '/home/guacamole/.guacamole': Read-only file system`.
+            # a writable emptyDir there.
+            #
+            # IMPORTANT: we mount the PARENT directory (/home/guacamole)
+            # rather than /home/guacamole/.guacamole itself. The official
+            # guacamole image entrypoint runs
+            # `rm -rf $GUACAMOLE_HOME` (== `/home/guacamole/.guacamole`)
+            # before re-populating it on every start. If we mounted the
+            # emptyDir at $GUACAMOLE_HOME directly the entrypoint would
+            # fail with `rm: cannot remove '/home/guacamole/.guacamole':
+            # Read-only file system` because you cannot unlink a mount
+            # point from inside the container. Mounting the parent
+            # makes .guacamole a regular subdirectory of the emptyDir
+            # which the entrypoint can freely rm and recreate.
            - name: guacamole-home
-              mountPath: /home/guacamole/.guacamole
+              mountPath: /home/guacamole
          resources:
            {{- toYaml .Values.guacamole.webapp.resources | nindent 12 }}
          securityContext: