docker(syncthing): Bug in folder usage during config update?

Hi,

I think I’ve discovered a bug and appreciate your feedback if I’m just doing it the wrong way or it really needs a fix :slightly_smiling_face:.

Excerpt of docker-compose:

    user: "XXXXXXX:XXXXXX"
    read_only: true
    security_opt:
      - no-new-privileges=true
    cap_drop:
      - ALL
    cap_add:
      - XXXXXX
    restart: unless-stopped
    network_mode: XXXXXX
    volumes:
      # config, index and logs: rw
      - ./config/config.xml:/var/syncthing/config/config.xml
      - ./config/config.xml.tmp:/var/syncthing/config/config.xml.tmp
      - ./data:/var/syncthing/data
      - ./logs:/var/syncthing/logs
      # config certs: ro
      - ./config/cert.pem:/var/syncthing/config/cert.pem:ro
      - ./config/key.pem:/var/syncthing/config/key.pem:ro
      - ./config/https-cert.pem:/var/syncthing/config/https-cert.pem:ro
      - ./config/https-key.pem:/var/syncthing/config/https-key.pem:ro

(ENV vars set accordingly in Dockerfile)

I observe this in the log when pausing a folder (or applying another config change through the web UI). Syncthing itself runs and does its job fine, still.

    INF Pausing device (device=XXXXX log.pkg=model)
    ERR Failed to save config (error="open /var/syncthing/config/.syncthing.tmp.035343045: read-only file system" log.pkg=api)

I see syncthing used the /config/ folder instead of the /config/config.xml.tmp/ folder it created when it beforehand had full write access to /config/. That’s why I mounted the folder /config/config.xml.tmp/ additionally after switching read-only.

Expectation: syncthing writes the tmp config to /config/config.xml.tmp/….. instead of /config/.syncthing.tmp.035343045 which it currently does.

Why don’t you simply mount the whole config folder?

You can’t map a file as a volume and expect to be able to replace it like Syncthing does when saving the config.

I’ll do so, thanks. I was just curious if I could distinguish the mounts between ro and rw :slightly_smiling_face:.

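An added example, not part of the original thread and not taken from Syncthing's documentation: one way to follow the advice above and still keep the ro/rw split the original poster asked about. It reuses the paths and redacted XXXXXX placeholders from the excerpt and assumes Docker's support for layering file bind mounts over a directory bind mount.

```yaml
# Added example (service-level fragment, same shape as the excerpt above).
user: "XXXXXXX:XXXXXX"
read_only: true
security_opt:
  - no-new-privileges=true
cap_drop:
  - ALL
cap_add:
  - XXXXXX
restart: unless-stopped
network_mode: XXXXXX
volumes:
  # Before (from the excerpt): config.xml mounted as a single file.
  # The log shows Syncthing creating .syncthing.tmp.* in the config
  # directory; it then replaces config.xml with that file. That needs a
  # writable directory, and config.xml must not itself be a mount point.
  #   - ./config/config.xml:/var/syncthing/config/config.xml
  #   - ./config/config.xml.tmp:/var/syncthing/config/config.xml.tmp

  # After: the whole config directory is rw, so the temp file can be
  # created next to config.xml and moved into place.
  - ./config:/var/syncthing/config
  - ./data:/var/syncthing/data
  - ./logs:/var/syncthing/logs
  # Key material is layered on top of the rw directory as ro file mounts.
  # Each of these paths is its own read-only mount point inside the
  # container, so it cannot be overwritten or replaced from there.
  - ./config/cert.pem:/var/syncthing/config/cert.pem:ro
  - ./config/key.pem:/var/syncthing/config/key.pem:ro
  - ./config/https-cert.pem:/var/syncthing/config/https-cert.pem:ro
  - ./config/https-key.pem:/var/syncthing/config/https-key.pem:ro
```

The root filesystem stays read-only; only the config, data and logs directories are writable, and the certificate and key files remain protected even though their parent directory is rw.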