Running the IBM MQ container with a read-only root file system

You can configure the IBM® MQ container to run with a read-only root file system. This prevents attackers from copying and running malicious code in the container.

About this task

Enabling the read-only root file system makes the container files immutable. That is, on the container file system, files can be viewed but not modified and no new files can be created. Files can only be modified or created on a mounted file system.

Scratch and Tmp volumes
Data to be written or modified is divided into two ephemeral volumes: Scratch and Tmp. These volumes are created and mounted into the /run and /tmp directories respectively, in the queue manager container.
  • The Scratch volume contains the configuration files, keystores, and other files that are used to configure the queue manager.
  • The Tmp volume contains diagnostic files, for example the queue manager RAS files.

When a read-only root file system is enabled and the enabled property of the Scratch or Tmp volume is set to true (the default value), an ephemeral volume of type emptyDir is created and mounted to the queue manager container for the respective ephemeral data.

[MQ 10.0.0 Jun 2026] You can disable the Scratch and Tmp volumes. When you set the enabled property of the Scratch or Tmp volume to false, a sub-directory of the queue manager data volume (/scratch or /tmp) is mounted to the queue manager container for the respective ephemeral data. If the queue manager data volume is of type persistent-claim, the queue manager data volume is a Persistent Volume Claim. If the type is set to ephemeral, the volume is an emptyDir volume.

When an emptyDir ephemeral volume is created and used for Scratch, Tmp, or the queue manager data, any files on this volume are lost on pod restart. If the size of the data in any of these volumes exceeds the value specified for the volume's sizeLimit property, Kubernetes can evict the pod and create a new one. The sizeLimit property applies only to emptyDir ephemeral volumes.

[MQ 10.0.0 Jun 2026] When Scratch or Tmp data is stored on the queue manager data volume (when the enabled property is set to false), and the data volume is a Persistent Volume Claim, this data is by default considered ephemeral because the queue manager container erases this data on startup. You can disable the deletion of Tmp data by setting the MQ_ENABLE_CLEAN_TMP_ON_START environment variable to false. For information about setting queue manager environment variables, see Example: Supplying additional environment variables for a queue manager.

Considerations for choosing a backing volume

Data for an emptyDir volume is stored on the backing medium of the node the associated pod is running on. Although the aforementioned sizeLimit property can limit the use of this storage, the emptyDir volume might run out of capacity before this limit is reached, if the backing medium is filled from another source. [MQ 10.0.0 Jun 2026] If the size of the backing medium for the node is insufficient, you might want to store Scratch and Tmp data on the queue manager data volume.

[MQ 10.0.0 Jun 2026] Storing Scratch and Tmp data on the queue manager data volume has other consequences. This storage might be accessed over the network, which means access to Scratch and Tmp data is slower. The default size of this volume is 2Gi. The default sizeLimit for the Scratch and Tmp volumes is 100M and 2Gi respectively, so you should increase the size of the data volume when storing this additional data. If the volume is not large enough, Scratch and Tmp data might consume it, preventing the queue manager from functioning normally. Setting MQ_ENABLE_CLEAN_TMP_ON_START to false might also lead to this problem, if the data in /tmp grows over time.

Procedure

A read-only root file system is not enabled by default. To enable it, complete one of the following procedures:

  • Enable a read-only root file system with emptyDir ephemeral volumes.
    1. Enable a read-only root file system by setting the readOnlyRootFilesystem property under .spec.securityContext to true:
      apiVersion: mq.ibm.com/v1beta1
      kind: QueueManager
      ...
      spec:
        securityContext:
          readOnlyRootFilesystem: true
    2. Optional: Set or change the queue manager data storage type.

      By default, a Persistent Volume Claim is mounted at /mnt/mqm. Or, if the type property is set to ephemeral in .spec.queueManager.storage.queueManager, an ephemeral volume is created and mounted.

    3. For each ephemeral volume, carefully consider by how much the data might grow. Set the value of the sizeLimit property accordingly, including SI units.
    4. Optional: Although the default value of the enabled property for both .spec.queueManager.storage.scratch and .spec.queueManager.storage.tmp is true, you can also explicitly set the value to true.
      In either case, emptyDir ephemeral volumes are created and used.

  • [MQ 10.0.0 Jun 2026] Enable a read-only root file system by using the queue manager data volume.
    1. Enable a read-only root file system by setting the readOnlyRootFilesystem property under .spec.securityContext to true:
      apiVersion: mq.ibm.com/v1beta1
      kind: QueueManager
      ...
      spec:
        securityContext:
          readOnlyRootFilesystem: true
    2. Configure the queue manager data volume.
      • Set the type to persistent-claim to ensure that the queue manager data volume is not an emptyDir ephemeral volume.
      • Set the class to a StorageClass that provides ReadWriteOnce (RWO) volumes, because Security-Enhanced Linux (SELinux) might prevent sockets from being written to other types of storage.
      • Carefully consider by how much the data might grow on the volume. Account for the queue manager data and Scratch and Tmp data. The default value for size is 2Gi, so set a larger value that includes Scratch and Tmp requirements. Set the value of size accordingly, including SI units.
      • Refer to .spec.queueManager.storage.queueManager to set any additional values for the data volume.
      For example:
      apiVersion: mq.ibm.com/v1beta1
      kind: QueueManager
      ...
      spec:
        queueManager:
          storage:
            queueManager:
              type: persistent-claim
              size: 5Gi
    3. Set the enabled property for both .spec.queueManager.storage.scratch and .spec.queueManager.storage.tmp to false.
      For example:
      apiVersion: mq.ibm.com/v1beta1
      kind: QueueManager
      ...
      spec:
        queueManager:
          storage:
            queueManager:
              type: persistent-claim
              size: 5Gi
            scratch:
              enabled: false
            tmp:
              enabled: false
      The queue manager data volume has the sub-directories of /scratch and /tmp mounted into the queue manager container.
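The sizing rules in "Considerations for choosing a backing volume" and the two procedures above are easy to get wrong in a manifest that is reviewed by eye. The following is an added example, not IBM code and not part of the MQ operator: a small pre-deployment check in Python that parses the Kubernetes quantities used for size and sizeLimit, confirms readOnlyRootFilesystem is set, requires an explicit sizeLimit on every emptyDir volume, and, when Scratch or Tmp data is placed on the data volume, requires a persistent-claim volume sized above the 2Gi default plus the 100M and 2Gi defaults for Scratch and Tmp. It assumes the QueueManager resource has already been loaded into a dict (for example with yaml.safe_load) and assumes that additional environment variables appear under spec.queueManager.env as name/value entries; the three sample manifests are constructed for this example.

```python
import re

# Kubernetes quantity suffixes accepted for size and sizeLimit (decimal and binary).
_SUFFIX = {
    None: 1,
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
}

# Defaults quoted in the documentation: data volume 2Gi, Scratch sizeLimit 100M, Tmp sizeLimit 2Gi.
DEFAULT_DATA_SIZE = "2Gi"
DEFAULT_SIZE_LIMIT = {"scratch": "100M", "tmp": "2Gi"}


def parse_quantity(quantity):
    """Convert a Kubernetes quantity string such as '100M' or '5Gi' into bytes."""
    match = re.fullmatch(r"(\d+)(Ki|Mi|Gi|Ti|k|M|G|T)?", str(quantity).strip())
    if not match:
        raise ValueError(f"unsupported quantity: {quantity!r}")
    return int(match.group(1)) * _SUFFIX[match.group(2)]


def check_queue_manager(manifest):
    """Return a list of findings; an empty list means the manifest follows the guidance above."""
    findings = []
    spec = manifest.get("spec", {})

    # 1. A read-only root file system is off by default and must be switched on explicitly.
    if spec.get("securityContext", {}).get("readOnlyRootFilesystem") is not True:
        findings.append("spec.securityContext.readOnlyRootFilesystem is not true")

    qm = spec.get("queueManager", {})
    storage = qm.get("storage", {})
    data = storage.get("queueManager", {})
    data_type = data.get("type", "persistent-claim")  # a Persistent Volume Claim is the default
    data_size = parse_quantity(data.get("size", DEFAULT_DATA_SIZE))
    if data_type == "ephemeral" and "sizeLimit" not in data:
        findings.append("queueManager: ephemeral data volume is used but sizeLimit is not set")

    # Assumption (not stated on this page): extra environment variables are listed
    # under spec.queueManager.env as {name, value} entries.
    env = {e.get("name"): str(e.get("value", "")) for e in qm.get("env", [])}
    keep_tmp = env.get("MQ_ENABLE_CLEAN_TMP_ON_START", "true").lower() == "false"

    extra_on_data_volume = 0
    for vol in ("scratch", "tmp"):
        cfg = storage.get(vol, {})
        if cfg.get("enabled", True):
            # 2a. emptyDir in use: an explicit sizeLimit bounds the node-local storage it may consume.
            if "sizeLimit" not in cfg:
                findings.append(f"{vol}: emptyDir volume is used but sizeLimit is not set")
        else:
            # 2b. Data goes to /scratch or /tmp on the data volume, which must be a PVC.
            if data_type != "persistent-claim":
                findings.append(f"{vol}: enabled is false but data volume type is {data_type!r}, not persistent-claim")
            extra_on_data_volume += parse_quantity(DEFAULT_SIZE_LIMIT[vol])
            if vol == "tmp" and keep_tmp:
                findings.append("tmp: MQ_ENABLE_CLEAN_TMP_ON_START=false lets /tmp grow on the data volume across restarts")

    # 3. The data volume must exceed its 2Gi default when it also holds Scratch and Tmp data.
    if extra_on_data_volume:
        needed = parse_quantity(DEFAULT_DATA_SIZE) + extra_on_data_volume
        if data_size < needed:
            findings.append(f"data volume size {data.get('size', DEFAULT_DATA_SIZE)} is below the "
                            f"{needed} bytes needed for queue manager data plus Scratch and Tmp")
    return findings


# Constructed sample manifests (not taken from the documentation).
EXAMPLE_EMPTYDIR = {  # procedure 1: emptyDir volumes with explicit limits
    "apiVersion": "mq.ibm.com/v1beta1", "kind": "QueueManager",
    "spec": {"securityContext": {"readOnlyRootFilesystem": True},
             "queueManager": {"storage": {"queueManager": {"type": "persistent-claim", "size": "2Gi"},
                                          "scratch": {"enabled": True, "sizeLimit": "100M"},
                                          "tmp": {"enabled": True, "sizeLimit": "2Gi"}}}}}
EXAMPLE_DATA_VOLUME = {  # procedure 2: Scratch and Tmp on an enlarged data volume
    "apiVersion": "mq.ibm.com/v1beta1", "kind": "QueueManager",
    "spec": {"securityContext": {"readOnlyRootFilesystem": True},
             "queueManager": {"storage": {"queueManager": {"type": "persistent-claim", "size": "5Gi"},
                                          "scratch": {"enabled": False},
                                          "tmp": {"enabled": False}}}}}
EXAMPLE_TOO_SMALL = {  # procedure 2 with the default 2Gi data volume and Tmp cleanup disabled
    "apiVersion": "mq.ibm.com/v1beta1", "kind": "QueueManager",
    "spec": {"securityContext": {"readOnlyRootFilesystem": True},
             "queueManager": {"env": [{"name": "MQ_ENABLE_CLEAN_TMP_ON_START", "value": "false"}],
                              "storage": {"queueManager": {"type": "persistent-claim"},
                                          "scratch": {"enabled": False},
                                          "tmp": {"enabled": False}}}}}

if __name__ == "__main__":
    for name, manifest in [("emptydir", EXAMPLE_EMPTYDIR), ("data-volume", EXAMPLE_DATA_VOLUME),
                           ("too-small", EXAMPLE_TOO_SMALL)]:
        print(name, check_queue_manager(manifest) or "OK")
```

The check deliberately uses the page's defaults rather than reading the Tmp sizeLimit from the manifest when tmp is disabled, because sizeLimit applies only to emptyDir volumes; the data volume has to be sized for the real growth you expect in /scratch and /tmp, and the StorageClass access mode cannot be verified from the QueueManager resource alone.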