glizzyguzzler@lemmy.blahaj.zone 1 week ago
Looks awesome and very efficient, does it also run with read_only: true
(with a db volume provided, of course!)? Many containers just need a /tmp, but not always
SinTan1729@programming.dev 1 week ago
I had never tested this before. Seems like it throws errors. Of course, adding and deleting links don’t work. But that’s to be expected. But also link resolution fails since it cannot update the hit count properly. If this is a legitimate use case for you, I might work on making it work.
glizzyguzzler@lemmy.blahaj.zone 1 week ago
I try to slap anything I’d face the Internet with with the read_only to further restrict exploit possibilities, would be abs great if you could make it work! I just follow all reqs on the security cheat sheet, with read_only being one of them: …owasp.org/…/Docker_Security_Cheat_Sheet.html
With how simple it is I guessed that running as a user and restricting cap_drop: all wouldn’t be a problem.
For read_only many containers just need tmpfs: /tmp in addition to the volume for the db. I think many containers just try to contain temporary file writing to one directory to make applying read_only easier.
So again, I’d abs use it with read_only when you get the time to tune it!!
SinTan1729@programming.dev 1 week ago
On further testing, this does actually work. You may set both read_only: true and cap_drop: all and it will work as long as you have a named volume. I had it mount a database file from the host system for my test config, which is why I was getting the errors. I don’t know how to make that work though, i.e. when the db is bind mounted from the host system. Setting the mount :rw doesn’t seem to fix it.
glizzyguzzler@lemmy.blahaj.zone 6 days ago
Odd, I’ll try to deploy this when I can and see!
I’ve never had a problem with a volume being on the host system, except with user permissions messed up. But if you haven’t given it a user parameter it’s running as root and shouldn’t have a problem. So I’ll see sometime and get back to you!
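A way to check the settings discussed in this thread on a deployed container, as an added example that is not part of any post and not the project's own code: it audits `docker inspect` output for read_only, cap_drop: all, a tmpfs on /tmp, a non-root user and the kind of writable mount. The sample JSON is constructed, and the container names, paths and UID in it are hypothetical.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical
# containers; names, paths and the UID are made up for illustration.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/app-hardened", "Config": {"User": "1000:1000"},
  "HostConfig": {"ReadonlyRootfs": true, "CapDrop": ["ALL"], "Tmpfs": {"/tmp": ""}},
  "Mounts": [{"Type": "volume", "Name": "db", "Destination": "/db", "RW": true}]},
 {"Name": "/app-default", "Config": {"User": ""},
  "HostConfig": {"ReadonlyRootfs": false, "CapDrop": null, "Tmpfs": null},
  "Mounts": [{"Type": "bind", "Source": "/srv/urls.db",
              "Destination": "/urls.db", "RW": true}]}
]""")


def audit(container):
    """Return a list of findings for one `docker inspect` entry."""
    host = container.get("HostConfig") or {}
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (read_only not set)")
    dropped = {c.upper() for c in (host.get("CapDrop") or [])}
    if "ALL" not in dropped:
        findings.append("capabilities not dropped (cap_drop: all not set)")
    user = (container.get("Config") or {}).get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root (no user set)")
    writable = [m for m in (container.get("Mounts") or []) if m.get("RW")]
    if host.get("ReadonlyRootfs"):
        if "/tmp" not in (host.get("Tmpfs") or {}):
            findings.append("no tmpfs on /tmp (many containers need one under read_only)")
        if not writable:
            findings.append("read-only rootfs with no writable volume for the db")
    for m in writable:
        if m.get("Type") == "bind":
            findings.append(f"writable bind mount {m.get('Source')}: "
                            "host ownership must match the container user")
    return findings


def audit_all(inspect_output):
    """Map container name to its findings; an empty list means all checks passed."""
    return {c["Name"].lstrip("/"): audit(c) for c in inspect_output}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

On a real host, feed it the parsed output of `docker inspect <container>` instead of the constructed sample.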