I try to slap anything I’d face the Internet with with the read_only to further restrict exploit possibilities, would be abs great if you could make it work! I just follow all reqs on the security cheat sheet, with read_only being one of them: …owasp.org/…/Docker_Security_Cheat_Sheet.html
With how simple it is I guessed that running as a user and restricting cap_drop: all wouldn’t be a problem.
For read_only many containers just need tmpfs: /tmp in addition to the volume for the db. I think many containers just try to contain temporary file writing to one directory to make applying read_only easier.
So again, I’d abs use it with read_only when you get the time to tune it!!
SinTan1729@programming.dev 1 week ago
On further testing, this does actually work. You may set both
read_only: true
, andcap_drop: all
and it will work as long as you have a named volume. I had it mount a database file from the host system for my test config, which is why I was getting the errors. I don’t know how to make that work though i.e. when the db is bind mounted from the host system. Setting the mount:rw
doesn’t seem to fix it.glizzyguzzler@lemmy.blahaj.zone 6 days ago
Odd, I’ll try to deploy this when I can and see!
I’ve never had a problem with a volume being on the host system, except with user permissions messed up. But if you haven’t given it a user parameter it’s running as root and shouldn’t have a problem. So I’ll see sometime and get back to you!