Title
Harden the Docker container by running it read-only.
Platform
Web-app
Is it related to an issue?
When setting read_only: true in docker compose, nginx.conf cannot be created:
termix | /entrypoint.sh: 41: cannot create /app/nginx/nginx.conf: Read-only file system
When setting /app/nginx as tmpfs then nginx.conf.template is not found:
termix | /entrypoint.sh: 41: cannot open /app/nginx/nginx.conf.template: No such file
The Solution
Adapt the image in a way that it can be run read-only and maybe even root-less as a different Docker Compose user (not only CHOWNing to env vars PUID:GUID).
Additional Context
It would be nice to be able to harden the image more by allowing the least privileges needed.
docker-compose.yml
services:
  termix:
    # ...
    user: 30000:30000
    read_only: true
    tty: false
    stdin_open: false
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
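One way the image could be adapted so the entrypoint survives read_only: true, shown as an added example that is not Termix's own /entrypoint.sh and not part of the issue above: leave the template on the read-only image layer, write the rendered nginx.conf to a tmpfs mounted somewhere else, and start nginx against that copy. The mount point /run/nginx, the placeholder names PORT and SERVER_NAME, and the "start"/"demo" arguments are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example of a read-only-friendly entrypoint; not Termix's own /entrypoint.sh.
# Assumptions (not from the issue): the template stays on the image layer at
# /app/nginx/nginx.conf.template, the rendered config is written to a tmpfs that
# Compose mounts at /run/nginx, and the template uses ${PORT} and ${SERVER_NAME}.
set -eu

NGINX_TEMPLATE="${NGINX_TEMPLATE:-/app/nginx/nginx.conf.template}"  # read-only image layer
NGINX_CONF_DIR="${NGINX_CONF_DIR:-/run/nginx}"                      # writable tmpfs (assumed)

# Render ${NAME} placeholders with plain sed, so the image needs no envsubst.
# Args: template, output path, then NAME=VALUE pairs.
# Fails with a clear message when the output directory is not writable (the
# cause of "cannot create ...: Read-only file system") and when any placeholder
# is left unresolved, rather than emitting an empty nginx directive.
render_nginx_conf() {
  template=$1; out=$2; shift 2
  [ -r "$template" ] || { echo "template not readable: $template" >&2; return 1; }
  outdir=$(dirname "$out")
  if [ ! -d "$outdir" ] || [ ! -w "$outdir" ]; then
    echo "cannot write to $outdir: mount a tmpfs there instead of over the template dir" >&2
    return 1
  fi
  tmp="$out.tmp"
  cp "$template" "$tmp"
  for kv in "$@"; do
    name=${kv%%=*}
    value=${kv#*=}
    esc=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')  # escape sed replacement metachars
    sed 's/\${'"$name"'}/'"$esc"'/g' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
  done
  if grep -E -q '\$\{[A-Za-z_][A-Za-z0-9_]*\}' "$tmp"; then
    echo "unresolved placeholders in $template:" >&2
    grep -E -o '\$\{[A-Za-z_][A-Za-z0-9_]*\}' "$tmp" | sort -u >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$out"
}

# Container start: render, then run nginx against the copy on tmpfs. The default
# config path is compiled into nginx and lives on the read-only layer, so -c is
# required. 8080 rather than 80 because user 30000 with every capability dropped
# cannot bind a port below 1024 (unless ip_unprivileged_port_start is lowered).
start_nginx() {
  render_nginx_conf "$NGINX_TEMPLATE" "$NGINX_CONF_DIR/nginx.conf" \
    PORT="${PORT:-8080}" SERVER_NAME="${SERVER_NAME:-_}"
  exec nginx -c "$NGINX_CONF_DIR/nginx.conf" -g 'daemon off;'
}

# Offline demo: a constructed template in a temp dir, rendered into a sibling
# "tmpfs" dir, so the rendering logic can be exercised without Docker or nginx.
demo_render() {
  work=$(mktemp -d)
  mkdir -p "$work/image/nginx" "$work/run/nginx"
  printf 'server {\n  listen ${PORT};\n  server_name ${SERVER_NAME};\n}\n' \
    > "$work/image/nginx/nginx.conf.template"
  render_nginx_conf "$work/image/nginx/nginx.conf.template" \
    "$work/run/nginx/nginx.conf" PORT=8080 SERVER_NAME=termix.local
  cat "$work/run/nginx/nginx.conf"
  rm -rf "$work"
}

# ENTRYPOINT ["/entrypoint.sh", "start"] in the Dockerfile; "demo" for a local check.
case "${1:-}" in
  start) start_nginx ;;
  demo)  demo_render ;;
esac
```

On the Compose side this pairs with a tmpfs entry for /run/nginx next to read_only: true; depending on the nginx build, its pid file and client-body/proxy temp directories also need writable locations and can go on tmpfs the same way. A quick check that the hardening holds is to exec into the running container and try to create a file under /app: it should fail with "Read-only file system" while /run/nginx/nginx.conf exists and is the config nginx was started with.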