Docker: Allow running zeebe with a read-only root filesystem #11876

Closed
megglos opened this issue Mar 1, 2023 · 0 comments · Fixed by #11877
Labels
kind/feature Categorizes an issue or PR as a feature, i.e. new behavior support Marks an issue as related to a customer support request version:8.1.9 Marks an issue as being completely or in parts released in 8.1.9 version:8.2.0 Marks an issue as being completely or in parts released in 8.2.0

megglos commented Mar 1, 2023

Is your feature request related to a problem? Please describe.
Following security recommendations, containers should be run with a read-only root file system.
As of now, running Zeebe with a read-only filesystem causes it to fail with errors such as:

Caused by: java.nio.file.FileSystemException: /tmp/tomcat.9600.15613282835628980530: Read-only file system

Describe the solution you'd like
/usr/local/zeebe/data, /usr/local/zeebe/logs and /tmp are defined as VOLUME in the Dockerfile to instruct docker to always create volumes for these paths.

Describe alternatives you've considered
At least documentation on container security should indicate that running zeebe with a read only root filesystem requires mounting /usr/local/zeebe/data, /usr/local/zeebe/logs and /tmp.

Relates to https://jira.camunda.com/browse/SUPPORT-14820
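
A check for the requirement described in the issue above, as an added example that is not part of the original issue or the Zeebe project's code: it reads `docker inspect` output and reports which of the three paths lack a writable mount when the root filesystem is read-only. The container entries are constructed sample data, the function names are hypothetical, and any tmpfs entry is assumed to be writable.

```python
import json

# Paths the issue names as needing a mount under a read-only root filesystem.
REQUIRED_WRITABLE = ("/usr/local/zeebe/data", "/usr/local/zeebe/logs", "/tmp")

# Constructed sample shaped like `docker inspect` output (not real containers).
SAMPLE = json.loads("""
[
 {"Name": "/zeebe-ok",
  "HostConfig": {"ReadonlyRootfs": true, "Tmpfs": {"/tmp": "rw,noexec,nosuid"}},
  "Mounts": [
   {"Type": "volume", "Destination": "/usr/local/zeebe/data", "RW": true},
   {"Type": "volume", "Destination": "/usr/local/zeebe/logs", "RW": true}]},
 {"Name": "/zeebe-missing",
  "HostConfig": {"ReadonlyRootfs": true, "Tmpfs": null},
  "Mounts": [
   {"Type": "volume", "Destination": "/usr/local/zeebe/data", "RW": true},
   {"Type": "bind", "Destination": "/usr/local/zeebe/logs", "RW": false}]},
 {"Name": "/zeebe-writable-root",
  "HostConfig": {"ReadonlyRootfs": false}, "Mounts": []}
]
""")

def audit_container(entry):
    """Return (root_is_read_only, required paths without a writable mount)."""
    host_config = entry.get("HostConfig") or {}
    read_only = bool(host_config.get("ReadonlyRootfs"))
    # --tmpfs mounts appear in HostConfig.Tmpfs; volumes and binds in Mounts.
    # Assumption: a tmpfs entry is writable (its options are not parsed here).
    writable = {p.rstrip("/") for p in (host_config.get("Tmpfs") or {})}
    for mount in entry.get("Mounts") or []:
        if mount.get("RW"):
            writable.add(mount.get("Destination", "").rstrip("/"))
    return read_only, sorted(p for p in REQUIRED_WRITABLE if p not in writable)

def verdict(entry):
    read_only, missing = audit_container(entry)
    if not read_only:
        return "root filesystem is writable"
    if missing:
        return "read-only root, no writable mount for: " + ", ".join(missing)
    return "ok"

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry["Name"].lstrip("/"), "->", verdict(entry))
```

For a running container, feed the JSON printed by `docker inspect` to `json.load` in place of `SAMPLE`.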

@megglos megglos added the kind/feature Categorizes an issue or PR as a feature, i.e. new behavior label Mar 1, 2023
@megglos megglos self-assigned this Mar 1, 2023
@megglos megglos added support Marks an issue as related to a customer support request backport stable/8.0 labels Mar 2, 2023
zeebe-bors-camunda bot added a commit that referenced this issue Mar 2, 2023
11888: [Backport stable/8.1] feat(docker): read only root filesystem support r=megglos a=backport-action

# Description
Backport of #11877 to `stable/8.1`.

relates to #11876

Co-authored-by: Meggle (Sebastian Bathke) <sebastian.bathke@camunda.com>
zeebe-bors-camunda bot added a commit that referenced this issue Mar 2, 2023
11887: [Backport stable/8.0] feat(docker): read only root filesystem support r=megglos a=backport-action

# Description
Backport of #11877 to `stable/8.0`.

relates to #11876

Co-authored-by: Meggle (Sebastian Bathke) <sebastian.bathke@camunda.com>
@megglos megglos added the version:8.1.9 Marks an issue as being completely or in parts released in 8.1.9 label Mar 13, 2023
@npepinpe npepinpe added the version:8.2.0 Marks an issue as being completely or in parts released in 8.2.0 label Apr 5, 2023