
add information for volumes

This commit is contained in:
Wonderfall 2022-04-03 07:02:41 +02:00
parent dbf0e2d3c3
commit 7be4501d83


@ -161,7 +161,9 @@ The `--cgroup-parent` option should be avoided as it uses the host cgroup and no
### Read-only filesystem ### Read-only filesystem
It is good practice to treat the image as some refer to as the "golden image". It is good practice to treat the image as some refer to as the "golden image".
In other words, you'll run containers in *read-only* mode, with an immutable filesystem inherited from the image. Only the mounted volumes will be read/write accessible. However, the image may not be perfect and require read/write access to some parts of the filesystem, likely directories such as `/tmp`, `/run` or `/var`. You can make a **tmpfs** for those (a temporary filesystem in the container attributed memory), because they're not persistent data anyway. In other words, you'll run containers in *read-only* mode, with an immutable filesystem inherited from the image. Only the mounted volumes will be read/write accessible, and those should ideally be mounted with the `noexec`, `nosuid` and `nodev` options for extra security. If read/write access isn't needed, mount these volumes as read-only too.
However, the image may not be perfect and still require read/write access to some parts of the filesystem, likely directories such as `/tmp`, `/run` or `/var`. You can make a **tmpfs** for those (a temporary filesystem in the container attributed memory), because they're not persistent data anyway.
In a Compose file, that would look like the following settings: In a Compose file, that would look like the following settings:
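Review bot: the new sentence "those should ideally be mounted with the `noexec`, `nosuid` and `nodev` options" tells the reader what to do but not where it is done, and the paragraph that follows promises a Compose example that, as far as this hunk shows, only covers the read-only root and the tmpfs directories. Docker does not take these flags as a per-mount argument on a bind mount; they come from the host mount the bind source lives on, from the volume driver's mount options (for the `local` driver, the `o=` option), or from the tmpfs spec itself (for example `--tmpfs /tmp:rw,noexec,nosuid,size=64m`), so a short clause naming which of these applies would keep readers from looking for a Compose key that does not exist. Two smaller points in the same paragraph: "If read/write access isn't needed, mount these volumes as read-only too" could name the `:ro` suffix that the Compose example presumably uses, and "in the container attributed memory" reads awkwardly; "in memory allocated to the container" says the same thing.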