zlacker

8 comments
1. tracke+(OP) 2025-12-17 23:10:55
Another is running containers in read-only mode, assuming they support this configuration... it will minimize a lot of potential attack surface.
replies(1): >>3eb798+wv
2. 3eb798+wv 2025-12-18 04:15:14
>>tracke+(OP)
Never looked into this. I would expect the majority of images would fail in this configuration. Or am I unduly pessimistic?
replies(4): >>s_ting+JC >>hxtk+wE >>flower+OH >>tracke+T03
3. s_ting+JC 2025-12-18 05:48:39
>>3eb798+wv
Depends on the specific app use case. Nginx doesn't work with it, but valkey will.
4. hxtk+wE 2025-12-18 06:07:32
>>3eb798+wv
Many fail if you do it without any additional configuration. In Kubernetes you can mostly get around it by mounting `emptyDir` volumes to the specific directories that need to be writable, `/tmp` being a common culprit. If they need to be writable and have content that exists in the base image, you'd usually mount an emptyDir to `/tmp` and copy the content into it in an `initContainer`, then mount the same `emptyDir` volume to the original location in the runtime container.

Unfortunately, there is no way to specify those `emptyDir` volumes as `noexec` [1].

I think the docker equivalent is `--tmpfs` for the `emptyDir` volumes.

1: https://github.com/kubernetes/kubernetes/issues/48912

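The pattern described in the comment above, written out as an added example (not code from the thread or from any project mentioned in it): a Pod whose root filesystem is read-only, with `/tmp` backed by a memory-backed `emptyDir` and a second `emptyDir` that an `initContainer` seeds from the image before the runtime container mounts it at the original path. The image name `example.invalid/app:1.0`, the UID `10001`, the seeded path `/var/lib/app` and the container names are assumptions for illustration.

```yaml
# Added example, not from the original thread. Image, UID and paths are
# hypothetical; adjust to whatever your image actually needs to write.
apiVersion: v1
kind: Pod
metadata:
  name: readonly-app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001      # assumed non-root UID present in the image
    runAsGroup: 10001
    fsGroup: 10001        # emptyDir contents become group-writable for this GID
  volumes:
    - name: tmp
      emptyDir:
        medium: Memory    # tmpfs-backed; cannot be made noexec (kubernetes issue 48912)
        sizeLimit: 64Mi
    - name: app-data
      emptyDir: {}
  initContainers:
    # The image ships files under /var/lib/app that the app must also write to.
    # Mounting an emptyDir there would hide them, so copy them into the
    # volume first (mounted at /seed here), then mount the same volume at the
    # original path in the runtime container.
    - name: seed-app-data
      image: example.invalid/app:1.0     # hypothetical image
      command: ["sh", "-c", "cp -R /var/lib/app/. /seed/"]
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: app-data
          mountPath: /seed
  containers:
    - name: app
      image: example.invalid/app:1.0     # hypothetical image
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp                # common culprit: scratch space
        - name: app-data
          mountPath: /var/lib/app        # same volume, now at the original path
```

A quick way to find out which paths an image actually writes is to run it once with `readOnlyRootFilesystem: true` and no extra mounts and read the `EROFS` errors from its logs, then add one `emptyDir` per path. Note that `cp -R` (rather than `cp -a`) is used deliberately so the seeded files end up owned by the non-root UID the container runs as instead of failing to preserve root ownership.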
5. flower+OH 2025-12-18 06:48:58
>>3eb798+wv
Readonly and rootless are my two requirements for Docker containers. Most images can't run readonly because they try to create a user in some startup script. Since I want my UIDs unique to isolate mounted directories, this is meaningless. I end up having to wrap or copy Dockerfiles to make them behave reasonably.

Having such a nice layered buildsystem with mountpoints, I'm amazed Docker made readonly an afterthought.

replies(1): >>subscr+AO
6. subscr+AO 2025-12-18 07:59:08
>>flower+OH
I like steering docker runs with docker-compose, especially with .env files - easy to store in repositories, easy to customise and have sane defaults.
replies(1): >>flower+Ad1
7. flower+Ad1 2025-12-18 11:53:47
>>subscr+AO
Yeah agreed. I use docker-compose. But it doesn't help if the Docker images try to update /etc/passwd, or force a hardcoded UID, or run some install.sh at runtime instead of buildtime.
replies(1): >>subscr+rfk
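As an added example (not from the thread or from any project it mentions) of the read-only plus rootless setup discussed in comments 5 through 7, steered through docker-compose with a `.env` file: the service runs as a UID taken from `.env`, with a read-only root filesystem, a `tmpfs` on `/tmp` and a bind mount for the one directory that must persist. The image name, UID/GID, and the `/var/lib/app` data path are assumptions; the `.env` contents are constructed for the example. The mount-option suffix on the `tmpfs` entry is the syntax `docker run --tmpfs` accepts, and, unlike a Kubernetes `emptyDir`, it can be `noexec`; confirm your compose version passes it through.

```yaml
# Added example, not from the original thread. Image, UID/GID and paths are
# hypothetical.
#
# .env (constructed for this example; lives next to the compose file):
#   APP_IMAGE=example.invalid/app:1.0
#   APP_UID=10001
#   APP_GID=10001
services:
  app:
    image: ${APP_IMAGE:-example.invalid/app:1.0}
    # Rootless: a unique UID/GID per service so bind-mounted directories are
    # isolated from each other on the host.
    user: "${APP_UID:-10001}:${APP_GID:-10001}"
    # Read-only root filesystem; anything the image tries to write at startup
    # outside the mounts below (e.g. /etc/passwd edits, an install.sh run at
    # runtime) will fail with EROFS, which is the point.
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m
    volumes:
      # The only persistent, writable path; owned by APP_UID on the host.
      - ./data:/var/lib/app
    environment:
      HOME: /tmp            # software that insists on writing to $HOME
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
```

Create the host directory with the matching owner before the first start (`mkdir -p data && chown 10001:10001 data`), otherwise the non-root process cannot write to the bind mount. Images that create users or run installers at container start, as the comments above describe, still need a wrapped Dockerfile that does that work at build time.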
8. tracke+T03 2025-12-18 20:48:47
>>3eb798+wv
It's hit or miss... you sometimes have to make /tmp or another data directory writable... some images just don't operate right because of initialization steps that happen on first run. It's hit or miss and depends... but a lot of your own apps can definitely be made to work with limited, or no, write surface.
9. subscr+rfk 2025-12-25 14:50:30
>>flower+Ad1
Oh, absolutely. Some things some images try to do are just silly.