Think about making mastercontainer read-only

[szaimen]

Follow-up to #2506

• needs improve webserver conf mastercontainer #3069

TODO:

• Create anonymous volumes in Dockerfile that are automatically created for all directories that need to be writeable
• watchtower - remove anonymous volumes #3215
• put www-data into root group by default so that we dont need to add it to a group during runtimes
• adjust docs to reflect read-only setting
• more?

[szaimen]

• put www-data into root group by default so that we dont need to add it to a group during runtimes? Does it come with security problems?

@Zoey2936 do you know if this comes with security draw-backs?

[Zoey2936]

• put www-data into root group by default so that we dont need to add it to a group during runtimes? Does it come with security problems?

@Zoey2936 do you know if this comes with security draw-backs?

not sure, but it could cause that the www-data user can access all files

[szaimen]

I see but would that be a security problem? I mean it runs in a dedicated and soon read-only container. The most important files in /mnt/docker-aio-config are already readable by the user anyway... So do you think it would be fine to do this?

[Zoey2936]

also not sure

[szaimen]

I asked if the idea makes sense internally and it makes sense to do this 👍

[szaimen]

I've changed my mind. I decided to not do this for now as it will also make testing (much) harder which is of course not cool from a maintenance perspective.