Think about switching some containers to readonlyrootfs #2506
Comments
Redis is now read-only which is released with v6.1.0 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
Borg, imaginary, watchtower and clamav are now also read-only which is released with v6.2.0 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
Apache, domaincheck, postgresql, talk and talk-recording are now also read-only which is released with v6.3.0 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
Hmm, out of curiosity, what's the goal of making the containers read-only? What are the advantages of this?
Hello @szaimen, Oh, thanks for the link. Sounds great indeed. Kind regards
Mastercontainer will be done in #3137
in order to improve the security
Important:
All locations where tmpfs are mounted need to have 777 applied beforehand (if running as non-root user). Otherwise it will not work.
Possible:
- FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/'] (Make borgbackup read-only #2812)
- ln: /var/lock/lock: Read-only file system (make clamav read-only #2813)
- collabora (probably no as they copy some stuff internally, but they copy to /opt/coll/child-roots so could be investigated) (make collabora container read-only #2872). Not possible without huge effort. Reverted with Revert "make collabora container read-only" #2952
- fulltextsearch (make FTS read-only #3048). Not possible without huge effort. Reverted with Revert "make FTS read-only" #3117
- nextcloud (no as we would not be able to add dependencies anymore)
- onlyoffice (no)
- /var/run/postgresql/.s.PGSQL.5432.lock": Read-only file system (make postgresql container read-only #2871)