5.12 Mount container's root filesystem as read only

Information

The container's root filesystem should be treated as a 'golden image', and writes to it should be avoided. Data should not be written inside the container itself; instead, an explicit volume should be defined for anything the container needs to write, so that the data volume belonging to a container is deliberately declared and administered. This is useful in many cases where the administrator wants to control where developers may write files and error logs. It also has the following advantages:
* This leads to an immutable infrastructure
* Since the container instance cannot be written to, there is no need to audit instance divergence
* Reduced security attack vectors since the instance cannot be tampered with or written to
* Ability to use a purely volume based backup without backing up anything from the instance

Solution

Add the '--read-only' flag so that the container's root filesystem is mounted read-only. Use it in combination with volumes to force the container's processes to write only to locations that will be persisted.

You should run the container as below-
$>docker run <Run arguments> --read-only -v <writable-volume> <Container Image Name or ID> <Command>
For example,
docker run --interactive --tty --read-only --volume /centdata centos /bin/bash
This runs the container with a read-only root filesystem and mounts an anonymous volume at '/centdata', which is the only location inside the container that can be written to.
Impact-
The container root filesystem will not be writable. You must explicitly define a volume (or a tmpfs mount) for every location the container needs to write to; processes that expect a writable scratch directory such as /tmp or a log directory will fail otherwise.
Default Value-
By default, a container's root filesystem is writable, allowing processes to write files anywhere.
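The following script is an added example and is not part of the benchmark text or of any Tenable or CIS tooling. It goes slightly beyond the command shown above: it starts a container with a read-only root filesystem, supplies the only writable locations (a named volume at /data and an in-memory tmpfs at /tmp), demonstrates that a write to the root filesystem is refused while a write to the volume succeeds, and audits every running container by reading the HostConfig.ReadonlyRootfs field that '--read-only' sets. It assumes the Docker CLI is installed; the image 'alpine:3.19', the container name 'ro-demo' and the volume name 'ro-demo-data' are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Runs a container with a
# read-only root filesystem, gives it the only writable locations it needs,
# proves the restriction, and audits running containers for the setting.
# Assumptions: the Docker CLI is installed and usable; the image, container
# name and volume name below are hypothetical placeholders.
set -eu

IMAGE="alpine:3.19"    # hypothetical image
NAME="ro-demo"         # hypothetical container name
VOLUME="ro-demo-data"  # hypothetical named volume

# Start the container read-only. Writes are possible only into the named
# volume at /data and into an in-memory tmpfs at /tmp; many programs expect
# a writable /tmp and fail under --read-only if it is not provided.
run_readonly_container() {
    docker run --detach --name "$NAME" --read-only \
        --volume "$VOLUME:/data" \
        --tmpfs /tmp:rw,noexec,nosuid,size=65536k \
        "$IMAGE" sleep 300
}

# Show the effect: a write into the root filesystem must fail with
# "Read-only file system", a write into the volume must succeed.
demonstrate_writes() {
    if docker exec "$NAME" sh -c 'echo probe > /etc/probe' 2>/dev/null; then
        echo "unexpected: root filesystem is writable" >&2
        return 1
    fi
    docker exec "$NAME" sh -c 'echo probe > /data/probe'
    echo "root filesystem refused the write; volume accepted it"
}

# Audit helper: reads "<name> <ReadonlyRootfs>" lines on stdin (the format
# produced by audit_running_containers below), reports every container whose
# root filesystem is still writable, and returns 1 if any was found.
audit_readonly_rootfs() {
    noncompliant=0
    while read -r name flag; do
        [ -n "$name" ] || continue
        if [ "$flag" != "true" ]; then
            echo "NON-COMPLIANT: $name has a writable root filesystem"
            noncompliant=$((noncompliant + 1))
        fi
    done
    [ "$noncompliant" -eq 0 ]
}

# Live audit of every running container: HostConfig.ReadonlyRootfs is the
# field that --read-only sets to true.
audit_running_containers() {
    for id in $(docker ps --quiet); do
        docker inspect --format '{{.Name}} {{.HostConfig.ReadonlyRootfs}}' "$id"
    done | audit_readonly_rootfs
}

# Run the whole demonstration with: sh readonly-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    run_readonly_container
    demonstrate_writes
    audit_running_containers
    docker rm --force "$NAME" >/dev/null
fi
```

The audit function deliberately takes its input on stdin rather than calling Docker itself, so the same check can be run against 'docker inspect' output collected from another host or from a CI job. Note that a read-only root filesystem does not restrict writes to volumes, tmpfs mounts or bind mounts, so those locations still need their own review.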

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7

Plugin: Unix

Control ID: 44c891240a83aa4698495f6cb665f280f3f640a09b1cb1f3b2a1cd96b7d22799