5.13 Mount container's root filesystem as read only

Information

The container's root file system should be treated as a 'golden image' and any writes to
the root filesystem should be avoided. You should explicitly define a container volume for
writing.

You should not be writing data within containers. The data volume belonging to a container
should be explicitly defined and administered. This is useful in many cases where the
admin wants to control where developers write files and error output. It also has other
advantages, such as:

- It leads to an immutable infrastructure. Since the container instance cannot be written
  to, there is no need to audit instance divergence.
- Reduced attack surface, since the instance cannot be tampered with or written to.
- Ability to use a purely volume-based backup without backing up anything from the
  instance.

Solution

Add a '--read-only' flag to allow the container's root filesystem to be mounted as read
only. This can be used in combination with volumes to force a container's process to only
write to locations that will be persisted. You should run the container as below:

    $> docker run <Run arguments> --read-only -v <writable-volume> <Container Image Name or ID> <Command>

For example,

    $> docker run -i -t --read-only -v /centdata centos /bin/bash

This would run the container with a read-only root filesystem and would use 'centdata' as
the container volume for writing.
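The following script is an added example and is not part of the CIS benchmark text. It composes the hardened 'docker run' line from the recommendation above and audits a saved 'docker inspect' output for the HostConfig.ReadonlyRootfs setting that the '--read-only' flag turns on. It assumes only that the 'docker run' flags '--read-only', '-v' and '--tmpfs' exist (the '--tmpfs /tmp' addition is mine: many programs expect a writable /tmp even when the image itself is immutable) and that 'docker inspect' prints ReadonlyRootfs as in the constructed samples embedded below, so no Docker daemon is needed to run it.

```shell
#!/bin/sh
# Added example (not CIS benchmark text). The two "docker inspect" fragments
# below are constructed samples, not output captured from a real host.

# Compose the hardened "docker run" line for an image: root filesystem
# read-only, one explicit writable volume for data, and a tmpfs for /tmp.
# Usage: readonly_run_cmd <image> <writable-volume> <command...>
readonly_run_cmd() {
  image="$1"
  volume="$2"
  shift 2
  printf 'docker run --read-only --tmpfs /tmp -v %s %s %s\n' "$volume" "$image" "$*"
}

# Audit helper: return 0 when a saved "docker inspect <container>" output shows
# HostConfig.ReadonlyRootfs set to true, 1 otherwise. This is the property an
# auditor checks to confirm 5.13 is applied to a running container.
rootfs_is_readonly() {
  grep -Eq '"ReadonlyRootfs":[[:space:]]*true' "$1"
}

# Constructed sample: a container started with --read-only -v /centdata.
HARDENED=$(mktemp)
cat >"$HARDENED" <<'EOF'
[{"Id":"sample-hardened","HostConfig":{"ReadonlyRootfs": true,"Binds":["/centdata"]}}]
EOF

# Constructed sample: a container started with the default (writable) rootfs.
DEFAULT=$(mktemp)
cat >"$DEFAULT" <<'EOF'
[{"Id":"sample-default","HostConfig":{"ReadonlyRootfs": false,"Binds":null}}]
EOF
trap 'rm -f "$HARDENED" "$DEFAULT"' EXIT

# Demonstration when run directly.
readonly_run_cmd centos /centdata /bin/bash
rootfs_is_readonly "$HARDENED" && echo "sample-hardened: PASS (root filesystem read-only)"
rootfs_is_readonly "$DEFAULT" || echo "sample-default: FAIL (root filesystem writable)"
```

To audit real containers, replace the constructed files with the output of 'docker inspect <container>' for each running container; any container whose output fails rootfs_is_readonly is one the recommendation has not been applied to.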

Impact

The container root file system would not be writable. You should explicitly define a volume
for the container for writing.

Default Value

By default, a container will have its root filesystem writable, allowing processes to write
files anywhere.

See Also

https://workbench.cisecurity.org/files/514