-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not running with readOnlyRootFilesystem set to true #172
Comments
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration |
There are two problems:
The second one can be solved by using a persistent volume like:
|
The nginx ingress controller solves the first part by ... copying everything to a mounted directory:
|
#191 solves the root user issue. |
Having the modsecurity-crs container being able to run in read-only mode would be a great improvement. |
Latest pushed images should include the fix (E.g. ghcr.io/coreruleset/modsecurity-crs:3.3.5-nginx-202402070602), so please check and come back if something is not working. |
You are right. Why I thought this was fixed? 🤔 Nevermind. Thanks for bringing this one back. |
Maybe we can add a similar chart with examples for k8s? |
What kind of chart are you thinking about? A Helm chart? Or are you talking about the examples for the ingress controller you gave above? |
I tried to run the container with --read-only parameter (aka readOnlyRootFileSystem) and found:
In my setup I use my own nginx.conf which is passed as nginx.conf.template to the container. A simple option to let a user run the container with read-only file system would be to provide a parameter that disables the creation of the config files leaving the user responsible for mounting the configuration manually (which is not really a hard thing to do). At least, it would solve it for my use case. A more general solution would be to move everything from I believe, this should do the trick. Running containers read-only is a big security improvement. |
I'm trying to run this image in my helm chart running in OCP4 whereby we have a quality gate that only allows pods with readOnlyRootFilesystem set to true. Is there perhaps hints on how to accomplish this using this image in my deployment.yaml?
The text was updated successfully, but these errors were encountered: