Thanks! Yes, I also found the standard way to configure environments for services using that systemd command systemctl edit nix-daemon.service. I agree that given the common security practice of nonexecutable /tmp nix-daemon should have some configuration settings to set TMPDIR. https://discourse.nixos.org/t/custom-tmpdir-for-nix-env/4696/3
TODO: add idiomatic examples of the `--read-only` flag, http://docs.podman.io/en/latest/markdown/podman-run.1.html#running-container-in-read-only-mode

About Kubernetes read-only volumes: `readOnlyRootFilesystem`

NSA, CISA release Kubernetes Hardening Guidance

TODO: it can be a good thing to be enabled: `--no-allow-new-privileges`

In the nix.troubleshooting.md file from the official repository: `podman run --rootfs link/to//read/only/dir` does not work
- Packaging microservices with nix - Jonas Chevalier
- NYLUG Presents: Sneaking in Nix - Building Production Containers with Nix
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/managing_containers/finding_running_and_building_containers_with_podman_skopeo_and_buildah
- https://github.com/containers/podman/blob/main/rootless.md
- https://www.redhat.com/sysadmin/tiny-containers
- Docker Capabilities and no-new-privileges
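A Kubernetes Pod spec that combines the options collected in the notes above (read-only root filesystem, no new privileges, dropped capabilities, a separate writable `/tmp`), added here as an illustration and not part of the issue; the image name and Pod name are placeholders:

```yaml
# Added example, not from the issue. Image and names are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-example
spec:
  containers:
    - name: app
      image: registry.example.com/app:latest   # placeholder image
      securityContext:
        readOnlyRootFilesystem: true       # root FS mounted read-only (the podman --read-only analogue)
        allowPrivilegeEscalation: false    # container process runs with no_new_privs set
        runAsNonRoot: true
        capabilities:
          drop: ["ALL"]                    # add back only what the service actually needs
      volumeMounts:
        - name: tmp
          mountPath: /tmp                  # the only writable path; memory-backed, discarded on exit
  volumes:
    - name: tmp
      emptyDir:
        medium: Memory
```

With `readOnlyRootFilesystem: true` a service that writes anywhere outside `/tmp` fails at startup, which is the quickest way to find out which paths a container really needs writable.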