Running container in read-only mode #3

Open
PedroRegisPOAR opened this issue Apr 9, 2021 · 0 comments
Comments

PedroRegisPOAR (Contributor) commented Apr 9, 2021

TODO: add idiomatic examples of --read-only flag, http://docs.podman.io/en/latest/markdown/podman-run.1.html#running-container-in-read-only-mode

About Kubernetes read-only volumes:

TODO: it can be a good thing to be enabled: --no-allow-new-privileges in nix.

ubuntu@ip-*:~$ stat /root
  File: /root
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: ca01h/51713d    Inode: 3800        Links: 4
Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-06-11 19:37:20.799020157 +0000
Modify: 2021-04-19 22:36:43.596000000 +0000
Change: 2021-04-19 22:36:43.596000000 +0000
 Birth: -

Thanks! Yes, I also found the standard way to configure environments for services using that systemd command systemctl edit nix-daemon.service. I agree that given the common security practice of nonexecutable /tmp nix-daemon should have some configuration settings to set TMPDIR.
https://discourse.nixos.org/t/custom-tmpdir-for-nix-env/4696/3

We are blocking you based on Namespaced Capabilities. By default containers do not get CAP_SYS_ADMIN.
https://unix.stackexchange.com/a/619334

troubleshooting.md file from the official repository: podman run --rootfs link/to//read/only/dir does not work

Packaging microservices with nix - Jonas Chevalier

NYLUG Presents: Sneaking in Nix - Building Production Containers with Nix

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/managing_containers/finding_running_and_building_containers_with_podman_skopeo_and_buildah

https://github.com/containers/podman/blob/main/rootless.md

https://www.redhat.com/sysadmin/tiny-containers

Docker Capabilities and no-new-privileges
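
The issue collects three hardening knobs (a read-only rootfs, no-new-privileges, and dropped capabilities such as CAP_SYS_ADMIN) but no way to confirm they took effect. The probe below is an added example written for this page, not code from the podman project or from the issue author. The podman flags named in the header comment are the ones documented in podman-run(1); the probe functions, the sample status files and the directory choices (/proc as a known read-only location) are the editor's own assumptions. CAP_SYS_ADMIN is capability bit 21 in the CapEff mask, and NoNewPrivs is the field Linux exposes in /proc/<pid>/status.

```shell
#!/bin/sh
# Added example (editor's own, not from podman or the issue author): a probe to
# run *inside* a container to confirm the hardening discussed above took effect,
# e.g. after
#   podman run --rm -it --read-only --security-opt no-new-privileges \
#       --cap-drop all --tmpfs /tmp:rw,noexec,nosuid,size=64m IMAGE sh
# The flags are from podman-run(1); everything below is assumed for illustration.

# Print the NoNewPrivs value (0 or 1) from a /proc/<pid>/status file.
# A kernel without the field is reported as 0 (not set).
nnp_enabled() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 } END { if (!found) print 0 }' \
        "${1:-/proc/self/status}"
}

# Print the effective capability mask (hex, no 0x prefix) from a status file.
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# Succeed (exit 0) if bit $2 is set in hex mask $1. CAP_SYS_ADMIN is bit 21.
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Succeed if a file can be created in directory $1, i.e. it is writable.
# touch is used rather than a bare redirection so a failure never aborts the shell.
dir_writable() {
    probe="$1/.rw-probe.$$"
    if touch "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Run every check against a status file ($1) and a rootfs directory ($2);
# print a report and return non-zero if any hardening expectation fails.
probe_container() {
    status="${1:-/proc/self/status}"
    root="${2:-/}"
    rc=0
    if [ "$(nnp_enabled "$status")" = 1 ]; then
        echo "ok   no_new_privs is set"
    else
        echo "FAIL no_new_privs is not set (setuid binaries can still gain privileges)"
        rc=1
    fi
    mask="$(cap_eff "$status")"
    if cap_has "$mask" 21; then
        echo "FAIL CAP_SYS_ADMIN present in CapEff=$mask"
        rc=1
    else
        echo "ok   CAP_SYS_ADMIN absent (CapEff=$mask)"
    fi
    if dir_writable "$root"; then
        echo "FAIL $root is writable; --read-only is not in effect"
        rc=1
    else
        echo "ok   $root is read-only"
    fi
    return $rc
}

# Constructed sample status files (not captured from any real container) so the
# probe can be exercised outside a container. $1 is an output directory.
#   hardened: NoNewPrivs set, no capabilities at all
#   lax:      NoNewPrivs clear, CAP_SYS_ADMIN (bit 21 -> 0x200000) present
write_sample_status() {
    printf 'Name:\tsh\nNoNewPrivs:\t1\nCapEff:\t0000000000000000\n' > "$1/hardened"
    printf 'Name:\tsh\nNoNewPrivs:\t0\nCapEff:\t0000000000200000\n' > "$1/lax"
}

# Usage inside a container:   probe_container
# Usage on the host, against the constructed samples (/proc stands in for a
# read-only rootfs):
#   d=$(mktemp -d); write_sample_status "$d"; probe_container "$d/hardened" /proc
```

Inside a container started with the flags in the header, all three lines should read `ok`; a `FAIL` on the rootfs line usually means `--read-only` was dropped or the probe was pointed at a `--tmpfs` mount, and a `FAIL` on the capability line means `--cap-drop all` was overridden by a later `--cap-add`. The probe reads only /proc and attempts one file creation, so it needs no capabilities of its own.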
