feat: enable running nginx containers with read-only root fs #210
base: main
Conversation
@ne20002 @enibache This PR enables the use of a read-only root fs. It's certainly not perfect but I didn't want to rewrite the entire build setup and documentation. So for now you can run this image as follows with Docker:

    docker run \
      --rm \
      --read-only \
      --tmpfs /etc/nginx:rw,mode=777 \
      --tmpfs /etc/modsecurity.d:rw,mode=777 \
      --tmpfs /opt/owasp-crs:rw,mode=777 \
      --tmpfs /tmp:rw,mode=777 \
      --tmpfs /var/cache/nginx:rw,mode=777 \
      owasp/modsecurity-crs:nginx

The container will copy files at startup to those locations. I'd appreciate some feedback. You can build the image from this PR with (for example):

    docker buildx bake --load --set "*.platform=linux/amd64" nginx
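The run command above can be wrapped so the list of writable paths lives in one place and the read-only root is actually checked rather than assumed. The script below is an added example, not code from this PR or from the owasp/modsecurity-crs project; it assumes Docker is installed for the verification step, uses the hyphenated `--read-only` flag that Docker expects, and takes the five tmpfs paths and the `mode=777` default from the PR description (the probe path `/usr/share/nginx/html/probe` is a constructed example of a location outside the tmpfs mounts).

```shell
#!/bin/sh
# Added example: generate the docker run flags for a read-only root filesystem,
# mounting a tmpfs only on the directories the entrypoint writes to at startup,
# and optionally verify that writes outside those mounts are rejected.

# Directories the nginx image needs to be writable (from the PR description).
WRITABLE_PATHS="/etc/nginx /etc/modsecurity.d /opt/owasp-crs /tmp /var/cache/nginx"

# readonly_flags PATHS [MODE]
# Prints one flag per line: --read-only first, then one --tmpfs per path.
# MODE defaults to 777 to match the PR; pass e.g. 1777 for a sticky tmpfs.
readonly_flags() {
  mode="${2:-777}"
  printf '%s\n' '--read-only'
  for p in $1; do
    printf '%s %s:rw,mode=%s\n' '--tmpfs' "$p" "$mode"
  done
}

# verify_readonly IMAGE
# Starts the image with the generated flags and tries to create a file outside
# the tmpfs mounts.  Returns 0 when the root fs rejects the write, 1 otherwise.
# Requires a working docker CLI; the touch must fail for the check to pass.
verify_readonly() {
  image="$1"
  # shellcheck disable=SC2046  # intentional word splitting of the flag list
  if docker run --rm $(readonly_flags "$WRITABLE_PATHS") --entrypoint sh "$image" \
       -c 'touch /usr/share/nginx/html/probe 2>/dev/null'; then
    echo "FAIL: root filesystem accepted a write outside the tmpfs mounts"
    return 1
  fi
  echo "OK: root filesystem is read-only"
  return 0
}

# Usage (needs docker):
#   . ./readonly-check.sh && verify_readonly owasp/modsecurity-crs:nginx
```

Keeping the writable paths in a single variable makes it easy to see how much of the image is still mutable at runtime; every path in that list is a place an attacker who gains code execution in the container could still drop files, so it should shrink to what the entrypoint genuinely needs rather than grow.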
Probably adding some documentation to the readme file would make sense for this case?
Yes. I just wanted to get feedback first.
Sorry. I'm still fiddling with 3.3.5 and can't get my exclusion for local IPs to work. Also, it seems as if there is no version 4 Docker image available at hub.docker.com. I'd need to get it working first before I try to use it with a read-only setup.
Thanks for the hint @ne20002. We thought we had published the images but really didn't. I've created the PR to fix that.
@ne20002 The 4.0 images are now available.
Can we close this now?
Would be awesome, as I'm currently trying to enable ModSecurity correctly in k8s (before it was sadly copied from a default nginx, e.g. Else I would need to implement the workaround-ish things myself.
Well, I don't want to merge this without proper testing. Unless we create a read-only image variant, so that the other images continue to work. Maybe that would be the better approach anyway?
Hi @theseion |
Refs #172