
feat: enable running nginx containers with read-only root fs #210

Open
wants to merge 2 commits into
base: main

Conversation

theseion
Contributor

@theseion theseion commented Feb 18, 2024

Refs #172

@theseion
Contributor Author

theseion commented Feb 18, 2024

@ne20002 @enibache This PR enables the use of a read-only root fs. It's certainly not perfect but I didn't want to rewrite the entire build setup and documentation. So for now you can run this image as follows with Docker:

# every directory nginx/ModSecurity needs to write at runtime gets its own tmpfs
docker run \
  --rm \
  --read-only \
  --tmpfs /etc/nginx:rw,mode=777 \
  --tmpfs /etc/modsecurity.d:rw,mode=777 \
  --tmpfs /opt/owasp-crs:rw,mode=777 \
  --tmpfs /tmp:rw,mode=777 \
  --tmpfs /var/cache/nginx:rw,mode=777 \
  owasp/modsecurity-crs:nginx

The container will copy files at startup to those tmpfs directories. In writable root fs mode, the container behaves the same as before; in read-only mode, the tmpfs mounts are required and the files will be copied there.

I'd appreciate some feedback.

You can build the image from this PR with (for example):

docker buildx bake --load --set "*.platform=linux/amd64" nginx
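An illustration of the startup behaviour described above (probe whether the root fs is writable, then copy the image's defaults into the tmpfs mounts and fail early if one is missing), written as an added example for this thread and not taken from the PR or the project; the function names and the /usr/share/image-defaults source paths are assumptions.

```shell
#!/bin/sh
# Hypothetical entrypoint helper written for this thread, not the project's
# own code: it implements the behaviour the PR describes (copy the image's
# defaults into the --tmpfs mounts at startup and fail early when a required
# directory is not writable). Source paths under /usr/share/image-defaults
# and the function names are assumptions.
set -e

# Return 0 if directory $1 is writable. Probed by creating a file, because
# permission bits alone cannot reveal a read-only filesystem (root passes
# the mode check but still fails the write).
dir_is_writable() {
    probe="$1/.rw-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then rm -f "$probe"; return 0; fi
    return 1
}

# Return 0 if the root filesystem is writable, i.e. no --read-only was used.
rootfs_is_writable() { dir_is_writable /; }

# Copy the image's defaults ($1) into the runtime directory ($2). A non-empty
# destination is left alone so operator-provided files are not overwritten.
# Returns 1 if $2 is not writable, letting the entrypoint abort before nginx.
populate_dir() {
    src="$1"; dst="$2"
    mkdir -p "$dst" 2>/dev/null || true
    if ! dir_is_writable "$dst"; then
        echo "error: $dst is not writable; mount a tmpfs there" >&2
        return 1
    fi
    [ -n "$(ls -A "$dst")" ] && return 0
    cp -R "$src/." "$dst/"
}

# $1 is a space-separated list of dst=src pairs. Every dst must be writable;
# with a read-only root fs that is only true where a tmpfs was mounted.
prepare_runtime_dirs() {
    rc=0
    for pair in $1; do
        populate_dir "${pair#*=}" "${pair%%=*}" || rc=1
    done
    return $rc
}

# Constructed mapping mirroring the PR's tmpfs list (source paths assumed).
NGINX_RUNTIME_DIRS="/etc/nginx=/usr/share/image-defaults/nginx \
/etc/modsecurity.d=/usr/share/image-defaults/modsecurity.d \
/opt/owasp-crs=/usr/share/image-defaults/owasp-crs"
```

In a real entrypoint the script would call `prepare_runtime_dirs "$NGINX_RUNTIME_DIRS"` and exit non-zero before exec'ing nginx when it fails, which turns a missing `--tmpfs` into an immediate, readable startup error instead of a confusing write failure later.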

@theseion theseion changed the title feat: enable running container with read-only root fs feat: enable running nginx containers with read-only root fs Feb 18, 2024
Member

@fzipi fzipi left a comment


Probably adding some documentation to the readme file would make sense for this case?

@theseion
Contributor Author

Yes. I just wanted to get feedback first.

@ne20002

ne20002 commented Feb 26, 2024

Sorry. I'm still fiddling with the 3.3.5 and can't get my exclusion for local IPs to work. Also, it seems as if there is no version 4 docker image available at hub.docker.com. I'd need to get it working first before I try to use it with a read-only setup.

@theseion
Contributor Author

Thanks for the hint @ne20002. We thought we had published the images but really didn't. I've created the PR to fix that.

@theseion
Contributor Author

@ne20002 The 4.0 images are now available.

@fzipi
Member

fzipi commented Apr 15, 2024

Can we close this now?

@Serverfrog

Would be awesome, as I'm currently trying to enable ModSecurity correctly in k8s (before, it was sadly copied from a default nginx, e.g. nginx -g 'daemon off;', which did not enable any rules and was just a plain nginx).

Else I would need to implement the workaroundish things myself.

@theseion
Contributor Author

Well, I don't want to merge this without proper testing. Unless we create a root-only image variant, so that the other images continue to work. Maybe that would be the better approach anyway?

@ne20002

ne20002 commented Apr 24, 2024

Hi @theseion
I'm currently a bit busy. I got my Friendica setup working so far (still a few things to optimize) and will continue to update my Nextcloud setup (which seems to have a number of changes with the new plugin mechanism).

@fzipi fzipi changed the base branch from develop to main May 8, 2024 22:39
@theseion
Contributor Author

theseion commented Feb 8, 2025

@fzipi I think we should create a new image variant. Existing users may not want to or be able to switch anyway. Then it wouldn't be a tragedy if we still had some bugs in the new variant. What do you think?

@fzipi
Member

fzipi commented Feb 8, 2025

Sounds like a nice way to move forward.

@theseion theseion force-pushed the enable-readonly-root-fs branch 2 times, most recently from 353055e to d9addbb Compare February 9, 2025 16:44
Use bake matrix to simplify target descriptions and add "read-only" as
new image variant.
@theseion theseion force-pushed the enable-readonly-root-fs branch from d9addbb to 07cf2ac Compare February 9, 2025 17:15
@theseion theseion requested a review from fzipi February 9, 2025 18:25