-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: enable running nginx containers with read-only root fs #210
base: main
Are you sure you want to change the base?
Conversation
@ne20002 @enibache This PR enables the use of read-only root fs. It's certainly not perfect but I din't want to rewrite the entire build setup and documentation. So for now you can run this image as follows with Docker: docker run \
--rm \
--readonly \
--tmpfs /etc/nginx:rw,mode=777 \
--tmpfs /etc/modsecurity.d:rw,mode=777 \
--tmpfs /opt/owasp-crs:rw,mode=777 \
--tmpfs /tmp:rw,mode=777 \
--tmpfs /var/cache/nginx:rw,mode=777 \
owasp/modsecurity-crs:nginx The container will copy files at startup to those I'd appreciate some feedback. You can build the image from this PR with (for example): docker buildx bake --load --set "*.platform=linux/amd64" nginx |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably adding some documentation to the readme file would make sense for this case?
Yes. I just wanted to get feedback first. |
Sorry. I'm still fiddling with the 3.3.5 and can't get my exclusion for local ips get to work. Also, it seems as if there is no version 4 docker image available at hub.docker.com. I'd need to get it working first before I try to use it with a readonly setup. |
Thanks for the hint @ne20002. We thought we had published the images but really didn't. I've created the PR to fix that. |
@ne20002 The 4.0 images are now available. |
Can we close this now? |
Would be awesome, as im currently trying to enable Modsecurity correctly in k8s (before it was sadly copied from a default nginx, eg Else i would to need to implement the workaroundish things myself |
Well, I don't want to merge this without proper testing. Unless we create a root-only image variant, so that the other images continue to work. Maybe that would be the better approach anyway? |
Hi @theseion |
Refs #172