readonly root inside container #7923

alberts · 2014-09-07T08:30:44Z

Fedora has supported the concept of a readonly root for a long time as way of making a system more stateless.

We have used this with boot-from-initramfs deployments to make sure that no service accidentally writes somewhere it shouldn't. I think this could also be useful within containers to make sure that services that run in the container are properly configured to either write data to tmpfs-backed temporary directories or to r/w volumes shared from outside with --volume and nowhere else.

The main Fedora script is here: https://git.fedorahosted.org/cgit/initscripts.git/tree/systemd/fedora-readonly

A writeup of how it works: https://warewolf.github.io/blog/2013/10/12/setting-up-a-read-only-rootfs-fedora-box/

In a Docker context, I think the main things that would carry over are flags for docker run:

roroot=true|false (mount root of container read-only)
rwtab=somefile (files and directories that should be bind-mounted so they are writable to a tmpfs)
statetab=somefile (files that should be writable to persistent storage
statemount=/some/dir (path to a directory passed through with --volume for state files)
rwoptions= (mount options for the tmpfs, size= is the main useful one)

Does this sound like something that's interesting to support in Docker? If so, I could start looking at putting together the start of a pull request.

crosbymichael · 2014-09-09T04:15:51Z

I am +1 for this and it's already able to be supported in libconatiner.

Do you think we need to have the ability to specify tmpfs mounts first though via docker before we can do this? There will be some applications that need to write in /tmp or /run and it would be nice to have these mounted in tmpfs.

alberts · 2014-09-10T17:27:21Z

I think you can take care of passing the equivalent of Fedora's RW_MOUNT=/var/lib/stateless/writable and STATE_MOUNT=/var/lib/stateless/state through to the container using --volume flags.

There's still some configuration required. I think this is probably something that should go in the Dockerfile, but maybe people want to be able to change their minds at docker run time.

Taking a look at Fedora's rwtab today, you have 3 types of configuration:

dirs /var/log
empty /tmp
files /etc/resolv.conf

dirs means take all the directories in the base image and make them available for read/write, either on top of a tmpfs or on top of the RW_MOUNT directory.

empty means the same for the directory, but ignore any subdirectories that might exist in the base image.

files gives you a read/write file with the initial contents from the image.

So if you do this in the Dockerfile, each of these might become a RWTAB line (need a better name) you'd also have a RW_MOUNT specifying a directory, where if it isn't set, means you get a tmpfs.

And then maybe docker run takes a --rwmount flag. Maybe you also need to be able to do rwtab entries on the command line. Maybe --rw-dir --rw-empty --rw-files?

From my perspective, the main reason it's nice to have this in the Dockerfile is that it simplifies the arguments needed to get one of these containers running with the right rw and state mounts and rwtab entries, without changing anything in the Mesos API for running Docker containers.

discordianfish · 2014-10-22T21:17:45Z

👍 Read-only rootfs would be very useful. It enforces usage of containers and guarantees you don't depend on the data stored in the container. It also make maintaining and cleaning up easier.

See also #2710

crosbymichael · 2014-10-23T18:53:28Z

@discordianfish this is already possible in libcontainer. Can you think of a proposal for a flag, maybe:
docker run --readonly ubuntu bash ?

discordianfish · 2014-10-24T17:09:29Z

@crosbymichael --readonly sounds good!

scf37 · 2015-01-10T17:43:33Z

Read-only containers are more secure as well.

discordianfish · 2015-01-11T13:36:04Z

@crosbymichael Is this something we want and just nobody has implemented it? If so, I can do that.

crosbymichael · 2015-01-12T18:53:01Z

@discordianfish it's implemented ( in libcontainer ), we just need some agreement on the flag.

Let me discuss with my fellow maintainers and see if we can get this sorted out and in for 1.5

crosbymichael · 2015-01-12T18:55:35Z

I think this will probably depend on tmpfs mounts also because /tmp will probably have to go into tmpfs

crosbymichael · 2015-01-13T01:34:18Z

@discordianfish go ahead and implement --readonly if you have time. For it to be in docker 1.5 it needs to be done this week, if you don't have time I can implement it.

discordianfish · 2015-01-14T11:23:03Z

@crosbymichael I would love to implement it, but have no time this week. So if you have time, go for it.

Add a --readonly flag to allow the container's root filesystem to be mounted as readonly. This can be used in combination with volumes to force a container's process to only write to locations that will be persisted. This is useful in many cases where the admin controls where they would like developers to write files and error on any other locations. Closes moby#7923 Closes moby#8752 Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

crosbymichael added this to the 1.5.0 milestone Jan 12, 2015

crosbymichael mentioned this issue Jan 14, 2015

Add --read-only for read only container rootfs #10093

Merged

LK4D4 closed this as completed in #10093 Jan 14, 2015

wking mentioned this issue Jun 25, 2015

Clarify readonlyRootfs opencontainers/runtime-spec#23

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

readonly root inside container #7923

readonly root inside container #7923

readonly root inside container #7923

readonly root inside container #7923

Comments