File System Security and Read-Only Containers

Read-only root filesystems prevent many attacks by making runtime modifications to the container's files impossible. Applications that need scratch space can use explicitly mounted temporary filesystems (tmpfs) for just those paths. This approach prevents malware installation, configuration tampering, and persistent backdoors. Combined with proper volume permissions, read-only containers significantly reduce the attack surface.

Volume security requires careful permission management. Containers should access volumes with minimal required permissions. Shared volumes between containers need careful access control to prevent privilege escalation. Sensitive data volumes should use encryption at rest. Volume drivers may provide additional security features requiring configuration.

# Example: Dockerfile for a container intended to run with a read-only root filesystem
# (the read-only mount itself is applied at run time; the image only has to tolerate it)
FROM alpine:3.18

# Install packages during build (--no-cache leaves no apk index behind to clean up)
RUN apk add --no-cache \
    nginx \
    tini

# Create the only directories nginx needs to write to; at run time these are
# mounted as tmpfs so the rest of the filesystem can stay read-only
RUN mkdir -p /var/cache/nginx /var/run /var/log/nginx && \
    chown -R nginx:nginx /var/cache/nginx /var/run /var/log/nginx

# Copy configuration. Left owned by root (world-readable) so the unprivileged
# runtime user cannot alter it even on a writable filesystem. nginx.conf must set
# `pid` to a path under a writable directory (e.g. /var/run/nginx.pid) and
# site.conf must `listen` on an unprivileged port, because nginx starts as non-root.
COPY nginx.conf /etc/nginx/nginx.conf
COPY site.conf /etc/nginx/conf.d/default.conf

# Copy static content, then make it read-only: 555 on directories (traversable),
# 444 on files. (A blanket --chmod=444 on COPY would also strip the execute bit
# from directories and make them unlistable.)
COPY ./public /usr/share/nginx/html
RUN find /usr/share/nginx/html -type d -exec chmod 555 {} \; && \
    find /usr/share/nginx/html -type f -exec chmod 444 {} \;

# Switch to non-root user
USER nginx

# Health check; 8080 is the assumed unprivileged listen port from site.conf,
# adjust it to match (port 80 cannot be bound by the nginx user)
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \
    CMD wget --no-verbose --tries=1 --spider http://localhost:8080/ || exit 1

# Use tini as PID 1 for proper signal handling and zombie reaping
ENTRYPOINT ["/sbin/tini", "--"]

# Run nginx in foreground
CMD ["nginx", "-g", "daemon off;"]
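The Dockerfile above only makes the image tolerate a read-only root; the read-only mount, the tmpfs scratch mounts and the volume access modes are set when the container is started. The script below is an added example (not part of the original page or of any project it describes) that audits a container's mount table the way an entrypoint or health check could: it parses the /proc/mounts format, confirms the root filesystem is mounted read-only, checks that tmpfs mounts carry nosuid, nodev and noexec, and flags writable volumes that are not on an allow-list. The sample mount table, the /uploads volume and the `docker run` invocation quoted in the docstring are constructed for this example; the flags themselves (`--read-only`, `--tmpfs`, `-v ...:ro`) are standard Docker options.

```python
"""Audit a container's mount table for read-only-root hardening.

Added example, not from the original page. It reads the /proc/mounts format
("<source> <mountpoint> <fstype> <options> <dump> <pass>") and reports:
  * a root filesystem that is not mounted read-only,
  * tmpfs scratch mounts missing nosuid/nodev/noexec,
  * volume (bind) mounts that are writable but not explicitly allowed.
SAMPLE_MOUNTS is constructed to resemble a container started with
    docker run --read-only \
      --tmpfs /var/cache/nginx:rw,nosuid,nodev,noexec,size=64m \
      --tmpfs /tmp:rw,nosuid,nodev,size=64m \
      -v /srv/site:/usr/share/nginx/html:ro \
      -v /srv/uploads:/uploads:rw ...
(the /tmp mount deliberately omits noexec so the audit has something to flag).
"""
import sys
from dataclasses import dataclass

TMPFS_REQUIRED = {"nosuid", "nodev", "noexec"}
# Pseudo/virtual filesystems that are never user volumes.
VIRTUAL_FSTYPES = {"overlay", "tmpfs", "proc", "sysfs", "devpts", "mqueue",
                   "cgroup", "cgroup2"}
# Files the container runtime itself bind-mounts read-write.
RUNTIME_FILES = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}

# Constructed sample of what /proc/mounts looks like inside such a container.
SAMPLE_MOUNTS = """\
overlay / overlay ro,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B,upperdir=/var/lib/docker/overlay2/X/diff,workdir=/var/lib/docker/overlay2/X/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0
tmpfs /var/cache/nginx tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=65536k 0 0
/dev/sda1 /usr/share/nginx/html ext4 ro,relatime 0 0
/dev/sda1 /uploads ext4 rw,relatime 0 0
/dev/sda1 /etc/resolv.conf ext4 rw,relatime 0 0
/dev/sda1 /etc/hostname ext4 rw,relatime 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime 0 0
"""


@dataclass(frozen=True)
class Mount:
    source: str
    point: str
    fstype: str
    options: frozenset


def parse_mounts(text):
    """Parse /proc/mounts text into Mount records; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, point, fstype, options = fields[:4]
        point = point.replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        mounts.append(Mount(source, point, fstype, frozenset(options.split(","))))
    return mounts


def audit_mounts(mounts, writable_volumes=frozenset()):
    """Return a list of human-readable findings; an empty list means hardened."""
    findings = []
    root = next((m for m in mounts if m.point == "/"), None)
    if root is None:
        findings.append("no root filesystem mount found")
    elif "ro" not in root.options:
        findings.append("root filesystem / is mounted rw; start the container with --read-only")
    for m in mounts:
        # /dev is a runtime-managed tmpfs that legitimately lacks nodev/noexec
        if m.fstype == "tmpfs" and m.point != "/dev":
            missing = TMPFS_REQUIRED - m.options
            if missing:
                findings.append(f"tmpfs {m.point} lacks {','.join(sorted(missing))}")
        elif m.fstype not in VIRTUAL_FSTYPES and m.point not in RUNTIME_FILES:
            # Anything else is a volume; it must be ro unless explicitly allowed
            if "rw" in m.options and m.point not in writable_volumes:
                findings.append(f"volume {m.point} is writable but not in the allow-list")
    return findings


def audit_text(text, writable_volumes=frozenset()):
    """Convenience wrapper: parse then audit."""
    return audit_mounts(parse_mounts(text), frozenset(writable_volumes))


if __name__ == "__main__":
    # Pass a path such as /proc/mounts to audit a live container; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            table = fh.read()
    else:
        table = SAMPLE_MOUNTS
    for finding in audit_text(table, {"/uploads"}) or ["no findings"]:
        print(finding)
```

Run with no arguments to audit the constructed sample (it reports only the /tmp mount missing noexec), or pass /proc/mounts from inside a running container; a non-empty findings list is the signal that the run-time flags do not match what the Dockerfile assumes. The allow-list is deliberately explicit so that a volume mounted read-write by accident shows up as a finding rather than being silently accepted.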