Regarding the docker-aptly container: To implement the Docker CIS security benchmark (item 5.12 in the benchmark) we need to be able to run the aptly container with read-only "/" filesystem. However, it appears aptly requires "/" to be mounted rw on container startup, or else it fails as follows:
Aug 15 14:43:41 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: ln: failed to create symbolic link '/root/.gnupg/secring.gpg': No such file or directory
a) Can the aptly docker container be configured to work with read-only "/" (i.e. docker run with the --read-only flag)?
b) If not, what are the technical reasons for this (which can be used to justify it under a security analysis)?
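The failure lines above name exactly the directories the container needs to write at startup: a temporary directory for Python's tempfile module and /root/.gnupg for gpg (the later `ln ... secring.gpg` error is only a consequence of that directory being missing). The usual way to keep "/" read-only under CIS 5.12 is therefore to give just those paths a tmpfs. The script below is an added example, not code from the docker-aptly project or from the issue: it extracts those paths from the quoted log (embedded as a constructed sample), turns them into `--tmpfs` flags and prints a hardened `docker run` line. The volume name `aptly-data` and the `APTLY_DATA_DIR` path are assumptions; use whatever directory the image actually keeps its repositories and keyring in, and mount it as a volume so nothing that must persist ends up on the ephemeral tmpfs.

```shell
#!/bin/sh
# Added example, not code from the docker-aptly project.
# Given the log of a container that failed under `docker run --read-only`,
# extract the paths it tried to write to and emit matching --tmpfs flags,
# so "/" stays read-only (CIS Docker benchmark 5.12) and only those
# directories get a writable, non-persistent tmpfs.

# Constructed sample: the failure lines quoted in the issue.
SAMPLE_LOG=$(cat <<'EOF'
Aug 15 14:43:41 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: ln: failed to create symbolic link '/root/.gnupg/secring.gpg': No such file or directory
EOF
)

# Directories a process tried to create and got "Read-only file system" on.
readonly_paths() {
  printf '%s\n' "$1" |
    sed -n "s/.*can't create directory \`\([^']*\)': Read-only file system.*/\1/p" |
    sort -u
}

# First temp-dir candidate Python probed (it rejects all of them on a
# read-only root); a tmpfs on that one is enough for tempfile to work.
tmp_dir() {
  printf '%s\n' "$1" |
    sed -n "s/.*No usable temporary directory found in \['\([^']*\)'.*/\1/p" |
    head -n 1
}

# The symlink failure (ln ... secring.gpg) follows from /root/.gnupg being
# missing, so it needs no extra mount once that directory is writable.
writable_paths() {
  { readonly_paths "$1"; tmp_dir "$1"; } | sort -u
}

# One "--tmpfs PATH" per path, joined on a single line.
tmpfs_flags() {
  writable_paths "$1" | sed 's/^/--tmpfs /' | paste -sd ' ' -
}

# Print the hardened invocation. APTLY_DATA_DIR and the volume name are
# assumed: point them at the directory the image keeps repositories and the
# keyring in, so data and keys survive while /root/.gnupg and /tmp are tmpfs.
show_run_command() {
  printf 'docker run --read-only %s -v aptly-data:%s bryanhong/aptly:latest\n' \
    "$(tmpfs_flags "$SAMPLE_LOG")" "${APTLY_DATA_DIR:-/aptly-data}"
}

show_run_command
```

Run it with `sh` and it prints the `docker run` line to try; rerun the container, feed any new "Read-only file system" lines back through `tmpfs_flags`, and stop when startup succeeds. Each path that ends up on the list is also the answer to question (b): it is a directory the image writes at startup, and the tmpfs keeps that write off the image layer without loosening "/".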