Closed wouttom closed 2 months ago
@wouttom not sure the entrypoint-scripts should own all the blame. Almost all of them end up modifying config.php
which is hosted in a volume; MISP itself might not be read-only friendly unfortunately.
Feel free to use this issue to collect findings, and hopefully, to link a PR if you end up with something actionable.
There are just too many places where MISP writes the file system.
I will close this since we can't do much from a docker image perspective, but feel free to re-open it in the right project (MISP)
Hello,
Currently the container-image for misp-core does not start if you set

read_only: true
user: some-user

This is mostly caused by the fact that the entrypoint-scripts update several configuration-files inside the container at startup. Running containers using read-only filesystems and with other users as root are security best-practices that are intended to limit the impact of a potential exploitation of the software in them. It would be a good thing to support that.
Would it be feasible to support read-only-fs and non-root users?
Thanks, Tom Wouters
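The hardening the issue asks for, shown as an added Compose example that is not part of the misp-docker project and not the author's configuration: a read-only root filesystem combined with a non-root user, with the few locations a process legitimately writes to mounted as tmpfs or named volumes. The service name, image, UID/GID and the writable paths are placeholders; the thread only states that config.php lives in a volume and that MISP writes to many other places, so the real list of writable paths would have to be established per image.

```yaml
# Added example, not from the misp-docker project. Service name, image,
# UID/GID and all paths are placeholders; the page does not list which
# paths MISP actually writes to at startup or runtime.
services:
  app:
    image: example/app:latest        # placeholder image
    user: "10001:10001"              # placeholder non-root UID:GID
    read_only: true                  # root filesystem mounted read-only
    # Scratch space the process may write; tmpfs contents vanish on restart.
    tmpfs:
      - /tmp
      - /run
    # Persistent writable locations go in named volumes. Any file the
    # entrypoint rewrites at startup (the thread names config.php) must
    # live under one of these, otherwise the container fails to start.
    volumes:
      - app-config:/srv/app/config   # placeholder path holding config.php
      - app-data:/srv/app/data       # placeholder path for runtime writes
    # Closely related to non-root: block privilege escalation via setuid binaries.
    security_opt:
      - no-new-privileges:true

volumes:
  app-config:
  app-data:
```

After the container starts, `docker inspect` shows the two settings as `HostConfig.ReadonlyRootfs` and `Config.User`; if the entrypoint fails with a read-only filesystem error on some path, that path is a candidate for another tmpfs or volume entry rather than a reason to drop `read_only`.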