SteveLTN / https-portal

A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
MIT License

Problems with setting read_only:true #343

Open hieuhgt opened 7 months ago

hieuhgt commented 7 months ago

My AWS Security Hub check failed with "ECS containers must restrict access to the root file system to read-only", so I want to add read_only to my Docker Compose file, but it makes the container unable to build! I have many problems with s6. Here is my docker-compose.yaml:

  https-portal:
    read_only: true
    image: steveltn/https-portal:1
    ports:
      - '8081:443'
    environment:
      DOMAINS: 'localhost -> http://host.docker.internal:8080'
      STAGE: local
    volumes:
      - s6-overlay:/var/run/s6:rw

And the error =>

backend-https-portal-1  | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
backend-https-portal-1  | [s6-init] ensuring user provided files have correct perms...s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/20-setup: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/30-set-docker-gen-status: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/00-welcome: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/cont-init.d/30-set-docker-gen-status: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/cont-init.d/20-setup: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/cont-init.d/00-welcome: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/20-crond/run: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/30-dynamic-env/run: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/10-docker-gen/run: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/00-nginx/run: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/20-crond/run: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/30-dynamic-env/run: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/10-docker-gen/run: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/00-nginx/run: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/30-dynamic-env/finish: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/20-crond/finish: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/10-docker-gen/finish: Read-only file system
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/00-nginx/finish: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/30-dynamic-env/finish: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/20-crond/finish: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/10-docker-gen/finish: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/00-nginx/finish: Read-only file system
backend-https-portal-1  | exited 0.
backend-https-portal-1  | [fix-attrs.d] applying ownership & permissions fixes...
backend-https-portal-1  | [fix-attrs.d] done.
backend-https-portal-1  | [cont-init.d] executing container initialization scripts...
backend-https-portal-1  | [cont-init.d] 00-welcome: executing... 
backend-https-portal-1  | foreground: warning: unable to spawn /var/run/s6/etc/cont-init.d/00-welcome: Permission denied
backend-https-portal-1  | [cont-init.d] 00-welcome: exited 127.
backend-https-portal-1  | [cont-finish.d] executing container finish scripts...
backend-https-portal-1  | [cont-finish.d] done.
backend-https-portal-1  | [s6-finish] waiting for services.
backend-https-portal-1  | [s6-finish] sending all processes the TERM signal.
backend-https-portal-1  | [s6-finish] sending all processes the KILL signal and exiting.
backend-https-portal-1 exited with code 1

When I set the volume to s6-overlay:/var/run/s6/etc:rw, it leads to another problem:

backend-https-portal-1  | s6-rmrf: fatal: unable to remove /var/run/s6/container_environment: Read-only file system

I am a newbie with Docker, so I'm having quite a bit of difficulty with this part. Thank you for supporting me.
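The two runs above show the usual shape of this problem: `read_only: true` is the hardening you want to keep, and what remains is to find the handful of directories the init system must write to and give only those a writable mount. The script below is an added example (not code from https-portal, s6-overlay, or this issue) that automates that triage: it extracts every path that failed with "Read-only file system" from s6 output, checks it against the writable `volumes`/`tmpfs` targets a compose service declares, and proposes the narrowest common directory that would cover what is still uncovered. The sample log is a constructed mix of lines from both runs in the issue, paired with the second attempt's mount; the compose-style strings are assumptions for illustration.

```python
"""Audit which paths a read_only container still needs to write to.

Added example, not part of https-portal or s6-overlay. It parses the
"Read-only file system" failures that s6-chown/s6-chmod/s6-rmrf print,
compares them with the writable mounts a compose service declares, and
proposes the smallest directory that would cover the rest, so that
read_only: true can stay on and only that directory gets a tmpfs.
"""
import posixpath
import re

# s6-chown, s6-chmod and s6-rmrf all report the offending path the same way.
READONLY_RE = re.compile(
    r"unable to (?:chown|change mode of|remove) (?P<path>/\S+?): Read-only file system"
)

# Constructed sample: two lines from the first run and the one from the second.
SAMPLE_LOG = """\
backend-https-portal-1  | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
backend-https-portal-1  | s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/20-setup: Read-only file system
backend-https-portal-1  | s6-chmod: fatal: unable to change mode of /var/run/s6/etc/services.d/00-nginx/run: Read-only file system
backend-https-portal-1  | s6-rmrf: fatal: unable to remove /var/run/s6/container_environment: Read-only file system
"""


def failing_paths(log):
    """Distinct container paths that hit a read-only file system, sorted."""
    return sorted({m.group("path") for m in READONLY_RE.finditer(log)})


def writable_targets(volumes=(), tmpfs=()):
    """Container-side targets of compose `volumes` and `tmpfs` entries that are writable.

    Accepts the short syntax only: "name:/target[:mode]", "/host:/target[:mode]",
    "/target" (anonymous volume) and "/target[:options]" for tmpfs.
    """
    targets = set()
    for entry in volumes:
        parts = entry.split(":")
        target = parts[0] if len(parts) == 1 else parts[1]
        mode = parts[2] if len(parts) > 2 else "rw"
        if "ro" in mode.split(","):  # read-only mounts do not help here
            continue
        targets.add(target)
    for entry in tmpfs:
        targets.add(entry.split(":")[0])  # tmpfs is always writable
    return sorted(targets)


def is_under(path, mount):
    """True if `path` equals `mount` or lives somewhere below it."""
    return path == mount or path.startswith(mount.rstrip("/") + "/")


def uncovered(paths, mounts):
    """Failing paths that no declared writable mount covers."""
    return [p for p in paths if not any(is_under(p, m) for m in mounts)]


def proposed_mount(paths):
    """Narrowest directory containing every failing path, or None if that is '/'.

    Proposing '/' would amount to switching read_only off again, so the caller
    should then look at the individual parent directories instead.
    """
    if not paths:
        return None
    common = posixpath.commonpath([posixpath.dirname(p) for p in paths])
    return None if common == "/" else common


def audit(log, volumes=(), tmpfs=()):
    """Run the whole check and return a plain dict for reporting or testing."""
    paths = failing_paths(log)
    mounts = writable_targets(volumes, tmpfs)
    missing = uncovered(paths, mounts)
    return {
        "failing": paths,
        "writable_mounts": mounts,
        "uncovered": missing,
        "proposed_mount": proposed_mount(missing),
        "parent_dirs": sorted({posixpath.dirname(p) for p in missing}),
    }


if __name__ == "__main__":
    # Mirrors the second attempt in the issue: only /var/run/s6/etc is writable.
    report = audit(SAMPLE_LOG, volumes=["s6-overlay:/var/run/s6/etc:rw"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the container's real output (`docker compose logs https-portal`) after each change and iterate: the `proposed_mount` it prints is the directory to add under the service's `tmpfs:` key while leaving `read_only: true` in place, and the loop ends when `uncovered` is empty. Resolving the common ancestor rather than listing every file keeps the writable surface to one small directory instead of slowly widening it one path at a time.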