Exercise 1.6 - Read Only Containers

Return to Workshop

readonly

Exercise 1.6 - Read Only Containers

Exercise Description

Let’s move on to "Read Only" Containers. This exercise will examine read-only containers and how to manage them.

Overview

Imagine a scenario where an application gets compromised. The first thing the bad guy wants to do is to patch a backdoor into the application, so that the next time the application starts up, it starts up with the backdoor in place. If the container was read-­only it would prevent leaving a backdoor in place and be forced to start the cycle from the beginning.

Docker added a read­only feature but it presents challenges since many applications need to write to temporary directories like /run or /tmp and when these directories are read­only, the apps fail. Red Hat’s approach leverages tmpfs.

From Wikipedia:

tmpfs is a common name for a temporary file storage facility on many Unix-like operating systems. It is intended to appear as a mounted file system, but stored in volatile memory instead of a persistent storage device.

It’s a nice solution to this problem because it eliminates data exposure on the host.

Bottom line: As a best practice, run all applications in production with this mode.

Step 1. Run a read-only container using the tmpfs option.

Run a read-only container and specify a few writable file systems using the ­tmpfs option.

sudo docker run --rm -it --name readonly --read-only --tmpfs=/run --tmpfs=/tmp rhel7.6 bash

Step 2. Test the following commands inside the container

Now, try the following. What fails and what succeeds? Why?

Inside the container try these commands
mkdir /newdir
mkdir /run/newdir
mkdir /tmp/newdir

Step 3. Exit the container

Exit the container
exit

Workshop Details

Domain
Workshop
Student ID

Return to Workshop