A simple selfhosted URL shortener with no unnecessary features. Simplicity and speed are the main foci of this project. The docker image is ~6 MB (compressed), and it uses <5 MB of RAM under regular use.
A simple selfhosted URL shortener with no unnecessary features. Simplicity and speed are the main foci of this project. The docker image is ~6 MB (compressed), and it uses <5 MB of RAM under regular use.
I try to slap anything I’d face the Internet with with the read_only to further restrict exploit possibilities, would be abs great if you could make it work! I just follow all reqs on the security cheat sheet, with read_only being one of them: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
With how simple it is I guessed that running as a user and restricting cap_drop: all wouldn’t be a problem.
For read_only many containers just need tmpfs: /tmp in addition to the volume for the db. I think many containers just try to contain temporary file writing to one directory to make applying read_only easier.
So again, I’d abs use it with read_only when you get the time to tune it!!
Upon further testing, this does actually work. You may set both
read_only: true, andcap_drop: alland it will work as long as you have a named volume. I had it mount a database file from the host system for my test config, which is why I was getting the errors. I don’t know how to make that work though i.e. when the db is bind mounted from the host system. Setting the mount:rwdoesn’t seem to fix it.Odd, I’ll try to deploy this when I can and see!
I’ve never had a problem with a volume being on the host system, except with user permissions messed up. But if you haven’t given it a user parameter it’s running as root and shouldn’t have a problem. So I’ll see sometime and get back to you!
It was just a matter of setting the correct user. In most cases,
user: 1000:1000should fix it.