AndrewPaglusch / FlashPaper

One-time encrypted password/secret sharing
MIT License
374 stars 60 forks

Question: is it possible to run the Docker container with a read-only filesystem? #95

Open stepanov1975 opened 1 year ago

stepanov1975 commented 1 year ago

As this app is supposed to be exposed to the world, it makes sense to make it as secure as possible. So is it possible to run it with a read-only filesystem (docker run --read-only)? By default, it fails.

AndrewPaglusch commented 1 year ago

As-is, FlashPaper cannot run on a read-only filesystem. The application needs to be able to write to a SQLite database on disk (to store/delete secrets), along with generating an initial static AES key file on disk. If you can keep the DB r/w and let FlashPaper generate the key file initially, it should work as read-only afterwards.

stepanov1975 commented 1 year ago

Yes, I understand that some directories should be writable. The question is what I need to map as volumes besides /var/www/html/data.

AndrewPaglusch commented 1 year ago

The data directory is the only directory that FlashPaper needs to be able to write to. That's where the DB and the key file are stored and written. Everything else should be able to be read-only, in theory. I have not tested this yet, so I can not say that with certainty.

Would you mind sharing what you've tried so far?

stepanov1975 commented 1 year ago

With this:

version: "3.5"
services:
  flashpaper:
    image: ghcr.io/andrewpaglusch/flashpaper:latest
    container_name: flashpaper
    read_only: true              # mount the container's root filesystem read-only
    tmpfs:
      - /var/log                 # RAM-backed writable mount; hides whatever the image ships under /var/log
    security_opt:
      - no-new-privileges:true   # processes cannot gain privileges via setuid/setgid binaries
    restart: unless-stopped
    volumes:
      - './data:/var/www/html/data'   # the only directory FlashPaper must write to (SQLite DB and key file)
      - html:/var/www/html            # bind mount of the host directory declared under volumes: below
    ports:
      - '6060:80'
    environment:
      SITE_TITLE: "FlashPaper :: Self-Destructing Message"
      RETURN_FULL_URL: "true"
      MAX_SECRET_LENGTH: "3000"
      ANNOUNCEMENT: ""
      MESSAGES_ERROR_SECRET_TOO_LONG: "Input length too long"
      MESSAGES_SUBMIT_SECRET_HEADER: "Create A Self-Destructing Message"
      MESSAGES_SUBMIT_SECRET_SUBHEADER: ""
      MESSAGES_SUBMIT_SECRET_BUTTON: "Encrypt Message"
      MESSAGES_VIEW_CODE_HEADER: "Self-Destructing URL"
      MESSAGES_VIEW_CODE_SUBHEADER: "Share this URL via email, chat, or another messaging service. It will self-destruct after being viewed once."
      MESSAGES_CONFIRM_VIEW_SECRET_HEADER: "View this secret?"
      MESSAGES_CONFIRM_VIEW_SECRET_BUTTON: "View Secret"
      MESSAGES_VIEW_SECRET_HEADER: "Self-Destructing Message"
      MESSAGES_VIEW_SECRET_SUBHEADER: "This message has been destroyed"
      PRUNE_ENABLED: "true"
      PRUNE_MIN_DAYS: 365
      PRUNE_MAX_DAYS: 730
volumes:
  html:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /docker_installs/flashpaper/html   # host path that replaces the image's /var/www/html

I am getting:

Attaching to flashpaper
flashpaper    | Thu Oct 20 19:49:07 2022 (11): Fatal Error Unable to create lock file: Bad file descriptor (9)
flashpaper    | nginx: [alert] could not open error log file: open() "/var/lib/nginx/logs/error.log" failed (2: No such file or directory)
flashpaper    | 2022/10/20 19:49:07 [emerg] 12#12: mkdir() "/var/lib/nginx/tmp/client_body" failed (30: Read-only file system)
flashpaper    | Checking to see if FlashPaper is ready. (1 of 3)
flashpaper    | FlashPaper is not ready.
flashpaper    | Checking to see if FlashPaper is ready. (2 of 3)
flashpaper    | FlashPaper is not ready.
flashpaper    | Checking to see if FlashPaper is ready. (3 of 3)
flashpaper    | FlashPaper is not ready.
flashpaper    | Access logging is disabled for production use. Tailing error logs...
flashpaper    | tail: can't open '/var/log/nginx/error.log': No such file or directory
flashpaper    | tail: can't open '/var/log/php8/error.log': No such file or directory
flashpaper    | tail: no files
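
The usual way to get a container onto a read-only root filesystem is iterative: run it read-only, collect every path that failed with "Read-only file system" or "No such file or directory", give the parent directory a tmpfs mount, and run again. The shell helper below is an added example, not FlashPaper's own tooling and not something either participant posted; it applies that loop to the output above. The embedded sample is copied from the log lines in this thread, and the function names (sample_log, failed_path, writable_dirs, tmpfs_flags) are this example's own. Two things it cannot do: the PHP-FPM "Unable to create lock file" line carries no path, so that location has to be read from the image's php-fpm configuration by hand, and it only reports what this one run surfaced.

```shell
#!/bin/sh
# Added example (not FlashPaper's code): turn the errors a read-only
# container prints into the tmpfs mounts the next run needs.
# Paths containing spaces are not handled; none occur in this input.

# Sample input, copied from the container output posted in the thread.
# For a real run: docker compose up 2>&1 | tee run.log, then feed run.log in.
sample_log() {
  cat <<'EOF'
flashpaper    | Thu Oct 20 19:49:07 2022 (11): Fatal Error Unable to create lock file: Bad file descriptor (9)
flashpaper    | nginx: [alert] could not open error log file: open() "/var/lib/nginx/logs/error.log" failed (2: No such file or directory)
flashpaper    | 2022/10/20 19:49:07 [emerg] 12#12: mkdir() "/var/lib/nginx/tmp/client_body" failed (30: Read-only file system)
flashpaper    | FlashPaper is not ready.
flashpaper    | tail: can't open '/var/log/nginx/error.log': No such file or directory
flashpaper    | tail: can't open '/var/log/php8/error.log': No such file or directory
flashpaper    | tail: no files
EOF
}

# Pull the quoted absolute path out of each stdin line.
# nginx quotes paths with double quotes, busybox tail with single quotes.
failed_path() {
  sed -n -E "s|.*[\"'](/[^\"']+)[\"'].*|\1|p"
}

# For each line reporting EROFS or ENOENT, print the directory that has to
# become writable: the parent of the file or directory that could not be
# created. ENOENT here is a consequence of the tmpfs on /var/log: the mount
# replaced the image's /var/log with an empty directory, so /var/log/nginx
# and /var/log/php8 are gone and need mounts of their own. The PHP-FPM
# "Unable to create lock file" line has no path and is deliberately skipped.
writable_dirs() {
  grep -E 'Read-only file system|No such file or directory' \
    | failed_path \
    | while IFS= read -r p; do dirname "$p"; done \
    | LC_ALL=C sort -u
}

# Render the directories as docker run flags for the next attempt.
# tmpfs is RAM-backed and discarded on restart, which suits logs and nginx
# temp files; the persistent data directory stays a normal volume.
tmpfs_flags() {
  flags=""
  for d in $(writable_dirs); do
    flags="$flags --tmpfs $d"
  done
  printf '%s\n' "${flags# }"
}

# Demo on the embedded sample.
# prints: --tmpfs /var/lib/nginx/logs --tmpfs /var/lib/nginx/tmp --tmpfs /var/log/nginx --tmpfs /var/log/php8
sample_log | tmpfs_flags
```

The same list translates directly into compose syntax (one entry per line under tmpfs:, replacing the single /var/log entry). Mounting the two subdirectories instead of /var/log as a whole keeps whatever else the image stores there intact. Expect another round after applying these: the lock-file failure is still unresolved, and the maintainers say further down in the thread that a proper read-only mode needs a rework of the image rather than mount tweaks.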

AndrewPaglusch commented 1 year ago

Hey @stepanov1975, after looking into this further with @mattburchett, we've determined that this will require a significant rework of the image to support running in read-only mode.

We think this would be a great feature to have, but we can't justify the time investment required to make it a reality. If you would like to submit a PR, we would be happy to review it and get it merged!