Conforming to CIS Docker Benchmark v1.2.0

Hi,

Basically, I’m trying to conform to some of the rules declared in the CIS Docker Benchmark v1.2.0 document (https://www.cisecurity.org/benchmark/docker/).

The rules:
4.1 Ensure that a user for the container has been created
and
5.12 Ensure that the container’s root filesystem is mounted as read only


For rule 4.1, I’ve tried 2 things, the first (going through Dockerfile):

FROM gitlab/gitlab-ce:13.3.8-ce.0
RUN useradd -m newuser
USER newuser

and the second (just by using the -u option):

docker run -it --rm -u 1234:1234 -P gitlab/gitlab-ce:13.3.8-ce.0

Both of them will exit with:

cp: cannot create regular file ‘/etc/gitlab/gitlab.rb’: Permission denied


For rule 5.12, another team member is getting the following when enabling read_only, and after manually mapping out some other volumes (i.e. like /tmp):

/opt/gitlab/embedded/bin/runsvdir-start: line 24: ulimit: pending signals: cannot modify limit: Operation not permitted
/opt/gitlab/embedded/bin/runsvdir-start: line 37: /proc/sys/fs/file-max: Read-only file system

Has anyone else tried doing those 2 things before?

Thank you for your time.
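
An added example, not part of the original post: a check of rules 4.1 and 5.12 against `docker inspect` output, reading the `Config.User` and `HostConfig.ReadonlyRootfs` fields. The container names and the sample JSON are constructed, and a named user is assumed not to map to UID 0 inside the image.

```python
import json
import sys

# Constructed sample of `docker inspect <container>...` output, trimmed to the
# two fields the checks read. Container names are made up for illustration.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/gitlab-default", "Config": {"User": ""},
   "HostConfig": {"ReadonlyRootfs": false}},
  {"Name": "/gitlab-uid", "Config": {"User": "1234:1234"},
   "HostConfig": {"ReadonlyRootfs": false}},
  {"Name": "/gitlab-hardened", "Config": {"User": "newuser"},
   "HostConfig": {"ReadonlyRootfs": true}},
  {"Name": "/gitlab-root-ro", "Config": {"User": "0:0"},
   "HostConfig": {"ReadonlyRootfs": true}}
]
""")


def runs_as_root(user_field):
    """Config.User is '', 'name', 'uid', 'name:group' or 'uid:gid'.
    An empty value means no USER / -u was set, so the process runs as root.
    Assumption: a non-root *name* is not an alias for UID 0 in the image."""
    user = user_field.split(":", 1)[0].strip()
    return user in ("", "0", "root")


def audit(containers):
    """Return {container: {"4.1": bool, "5.12": bool}}, True meaning pass."""
    results = {}
    for c in containers:
        name = c.get("Name", "").lstrip("/")
        user = (c.get("Config") or {}).get("User") or ""
        read_only = (c.get("HostConfig") or {}).get("ReadonlyRootfs", False)
        results[name] = {"4.1": not runs_as_root(user), "5.12": bool(read_only)}
    return results


def failing(results):
    """Sorted (container, rule) pairs that do not pass."""
    return sorted((n, r) for n, checks in results.items()
                  for r, ok in checks.items() if not ok)


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -aq) > inspect.json; python check.py inspect.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, rule in failing(audit(data)):
        print(f"FAIL {rule}: {name}")
```
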