Basically, I’m trying to conform to some of the rules declared in the CIS Docker Benchmark v1.2.0 document (https://www.cisecurity.org/benchmark/docker/).
4.1 Ensure that a user for the container has been created
5.12 Ensure that the container’s root filesystem is mounted as read only
For rule 4.1, I’ve tried 2 things, the first (going through Dockerfile):
FROM gitlab/gitlab-ce:13.3.8-ce.0
RUN useradd -m newuser
USER newuser
and the second (just by using the -u option):
docker run -it --rm -u 1234:1234 -P gitlab/gitlab-ce:13.3.8-ce.0
Both of them will exit with:
cp: cannot create regular file ‘/etc/gitlab/gitlab.rb’: Permission denied
For rule 5.12, another team member is getting the following when enabling read_only, after manually mapping some other volumes out (e.g. /tmp):
/opt/gitlab/embedded/bin/runsvdir-start: line 24: ulimit: pending signals: cannot modify limit: Operation not permitted
/opt/gitlab/embedded/bin/runsvdir-start: line 37: /proc/sys/fs/file-max: Read-only file system
Has anyone else tried doing those 2 things before?
Thank you for your time.
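As an added example (not part of the original post), a small audit that reads `docker inspect` output and reports whether each container satisfies CIS rules 4.1 (non-root user) and 5.12 (read-only root filesystem). The inspect data below is constructed; only the standard `Config.User` and `HostConfig.ReadonlyRootfs` fields are used.

```python
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields the two
# checks need. Not real output from the poster's system.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/gitlab",
        "Config": {"User": "", "Image": "gitlab/gitlab-ce:13.3.8-ce.0"},
        "HostConfig": {"ReadonlyRootfs": False},
    },
    {
        "Name": "/app",
        "Config": {"User": "1234:1234", "Image": "example/app:1.0"},
        "HostConfig": {"ReadonlyRootfs": True},
    },
])


def check_user(cfg):
    """CIS 4.1: a non-root user must be set (USER in the Dockerfile or -u at run time)."""
    user = (cfg.get("Config", {}).get("User") or "").strip()
    if not user:
        return False, "no user set (container runs as root)"
    uid = user.split(":")[0]          # "uid[:gid]" or "name[:group]"
    if uid in ("0", "root"):
        return False, f"user is root ({user})"
    return True, f"user {user}"


def check_readonly(cfg):
    """CIS 5.12: the root filesystem must be mounted read-only (--read-only)."""
    ro = bool(cfg.get("HostConfig", {}).get("ReadonlyRootfs"))
    return ro, ("ReadonlyRootfs=true" if ro else "root filesystem is writable")


def audit(inspect_json):
    """Return {container name: {rule id: (passed, detail)}} for both rules."""
    results = {}
    for cfg in json.loads(inspect_json):
        name = cfg.get("Name", "?").lstrip("/")
        results[name] = {"4.1": check_user(cfg), "5.12": check_readonly(cfg)}
    return results


if __name__ == "__main__":
    # Pipe real data in with: docker inspect $(docker ps -q) | python3 cis_audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, rules in audit(data).items():
        for rule, (ok, detail) in rules.items():
            print(f"{name}: CIS {rule} {'PASS' if ok else 'FAIL'} - {detail}")
```

On the constructed sample, the gitlab container fails both rules and the app container passes both; a container that fails 4.1 or 5.12 in this check is exactly the one that produces the permission errors quoted in the post once the rule is enforced.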