ID: docker-best-practices/service-writable-filesystem
Language: YAML
Severity: Warning
Category: Security
CWE: 732
This rule flags services in Docker Compose files whose root filesystem is writable, either because `read_only` is set to `false` or because it is omitted entirely (Docker defaults to a writable root filesystem). A writable root filesystem widens the attack surface: an attacker or malicious process that gains execution inside the container can overwrite binaries and libraries, alter configuration, drop tooling, or plant files that persist for the lifetime of the container.

Running a service with a read-only root filesystem prevents in-container modification of the image contents at runtime. This preserves the integrity of the container environment, reduces the risk of both accidental and deliberate file tampering, and forces the writable locations a service legitimately needs to be declared explicitly rather than left implicit.

To comply with this rule, set `read_only: true` on each service definition in the Compose file. It is the Compose equivalent of `docker run --read-only`. Note that `read_only` applies only to the root filesystem: volumes and tmpfs mounts remain writable. A service that writes at runtime (a database writing its data directory, an application writing to `/tmp`) therefore also needs a `volumes` or `tmpfs` entry for those paths, or it will fail at startup once the root filesystem is read-only.

Adopting this approach improves the overall security posture of your containerized applications and makes them more resilient to attacks and unintended changes.
Non-compliant code example: `read_only` is not set on any service, so every container runs with a writable root filesystem.

```yaml
version: '3.3'
services:
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      - 5432:5432
  redis:
    image: redis:alpine      # read_only omitted: root filesystem defaults to writable
  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - 8080:8080
    command: |
      wait-for postgres:5432 -- python run.py
```
Non-compliant code example: `read_only: false` is set explicitly on the redis service.

```yaml
version: '3.3'
services:
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      - 5432:5432
  redis:
    image: redis:alpine
    read_only: false         # explicitly writable root filesystem
  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - 8080:8080
    command: |
      wait-for postgres:5432 -- python run.py
```
Compliant code example: `read_only: true` is set on the redis service.

```yaml
version: '3.3'
services:
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      - 5432:5432
  redis:
    image: redis:alpine
    read_only: true          # root filesystem is read-only; the /data volume declared by the image stays writable
  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - 8080:8080
    command: |
      wait-for postgres:5432 -- python run.py
```
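The compliant example sets `read_only` on redis only. The following is an added example, not code from the rule page, showing the same three services all running with a read-only root filesystem and every writable path they need declared explicitly. It assumes, because the page does not say, that `Dockerfile.db` builds on the official postgres image (data directory `/var/lib/postgresql/data`, socket and pid files under `/var/run/postgresql`) and that the `sqli` application writes only to `/tmp` at runtime; the volume names `pgdata` and `redisdata` are chosen here.

```yaml
# Added example (not from the rule page). Assumptions not stated by the page:
#   - Dockerfile.db is based on the official postgres image
#   - the sqli application writes only to /tmp at runtime
version: '3.3'
services:
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    read_only: true                       # same effect as `docker run --read-only`
    tmpfs:
      - /tmp
      - /var/run/postgresql               # postgres needs a writable socket/pid directory
    volumes:
      - pgdata:/var/lib/postgresql/data   # durable, writable data directory (assumed PGDATA)
    ports:
      - 5432:5432
  redis:
    image: redis:alpine
    read_only: true
    volumes:
      - redisdata:/data                   # explicit named volume instead of the image's anonymous one
  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    read_only: true
    tmpfs:
      - /tmp                              # assumed to be the only path the app writes at runtime
    depends_on:
      - postgres
      - redis
    ports:
      - 8080:8080
    command: |
      wait-for postgres:5432 -- python run.py

volumes:
  pgdata:
  redisdata:
```

Run `docker compose config` to view the merged configuration and confirm that `read_only: true` survives any override files. After `docker compose up`, `docker inspect --format '{{.HostConfig.ReadonlyRootfs}}' <container>` prints `true` for each service, and a write outside the declared mounts (for example `docker compose exec redis touch /etc/probe`) fails with a read-only filesystem error. The tmpfs and volume mounts remain writable by design, so treat `read_only` as one layer alongside other container hardening rather than as a complete control.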