Set readOnlyRootFSEnabled Parameter to True

Be aware that configuring this step is entirely optional and should be undertaken exclusively if you seek to enhance the security of your containers.

To change the readOnlyRootfSEnabled setting from false to true, perform the following:

Set readOnlyRootFSEnabled: true in accelo.yml file.
Run the following command:

Bash
    
 
accelo admin database push-config
Copy

Restart accelo by running the following command:

Bash
    
 
accelo restart all -d
Copy

To ensure that all the containers are in ReadOnlyRootFileSystem, run the following command:

Bash
    
 
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'
Copy

In case any service requires additional paths to be mounted as tmpfs, you must add it to the <service>.yml file.

For example: ad-proxy.yml

Bash
    
 
version: "2"services:  ad-proxy:    image: ad-proxy    container_name: ""    environment: []    volumes:    - /etc/localtime:/etc/localtime:ro    - /data01/acceldata/config/proxy/traefik.toml:/etc/traefik/traefik.toml    - /data01/acceldata/config/proxy/config.toml:/etc/traefik/conf/config.toml    - /data01/acceldata/config/proxy/certs:/etc/acceldata    ulimits: {}    ports:    - 443:443    depends_on: []    opts: {}    restart: ""    extra_hosts: []    network_alias: []    tmpfs:      /tmp: rwlabel: Proxy
Copy

Last updated on

Was this page helpful?