A simple selfhosted URL shortener with no unnecessary features. Simplicity and speed are the main foci of this project. The docker image is ~6 MB (compressed), and it uses <5 MB of RAM under regular use.
A simple selfhosted URL shortener with no unnecessary features. Simplicity and speed are the main foci of this project. The docker image is ~6 MB (compressed), and it uses <5 MB of RAM under regular use.
I try to slap anything I’d face the Internet with with the read_only to further restrict exploit possibilities, would be abs great if you could make it work! I just follow all reqs on the security cheat sheet, with
read_onlybeing one of them: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.htmlWith how simple it is I guessed that running as a
userand restrictingcap_drop: allwouldn’t be a problem.For
read_onlymany containers just needtmpfs: /tmpin addition to the volume for the db. I think many containers just try to contain temporary file writing to one directory to make applyingread_onlyeasier.So again, I’d abs use it with
read_onlywhen you get the time to tune it!!Upon further testing, this does actually work. You may set both
read_only: true, andcap_drop: alland it will work as long as you have a named volume. I had it mount a database file from the host system for my test config, which is why I was getting the errors. I don’t know how to make that work though i.e. when the db is bind mounted from the host system. Setting the mount:rwdoesn’t seem to fix it.Odd, I’ll try to deploy this when I can and see!
I’ve never had a problem with a volume being on the host system, except with user permissions messed up. But if you haven’t given it a user parameter it’s running as root and shouldn’t have a problem. So I’ll see sometime and get back to you!