Task
Resolution: Fixed
L3 - Default
Following security recommendations, containers should be run with a read-only root file system. This comment describes the work remaining for each component.
The Zeebe team did some work on this that might help us when exploring this task: camunda/zeebe#11876
Linked to epic camunda/product-hub#717
Testing Notes:
- Add read_only: true to the Optimize docker-compose container
- Start old version of Optimize
- Observe logged error:
    15:36:41.804 [main] ERROR o.s.boot.SpringApplication - Application run failed
    org.springframework.context.ApplicationContextException: Unable to start web server
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:164)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:602)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:732)
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:434)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:310)
        at org.camunda.optimize.Main.main(Main.java:29)
    Caused by: org.springframework.boot.web.server.WebServerException: Unable to create tempDir. java.io.tmpdir is set to /tmp
- Try with new Optimize image
- Observe Optimize starting as expected
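
The check in these testing notes can be automated before a container is ever started. The following is an added example, not code from this ticket or from the Optimize project: it audits the JSON that `docker compose config --format json` prints, flagging services that lack `read_only: true` and services that set it but leave the temp directory from the error above (`/tmp`) without a writable mount. The service names, image names and sample JSON are constructed.

```python
import json

# Constructed sample in the shape printed by `docker compose config --format json`.
SAMPLE = """
{"services": {
  "web-no-tmp": {"image": "example/app:1", "read_only": true},
  "web-tmpfs": {"image": "example/app:2", "read_only": true, "tmpfs": ["/tmp:size=64m"]},
  "db": {"image": "example/db:1",
         "volumes": [{"type": "volume", "source": "data", "target": "/var/lib/data"}]}
}}
"""

def writable_targets(service):
    """Container paths that stay writable under a read-only root file system."""
    tmpfs = service.get("tmpfs", [])
    if isinstance(tmpfs, str):          # compose allows a single string here
        tmpfs = [tmpfs]
    targets = [entry.split(":", 1)[0] for entry in tmpfs]  # drop mount options
    for vol in service.get("volumes", []):
        # Long-syntax mounts; a mount marked read_only does not help.
        if isinstance(vol, dict) and not vol.get("read_only", False):
            targets.append(vol["target"])
    return [t.rstrip("/") or "/" for t in targets]

def covers(target, path):
    """True if a mount at `target` contains `path` (component-wise, not by prefix)."""
    return target == "/" or path == target or path.startswith(target + "/")

def audit(compose, tmpdir="/tmp"):
    """Map each service to 'ok', 'writable-root' or 'no-writable-tmpdir'."""
    result = {}
    for name, svc in compose.get("services", {}).items():
        if not svc.get("read_only", False):
            result[name] = "writable-root"
        elif any(covers(t, tmpdir) for t in writable_targets(svc)):
            result[name] = "ok"
        else:
            # Would fail like the trace above if the app writes to tmpdir.
            result[name] = "no-writable-tmpdir"
    return result

if __name__ == "__main__":
    for service, status in sorted(audit(json.loads(SAMPLE)).items()):
        print(f"{service}: {status}")
```

The audit only sees mounts declared in the compose file; an image that declares its own volume or points `java.io.tmpdir` elsewhere needs the `tmpdir` argument adjusted or a manual check.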