Storage and volumes

The Airlock IAM docker image is designed for containers to be ephemeral. For this reason, we have used --rm in the previous examples, which deletes the container storage upon completion.

To keep the configuration directory persistent, Docker volumes or bind mounts can be used. Inside the Docker image, Airlock IAM expects the configuration directory at /home/airlock/iam.

Creating and copying the complete configuration directory during the build phase is a viable alternative for production use.

During integration, using bind mounts is more convenient because config files can be edited locally.

Read-only root filesystem

With Docker volumes, the container's root filesystem can be made read-only. A read-only root filesystem improves security by restricting what a process inside the container can modify to the explicitly mounted writable paths.

The work directory /home/airlock/work must always be writable. To make the config root directory /home/airlock/iam read-only, all writable files must be configured to be stored outside this directory. This can be achieved by configuring the path settings in the instance.properties file.
Currently, only the optional .activated-configs directory would require the /home/airlock/iam directory to be writable. The path to a writable filesystem can be set in the instance.properties file (see code excerpt).

Code excerpt:

## Directory to store activated configurations and activation states (displayed in the config editor)
## Set to empty to not store the activated configurations nor the activation states.
## Otherwise it must be a writable directory (relative to the instance directory or as absolute path)
#iam.activated-configs.dir = .activated-configs

In IAM active-active setups, with multiple Airlock IAMs per instance, the activation status of the IAMs and their plugins would overwrite each other's files in the .activated-configs directory. In this case, we recommend configuring an empty iam.activated-configs.dir (see code excerpt above).

For the working directory, ephemeral tmpfs mounts can be used since their contents are always re-created during start-up.

Run the following in the Docker CLI:

docker run --rm --read-only --mount type=volume,target=/home/airlock/iam --mount type=tmpfs,target=/home/airlock/work quay.io/airlock/iam:8.2

Set the volumes and temporary file systems in the docker-compose.yml:

version: '3.7'
services:
  iam:
    image: quay.io/airlock/iam:8.2
    read_only: true
    volumes:
      - type: volume
        target: "/home/airlock/iam"
      - type: tmpfs
        target: "/home/airlock/work"

You may also use type=volume instead of type=tmpfs to create an anonymous volume. See https://docs.docker.com/storage/ for a complete overview of all Docker storage options and how they differ.
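The following script is an added example for this page; it is not part of the Airlock IAM documentation or product. It ties together the two preceding sections: it checks an instance.properties file to see whether iam.activated-configs.dir (key name and commented default taken from the excerpt above) still requires /home/airlock/iam to be writable, and, when a docker CLI is on PATH, starts the container with the same --read-only, volume and tmpfs mounts as the docker run line above and confirms the setting through docker inspect. The instance directory layout passed as the second argument, the volume name iam-config and the container name iam-ro-check are assumptions; the docs do not state them. The sample properties files in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Airlock IAM code. Pre-flight check for running the IAM
# image with a read-only root filesystem.

CONFIG_ROOT="/home/airlock/iam"
IMAGE="${IAM_IMAGE:-quay.io/airlock/iam:8.2}"

# Effective value of iam.activated-configs.dir in a properties file.
# The last uncommented assignment wins; if there is none, the commented
# default from the excerpt (.activated-configs) is assumed to apply.
activated_configs_dir() {
  line=$(grep -E '^[[:space:]]*iam\.activated-configs\.dir[[:space:]]*=' "$1" | tail -n 1)
  if [ -z "$line" ]; then
    printf '%s\n' ".activated-configs"
    return 0
  fi
  printf '%s\n' "${line#*=}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Prints one of:
#   empty   - nothing is stored (the recommended active-active setting)
#   outside - writable directory outside the config root; --read-only is fine
#   inside  - directory under /home/airlock/iam; the config root must stay writable
# Relative paths are resolved against the instance directory given as $2
# (assumed layout). Paths are compared textually; ".." segments are not normalised.
activated_configs_mode() {
  dir=$(activated_configs_dir "$1")
  [ -n "$dir" ] || { echo empty; return 0; }
  case "$dir" in
    /*) abs="$dir" ;;
    *)  abs="$2/$dir" ;;
  esac
  case "$abs" in
    "$CONFIG_ROOT"|"$CONFIG_ROOT"/*) echo inside ;;
    *) echo outside ;;
  esac
}

# Argument list for a read-only run: a named volume ($1) for the config root
# and a tmpfs for the work directory, mirroring the docker run line on the page.
readonly_run_args() {
  printf '%s' "--read-only --mount type=volume,source=$1,target=$CONFIG_ROOT --mount type=tmpfs,target=/home/airlock/work"
}

# Start the container detached and confirm Docker applied the read-only root
# filesystem (HostConfig.ReadonlyRootfs in docker inspect). Skips cleanly when
# no docker CLI is available; returns 0 when the flag is reported as true.
verify_readonly_container() {
  name="${1:-iam-ro-check}"
  command -v docker >/dev/null 2>&1 || { echo "docker not available, skipping"; return 0; }
  # shellcheck disable=SC2046  # intentional word splitting of the argument list
  docker run -d --rm --name "$name" $(readonly_run_args iam-config) "$IMAGE" >/dev/null
  ro=$(docker inspect -f '{{.HostConfig.ReadonlyRootfs}}' "$name")
  docker rm -f "$name" >/dev/null 2>&1
  [ "$ro" = "true" ]
}

# Constructed sample files (not real Airlock configurations) covering the
# three cases: default (commented key), empty value, absolute path outside.
demo() {
  tmp=$(mktemp -d)
  printf '#iam.activated-configs.dir = .activated-configs\n' > "$tmp/default.properties"
  printf 'iam.activated-configs.dir =\n' > "$tmp/active-active.properties"
  printf 'iam.activated-configs.dir = /home/airlock/work/activated\n' > "$tmp/outside.properties"
  for f in "$tmp"/*.properties; do
    printf '%s: %s\n' "$(basename "$f")" "$(activated_configs_mode "$f" "$CONFIG_ROOT/instances/auth")"
  done
  rm -rf "$tmp"
}

demo
```

Run the properties check against each instance before switching on read_only: any result of "inside" means the container will fail to write its activation state once the config root is mounted read-only, and "empty" is the value recommended above for active-active setups. verify_readonly_container is a smoke test for the host side; it only tells you that Docker applied the flag, not that the application's path settings are consistent, which is what the properties check is for.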