Storage and volumes

The Airlock IAM docker image is designed for containers to be ephemeral. For this reason, we have used --rm in the previous examples, which deletes the container storage upon completion.

To keep the configuration directory persistent, Docker volumes or bind mounts can be used. Inside the Docker image, Airlock IAM expects the configuration directory at /home/airlock/iam.

Creating and copying the complete configuration directory during the build phase is a viable alternative for production use.

During integration, using bind mounts is more convenient because config files can be edited locally.

Read-only root filesystem

With Docker volumes, the container's root filesystem can be made read-only. Read-only filesystems provide improved security through stronger isolation.

The work directory /home/airlock/work must always be writable. To make the config root directory /home/airlock/iam read-only, all writeable files must be configured to be stored outside this directory. This can be achieved by configuring the path settings in the instance.properties file.
Currently, only the optional .activated-configs directory would require the /home/airlock/iam directory to be writeable. The path to a writeable filesystem can be set in the instance.properties file (see code excerpt).

Code excerpt:

## Directory to store activated configurations and activation states (displayed in the config editor) 
## Set to empty to not store the activated configurations nor the activation states. 
## Otherwise it must be a writable directory (relative to the instance directory or as absolute path) 
#iam.activated-configs.dir = .activated-configs

In IAM active-active setups, with multiple Airlock IAMs per instance, the activation status of the IAMs and their plugins would overwrite each other's files in the .activated-configs directory. In this case, we recommend configuring an empty iam.activated-configs.dir (see code excerpt above).

For the working directory, ephemeral tmpfs mounts can be used since their contents are always re-created during start-up.

Run the following in the Docker CLI:

docker run --rm --read-only --mount type=volume,target=/home/airlock/iam --mount type=tmpfs,target=/home/airlock/work docker.io/ergon/airlock-iam:8.2

Set the volumes and temporary file systems in the docker-compose.yml:

version: '3.7'
services:
  iam:
    image: docker.io/ergon/airlock-iam:8.2    read_only: true
    volumes:
      - type: volume
        target: "/home/airlock/iam"
      - type: tmpfs
        target: "/home/airlock/work"

You may also use type=volume instead of type=tmpfs to create an anonymous volume. See https://docs.docker.com/storage/ for a complete overview of all Docker storage options and how they differ.