Uploaded image for project: 'Server Deployments and Scale'
  1. Server Deployments and Scale
  2. SCALE-17

Provide a Test & Documents for Docker's "--read-only" flag for Jira

    XMLWordPrintable

Details

    • Suggestion
    • Resolution: Unresolved
    • None
    • None
    • Docker
    • None

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      Some Customers running Jira in a Docker container and would like to use the --read-only flag provided by Docker but there is no support nor documents provided for this flag as it's not officially supported.

      I would like Atlassian to provide a Test & Documents for Docker's --read-only flag for Jira.

      Benefits

      Checking the Docker Doc for Read-only command, it mentions

      Volumes can be used in combination with --read-only to control where a container writes files. The --read-only flag mounts the container’s root filesystem as read only prohibiting writes to locations other than the specified volumes for the container.

      Which is sometimes needed to provide a more secure environment as a part of STIG, it is to use read-only flag to prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.

      Further details

      The container's root filesystem should be treated as a 'golden image' by using Docker run's --read-only option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.

      Enabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.

      Enabling --read-only at container runtime may break some container OS packages if a data writing strategy is not defined. Define what the container's data should and should not persist at runtime to determine which recommendation procedure to utilize.
      Example:

      • Enable use --tmpfs for temporary file writes to /tmp
      • Use Docker shared data volumes for persistent data writes

      By default, a container will have its root filesystem writable allowing all container processes to write files owned by the container's runtime user.

      Note

      Here is a rough estimate on how the script should look like:

      This is an untested Script, kindly test on your own risk

      docker run -d \
    --name jiratest \
    --read-only \
    -v ~/Docker/jiratest/home:/var/atlassian/application-data/jira \
    -v ~/Docker/jiratest/temp:/opt/atlassian/jira/temp \
    -v ~/Docker/jiratest/logs:/opt/atlassian/jira/logs \
    -v ~/Docker/jiratest/work:/opt/atlassian/jira/work \
    -p 8080:8080 \
    atlassian/jira-software

      I would suggest you try testing the above script in your testing environment and see if that helps you start Jira.

      Attachments

        Activity

          People

            Unassigned Unassigned
            ahassanen@atlassian.com Ahmed Hassanen (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: