Suggestion
Resolution: Unresolved
Some customers run Jira/Confluence/Crowd in a Docker container and would like to use the --read-only flag provided by Docker, but there is no support or documentation for this flag as it is not officially supported.
I would like Atlassian to provide tests and documentation for Docker's --read-only flag for Jira/Confluence/Crowd.
Benefits
The Docker documentation for the --read-only flag states:
Volumes can be used in combination with --read-only to control where a container writes files. The --read-only flag mounts the container’s root filesystem as read only prohibiting writes to locations other than the specified volumes for the container.
This is sometimes needed to provide a more secure environment as part of a STIG: the --read-only flag prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.
Further details
The container's root filesystem should be treated as a 'golden image' by using Docker run's --read-only option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.
Enabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.
Enabling --read-only at container runtime may break some container OS packages if a data writing strategy is not defined. Define what the container's data should and should not persist at runtime to determine which recommendation procedure to utilize.
Example:
- Use --tmpfs for temporary file writes to /tmp
- Use Docker shared data volumes for persistent data writes
By default, a container will have its root filesystem writable allowing all container processes to write files owned by the container's runtime user.
Here is a rough idea of what the command should look like:
Jira:
This is an untested script; test it at your own risk.
docker run -d \
--name jiratest \
--read-only \
-v ~/Docker/jiratest/home:/var/atlassian/application-data/jira \
-v ~/Docker/jiratest/temp:/opt/atlassian/jira/temp \
-v ~/Docker/jiratest/logs:/opt/atlassian/jira/logs \
-v ~/Docker/jiratest/work:/opt/atlassian/jira/work \
-p 8080:8080 \
atlassian/jira-software
I would suggest you try testing the above script in your testing environment and see if that helps you start Jira.
Confluence:
The following will start a Confluence Docker container as a non-root user in Docker read-only mode. Please test this thoroughly in a test environment before implementing it in production.
docker run \
-v ~/confluence-8.5.14:/var/atlassian/application-data/confluence \
-v ~/confluence-init.properties:/opt/atlassian/confluence/confluence/WEB-INF/classes/confluence-init.properties \
-v ~/seraph-config.xml:/opt/atlassian/confluence/confluence/WEB-INF/classes/seraph-config.xml \
-v ~/confluence-logs:/opt/atlassian/confluence/logs \
-v ~/server.xml:/opt/atlassian/confluence/conf/server.xml \
-v ~/confluence-work:/opt/atlassian/confluence/work/ \
-v ~/confluence-temp:/opt/atlassian/confluence/temp/ \
-v ~/confluence-shared:/var/atlassian/application-data/shared \
--name="confluence" -d --user 2002:2002 -p 0.0.0.0:8090:8090 -p 8091:8091 --read-only atlassian/confluence:<version>
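When a container started with --read-only is missing a writable volume or tmpfs, the JVM logs "Read-only file system" errors for the exact paths it could not write. The helper below is an added example, not part of this ticket or of Atlassian's images: it reads such a log (a constructed sample is embedded), lists the failing paths, and suggests the --tmpfs / -v flags to add to the docker run commands above. HOSTDIR is a placeholder for the host-side directory, not a real path.

```shell
#!/bin/sh
# Constructed sample of the errors a JVM logs when a --read-only container has no
# writable volume or tmpfs for a directory it needs (not real Jira output).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2024-05-01 10:00:01,123 INFO  [main] Starting Jira
2024-05-01 10:00:02,456 ERROR [main] java.io.FileNotFoundException: /opt/atlassian/jira/logs/catalina.out (Read-only file system)
2024-05-01 10:00:02,789 ERROR [main] java.nio.file.FileSystemException: /opt/atlassian/jira/temp/jar_cache123.tmp: Read-only file system
2024-05-01 10:00:03,001 WARN  [main] java.io.IOException: /tmp/hsperfdata_jira/1: Read-only file system
2024-05-01 10:00:03,200 ERROR [main] java.io.FileNotFoundException: /opt/atlassian/jira/logs/catalina.out (Read-only file system)
EOF

# List the unique absolute paths that failed with EROFS. Both JVM message shapes
# are handled: "<path> (Read-only file system)" and "<path>: Read-only file system".
readonly_paths() {
  grep 'Read-only file system' "$1" \
    | sed -nE 's/.*[ :](\/[^ :()]*)(: | \()Read-only file system.*/\1/p' \
    | sort -u
}

# Map each failing path to the directory that must be writable and emit the
# docker run flag that makes it so: --tmpfs for scratch data under /tmp, a -v
# bind mount for anything that should persist. HOSTDIR is a placeholder for the
# host-side directory and is not a real path.
suggest_mounts() {
  readonly_paths "$1" | while IFS= read -r p; do
    dir=$(dirname "$p")
    case "$dir" in
      /tmp|/tmp/*) echo "--tmpfs /tmp" ;;
      *)           echo "-v HOSTDIR$dir:$dir" ;;
    esac
  done | sort -u
}

# Usage: suggest_mounts /path/to/atlassian-jira.log  (shown here on the sample)
suggest_mounts "$SAMPLE_LOG"
```

Run it against the real application log after a failed --read-only start, then add the suggested flags and iterate until the container comes up cleanly.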