docker-compose: read-only root filesystem

CHANGELOG.md

@@ -6,7 +6,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 ### Changed
-- docker-compose: use custom container name "ipfs" instead of auto-generated "\[PROJECT_NAME\]_ipfs_1"
+- docker-compose: use custom container name "ipfs" instead of auto-generated "\[PROJECT_NAME\]\_ipfs\_1"
+- docker-compose: read-only root filesystem
 - docker-compose: drop capabilities
 
 ## [0.2.2] - 2020-09-24

Dockerfile

@@ -1,7 +1,7 @@
 # on alpine with libc6-compat=1.1.24-r9:
 # > Error relocating /usr/local/bin/ipfs: __fprintf_chk: symbol not found
 # > Error relocating /usr/local/bin/ipfs: __vfprintf_chk: symbol not found
-FROM debian:buster-slim
+FROM debian:10.8-slim
 
 ARG JQ_PACKAGE_VERSION=1.5+dfsg-2+b1
 ARG TINI_PACKAGE_VERSION=0.18.0-1

docker-compose.yml

@@ -1,4 +1,4 @@
-version: '2'
+version: '2.3'
 
 volumes:
   ipfs_repo:
@@ -8,8 +8,18 @@ services:
     build: .
     image: docker.io/fphammerle/ipfs
     container_name: ipfs
+    read_only: true
     volumes:
-    - ipfs_repo:/ipfs-repo:rw
+    - type: volume
+      source: ipfs_repo
+      target: /ipfs-repo
+      read_only: no
+    - type: tmpfs
+      target: /tmp # entrypoint.sh
+      tmpfs:
+        # nosuid,nodev,noexec added by default
+        mode: '1777'
+        size: 16k # default config has approx 5kB
     ports:
     - '4001:4001'
     - '127.0.0.1:5001:5001'

entrypoint.sh

@@ -1,6 +1,8 @@
 #!/bin/sh
 set -eu
 
+# "sponge" also writes to /tmp
+# https://salsa.debian.org/nsc/moreutils/-/blob/debian/0.62-1/sponge.c#L262
 ipfs_config_jq_edit() {
     tmp=$(mktemp)
     (set -x; jq "$@" < "$IPFS_CONFIG_PATH" > "$tmp")