I'd like to propose that compose workloads are set to non-root and read-only by default, and then users should opt in to enabling root or readable fs if the workloads strictly require it.
This would ensure that workloads follow best practice by default, and are most broadly compatible by default. We tend to find that security constraints are the most common thing that customers "patch" into the output manifests for compose and k8s.
For compose, this would mean setting the `read_only` flag on output workload services (not on services generated by provisioners) and warning the user if their image does not contain a `USER` stanza. See https://docs.docker.com/reference/compose-file/services/#user. We could perhaps fail if the image does not contain this and the customer must provide the root override instead. However, I don't really know how we can efficiently determine if the container image contains an image stanza. If we have the image locally we can inspect it using tar/oci image formats/docker inspect; however, if the image is remote and will only be pulled on `compose up`, we won't have this information yet.
We also don't yet have a way of declaring the security section or extra capabilities that a workload requests.
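As an added example (not part of this proposal or of the project's own code), here is what the hardening pass sketched above could look like as a Python function: every generated workload service gets `read_only: true` unless the user opts out, and each service's image config is checked for a non-root `USER`. The image configs are constructed inline in the shape of the `Config` object that `docker image inspect` prints (an absent `USER` shows up as an empty `User` string); a remote image that is not available locally is reported as unverifiable, which is exactly the gap the proposal notes. The `overrides` mapping with its `root` and `writable` keys is a hypothetical opt-in mechanism, not an existing score-compose feature.

```python
"""Read-only / non-root defaults for generated Compose services (added example)."""

# User values that mean "runs as root": an empty string is how
# `docker image inspect` reports a missing USER stanza.
ROOT_USERS = {"", "0", "root"}

# Constructed image configs, standing in for a local `docker image inspect`
# of each workload image (only the fields the check needs are included).
IMAGE_CONFIGS = {
    "example/api:1.0": {"User": "10001:10001", "Cmd": ["/app/server"]},
    "example/worker:1.0": {"User": "", "Cmd": ["/app/worker"]},      # no USER stanza
    "example/legacy:1.0": {"User": "root", "Cmd": ["/usr/bin/legacy"]},
}


def image_runs_as_root(config):
    """True when the image config lacks a USER stanza or names root.

    `User` may be "name", "uid", "name:group" or "uid:gid"; only the user
    part decides whether the process starts as root.
    """
    user = (config or {}).get("User", "")
    return user.split(":")[0] in ROOT_USERS


def harden_services(services, image_configs, overrides=None):
    """Apply the proposed defaults to a mapping of Compose services.

    - every service gets `read_only: true` unless overrides[name]["writable"]
    - a service whose image cannot be inspected, or whose image runs as root,
      produces a warning unless overrides[name]["root"] opts in to root.
    Returns (hardened_services, warnings); the input mapping is not modified.
    """
    overrides = overrides or {}
    hardened, warnings = {}, []
    for name, svc in services.items():
        opts = overrides.get(name, {})
        out = dict(svc)
        if not opts.get("writable"):
            out["read_only"] = True
        image = svc.get("image")
        cfg = image_configs.get(image)
        if cfg is None:
            # Remote image: nothing to inspect until `compose up` pulls it.
            warnings.append(f"{name}: image {image} not available locally; cannot verify USER stanza")
        elif image_runs_as_root(cfg) and not opts.get("root"):
            warnings.append(f"{name}: image {image} has no non-root USER stanza; add one or opt in to root")
        hardened[name] = out
    return hardened, warnings


if __name__ == "__main__":
    # Constructed sample: three local images plus one that is only remote.
    sample = {
        "api": {"image": "example/api:1.0"},
        "worker": {"image": "example/worker:1.0"},
        "legacy": {"image": "example/legacy:1.0"},
        "remote": {"image": "example/remote:2.0"},
    }
    result, warns = harden_services(sample, IMAGE_CONFIGS,
                                    overrides={"legacy": {"root": True, "writable": True}})
    for w in warns:
        print("WARNING:", w)
    print(result)
```

Run as a script, the `worker` service is flagged for lacking a `USER` stanza and `remote` for being unverifiable, while `legacy` passes because the (hypothetical) override opts it in to root and a writable filesystem; all other services come out with `read_only: true`.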