Run Mongo in Docker with read-only FS

Question

I want to start a Mongo container with a read-only fs for security reason according to 5.12.

I have the following docker-compose.yml:

version: '2'
services:
  mongodb:
    image: mongo:3.2
    command: -f /etc/mongo.conf
    volumes:
      - ./mongo/mongo.conf:/etc/mongo.conf:ro
      - /data/db
    user: mongodb
    read_only: true

On docker-compose up it fails with the error Failed to unlink socket file /tmp/mongodb-27017.sock errno:30 Read-only file system.

OK. No problem. I could add - /tmp to the volumes.

But is this good practice to add every path to the volumes? And are there some other paths to add? Like some log paths and so on?

Is there a list from Mongodb?

Answer 1

TL;DR case

You don't need have read-only container, you should only keep your user as non-root for host machine, mount only dirs that you really need and manage permisiions only for mounted dirs.

Full answer

From the official mongo docker image and best usage practices of docker much easier and convenient case is using gosu. In this case your MongoDB will be running by non-root user, that should be enough secure.

All directories that is not mounted from host to container could not be affected from container to host. As example, even if you remove root of you system inside of container where nothing is mounted, it will not affect host dirs (but it WILL affect all mounted dirs, so be careful if you decide to try it by yourself =)).

Also for MongoDB /data/db directory is where all db info stored it writes all info "schemas" etc., so while it is in read only mode, mongodb will not work in any case. This is why you could see chown -R mongodb:mongodb /data/db lines befor mongodb start in docker-entrypoint.sh from official mongodb docker image.