The Subscription Tracker Docker container now fully supports read-only filesystems and user directives for maximum security compliance.
```bash
# Full read-only support with tmpfs for temporary files
docker run -d \
  --read-only \
  --tmpfs /tmp:size=100M,mode=1777 \
  --tmpfs /var/tmp:size=10M,mode=1777 \
  -v ./data:/app/instance:rw \
  subscription-tracker
```

```bash
# Run as specific user without privilege escalation
docker run -d \
  --user 1000:1000 \
  --read-only \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  --security-opt no-new-privileges:true \
  -v ./data:/app/instance:rw \
  subscription-tracker
```

```yaml
version: '3.8'
services:
  web:
    build: .
    user: "1000:1000"
    read_only: true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /tmp:size=100M,mode=1777
      - /var/tmp:size=10M,mode=1777
    volumes:
      - ./data:/app/instance:rw
    ports:
      - "5000:5000"
```

The container automatically detects and adapts to:
- 🔒 Read-Only Filesystems - Detects when `/` is mounted read-only
- 👤 User Directives - Detects when started with the `--user` flag
- 📁 Restricted Permissions - Handles when `/etc/passwd` is not writable
- 🛡️ Security Contexts - Works with Kubernetes security policies
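The detect-and-adapt decision described in the list above, as an added example written for this page and not the project's own entrypoint script. The functions `root_is_readonly`, `select_mode` and `plan_actions` take their inputs (current UID, a `/proc/mounts`-style file, a passwd path) as arguments so they can be exercised on constructed sample files, and `su-exec` as the privilege-drop tool is an assumption.

```shell
#!/bin/sh
# Added example (not the project's entrypoint): the detect-and-adapt logic above.

# root_is_readonly MOUNTS_FILE
# Succeeds when the root mount in a /proc/mounts-style listing carries "ro".
root_is_readonly() {
  while read -r _dev mnt _fs opts _rest; do
    [ "$mnt" = "/" ] || continue
    case ",$opts," in *,ro,*) return 0 ;; esac
  done < "$1"
  return 1
}

# select_mode UID MOUNTS_FILE PASSWD_FILE
# Prints the deployment mode an entrypoint should pick:
#   USER-DIRECTIVE  started with --user, so PUID/GUID are ignored
#   READ-ONLY       root, but / is ro or passwd is not writable: no useradd
#   STANDARD        root on a writable filesystem: create user, fix ownership
select_mode() {
  if [ "$1" != "0" ]; then
    echo "USER-DIRECTIVE"
  elif root_is_readonly "$2" || [ ! -w "$3" ]; then
    echo "READ-ONLY"
  else
    echo "STANDARD"
  fi
}

# plan_actions MODE PUID GUID DATA_DIR
# Prints, one per line, what the entrypoint would do in that mode before
# exec'ing the application (su-exec as the privilege-drop tool is assumed).
plan_actions() {
  case "$1" in
    STANDARD)
      echo "addgroup -g $3 appgroup"
      echo "adduser -D -u $2 -G appgroup appuser"
      echo "chown -R $2:$3 $4 && chmod 755 $4"
      echo "exec su-exec $2:$3 \"\$@\""
      ;;
    READ-ONLY)
      echo "hint: for PUID/GUID use docker run --user $2:$3 --read-only ..."
      echo "exec \"\$@\""      # stays root; nothing on the image is modified
      ;;
    USER-DIRECTIVE)
      echo "exec \"\$@\""      # already the --user identity; PUID/GUID ignored
      ;;
  esac
}
```

On a live container the call would be `plan_actions "$(select_mode "$(id -u)" /proc/mounts /etc/passwd)" "${PUID:-1000}" "${GUID:-1000}" /app/instance`.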
```bash
# Full PUID/GUID support with user creation
PUID=1000 GUID=1000 docker-compose up
```

Features:
- ✅ Creates custom users/groups
- ✅ Full PUID/GUID functionality
- ✅ Automatic permission fixing
- ✅ Database ownership management
```bash
# Security-hardened with read-only filesystem
docker run --read-only --user 1000:1000 subscription-tracker
```

Features:
- ✅ No user creation attempts
- ✅ Works with existing user ID
- ✅ Database permissions via mount ownership
- ✅ Compatible with security scanners
```bash
# Kubernetes-compatible with security context
docker run --user 1000:1000 subscription-tracker
```

Features:
- ✅ Runs as specified user from start
- ✅ No privilege escalation
- ✅ Compatible with security policies
- ✅ Works in restricted environments
```text
🔧 Setting up user mapping...
🔧 Standard PUID/GUID mode: Setting up mapping 1000:1000
✅ Created group appgroup with GID 1000
✅ Created user appuser with UID 1000
✅ User mapping configured: 1000:1000
🎯 Deployment mode: STANDARD
🔑 Running as root - fixing ownership and permissions
✅ Set /app/instance ownership to 1000:1000 with 755 permissions
🔽 Dropping privileges to 1000:1000
```

```text
🔧 Setting up user mapping...
🔒 Read-only filesystem or restricted user management detected
🔒 Read-only filesystem mode
⚠️ Running as root but cannot create users in read-only filesystem
💡 For PUID/GUID support in read-only mode, use:
   docker run --user 1000:1000 --read-only ...
🎯 Deployment mode: READ-ONLY
ℹ️ Directory permissions unchanged (read-only filesystem)
```

```text
🔧 Setting up user mapping...
👤 Container started with user directive (--user flag)
📋 User directive mode: Running as 1000:1000
ℹ️ PUID/GUID variables ignored in user directive mode
✅ Using container's current user for all operations
🎯 Deployment mode: STANDARD + USER-DIRECTIVE
👤 User directive mode: Running directly as 1000:1000
```
- Container can run entirely as non-root
- No `sudo` or `setuid` operations required
- Compatible with `no-new-privileges:true`
- Application data isolated to mounted volumes
- No writes to container filesystem
- Prevents runtime tampering
- Minimal capabilities required
- Only `NET_BIND_SERVICE` needed for port binding
- All other capabilities can be dropped
- Works with Docker user namespace remapping
- Compatible with rootless Docker
- Supports Kubernetes security contexts
Your existing setup continues to work:
```yaml
# This still works exactly the same
environment:
  - PUID=1000
  - GUID=1000
```

Add security hardening:

```yaml
# Enhanced security version
user: "1000:1000"
read_only: true
cap_drop: [ALL]
cap_add: [NET_BIND_SERVICE]
security_opt: [no-new-privileges:true]
tmpfs:
  - /tmp:size=100M,mode=1777
  - /var/tmp:size=10M,mode=1777
```

This error no longer occurs! The container now detects read-only filesystems and avoids user creation attempts.
Fixed! Container detects when /etc/group is not writable and uses alternative approaches.
Ensure data directory has correct ownership:
```bash
# Set ownership to match --user directive
sudo chown -R 1000:1000 ./data
docker run --user 1000:1000 subscription-tracker
```

Ensure volume mount has correct ownership:

```bash
# Fix volume ownership before mounting
sudo chown -R 1000:1000 ./data
chmod 755 ./data
```

| Security Feature | Standard Mode | Read-Only Mode | User Directive |
|---|---|---|---|
| Read-Only Root FS | ✅ Required | ✅ Compatible | |
| No Privilege Escalation | ✅ Native | ✅ Native | |
| User Creation | ✅ Dynamic | ❌ None | ❌ None |
| PUID/GUID Support | ✅ Full | | |
| Security Scanners | ✅ Clean | ✅ Clean | |
| Kubernetes Ready | ✅ Ready | ✅ Ready | |
| Container Hardening | ✅ Built-in | ✅ Built-in | |
- ✅ Zero Security Violations - No more permission denied errors
- ✅ Scanner Compatibility - Passes security scanning tools
- ✅ Kubernetes Ready - Works with security policies out of the box
- ✅ Backward Compatible - Existing setups continue to work
- ✅ Future Proof - Ready for evolving security requirements
- ✅ Compliance Ready - Meets enterprise security standards
The container now supports every security scenario while maintaining full functionality! 🔒🚀