Description
Some environments enforce read_only container deployment. Personally, I like to harden any container that is exposed to the internet to limit the attack surface.
After looking at the docker diff, these are the changes made in the container under normal operation:

```text
C /ovpn
C /ovpn/sock
A /ovpn/sock/sagent
A /ovpn/sock/sagent.api
A /ovpn/sock/sagent.localroot
C /ovpn/tmp
A /ovpn/tmp/wserv.pid
A /ovpn/tmp/openvpn.pid
A /ovpn/tmp/web
C /run
C /run/openvpn_as
C /run/openvpn_as/dev
C /run/openvpn_as/dev/null
C /run/openvpn_as/dev/random
C /run/openvpn_as/dev/urandom
C /usr
C /usr/local
C /usr/local/openvpn_as
C /usr/local/openvpn_as/etc
```
With a read-only file system, none of those changes are possible.
I got it working, but it required some modifications:
I had to add 2 tmpfs folders to make those writable (just /ovpn wasn't enough, because then it complained about not finding /ovpn/tmp):

```yaml
tmpfs:
  - /ovpn/tmp
  - /ovpn/sock
```
The docker entrypoint removes the default etc folder and symlinks the one from the volume. That is no longer possible, so I patched it (copied over my own version with a COPY statement):

```sh
#rm -rf /usr/local/openvpn_as/etc
#ln -s /openvpn/etc /usr/local/openvpn_as/etc
```

```dockerfile
FROM openvpn/openvpn-as:3.0.2-87c70987-Ubuntu24
COPY docker-entrypoint.sh /
```
Then I added an extra volume mount to that etc folder directly to replace the symlink, as well as keeping the original volume mount, so it becomes:

```yaml
volumes:
  - /data/openvpn:/openvpn
  - /data/openvpn/etc:/usr/local/openvpn_as/etc
```
And then let docker compose build the modified container:
```yaml
services:
  openvpn-as:
    # image: openvpn/openvpn-as:3.0.2-87c70987-Ubuntu24
    container_name: openvpn-as
    build: .
    read_only: true
```
This was enough for the container to start with a read-only file system. I've tested a client connection, and as far as I can see the openvpn server behaves normally.
I've only tested this when my data volume was already initialized with a working configuration, not from scratch, so initial setup might require more changes.
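The issue above derives the tmpfs and volume mounts by reading a `docker diff` listing by hand. The script below is an added example (not code from the issue or from the openvpn-as project) that automates that step: it treats every path in the diff that has no other diff entry beneath it as a leaf, and reports the parent directory of each leaf as a write target, so that paths which only appear because their metadata changed (such as `/usr` or `/run`) are skipped. The `writable_dirs` and `tmpfs_stanza` function names are my own, and the embedded sample is constructed from the diff lines quoted in the issue; against a live container you would pipe `docker diff <container>` into `writable_dirs` instead. Note that it reports candidates to review, not a minimal set: the issue author needed tmpfs only for `/ovpn/tmp` and `/ovpn/sock`, handled `/usr/local/openvpn_as/etc` by patching the entrypoint, and did not need anything for `/run/openvpn_as/dev`.

```sh
#!/bin/sh
# Added example (not from the issue or the openvpn-as project): derive the
# directories a read_only container still needs to write to from the output
# of `docker diff`. A path is a leaf when no other diff entry sits below it;
# each leaf's parent directory is a write target that needs a tmpfs or
# volume mount (or, as the issue does for /usr/local/openvpn_as/etc, a
# patched entrypoint). Paths that only have children are directories whose
# metadata changed and need nothing extra. Paths containing spaces are not
# handled (the parser takes the second whitespace-separated field).

# Constructed sample: the `docker diff` lines quoted in the issue.
SAMPLE_DIFF='C /ovpn
C /ovpn/sock
A /ovpn/sock/sagent
A /ovpn/sock/sagent.api
A /ovpn/sock/sagent.localroot
C /ovpn/tmp
A /ovpn/tmp/wserv.pid
A /ovpn/tmp/openvpn.pid
A /ovpn/tmp/web
C /run
C /run/openvpn_as
C /run/openvpn_as/dev
C /run/openvpn_as/dev/null
C /run/openvpn_as/dev/random
C /run/openvpn_as/dev/urandom
C /usr
C /usr/local
C /usr/local/openvpn_as
C /usr/local/openvpn_as/etc'

# writable_dirs: read `docker diff` lines (A/C/D <path>) on stdin and print
# the sorted, unique parent directories of every leaf entry.
writable_dirs() {
  awk '
    NF >= 2 { n++; path[n] = $2 }
    END {
      for (i = 1; i <= n; i++) {
        p = path[i]; leaf = 1
        for (j = 1; j <= n; j++)
          if (j != i && index(path[j], p "/") == 1) { leaf = 0; break }
        if (!leaf) continue
        d = p
        sub("/[^/]*$", "", d)      # strip the last path component
        if (d == "") d = "/"       # a top-level entry lives in /
        print d
      }
    }' | LC_ALL=C sort -u
}

# tmpfs_stanza: render the write targets as a compose `tmpfs:` list, the
# form the issue uses for /ovpn/tmp and /ovpn/sock. Review the list by hand:
# anything that must survive a restart belongs in a volume instead, and an
# entry may be better handled by fixing the entrypoint than by making the
# directory writable.
tmpfs_stanza() {
  echo "tmpfs:"
  while IFS= read -r d; do
    echo "  - $d"
  done
}

# Usage against a running container instead of the sample:
#   docker diff openvpn-as | writable_dirs | tmpfs_stanza
printf '%s\n' "$SAMPLE_DIFF" | writable_dirs | tmpfs_stanza
```

For the sample above the script reports `/ovpn/sock`, `/ovpn/tmp`, `/run/openvpn_as/dev` and `/usr/local/openvpn_as`; the first two match the tmpfs entries in the issue, the last is the directory the stock entrypoint rewrites when it replaces `etc` with a symlink, which is why the issue patches the entrypoint rather than making that directory writable.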