I'm putting my first Docker image to production and can't find clear documentation on this question. I'm implementing the OWASP Docker Security Cheat Sheet, working on RULE #8 - Set filesystem and volumes to read-only.
My app is Ruby on Rails, so my requirements (as I understand them) are:
- I need /tmp to be writable
- /tmp is non-empty after `docker build`
So I want to...
```shell
docker run --read-only --tmpfs /application/tmp ...
```
I think this makes the container as a whole read-only and makes /tmp writeable (for the duration of the container) and includes the contents of /tmp from the image.
Have I got this correct?
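As an added illustration (not from the question or from the OWASP sheet), the same layout written as a Compose service for a Rails app installed under /application; the image name and the puma invocation are assumptions. One property worth knowing when relying on this: a tmpfs mount starts empty at every container start, so whatever `docker build` put into /application/tmp is hidden behind the mount and has to be recreated by the entrypoint.

```yaml
# Added example, not from the question: RULE #8 applied to a Rails service.
# Assumptions: the image is called my-rails-app, the app lives in /application,
# and the server is puma started from config/puma.rb.
services:
  web:
    image: my-rails-app:latest          # placeholder image name
    read_only: true                     # equivalent of `docker run --read-only`
    tmpfs:
      # Rails writes pids, caches and sockets here. The tmpfs is EMPTY on start:
      # files created under /application/tmp during `docker build` are not
      # visible behind the mount, so needed subdirectories are recreated below.
      - /application/tmp
    environment:
      # Log to stdout instead of /application/log, which is now read-only.
      # (Otherwise a named volume mounted at /application/log would be needed.)
      RAILS_LOG_TO_STDOUT: "1"
      RAILS_ENV: production
    command: >
      sh -c "mkdir -p /application/tmp/pids /application/tmp/cache /application/tmp/sockets
             && exec bundle exec puma -C config/puma.rb"
```

With this in place, any write attempt outside /application/tmp fails with a read-only filesystem error, which is exactly the signal to look for in the container's logs when checking that nothing else in the app still expects a writable path.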