[GH-ISSUE #384] Support read-only /app filesystem #145

Closed
opened 2026-02-27 08:15:31 +03:00 by kerem · 3 comments
Owner

Originally created by @RedlineTriad on GitHub (Nov 27, 2022).
Original GitHub issue: https://github.com/lldap/lldap/issues/384

I am unsure if this is feasible, but it would be nice to support read-only filesystems.
Currently, when starting lldap with a read-only filesystem, it will get to Setup permissions.. and then print a lot of chown errors:

[entrypoint] Copying the default config to /data/lldap_config.toml
[entrypoint] Edit this file to configure LLDAP.
> Setup permissions..
chown: /app: Read-only file system
chown: /app/app: Read-only file system
chown: /app/app/index.html: Read-only file system
...

The issue can be reproduced with the following docker-compose.yml file:

---
version: '3'

services:
  lldap:
    image: nitnelave/lldap:v0.4.1-alpine
    read_only: true
    ports:
      - 17170:17170
    volumes:
      - lldap-data:/data

volumes:
  lldap-data:

Read-only filesystems are very useful for security, reducing data loss when forgetting to mount data directories, and to reduce disk usage.
It would probably also be nice if it was the default in docker-compose examples.

kerem 2026-02-27 08:15:31 +03:00

@nitnelave commented on GitHub (Nov 27, 2022):

Right now, the main problem with a read-only /app folder is that the SQLite DB is in that folder... So we need to write to it.

If you want to set up a read-only folder for the config and the static assets, you can do that by:

  • Overriding the entrypoint to just start lldap run (potentially with a couple of options)
  • Moving the DB to a different folder (that will be read-write) and changing the config to point to that folder.

I think with those 2 things, it should be enough. The entrypoint just sets up things by default for new users, for easier set up.


@RedlineTriad commented on GitHub (Nov 27, 2022):

I don't think that is correct?
The SQLite DB is stored in /data not /app, since I mount that, it is not an issue.

/data # ls -l
total 156
-rw-r--r--    1 lldap    lldap         5146 Nov 27 18:45 lldap_config.toml
-r--------    1 lldap    lldap          128 Nov 27 18:45 private_key
-rw-r--r--    1 lldap    lldap         4096 Nov 27 18:45 users.db
-rw-r--r--    1 lldap    lldap        32768 Nov 27 18:45 users.db-shm
-rw-r--r--    1 lldap    lldap       103032 Nov 27 18:45 users.db-wal
/app # ls -l
total 39236
drwxr-xr-x    1 lldap    lldap         4096 Oct 10 16:00 app
-rwxr-xr-x    1 lldap    lldap     26407896 Oct 10 16:00 lldap
-rw-r--r--    1 lldap    lldap         5146 Oct 10 16:00 lldap_config.docker_template.toml
-rwxr-xr-x    1 lldap    lldap     13746856 Oct 10 16:00 migration-tool

@nitnelave commented on GitHub (Nov 27, 2022):

Oh, right. Then you just need to override the entrypoint when you start the
container, you don't need the script at all.

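Putting the two suggestions together (override the entrypoint so the chown step never runs, and keep all writable state under the mounted /data volume), the following docker-compose.yml starts the container with a read-only root filesystem. This is an added example, not configuration from the issue or from the lldap project. It assumes that /data/lldap_config.toml already exists (the stock entrypoint is what copies the template there, so it has to be created on an earlier non-read-only start or by hand), that the binary sits at /app/lldap as the listing above shows, and that `lldap run` accepts a `--config-file` flag, which is an assumption to confirm with `lldap run --help` on the image in use.

```yaml
---
version: '3'

services:
  lldap:
    image: nitnelave/lldap:v0.4.1-alpine
    # Root filesystem is immutable: a bug or a compromise of the process
    # cannot modify the binary or the static assets under /app.
    read_only: true
    # Bypass the stock entrypoint script (the "Setup permissions.." chown
    # pass that fails on a read-only /app) and launch the server directly.
    # The --config-file flag is an assumption; verify it with `lldap run --help`.
    entrypoint: ["/app/lldap", "run", "--config-file", "/data/lldap_config.toml"]
    ports:
      - 17170:17170
    volumes:
      # The only writable location: config, private_key and the SQLite
      # users.db (plus its -wal/-shm files) all live here.
      - lldap-data:/data
    tmpfs:
      # Scratch space for anything that expects a writable /tmp; it is
      # discarded with the container rather than persisted.
      - /tmp
    security_opt:
      # Optional hardening, not from the issue: block privilege escalation
      # via setuid binaries inside the container.
      - no-new-privileges:true

volumes:
  lldap-data:
```

Bring the service up once without `read_only: true` and without the `entrypoint:` override so the stock script populates /data, then switch to this file; if the process still logs a write failure, the path it names is what needs a volume or a tmpfs entry, not a writable root filesystem.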