Metabase docker container with read-only root filesystem

We're using the metabase/metabase docker image (currently v0.46.6.2) running in AWS ECS Fargate.

AWS Security Hub has a HIGH severity error triggered if you are running containers without a read-only root filesystem:

This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to ‘false’.

I have tried mounting the /tmp directory as an updateable volume, however it still fails.

If you try to run the docker container as read-only, it fails to run with the following errors:

  • addgroup: /etc/group: Read-only file system
  • adduser: unknown group metabase
  • mkdir: can't create directory '//metabase.db': Read-only file system
  • chmod: /app/metabase.jar: Read-only file system
  • su: unknown user metabase
  • addgroup: /etc/group: Read-only file system
  • adduser: unknown group metabase

Is there a recommended/suggested way for how this container can be run in read-only mode so it meets AWS best practice for securing the root filesystem?

Thanks!

Did you get a solution for this?

It looks like this is failing when running commands that Metabase executes on startup.

You mounted an external writable volume for the '/tmp' directory but I don't think that’s quite enough. The logs show that this is failing on other directories the startup script requires write access to (like '/etc/group'). You could try mounting these other directories to the writable volume but that could get a little messy.

A simpler approach would be to build your own container such that the entry point is just: ["java", "-jar", "metabase.jar"] instead of the current one that runs the shell script. This would bypass the filesystem changes made by the startup script (so you can still run Metabase without the extra hassle).
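As an added illustration of the approach described in that reply (not code from the thread or from the Metabase project): an ECS task definition can override the image's entry point directly, so the startup script that edits /etc/group and chmods the jar is never run and no custom image build is required. The fragment below is a constructed example and makes several assumptions: the jar lives at /app/metabase.jar (the path shown in the error output above), the writable /tmp volume is the one the original poster already mounts, the application database is an external Postgres rather than the default H2 file (which the script would otherwise try to create in the working directory, hence the '//metabase.db' error), and the MB_DB_TYPE, MB_DB_CONNECTION_URI and MB_PLUGINS_DIR settings behave as documented by Metabase. The numeric uid/gid and the cpu/memory values are placeholders.

```json
{
  "family": "metabase-readonly-example",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "1024",
  "memory": "2048",
  "volumes": [
    { "name": "tmp" }
  ],
  "containerDefinitions": [
    {
      "name": "metabase",
      "image": "metabase/metabase:v0.46.6.2",
      "essential": true,
      "readonlyRootFilesystem": true,
      "entryPoint": ["java"],
      "command": ["-Djava.io.tmpdir=/tmp", "-jar", "/app/metabase.jar"],
      "workingDirectory": "/app",
      "user": "2000:2000",
      "mountPoints": [
        { "sourceVolume": "tmp", "containerPath": "/tmp", "readOnly": false }
      ],
      "environment": [
        { "name": "MB_DB_TYPE", "value": "postgres" },
        { "name": "MB_DB_CONNECTION_URI", "value": "REPLACE_WITH_APP_DB_CONNECTION_URI" },
        { "name": "MB_PLUGINS_DIR", "value": "/tmp/plugins" }
      ],
      "portMappings": [
        { "containerPort": 3000, "protocol": "tcp" }
      ]
    }
  ]
}
```

A few points worth checking before relying on this. With the entry point overridden, nothing creates the metabase user, so the container would otherwise run as the image's default user; the numeric "user" field lets Docker run as an unprivileged uid without an /etc/passwd entry, but only if /app/metabase.jar is readable by that uid in the image you use (if it is not, the custom-image route from the reply above, fixing permissions at build time, is the fallback). Everything the JVM and Metabase need to write at runtime is pointed at the mounted /tmp volume (java.io.tmpdir and the plugins directory), which is what keeps readonlyRootFilesystem true viable and satisfies the Security Hub control. Put the real database URI in Secrets Manager or SSM and reference it via "secrets" rather than a plain "environment" entry.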