We're using the metabase/metabase docker image (currently v0.46.6.2) running in AWS ECS Fargate.
AWS Security Hub has a HIGH severity error triggered if you are running containers without a read-only root filesystem:
This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to ‘false’.
I have tried with mounting the /tmp directory as an updateable volume however it still fails.
If you try to run the docker container as read-only, it fails to run with the following errors:
addgroup: /etc/group: Read-only file systemadduser: unknown group metabasemkdir: can't create directory '//metabase.db': Read-only file systemchmod: /app/metabase.jar: Read-only file systemsu: unknown user metabaseaddgroup: /etc/group: Read-only file systemadduser: unknown group metabase
Is there a recommended/suggested way for how this container can be run in read-only mode so it meets AWS best practice for securing the root filesystem?
Thanks!