Metabase docker container with read-only root filesystem

We're using the metabase/metabase docker image (currently v0.46.6.2) running in AWS ECS Fargate.

AWS Security Hub has a HIGH severity error triggered if you are running containers without a read-only root filesystem:

This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to ‘false’.

I have tried mounting the /tmp directory as an updateable volume; however, it still fails.

If you try to run the docker container as read-only, it fails to run with the following errors:

  • addgroup: /etc/group: Read-only file system
  • adduser: unknown group metabase
  • mkdir: can't create directory '//metabase.db': Read-only file system
  • chmod: /app/metabase.jar: Read-only file system
  • su: unknown user metabase
  • addgroup: /etc/group: Read-only file system
  • adduser: unknown group metabase

Is there a recommended/suggested way to run this container in read-only mode so that it meets AWS best practice for securing the root filesystem?

Thanks!
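The Security Hub control quoted in the post is a property check on the task definition, so it can be reproduced and remediated locally before deploying. The following is an added example (not Metabase or AWS code) that audits a task definition the way the control does and rewrites a container to `readonlyRootFilesystem: true` with task-scoped ephemeral volumes for the paths that must stay writable. The task definition, the container name and the list of writable paths are constructed assumptions. Note the caveat visible in the error list above: the startup script writes to /etc/group, the root directory (metabase.db) and /app/metabase.jar, and an ephemeral volume mounted over those paths would hide the image's own files, so this helper only covers data and scratch directories; those startup writes need a different fix (for instance a derived image in which the user and permissions are created at build time).

```python
"""Audit and remediate ECS task definitions for the read-only root filesystem
control. Added example, not Metabase or AWS code; the sample task definition,
container name and writable paths below are constructed assumptions."""
import copy
import json

# Constructed sample: a Fargate task definition as the Security Hub control
# would evaluate it, with the Metabase container's root filesystem writable.
SAMPLE_TASK_DEF = {
    "family": "metabase",
    "requiresCompatibilities": ["FARGATE"],
    "volumes": [],
    "containerDefinitions": [
        {
            "name": "metabase",
            "image": "metabase/metabase:v0.46.6.2",
            "readonlyRootFilesystem": False,
            "mountPoints": [],
        }
    ],
}


def audit_task_definition(task_def):
    """Return one finding per container that fails the control.

    Mirrors the control text: a container fails when readonlyRootFilesystem
    is false. An absent key means the ECS default, which is writable, so it
    is treated as a failure too.
    """
    findings = []
    for container in task_def.get("containerDefinitions", []):
        if not container.get("readonlyRootFilesystem", False):
            findings.append(f"{container['name']}: readonlyRootFilesystem is not true")
    return findings


def make_root_readonly(task_def, container_name, writable_paths):
    """Return a copy of task_def in which the named container has a read-only
    root filesystem and each path in writable_paths is backed by a
    task-scoped ephemeral volume (a 'volumes' entry carrying only a name,
    which is the form Fargate accepts for scratch storage)."""
    new_def = copy.deepcopy(task_def)
    volumes = new_def.setdefault("volumes", [])
    for container in new_def["containerDefinitions"]:
        if container["name"] != container_name:
            continue
        container["readonlyRootFilesystem"] = True
        mounts = container.setdefault("mountPoints", [])
        for path in writable_paths:
            # Derive a stable volume name from the path, e.g. /tmp -> rw-tmp
            vol_name = "rw-" + path.strip("/").replace("/", "-")
            if not any(v["name"] == vol_name for v in volumes):
                volumes.append({"name": vol_name})
            mounts.append(
                {"sourceVolume": vol_name, "containerPath": path, "readOnly": False}
            )
    return new_def


def writable_mounts(task_def, container_name):
    """List the container paths that remain writable after remediation, so a
    reviewer can confirm the writable surface is limited to what was intended."""
    for container in task_def["containerDefinitions"]:
        if container["name"] == container_name:
            return sorted(
                m["containerPath"]
                for m in container.get("mountPoints", [])
                if not m.get("readOnly", False)
            )
    return []


if __name__ == "__main__":
    print("before:", audit_task_definition(SAMPLE_TASK_DEF))
    fixed = make_root_readonly(SAMPLE_TASK_DEF, "metabase", ["/tmp", "/metabase-data"])
    print("after: ", audit_task_definition(fixed))
    print("writable:", writable_mounts(fixed, "metabase"))
    print(json.dumps(fixed, indent=2))
```

Running the module prints the finding for the original definition, an empty finding list for the remediated copy, and the remediated JSON, which can be fed to `aws ecs register-task-definition --cli-input-json`. The original dictionary is left untouched so the before/after can be diffed.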