GitHub - SinTan1729/chhoto-url: A simple, blazingly fast, selfhosted URL shortener with no unnecessary features; written in Rust.
-
A simple selfhosted URL shortener with no unnecessary features. Simplicity and speed are the main foci of this project. The docker image is ~6 MB (compressed), and it uses <5 MB of RAM under regular use.
-
A simple selfhosted URL shortener with no unnecessary features. Simplicity and speed are the main foci of this project. The docker image is ~6 MB (compressed), and it uses <5 MB of RAM under regular use.
Looks awesome and very efficient, does it also run with
read_only: true(with a db volume provided, of course!)? Many containers just need a /tmp, but not always -
Looks awesome and very efficient, does it also run with
read_only: true(with a db volume provided, of course!)? Many containers just need a /tmp, but not alwaysThanks. I had never tested this before. Seems like it throws errors. Of course, adding and deleting links don't work. But that's to be expected. But also link resolution fails since it cannot update the hit count properly. If this is a legitimate use case for you, I might work on making it work.
-
Thanks. I had never tested this before. Seems like it throws errors. Of course, adding and deleting links don't work. But that's to be expected. But also link resolution fails since it cannot update the hit count properly. If this is a legitimate use case for you, I might work on making it work.
I try to slap anything I’d face the Internet with with the read_only to further restrict exploit possibilities, would be abs great if you could make it work! I just follow all reqs on the security cheat sheet, with
read_onlybeing one of them: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.htmlWith how simple it is I guessed that running as a
userand restrictingcap_drop: allwouldn’t be a problem.For
read_onlymany containers just needtmpfs: /tmpin addition to the volume for the db. I think many containers just try to contain temporary file writing to one directory to make applyingread_onlyeasier.So again, I’d abs use it with
read_onlywhen you get the time to tune it!! -
I try to slap anything I’d face the Internet with with the read_only to further restrict exploit possibilities, would be abs great if you could make it work! I just follow all reqs on the security cheat sheet, with
read_onlybeing one of them: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.htmlWith how simple it is I guessed that running as a
userand restrictingcap_drop: allwouldn’t be a problem.For
read_onlymany containers just needtmpfs: /tmpin addition to the volume for the db. I think many containers just try to contain temporary file writing to one directory to make applyingread_onlyeasier.So again, I’d abs use it with
read_onlywhen you get the time to tune it!!Upon further testing, this does actually work. You may set both
read_only: true, andcap_drop: alland it will work as long as you have a named volume. I had it mount a database file from the host system for my test config, which is why I was getting the errors. I don't know how to make that work though i.e. when the db is bind mounted from the host system. Setting the mount:rwdoesn't seem to fix it. -
Upon further testing, this does actually work. You may set both
read_only: true, andcap_drop: alland it will work as long as you have a named volume. I had it mount a database file from the host system for my test config, which is why I was getting the errors. I don't know how to make that work though i.e. when the db is bind mounted from the host system. Setting the mount:rwdoesn't seem to fix it.Odd, I’ll try to deploy this when I can and see!
I’ve never had a problem with a volume being on the host system, except with user permissions messed up. But if you haven’t given it a user parameter it’s running as root and shouldn’t have a problem. So I’ll see sometime and get back to you!
-
Odd, I’ll try to deploy this when I can and see!
I’ve never had a problem with a volume being on the host system, except with user permissions messed up. But if you haven’t given it a user parameter it’s running as root and shouldn’t have a problem. So I’ll see sometime and get back to you!
It was just a matter of setting the correct user. In most cases,
user: 1000:1000should fix it.
