You can use Grafana Cloud to avoid installing, maintaining, and scaling your own instance of Grafana. Create a free account to get started, which includes free forever access to 10k metrics, 50GB logs, 50GB traces, & more.

You can install and run Grafana using the official Docker images.

Grafana Enterprise: grafana/grafana-enterprise

Each edition is available in two variants: Alpine and Ubuntu.

For documentation regarding the configuration of a Docker image, refer to configure a Grafana Docker image. This topic also contains important information about migrating from earlier Docker image versions. See below.

Grafana Open Source edition: grafana/grafana-oss:
Grafana Enterprise edition: grafana/grafana-enterprise:

The default images are based on the popular Alpine Linux project, available in the Alpine official image. Alpine Linux is much smaller than most distribution base images, and thus leads to slimmer and more secure images.

The Alpine variant is highly recommended when security and the smallest possible final image size are desired. The main caveat is that it uses musl libc instead of glibc and friends, so certain software might run into issues depending on the depth of its libc requirements. However, most software doesn't have an issue with this, so this variant is usually a very safe choice.

Note: Grafana Docker images were based on Ubuntu prior to version 6.4.0.

Grafana Open Source edition: grafana/grafana-oss:-ubuntu
Grafana Enterprise edition: grafana/grafana-enterprise:-ubuntu

These images are based on Ubuntu, available in the Ubuntu official image. It is an alternative image for those who prefer an Ubuntu-based image and/or are dependent on certain tooling not available for Alpine.

STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: : All Docker Enterprise containers root filesystem must be mounted as read only.

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Add a --read-only flag at a container's runtime to enforce the container's root filesystem to be mounted as read only.

Enabling the --read-only option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during the container's runtime.

Examples of explicit storage locations during a container's runtime include, but are not limited to:

1. Use the --tmpfs option to mount a temporary file system for non-persistent data writes.

docker run --interactive --tty --read-only --tmpfs "/run" --tmpfs "/tmp"

2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem.

docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw

3. Utilizing Docker shared-storage volume plugins for Docker data volume to persist container data.

docker volume create -d convoy --opt o=size=20GB my-named-volume
docker run --interactive --tty --read-only -v my-named-volume:/run/app/data

Check Contents

Ensure all containers' root filesystem is mounted as read only.

This check should be executed on all nodes in a Docker Enterprise cluster.

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs -L 1 docker inspect --format ''

If ReadonlyRootfs=false, it means the container's root filesystem is writable and this is a finding.
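One way to automate the ReadonlyRootfs check from the STIG text, as an added example that is not part of the STIG or of Docker's tooling. It assumes the input is a single JSON array as printed by `docker inspect` without a format option; the container names, mounts and function names are constructed for illustration.

```python
import json

# Constructed sample of `docker inspect` JSON output (not real containers).
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1", "Name": "/web",
     "HostConfig": {"ReadonlyRootfs": True, "Tmpfs": {"/run": "", "/tmp": ""}},
     "Mounts": [{"Type": "bind", "Source": "/opt/app/data",
                 "Destination": "/run/app/data", "RW": True}]},
    {"Id": "b2", "Name": "/legacy",
     "HostConfig": {"ReadonlyRootfs": False},
     "Mounts": []},
    {"Id": "c3", "Name": "/nohostconfig"},
])


def audit_readonly_rootfs(inspect_json):
    """Return one record per container: finding status plus explicit writable paths."""
    results = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig") or {}
        # Only an explicit true passes; a missing field is treated as a finding.
        read_only = host.get("ReadonlyRootfs") is True
        # Explicit storage locations: tmpfs mounts plus read-write volumes/binds.
        tmpfs_paths = list((host.get("Tmpfs") or {}).keys())
        rw_mounts = [m["Destination"] for m in c.get("Mounts") or [] if m.get("RW")]
        results.append({
            "name": c.get("Name", "").lstrip("/") or c.get("Id", "?"),
            "finding": not read_only,
            "writable_paths": sorted(set(tmpfs_paths + rw_mounts)),
        })
    return results


def findings(inspect_json):
    """Names of containers whose root filesystem is writable."""
    return [r["name"] for r in audit_readonly_rootfs(inspect_json) if r["finding"]]


if __name__ == "__main__":
    for r in audit_readonly_rootfs(SAMPLE_INSPECT):
        status = "FINDING" if r["finding"] else "ok"
        paths = ", ".join(r["writable_paths"]) or "-"
        print(f"{r['name']}: {status}; explicit writable paths: {paths}")
```

Listing the explicit writable paths next to each result lets a reviewer confirm that a read-only container writes only to the tmpfs and volume locations the STIG describes.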