From a40a504f941d42aae66a2b6ad750c7a50397c818 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Thu, 31 Aug 2023 21:23:51 -0400
Subject: [PATCH] Switch to using read-only root in docker containers.
---
 Makefile | 4 ++--
 docker/cargo_fmt/Makefile | 4 ++--
 docker/organic_build/Makefile | 4 ++--
 docker/organic_test/Makefile | 4 ++--
 scripts/run_docker_compare.bash | 3 ++-
 scripts/run_docker_integration_test.bash | 4 ++--
 scripts/run_integration_test.bash | 2 +-
 7 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/Makefile b/Makefile
index 0f6eee1..d8a2b07 100644
--- a/Makefile
+++ b/Makefile
@@ -40,7 +40,7 @@ test:
 .PHONY: dockertest
 dockertest:
 > $(MAKE) -C docker/organic_test
-> docker run --init --rm -i -t -v "$$(readlink -f ./):/source:ro" --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target -w /source organic-test --no-default-features --features compare --no-fail-fast --lib --test test_loader -- --test-threads $(TESTJOBS)
+> docker run --init --rm -i -t --read-only -v "$$(readlink -f ./):/source:ro" --mount type=tmpfs,destination=/tmp --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target -w /source organic-test --no-default-features --features compare --no-fail-fast --lib --test test_loader -- --test-threads $(TESTJOBS)
 .PHONY: dockerclean
 dockerclean:
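Review bot: The tmpfs added for /tmp on the new `dockertest` recipe carries no size bound, and Docker does not cap a `type=tmpfs` mount unless `tmpfs-size` is given, so now that the root filesystem is read-only a test that writes heavily to /tmp can grow the mount until host memory is the only limit; unless unbounded is deliberate, cap it, e.g. `--mount type=tmpfs,destination=/tmp,tmpfs-size=512m` (value illustrative). The same unbounded mount is added in docker/cargo_fmt/Makefile, docker/organic_build/Makefile, docker/organic_test/Makefile, scripts/run_docker_compare.bash and scripts/run_docker_integration_test.bash. It is also worth confirming that cargo writes only under the two named volumes and /tmp: anything it tries to create elsewhere under CARGO_HOME will now fail on the read-only root rather than silently succeed as before.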
@@ -60,7 +60,7 @@ jaeger:
 # 4317 for OTLP gRPC, 4318 for OTLP HTTP. We currently use gRPC but I forward both ports regardless.
 #
 # These flags didn't help even though they seem like they would: --collector.queue-size=20000 --collector.num-workers=100
-> docker run -d --rm --name organicdocker -p 4317:4317 -p 4318:4318 -p 16686:16686 -e COLLECTOR_OTLP_ENABLED=true jaegertracing/all-in-one:1.47 --collector.grpc-server.max-message-size=20000000 --collector.otlp.grpc.max-message-size=20000000
+> docker run -d --rm --name organicdocker --read-only -p 4317:4317 -p 4318:4318 -p 16686:16686 -e COLLECTOR_OTLP_ENABLED=true jaegertracing/all-in-one:1.47 --collector.grpc-server.max-message-size=20000000 --collector.otlp.grpc.max-message-size=20000000
 .PHONY: jaegerweb
 jaegerweb:
diff --git a/docker/cargo_fmt/Makefile b/docker/cargo_fmt/Makefile
index 68bb409..8d50935 100644
--- a/docker/cargo_fmt/Makefile
+++ b/docker/cargo_fmt/Makefile
@@ -29,8 +29,8 @@ endif
 # NOTE: This target will write to folders underneath the git-root
 .PHONY: run
 run: build
- docker run --rm --init -v "$$(readlink -f ../../):/source" --workdir=/source $(IMAGE_NAME)
+ docker run --rm --init --read-only --mount type=tmpfs,destination=/tmp -v "$$(readlink -f ../../):/source" --workdir=/source $(IMAGE_NAME)
 .PHONY: shell
 shell: build
- docker run --rm -i -t --entrypoint /bin/sh -v "$$(readlink -f ../../):/source" --workdir=/source $(IMAGE_NAME)
+ docker run --rm -i -t --entrypoint /bin/sh --mount type=tmpfs,destination=/tmp -v "$$(readlink -f ../../):/source" --workdir=/source $(IMAGE_NAME)
diff --git a/docker/organic_build/Makefile b/docker/organic_build/Makefile
index 80bcb9c..c933de6 100644
--- a/docker/organic_build/Makefile
+++ b/docker/organic_build/Makefile
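Review bot: The `jaeger` recipe gets `--read-only` but, unlike every other container hardened in this commit, no tmpfs for /tmp, so any scratch file the all-in-one image tries to write will now fail at runtime instead of at build time. If the in-memory default of that image genuinely needs no writable path, a comment on the recipe saying so (`# read-only root is safe here: all-in-one keeps spans in memory and writes nothing to disk`) would spare the next reader from re-checking; otherwise add `--mount type=tmpfs,destination=/tmp` as the other hunks do. The jaeger target's header and earlier recipe lines are outside the hunk.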
@@ -30,8 +30,8 @@ endif
 # NOTE: This target will write to folders underneath the git-root
 .PHONY: run
 run: build
- docker run --rm --init -v "$$(readlink -f ../../):/source" --workdir=/source --mount source=cargo-cache,target=/usr/local/cargo/registry $(IMAGE_NAME)
+ docker run --rm --init --read-only --mount type=tmpfs,destination=/tmp -v "$$(readlink -f ../../):/source" --workdir=/source --mount source=cargo-cache,target=/usr/local/cargo/registry $(IMAGE_NAME)
 .PHONY: shell
 shell: build
- docker run --rm -i -t --entrypoint /bin/sh -v "$$(readlink -f ../../):/source" --workdir=/source --mount source=cargo-cache,target=/usr/local/cargo/registry $(IMAGE_NAME)
+ docker run --rm -i -t --entrypoint /bin/sh --mount type=tmpfs,destination=/tmp -v "$$(readlink -f ../../):/source" --workdir=/source --mount source=cargo-cache,target=/usr/local/cargo/registry $(IMAGE_NAME)
diff --git a/docker/organic_test/Makefile b/docker/organic_test/Makefile
index 568679b..f8133ad 100644
--- a/docker/organic_test/Makefile
+++ b/docker/organic_test/Makefile
@@ -29,8 +29,8 @@ endif
 .PHONY: run
 run: build
- docker run --rm --init -v "$$(readlink -f ../../):/source:ro" --workdir=/source --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target $(IMAGE_NAME) --no-default-features --features compare --no-fail-fast --lib --test test_loader
+ docker run --rm --init --read-only --mount type=tmpfs,destination=/tmp -v "$$(readlink -f ../../):/source:ro" --workdir=/source --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target $(IMAGE_NAME) --no-default-features --features compare --no-fail-fast --lib --test test_loader
 .PHONY: shell
 shell: build
- docker run --rm -i -t --entrypoint /bin/sh -v "$$(readlink -f ../../):/source:ro" --workdir=/source --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target $(IMAGE_NAME)
+ docker run --rm -i -t --entrypoint /bin/sh --mount type=tmpfs,destination=/tmp -v "$$(readlink -f ../../):/source:ro" --workdir=/source --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target $(IMAGE_NAME)
diff --git a/scripts/run_docker_compare.bash b/scripts/run_docker_compare.bash
index 5a785c1..30cdb92 100755
--- a/scripts/run_docker_compare.bash
+++ b/scripts/run_docker_compare.bash
@@ -41,6 +41,7 @@ function launch_container {
 if [ "$SHELL" != "YES" ]; then
 local features_joined=$(IFS=","; echo "${features[*]}")
 additional_args+=(cargo run --no-default-features --features "$features_joined")
+ additional_flags+=(--read-only)
 else
 additional_args+=(/bin/sh)
 additional_flags+=(-t)
@@ -50,7 +51,7 @@ function launch_container {
 additional_flags+=(--env RUST_BACKTRACE=full)
 fi
- docker run "${additional_flags[@]}" --init --rm -i -v "$($REALPATH ./):/source:ro" --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target -w /source --entrypoint "" organic-test "${additional_args[@]}"
+ docker run "${additional_flags[@]}" --init --rm -i --mount type=tmpfs,destination=/tmp -v "$($REALPATH ./):/source:ro" --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target -w /source --entrypoint "" organic-test "${additional_args[@]}"
 }
 main "${@}"
diff --git a/scripts/run_docker_integration_test.bash b/scripts/run_docker_integration_test.bash
index 9fcea50..5ba5a37 100755
--- a/scripts/run_docker_integration_test.bash
+++ b/scripts/run_docker_integration_test.bash
@@ -33,7 +33,7 @@ function get_test_names {
 local test_file_full_path=$($REALPATH "$test_file")
 local relative_to_samples=$($REALPATH --relative-to "$samples_dir" "$test_file_full_path")
 local without_extension="${relative_to_samples%.org}"
- echo "${without_extension/\//_}" | tr '[:upper:]' '[:lower:]'
+ echo "autogen_${without_extension//\//_}" | tr '[:upper:]' '[:lower:]'
 else
 echo "$test_file" | tr '[:upper:]' '[:lower:]'
 fi
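Review bot: The edit to `get_test_names` in scripts/run_docker_integration_test.bash — making the `/`→`_` substitution global with `//` and prepending `autogen_` — is unrelated to the read-only root change the subject describes and is not mentioned in the description. The sibling hunk in scripts/run_integration_test.bash makes the same `//` change but does not add the prefix, so the two scripts now derive different test names from the same sample path; if that is intentional because the docker path matches generated test names, a comment above the echo such as `# docker runs select the generated tests, which carry an autogen_ prefix` would record it, otherwise the two functions should agree. The body of get_test_names begins before the hunk.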
@@ -56,7 +56,7 @@ cargo test --no-default-features --features compare --no-fail-fast --lib --test
 EOF
 )
- docker run "${additional_flags[@]}" --init --rm -v "$($REALPATH ./):/source:ro" --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target -w /source --entrypoint "" organic-test sh -c "$init_script"
+ docker run "${additional_flags[@]}" --init --rm --read-only --mount type=tmpfs,destination=/tmp -v "$($REALPATH ./):/source:ro" --mount source=cargo-cache,target=/usr/local/cargo/registry --mount source=rust-cache,target=/target --env CARGO_TARGET_DIR=/target -w /source --entrypoint "" organic-test sh -c "$init_script"
 }
diff --git a/scripts/run_integration_test.bash b/scripts/run_integration_test.bash
index 752eba0..32da81d 100755
--- a/scripts/run_integration_test.bash
+++ b/scripts/run_integration_test.bash
@@ -25,7 +25,7 @@ function get_test_names {
 local test_file_full_path=$($REALPATH "$test_file")
 local relative_to_samples=$($REALPATH --relative-to "$samples_dir" "$test_file_full_path")
 local without_extension="${relative_to_samples%.org}"
- echo "${without_extension/\//_}" | tr '[:upper:]' '[:lower:]'
+ echo "${without_extension//\//_}" | tr '[:upper:]' '[:lower:]'
 else
 echo "$test_file" | tr '[:upper:]' '[:lower:]'
 fi