What is the enhancement proposal? What problem are you trying to solve?
Description
Use Cases
- Organizations requiring BSI compliance
Technical Implementation
From what I see, worker_wrapper must access the Docker daemon to spawn QGIS containers for job processing. This cannot be done without root or a major architectural redesign. But BSI SYS.1.6.A17 allows exceptions for operational necessity if privileges are minimized, which would be met with a minimal change in docker-compose.yml:
```yaml
worker_wrapper:
  user: root
  cap_drop:
    - ALL                      # Remove all Linux capabilities
  security_opt:
    - no-new-privileges:true   # Prevent privilege escalation attacks
  read_only: true              # Read-only root filesystem
  tmpfs:
    - /run:rw,noexec,nosuid,size=512m   # Temporary files (can't execute binaries)
  volumes:
    # ... existing mounts for /tmp, /app, etc.
```
All tests pass in my fork. But of course this needs to be tested carefully before being used in production.
Find a nice overview regarding Docker privilege settings here.
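As an added check that is not part of the original issue or the project's own code, the script below verifies from inside a running container whether the four compose settings above actually took effect, using the kernel's own view of the process: capability masks and NoNewPrivs from /proc/self/status, the /run mount options from /proc/self/mounts, and whether / rejects writes. It assumes a Linux host with /proc mounted; the parsing functions also work on captured text, so they can be exercised with constructed input.

```python
"""Verify from inside the container that the compose hardening above took effect.
Added example, not part of the original issue: it reads the kernel's own view of the
process (capability masks and NoNewPrivs in /proc/self/status, /run options in
/proc/self/mounts) and checks whether / rejects writes."""
import os

def parse_status(text):
    """Extract the capability masks (hex) and NoNewPrivs flag from /proc/<pid>/status."""
    out = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key in ("CapEff", "CapBnd"):
            out[key] = int(val.strip(), 16)
        elif key == "NoNewPrivs":
            out[key] = int(val.strip())
    return out

def mount_options(mounts_text, mountpoint):
    """Return the option set for mountpoint from /proc/self/mounts text, or None."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None

def evaluate(status_text, mounts_text, root_writable):
    """Map each compose setting from the issue to pass/fail based on what the kernel reports."""
    st = parse_status(status_text)
    run_opts = mount_options(mounts_text, "/run") or set()
    return {
        "cap_drop ALL": st.get("CapEff", -1) == 0 and st.get("CapBnd", -1) == 0,
        "no-new-privileges": st.get("NoNewPrivs") == 1,
        "read_only root": not root_writable,
        "tmpfs /run noexec,nosuid": {"noexec", "nosuid"} <= run_opts,
    }

def check_live():
    """Run the checks against the current process (run this inside worker_wrapper)."""
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/self/mounts") as f:
        mounts = f.read()
    # access(2) reports EROFS for a read-only filesystem even for uid 0
    return evaluate(status, mounts, os.access("/", os.W_OK))

if __name__ == "__main__":
    for name, ok in check_live().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Every line should report PASS when run as root inside the hardened worker_wrapper; a FAIL on "cap_drop ALL" while still running as uid 0 is the case BSI SYS.1.6.A17 is meant to exclude.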
Agreements
Additional context
No response