From c80fbd77c8d92bdef24971d188358ba6078412e8 Mon Sep 17 00:00:00 2001 From: Stefan Agner Date: Thu, 22 May 2025 17:30:42 +0200 Subject: [PATCH] Use s6-overlay read-only mode by default (#5906) To avoid accidental writes to the Supervisor root filesystem, we might use the Docker read-only mode at one point. This is not yet the default, but using s6-overlay with the read-only flag seems not to have any downsides. So enable this by default. To start Supervisor with read-only root file system the following arguments have to be used: `--read-only --tmpfs /run:exec`. --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 4bab71774..f8f101990 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,6 +2,7 @@ ARG BUILD_FROM FROM ${BUILD_FROM} ENV \ + S6_READ_ONLY_ROOT=1 \ S6_SERVICES_GRACETIME=10000 \ SUPERVISOR_API=http://localhost \ CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 \
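Review bot: The new `S6_READ_ONLY_ROOT=1 \` entry in the `ENV` block goes in without a comment, and the only record of why it is set and what it depends on is the commit message. Since the message says Docker read-only mode is not yet the default and needs `--read-only --tmpfs /run:exec` on the container, a short comment above `ENV` (or a note in the docs) stating that would keep a later reader from assuming this line alone makes the root filesystem read-only. The diff also touches only the Dockerfile, so nothing here exercises a start with those arguments; a CI job that starts the image that way would back up the "seems not to have any downsides" claim.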