MRIQC security (?) recommendations

mriqc
docker
#1

Docker newbie here, apologies in advance if I’m way off course; I couldn’t find anything on the forums for this topic though.

I’m aiming to run MRIQC, but while reading the documentation at: https://mriqc.readthedocs.io/en/stable/docker.html
there is the following statement which seems to appear out-of-the-blue, referencing security concerns (of my data?, of my computer?, of hackers?) and recommending various flags which are not subsequently explained anywhere else:

“For security reasons, we recommend to run the docker command with the options --read-only --tmpfs /run --tmpfs /tmp. This will run the docker image in read-only mode, and map the temporary folders /run and /tmp to the temporal folder of the host.”

Looking for advice and any further explanation of (1) whether I should be using these flags, (2) how to run them, if so, and (3) what security vulnerabilities this is referencing. Thanks very much in advance for your help!

#2

Hi @Acinonyx,

I honestly can’t recall why this is currently recommended in the documentation. I’ll remove the warning asap.

Running a container with --read-only is recommended in production systems where we know we don’t want the container to overwrite anything. However, I honestly think it doesn’t make any big difference if you are running it on your PC. Some shared systems may enforce readonly containers, but it is not as standard.

Regarding --tmpfs I believe it can even be detrimental. That is going to map folders from the container directly to memory. Since MRIQC is already pretty memory-demanding, I wouldn’t recommend their use. Additionally, --tmpfs has been deprecated in favor of --mount.

Thanks for pointing this out.
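One way to see what the flags discussed above did to a given container, as an added example that is not part of the original posts or of the MRIQC documentation: it reads `docker inspect` output and reports whether the root filesystem is read-only, whether each tmpfs mount has a size cap, and which bind mounts can write to the host. The container name, host paths and the JSON itself are constructed sample input; the function names are hypothetical.

```python
import json

# Constructed sample: trimmed `docker inspect` output for a container started with
# --read-only --tmpfs /run --tmpfs /tmp:rw,size=512m and two bind mounts.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/mriqc-run",
  "HostConfig": {
    "ReadonlyRootfs": true,
    "Tmpfs": {"/run": "", "/tmp": "rw,size=512m"}
  },
  "Mounts": [
    {"Type": "bind", "Source": "/home/user/bids", "Destination": "/data", "RW": false},
    {"Type": "bind", "Source": "/home/user/out", "Destination": "/out", "RW": true}
  ]
}]
""")


def tmpfs_size(options):
    """Return the size= value from a tmpfs option string, or None if uncapped."""
    for opt in options.split(","):
        if opt.startswith("size="):
            return opt[len("size="):]
    return None


def audit(container):
    """List where the container can write and where those writes land."""
    host = container.get("HostConfig", {})
    findings = []
    if not host.get("ReadonlyRootfs", False):
        findings.append("root filesystem is writable (no --read-only)")
    for path, opts in sorted((host.get("Tmpfs") or {}).items()):
        size = tmpfs_size(opts)
        if size is None:
            findings.append(f"tmpfs {path} has no size= cap; writes are held in memory")
        else:
            findings.append(f"tmpfs {path} capped at {size}")
    for m in container.get("Mounts", []):
        if m.get("Type") == "bind" and m.get("RW"):
            findings.append(f"bind mount {m['Destination']} is writable on the host")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INSPECT[0]):
        print(line)
```

On a real host, feed it the parsed output of `docker inspect <container>` instead of the sample.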

#3

Thanks very much for the clarification!

#4

sudo + MRIQC command worked for me