Feature Request
Resolution: Unresolved
Major
sat-rocket
Problem Statement
Currently, not all quadlet .container files explicitly declare their mount option as rw or ro.
Some compliance frameworks require these to be set explicitly (e.g. BSI SYS 1.6 A19).
As the following list shows, iop-core-kafka and iop-service-vmaas do not explicitly define their mount options.
cat iop-* | grep Volume
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = iop-core-kafka-data:/var/lib/kafka/data
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = iop-service-vmaas-data:/data
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = /var/run/postgresql:/var/run/postgresql:rw
User Experience & Workflow
No changes.
Requirements
[MVP] All mounts explicitly declare their mount options.
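One way to check this requirement automatically, as an added example (not code from the project): a scanner that flags every Volume= entry in quadlet .container files whose options field does not state rw or ro. The function names, the assumed value shape [SOURCE:]DEST[:OPTIONS] and the sample (which reuses lines from the listing plus one constructed multi-option line) are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# "Volume = ..." with optional whitespace around "=", as in the listing above.
VOLUME_RE = re.compile(r"^\s*Volume\s*=\s*(\S.*?)\s*$")

def volume_access_mode(value):
    """Return 'rw'/'ro' if stated in [SOURCE:]DEST[:OPTIONS] (assumed shape), else None."""
    parts = value.split(":")
    if len(parts) < 3:
        return None  # no options field, so the access mode is only implicit
    opts = [o.strip() for o in parts[-1].split(",")]
    return next((o for o in opts if o in ("rw", "ro")), None)

def audit_text(text, name="<inline>"):
    """Return (name, line_no, value) per Volume= entry without explicit rw/ro."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = VOLUME_RE.match(line)  # anchored, so commented-out lines never match
        if m and volume_access_mode(m.group(1)) is None:
            findings.append((name, line_no, m.group(1)))
    return findings

def audit_dir(directory):
    """Audit every *.container file in a caller-supplied directory."""
    findings = []
    for path in sorted(Path(directory).glob("*.container")):
        findings.extend(audit_text(path.read_text(), path.name))
    return findings

# Constructed sample: Volume= lines from the listing plus a multi-option case.
SAMPLE = """\
[Container]
Volume = /var/run/postgresql:/var/run/postgresql:rw
Volume = iop-core-kafka-data:/var/lib/kafka/data
Volume = iop-service-vmaas-data:/data
Volume = /etc/example:/etc/example:Z,ro
# Volume = commented-out:/ignored
"""

if __name__ == "__main__":
    results = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_text(SAMPLE)
    for name, line_no, value in results:
        print(f"{name}:{line_no}: Volume={value} has no explicit rw/ro")
    sys.exit(1 if results else 0)
```

Run with a directory argument, the script exits non-zero when any mount lacks an explicit access mode, so it can gate a CI job or a compliance scan.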
Business Impact
Failure to meet compliance regulation makes the infrastructure ineligible for high-security deployments, government or regulated financial processing.
Depends on: SAT-42494 Set volume mount permissions explicitly in quadlet .container files (In Progress)