harden docker-compose.yml (#760)
`user: nobody`: the least privileged account. `read_only: true`: this container doesn't write anything to the filesystem, this removes a vector. `security_opt`: disallows the container to grab more privileges. `cap_drop`: this container doesn't need any capabilities, drop them. `networks`: put `libreddit` into its own network so it cannot see other containers by default.
This commit is contained in:
parent
6bcc4aa368
commit
e25622dac2
1 changed files with 11 additions and 0 deletions
|
@ -7,7 +7,18 @@ services:
|
||||||
container_name: "libreddit"
|
container_name: "libreddit"
|
||||||
ports:
|
ports:
|
||||||
- 8080:8080
|
- 8080:8080
|
||||||
|
user: nobody
|
||||||
|
read_only: true
|
||||||
|
security_opt:
|
||||||
|
- no-new-privileges:true
|
||||||
|
cap_drop:
|
||||||
|
- ALL
|
||||||
|
networks:
|
||||||
|
- libreddit
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
|
test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
|
||||||
interval: 5m
|
interval: 5m
|
||||||
timeout: 3s
|
timeout: 3s
|
||||||
|
|
||||||
|
networks:
|
||||||
|
libreddit:
|
||||||
|
|
Loading…
Reference in a new issue