beenull/libreddit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

harden docker-compose.yml (#760)

Browse source 
`user: nobody`: the least privileged account.
`read_only: true`: this container doesn't write anything to the filesystem, this removes a vector.
`security_opt`: disallows the container to grab more privileges.
`cap_drop`: this container doesn't need any capabilities, drop them.
`networks`: put `libreddit` into its own network so it cannot see other containers by default.
This commit is contained in:
kuanhulio 2023-03-17 12:17:01 -04:00 committed by GitHub
parent 6bcc4aa368
commit e25622dac2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
docker-compose.yml
View file

@ -7,7 +7,18 @@ services:
container_name: "libreddit"
ports:
- 8080:8080
user: nobody
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
networks:
- libreddit
healthcheck:
test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
interval: 5m
timeout: 3s
networks:
libreddit: