feat: harden security on docker compose examples
Signed-off-by: rare-magma <rare-magma@posteo.eu>
This commit is contained in:
parent
2f8f01b6d3
commit
a14774e33a
|
@ -17,9 +17,21 @@ services:
|
||||||
mariadb:
|
mariadb:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
## Security options for some restricted systems
|
## Security options for some restricted systems
|
||||||
|
read_only: true
|
||||||
|
cap_drop:
|
||||||
|
- ALL
|
||||||
security_opt:
|
security_opt:
|
||||||
- seccomp:unconfined
|
- no-new-privileges:true
|
||||||
- apparmor:unconfined
|
# not necessary since Docker Engine v20
|
||||||
|
# - seccomp:unconfined
|
||||||
|
# - apparmor:unconfined
|
||||||
|
## Uncomment to enforce resource usage limits
|
||||||
|
# deploy:
|
||||||
|
# resources:
|
||||||
|
# limits:
|
||||||
|
# cpus: "4"
|
||||||
|
# memory: 4g
|
||||||
|
# pids: 1024
|
||||||
environment:
|
environment:
|
||||||
PHOTOVIEW_DATABASE_DRIVER: ${PHOTOVIEW_DATABASE_DRIVER}
|
PHOTOVIEW_DATABASE_DRIVER: ${PHOTOVIEW_DATABASE_DRIVER}
|
||||||
## Comment out the next variable in the case PHOTOVIEW_DATABASE_DRIVER is set to `sqlite` or `postgres` in the .env
|
## Comment out the next variable in the case PHOTOVIEW_DATABASE_DRIVER is set to `sqlite` or `postgres` in the .env
|
||||||
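Review bot: The new comment `# not necessary since Docker Engine v20` under `security_opt` does not say what is unnecessary or why, so a reader on an older engine cannot tell whether to uncomment the two lines below it, and the `## Security options for some restricted systems` heading now sits above `read_only`, `cap_drop` and `no-new-privileges`, which are general hardening rather than a compatibility workaround. I would reword the comment to something like `# seccomp/apparmor:unconfined were a workaround for older engines whose default seccomp profile blocked newer syscalls; Docker 20.10+ returns ENOSYS for unknown syscalls instead, so only uncomment on old hosts - it disables syscall filtering entirely` and move the "restricted systems" heading down to those two commented lines. `read_only: true` also needs a writable location for anything the service writes at runtime (cache, temp files); the volumes section is outside this hunk, so if it does not cover those paths a `tmpfs:` entry such as `- /tmp` belongs next to `read_only`. The photoview service block continues outside the hunk.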
|
@ -104,11 +116,26 @@ services:
|
||||||
container_name: photoview-mariadb
|
container_name: photoview-mariadb
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
stop_grace_period: 5s
|
stop_grace_period: 5s
|
||||||
|
user: "999:999"
|
||||||
## Optimized MariaDB startup command for better performance and compatibility
|
## Optimized MariaDB startup command for better performance and compatibility
|
||||||
command: mariadbd --innodb-buffer-pool-size=512M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
|
command: mariadbd --innodb-buffer-pool-size=512M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
|
||||||
security_opt: ## see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239
|
|
||||||
- seccomp:unconfined
|
## Security options for some restricted systems
|
||||||
- apparmor:unconfined
|
cap_drop:
|
||||||
|
- ALL
|
||||||
|
security_opt:
|
||||||
|
- no-new-privileges:true
|
||||||
|
# not necessary since Docker Engine v20 see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239
|
||||||
|
# - seccomp:unconfined
|
||||||
|
# - apparmor:unconfined
|
||||||
|
|
||||||
|
## Uncomment to enforce resource usage limits
|
||||||
|
# deploy:
|
||||||
|
# resources:
|
||||||
|
# limits:
|
||||||
|
# cpus: "4"
|
||||||
|
# memory: 1g
|
||||||
|
# pids: 1024
|
||||||
## Uncomment next 2 lines if you want to access the database directly
|
## Uncomment next 2 lines if you want to access the database directly
|
||||||
# ports:
|
# ports:
|
||||||
# - "3306:3306"
|
# - "3306:3306"
|
||||||
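Review bot: `user: "999:999"` is added without a comment explaining the hard-coded ids or their precondition: presumably this is the mysql uid/gid of the official mariadb image, and since the container no longer starts as root the entrypoint cannot chown the data directory, so an existing bind mount or volume not owned by 999:999 will fail to initialise (verify against the image's entrypoint). I would annotate it: `user: "999:999"  # mysql uid/gid in the official mariadb image; the data volume must be owned/writable by this uid, a non-root container cannot fix ownership`. The issue-434 link was moved into the `# not necessary since Docker Engine v20` comment, but the comment still does not say what the issue was; a reader deciding whether to uncomment `seccomp:unconfined` needs at least `# older engines' default seccomp profile blocked syscalls MariaDB uses; fixed in Docker 20.10`. The mariadb service block starts outside the hunk, so its volumes and healthcheck are not visible here.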
|
@ -141,9 +168,9 @@ services:
|
||||||
# restart: unless-stopped
|
# restart: unless-stopped
|
||||||
# stop_grace_period: 5s
|
# stop_grace_period: 5s
|
||||||
# ## Security options for some restricted systems
|
# ## Security options for some restricted systems
|
||||||
# security_opt:
|
# # security_opt: # not necessary since Docker Engine v20
|
||||||
# - seccomp:unconfined
|
# # - seccomp:unconfined
|
||||||
# - apparmor:unconfined
|
# # - apparmor:unconfined
|
||||||
# ## Uncomment next 2 lines if you want to access the database directly
|
# ## Uncomment next 2 lines if you want to access the database directly
|
||||||
# # ports:
|
# # ports:
|
||||||
# # - 5432:5432
|
# # - 5432:5432
|
||||||
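Review bot: The commented-out postgres example only has its `security_opt` lines re-commented, not the `cap_drop: ALL`, `no-new-privileges:true` and `user:` hardening the mariadb service receives in the same commit, so someone who uncomments this block ends up with a less hardened database than the default. Either apply the same stanzas here (still commented, same wording) or add a line like `# ## apply the same cap_drop/security_opt hardening as the mariadb service` so the asymmetry is deliberate. The `# # security_opt: # not necessary since Docker Engine v20` line packs two comments into one and reads as if `security_opt` itself were unnecessary; putting the explanation on its own line above would be clearer. The block starts before the hunk.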
|
|
|
@ -13,9 +13,22 @@ services:
|
||||||
mariadb:
|
mariadb:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
## Security options for some restricted systems
|
## Security options for some restricted systems
|
||||||
|
read_only: true
|
||||||
|
cap_drop:
|
||||||
|
- ALL
|
||||||
security_opt:
|
security_opt:
|
||||||
- seccomp:unconfined
|
- no-new-privileges:true
|
||||||
- apparmor:unconfined
|
# not necessary since Docker Engine v20
|
||||||
|
# - seccomp:unconfined
|
||||||
|
# - apparmor:unconfined
|
||||||
|
|
||||||
|
## Uncomment to enforce resource usage limits
|
||||||
|
# deploy:
|
||||||
|
# resources:
|
||||||
|
# limits:
|
||||||
|
# cpus: "4"
|
||||||
|
# memory: 4g
|
||||||
|
# pids: 1024
|
||||||
environment:
|
environment:
|
||||||
PHOTOVIEW_DATABASE_DRIVER: ${PHOTOVIEW_DATABASE_DRIVER}
|
PHOTOVIEW_DATABASE_DRIVER: ${PHOTOVIEW_DATABASE_DRIVER}
|
||||||
## Comment out the next variable in the case PHOTOVIEW_DATABASE_DRIVER is set to `sqlite` or `postgres` in the .env
|
## Comment out the next variable in the case PHOTOVIEW_DATABASE_DRIVER is set to `sqlite` or `postgres` in the .env
|
||||||
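Review bot: `read_only: true` is added to the photoview service without a writable scratch location in the hunk; any runtime writes (cache or thumbnail generation, temp files) will fail with EROFS unless the volumes section outside this hunk mounts those paths, which I cannot verify here. If they are not covered, add `tmpfs:` with `- /tmp` alongside `read_only` and note it: `read_only: true  # root fs is read-only; writable paths must be volumes or tmpfs`. `cap_drop: - ALL` and `no-new-privileges:true` are correct as written, but the `## Security options for some restricted systems` heading above them now mislabels general hardening as a compatibility workaround; moving it down to the commented `seccomp`/`apparmor` lines keeps its meaning. The service block continues outside the hunk.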
|
@ -57,11 +70,24 @@ services:
|
||||||
container_name: photoview-mariadb
|
container_name: photoview-mariadb
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
stop_grace_period: 5s
|
stop_grace_period: 5s
|
||||||
|
user: "999:999"
|
||||||
## Optimized MariaDB startup command for better performance and compatibility
|
## Optimized MariaDB startup command for better performance and compatibility
|
||||||
command: mariadbd --innodb-buffer-pool-size=512M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
|
command: mariadbd --innodb-buffer-pool-size=512M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
|
||||||
security_opt: ## see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239
|
## Security options for some restricted systems
|
||||||
- seccomp:unconfined
|
cap_drop:
|
||||||
- apparmor:unconfined
|
- ALL
|
||||||
|
security_opt:
|
||||||
|
- no-new-privileges:true
|
||||||
|
# not necessary since Docker Engine v20 see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239
|
||||||
|
# - seccomp:unconfined
|
||||||
|
# - apparmor:unconfined
|
||||||
|
## Uncomment to enforce resource usage limits
|
||||||
|
# deploy:
|
||||||
|
# resources:
|
||||||
|
# limits:
|
||||||
|
# cpus: "4"
|
||||||
|
# memory: 1g
|
||||||
|
# pids: 1024
|
||||||
environment:
|
environment:
|
||||||
MARIADB_AUTO_UPGRADE: "1"
|
MARIADB_AUTO_UPGRADE: "1"
|
||||||
MARIADB_DATABASE: ${MARIADB_DATABASE}
|
MARIADB_DATABASE: ${MARIADB_DATABASE}
|
||||||
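Review bot: With `cap_drop: - ALL` and `user: "999:999"` together, the mariadb container can neither start as root nor regain capabilities, so this only works when the data volume is already owned by uid 999; the hunk does not document that, and the volumes are outside it. I would add `# non-root: data volume must be pre-owned by 999:999 (the image's mysql user); the entrypoint cannot chown it` above `user:`. The commented `memory: 1g` limit sits a few lines below `--innodb-buffer-pool-size=512M --max-connections=512` in the command line; if someone uncomments it, 512 connections with their per-thread buffers on top of the 512M pool may exceed 1g and get the container OOM-killed, so a note like `# memory: 1g  # raise if --max-connections stays at 512` would avoid a surprise. The service block starts outside the hunk.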
|
|