harden docker-compose.yml (#99)
`user: nobody`: the least privileged account.
`read_only: true`: this container doesn't write anything to the filesystem; this removes a vector.
`security_opt`: disallows the container from grabbing more privileges.
`cap_drop`: this container doesn't need any capabilities, drop them.
`networks`: put `rimgo` into its own network so it cannot see other containers by default.

Reviewed-on: https://codeberg.org/video-prize-ranch/rimgo/pulls/99
Co-authored-by: kuantum <kuantum@noreply.codeberg.org>
Co-committed-by: kuantum <kuantum@noreply.codeberg.org>
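For reference, a complete service definition carrying the hardening settings described in the commit message, in the form that passes `docker compose config`. This is an added example written for this review, not the project's own docker-compose.yml: the service name `rimgo`, the `image:` value and the `tmpfs` scratch mount are assumptions, and the top-level `networks` entry is written as the mapping the compose format requires.

```yaml
# Added example, not the project's file. Service name, image and the
# tmpfs mount are assumed; everything else mirrors the settings the
# commit message describes.
services:
  rimgo:
    image: rimgo                 # assumed placeholder for the real image reference
    ports:
      - 3000:3000
    restart: unless-stopped
    user: 65534:65534            # nobody:nogroup; unprivileged, no home directory
    read_only: true              # root filesystem is immutable inside the container
    tmpfs:
      - /tmp                     # assumed: writable scratch space without touching the image
    security_opt:
      - no-new-privileges:true   # one string, no space after the colon
    cap_drop:
      - ALL                      # start from zero capabilities
    networks:
      - rimgo                    # service-level entry is a list of network names

# Top-level networks is a mapping keyed by network name, not a list.
networks:
  rimgo: {}
```

Run `docker compose config` against the file before deploying: it rewrites `security_opt` and `networks` into their canonical form, so a mis-typed list or mapping shows up as a validation error rather than at container start.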
This commit is contained in:
parent 4e065bf455
commit 9b5af0aeb6
					@ -8,3 +8,14 @@ services:
 | 
				
			||||||
    ports:
 | 
					    ports:
 | 
				
			||||||
      - 3000:3000
 | 
					      - 3000:3000
 | 
				
			||||||
    restart: unless-stopped
 | 
					    restart: unless-stopped
 | 
				
			||||||
 | 
					    user: 65534:65534 # equivalent to `nobody`
 | 
				
			||||||
 | 
					    read_only: true
 | 
				
			||||||
 | 
					    security_opt:
 | 
				
			||||||
 | 
					      - no-new-privileges: true
 | 
				
			||||||
 | 
					    cap_drop:
 | 
				
			||||||
 | 
					      - ALL
 | 
				
			||||||
 | 
					    networks:
 | 
				
			||||||
 | 
					      - rimgo
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					networks:
 | 
				
			||||||
 | 
					  - rimgo
 | 
				
			||||||
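Review bot: the top-level `networks:` block at the end of this hunk is written as a list (`networks:` followed by `  - rimgo`), but the compose file format requires a mapping there, so the file will be rejected at load time; it should read `networks:` followed by `  rimgo:` (the network name as a key, with an empty body). Also, `security_opt` entries are passed to the engine as strings, and `- no-new-privileges: true` with a space after the colon is parsed by YAML as a one-key mapping rather than the string the engine expects; write it as `- no-new-privileges:true`. Finally, with `read_only: true` and no `tmpfs` entry the process has nowhere writable at all; the commit message says the service writes nothing, but if that turns out not to hold, a `tmpfs:` entry for `/tmp` keeps the root filesystem immutable while still allowing scratch files.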