Add hardening options

* no new capabilities * container root read-only (directories needed for rw are populated as tmpfs) * limit pids
2021-05-21 14:41:34 +02:00 · 2021-05-21 14:41:34 +02:00 · 8f41168f8a
commit 8f41168f8a
parent 23e6eaf212
2 changed files with 23 additions and 2 deletions
--- a/docker-compose.nginx.yml
+++ b/docker-compose.nginx.yml
@ -1,4 +1,4 @@
-version: "3"
+version: "2.4"

 services:
  nginx:
@ -7,6 +7,14 @@ services:
    container_name: nginx_mattermost
    image: nginx:${NGINX_IMAGE_TAG}
    restart: ${RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    pids_limit: 100
+    read_only: true
+    tmpfs:
+      - /var/run
+      - /var/cache
+      - /var/log/nginx
    volumes:
      - ${NGINX_CONFIG_PATH}:/etc/nginx/conf.d:ro
      - ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,12 +1,19 @@
 # https://docs.docker.com/compose/environment-variables/

-version: "3"
+version: "2.4"

 services:
  postgres:
    container_name: postgres_mattermost
    image: postgres:${POSTGRES_IMAGE_TAG}
    restart: ${RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    pids_limit: 100
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /var/run/postgresql
    volumes:
      - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
    environment:
@ -24,6 +31,12 @@ services:
    container_name: mattermost
    image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
    restart: ${RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    pids_limit: 200
+    read_only: true
+    tmpfs:
+      - /tmp
    volumes:
      - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
      - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw