Add hardening options

* no new capabilities * container root read-only (directories needed for rw are populated as tmpfs) * limit pids
2021-05-21 14:41:34 +02:00 · 2021-05-21 14:41:34 +02:00 · 8f41168f8a
commit 8f41168f8a
parent 23e6eaf212
2 changed files with 23 additions and 2 deletions
--- a/docker-compose.nginx.yml
+++ b/docker-compose.nginx.yml
@ -1,4 +1,4 @@
-version: "3"
+version: "2.4"
 services:
  nginx:
@ -7,6 +7,14 @@ services:
    container_name: nginx_mattermost
    image: nginx:${NGINX_IMAGE_TAG}
    restart: ${RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    pids_limit: 100
    read_only: true
    tmpfs:
      - /var/run
      - /var/cache
      - /var/log/nginx
    volumes:
      - ${NGINX_CONFIG_PATH}:/etc/nginx/conf.d:ro
      - ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,12 +1,19 @@
 # https://docs.docker.com/compose/environment-variables/
-version: "3"
+version: "2.4"
 services:
  postgres:
    container_name: postgres_mattermost
    image: postgres:${POSTGRES_IMAGE_TAG}
    restart: ${RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    pids_limit: 100
    read_only: true
    tmpfs:
      - /tmp
      - /var/run/postgresql
    volumes:
      - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
    environment:
@ -24,6 +31,12 @@ services:
    container_name: mattermost
    image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
    restart: ${RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    pids_limit: 200
    read_only: true
    tmpfs:
      - /tmp
    volumes:
      - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
      - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw