From e8867805feb7d9568b68743dd7af48cb7988e483 Mon Sep 17 00:00:00 2001
From: Marco Kundt
Date: Tue, 11 May 2021 15:08:48 +0200
Subject: [PATCH] hardening options

---
 docker-compose.nginx.yml | 8 +++++++-
 docker-compose.yml | 14 +++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/docker-compose.nginx.yml b/docker-compose.nginx.yml
index 27340fe..8f695dd 100644
--- a/docker-compose.nginx.yml
+++ b/docker-compose.nginx.yml
@@ -1,4 +1,4 @@
-version: "3"
+version: "2.4"
 
 services:
   nginx:
@@ -6,7 +6,13 @@ services:
       - mattermost
     container_name: nginx_mattermost
     image: nginx:${NGINX_IMAGE_TAG}
+    pids_limit: 10
     restart: ${RESTART_POLICY}
+    read_only: true
+    tmpfs:
+      - /var/run
+      - /var/cache
+      - /var/log/nginx
     volumes:
       - ${NGINX_CONFIG_PATH}:/etc/nginx/conf.d:ro
       - ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem
diff --git a/docker-compose.yml b/docker-compose.yml
index 0f742f4..c273fac 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,12 +1,17 @@
 # https://docs.docker.com/compose/environment-variables/
-version: "3"
+version: "2.4"
 
 services:
   postgres:
     container_name: postgres_mattermost
     image: postgres:${POSTGRES_IMAGE_TAG}
+    pids_limit: 10
     restart: ${RESTART_POLICY}
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /var/run/postgresql
     volumes:
       - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
     environment:
@@ -23,7 +28,11 @@ services:
       - postgres
     container_name: mattermost
     image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
+    pids_limit: 15
     restart: ${RESTART_POLICY}
+    read_only: true
+    tmpfs:
+      - /tmp
     volumes:
       - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
       - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw
@@ -49,5 +58,8 @@ services:
 # container_name: watchtower
 # image: containrrr/watchtower:latest
 # restart: unless-stopped
+# read_only: true
+# tmpfs:
+# - /tmp
 # volumes:
 # - /var/run/docker.sock:/var/run/docker.sock
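Review bot: The downgrade from `version: "3"` to `"2.4"` is unexplained in the file, so a later maintainer may bump it back to a 3.x format and lose the options this commit depends on; presumably 2.4 was chosen because `pids_limit` is not part of the legacy v3 format. A one-line comment above the key would prevent that, e.g. `# v2.4, not 3.x: pids_limit is only supported in the v2 file format (v2 files do not work with docker stack deploy)`. The same applies to the identical version hunk in docker-compose.yml.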
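Review bot: `pids_limit: 10` is likely too low for nginx, because the pids cgroup counts threads as well as processes and the official image defaults to `worker_processes auto` (one worker per CPU plus the master), so on a host with more than a handful of cores workers will fail to spawn; the same concern applies to `pids_limit: 10` in the postgres hunk (postgres forks one backend process per client connection, and Mattermost opens a pool of connections) and to `pids_limit: 15` in the mattermost hunk (a Go runtime creates many OS threads). Measure the real task count under load and set the limits with headroom rather than single digits. The new `tmpfs` entries carry no mount options, so each is writable, executable and bounded only by host memory; docker-compose accepts `/path:options`, so `- /var/cache:size=64m,noexec,nosuid` (constructed values) would keep the read-only root from being undone by an unbounded, exec-capable scratch space. Finally, the root is now read-only but `- ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem` is still a writable bind mount while the config mount is `:ro`; nginx only reads the file, so `:ro` belongs there too.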
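Review bot: `read_only: true` on the mattermost service only leaves `/mattermost/config`, `/mattermost/data` and the `/tmp` tmpfs writable within this hunk, yet Mattermost by default writes its log files under `/mattermost/logs` and installs plugins under `/mattermost/plugins` and `/mattermost/client/plugins`; unless those paths are bind-mounted in the volume lines that continue past the end of the hunk, file logging and plugin installation will fail once the root is read-only. If they are mounted below, a short comment on `read_only: true` naming the writable paths it relies on would help, e.g. `# read-only root: every path Mattermost writes (config, data, logs, plugins) must be mounted below`. If they are not, either add them as bind mounts or list the directories under `tmpfs` with the understanding that their contents do not survive a restart.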