From 8f41168f8a976c2934faa2aa719f09542a7ed960 Mon Sep 17 00:00:00 2001 From: Marco Kundt Date: Fri, 21 May 2021 14:41:34 +0200 Subject: [PATCH] Add hardening options * no new capabilities * container root read-only (directories needed for rw are populated as tmpfs) * limit pids --- docker-compose.nginx.yml | 10 +++++++++- docker-compose.yml | 15 ++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/docker-compose.nginx.yml b/docker-compose.nginx.yml index 27340fe..cce0da1 100644 --- a/docker-compose.nginx.yml +++ b/docker-compose.nginx.yml @@ -1,4 +1,4 @@ -version: "3" +version: "2.4" services: nginx: @@ -7,6 +7,14 @@ services: container_name: nginx_mattermost image: nginx:${NGINX_IMAGE_TAG} restart: ${RESTART_POLICY} + security_opt: + - no-new-privileges:true + pids_limit: 100 + read_only: true + tmpfs: + - /var/run + - /var/cache + - /var/log/nginx volumes: - ${NGINX_CONFIG_PATH}:/etc/nginx/conf.d:ro - ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem diff --git a/docker-compose.yml b/docker-compose.yml index 0f742f4..07b1a41 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,12 +1,19 @@ # https://docs.docker.com/compose/environment-variables/ -version: "3" +version: "2.4" services: postgres: container_name: postgres_mattermost image: postgres:${POSTGRES_IMAGE_TAG} restart: ${RESTART_POLICY} + security_opt: + - no-new-privileges:true + pids_limit: 100 + read_only: true + tmpfs: + - /tmp + - /var/run/postgresql volumes: - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data environment: @@ -24,6 +31,12 @@ services: container_name: mattermost image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG} restart: ${RESTART_POLICY} + security_opt: + - no-new-privileges:true + pids_limit: 200 + read_only: true + tmpfs: + - /tmp volumes: - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw
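Review bot: `read_only: true` on the nginx service hardens only the container's root filesystem; bind mounts keep their own mode, and the context line right after the new block mounts `${NGINX_DHPARAMS_FILE}:/dhparams4096.pem` with no mode at all, so a compromised nginx worker could still overwrite the DH parameters on the host. nginx only reads that file, so give it the same treatment as the conf.d mount: `- ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem:ro`. The three `tmpfs` entries are created with Docker's default tmpfs options, which as far as I know impose no size limit, and `pids_limit` bounds processes rather than memory; if the chosen file-format version supports the long volume syntax, consider `type: tmpfs` entries with a `size` so a runaway cache or log cannot consume host RAM. The nginx service definition appears to continue past the end of the hunk.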
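Review bot: `pids_limit: 100` on the postgres service is no higher than PostgreSQL's default `max_connections` of 100, and every client connection is a forked backend process that shares the cgroup PID budget with the postmaster and its helper processes (checkpointer, WAL writer, autovacuum launcher and so on), so a connection burst from the app will hit the cap and fail at fork time instead of being refused gracefully by PostgreSQL — a self-inflicted outage the limit is meant to prevent elsewhere. Derive the limit from the configured `max_connections` (not visible in this hunk; it may be set through the environment block that continues outside it) with headroom, e.g. `pids_limit: 200  # must exceed max_connections plus postgres helper processes`, and keep a comment so the two values are changed together. The rest of the postgres service (environment) lies outside the hunk.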
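Review bot: The mattermost service gains `no-new-privileges`, which blocks privilege gain through setuid or file-capability binaries but leaves the container's default capability set untouched, so the commit message's "no new capabilities" overstates it. The server listens on an unprivileged port and, as far as I recall, the image runs as a non-root user, so `cap_drop: ["ALL"]` next to `security_opt` is the usual companion and should be safe — confirm against the image's entrypoint before relying on it. Separately, `pids_limit: 200` counts OS threads and every plugin subprocess (each enabled plugin is a separate process), and a Go runtime that cannot create a thread aborts the whole server rather than degrading, so the value deserves a comment such as `# counts Go threads and one process per enabled plugin; raise before enabling many plugins`. The volumes list may continue past the end of the hunk.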