HookedBehemoth / neuters

Reuters Redirect and Proxy
https://neuters.de/
GNU Affero General Public License v3.0
90 stars 7 forks

harden docker implementation #17

Closed ghost closed 1 year ago

HookedBehemoth commented 1 year ago

Hi, I'm not super familiar with Docker. Could you explain what these changes do? Also, we should probably document the ports being bound to.

ghost commented 1 year ago

Sure.

I'm sure you're familiar with the general basics of Docker. If not, I can explain further.

Dockerfile: This incorporates a "distroless" image. A distroless image is an extremely stripped-down environment. No package manager, no shell, nothing except the bare essentials needed to run your program. This, in turn, slims down the final Docker image so you save space, and it is more secure. If there were a bug that granted a user RCE through neuters (not saying it exists, just a thought experiment), they would not be able to do much because the system environment is just not there.

docker-compose.yml:

- `user: 65534:65534`: the least privileged account available on the system.
- `read_only: true`: this container doesn't write anything to the filesystem; this removes a vector of attack.
- `security_opt`: disallows the container from grabbing more privileges it doesn't need.
- `cap_drop`: this container doesn't need any capabilities, so drop them.
- `networks`: put neuters into its own network so it cannot see other containers by default.
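
The PR's own diff is not shown on this page; as an added illustration (not the project's file), here is a `docker-compose.yml` service block carrying the five settings described above. The service name, image tag, the `no-new-privileges` value for `security_opt`, `ALL` for `cap_drop`, and the published port are assumptions, since the page names the keys but not their exact values:

```yaml
# Added example, not the PR's diff. Service name, image tag and the
# published port are assumptions; the hardening keys are the ones
# discussed in the thread.
services:
  neuters:
    build: .
    image: neuters:local            # assumed local build tag
    # Run as uid/gid 65534 (nobody:nogroup) instead of the default root.
    user: "65534:65534"
    # The proxy writes nothing to disk, so the root filesystem can be read-only.
    read_only: true
    # Assumed value: block privilege escalation through setuid/setgid
    # binaries or file capabilities inside the container.
    security_opt:
      - no-new-privileges:true
    # Assumed value: start with no Linux capabilities at all rather than
    # Docker's default set.
    cap_drop:
      - ALL
    # Dedicated network: only services attached to it can reach neuters.
    networks:
      - neuters
    # Host binding is an assumption; the container port must match the
    # port neuters actually listens on.
    ports:
      - "127.0.0.1:8080:8080"

networks:
  neuters:
    driver: bridge
```

If the binary ever did need a scratch directory, a `tmpfs:` entry under the service keeps `read_only: true` intact instead of relaxing it; and because `user` is set in Compose rather than in the image, the same settings apply regardless of which base image the Dockerfile ends up using.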

ghost commented 1 year ago

As far as the ports are concerned, you don't NEED to explicitly expose them.

Just so long as one port is used, it's fine, you can add that within the README. The docker-compose also explains it, albeit you'll need to understand how Docker Compose works.

HookedBehemoth commented 1 year ago

Sounds good to me. Thank you!