zyachel
commented
1 year ago I don't have much experience with docker so I hope you've tested it thoroughly.
Closed ghost closed 1 year ago
zyachel
commented
1 year ago I don't have much experience with docker so I hope you've tested it thoroughly.
ghost
commented
1 year ago It's currently running at https://libremdb.nullnet.services on this same branch.
If, for whatever reason, this is not building or there's issues, I can maintain the Docker image and submit fixes.
ghost
commented
1 year ago Actually, hang on.
ghost
commented
1 year ago Alright, good to merge!
zyachel
commented
1 year ago Thanks!
This PR hardens both the Dockerfile and the docker-compose file.
Dockerfile: switched to a distroless image.
Docker Compose (renamed to docker-compose.yml):
user: this is set to the UID:GID ofnobody, the least privileged account.read_only: this is set to true, this container doesn't write anything to the filesystem.security_opt: there's a lot of settings, but the important on is that the container doesn't get any privileges when asking for them.cap_drop: this drops all capabilities like CHOWN, SETUID, etc.tmpfs: this is essentially a volume in RAM. it gets wiped every container restart.networks: this putslibremdbin its own separate bridge network where it cannot talk to other containers.