From b0214bdb9a6e1178a666fc4f3756d50181f48bf0 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Fri, 3 Jan 2025 14:57:43 +0100
Subject: [PATCH] container security (#274)

https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

Reviewed-on: https://git.mgrote.net/mg/homeserver/pulls/274
Co-authored-by: Michael Grote
Co-committed-by: Michael Grote
---
 .../act-runner/docker-compose.yml.j2 | 7 +++++
 docker-compose/authelia/docker-compose.yml.j2 | 21 ++++++++++++++
 docker-compose/gramps/docker-compose.yml.j2 | 19 +++++++++++++
 docker-compose/lldap/docker-compose.yml.j2 | 14 ++++++++++
 docker-compose/miniflux/docker-compose.yml.j2 | 21 ++++++++++++++
 .../navidrome/docker-compose.yml.j2 | 7 +++++
 .../nextcloud/docker-compose.yml.j2 | 28 +++++++++++++++++++
 docker-compose/postfix/docker-compose.yml.j2 | 7 +++++
 docker-compose/registry/docker-compose.yml.j2 | 21 ++++++++++++++
 .../routeros-config-export/docker-compose.yml | 7 +++++
 docker-compose/traefik/docker-compose.yml.j2 | 5 ++++
 .../docker-compose.yml.j2 | 14 ++++++++++
 docker-compose/wiki/docker-compose.yml.j2 | 7 +++++
 13 files changed, 178 insertions(+)

diff --git a/docker-compose/act-runner/docker-compose.yml.j2 b/docker-compose/act-runner/docker-compose.yml.j2
index af1e3268..ff76964a 100644
--- a/docker-compose/act-runner/docker-compose.yml.j2
+++ b/docker-compose/act-runner/docker-compose.yml.j2
@@ -6,6 +6,13 @@ services:
 image: gitea/act_runner:0.2.11
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 volumes:
 - act_runner_data:/data
 - ./config.yml:/config.yml
diff --git a/docker-compose/authelia/docker-compose.yml.j2 b/docker-compose/authelia/docker-compose.yml.j2
index 68227285..0b2676dd 100644
--- a/docker-compose/authelia/docker-compose.yml.j2
+++ b/docker-compose/authelia/docker-compose.yml.j2
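Review bot: The same seven-line `deploy`/`security_opt` block is pasted verbatim into every service of all 13 files (this act-runner hunk and the authelia, gramps, lldap, miniflux, navidrome, nextcloud, postfix, registry, routeros-config-export, traefik, unifi-network-application and wiki hunks), so any later adjustment will drift between services; since most of these files are already Jinja templates, a shared include or a per-file YAML anchor would keep the baseline in one place. The hunk also gives no hint why the values were chosen or what they rely on: `deploy.resources.limits` is only applied outside Swarm by Compose v2 (which the existing `pull_policy` key suggests is in use), and `no-new-privileges` only stops privilege gain via setuid/file capabilities, it does not drop the capabilities the container starts with. A one-line comment above the block such as `# hardening baseline per OWASP Docker Security Cheat Sheet; limits need Compose v2` would make that explicit, and `cap_drop:` / `- ALL` from the same cheat sheet is the natural companion to add per service where the image tolerates it. The service definitions continue outside each hunk, so I cannot tell whether any of them already set `cap_drop` or `user`.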
@@ -7,6 +7,13 @@ services:
 container_name: authelia
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 environment:
 TZ: Europe/Berlin
 volumes:
@@ -42,6 +49,13 @@ services:
 container_name: authelia-redis
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 environment:
 TZ: Europe/Berlin
 networks:
@@ -59,6 +73,13 @@ services:
 command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 volumes:
 - /etc/localtime:/etc/localtime:ro
 - /etc/timezone:/etc/timezone:ro
diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2
index d9d09b88..59fe5dd5 100644
--- a/docker-compose/gramps/docker-compose.yml.j2
+++ b/docker-compose/gramps/docker-compose.yml.j2
@@ -5,6 +5,13 @@ services:
 image: ghcr.io/gramps-project/grampsweb:v24.12.2 # version
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "2048M"
+ security_opt:
+ - no-new-privileges=true
 ports:
 - "6483:5000" # host:docker
 environment:
@@ -36,6 +43,11 @@ services:
 grampsweb_celery:
 <<: *grampsweb # YAML merge key copying the entire grampsweb service config
 ports: []
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "2048M"
 container_name: grampsweb-celery
 depends_on:
 - grampsweb_redis
@@ -47,6 +59,13 @@ services:
 container_name: grampsweb-redis
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 healthcheck:
 test: ["CMD", "redis-cli", "ping"]
 interval: 30s
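Review bot: In the gramps `@@ -36,6 +43,11 @@` hunk the explicit `deploy:` block under `grampsweb_celery` repeats exactly the limits that `<<: *grampsweb` already merges in from the `grampsweb` service changed earlier in this file (`cpus: "2"`, `memory: "2048M"`), so it is redundant as written; merge-key semantics make an explicit key override the merged one, which is harmless here but reads like an intended per-service override. Either drop the block or replace it with a comment such as `# deploy limits and security_opt inherited from grampsweb via the merge key` so the next reader knows the worker's `security_opt` (not repeated here) comes only through the alias. If the intent was to give the celery worker different limits than the web process, the values should differ, otherwise the duplicate will silently mask a future change to the anchor.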
diff --git a/docker-compose/lldap/docker-compose.yml.j2 b/docker-compose/lldap/docker-compose.yml.j2
index 2e916179..4c01b05a 100644
--- a/docker-compose/lldap/docker-compose.yml.j2
+++ b/docker-compose/lldap/docker-compose.yml.j2
@@ -4,6 +4,13 @@ services:
 container_name: lldap
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 ports:
 - "3890:3890"
 - "17170:17170" # front-end
@@ -25,6 +32,13 @@ services:
 image: "postgres:17.2"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 environment:
 POSTGRES_USER: lldap
 POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}"
diff --git a/docker-compose/miniflux/docker-compose.yml.j2 b/docker-compose/miniflux/docker-compose.yml.j2
index 20777648..4ce395ae 100644
--- a/docker-compose/miniflux/docker-compose.yml.j2
+++ b/docker-compose/miniflux/docker-compose.yml.j2
@@ -5,6 +5,13 @@ services:
 image: "ghcr.io/miniflux/miniflux:2.2.4"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 depends_on:
 - mf-db17
 environment:
@@ -37,6 +44,13 @@ services:
 image: "postgres:17.2"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 environment:
 POSTGRES_USER: miniflux
 POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_postgres_password', 'password') }}"
@@ -58,6 +72,13 @@ services:
 - miniflux
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "4"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 environment:
 TZ: Europe/Berlin
 MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_auth_token', 'password') }}"
diff --git a/docker-compose/navidrome/docker-compose.yml.j2 b/docker-compose/navidrome/docker-compose.yml.j2
index a6f18ad5..73dc9219 100644
--- a/docker-compose/navidrome/docker-compose.yml.j2
+++ b/docker-compose/navidrome/docker-compose.yml.j2
@@ -5,6 +5,13 @@ services:
 image: "deluan/navidrome:0.54.3"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "4"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 environment:
 ND_AUTOIMPORTPLAYLISTS: true
 ND_BASEURL: /mg
diff --git a/docker-compose/nextcloud/docker-compose.yml.j2 b/docker-compose/nextcloud/docker-compose.yml.j2
index 4dd8d9bb..32dda574 100644
--- a/docker-compose/nextcloud/docker-compose.yml.j2
+++ b/docker-compose/nextcloud/docker-compose.yml.j2
@@ -6,6 +6,13 @@ services:
 command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 volumes:
 - /etc/localtime:/etc/localtime:ro
 - /etc/timezone:/etc/timezone:ro
@@ -39,6 +46,13 @@ services:
 - internal
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}"
 healthcheck:
 test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"]
@@ -52,6 +66,13 @@ services:
 image: "registry.mgrote.net/nextcloud-cronjob:latest"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 network_mode: none
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
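Review bot: In the nextcloud `@@ -52,6 +66,13 @@` hunk the new `no-new-privileges` and resource limits on `nextcloud-cronjob` give little containment, because the service bind-mounts `/var/run/docker.sock` two lines below and whoever holds that socket can drive the daemon regardless of in-container privilege flags; as far as I know the `:ro` mount flag does not stop a process from connecting to a unix socket either. The hardening is still worth keeping, but the hunk should not read as if the container were now bounded. A comment above the block such as `# note: no-new-privileges does not restrict what this container can do via the mounted docker socket` would record that, and the OWASP cheat sheet the commit cites recommends fronting the socket with a filtering proxy rather than mounting it directly, which would be the real mitigation here. The rest of the `nextcloud-cronjob` definition is outside the hunk, so I cannot see whether the image already runs as a non-root user.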
@@ -66,6 +87,13 @@ services:
 container_name: nextcloud-app
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "4"
+ memory: "1024M"
+ security_opt:
+ - no-new-privileges=true
 depends_on:
 - nextcloud-db
 - nextcloud-redis
diff --git a/docker-compose/postfix/docker-compose.yml.j2 b/docker-compose/postfix/docker-compose.yml.j2
index dc005e5f..fe3aa906 100644
--- a/docker-compose/postfix/docker-compose.yml.j2
+++ b/docker-compose/postfix/docker-compose.yml.j2
@@ -4,6 +4,13 @@ services:
 container_name: postfix
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 ports:
 - 1025:25
 environment:
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index eb8366c0..92a4d167 100644
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@@ -2,6 +2,13 @@ services:
 oci-registry:
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 container_name: oci-registry
 image: "registry:2.8.3"
 volumes:
@@ -54,6 +61,13 @@ services:
 - internal
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 environment:
 REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
 MAXMEMORY POLICY: allkeys-lru
@@ -66,6 +80,13 @@ services:
 oci-registry-ui:
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 image: "joxit/docker-registry-ui:2.5.7"
 container_name: oci-registry-ui
 ports:
diff --git a/docker-compose/routeros-config-export/docker-compose.yml b/docker-compose/routeros-config-export/docker-compose.yml
index eaebdaa4..afe7f88a 100644
--- a/docker-compose/routeros-config-export/docker-compose.yml
+++ b/docker-compose/routeros-config-export/docker-compose.yml
@@ -3,6 +3,13 @@ services:
 container_name: routeros-config-export
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 image: "registry.mgrote.net/routeros-config-export:latest"
 volumes:
 - ./key_rb5009:/key_rb5009:ro
diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2
index b2f61d3d..531208d5 100644
--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
@@ -7,6 +7,11 @@ services:
 image: "traefik:v3.2.3"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 volumes:
diff --git a/docker-compose/unifi-network-application/docker-compose.yml.j2 b/docker-compose/unifi-network-application/docker-compose.yml.j2
index eee06320..2a9eb4aa 100644
--- a/docker-compose/unifi-network-application/docker-compose.yml.j2
+++ b/docker-compose/unifi-network-application/docker-compose.yml.j2
@@ -28,6 +28,13 @@ services:
 - 5514:5514/udp #optional
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "1024M"
+ security_opt:
+ - no-new-privileges=true
 networks:
 - postfix
 - unifi-internal
@@ -51,6 +58,13 @@ services:
 - db-data:/data/db
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 environment:
 MARIADB_AUTO_UPGRADE: "1"
 networks:
diff --git a/docker-compose/wiki/docker-compose.yml.j2 b/docker-compose/wiki/docker-compose.yml.j2
index 4b1c26f3..5d683b0b 100644
--- a/docker-compose/wiki/docker-compose.yml.j2
+++ b/docker-compose/wiki/docker-compose.yml.j2
@@ -4,6 +4,13 @@ services:
 image: "registry.mgrote.net/httpd:latest"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
+ security_opt:
+ - no-new-privileges=true
 networks:
 - traefik
 ports: