python-support-infra/stacks/cleanup/SECURITY.md

32 lines
1016 B
Markdown
Raw Normal View History

# Security
Here follows an explanation of security practices taken into account.
Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.
## Rootness
**The container process runs as `root`**.
Due to the deterministic, static nature of the container process, this is not an issue.
## Port Exposure
The container exposes no ports.
## Volume Access
**The container process has `docker.sock` access**.
Due to the deterministic, static nature of the container process, this is not an issue.
## Resource Limits
The service employs CPU/Memory usage limits in the `deploy` section.
This helps prevent any issues with the container process from crashing the entire host.
## Capabilities
All capabilities are dropped with `--cap_drop ALL`.
No capabilities need to be added back, so none are.
## Special Note: latest
Hosts are presumed to be kept up-to-date via the official `docker-ce` package.
Thus, uniquely, using `latest` tag in this container is warranted.