# Security
This document explains the security practices taken into account.

Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.

## Rootness
**The container process runs as `root`**.

Due to the deterministic, static nature of the container process, this is not an issue.

## Port Exposure
The container exposes no ports.

## Volume Access
**The container process has `docker.sock` access**.

Due to the deterministic, static nature of the container process, this is not an issue.

## Resource Limits
The service sets CPU and memory usage limits in the `deploy` section.

This helps prevent any issues with the container process from crashing the entire host.

## Capabilities
All capabilities are dropped by listing `ALL` under `cap_drop` (the Compose equivalent of `docker run --cap-drop ALL`).

No capabilities need to be added back, so none are.

## Special Note: latest
Hosts are presumed to be kept up-to-date via the official `docker-ce` package.

Thus, uniquely, using the `latest` tag for this container is warranted.
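
To check that a Compose file still matches the posture described in this document, the following added example (not part of this project's code) audits one service definition that has already been parsed from YAML into a dict. The sample service, image name and limit values are constructed, and the root check assumes the image sets no `USER`.

```python
# Added example: checks a parsed Compose service against the posture in this document.
# The sample service, image name and limit values are constructed, not the project's own.

EXPECTED = {  # the posture this document describes
    "runs_as_root": True,
    "no_ports_published": True,
    "mounts_docker_sock": True,
    "cpu_and_memory_limited": True,
    "all_caps_dropped": True,
    "no_caps_added": True,
    "uses_latest_tag": True,
}

def _volume_source(vol):
    """Host path of a volume in short ("src:dst[:mode]") or long (dict) syntax."""
    return vol.get("source", "") if isinstance(vol, dict) else str(vol).split(":")[0]

def audit_service(svc):
    """Return {check: bool} for one service definition (a dict from the YAML)."""
    limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
    image = svc.get("image", "")
    name = image.split("@")[0].rsplit("/", 1)[-1]      # last path segment, digest removed
    tag = name.split(":", 1)[1] if ":" in name else "latest"
    user = str(svc.get("user", "root")).split(":")[0]  # assumption: image sets no USER
    return {
        "runs_as_root": user in ("root", "0"),
        "no_ports_published": not svc.get("ports"),
        "mounts_docker_sock": any(_volume_source(v).endswith("docker.sock")
                                  for v in svc.get("volumes", [])),
        "cpu_and_memory_limited": "cpus" in limits and "memory" in limits,
        "all_caps_dropped": "ALL" in [str(c).upper() for c in svc.get("cap_drop", [])],
        "no_caps_added": not svc.get("cap_add"),
        "uses_latest_tag": tag == "latest" and "@" not in image,
    }

def deviations(svc):
    """Names of checks whose result differs from the documented posture."""
    result = audit_service(svc)
    return [check for check, want in EXPECTED.items() if result[check] != want]

SAMPLE = {  # constructed service definition
    "image": "example/agent:latest",
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
    "cap_drop": ["ALL"],
    "deploy": {"resources": {"limits": {"cpus": "0.50", "memory": "64M"}}},
}

if __name__ == "__main__":
    print(deviations(SAMPLE) or "matches the documented posture")
```

An empty list from `deviations` means the service matches every point above; any name it returns marks a setting that has drifted and should be reviewed before deployment.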