Update docker-compose security features (#208)

Co-authored-by: Sebastian Forst <sebastian.forst@posteo.de>
3 years ago · 48c8e9d14b
parent ecb7885a56
commit 48c8e9d14b
1 changed files with 18 additions and 1 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,9 +1,26 @@
-version: "3"
+# cant use mem_limit in a 3.x docker-compose file in non swarm mode
+# see https://github.com/docker/compose/issues/4513
+version: "2.4"

 services:
  whoogle-search:
    image: benbusby/whoogle-search
    container_name: whoogle-search
+    restart: on-failure:5
+    pids_limit: 50
+    mem_limit: 256mb
+    memswap_limit: 256mb
+    # user debian-tor from tor package
+    user: '102'
+    security_opt:
+      - no-new-privileges
+    cap_drop:
+      - ALL
+    read_only: true
+    tmpfs:
+      - /config/:size=10M,uid=102,gid=102,mode=1700
+      - /var/lib/tor/:size=10M,uid=102,gid=102,mode=1700
+      - /run/tor/:size=1M,uid=102,gid=102,mode=1700
    #environment: # Uncomment to configure environment variables
      # Basic auth configuration, uncomment to enable
      #- WHOOGLE_USER=<auth username>