simplify and harden docker implementation (#5)

This PR fixes the currently broken Dockerfile. As referenced via #4, I have pinned the version at Python 3.10 currently due to an out-of-date LXML in the main SimplyTranslateWeb repository.

Dockerfile: instead of using a Debian-based image, we switch to Alpine. We don't need to update and upgrade a docker container usually so we can just pull what we need. In my tests, the current Dockerfile will result in a 1.46 GB image. With these patches, the new Dockerfile will result in a 262.59 MB image; a significant reduction in image size and a faster overall build time.

Docker Compose:
* `user`: this is set to `nobody`, the least privileged account.
* `read_only`: this is set to true; this container doesn't write anything to the filesystem.
* `security_opt`: there are a lot of settings, but the important one is that the container doesn't get any privileges when asking for them.
* `cap_drop`: this drops all capabilities like CHOWN, SETUID, etc.
* `networks`: this puts `simplytranslate` in its own separate bridge network where it cannot talk to other containers.

Co-authored-by: Nullnet Services Administrator <admin@nullnet.services>
Reviewed-on: https://codeberg.org/SimpleWeb/SimplyTranslate-Docker/pulls/5
Co-authored-by: kuantum <kuantum@noreply.codeberg.org>
Co-committed-by: kuantum <kuantum@noreply.codeberg.org>
master
kuantum 2 months ago committed by fattalion
parent 6cfdec7cdf
commit 6799c9d7e0
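The compose settings listed in the description can be checked on a running container from `docker inspect` output. The following is an added example, not code from this PR or the SimplyTranslate project: it audits a constructed, abridged inspect record (the `sample_inspect` builder and its values are assumptions) for each setting, including whether published ports are bound to loopback only.

```python
"""Audit `docker inspect` output for the hardening settings described above."""
import json


def sample_inspect(user="nobody", host_ip="127.0.0.1"):
    """Constructed, abridged record shaped like `docker inspect simplytranslate`.
    A loopback publish ("127.0.0.1:5000:5000") records HostIp; a bare "5000:5000"
    leaves HostIp empty, which means every interface."""
    return json.dumps([{
        "Config": {"User": user},
        "HostConfig": {
            "ReadonlyRootfs": True,
            "SecurityOpt": ["no-new-privileges:true"],
            "CapDrop": ["ALL"],
            "CapAdd": None,
            "PortBindings": {"5000/tcp": [{"HostIp": host_ip, "HostPort": "5000"}]},
        },
    }])


def audit_container(inspect_json):
    """Return {check: passed} for each setting the compose file is meant to enforce."""
    info = json.loads(inspect_json)[0]
    cfg = info.get("Config") or {}
    host = info.get("HostConfig") or {}
    bindings = host.get("PortBindings") or {}
    return {
        # `user: nobody` -> Config.User; an empty string means root
        "unprivileged_user": cfg.get("User", "") not in ("", "root", "0"),
        # `read_only: true` -> HostConfig.ReadonlyRootfs
        "read_only_rootfs": host.get("ReadonlyRootfs") is True,
        # `security_opt: [no-new-privileges:true]`
        "no_new_privileges": "no-new-privileges:true" in (host.get("SecurityOpt") or []),
        # `cap_drop: [ALL]` and nothing added back through cap_add
        "all_caps_dropped": (host.get("CapDrop") or []) == ["ALL"] and not host.get("CapAdd"),
        # every published port bound to a loopback address rather than all interfaces
        "ports_loopback_only": all(
            b.get("HostIp") in ("127.0.0.1", "::1")
            for per_port in bindings.values() for b in (per_port or [])
        ),
    }


def failing_checks(inspect_json):
    """Names of checks that did not pass; an empty list means the container is compliant."""
    return [name for name, ok in audit_container(inspect_json).items() if not ok]


HARDENED = sample_inspect()                     # what this PR's compose file produces
WEAKENED = sample_inspect(user="", host_ip="")  # root user, port published on all interfaces
```

Running `failing_checks` over real output (`docker inspect simplytranslate`) gives a CI gate for the settings; `HARDENED` yields an empty list and `WEAKENED` reports the user and port checks.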

@ -1,6 +1,6 @@
FROM python:3-slim
FROM python:alpine
RUN apt update && apt -y upgrade && apt install -y git automake libtool g++-multilib-i686-linux-gnu zlib1g-dev build-essential gcc g++ libxml2 libxml2-dev libxslt1.1 libxslt1-dev
RUN apk add --no-cache git libxml2 libxml2-dev libxslt-dev gcc
RUN git clone "https://codeberg.org/SimpleWeb/SimplyTranslate-Engines" engines && \
git clone "https://codeberg.org/SimpleWeb/SimplyTranslate-Web" web
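Review bot: the PR description says Python is pinned at 3.10 because of the out-of-date lxml in SimplyTranslateWeb, but the new base line is `FROM python:alpine`, which floats with every Python release and will eventually pull in exactly the version the pin was meant to avoid; an explicit tag such as `FROM python:3.10-alpine` keeps the build reproducible and matches the description. Secondly, `RUN apk add --no-cache git libxml2 libxml2-dev libxslt-dev gcc` leaves git, gcc and the `-dev` headers in the final image, which is much of the attack surface a hardening change should remove; installing them under `--virtual .build-deps` and running `apk del .build-deps` after the pip step (or using a multi-stage build) keeps only the runtime `libxml2` and `libxslt` libraries. The hunk does not show where lxml is built, and on Alpine a C extension normally needs `musl-dev` next to `gcc` for the C library headers, so confirm the pip install actually succeeds against this package list.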

@ -2,9 +2,22 @@ version: "3.6"
services:
simplytranslate:
build: .
build:
context: .
dockerfile: Dockerfile
container_name: simplytranslate
ports:
- "127.0.0.1:5000:5000"
- 5000:5000
volumes:
- "./config.conf:/etc/simplytranslate/web.conf"
- ./config.conf:/etc/simplytranslate/web.conf:ro
user: nobody
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
networks:
- simplytranslate
networks:
simplytranslate:
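Review bot: the ports change replaces `- "127.0.0.1:5000:5000"` with `- 5000:5000`, which publishes the service on every host interface instead of loopback only; in a PR that otherwise tightens the container this is a regression, because Docker inserts published ports into iptables ahead of host firewall rules (ufw and similar), so the frontend becomes reachable from the network without a reverse proxy in front. Keep the loopback binding and let the reverse proxy expose the service. Two smaller points: `read_only: true` has no `tmpfs:` entry, so anything the web app writes at runtime (a scratch file under `/tmp`, a cache) will fail with a read-only filesystem error; a `tmpfs: - /tmp` line is the usual companion and should be added if the app needs it. And the description of `networks` is slightly stronger than the config: the `simplytranslate` bridge has no `internal: true`, so it isolates the container from others on the default network but still allows outbound traffic, which the translation engines need; this is container-to-container isolation, not an egress restriction.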