docker isolation update

2025-11-04 20:22:51 +04:00
parent cb346db783
commit 48c2b4dafd
11 changed files with 1215 additions and 13 deletions
--- a/compose.yaml
+++ b/compose.yaml
@@ -18,6 +18,11 @@
      - liquidcode-network
    depends_on:
      - worker
+    # Security hardening for Gateway
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL

  worker:
    image: liquidcode-tester-worker:latest
@@ -31,14 +36,23 @@
      - ASPNETCORE_ENVIRONMENT=Development
    networks:
      - liquidcode-network
-    # For better isolation in production, consider:
-    # security_opt:
-    #   - no-new-privileges:true
-    # cap_drop:
-    #   - ALL
-    # cap_add:
-    #   - SETUID
-    #   - SETGID
+    # Security hardening for Worker
+    security_opt:
+      - no-new-privileges:true
+      - apparmor=docker-default
+    cap_drop:
+      - ALL
+    cap_add:
+      - SYS_ADMIN  # Required for Isolate namespaces
+      - SETUID     # Required for Isolate to change user context
+      - SETGID     # Required for Isolate to change group context
+    # Temporary filesystem for compilation and testing
+    tmpfs:
+      - /tmp:exec,size=4G
+    # Resource limits to prevent DoS
+    ulimits:
+      nproc: 1024      # Max processes
+      nofile: 2048     # Max open files

 networks:
  liquidcode-network: