53 changes: 39 additions & 14 deletions docker-compose.yaml
@@ -1,13 +1,13 @@
# Tako VM Docker Compose
#
# Start everything:
# docker-compose up -d
# Production-ready configuration. This file is designed to work
# out-of-the-box for production deployments.
#
# Build and start:
# docker-compose up -d --build
# For local development, override settings using environment variables:
# TAKO_VM_PORTS=8000:8000,5432:5432 docker-compose up -d
#
# View logs:
# docker-compose logs -f tako-vm
# Or mount your custom config:
# docker-compose -f docker-compose.yaml -f /path/to/dev-compose.yaml up -d

services:
tako-vm:
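Review bot: The local-development example in the header comment, `TAKO_VM_PORTS=8000:8000,5432:5432`, does not match how the variable is consumed further down in this file: it is interpolated into a single `ports` list entry on the `tako-vm` service, so a comma-separated value becomes one string rather than two mappings, and the Postgres port is controlled by a different variable, `TAKO_VM_POSTGRES_PORT`. Suggest showing one mapping per variable, for example `TAKO_VM_PORTS=8000:8000 TAKO_VM_POSTGRES_PORT=5432:5432 docker-compose up -d`. The second example refers to `/path/to/dev-compose.yaml`, while the docs in this PR use `dev-overrides.yaml` and `docker-compose.dev.yaml`; pick one name.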
@@ -17,19 +17,16 @@ services:
image: tako-vm-server:latest
container_name: tako-vm
ports:
- "8000:8000"
- "${TAKO_VM_PORTS:-8000:8000}"
volumes:
# Docker socket for spawning executor containers
- /var/run/docker.sock:/var/run/docker.sock
# Shared workspace for job files (must match host path for Docker mounts)
- /tmp/tako-vm-jobs:/tmp/tako-vm-jobs
# Config with scaled worker settings (16 workers, 500 queue)
# Workspace for job files (optional - comment out if not needed)
- "${TAKO_VM_WORKSPACE:-/tmp/tako-vm-jobs}:/tmp/tako-vm-jobs"
# Config file
- ./tako_vm.yaml:/app/tako_vm.yaml:ro
# Optional: persist data
# - tako-vm-data:/root/.tako_vm
environment:
- PYTHONUNBUFFERED=1
# Use shared workspace path for job files
- TAKO_VM_WORKSPACE=/tmp/tako-vm-jobs
- TAKO_VM_DATABASE_URL=postgresql://postgres:postgres@postgres:5432/tako_vm
depends_on:
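Review bot: On the workspace volume, `"${TAKO_VM_WORKSPACE:-/tmp/tako-vm-jobs}:/tmp/tako-vm-jobs"` lets the host side differ from the in-container path, yet the comment in this hunk says the workspace "must match host path for Docker mounts". That constraint follows from executor containers being started through the mounted host Docker socket: bind-mount sources they request are resolved on the host, not inside this container. Either keep both sides identical (interpolate the same variable on both sides of the mapping and into the container's `TAKO_VM_WORKSPACE`), or document that overriding the host path alone would leave executor mounts pointing at the wrong directory. The new "optional - comment out if not needed" wording should also say in which configurations the workspace is not needed. Separately, `TAKO_VM_DATABASE_URL` still embeds `postgres:postgres`; for a file described as production-ready, take the credentials from the environment.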
@@ -41,6 +38,25 @@ services:
interval: 30s
timeout: 10s
retries: 3
# Production resource limits
deploy:
resources:
limits:
cpus: "2"
memory: 1G
pids: 100
reservations:
cpus: "0.5"
memory: 512M
# Security hardening
security_opt:
- no-new-privileges:true
user: "1000:1000"
read_only: true
tmpfs:
- /tmp:size=100m,mode=1777
# Production: disable ports (run behind reverse proxy)
# To expose ports for local dev, set environment: TAKO_VM_PORTS=8000:8000,5432:5432

postgres:
image: postgres:16-alpine
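Review bot: `user: "1000:1000"` together with `read_only: true` needs checking against the mounts this service keeps. The Docker socket at `/var/run/docker.sock` is normally accessible only to root or the socket's owning group, so a process running as 1000:1000 may be unable to start executor containers unless that group is added (for example `group_add` with the host's docker GID), and the commented-out data volume targets `/root/.tako_vm`, which is unlikely to be writable by that user. These options also do not narrow what the socket mount grants: the service still has control of the host Docker daemon, and the "Security hardening" comment should say so. The trailing comment "Production: disable ports (run behind reverse proxy)" contradicts the `ports` default of `8000:8000`; either default `TAKO_VM_PORTS` to a loopback binding such as `127.0.0.1:8000:8000` or reword the comment. Please also confirm that the Compose version the docs target applies `deploy.resources` limits outside Swarm.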
@@ -50,14 +66,23 @@ services:
- POSTGRES_PASSWORD=postgres
- POSTGRES_DB=tako_vm
ports:
- "5432:5432"
- "${TAKO_VM_POSTGRES_PORT:-5432:5432}"
volumes:
- tako-vm-postgres-data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres -d tako_vm"]
interval: 10s
timeout: 5s
retries: 5
# Production resource limits
deploy:
resources:
limits:
cpus: "1"
memory: 512M
reservations:
cpus: "0.25"
memory: 128M

# Build executor image (run once, then remove)
executor-build:
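Review bot: The `postgres` service still publishes its port on the host by default (`"${TAKO_VM_POSTGRES_PORT:-5432:5432}"`) while the visible environment sets `POSTGRES_PASSWORD=postgres`, which is not a safe default for a file now described as production-ready. `tako-vm` reaches the database over the Compose network at `postgres:5432` (see `TAKO_VM_DATABASE_URL`), so the `ports` entry can be dropped from the base file and added only in the dev override, and the password can be required from the environment, e.g. `POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}`. Resource limits are added here but none of the `security_opt` / `read_only` settings given to `tako-vm`; say whether that is intentional.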
41 changes: 35 additions & 6 deletions docs/deployment/production.md
@@ -92,18 +92,47 @@ docker-compose logs -f tako-vm
docker-compose down
```

To customize, mount your config file:
### Production Defaults

The `docker-compose.yaml` is configured with production-safe defaults:

- **Resource limits**: CPU and memory limits to prevent resource exhaustion
- **Security hardening**: `read_only: true`, `no-new-privileges`, `tmpfs` for /tmp
- **Health checks**: Automatic container health monitoring
- **Auto-restart**: Containers restart on failure

### Customizing for Local Development

Override settings using environment variables:

```bash
# Expose ports (default already exposes 8000)
TAKO_VM_PORTS=8000:8000,5432:5432 docker-compose up -d

# Or mount your custom config file
docker-compose -f docker-compose.yaml -f /path/to/dev-overrides.yaml up -d
```

For development, create a `docker-compose.dev.yaml`:

```yaml
# docker-compose.dev.yaml
services:
tako-vm:
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./tako_vm.yaml:/app/tako_vm.yaml:ro # Add this line
environment:
- LOG_LEVEL=DEBUG
# Increase resources for development
deploy:
resources:
limits:
cpus: "4"
memory: 2G
```

!!! warning
Mounting the Docker socket gives Tako VM access to the Docker daemon. In high-security environments, consider using Docker-in-Docker or a separate Docker host.
Then run:
```bash
docker-compose -f docker-compose.yaml -f docker-compose.dev.yaml up -d
```

## Reverse Proxy (Nginx)

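Review bot: The "Production Defaults" list calls the file production-safe but leaves out the Docker socket caveat: the `!!! warning` admonition appears in this hunk next to the new "Then run:" text, and if it is being removed it should stay, since the base file still mounts `/var/run/docker.sock`. The list should also state that port 8000 and Postgres 5432 are published by default and that the database password is `postgres` unless changed. In the bash example, `TAKO_VM_PORTS=8000:8000,5432:5432` has the same problem as in the compose header (one `ports` entry, separate `TAKO_VM_POSTGRES_PORT`), and the `docker-compose.dev.yaml` sample repeats the socket and config mounts that the base file already defines, with a leftover "# Add this line" comment.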