security hardening
@@ -48,6 +48,25 @@ docker compose up -d --build
Append `Caddyfile.snippet` to your Caddy config and `docker exec caddy caddy reload --config /etc/caddy/Caddyfile`.
## Container runs as a non-root user (uid 1000)
The image runs as the unprivileged `node` user (uid/gid **1000**), not root. The
SQLite database is written to the `/data` bind mount, so the **host** directory
mounted at `/data` (e.g. `/docker/linumiq-invoice/dev/data` and
`…/prod/data`) must be writable by uid 1000, otherwise `prisma migrate deploy`
and DB writes fail on startup:
```bash
sudo chown -R 1000:1000 /docker/linumiq-invoice/dev/data
sudo chown -R 1000:1000 /docker/linumiq-invoice/prod/data
```
The dev container additionally runs with a **read-only root filesystem**
(`read_only: true` + `tmpfs: /tmp`), `no-new-privileges`, all Linux capabilities
dropped, and memory/pids/cpu limits. The app only writes to the `/data` bind
mount and the tmpfs `/tmp`, so this is safe. (The prod compose is intentionally
left unchanged.)
## Day-to-day redeploy
```bash
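Review bot: the `sudo chown -R 1000:1000 /docker/linumiq-invoice/prod/data` step in the "Container runs as a non-root user" section hands the production SQLite database to whichever host account owns uid 1000, which on a single-admin host is usually the primary login user, so that shell (or a compromised desktop session on it) can read and rewrite the invoice data without going through Docker at all. Pair the chown with a restrictive mode such as `sudo chmod 700 /docker/linumiq-invoice/prod/data`, and either state that the host must not have an interactive user at uid 1000 or point readers at a dedicated host user / user-namespace remapping so the uid mapping is a deliberate choice rather than a coincidence. Two documentation gaps in the same hunk: "The prod compose is intentionally left unchanged" gives no reason, and because the non-root `node` user is a property of the image it applies to prod as well, so the sentence reads as if prod still runs as root; say which controls are deferred for prod (read-only rootfs, `tmpfs: /tmp`, `no-new-privileges`, capability drop, memory/pids/cpu limits) and why. Finally, "so this is safe" should be backed by what was checked: that `prisma migrate deploy` and the app's runtime write only under `/data` and `/tmp` with the read-only root in place, since a write elsewhere will surface as a startup failure rather than a warning.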