Приложение 9. Пример docker-compose.yml для контейнера AppSec.Hub
AppSec.Hub
version: '3.9'
services:
hub-core:
image: docker.swordfishsecurity.com/appsechub/hub-core:${hub_core_version}
container_name: hub-core
networks:
- net-hub
environment:
- UMASK=0022
- HUB_LOG_LEVEL=debug
- TZ=Europe/Moscow
tmpfs:
- /usr/local/tomcat/temp/:uid=2000,gid=2000
- /usr/local/tomcat/work/:uid=2000,gid=2000
volumes:
- ./logs/hub-core:/usr/local/tomcat/logs
- ./config/hub-core/app.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/app.properties
- ./config/hub-core/auth.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/auth.properties
#- ./certs/rootCA.crt:/etc/ssl/certs/self-signed/rootCA.crt
#- ./certs/cacerts:/usr/lib/jvm/java-11-amazon-corretto/lib/security/cacerts
pids_limit: 400
security_opt:
- no-new-privileges
restart: on-failure:5
read_only: true
cpu_shares: 1024
deploy:
resources:
limits:
memory: 3000M
hub-ui:
image: docker.swordfishsecurity.com/appsechub/hub-ui:${hub_ui_version}
container_name: hub-ui
networks:
- net-hub
ports:
- ${IP_EXTERNAL}:80:8080/tcp
- ${IP_EXTERNAL}:443:4443/tcp
environment:
- TZ=Europe/Moscow
volumes:
- ./config/hub-ui/:/etc/nginx/conf.d/:ro
- ./logs/hub-ui/:/var/log/nginx
- ./ssl:/etc/ssl/certs/ssl-cert:ro
pids_limit: 100
security_opt:
- no-new-privileges
restart: on-failure:5
read_only: true
tmpfs:
- /tmp
- /var/cache/nginx/
cpu_shares: 512
deploy:
resources:
limits:
memory: 100M
postgresql:
image: docker.swordfishsecurity.com/public/sfs-postgres:13.2.2-alpine
container_name: postgresql
volumes:
- /opt/apphub/postgresql/data:/data
# При первом запуске должны быть закомментированы, впоследствии можно использовать
#- ./config/postgresql/postgresql.conf:/data/postgresql.conf
#- ./logs/postgresql:/data/logs
networks:
- net-hub
environment:
- POSTGRES_PASSWORD=${pgsql_admin_password}
- TZ=Europe/Moscow
pids_limit: 100
security_opt:
- no-new-privileges
restart: on-failure:5
read_only: true
tmpfs:
- /var/run/postgresql/
- /var/cache
cpu_shares: 1024
deploy:
resources:
limits:
memory: 300M
flyway-db:
image: docker.swordfishsecurity.com/appsechub/hub-db:${hub_db_version}
container_name: flyway-db
networks:
- net-hub
environment:
- hubadmPassword=${hub_adm_password}
- hubappPassword=${hub_app_password}
- hubbiPassword=${hub_bi_password}
- hubauthPassword=${hub_auth_password}
- hubdbName=${hub_db_name}
- PGPASSWORD=${pgsql_admin_password}
- PGUSER=postgres
- PG_URL=${pgsql_url}
- PG_PORT=${pgsql_port}
- REPAIR_DB_ENABLE=disable
- REPAIR_DW_ENABLE=disable
depends_on:
- postgresql
hub-air:
image: docker.swordfishsecurity.com/appsechub/hub-air:${hub_air_version}
container_name: hub-air
volumes:
- /opt/apphub/logs/hub-air:/opt/py-model/logs
- ./ml/local:/opt/py-model/ml/local
environment:
- TZ=Europe/Moscow
- LOG_LEVEL=DEBUG
- LOG_FILE=1
- LOG_BASE_PATH=/opt/py-model/logs/avc_prediction.log
- MODEL_USE_ENCRYPTION=${MODEL_USE_ENCRYPTION}
- MODEL_SECRET_KEY="${MODEL_SECRET_KEY}"
networks:
- net-hub
pids_limit: 100
tmpfs:
- /tmp/:uid=2000,gid=2000
security_opt:
- no-new-privileges
restart: on-failure:5
read_only: true
cpu_shares: 512
deploy:
resources:
limits:
memory: 150M
networks:
net-hub:
driver: "bridge"
ipam:
driver: default
config:
- subnet: 172.20.0.0/16
AppSec.Hub на Astra Linux
version: '3.9'
services:
hub-core:
image: docker.swordfishsecurity.com/appsechub/hub-core:${hub_core_version}
container_name: hub-core
networks:
- net-hub
environment:
- UMASK=0022
- HUB_LOG_LEVEL=debug
- TZ=Europe/Moscow
tmpfs:
- /usr/local/tomcat/temp/:uid=2000,gid=2000
- /usr/local/tomcat/work/:uid=2000,gid=2000
volumes:
- ./logs/hub-core:/usr/local/tomcat/logs
- ./config/hub-core/app.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/app.properties
- ./config/hub-core/auth.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/auth.properties
#- ./certs/rootCA.crt:/etc/ssl/certs/self-signed/rootCA.crt
#- ./certs/cacerts:/etc/ssl/certs/java/cacerts
pids_limit: 400
security_opt:
- no-new-privileges
restart: on-failure:5
read_only: true
cpu_shares: 1024
deploy:
resources:
limits:
memory: 3000M
hub-ui:
image: docker.swordfishsecurity.com/appsechub/hub-ui:${hub_ui_version}
container_name: hub-ui
networks:
- net-hub
ports:
- ${IP_EXTERNAL}:80:8080/tcp
- ${IP_EXTERNAL}:443:4443/tcp
environment:
- TZ=Europe/Moscow
volumes:
- ./config/hub-ui/:/etc/nginx/conf.d/:ro
- ./logs/hub-ui/:/var/log/nginx
- ./ssl:/etc/ssl/certs/ssl-cert:ro
pids_limit: 100
security_opt:
- no-new-privileges
restart: on-failure:5
read_only: true
tmpfs:
- /tmp
- /var/cache/nginx/
cpu_shares: 512
deploy:
resources:
limits:
memory: 100M
postgresql:
image: docker.swordfishsecurity.com/public/sfs-postgresql-astra:11.15
container_name: postgresql
volumes:
- /opt/apphub/postgresql/data:/data
# при необходимости можно открыть после первого старта
# при первом старте должны быть закоментированы
#- ./config/postgresql/postgresql.conf:/data/postgresql.conf
#- ./logs/postgresql:/data/logs
networks:
- net-hub
environment:
- POSTGRES_PASSWORD=${pgsql_admin_password}
- TZ=Europe/Moscow
pids_limit: 100
security_opt:
- no-new-privileges
restart: on-failure:5
read_only: true
tmpfs:
- /var/run/postgresql/
- /var/cache
cpu_shares: 1024
deploy:
resources:
limits:
memory: 300M
flyway-db:
image: docker.swordfishsecurity.com/appsechub/hub-db:${hub_db_version}
container_name: flyway-db
networks:
- net-hub
environment:
- hubadmPassword=${hub_adm_password}
- hubappPassword=${hub_app_password}
- hubbiPassword=${hub_bi_password}
- hubauthPassword=${hub_auth_password}
- hubdbName=${hub_db_name}
- PGPASSWORD=${pgsql_admin_password}
- PGUSER=postgres
- PG_URL=${pgsql_url}
- PG_PORT=${pgsql_port}
- REPAIR_DB_ENABLE=disable
- REPAIR_DW_ENABLE=disable
depends_on:
- postgresql
hub-air:
image: docker.swordfishsecurity.com/appsechub/hub-air:${hub_air_version}
container_name: hub-air
volumes:
- /opt/apphub/logs/hub-air:/opt/py-model/logs
- ./ml/local:/opt/py-model/ml/local
environment:
- TZ=Europe/Moscow
- LOG_LEVEL=DEBUG
- LOG_FILE=1
- LOG_BASE_PATH=/opt/py-model/logs/avc_prediction.log
- MODEL_USE_ENCRYPTION=${MODEL_USE_ENCRYPTION}
- MODEL_SECRET_KEY="${MODEL_SECRET_KEY}"
networks:
- net-hub
pids_limit: 100
tmpfs:
- /tmp/:uid=2000,gid=2000
security_opt:
- no-new-privileges
restart: on-failure:5
read_only: true
cpu_shares: 512
deploy:
resources:
limits:
memory: 150M
networks:
net-hub:
driver: "bridge"
ipam:
driver: default
config:
- subnet: 172.20.0.0/16