
Приложение 9. Пример docker-compose.yml для контейнера AppSec.Hub

AppSec.Hub

# Example Compose file for the AppSec.Hub container set (manual, appendix 9).
# Every ${...} reference is substituted by Compose from the shell environment or
# a .env file next to this file; an unset variable expands to an empty string,
# so all of them must be defined before `docker compose up`.
# NOTE(review): `version` is informational only in Compose v2 (ignored with a
# warning); the `deploy.resources.limits` blocks below are honored by Compose v2
# or by `docker-compose --compatibility` on v1 — confirm which Compose is in use,
# otherwise the memory limits are silently dropped.
version: '3.9'

services:
    # Tomcat-based application core. Runs with a read-only root filesystem; the
    # only writable locations are the tmpfs mounts and the bind mounts below.
    hub-core:
        image: docker.swordfishsecurity.com/appsechub/hub-core:${hub_core_version}
        container_name: hub-core
        networks:
            - net-hub
        environment:
            - UMASK=0022
            # Debug logging is verbose; presumably lowered for production — confirm.
            - HUB_LOG_LEVEL=debug
            - TZ=Europe/Moscow
        # Tomcat scratch directories, owned by uid/gid 2000 (presumably the
        # unprivileged user the image runs as — confirm against the image).
        tmpfs:
            - /usr/local/tomcat/temp/:uid=2000,gid=2000
            - /usr/local/tomcat/work/:uid=2000,gid=2000
        volumes:
            - ./logs/hub-core:/usr/local/tomcat/logs
            # Application and authentication settings injected from ./config.
            # NOTE(review): these two bind mounts are writable; add `:ro` if the
            # application only reads them, as is done for hub-ui below.
            - ./config/hub-core/app.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/app.properties
            - ./config/hub-core/auth.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/auth.properties
            # Uncomment to trust a private CA: the PEM root certificate and a JVM
            # truststore that already contains it.
            #- ./certs/rootCA.crt:/etc/ssl/certs/self-signed/rootCA.crt
            #- ./certs/cacerts:/usr/lib/jvm/java-11-amazon-corretto/lib/security/cacerts
        # Caps the number of processes, limiting fork-style resource exhaustion.
        pids_limit: 400
        # Prevents privilege escalation through setuid/setgid binaries in the container.
        security_opt:
            - no-new-privileges
        # Restart up to 5 times after a non-zero exit, then stay stopped.
        restart: on-failure:5
        read_only: true
        cpu_shares: 1024
        deploy:
            resources:
                limits:
                    memory: 3000M

    # nginx front end; the only service that publishes ports on the host.
    hub-ui:
        image: docker.swordfishsecurity.com/appsechub/hub-ui:${hub_ui_version}
        container_name: hub-ui
        networks:
            - net-hub
        # Published only on ${IP_EXTERNAL}, not on every host interface.
        # NOTE(review): if IP_EXTERNAL is unset the entries expand to `:80:8080/tcp`,
        # which Docker presumably treats as "all interfaces" — verify the variable is
        # mandatory in the surrounding instructions.
        ports:
            - ${IP_EXTERNAL}:80:8080/tcp
            - ${IP_EXTERNAL}:443:4443/tcp
        environment:
            - TZ=Europe/Moscow
        volumes:
            # nginx configuration and TLS material are read-only; logs stay writable.
            - ./config/hub-ui/:/etc/nginx/conf.d/:ro
            - ./logs/hub-ui/:/var/log/nginx
            - ./ssl:/etc/ssl/certs/ssl-cert:ro
        pids_limit: 100
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        # Writable scratch space nginx needs with a read-only root filesystem.
        tmpfs:
            - /tmp
            - /var/cache/nginx/
        cpu_shares: 512
        deploy:
            resources:
                limits:
                    memory: 100M

    # PostgreSQL. The data directory lives on the host under /opt/apphub/postgresql/data.
    postgresql:
        image: docker.swordfishsecurity.com/public/sfs-postgres:13.2.2-alpine
        container_name: postgresql
        volumes:
            - /opt/apphub/postgresql/data:/data
            # Must stay commented out on the first start; can be enabled afterwards.
            #- ./config/postgresql/postgresql.conf:/data/postgresql.conf
            #- ./logs/postgresql:/data/logs
        networks:
            - net-hub
        environment:
            # NOTE(review): the superuser password is passed as a plain environment
            # variable, so it is visible in `docker inspect` and to anything that can read
            # the container's process environment; the same applies to the flyway-db
            # secrets below. If the image supports a *_FILE variant or Compose `secrets`,
            # prefer that.
            - POSTGRES_PASSWORD=${pgsql_admin_password}
            - TZ=Europe/Moscow
        pids_limit: 100
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        # Socket directory and cache must be writable with a read-only root filesystem.
        tmpfs:
            - /var/run/postgresql/
            - /var/cache
        cpu_shares: 1024
        deploy:
            resources:
                limits:
                    memory: 300M

    # Presumably a one-shot Flyway schema-migration job: it receives the postgres
    # superuser credentials plus the per-role passwords and the target database
    # name — confirm against the image documentation.
    # NOTE(review): unlike the other services it has no pids_limit, security_opt,
    # read_only or restart policy; fine for a short-lived job, but worth aligning
    # with the rest if it keeps running.
    flyway-db:
        image: docker.swordfishsecurity.com/appsechub/hub-db:${hub_db_version}
        container_name: flyway-db
        networks:
            - net-hub
        environment:
            - hubadmPassword=${hub_adm_password}
            - hubappPassword=${hub_app_password}
            - hubbiPassword=${hub_bi_password}
            - hubauthPassword=${hub_auth_password}
            - hubdbName=${hub_db_name}
            - PGPASSWORD=${pgsql_admin_password}
            - PGUSER=postgres
            - PG_URL=${pgsql_url}
            - PG_PORT=${pgsql_port}
            - REPAIR_DB_ENABLE=disable
            - REPAIR_DW_ENABLE=disable
        # Short-form depends_on only orders container start; it does not wait for
        # PostgreSQL to accept connections — presumably the image retries; confirm.
        depends_on:
            - postgresql

    # ML prediction service (py-model). Logs go to a host directory under /opt/apphub.
    hub-air:
        image: docker.swordfishsecurity.com/appsechub/hub-air:${hub_air_version}
        container_name: hub-air
        volumes:
            - /opt/apphub/logs/hub-air:/opt/py-model/logs
            - ./ml/local:/opt/py-model/ml/local
        environment:
            - TZ=Europe/Moscow
            - LOG_LEVEL=DEBUG
            - LOG_FILE=1
            - LOG_BASE_PATH=/opt/py-model/logs/avc_prediction.log
            - MODEL_USE_ENCRYPTION=${MODEL_USE_ENCRYPTION}
            # NOTE(review): in the list form of `environment` Compose does not strip
            # quotes, so the container most likely receives the key wrapped in literal
            # double quotes; confirm hub-air expects that, otherwise drop them
            # (`MODEL_SECRET_KEY=${MODEL_SECRET_KEY}`). The secret is also exposed via
            # `docker inspect`, as noted for postgresql above.
            - MODEL_SECRET_KEY="${MODEL_SECRET_KEY}"
        networks:
            - net-hub
        pids_limit: 100
        tmpfs:
            - /tmp/:uid=2000,gid=2000
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        cpu_shares: 512
        deploy:
            resources:
                limits:
                    memory: 150M
# Single internal bridge network shared by all services; only hub-ui publishes ports.
# The fixed subnet must not overlap an existing host, VPN or corporate route — adjust
# it if it does.
networks:
    net-hub:
        driver: "bridge"
        ipam:
            driver: default
            config:
                - subnet: 172.20.0.0/16

AppSec.Hub на Astra Linux

# Example Compose file for AppSec.Hub on Astra Linux. It differs from the generic
# example only in the PostgreSQL image and the JVM truststore path.
# Every ${...} reference is substituted by Compose from the shell environment or
# a .env file next to this file; an unset variable expands to an empty string,
# so all of them must be defined before `docker compose up`.
# NOTE(review): `version` is informational only in Compose v2 (ignored with a
# warning); the `deploy.resources.limits` blocks below are honored by Compose v2
# or by `docker-compose --compatibility` on v1 — confirm which Compose is in use,
# otherwise the memory limits are silently dropped.
version: '3.9'

services:
    # Tomcat-based application core. Runs with a read-only root filesystem; the
    # only writable locations are the tmpfs mounts and the bind mounts below.
    hub-core:
        image: docker.swordfishsecurity.com/appsechub/hub-core:${hub_core_version}
        container_name: hub-core
        networks:
            - net-hub
        environment:
            - UMASK=0022
            # Debug logging is verbose; presumably lowered for production — confirm.
            - HUB_LOG_LEVEL=debug
            - TZ=Europe/Moscow
        # Tomcat scratch directories, owned by uid/gid 2000 (presumably the
        # unprivileged user the image runs as — confirm against the image).
        tmpfs:
            - /usr/local/tomcat/temp/:uid=2000,gid=2000
            - /usr/local/tomcat/work/:uid=2000,gid=2000
        volumes:
            - ./logs/hub-core:/usr/local/tomcat/logs
            # Application and authentication settings injected from ./config.
            # NOTE(review): these two bind mounts are writable; add `:ro` if the
            # application only reads them, as is done for hub-ui below.
            - ./config/hub-core/app.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/app.properties
            - ./config/hub-core/auth.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/auth.properties
            # Uncomment to trust a private CA: the PEM root certificate and a JVM
            # truststore that already contains it (system-wide path on Astra Linux).
            #- ./certs/rootCA.crt:/etc/ssl/certs/self-signed/rootCA.crt
            #- ./certs/cacerts:/etc/ssl/certs/java/cacerts
        # Caps the number of processes, limiting fork-style resource exhaustion.
        pids_limit: 400
        # Prevents privilege escalation through setuid/setgid binaries in the container.
        security_opt:
            - no-new-privileges
        # Restart up to 5 times after a non-zero exit, then stay stopped.
        restart: on-failure:5
        read_only: true
        cpu_shares: 1024
        deploy:
            resources:
                limits:
                    memory: 3000M

    # nginx front end; the only service that publishes ports on the host.
    hub-ui:
        image: docker.swordfishsecurity.com/appsechub/hub-ui:${hub_ui_version}
        container_name: hub-ui
        networks:
            - net-hub
        # Published only on ${IP_EXTERNAL}, not on every host interface.
        # NOTE(review): if IP_EXTERNAL is unset the entries expand to `:80:8080/tcp`,
        # which Docker presumably treats as "all interfaces" — verify the variable is
        # mandatory in the surrounding instructions.
        ports:
            - ${IP_EXTERNAL}:80:8080/tcp
            - ${IP_EXTERNAL}:443:4443/tcp
        environment:
            - TZ=Europe/Moscow
        volumes:
            # nginx configuration and TLS material are read-only; logs stay writable.
            - ./config/hub-ui/:/etc/nginx/conf.d/:ro
            - ./logs/hub-ui/:/var/log/nginx
            - ./ssl:/etc/ssl/certs/ssl-cert:ro
        pids_limit: 100
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        # Writable scratch space nginx needs with a read-only root filesystem.
        tmpfs:
            - /tmp
            - /var/cache/nginx/
        cpu_shares: 512
        deploy:
            resources:
                limits:
                    memory: 100M

    # PostgreSQL 11.15, Astra Linux build (the generic example uses 13.2.2-alpine).
    # The data directory lives on the host under /opt/apphub/postgresql/data.
    postgresql:
        image: docker.swordfishsecurity.com/public/sfs-postgresql-astra:11.15
        container_name: postgresql
        volumes:
            - /opt/apphub/postgresql/data:/data
            # Can be enabled after the first start if needed;
            # must stay commented out on the first start.
            #- ./config/postgresql/postgresql.conf:/data/postgresql.conf
            #- ./logs/postgresql:/data/logs
        networks:
            - net-hub
        environment:
            # NOTE(review): the superuser password is passed as a plain environment
            # variable, so it is visible in `docker inspect` and to anything that can read
            # the container's process environment; the same applies to the flyway-db
            # secrets below. If the image supports a *_FILE variant or Compose `secrets`,
            # prefer that.
            - POSTGRES_PASSWORD=${pgsql_admin_password}
            - TZ=Europe/Moscow
        pids_limit: 100
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        # Socket directory and cache must be writable with a read-only root filesystem.
        tmpfs:
            - /var/run/postgresql/
            - /var/cache
        cpu_shares: 1024
        deploy:
            resources:
                limits:
                    memory: 300M

    # Presumably a one-shot Flyway schema-migration job: it receives the postgres
    # superuser credentials plus the per-role passwords and the target database
    # name — confirm against the image documentation.
    # NOTE(review): unlike the other services it has no pids_limit, security_opt,
    # read_only or restart policy; fine for a short-lived job, but worth aligning
    # with the rest if it keeps running.
    flyway-db:
        image: docker.swordfishsecurity.com/appsechub/hub-db:${hub_db_version}
        container_name: flyway-db
        networks:
            - net-hub
        environment:
            - hubadmPassword=${hub_adm_password}
            - hubappPassword=${hub_app_password}
            - hubbiPassword=${hub_bi_password}
            - hubauthPassword=${hub_auth_password}
            - hubdbName=${hub_db_name}
            - PGPASSWORD=${pgsql_admin_password}
            - PGUSER=postgres
            - PG_URL=${pgsql_url}
            - PG_PORT=${pgsql_port}
            - REPAIR_DB_ENABLE=disable
            - REPAIR_DW_ENABLE=disable
        # Short-form depends_on only orders container start; it does not wait for
        # PostgreSQL to accept connections — presumably the image retries; confirm.
        depends_on:
            - postgresql

    # ML prediction service (py-model). Logs go to a host directory under /opt/apphub.
    hub-air:
        image: docker.swordfishsecurity.com/appsechub/hub-air:${hub_air_version}
        container_name: hub-air
        volumes:
            - /opt/apphub/logs/hub-air:/opt/py-model/logs
            - ./ml/local:/opt/py-model/ml/local
        environment:
            - TZ=Europe/Moscow
            - LOG_LEVEL=DEBUG
            - LOG_FILE=1
            - LOG_BASE_PATH=/opt/py-model/logs/avc_prediction.log
            - MODEL_USE_ENCRYPTION=${MODEL_USE_ENCRYPTION}
            # NOTE(review): in the list form of `environment` Compose does not strip
            # quotes, so the container most likely receives the key wrapped in literal
            # double quotes; confirm hub-air expects that, otherwise drop them
            # (`MODEL_SECRET_KEY=${MODEL_SECRET_KEY}`). The secret is also exposed via
            # `docker inspect`, as noted for postgresql above.
            - MODEL_SECRET_KEY="${MODEL_SECRET_KEY}"
        networks:
            - net-hub
        pids_limit: 100
        tmpfs:
            - /tmp/:uid=2000,gid=2000
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        cpu_shares: 512
        deploy:
            resources:
                limits:
                    memory: 150M
# Single internal bridge network shared by all services; only hub-ui publishes ports.
# The fixed subnet must not overlap an existing host, VPN or corporate route — adjust
# it if it does.
networks:
    net-hub:
        driver: "bridge"
        ipam:
            driver: default
            config:
                - subnet: 172.20.0.0/16