CatalogueRevamping
/
docker-ckan
14
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial Security updates 

- Update database user names and passwords
- The CKAN database is created with a new SQL script in the docker-entrypoint-initdb.d/ directory
- Remove host port for CKAN container
- now has a front-end network for NGINX and a back-end network for the rest of the containers, plus NGINX
This commit is contained in:
Brett 2023-05-31 14:26:56 +02:00
parent aeda97cfe2
commit d621fb62df
7 changed files with 37 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.env
View File

@ -13,13 +13,15 @@ NGINX_PORT_HOST=81
NGINX_SSLPORT_HOST=8443 NGINX_SSLPORT_HOST=8443
# CKAN databases # CKAN databases
POSTGRES_USER=ckan POSTGRES_USER=admindbuser
POSTGRES_PASSWORD=ckan POSTGRES_PASSWORD=admindbpassword
CKAN_DB_USER=ckandbuser
CKAN_DB_PASSWORD=ckandbpassword
DATASTORE_READONLY_USER=datastore_ro DATASTORE_READONLY_USER=datastore_ro
DATASTORE_READONLY_PASSWORD=datastore DATASTORE_READONLY_PASSWORD=datastore
POSTGRES_HOST=db POSTGRES_HOST=db
CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb
CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore
CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore
# Test database connections # Test database connections

23
docker-compose.yml
View File

@ -12,6 +12,9 @@ services:
build: build:
context: nginx/ context: nginx/
dockerfile: Dockerfile dockerfile: Dockerfile
networks:
- frontend
- backend
depends_on: depends_on:
ckan: ckan:
condition: service_healthy condition: service_healthy
@ -26,6 +29,8 @@ services:
dockerfile: Dockerfile dockerfile: Dockerfile
args: args:
- TZ=${TZ} - TZ=${TZ}
networks:
- backend
env_file: env_file:
- .env - .env
depends_on: depends_on:
@ -35,8 +40,6 @@ services:
condition: service_healthy condition: service_healthy
redis: redis:
condition: service_healthy condition: service_healthy
ports:
- "0.0.0.0:${CKAN_PORT_HOST}:${CKAN_PORT}"
volumes: volumes:
- ckan_storage:/var/lib/ckan - ckan_storage:/var/lib/ckan
restart: unless-stopped restart: unless-stopped
@ -45,6 +48,8 @@ services:
datapusher: datapusher:
container_name: ${DATAPUSHER_CONTAINER_NAME} container_name: ${DATAPUSHER_CONTAINER_NAME}
networks:
- backend
image: ckan/ckan-base-datapusher:${DATAPUSHER_VERSION} image: ckan/ckan-base-datapusher:${DATAPUSHER_VERSION}
restart: unless-stopped restart: unless-stopped
healthcheck: healthcheck:
@ -57,18 +62,24 @@ services:
args: args:
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD} - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}
networks:
- backend
environment: environment:
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD} - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}
- PGDATA=/var/lib/postgresql/data/db - PGDATA=/var/lib/postgresql/data/db
volumes: volumes:
- pg_data:/var/lib/postgresql/data - pg_data:/var/lib/postgresql/data
restart: unless-stopped restart: unless-stopped
healthcheck: healthcheck:
test: ["CMD", "pg_isready", "-U", "ckan"] test: ["CMD", "pg_isready", "-U", "admindbuser", "-d", "admindb"]
solr: solr:
container_name: ${SOLR_CONTAINER_NAME} container_name: ${SOLR_CONTAINER_NAME}
networks:
- backend
image: ckan/ckan-solr:${SOLR_IMAGE_VERSION} image: ckan/ckan-solr:${SOLR_IMAGE_VERSION}
volumes: volumes:
- solr_data:/var/solr - solr_data:/var/solr
@ -78,7 +89,13 @@ services:
redis: redis:
container_name: ${REDIS_CONTAINER_NAME} container_name: ${REDIS_CONTAINER_NAME}
networks:
- backend
image: redis:${REDIS_VERSION} image: redis:${REDIS_VERSION}
restart: unless-stopped restart: unless-stopped
healthcheck: healthcheck:
test: ["CMD", "redis-cli", "-e", "QUIT"] test: ["CMD", "redis-cli", "-e", "QUIT"]
networks:
frontend:
backend:

5
postgresql/Dockerfile
View File

@ -4,9 +4,10 @@ FROM postgres:12-alpine
RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf
# Customize default user/pass/db # Customize default user/pass/db
ENV POSTGRES_DB ckan ENV POSTGRES_DB admindb
ENV POSTGRES_USER ckan ENV POSTGRES_USER admindbuser
ARG POSTGRES_PASSWORD ARG POSTGRES_PASSWORD
ARG CKAN_DB_PASSWORD
ARG DATASTORE_READONLY_PASSWORD ARG DATASTORE_READONLY_PASSWORD
# Include extra setup scripts (eg datastore) # Include extra setup scripts (eg datastore)

4
postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sql Executable file
View File

@ -0,0 +1,4 @@
\set ckan_db_password '\'' `echo $CKAN_DB_PASSWORD` '\''
CREATE ROLE ckandbuser NOSUPERUSER CREATEDB CREATEROLE LOGIN PASSWORD :ckan_db_password;
CREATE DATABASE ckandb OWNER ckandbuser ENCODING 'utf-8';

2
postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql → postgresql/docker-entrypoint-initdb.d/20_create_datastore.sql
View File

@ -1,4 +1,4 @@
\set datastore_ro_password '\'' `echo $DATASTORE_READONLY_PASSWORD` '\'' \set datastore_ro_password '\'' `echo $DATASTORE_READONLY_PASSWORD` '\''
CREATE ROLE datastore_ro NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :datastore_ro_password; CREATE ROLE datastore_ro NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :datastore_ro_password;
CREATE DATABASE datastore OWNER ckan ENCODING 'utf-8'; CREATE DATABASE datastore OWNER ckandbuser ENCODING 'utf-8';

2
postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql
View File

@ -1,2 +0,0 @@
CREATE DATABASE ckan_test OWNER ckan ENCODING 'utf-8';
CREATE DATABASE datastore_test OWNER ckan ENCODING 'utf-8';

2
postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql Executable file
View File

@ -0,0 +1,2 @@
CREATE DATABASE ckan_test OWNER ckandbuser ENCODING 'utf-8';
CREATE DATABASE datastore_test OWNER ckandbuser ENCODING 'utf-8';