Initial Security updates
- Update database user names and passwords
- The CKAN database is now created by a new SQL script in the docker-entrypoint-initdb.d/ directory
- Remove the host port for the CKAN container
- The stack now has a front-end network for NGINX and a back-end network for the rest of the containers, plus NGINX
parent
aeda97cfe2
commit
d621fb62df
10
.env
10
.env
|
@ -13,13 +13,15 @@ NGINX_PORT_HOST=81
|
|||
NGINX_SSLPORT_HOST=8443
|
||||
|
||||
# CKAN databases
|
||||
POSTGRES_USER=ckan
|
||||
POSTGRES_PASSWORD=ckan
|
||||
POSTGRES_USER=admindbuser
|
||||
POSTGRES_PASSWORD=admindbpassword
|
||||
CKAN_DB_USER=ckandbuser
|
||||
CKAN_DB_PASSWORD=ckandbpassword
|
||||
DATASTORE_READONLY_USER=datastore_ro
|
||||
DATASTORE_READONLY_PASSWORD=datastore
|
||||
POSTGRES_HOST=db
|
||||
CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan
|
||||
CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore
|
||||
CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb
|
||||
CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore
|
||||
CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore
|
||||
|
||||
# Test database connections
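Review bot: The replacement credentials on the new `POSTGRES_PASSWORD=admindbpassword` and `CKAN_DB_PASSWORD=ckandbpassword` lines are still fixed, guessable values committed to the repository, so every deployment built from this file shares them just as it shared `ckan:ckan`. Consider committing only placeholders (for example `CKAN_DB_PASSWORD=<set-a-unique-value>`) and documenting that real values must be generated per deployment. The two new connection URLs also repeat the user and password literally, so changing `CKAN_DB_PASSWORD` alone would leave `CKAN_SQLALCHEMY_URL` and `CKAN_DATASTORE_WRITE_URL` on the old credential; a comment such as `# keep in sync with CKAN_DB_USER / CKAN_DB_PASSWORD` above them would flag that. `DATASTORE_READONLY_PASSWORD=datastore` is left at its previous default.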
|
||||
|
|
|
@ -12,6 +12,9 @@ services:
|
|||
build:
|
||||
context: nginx/
|
||||
dockerfile: Dockerfile
|
||||
networks:
|
||||
- frontend
|
||||
- backend
|
||||
depends_on:
|
||||
ckan:
|
||||
condition: service_healthy
|
||||
|
@ -26,6 +29,8 @@ services:
|
|||
dockerfile: Dockerfile
|
||||
args:
|
||||
- TZ=${TZ}
|
||||
networks:
|
||||
- backend
|
||||
env_file:
|
||||
- .env
|
||||
depends_on:
|
||||
|
@ -35,8 +40,6 @@ services:
|
|||
condition: service_healthy
|
||||
redis:
|
||||
condition: service_healthy
|
||||
ports:
|
||||
- "0.0.0.0:${CKAN_PORT_HOST}:${CKAN_PORT}"
|
||||
volumes:
|
||||
- ckan_storage:/var/lib/ckan
|
||||
restart: unless-stopped
|
||||
|
@ -45,6 +48,8 @@ services:
|
|||
|
||||
datapusher:
|
||||
container_name: ${DATAPUSHER_CONTAINER_NAME}
|
||||
networks:
|
||||
- backend
|
||||
image: ckan/ckan-base-datapusher:${DATAPUSHER_VERSION}
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
|
@ -57,18 +62,24 @@ services:
|
|||
args:
|
||||
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
|
||||
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
|
||||
- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}
|
||||
networks:
|
||||
- backend
|
||||
environment:
|
||||
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
|
||||
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
|
||||
- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}
|
||||
- PGDATA=/var/lib/postgresql/data/db
|
||||
volumes:
|
||||
- pg_data:/var/lib/postgresql/data
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD", "pg_isready", "-U", "ckan"]
|
||||
test: ["CMD", "pg_isready", "-U", "admindbuser", "-d", "admindb"]
|
||||
|
||||
solr:
|
||||
container_name: ${SOLR_CONTAINER_NAME}
|
||||
networks:
|
||||
- backend
|
||||
image: ckan/ckan-solr:${SOLR_IMAGE_VERSION}
|
||||
volumes:
|
||||
- solr_data:/var/solr
|
||||
|
@ -78,7 +89,13 @@ services:
|
|||
|
||||
redis:
|
||||
container_name: ${REDIS_CONTAINER_NAME}
|
||||
networks:
|
||||
- backend
|
||||
image: redis:${REDIS_VERSION}
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli", "-e", "QUIT"]
|
||||
|
||||
networks:
|
||||
frontend:
|
||||
backend:
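Review bot: In the db service, the new `- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}` entry under `args:` passes the password as a build argument alongside the two existing ones, and build arguments can end up recorded in image metadata (`docker history`) depending on how the Dockerfile uses them. The same values are already supplied under `environment:`, which is what the init scripts appear to read at container start, so the `args:` entries look unnecessary; dropping them, together with the matching `ARG` lines in the PostgreSQL Dockerfile, would keep the secrets out of the build. The new healthcheck also hardcodes `admindbuser` and `admindb` rather than following `POSTGRES_USER` from `.env`, so the two can drift apart. The service definitions start outside the visible hunks.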
|
||||
|
|
|
@ -4,10 +4,11 @@ FROM postgres:12-alpine
|
|||
RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf
|
||||
|
||||
# Customize default user/pass/db
|
||||
ENV POSTGRES_DB ckan
|
||||
ENV POSTGRES_USER ckan
|
||||
ENV POSTGRES_DB admindb
|
||||
ENV POSTGRES_USER admindbuser
|
||||
ARG POSTGRES_PASSWORD
|
||||
ARG CKAN_DB_PASSWORD
|
||||
ARG DATASTORE_READONLY_PASSWORD
|
||||
|
||||
# Include extra setup scripts (eg datastore)
|
||||
ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
|
||||
ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
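Review bot: The new `ENV POSTGRES_DB admindb` and `ENV POSTGRES_USER admindbuser` lines fix the superuser and database names in the image, while `.env` separately defines `POSTGRES_USER=admindbuser`; as far as the visible compose hunk shows, the db service only receives the passwords, so editing `.env` would not change the account that is actually created. A comment such as `# must match POSTGRES_USER in .env and the compose healthcheck` would make the coupling explicit, and `ENV POSTGRES_USER=admindbuser` is the currently recommended `KEY=value` form. The unchanged `host all all 0.0.0.0/0 md5` rule above these lines still accepts the new roles from any address and may be worth narrowing now that the database is attached to the backend network only.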
|
|
@ -0,0 +1,4 @@
|
|||
\set ckan_db_password '\'' `echo $CKAN_DB_PASSWORD` '\''
|
||||
|
||||
CREATE ROLE ckandbuser NOSUPERUSER CREATEDB CREATEROLE LOGIN PASSWORD :ckan_db_password;
|
||||
CREATE DATABASE ckandb OWNER ckandbuser ENCODING 'utf-8';
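Review bot: `CREATE ROLE ckandbuser NOSUPERUSER CREATEDB CREATEROLE LOGIN ...` gives the application account the right to create databases and roles, which it should not need because its databases are created for it by these init scripts; `CREATE ROLE ckandbuser NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :ckan_db_password;` would match the attributes already used for `datastore_ro`. The `\set` line builds the quoted literal by hand, so a password containing a single quote would break or alter the statement; setting the raw value and writing `PASSWORD :'ckan_db_password'` lets psql quote it as a literal. The datastore script uses the same `\set` pattern for `datastore_ro_password`. The role name is hardcoded here, so `CKAN_DB_USER` in `.env` has no effect on it.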
|
|
@ -1,4 +1,4 @@
|
|||
\set datastore_ro_password '\'' `echo $DATASTORE_READONLY_PASSWORD` '\''
|
||||
|
||||
CREATE ROLE datastore_ro NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :datastore_ro_password;
|
||||
CREATE DATABASE datastore OWNER ckan ENCODING 'utf-8';
|
||||
CREATE DATABASE datastore OWNER ckandbuser ENCODING 'utf-8';
|
|
@ -1,2 +0,0 @@
|
|||
CREATE DATABASE ckan_test OWNER ckan ENCODING 'utf-8';
|
||||
CREATE DATABASE datastore_test OWNER ckan ENCODING 'utf-8';
|
|
@ -0,0 +1,2 @@
|
|||
CREATE DATABASE ckan_test OWNER ckandbuser ENCODING 'utf-8';
|
||||
CREATE DATABASE datastore_test OWNER ckandbuser ENCODING 'utf-8';
|