Initial Security updates

- Update database user names and passwords
- The CKAN database is created with a new SQL script in the docker-entrypoint-initdb.d/ directory
- Remove host port for CKAN container
- NGINX is now attached to a dedicated front-end network; all other containers are placed on a back-end network, which NGINX also joins so it can proxy to CKAN
This commit is contained in:
Brett 2023-05-31 14:26:56 +02:00
parent aeda97cfe2
commit d621fb62df
7 changed files with 37 additions and 13 deletions

.env

@ -13,13 +13,15 @@ NGINX_PORT_HOST=81
NGINX_SSLPORT_HOST=8443
# CKAN databases
POSTGRES_USER=ckan
POSTGRES_PASSWORD=ckan
POSTGRES_USER=admindbuser
POSTGRES_PASSWORD=admindbpassword
CKAN_DB_USER=ckandbuser
CKAN_DB_PASSWORD=ckandbpassword
DATASTORE_READONLY_USER=datastore_ro
DATASTORE_READONLY_PASSWORD=datastore
POSTGRES_HOST=db
CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan
CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore
CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb
CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore
CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore
# Test database connections
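Review bot: The renamed credentials at `POSTGRES_PASSWORD=admindbpassword`, `CKAN_DB_PASSWORD=ckandbpassword` and `DATASTORE_READONLY_PASSWORD=datastore` are still dictionary-word defaults committed in the tracked `.env`, so the rename alone does not raise the bar for anything that can reach the `db` container on the backend network. Keep the real `.env` out of version control and ship an `.env.example` with placeholders, generating per-deployment values (e.g. `openssl rand -base64 24`). The same password is also copied by hand into `CKAN_SQLALCHEMY_URL` and `CKAN_DATASTORE_WRITE_URL`, so a rotation that updates `CKAN_DB_PASSWORD` but not the URLs silently keeps the old secret in use; either derive the URLs from the variables if your Compose version interpolates inside env files, or at least add `# keep in sync with CKAN_DB_USER / CKAN_DB_PASSWORD above` next to them.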


@ -12,6 +12,9 @@ services:
build:
context: nginx/
dockerfile: Dockerfile
networks:
- frontend
- backend
depends_on:
ckan:
condition: service_healthy
@ -26,6 +29,8 @@ services:
dockerfile: Dockerfile
args:
- TZ=${TZ}
networks:
- backend
env_file:
- .env
depends_on:
@ -35,8 +40,6 @@ services:
condition: service_healthy
redis:
condition: service_healthy
ports:
- "0.0.0.0:${CKAN_PORT_HOST}:${CKAN_PORT}"
volumes:
- ckan_storage:/var/lib/ckan
restart: unless-stopped
@ -45,6 +48,8 @@ services:
datapusher:
container_name: ${DATAPUSHER_CONTAINER_NAME}
networks:
- backend
image: ckan/ckan-base-datapusher:${DATAPUSHER_VERSION}
restart: unless-stopped
healthcheck:
@ -57,18 +62,24 @@ services:
args:
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}
networks:
- backend
environment:
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}
- PGDATA=/var/lib/postgresql/data/db
volumes:
- pg_data:/var/lib/postgresql/data
restart: unless-stopped
healthcheck:
test: ["CMD", "pg_isready", "-U", "ckan"]
test: ["CMD", "pg_isready", "-U", "admindbuser", "-d", "admindb"]
solr:
container_name: ${SOLR_CONTAINER_NAME}
networks:
- backend
image: ckan/ckan-solr:${SOLR_IMAGE_VERSION}
volumes:
- solr_data:/var/solr
@ -78,7 +89,13 @@ services:
redis:
container_name: ${REDIS_CONTAINER_NAME}
networks:
- backend
image: redis:${REDIS_VERSION}
restart: unless-stopped
healthcheck:
test: ["CMD", "redis-cli", "-e", "QUIT"]
networks:
frontend:
backend:
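Review bot: The `ckan` service still loads the whole `.env` through `env_file` (context lines in the second hunk), so it receives `POSTGRES_PASSWORD` for the `POSTGRES_USER` account — which the official postgres image creates as a superuser — even though this commit introduces `ckandbuser` precisely so the application does not run with the admin credential; a compromised CKAN container therefore still holds the superuser password. Replace `env_file: - .env` on `ckan` with an explicit `environment:` list of the keys it needs (`CKAN_SQLALCHEMY_URL`, `CKAN_DATASTORE_WRITE_URL`, `CKAN_DATASTORE_READ_URL`, and the other non-database settings), or split the admin credentials into a separate file that only `db` reads. Separately, the new `- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}` under `args:` duplicates the `environment:` entry; the init SQL reads the variable at container start, not at build time, and build args are recorded in image layer metadata, so drop the three password entries under `args:` and keep only the runtime `environment:` ones.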


@ -4,10 +4,11 @@ FROM postgres:12-alpine
RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf
# Customize default user/pass/db
ENV POSTGRES_DB ckan
ENV POSTGRES_USER ckan
ENV POSTGRES_DB admindb
ENV POSTGRES_USER admindbuser
ARG POSTGRES_PASSWORD
ARG CKAN_DB_PASSWORD
ARG DATASTORE_READONLY_PASSWORD
# Include extra setup scripts (eg datastore)
ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
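Review bot: The added `ARG CKAN_DB_PASSWORD` is, like the two existing password ARGs, never consumed by any `RUN` in the visible Dockerfile — the init script reads `$CKAN_DB_PASSWORD` from the container environment on first start — so its only effect is to make the secret part of the build, where a value passed via `--build-arg` can be recoverable from the image history. Remove the three `ARG ... PASSWORD` lines and rely on the runtime environment alone. Note also that the `RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf` context line edits a file that the compose configuration shadows: `PGDATA` is set to `/var/lib/postgresql/data/db` and a volume is mounted over `/var/lib/postgresql/data`, so the effective `pg_hba.conf` is the one initdb generates at first run; if the intent is to pin the host auth method, do it through the image's `POSTGRES_HOST_AUTH_METHOD` and prefer `scram-sha-256` over `md5` (supported on PostgreSQL 12) rather than a build-time append.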


@ -0,0 +1,4 @@
\set ckan_db_password '\'' `echo $CKAN_DB_PASSWORD` '\''
CREATE ROLE ckandbuser NOSUPERUSER CREATEDB CREATEROLE LOGIN PASSWORD :ckan_db_password;
CREATE DATABASE ckandb OWNER ckandbuser ENCODING 'utf-8';
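Review bot: `ckandbuser` is created with `CREATEDB CREATEROLE`, neither of which CKAN needs at runtime, and on PostgreSQL 12 `CREATEROLE` lets the role change the password of, and grant itself membership in, any non-superuser role — including the `datastore_ro` account created by the sibling script — so the read-only split this commit introduces can be undone with the application credential. Unless something genuinely creates databases as this role, change the line to `CREATE ROLE ckandbuser NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :'ckan_db_password';`. The manual quote concatenation on the `\set` line also breaks for a password containing `'` or whitespace, because the backtick expansion is unquoted and psql joins the resulting tokens. Prefer `` \set ckan_db_password `echo "$CKAN_DB_PASSWORD"` `` and let psql do the quoting with the `:'ckan_db_password'` form in the `CREATE ROLE` statement. Since `docker-entrypoint-initdb.d` scripts run in lexical order, make sure this file sorts before the datastore script that names `ckandbuser` as owner, or that `CREATE DATABASE` will fail on a fresh volume.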


@ -1,4 +1,4 @@
\set datastore_ro_password '\'' `echo $DATASTORE_READONLY_PASSWORD` '\''
CREATE ROLE datastore_ro NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :datastore_ro_password;
CREATE DATABASE datastore OWNER ckan ENCODING 'utf-8';
CREATE DATABASE datastore OWNER ckandbuser ENCODING 'utf-8';


@ -1,2 +0,0 @@
CREATE DATABASE ckan_test OWNER ckan ENCODING 'utf-8';
CREATE DATABASE datastore_test OWNER ckan ENCODING 'utf-8';


@ -0,0 +1,2 @@
CREATE DATABASE ckan_test OWNER ckandbuser ENCODING 'utf-8';
CREATE DATABASE datastore_test OWNER ckandbuser ENCODING 'utf-8';