[PR #208] [MERGED] Add Docker Security Best Practices to docker-compose file. #808

Closed
opened 2026-02-25 20:36:47 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/benbusby/whoogle-search/pull/208
Author: @pred2k
Created: 2/22/2021
Status: Merged
Merged: 2/26/2021
Merged by: @benbusby

Base: develop ← Head: feature/docker-security


📝 Commits (1)

  • 53aa3d4 Add Docker Security Best Practices to docker-compose file.

📊 Changes

1 file changed (+18 additions, -1 deletions)


📝 docker-compose.yml (+18 -1)

📄 Description

This adds several security improvements to the docker-compose file to protect the host system.

  • Don't run the container as the root user. Container processes shouldn't have root privileges to the kernel on the host system.
  • Run the container with a read-only main volume. Containers are immutable instances. Use tmpfs if the app needs to write temporary files.
  • Limit resources like RAM and PIDs.

From CIS Docker Community Edition Benchmark and OWASP Docker Security Cheat Sheet.

I couldn't successfully test a search connection over tor. This didn't even work with an original benbusby/whoogle-search image.
I misuse the debian-tor user (uid 102) to get the tor and the python process running in the image.

Additionally I would like to discuss two things:

  • It would be better to create a separate user in the Dockerfile (and set it with USER ...) to run python3 -um app .... This allows more specific permission grants for the python app.
  • The tor process should be moved to a separate container and started as a second service via the docker-compose file. This could also make the tor connection more optional.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
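The hardening the description lists, written out as a compose service. This is an added illustration, not the project's docker-compose.yml or the diff of this PR; the image name and port are taken from the project, while the gid 102, the tmpfs paths and sizes, and the memory and PID ceilings are assumptions. The two settings at the end (no-new-privileges, dropping all capabilities) go beyond the PR's list and come from the CIS/OWASP guidance it cites.

```yaml
# Added example: a hardened whoogle-search service in docker-compose form.
version: "3"
services:
  whoogle-search:
    image: benbusby/whoogle-search:latest
    container_name: whoogle-search
    ports:
      - "5000:5000"

    # 1. Don't run as root. The description reuses the image's debian-tor
    #    account (uid 102); the gid of 102 is an assumption.
    user: "102:102"

    # 2. Read-only root filesystem: the container is treated as immutable.
    read_only: true

    # Writable scratch space only where needed. tor keeps its state and
    # control socket on disk, so those paths (assumed here) get a small
    # tmpfs owned by the same uid/gid so the non-root process can write.
    tmpfs:
      - /var/lib/tor/:size=10M,uid=102,gid=102,mode=1700
      - /run/tor/:size=1M,uid=102,gid=102,mode=1700

    # 3. Resource limits so a runaway or fork-bombed process cannot
    #    exhaust the host. Values are assumptions; tune to the workload.
    mem_limit: 256mb
    pids_limit: 50

    # Extra hardening from the cited benchmarks (not in the PR's list):
    # block setuid/setgid escalation and start with no capabilities.
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
```

With read_only enabled, anything the app writes outside a tmpfs or mounted volume fails at runtime, so check the container logs after the first start to find paths that still need scratch space.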
