compose: Use read-only filesystem

This adds needed tmpfs volumes and read only flag to all containers. See WeblateOrg/docker#1831
WeblateOrg · Jun 8, 2023 · f3661ef · f3661ef · endquote · Jun 8, 2023
1 parent bf3ba64
commit f3661ef
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 6 deletions.
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
@@ -3,7 +3,7 @@ name: Docker Image CI
 on: [push, pull_request]
 
 jobs:
-  build:
+  read-only:
     runs-on: ubuntu-20.04
     env:
       # Use short project name, otherwise inspect output is messy
@@ -13,7 +13,46 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - name: Generate configuration
-      run: ./test-generate
+      run: ./test-generate 8080 http
+    - name: Startup container
+      run: ./test-boot
+    - name: List Python packages
+      run: ./test-pip
+    - name: Inspect container
+      run: ./test-inspect
+    - name: Check service is running
+      run: ./test-online
+    - name: Check service health status
+      run: ./test-health
+    - name: Run Django Checks
+      run: ./test-checks
+    - name: Verify supervisor
+      run: ./test-supervisor
+    - name: Test admin creation
+      run: ./test-admin
+    - name: Verify SAML certificate
+      run: ./test-saml
+    - name: Run commands
+      run: ./test-commands
+    - name: Run tests
+      run: ./test-tests
+    - name: Display logs
+      run: ./test-logs
+      if: always()
+    - name: Shutdown service
+      run: ./test-stop
+
+  read-write:
+    runs-on: ubuntu-20.04
+    env:
+      # Use short project name, otherwise inspect output is messy
+      COMPOSE_PROJECT_NAME: wl
+      TEST_EXTRA_ENV: 'WEBLATE_SAML_IDP_URL: https://example.com/idp'
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Generate configuration
+      run: ./test-generate 8080 http read-write
     - name: Startup container
       run: ./test-boot
     - name: List Python packages

diff --git a/docker-compose-https.yml b/docker-compose-https.yml
@@ -2,12 +2,16 @@ version: '3'
 services:
   weblate:
     image: weblate/weblate
+    tmpfs:
+    - /run
+    - /tmp
     volumes:
     - weblate-data:/app/data
     - weblate-cache:/app/cache
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -24,6 +28,7 @@ services:
   cache:
     image: redis:7-alpine
     restart: always
+    read_only: true
     command: [redis-server, --save, '60', '1']
     volumes:
     - redis-data:/data
@@ -33,6 +38,7 @@ services:
     - 80:80
     - 443:443
     restart: always
+    read_only: true
     environment:
       STAGE: production
       PROXY_READ_TIMEOUT: 3600

diff --git a/docker-compose-split.yml b/docker-compose-split.yml
@@ -3,6 +3,8 @@ services:
   weblate:
     image: weblate/weblate
     tmpfs:
+    - /run
+    - /tmp
     - /app/cache
     volumes:
     - type: volume
@@ -11,6 +13,7 @@ services:
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -20,6 +23,8 @@ services:
   weblate-celery-backup:
     image: weblate/weblate
     tmpfs:
+    - /run
+    - /tmp
     - /app/cache
     volumes:
     - type: volume
@@ -30,6 +35,7 @@ services:
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -38,6 +44,8 @@ services:
   weblate-celery-beat:
     image: weblate/weblate
     tmpfs:
+    - /run
+    - /tmp
     - /app/cache
     volumes:
     - type: volume
@@ -48,6 +56,7 @@ services:
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -56,6 +65,8 @@ services:
   weblate-celery-celery:
     image: weblate/weblate
     tmpfs:
+    - /run
+    - /tmp
     - /app/cache
     volumes:
     - type: volume
@@ -66,6 +77,7 @@ services:
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -75,6 +87,8 @@ services:
   weblate-celery-memory:
     image: weblate/weblate
     tmpfs:
+    - /run
+    - /tmp
     - /app/cache
     volumes:
     - type: volume
@@ -85,6 +99,7 @@ services:
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -94,6 +109,8 @@ services:
   weblate-celery-notify:
     image: weblate/weblate
     tmpfs:
+    - /run
+    - /tmp
     - /app/cache
     volumes:
     - type: volume
@@ -104,6 +121,7 @@ services:
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -113,6 +131,8 @@ services:
   weblate-celery-translate:
     image: weblate/weblate
     tmpfs:
+    - /run
+    - /tmp
     - /app/cache
     volumes:
     - type: volume
@@ -123,6 +143,7 @@ services:
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -139,6 +160,7 @@ services:
   cache:
     image: redis:7-alpine
     restart: always
+    read_only: true
     command: [redis-server, --save, '60', '1']
     volumes:
     - redis-data:/data

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -2,12 +2,16 @@ version: '3'
 services:
   weblate:
     image: weblate/weblate
+    tmpfs:
+    - /run
+    - /tmp
     volumes:
     - weblate-data:/app/data
     - weblate-cache:/app/cache
     env_file:
     - ./environment
     restart: always
+    read_only: true
     depends_on:
     - database
     - cache
@@ -21,6 +25,7 @@ services:
   cache:
     image: redis:7-alpine
     restart: always
+    read_only: true
     command: [redis-server, --save, '60', '1']
     volumes:
     - redis-data:/data

diff --git a/test-generate b/test-generate
@@ -3,7 +3,7 @@ cat > docker-compose.override.yml <<EOT
 version: '3'
 services:
   weblate:
-    image: ${TEST_CONTAINER:-weblate/weblate:latest}
+    image: ${TEST_CONTAINER:-weblate/weblate:edge}
     environment:
       WEBLATE_TIME_ZONE: Europe/Prague
       WEBLATE_SITE_DOMAIN: test.example.com
@@ -18,13 +18,19 @@ if [ "$3" = "split" ] ; then
   for service in celery-backup celery-beat celery-celery celery-memory celery-notify celery-translate ; do
     cat >> docker-compose.override.yml <<EOT
   weblate-${service}:
-    image: ${TEST_CONTAINER:-weblate/weblate:latest}
+    image: ${TEST_CONTAINER:-weblate/weblate:edge}
     environment:
       WEBLATE_TIME_ZONE: Europe/Prague
       WEBLATE_SITE_DOMAIN: test.example.com
 EOT
   done
 fi
+if [ "$3" = "read-write" ] ; then
+    sed -i -e '/- \/tmp/D' -e '/read_only: true/D' docker-compose.yml
+else
+    # Allow execution in tmp
+    sed -i 's/- \/tmp/- \/tmp:exec/' docker-compose.yml
+fi
 
 
 IP=127.0.0.1

diff --git a/test-tests b/test-tests
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
-docker-compose exec -T --user weblate --env CI_DATABASE=postgresql --env CI_DB_HOST=database --env CI_DB_NAME=weblate --env CI_DB_USER=weblate --env CI_DB_PASSWORD=weblate --env DJANGO_SETTINGS_MODULE=weblate.settings_test weblate weblate collectstatic --noinput
-docker-compose exec -T --user weblate --env CI_DATABASE=postgresql --env CI_DB_HOST=database --env CI_DB_NAME=weblate --env CI_DB_USER=weblate --env CI_DB_PASSWORD=weblate --env DJANGO_SETTINGS_MODULE=weblate.settings_test weblate weblate test --noinput weblate
+docker-compose exec -T --user weblate --env CI_BASE_DIR=/tmp --env CI_DATABASE=postgresql --env CI_DB_HOST=database --env CI_DB_NAME=weblate --env CI_DB_USER=weblate --env CI_DB_PASSWORD=weblate --env DJANGO_SETTINGS_MODULE=weblate.settings_test weblate weblate collectstatic --noinput
+docker-compose exec -T --user weblate --env CI_BASE_DIR=/tmp --env CI_DATABASE=postgresql --env CI_DB_HOST=database --env CI_DB_NAME=weblate --env CI_DB_USER=weblate --env CI_DB_PASSWORD=weblate --env DJANGO_SETTINGS_MODULE=weblate.settings_test weblate weblate test --noinput weblate
 RET=$?
 if [ $RET -ne 0 ] ; then
     docker-compose logs