Docker Container Security - jordan-dalby/ByteStash GitHub Wiki

The following settings can be added to the `bytestash` service in your `docker-compose.yml` to further harden the ByteStash container:

- User and Group IDs: Runs the container as a specific non-root user and group instead of the image default.
- No New Privileges: Prevents processes in the container from gaining additional privileges (for example through setuid/setgid binaries or file capabilities).
- Read-Only Filesystem: Mounts the container's root filesystem read-only so the application and its dependencies cannot be modified at runtime.
- Capability Drop: Removes all Linux capabilities, limiting the container's ability to perform privileged operations.
- Temporary Filesystem: Uses tmpfs for ephemeral storage, so temporary files live in memory and are discarded when the container stops.
- Healthcheck: Monitors the availability of ByteStash so Docker can report an unhealthy container.

```yaml
    # Add these keys under the bytestash service in docker-compose.yml
    user: PUID:PGID # replace with the numeric uid:gid of a non-root user
    security_opt:
      - no-new-privileges:true
    read_only: true # make sure you explicitly set your volumes to rw
    cap_drop:
      - ALL
    tmpfs:
      - /tmp
    healthcheck:
      test: # runs inside the container, so the image must provide wget
        - CMD
        - wget
        - --spider
        - --timeout=10
        - http://IP:PORT/ # enter your container IP/port
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
```
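To confirm that the options above actually took effect on a running container, the following script (an added example, not code from the ByteStash project) reads `docker inspect` output and reports each item of the checklist. The JSON field names (`Config.User`, `Config.Healthcheck`, `HostConfig.SecurityOpt`, `HostConfig.ReadonlyRootfs`, `HostConfig.CapDrop`, `HostConfig.Tmpfs`) are the Docker Engine's own; the two sample inspect documents, the container name `/bytestash`, the `1000:1000` user and the `PORT` placeholder in the sample healthcheck are constructed for the example.

```python
"""Audit a container's hardening against the checklist on this page.

Added example, not part of ByteStash. Parses `docker inspect` JSON and
reports which recommendations are in effect: non-root user, no-new-privileges,
read-only root filesystem, all capabilities dropped, a tmpfs mount and a
healthcheck. The sample documents below are constructed by hand.
"""
import json
import subprocess
import sys

# Constructed sample: trimmed `docker inspect` output for a container started
# with the hardening options from this page (uid 1000:1000 is an example).
HARDENED = json.dumps([{
    "Name": "/bytestash",
    "Config": {
        "User": "1000:1000",
        "Healthcheck": {
            "Test": ["CMD", "wget", "--spider", "--timeout=10", "http://localhost:PORT/"],
            "Interval": 30000000000,
        },
    },
    "HostConfig": {
        "SecurityOpt": ["no-new-privileges:true"],
        "ReadonlyRootfs": True,
        "CapDrop": ["ALL"],
        "Tmpfs": {"/tmp": ""},
    },
}])

# Constructed sample: the same container started with none of the options.
DEFAULT = json.dumps([{
    "Name": "/bytestash",
    "Config": {"User": "", "Healthcheck": None},
    "HostConfig": {"SecurityOpt": None, "ReadonlyRootfs": False,
                   "CapDrop": None, "Tmpfs": None},
}])

CHECKS = ["non_root_user", "no_new_privileges", "read_only_rootfs",
          "cap_drop_all", "tmpfs", "healthcheck"]


def is_non_root(user: str) -> bool:
    """An empty User means the image default (root unless the image sets USER)."""
    uid = (user or "").split(":")[0]
    return uid not in ("", "0", "root")


def audit(inspect_json: str) -> dict:
    """Return {check_name: passed} for the first container in inspect output."""
    container = json.loads(inspect_json)[0]
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}

    sec_opts = host.get("SecurityOpt") or []
    # Docker records the option as given; accept the ':' and '=' spellings.
    no_new_privs = any(o.replace("=", ":") in ("no-new-privileges", "no-new-privileges:true")
                       for o in sec_opts)
    cap_drop = [c.upper() for c in (host.get("CapDrop") or [])]
    hc_test = (cfg.get("Healthcheck") or {}).get("Test") or []

    return {
        "non_root_user": is_non_root(cfg.get("User") or ""),
        "no_new_privileges": no_new_privs,
        "read_only_rootfs": bool(host.get("ReadonlyRootfs")),
        "cap_drop_all": "ALL" in cap_drop,
        "tmpfs": bool(host.get("Tmpfs")),
        # "NONE" is what Docker stores when HEALTHCHECK NONE disables the check.
        "healthcheck": bool(hc_test) and hc_test[0] != "NONE",
    }


def missing(inspect_json: str) -> list:
    """Names of the checklist items that are not in effect, in checklist order."""
    report = audit(inspect_json)
    return [name for name in CHECKS if not report[name]]


def main(argv):
    if len(argv) < 2:
        print("usage: audit_container.py <container-name-or-id>")
        return 2
    out = subprocess.run(["docker", "inspect", argv[1]], check=True,
                         capture_output=True, text=True).stdout
    report = audit(out)
    for name in CHECKS:
        print(f"{'PASS' if report[name] else 'FAIL'}  {name}")
    return 0 if all(report.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_container.py bytestash` after `docker compose up -d`; a non-zero exit code means at least one item of the checklist is missing, which makes it easy to wire into a deployment check.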