(#45) 인프라 보안 강화 및 데이터 보존 정책 설정

alexization · web-flow · commit 525a8662a3de · 2026-02-11T13:31:20.000+09:00
* 인프라 보안 강화 및 데이터 보존 정책 설정

- Prometheus 데이터 보존 기간 30일 명시 설정
- Loki compactor 활성화 및 로그 보존 기간 30일 설정
- Dockerfile 비root 사용자(appuser) 실행 및 management 포트 노출
- 내부 서비스 포트(DB, Prometheus, Loki, Actuator) 127.0.0.1 바인딩
- .dockerignore 추가하여 불필요한 빌드 컨텍스트 제외
- Loki datasource에 editable 속성 추가

* Dockerfile COPY --chown 레이어 최적화 및 Loki delete_request_store 설정 추가
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,16 @@
+.git
+.github
+.gitignore
+.dockerignore
+
+build/
+.gradle/
+
+dashboards/
+alerting/
+*.yml
+!build.gradle
+!settings.gradle
+
+README.md
+LICENSE
diff --git a/Dockerfile b/Dockerfile
@@ -17,10 +17,14 @@ RUN ./gradlew bootJar -x test --no-daemon
 
 FROM eclipse-temurin:21-jre-alpine
 
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+
 WORKDIR /app
 
-COPY --from=builder /app/build/libs/*.jar app.jar
+COPY --chown=appuser:appgroup --from=builder /app/build/libs/*.jar app.jar
+
+USER appuser
 
-EXPOSE 8080
+EXPOSE 8080 9090
 
 ENTRYPOINT ["java", "-jar", "app.jar"]
diff --git a/datasource.yml b/datasource.yml
@@ -13,4 +13,5 @@ datasources:
     type: loki
     uid: loki
     access: proxy
-    url: http://loki:3100
+    url: http://loki:3100
+    editable: true
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
     restart: unless-stopped
     ports:
       - "8080:8080"
-      - "9090:9090"
+      - "127.0.0.1:9090:9090"
     environment:
       SPRING_PROFILES_ACTIVE: prod
       DB_URL: jdbc:mysql://git-ranker-db:3306/${DB_NAME}?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul
@@ -49,7 +49,7 @@ services:
       MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
       TZ: Asia/Seoul
     ports:
-      - "3306:3306"
+      - "127.0.0.1:3306:3306"
     volumes:
       - mysql_data:/var/lib/mysql
     deploy:
@@ -73,12 +73,13 @@ services:
       - ./prometheus.yml:/etc/prometheus/prometheus.yml
       - prometheus_data:/prometheus
     ports:
-      - "9091:9090"
+      - "127.0.0.1:9091:9090"
     command:
       - '--config.file=/etc/prometheus/prometheus.yml'
       - '--storage.tsdb.path=/prometheus'
       - '--web.console.libraries=/usr/share/prometheus/console_libraries'
       - '--web.console.templates=/usr/share/prometheus/consoles'
+      - '--storage.tsdb.retention.time=30d'
     deploy:
       resources:
         limits:
@@ -94,7 +95,7 @@ services:
     container_name: git-ranker-loki
     restart: unless-stopped
     ports:
-      - "3100:3100"
+      - "127.0.0.1:3100:3100"
     volumes:
       - ./loki-config.yml:/etc/loki/local-config.yml
       - loki_data:/loki
diff --git a/loki-config.yml b/loki-config.yml
@@ -31,12 +31,19 @@ schema_config:
         prefix: index_
         period: 24h
 
+compactor:
+  working_directory: /loki/compactor
+  retention_enabled: true
+  compaction_interval: 10m
+  delete_request_store: filesystem
+
 limits_config:
   allow_structured_metadata: true
   reject_old_samples: false
   reject_old_samples_max_age: 168h
   ingestion_rate_mb: 16
   ingestion_burst_size_mb: 32
+  retention_period: 30d
 
 query_range:
   results_cache:
