
Commit 1e56196

committed
Defensive changes
1 parent a87481f commit 1e56196

1 file changed

Lines changed: 20 additions & 1 deletion


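--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -44,16 +44,27 @@ services:
 
 # Untrusted-input compilers. Cap resources and drop privileges. Not read_only:
 # these compilers write intermediate files; confirm a writable path per image
-# before tightening further.
+# before tightening further. NET_BIND_SERVICE is the one capability kept, so
+# the non-root uvicorn can bind port 80.
+# NOTE: the healthchecks need the hardened images (which add /health to z88dk)
+# rebuilt and pushed — see zxcode-api-z88dk / zxcode-api-zxbasic.
 z88dk:
 image: ghcr.io/stever/zxcoder-api-z88dk
 restart: always
 mem_limit: 512m
 cpus: 1.0
 pids_limit: 256
 cap_drop: [ALL]
+cap_add:
+- NET_BIND_SERVICE
 security_opt:
 - no-new-privileges:true
+healthcheck:
+test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:80/health',timeout=3).status==200 else 1)"]
+interval: 30s
+timeout: 5s
+retries: 3
+start_period: 20s
 
 zxbasic:
 image: ghcr.io/stever/zxcoder-api-zxbasic
@@ -62,8 +73,16 @@ services:
 cpus: 1.0
 pids_limit: 256
 cap_drop: [ALL]
+cap_add:
+- NET_BIND_SERVICE
 security_opt:
 - no-new-privileges:true
+healthcheck:
+test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:80/health',timeout=3).status==200 else 1)"]
+interval: 30s
+timeout: 5s
+retries: 3
+start_period: 20s
 
 # Headless emulator: compiles a program to .tap and renders it running to
 # GIF/MP4. Renders inline BASIC, or a public project looked up from Hasura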
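Review bot: The `cap_add: NET_BIND_SERVICE` entries on z88dk and zxbasic probably do not do what the new comment says, so the containers may be carrying a capability they never use. As far as I know, a process that Docker starts as a non-root user ends up with an empty effective capability set unless its binary has file capabilities, and `no-new-privileges:true` prevents those from being granted on exec. On Docker Engine 20.10 and later a non-root process can bind port 80 regardless, because the engine sets `net.ipv4.ip_unprivileged_port_start=0` inside the container by default. It is worth starting both services with `cap_drop: [ALL]` alone; if uvicorn still binds, drop the two `cap_add` blocks and the comment sentence about NET_BIND_SERVICE. If an older engine has to be supported, listening on an unprivileged port inside the container keeps the capability set empty; the images' USER and the engine version are not visible on this page, so this needs confirming against the deployment.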
