
Приложение 9. Пример docker-compose.yml для контейнера AppSec.Hub

Примечание

В версиях Docker-compose ниже 2.24.0 в сервисах metrics-db, metrics и metrics-init следующие строки:

  env_file:
    - path: docker/.env # default
      required: true
    - path: docker/.env-local # optional override
      required: false

необходимо заменить на строки:

  env_file:
    - ./docker/.env

Ниже приведен пример docker-compose.yml для версий Docker-compose выше 2.26.0.

Примечание

В версиях Docker-compose 2.26.0 и выше для ограничения по процессам вместо параметра pids_limit требуется использовать поле deploy.resources.limits.pids.

В docker-compose.yml для версий Docker-compose 2.26.0 и выше поле, которое в версиях ниже 2.26.0 описывалось так:

pids_limit: 400

должно быть определено следующим образом:

deploy:
    resources:
        limits:
            pids: 400

Ниже приведен пример docker-compose.yml для версий Docker-compose выше 2.26.0.

# Shared fragments for the metrics services; referenced below as *metrics-image,
# *metrics-depends-on and *metrics-volumes (anchors must stay in this same YAML document).
x-metrics-image: &metrics-image registry.appsec.global/appsechub/hub-metrics:${hub_metrics_version}
x-metrics-depends-on: &metrics-depends-on
  - metrics-db
# ./docker is the same host directory that holds docker/.env and docker/.env-local (loaded via
# env_file in the metrics services), so those files are also exposed inside the container under
# /app/docker — read-write, as the mount carries no :ro suffix.
x-metrics-volumes:
  &metrics-volumes # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
  - ./docker:/app/docker
  - metrics_home:/app/metrics_home

services:
    # hub-core: main application container (Tomcat). Root filesystem is read-only; Tomcat's
    # temp/work directories are tmpfs owned by uid/gid 2000, so only the listed bind mounts are writable.
    # No healthcheck is declared here although hub-ui and gateway wait on condition: service_healthy —
    # this relies on a HEALTHCHECK baked into the image; confirm it exists.
    hub-core:
        image: registry.appsec.global/appsechub/hub-core:${hub_core_version}
        container_name: hub-core
        networks:
            - net-hub
        links:
            - consul
        depends_on:
            consul:
                condition: service_healthy
        environment:
            - UMASK=0022
            - HUB_LOG_LEVEL=info
            - TZ=Europe/Moscow
        tmpfs:
            - /usr/local/tomcat/temp/:uid=2000,gid=2000
            - /usr/local/tomcat/work/:uid=2000,gid=2000
        volumes:
            - ./logs/hub-core:/usr/local/tomcat/logs
            # app.properties / auth.properties are mounted read-write; append :ro (as hub-ui does for
            # its nginx config) if hub-core never modifies them — TODO confirm.
            - ./config/hub-core/app.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/app.properties
            - ./config/hub-core/auth.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/auth.properties
            # Uncomment to trust a private CA: the root certificate plus a pre-built JVM truststore.
            #- ./certs/rootCA.crt:/etc/ssl/certs/self-signed/rootCA.crt
            #- ./certs/cacerts:/usr/lib/jvm/java-11-amazon-corretto/lib/security/cacerts
            - ./zapfiles:/opt/zapfiles
        # pids_limit: 400  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        cpu_shares: 1024
        deploy:
            resources:
                limits:
                    memory: 3000M
                    pids: 400

    # hub-ui: nginx front end and the only service published on 80/443. It is bound to the host
    # address in IP_EXTERNAL rather than to all interfaces; nginx config and the TLS material under
    # ./ssl are mounted read-only, the log directory read-write.
    hub-ui:
        image: registry.appsec.global/appsechub/hub-ui:${hub_ui_version}
        container_name: hub-ui
        networks:
            - net-hub
        links:
            - hub-core
            - gateway
            - hub-sso
        depends_on:
            hub-core:
                condition: service_healthy
            gateway:
                condition: service_healthy
            hub-sso:
                condition: service_healthy
        ports:
            # Left unquoted; quoting ("${IP_EXTERNAL}:80:8080/tcp") matches the consul service below
            # and protects against YAML re-typing should the host prefix ever be removed.
            - ${IP_EXTERNAL}:80:8080/tcp
            - ${IP_EXTERNAL}:443:4443/tcp
        environment:
            - TZ=Europe/Moscow
        volumes:
            - ./config/hub-ui/:/etc/nginx/conf.d/:ro
            - ./logs/hub-ui/:/var/log/nginx
            - ./ssl:/etc/ssl/certs/ssl-cert:ro
        # pids_limit: 100  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        # Scratch and nginx cache directories must be writable on a read-only root filesystem.
        tmpfs:
            - /tmp
            - /var/cache/nginx/
        cpu_shares: 512
        deploy:
            resources:
                limits:
                    memory: 100M
                    pids: 100

    # postgresql: main database. No ports are published, so it is reachable only from containers
    # attached to net-hub.
    postgresql:
        image: registry.appsec.global/public/sfs-postgresql:13.2.2-alpine
        container_name: postgresql
        volumes:
            - ./postgresql/data:/data
            # Must stay commented out on the first start; can be enabled afterwards.
            #- ./config/postgresql/postgresql.conf:/data/postgresql.conf
            #- ./logs/postgresql:/data/logs
        networks:
            - net-hub
        environment:
            # Superuser password is interpolated from the environment/.env; an unset variable becomes an
            # empty string (Compose only warns). ${pgsql_admin_password:?...} would fail fast instead.
            - POSTGRES_PASSWORD=${pgsql_admin_password}
            - TZ=Europe/Moscow
        # pids_limit: 100  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        # read_only is deliberately left off here (only /data is a bind mount) — presumably the image
        # writes elsewhere at startup; confirm before enabling it as the other services do.
        #read_only: true
        tmpfs:
            - /var/run/postgresql/
            - /var/cache
        cpu_shares: 1024
        deploy:
            resources:
                limits:
                    memory: 300M
                    pids: 100

    # flyway-db: one-shot schema migration job; issue-rule and hub-issue wait for it with
    # condition: service_completed_successfully. Unlike the long-running services it declares no
    # security_opt, read_only or resource limits — consider adding at least no-new-privileges.
    flyway-db:
        image: registry.appsec.global/appsechub/hub-db:${hub_db_version}
        container_name: flyway-db
        networks:
            - net-hub
        environment:
            # Passwords for every application DB role are handed to the migration job (the same
            # values the other services use to connect).
            - hubadmPassword=${hub_adm_password}
            - hubappPassword=${hub_app_password}
            - hubbiPassword=${hub_bi_password}
            - hubauthPassword=${hub_auth_password}
            - hubdbName=${hub_db_name}
            # Migrations run as the PostgreSQL superuser.
            - PGPASSWORD=${pgsql_admin_password}
            - PGUSER=postgres
            - PG_URL=${pgsql_url}
            - PG_PORT=${pgsql_port}
            # Presumably toggles Flyway "repair" for the application DB and the warehouse schema —
            # confirm against the hub-db image documentation.
            - REPAIR_DB_ENABLE=disable
            - REPAIR_DW_ENABLE=disable
        depends_on:
            # Short form: waits only for the postgresql container to start, not for it to accept
            # connections. The job must retry on its own, or add a healthcheck to postgresql and use
            # condition: service_healthy here.
            - postgresql

    # hub-air: ML prediction service (py-model). Read-only root filesystem with a uid/gid 2000 tmpfs
    # for /tmp; logs and the local model directory are the only writable bind mounts.
    hub-air:
        image: registry.appsec.global/appsechub/hub-air:${hub_air_version}
        container_name: hub-air
        volumes:
            - ./logs/hub-air:/opt/py-model/logs
            - ./ml/local:/opt/py-model/ml/local
        environment:
            - TZ=Europe/Moscow
            - CONSUL_HOST=http://consul
            - CONSUL_PORT=8500
            - CONSUL_TOKEN=${consul_token}
            # DEBUG is more verbose than the info level used by hub-core/hub-sso; lower it for
            # production unless the extra log output is wanted.
            - LOG_LEVEL=DEBUG
            - LOG_FILE=1
            - LOG_BASE_PATH=/opt/py-model/logs/avc_prediction.log
            - MODEL_USE_ENCRYPTION=${MODEL_USE_ENCRYPTION}
            # NOTE(review): in the list form of environment Compose passes the double quotes through
            # as part of the value, so the key would be set to "<value>" including the quotes — check
            # the variable inside the container and drop the quotes if that is not intended.
            - MODEL_SECRET_KEY="${MODEL_SECRET_KEY}"
        networks:
            - net-hub
        # pids_limit: 100  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        tmpfs:
            - /tmp/:uid=2000,gid=2000
        security_opt:
            - no-new-privileges
        restart: on-failure:5
        read_only: true
        cpu_shares: 512
        deploy:
            resources:
                limits:
                    memory: 1G
                    pids: 100
    # consul: single-node server (-server -bootstrap) that the other services query with CONSUL_TOKEN.
    # Unlike most services here it has no read_only filesystem and no tmpfs.
    consul:
        image: registry.appsec.global/public/sfs-consul:1.14.4
        container_name: consul
        volumes:
            - ./consul-data:/consul/data
            - ./config/consul/server.json:/consul/config/server.json
        networks:
            - net-hub
        healthcheck:
            # No interval/timeout/retries are set, so Compose defaults apply; needs curl in the image.
            test: curl -f http://localhost:8500
        ports:
            # Published without a host address, so the HTTP API/UI (8500) and DNS (8600) are reachable
            # on every host interface — unlike hub-ui, which binds to ${IP_EXTERNAL}. Prefix a host
            # address (e.g. "127.0.0.1:8500:8500") unless external access is required; otherwise the
            # ACL token is the only barrier, so confirm ACLs are enforced in server.json.
            - "8500:8500"
            - "8600:8600/tcp"
            - "8600:8600/udp"
        # -client=0.0.0.0 makes the API listen on all container interfaces (required for the published
        # port); -bind=127.0.0.1 keeps cluster traffic local to this single node.
        command: "agent -server -bootstrap -ui -client=0.0.0.0 -bind=127.0.0.1 -config-file=/consul/config/server.json"
        restart: on-failure:5
        # pids_limit: 300  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        security_opt:
            - no-new-privileges
        cpu_shares: 1024
        deploy:
            resources:
                limits:
                    memory: 300M
                    pids: 300

    # gateway: API gateway sitting between hub-ui and hub-core. Note it is not read_only and has no
    # tmpfs, unlike hub-core/hub-ui; add read_only: true if the image tolerates it — TODO confirm.
    gateway:
        image: registry.appsec.global/appsechub/hub-gateway:${hub_gateway_version}
        container_name: gateway
        environment:
            - TZ=Europe/Moscow
            # Shared secret taken from the environment; keep it out of the committed compose file.
            - JWT_TOKEN=${gateway_jwt_token}
            - CONSUL_HOST=http://consul
            - CONSUL_PORT=8500
            - CONSUL_TOKEN=${consul_token}
            # The following parameter is optional (session timeout, presumably in seconds):
            - JAVA_OPTS=-Dsession.timeout=1800
        links:
            - consul
            - hub-core
        depends_on:
            hub-core:
                condition: service_healthy
        networks:
            - net-hub
        # pids_limit: 400  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        security_opt:
            - no-new-privileges
        cpu_shares: 2048
        restart: on-failure:5
        deploy:
            resources:
                limits:
                    memory: 1536M
                    pids: 400

    # issue-rule: connects to the application DB as the hubapp role and starts only after the
    # flyway-db migration job has exited successfully. Read-only root filesystem with a tmpfs /tmp.
    issue-rule:
        image: registry.appsec.global/appsechub/hub-issue-rule:${hub_issue_rule_version}
        container_name: issue-rule
        environment:
            - TZ=Europe/Moscow
            - CONSUL_HOST=http://consul
            - CONSUL_PORT=8500
            - CONSUL_TOKEN=${consul_token}
            - DB_URL=jdbc:postgresql://${pgsql_url}/${hub_db_name}
            - HUBAPP_USERNAME=hubapp
            - HUBAPP_PASSWORD=${hub_app_password}
        networks:
            - net-hub
        tmpfs:
            - /tmp:uid=2000,gid=2000
        links:
            - flyway-db
        depends_on:
            flyway-db:
                condition: service_completed_successfully
        restart: on-failure:5
        read_only: true
        # pids_limit: 400  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        security_opt:
            - no-new-privileges
        cpu_shares: 768
        deploy:
            resources:
                limits:
                    memory: 600M
                    pids: 400

    # hub-issue: same DB credentials (hubapp role), dependency on flyway-db and hardening as
    # issue-rule; keep the two in sync when changing limits or security options.
    hub-issue:
        image: registry.appsec.global/appsechub/hub-issue:${hub_issue_version}
        container_name: hub-issue
        environment:
            - TZ=Europe/Moscow
            - CONSUL_HOST=http://consul
            - CONSUL_PORT=8500
            - CONSUL_TOKEN=${consul_token}
            - DB_URL=jdbc:postgresql://${pgsql_url}/${hub_db_name}
            - HUBAPP_USERNAME=hubapp
            - HUBAPP_PASSWORD=${hub_app_password}
        networks:
            - net-hub
        tmpfs:
            - /tmp:uid=2000,gid=2000
        links:
            - flyway-db
        depends_on:
            flyway-db:
                condition: service_completed_successfully
        restart: on-failure:5
        read_only: true
        # pids_limit: 400  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        security_opt:
            - no-new-privileges
        cpu_shares: 768
        deploy:
            resources:
                limits:
                    memory: 600M
                    pids: 400

    # hub-sso: single sign-on service. It uses both the hubapp and hubauth DB roles but, unlike
    # issue-rule/hub-issue, declares no depends_on flyway-db, so it may start before the migrations
    # have finished — it must tolerate that, or the same depends_on condition should be added.
    hub-sso:
        image: registry.appsec.global/appsechub/hub-sso:${hub_sso_version}
        container_name: hub-sso
        environment:
            - TZ=Europe/Moscow
            - CONSUL_HOST=http://consul
            - CONSUL_PORT=8500
            - CONSUL_TOKEN=${consul_token}
            # Encryption key and public URL come from the environment; never hard-code them here.
            - SSO_ENC_KEY=${SSO_ENC_KEY}
            - HUB_URL=${HUB_URL}
            - DB_URL=jdbc:postgresql://${pgsql_url}/${hub_db_name}
            - HUBAPP_USERNAME=hubapp
            - HUBAPP_PASSWORD=${hub_app_password}
            - HUBAUTH_USERNAME=hubauth
            - HUBAUTH_PASSWORD=${hub_auth_password}
            - HUB_LOG_LEVEL=info
        networks:
            - net-hub
        # Writable scratch/log locations for the read-only root filesystem, owned by uid/gid 2000.
        tmpfs:
            - /var/tmp/log/:uid=2000,gid=2000
            - /tmp:uid=2000,gid=2000
        restart: on-failure:5
        read_only: true
        # pids_limit: 400  (pre-2.26.0 form; superseded by deploy.resources.limits.pids below)
        security_opt:
            - no-new-privileges
        cpu_shares: 768
        deploy:
            resources:
                limits:
                    memory: 600M
                    pids: 400

    # metrics-db: PostgreSQL instance for the metrics stack. metrics-init, metrics-appsechub-bridge
    # and pg-timetable wait on it with condition: service_healthy, yet no healthcheck is declared
    # here — this relies on a HEALTHCHECK in the image; without one the dependents never start.
    # No security_opt / read_only here, unlike the core services.
    metrics-db:
      env_file:
        # Default file is mandatory, the -local override optional (required: false); this
        # path/required form needs the Compose version noted at the top of the page.
        - path: docker/.env # default
          required: true
        - path: docker/.env-local # optional override
          required: false
      image: registry.appsec.global/public/sfs-postgresql:13.2.2-alpine
      networks:
          - net-hub
      container_name: metrics-db
      restart: unless-stopped
      environment:
        # POSTGRES_PASSWORD is not set here — presumably it is supplied by docker/.env; confirm.
        - POSTGRES_USER=metrics
        - POSTGRES_DB=metrics
        - PGDATA=/var/lib/postgresql/data
      volumes:
        # Relative path = bind mount of ./db-data on the host; the named volume db-data declared
        # under the top-level volumes: key is NOT what is used here.
        - ./db-data:/var/lib/postgresql/data
      deploy:
        resources:
            limits:
                memory: 600M
                pids: 400

    # metrics: Superset-based metrics web app (container_name hub-superset). Runs as root with the
    # ./docker directory bind-mounted read-write and with no security_opt/read_only — the least
    # hardened service on this page. Drop user: "root" if the bootstrap script does not need it —
    # TODO confirm.
    metrics:
      env_file:
        - path: docker/.env # default
          required: true
        - path: docker/.env-local # optional override
          required: false
      image: *metrics-image
      networks:
          - net-hub
      container_name: hub-superset
      command: ["/app/docker/docker-bootstrap.sh", "app-gunicorn"]
      user: "root"
      restart: unless-stopped
      # Alias expands to the list form (- metrics-db): waits for the container to start, not to be
      # healthy, and does not wait for metrics-init at all.
      depends_on: *metrics-depends-on
      volumes: *metrics-volumes
      deploy:
        resources:
            limits:
                memory: 600M
                pids: 400

    # metrics-init: initialisation job for the metrics stack (docker-init.sh), run as root against
    # the same image and volumes as metrics. No restart policy is set, so it runs once per `up`;
    # with healthcheck disabled nothing can wait on it via condition: service_healthy.
    metrics-init:
      image: *metrics-image
      networks:
          - net-hub
      container_name: metrics-init
      command: ["/app/docker/docker-init.sh"]
      env_file:
        - path: docker/.env # default
          required: true
        - path: docker/.env-local # optional override
          required: false
      depends_on:
        metrics-db:
          condition: service_healthy
      user: "root"
      volumes: *metrics-volumes
      healthcheck:
        disable: true
      deploy:
        resources:
            limits:
                memory: 300M
                pids: 400

    # metrics-appsechub-bridge: copies data from the application DB into the metrics DB on a cron
    # schedule. No security_opt / read_only here, unlike the core services.
    metrics-appsechub-bridge:
      container_name: 'metrics-appsechub-bridge'
      image: registry.appsec.global/appsechub/hub-metrics-bridge:${hub_metrics_bridge_version}
      networks:
          - net-hub
      depends_on:
        metrics-db:
          condition: service_healthy
      # Mapping form: values are plain scalars, so an unset variable expands to an empty string.
      environment:
        PG_USER: ${metrics_pg_user}
        PGPASSWORD: ${metrics_pg_password}
        PG_URL: ${metrics_pg_url}
        SCHEDULER_DB_PASSWORD: ${pgtt_scheduler_db_password}
        METRICS_DB_PASSWORD: ${metrics_db_password}
        REMOTE_HOST_DB: ${pgsql_url}
        REMOTE_PORT_DB: ${pgsql_port}
        REMOTE_DB: ${hub_db_name}
        # Connects to the application DB as the admin role (hubadm). Least privilege suggests a
        # read-only role instead — flyway-db provisions a hubbi password; if that role has the needed
        # read access, prefer it. Confirm before changing.
        REMOTE_USER_DB: hubadm
        REMOTE_PASSWORD_DB: ${hub_adm_password}
        METRICS_HOST: ${metrics_host}
        METRICS_PORT: ${metrics_port}
        METRICS_USERNAME: ${metrics_username}
        METRICS_PASSWORD: ${metrics_password}
        METRICS_DATABASE_URL: ${metrics_database_url}
        # Cron expression: top of every hour.
        CHRON: "0 * * * *"
        CONSUL_HOST: http://consul
        # Unquoted integer; Compose stringifies it, but "8500" would be consistent with CHRON above.
        CONSUL_PORT: 8500
        CONSUL_TOKEN: ${consul_token}
      restart: on-failure:5
      deploy:
        resources:
            limits:
                memory: 600M
                pids: 400

    # pg-timetable: scheduler worker for the metrics DB (command selects the metrics-worker client).
    # No security_opt / read_only / restart policy here, unlike the core services.
    pg-timetable:
      image: registry.appsec.global/appsechub/hub-metrics-pg-timetable:${hub_metrics_pgtt_version}
      networks:
          - net-hub
      container_name: 'pg-timetable'
      environment:
        - PGTT_PGHOST=${pgtt_pghost}
        - PGTT_PGPORT=${pgtt_pgport}
        - PGTT_PGUSER=${pgtt_pguser}
        # Same scheduler password that metrics-appsechub-bridge receives as SCHEDULER_DB_PASSWORD.
        - PGTT_PGPASSWORD=${pgtt_scheduler_db_password}
        - PGTT_PGDATABASE=${pgtt_pgdatabase}
      command: '-c=metrics-worker'
      depends_on:
        metrics-db:
          condition: service_healthy
      deploy:
        resources:
            limits:
                memory: 100M
                pids: 400

# Named volumes. Only metrics_home is referenced by a service (via *metrics-volumes);
# db_home is not used anywhere on this page, and metrics-db bind-mounts ./db-data instead of
# using the db-data volume below — either switch that service to the named volume or drop it.
volumes:
  metrics_home:
    external: false
  db_home:
    external: false
  db-data:
    driver: local

# Single bridge network shared by all services with a fixed subnet; make sure 172.20.0.0/16 does
# not overlap routes already present on the host (VPNs, other Docker networks).
networks:
    net-hub:
        driver: "bridge"
        ipam:
            driver: default
            config:
                - subnet: 172.20.0.0/16