Приложение 9. Пример docker-compose.yml для контейнера AppSec.Hub
Примечание
В версиях Docker-compose ниже 2.24.0 в сервисах metrics-db, metrics и metrics-init следующие строки:
env_file:
- path: docker/.env # default
required: true
- path: docker/.env-local # optional override
required: false
необходимо заменить на строки:
Ниже приведен пример docker-compose.yml для версий Docker-compose выше 2.26.0.
Примечание
В версиях Docker-compose 2.26.0 и выше для ограничения по процессам вместо параметра pids_limit требуется использовать поле deploy.resources.limits.pids.
В docker-compose.yml для версий Docker-compose 2.26.0 и выше поле, которое в версиях ниже 2.26.0 описывалось так:
должно быть определено следующим образом:
Ниже приведен пример docker-compose.yml для версий Docker-compose выше 2.26.0.
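# Extension fields shared by the metrics services (hub-metrics is Superset-based).
# They are meant to be reused as `*metrics-image`, `*metrics-depends-on` and
# `*metrics-volumes` so that `metrics` and `metrics-init` cannot drift apart.
x-metrics-image: &metrics-image registry.appsec.global/appsechub/hub-metrics:${hub_metrics_version}
x-metrics-depends-on: &metrics-depends-on
  - metrics-db
x-metrics-volumes:
  &metrics-volumes # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
  - ./docker:/app/docker
  - metrics_home:/app/metrics_home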
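# NOTE(review): several `depends_on` entries use `condition: service_healthy`
# (on hub-core, gateway, hub-sso and metrics-db) while only `consul` declares a
# `healthcheck:` in this file. That only works if the images carry their own
# HEALTHCHECK instruction — confirm, because Compose refuses to start a dependant
# whose dependency has no health check configured.
# `links:` is a legacy Compose v1 option; on the user-defined `net-hub` network
# service names already resolve, so those entries are redundant but harmless.
services:
  hub-core:
    image: registry.appsec.global/appsechub/hub-core:${hub_core_version}
    container_name: hub-core
    networks:
      - net-hub
    links:
      - consul
    depends_on:
      consul:
        condition: service_healthy
    environment:
      - UMASK=0022
      - HUB_LOG_LEVEL=info
      - TZ=Europe/Moscow
    # Writable scratch space for Tomcat while the root filesystem is read-only.
    tmpfs:
      - /usr/local/tomcat/temp/:uid=2000,gid=2000
      - /usr/local/tomcat/work/:uid=2000,gid=2000
    volumes:
      - ./logs/hub-core:/usr/local/tomcat/logs
      - ./config/hub-core/app.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/app.properties
      - ./config/hub-core/auth.properties:/usr/local/tomcat/webapps/hub/WEB-INF/classes/auth.properties
      #- ./certs/rootCA.crt:/etc/ssl/certs/self-signed/rootCA.crt
      #- ./certs/cacerts:/usr/lib/jvm/java-11-amazon-corretto/lib/security/cacerts
      - ./zapfiles:/opt/zapfiles
    # pids_limit: 400
    security_opt:
      - no-new-privileges
    restart: on-failure:5
    read_only: true
    cpu_shares: 1024
    deploy:
      resources:
        limits:
          memory: 3000M
          pids: 400

  hub-ui:
    image: registry.appsec.global/appsechub/hub-ui:${hub_ui_version}
    container_name: hub-ui
    networks:
      - net-hub
    links:
      - hub-core
      - gateway
      - hub-sso
    depends_on:
      hub-core:
        condition: service_healthy
      gateway:
        condition: service_healthy
      hub-sso:
        condition: service_healthy
    # Published only on the address given by IP_EXTERNAL. Port mappings are
    # quoted so the colon-separated value is always parsed as a string.
    ports:
      - "${IP_EXTERNAL}:80:8080/tcp"
      - "${IP_EXTERNAL}:443:4443/tcp"
    environment:
      - TZ=Europe/Moscow
    volumes:
      - ./config/hub-ui/:/etc/nginx/conf.d/:ro
      - ./logs/hub-ui/:/var/log/nginx
      - ./ssl:/etc/ssl/certs/ssl-cert:ro
    # pids_limit: 100
    security_opt:
      - no-new-privileges
    restart: on-failure:5
    read_only: true
    tmpfs:
      - /tmp
      - /var/cache/nginx/
    cpu_shares: 512
    deploy:
      resources:
        limits:
          memory: 100M
          pids: 100

  postgresql:
    image: registry.appsec.global/public/sfs-postgresql:13.2.2-alpine
    container_name: postgresql
    volumes:
      - ./postgresql/data:/data
      # Must stay commented out on the first start; can be enabled afterwards.
      #- ./config/postgresql/postgresql.conf:/data/postgresql.conf
      #- ./logs/postgresql:/data/logs
    # No host ports are published: the database is reachable from net-hub only.
    networks:
      - net-hub
    environment:
      - POSTGRES_PASSWORD=${pgsql_admin_password}
      - TZ=Europe/Moscow
    # pids_limit: 100
    security_opt:
      - no-new-privileges
    restart: on-failure:5
    #read_only: true
    tmpfs:
      - /var/run/postgresql/
      - /var/cache
    cpu_shares: 1024
    deploy:
      resources:
        limits:
          memory: 300M
          pids: 100

  # One-shot migration job: issue-rule and hub-issue wait for it with
  # `condition: service_completed_successfully`.
  flyway-db:
    image: registry.appsec.global/appsechub/hub-db:${hub_db_version}
    container_name: flyway-db
    networks:
      - net-hub
    environment:
      - hubadmPassword=${hub_adm_password}
      - hubappPassword=${hub_app_password}
      - hubbiPassword=${hub_bi_password}
      - hubauthPassword=${hub_auth_password}
      - hubdbName=${hub_db_name}
      - PGPASSWORD=${pgsql_admin_password}
      - PGUSER=postgres
      - PG_URL=${pgsql_url}
      - PG_PORT=${pgsql_port}
      - REPAIR_DB_ENABLE=disable
      - REPAIR_DW_ENABLE=disable
    depends_on:
      - postgresql

  hub-air:
    image: registry.appsec.global/appsechub/hub-air:${hub_air_version}
    container_name: hub-air
    volumes:
      - ./logs/hub-air:/opt/py-model/logs
      - ./ml/local:/opt/py-model/ml/local
    environment:
      - TZ=Europe/Moscow
      - CONSUL_HOST=http://consul
      - CONSUL_PORT=8500
      - CONSUL_TOKEN=${CONSUL_TOKEN}
      # DEBUG is verbose and may write sensitive request data to the log file;
      # lower it for production deployments.
      - LOG_LEVEL=DEBUG
      - LOG_FILE=1
      - LOG_BASE_PATH=/opt/py-model/logs/avc_prediction.log
      - MODEL_USE_ENCRYPTION=${MODEL_USE_ENCRYPTION}
      # NOTE(review): in the list form of `environment` the double quotes are part
      # of the value the container receives — confirm hub-air expects them.
      - MODEL_SECRET_KEY="${MODEL_SECRET_KEY}"
    networks:
      - net-hub
    # pids_limit: 100
    tmpfs:
      - /tmp/:uid=2000,gid=2000
    security_opt:
      - no-new-privileges
    restart: on-failure:5
    read_only: true
    cpu_shares: 512
    deploy:
      resources:
        limits:
          memory: 1G
          pids: 100

  consul:
    image: registry.appsec.global/public/sfs-consul:1.14.4
    container_name: consul
    volumes:
      - ./consul-data:/consul/data
      - ./config/consul/server.json:/consul/config/server.json
    networks:
      - net-hub
    healthcheck:
      test: curl -f http://localhost:8500
    # NOTE(review): these ports are published on every host interface, unlike
    # hub-ui which binds to ${IP_EXTERNAL}. Combined with `-client=0.0.0.0` the
    # Consul HTTP API and UI become reachable from outside the host; restrict the
    # host address or firewall the ports unless remote agents genuinely need them,
    # and make sure ACLs (CONSUL_TOKEN) are enforced in server.json.
    ports:
      - "8500:8500"
      - "8600:8600/tcp"
      - "8600:8600/udp"
    command: "agent -server -bootstrap -ui -client=0.0.0.0 -bind=127.0.0.1 -config-file=/consul/config/server.json"
    restart: on-failure:5
    # pids_limit: 300
    security_opt:
      - no-new-privileges
    cpu_shares: 1024
    deploy:
      resources:
        limits:
          memory: 300M
          pids: 300

  gateway:
    image: registry.appsec.global/appsechub/hub-gateway:${hub_gateway_version}
    container_name: gateway
    environment:
      - TZ=Europe/Moscow
      - JWT_TOKEN=${gateway_jwt_token}
      - CONSUL_HOST=http://consul
      - CONSUL_PORT=8500
      - CONSUL_TOKEN=${CONSUL_TOKEN}
      # The following parameter is optional:
      - JAVA_OPTS=-Dsession.timeout=1800
    links:
      - consul
      - hub-core
    depends_on:
      hub-core:
        condition: service_healthy
    networks:
      - net-hub
    # pids_limit: 400
    security_opt:
      - no-new-privileges
    cpu_shares: 2048
    restart: on-failure:5
    deploy:
      resources:
        limits:
          memory: 1536M
          pids: 400

  issue-rule:
    image: registry.appsec.global/appsechub/hub-issue-rule:${hub_issue_rule_version}
    container_name: issue-rule
    environment:
      - TZ=Europe/Moscow
      - CONSUL_HOST=http://consul
      - CONSUL_PORT=8500
      - CONSUL_TOKEN=${CONSUL_TOKEN}
      - DB_URL=jdbc:postgresql://${pgsql_url}/${hub_db_name}
      - HUBAPP_USERNAME=hubapp
      - HUBAPP_PASSWORD=${hub_app_password}
      - DB_POOL_SIZE=${DB_POOL_SIZE}
    networks:
      - net-hub
    tmpfs:
      - /tmp:uid=2000,gid=2000
    links:
      - flyway-db
    depends_on:
      flyway-db:
        condition: service_completed_successfully
    restart: on-failure:5
    read_only: true
    # pids_limit: 400
    security_opt:
      - no-new-privileges
    cpu_shares: 768
    deploy:
      resources:
        limits:
          memory: 600M
          pids: 400

  hub-issue:
    image: registry.appsec.global/appsechub/hub-issue:${hub_issue_version}
    container_name: hub-issue
    environment:
      - TZ=Europe/Moscow
      - CONSUL_HOST=http://consul
      - CONSUL_PORT=8500
      - CONSUL_TOKEN=${CONSUL_TOKEN}
      - DB_URL=jdbc:postgresql://${pgsql_url}/${hub_db_name}
      - HUBAPP_USERNAME=hubapp
      - HUBAPP_PASSWORD=${hub_app_password}
      - ENCRYPT_KEY=${ENC_KEY}
      - importReportFileThreadPoolQueueCapacity=100
      - importReportFileThreadPoolSize=20
      - reportUpdateDescriptions=false
      - DB_POOL_SIZE=${DB_POOL_SIZE}
    networks:
      - net-hub
    tmpfs:
      - /tmp:uid=2000,gid=2000
    links:
      - flyway-db
    depends_on:
      flyway-db:
        condition: service_completed_successfully
    restart: on-failure:5
    read_only: true
    # pids_limit: 400
    security_opt:
      - no-new-privileges
    cpu_shares: 768
    deploy:
      resources:
        limits:
          memory: 1000M
          pids: 400

  hub-sso:
    image: registry.appsec.global/appsechub/hub-sso:${hub_sso_version}
    container_name: hub-sso
    environment:
      - TZ=Europe/Moscow
      - CONSUL_HOST=http://consul
      - CONSUL_PORT=8500
      - CONSUL_TOKEN=${CONSUL_TOKEN}
      - SSO_ENC_KEY=${SSO_ENC_KEY}
      - HUB_URL=${HUB_URL}
      - DB_URL=jdbc:postgresql://${pgsql_url}/${hub_db_name}
      - HUBAPP_USERNAME=hubapp
      - HUBAPP_PASSWORD=${hub_app_password}
      - HUBAUTH_USERNAME=hubauth
      - HUBAUTH_PASSWORD=${hub_auth_password}
      - HUB_LOG_LEVEL=info
      - DB_POOL_SIZE=${DB_POOL_SIZE}
    networks:
      - net-hub
    tmpfs:
      - /var/tmp/log/:uid=2000,gid=2000
      - /tmp:uid=2000,gid=2000
    # NOTE(review): unlike issue-rule and hub-issue there is no `depends_on`
    # on flyway-db here although the same database is used — presumably the
    # service retries until the schema exists; confirm.
    restart: on-failure:5
    read_only: true
    # pids_limit: 400
    security_opt:
      - no-new-privileges
    cpu_shares: 768
    deploy:
      resources:
        limits:
          memory: 600M
          pids: 400

  rabbitmq:
    image: registry.appsec.global/public/rabbitmq:3.13-management
    container_name: rabbitmq
    environment:
      - RABBITMQ_DEFAULT_USER=${RABBITMQ_USERNAME}
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD}
    networks:
      - net-hub
    volumes:
      - ./rabbit:/var/lib/rabbitmq
    # NOTE(review): AMQP (5672) and the management UI (15672) are published on
    # all host interfaces. If only containers on net-hub need the broker, drop
    # `ports`; otherwise bind them to ${IP_EXTERNAL} or a firewalled address as
    # hub-ui does. Quoted so the mappings stay strings.
    ports:
      - "15672:15672"
      - "5672:5672"
    restart: on-failure:5
    security_opt:
      - no-new-privileges
    cpu_shares: 1024
    # No `pids` limit is set here, unlike the other services.
    deploy:
      resources:
        limits:
          memory: 300M

  scheduler:
    image: registry.appsec.global/appsechub/hub-scheduler:${hub_scheduler_version}
    container_name: scheduler
    # ports:
    #   - 50053:50053
    environment:
      - PG_USER=postgres
      - PGPASSWORD=${pgsql_admin_password}
      - PG_URL=${pgsql_url}
      - HUB_URL=${HUB_URL}
      - TZ=Europe/Moscow
      - CONSUL_HOST=http://consul
      - CONSUL_PORT=8500
      # NOTE(review): every other service interpolates ${CONSUL_TOKEN}; the
      # lowercase ${consul_token} is a different .env variable and expands to an
      # empty string when it is not defined — verify which name .env provides.
      - CONSUL_TOKEN=${consul_token}
      - DB_URL=jdbc:postgresql://${pgsql_url}/${hub_db_name}
      - HUBAPP_USERNAME=hubapp
      - HUBAPP_PASSWORD=${hub_app_password}
      - USE_GRPC_SECURITY=${USE_GRPC_SECURITY}
      - GRPC_AUTHORITY=${GRPC_AUTHORITY}
    networks:
      - net-hub
    # No `restart` policy or `security_opt` here, unlike the other services.
    cpu_shares: 768
    deploy:
      resources:
        limits:
          memory: 1000M
          # pids: 400

  hub-pipeline:
    image: registry.appsec.global/appsechub/hub-pipeline:${hub_pipeline_version}
    container_name: hub-pipeline
    environment:
      - PG_USER=postgres
      - PGPASSWORD=${pgsql_admin_password}
      - PG_URL=${pgsql_url}
      - HUB_URL=${HUB_URL}
      - TZ=Europe/Moscow
      - CONSUL_HOST=http://consul
      - CONSUL_PORT=8500
      - CONSUL_TOKEN=${CONSUL_TOKEN}
      - DB_URL=jdbc:postgresql://${pgsql_url}/${hub_db_name}
      - HUBAPP_USERNAME=hubapp
      - HUBAPP_PASSWORD=${hub_app_password}
      - RABBITMQ_HOST=${RABBITMQ_HOST}
      - RABBITMQ_AMQP_PORT=${RABBITMQ_AMQP_PORT}
      - RABBITMQ_USERNAME=${RABBITMQ_USERNAME}
      - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD}
      - ARCHIVE_LIFETIME_DAYS=${ARCHIVE_LIFETIME_DAYS}
      - LOGS_LIFETIME_DAYS=${LOGS_LIFETIME_DAYS}
      - SCHEDULER_INTERVAL_HOURS=${SCHEDULER_INTERVAL_HOURS}
      - CONSUL_SCHEDULER_INTERVAL_MINUTES=${CONSUL_SCHEDULER_INTERVAL_MINUTES}
    # `networks` was missing from the original example. Without it the service
    # joins the project's default network, where the `consul` name used in
    # CONSUL_HOST does not resolve; added for consistency with the other services.
    networks:
      - net-hub
    cpu_shares: 768
    deploy:
      resources:
        limits:
          memory: 1000M
          pids: 400

  # The number of hub-pipelne-agent blocks equals the number of agents: create a
  # separate block for each agent.
  # When installing on several hosts, hub-pipelne-agent must run on a separate node.
  # (The service key keeps the original spelling "pipelne"; image and
  # container_name say "pipeline".)
  hub-pipelne-agent:
    image: registry.appsec.global/appsechub/hub-pipeline-agent:${hub_pipeline_agent_version}
    container_name: hub-pipeline-agent
    networks:
      - net-hub
    # Quoted: colon-separated digits must stay a string for the YAML parser.
    user: "2000:2000"
    environment:
      # NOTE(review): in the list form of `environment` the double quotes are
      # delivered to the container as part of the value (LOG_CONSOLE receives the
      # three characters "1"), and an entry without "=" (MODEL_DEFAULT_PRACTICE)
      # is passed through from the host environment of the `docker compose`
      # invocation. Confirm the agent's settings loader tolerates both.
      - LOG_CONSOLE="1"
      - LOG_FILE="0"
      - LOG_BASE_PATH=
      - AUTH_USE="0"
      - AUTH_EXPIRED="365"
      - AUTH_SECRET_KEY=
      - AUTH_SCHEME=
      - MODEL_USE_ENCRYPTION="0"
      - MODEL_SECRET_KEY=
      - MODEL_DEFAULT_PRACTICE
      - MODEL_LOWER_LIMIT="0.8"
      - MODEL_MIN_FREE_DISK_SPACE="100"
      - LOG_LEVEL=INFO
      - ENCRYPTION_KEY=${ENC_KEY}
      - PIPELINE_SERVICE_NAME=grpc-pipeline-50053
      - SCANS_FOLDER=/app/scans_folder
      - ARCHIVE_FOLDER=/app/archive_folder
      # NOTE(review): these use RABBITMQ_PORT / RABBITMQ_USER while rabbitmq and
      # hub-pipeline use RABBITMQ_AMQP_PORT / RABBITMQ_USERNAME — both sets of
      # .env variables must be defined.
      - RABBITMQ__HOST=${RABBITMQ_HOST}
      - RABBITMQ__PORT=${RABBITMQ_PORT}
      - RABBITMQ_MANAGEMENT_PORT=${RABBITMQ_MANAGEMENT_PORT}
      - RABBITMQ__USER=${RABBITMQ_USER}
      - RABBITMQ__PASSWORD=${RABBITMQ_PASSWORD}
      - RABBITMQ__EXCHANGE=${RABBITMQ_EXCHANGE}
      - RABBITMQ__ROUTING_KEY=${RABBITMQ_ROUTING_KEY}
      # NOTE(review): the other services use http://consul; inside this container
      # localhost is the container itself, and no Consul client agent is part of
      # this file — confirm this is intended for the separate-node setup.
      - CONSUL__HOST=http://localhost
      - CONSUL__PORT=8500
      - CONSUL__TOKEN=${CONSUL_TOKEN}
      - GRPC__ID=${GRPC_ID}
      - GRPC__NAME=${GRPC_NAME}
      - GRPC__TAGS=${GRPC_TAGS}
      - GRPC__PORT=${GRPC_PORT}
      - GRPC__ADDRESS=${GRPC_ADDRESS}
      - LANG=en_US.utf-8
      # Plain-text Docker API of the docker-in-docker service (see its note).
      - DOCKER_HOST=tcp://docker-in-docker:2375
      - PIPELINE_SERVICE_HOST=${PIPELINE_SERVICE_HOST}
      - PIPELINE_SERVICE_PORT=${PIPELINE_SERVICE_PORT}
    volumes:
      # SSH material is mounted read-write; make it `:ro` unless the agent has
      # to write known_hosts there.
      - ./ssh-pub-keys-all:/home/ubuntu/.ssh
      # Host time zone files are never written by the agent, hence read-only.
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./certs:/tmp/certs
    restart: on-failure:5
    cpu_shares: 2048
    deploy:
      resources:
        limits:
          memory: 3072M

  docker-in-docker:
    image: registry.appsec.global/public/sfs-docker:19.03.3-dind
    container_name: docker-in-docker
    # NOTE(review): a privileged daemon with TLS disabled (empty
    # DOCKER_TLS_CERTDIR) serves an unauthenticated Docker API on tcp/2375 to
    # every container on net-hub, i.e. any of them can start privileged
    # containers on this host. Put dind on a dedicated network shared only with
    # hub-pipelne-agent, or enable TLS client authentication. The pinned dind
    # release (19.03.3) is also several years old — consider updating.
    privileged: true
    volumes:
      - ./docker-certs:/etc/docker/certs.d
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      - DOCKER_TLS_CERTDIR=
    networks:
      - net-hub
    # pids_limit: 100
    restart: on-failure:5
    cpu_shares: 512
    deploy:
      resources:
        limits:
          memory: 512M
          pids: 100

  metrics-db:
    env_file:
      - path: docker/.env # default
        required: true
      - path: docker/.env-local # optional override
        required: false
    image: registry.appsec.global/public/sfs-postgresql:13.2.2-alpine
    networks:
      - net-hub
    container_name: metrics-db
    restart: unless-stopped
    # POSTGRES_PASSWORD is not set here; presumably it comes from docker/.env.
    environment:
      - POSTGRES_USER=metrics
      - POSTGRES_DB=metrics
      - PGDATA=/var/lib/postgresql/data
    # Bind mount of ./db-data — not the named `db-data` volume declared at the
    # bottom of the file.
    volumes:
      - ./db-data:/var/lib/postgresql/data
    deploy:
      resources:
        limits:
          memory: 600M
          pids: 400

  metrics:
    env_file:
      - path: docker/.env # default
        required: true
      - path: docker/.env-local # optional override
        required: false
    # Image, dependency list and volumes come from the x-metrics-* anchors so
    # they stay identical to metrics-init.
    image: *metrics-image
    networks:
      - net-hub
    container_name: hub-superset
    command: ["/app/docker/docker-bootstrap.sh", "app-gunicorn"]
    # NOTE(review): runs as root (metrics-init too) while the other services use
    # uid 2000 or the image default — confirm the bootstrap script requires it.
    user: "root"
    restart: unless-stopped
    depends_on: *metrics-depends-on
    volumes: *metrics-volumes
    deploy:
      resources:
        limits:
          memory: 600M
          pids: 400

  metrics-init:
    image: *metrics-image
    networks:
      - net-hub
    container_name: metrics-init
    command: ["/app/docker/docker-init.sh"]
    env_file:
      - path: docker/.env # default
        required: true
      - path: docker/.env-local # optional override
        required: false
    depends_on:
      metrics-db:
        condition: service_healthy
    user: "root"
    volumes: *metrics-volumes
    healthcheck:
      disable: true
    deploy:
      resources:
        limits:
          memory: 300M
          pids: 400

  metrics-appsechub-bridge:
    container_name: 'metrics-appsechub-bridge'
    image: registry.appsec.global/appsechub/hub-metrics-bridge:${hub_metrics_bridge_version}
    networks:
      - net-hub
    depends_on:
      metrics-db:
        condition: service_healthy
    # Mapping form of `environment` (the other services use the list form).
    environment:
      PG_USER: ${metrics_pg_user}
      PGPASSWORD: ${metrics_pg_password}
      PG_URL: ${metrics_pg_url}
      SCHEDULER_DB_PASSWORD: ${metrics_scheduler_db_password}
      METRICS_DB_PASSWORD: ${metrics_db_password}
      REMOTE_HOST_DB: ${pgsql_url}
      REMOTE_PORT_DB: ${pgsql_port}
      REMOTE_DB: ${hub_db_name}
      # NOTE(review): the bridge connects to the hub database as the hubadm
      # (administrative) role. If it only reads data, a least-privilege role —
      # flyway-db also provisions a hubbi user — would limit the blast radius
      # of a compromised bridge container.
      REMOTE_USER_DB: hubadm
      REMOTE_PASSWORD_DB: ${hub_adm_password}
      METRICS_HOST: ${metrics_host}
      METRICS_PORT: ${metrics_port}
      METRICS_USERNAME: ${metrics_username}
      METRICS_PASSWORD: ${metrics_password}
      METRICS_DATABASE_URL: ${metrics_database_url}
      CHRON: "0 0 * * * *"
      CONSUL_HOST: http://consul
      CONSUL_PORT: 8500
      CONSUL_TOKEN: ${CONSUL_TOKEN}
    restart: on-failure:5
    deploy:
      resources:
        limits:
          memory: 600M
          pids: 400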
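# Named volumes. Only `metrics_home` is referenced by the services above (via
# the x-metrics-volumes anchor); `db_home` is unused and metrics-db bind-mounts
# ./db-data from the host rather than the `db-data` volume declared here —
# confirm which storage is intended before relying on either.
volumes:
  metrics_home:
    external: false
  db_home:
    external: false
  db-data:
    driver: local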
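# Single internal bridge network shared by all services (docker-in-docker
# included — see the note on that service).
networks:
  net-hub:
    driver: "bridge"
    driver_opts:
      # Driver options are handed to the network driver as strings; quoted so
      # the YAML parser does not re-type the MTU as an integer.
      com.docker.network.driver.mtu: "1450"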