Skip to content

Improve Docker setup with deprecation fixes and security hardening #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ggfevans wants to merge 1 commit into from
Closed

Improve Docker setup with deprecation fixes and security hardening #9

ggfevans wants to merge 1 commit into from

Conversation

@ggfevans
Copy link
Contributor

@ggfevans ggfevans commented Jan 20, 2026
edited
Loading

Addresses #7

  • Replace deprecated npm ci --only=production with npm ci --omit=dev
  • Remove deprecated top-level version field from compose files
  • Remove redundant healthcheck definitions (Dockerfiles are source of truth)
  • Add missing LASTFM_API_KEY to docker-compose.dev.yml
  • Add security hardening: no-new-privileges and cap_drop ALL

Capabilities Explanation

We use cap_drop: ALL to remove all Linux capabilities, then add back only what's required:

Container Capabilities Reason
Backend SETUID, SETGID su-exec drops from root to nodejs user at runtime
Frontend CHOWN, SETUID, SETGID nginx entrypoint sets up cache directories and spawns workers

Why this is still a security win

Default Docker containers have ~14 capabilities. With this change:

Removed (no longer available to containers):

  • NET_RAW - Raw packet crafting
  • SYS_CHROOT - Chroot jail creation
  • MKNOD - Device node creation
  • AUDIT_WRITE - Kernel audit log writes
  • DAC_OVERRIDE - Bypass file permission checks
  • FOWNER - Bypass ownership checks
  • FSETID - Set file SUID/SGID bits
  • KILL - Send signals to any process
  • NET_BIND_SERVICE - Bind to privileged ports
  • SETFCAP - Set file capabilities
  • SETPCAP - Modify process capabilities

Retained (minimum required):

  • SETUID/SETGID - User switching (both containers)
  • CHOWN - Ownership changes (frontend only)

@ggfevans @claude
Improve Docker setup with deprecation fixes and security hardening
7961967 
- Replace deprecated `npm ci --only=production` with `npm ci --omit=dev`
- Remove deprecated top-level `version` field from compose files
- Remove redundant healthcheck definitions (Dockerfiles are source of truth)
- Add missing LASTFM_API_KEY to docker-compose.dev.yml
- Add security hardening: no-new-privileges and cap_drop ALL

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@ggfevans
Copy link
Contributor Author

ggfevans commented Jan 21, 2026

closing in lieu of #14 & #15

@ggfevans ggfevans closed this Jan 21, 2026
@ggfevans ggfevans deleted the docker-improvements branch January 21, 2026 04:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ggfevans