tweaking, hardening

docker/heralding/Dockerfile

@@ -22,14 +22,14 @@ RUN apk -U upgrade && \
     cd /opt/ && \
     git clone https://github.com/johnnykv/heralding && \
     cd heralding && \
-    mv /root/dist/heralding.yml /opt/heralding/ && \
     pip3 install -r requirements.txt && \
     pip3 install heralding && \
 
 # Setup user, groups and configs
     addgroup -g 2000 heralding && \
     adduser -S -H -s /bin/bash -u 2000 -D -g 2000 heralding && \
-    mkdir -p /var/log/heralding/ && \
+    mkdir -p /var/log/heralding/ /etc/heralding && \
+    mv /root/dist/heralding.yml /etc/heralding/ && \
 
 # Clean up
     apk del --purge \
@@ -45,5 +45,5 @@ RUN apk -U upgrade && \
     rm -rf /var/cache/apk/*
 
 # Start elasticpot
-WORKDIR /opt/heralding/
-CMD ["heralding","-l","/var/log/heralding/heralding.log"]
+WORKDIR /tmp/heralding/
+CMD ["heralding","-c","/etc/heralding/heralding.yml","-l","/var/log/heralding/heralding.log"]

docker/heralding/docker-compose.yml

@@ -10,6 +10,10 @@ services:
     build: .
     container_name: heralding
     restart: always
+    environment:
+      - PYTHON_EGG_CACHE=/tmp/heralding
+    tmpfs:
+      - /tmp/heralding:exec
     networks:
      - heralding_local
     ports:
@@ -26,5 +30,6 @@ services:
      - "5432:5432"
      - "5900:5900"
     image: "dtagdevsec/heralding:1804"
+    read_only: true
     volumes:
      - /data/heralding/log:/var/log/heralding