Production Hardening

.travis.yml

@@ -12,11 +12,13 @@ install:
     - sleep 30
 
 env:
-    - BUILD="docker-compose up -d"
-    - BUILD="docker run -d --name db -e POSTGRES_USER=mmuser -e POSTGRES_PASSWORD=mmuser_password -e POSTGRES_DB=mattermost mattermost-prod-db && sleep 5 && docker run -d --link db -p 80:80 --name app mattermost-prod-app"
+    - BUILD="mkdir -p ./volumes/app/mattermost/{data,logs,config} && docker-compose up -d"
+    - BUILD="docker run -d --name db -e POSTGRES_USER=mmuser -e POSTGRES_PASSWORD=mmuser_password -e POSTGRES_DB=mattermost mattermost-prod-db && sleep 5 && docker run -d --link db -p 80:8000 --name app mattermost-prod-app"
 
 script:
     - curl -sSf http://localhost > /dev/null
+    - docker ps -a | grep app | grep healthy
+    - docker ps -a | grep db | grep healthy
 
 after_failure:
     - timeout 3s docker-compose logs app db web

README.md

@@ -86,7 +86,10 @@ them you may generate a self-signed SSL certificate.
 ### Starting/Stopping Docker
 
 #### Start
+If you are running docker with non root user, make sure the UID and GID in app/Dockerfile are the same as your current UID/GID
 ```
+mkdir -p ./volumes/app/mattermost/{data,logs,config}
+chown -R $UID:$GID ./volumes/app/mattermost/
 docker-compose start
 ```
 

app/Dockerfile

@@ -6,6 +6,9 @@ ENV MM_VERSION=4.7.2
 
 # Build argument to set Mattermost edition
 ARG edition=enterprise
+ARG PUID=2000
+ARG PGID=2000
+
 
 # Install some needed packages
 RUN apk add --no-cache \
@@ -27,14 +30,24 @@ RUN mkdir -p /mattermost/data \
     && cp /mattermost/config/config.json /config.json.save \
     && rm -rf /mattermost/config/config.json
 
+# Get ready for production
+RUN addgroup -g ${PGID} mattermost \
+    && adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
+    && chown -R mattermost:mattermost /mattermost /config.json.save 
+
+USER mattermost 
+
+#Healthcheck to make sure container is ready
+HEALTHCHECK CMD curl --fail http://localhost:8000 || exit 1
+
 # Configure entrypoint and command
 COPY entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
 WORKDIR /mattermost
 CMD ["platform"]
 
-# Expose port 80 of the container
-EXPOSE 80
+# Expose port 8000 of the container
+EXPOSE 8000
 
-# Use a volume for the data directory
-VOLUME /mattermost/data
+# Declare volumes for mount point directories
+VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config"]

app/entrypoint.sh

@@ -35,7 +35,7 @@ if [ "$1" = 'platform' ]; then
     # Copy default configuration file
     cp /config.json.save $MM_CONFIG
     # Substitue some parameters with jq
-    jq '.ServiceSettings.ListenAddress = ":80"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
     jq '.LogSettings.EnableConsole = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
     jq '.LogSettings.ConsoleLevel = "INFO"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
     jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG

db/Dockerfile

@@ -18,7 +18,12 @@ RUN apk add --no-cache \
 # Add wale script
 COPY setup-wale.sh /docker-entrypoint-initdb.d/
 
+#Healthcheck to make sure container is ready
+HEALTHCHECK CMD pg_isready -U postgres || exit 1
+
 # Add and configure entrypoint and command
 COPY entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["postgres"]
+
+VOLUME ["/var/run/postgresql", "/usr/share/postgresql/", "/var/lib/postgresql/data", "/tmp"]

docker-compose.yml

@@ -4,6 +4,7 @@ services:
 
   db:
     build: db
+    read_only: true
     restart: unless-stopped
     volumes:
       - ./volumes/db/var/lib/postgresql/data:/var/lib/postgresql/data
@@ -24,6 +25,7 @@ services:
       # comment out 2 following lines for team edition
       # args:
       #   - edition=team
+    #read_only: true
     restart: unless-stopped
     volumes:
       - ./volumes/app/mattermost/config:/mattermost/config:rw
@@ -43,6 +45,7 @@ services:
     ports:
       - "80:80"
       - "443:443"
+    read_only: true
     restart: unless-stopped
     volumes:
       # This directory must have cert files if you want to enable SSL

web/Dockerfile

@@ -1,11 +1,19 @@
 FROM nginx:mainline-alpine
 
 # Remove default configuration and add our custom Nginx configuration files
-RUN rm /etc/nginx/conf.d/default.conf
-COPY ./mattermost /etc/nginx/sites-available/
-COPY ./mattermost-ssl /etc/nginx/sites-available/
+RUN rm /etc/nginx/conf.d/default.conf \
+    && apk add --no-cache curl
+
+COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
 COPY ./security.conf /etc/nginx/conf.d/
 
 # Add and setup entrypoint
 COPY entrypoint.sh /
+
+#Healthcheck to make sure container is ready
+HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
+
 ENTRYPOINT ["/entrypoint.sh"]
+
+VOLUME ["/var/run", "/etc/nginx/conf.d/", "/var/cache/nginx/"]
+

web/entrypoint.sh

@@ -2,7 +2,7 @@
 
 # Define default value for app container hostname and port
 APP_HOST=${APP_HOST:-app}
-APP_PORT_NUMBER=${APP_PORT_NUMBER:-80}
+APP_PORT_NUMBER=${APP_PORT_NUMBER:-8000}
 
 # Check if SSL should be enabled (if certificates exists)
 if [ -f "/cert/cert.pem" -a -f "/cert/key-no-password.pem" ]; then