diff --git a/.github/workflows/redis-docker.yml b/.github/workflows/redis-docker.yml
index 9f158b3..35fc38e 100644
--- a/.github/workflows/redis-docker.yml
+++ b/.github/workflows/redis-docker.yml
@@ -5,6 +5,8 @@ on:
 branches:
 - redis
 - redis-tests
+ schedule:
+ - cron: '0 0 * * 1' # Run weekly to check for base image updates
 permissions:
 contents: read
@@ -12,9 +14,35 @@ permissions:
 packages: write
 jobs:
+ check-base-images:
+ name: Check Base Images
+ runs-on: ubuntu-latest
+ outputs:
+ base_image: ${{ steps.get-base-image.outputs.base_image }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Get base image from Dockerfile
+ id: get-base-image
+ run: |
+ BASE_IMAGE=$(grep "^FROM.*as builder" Dockerfile | awk '{print $2}')
+ echo "base_image=${BASE_IMAGE}" >> "$GITHUB_OUTPUT"
+ echo "Found base image: ${BASE_IMAGE}"
+ - name: Check base image updates
+ uses: docker/scout-action@v1
+ with:
+ command: recommendations,cves
+ image: ${{ steps.get-base-image.outputs.base_image }}
+ only-fixed: true
+ only-severities: critical,high
+ exit-code: true
+
 security-checks:
 name: Security Checks
 runs-on: ubuntu-latest
+ needs: check-base-images
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
diff --git a/docker/docker-redis/docker-compose.yml b/docker/docker-redis/docker-compose.yml
index e262fdc..471a6d7 100644
--- a/docker/docker-redis/docker-compose.yml
+++ b/docker/docker-redis/docker-compose.yml
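Review bot: The new `- cron: '0 0 * * 1'` trigger only fires from the copy of this workflow on the repository's default branch, while the push triggers right above it list only `redis` and `redis-tests`; if the file lives solely on those branches the weekly scan never runs, and if it does run it scans whatever Dockerfile the default branch holds rather than the one these branches build. Either land the workflow on the default branch or give the scanning job's checkout an explicit `ref:` pointing at the branch the images are built from. Since a scheduled run receives the same workflow-level `packages: write` token as a push, also verify that any publish job further down is gated on `github.event_name != 'schedule'` if the weekly run is meant to be scan-only.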
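Review bot: The `grep "^FROM.*as builder" Dockerfile | awk '{print $2}'` in the get-base-image step is case-sensitive and takes the second token blindly, so a Dockerfile written as `FROM --platform=$BUILDPLATFORM python:3.12-slim AS builder` yields either an empty string or `--platform=...`, and the job then dies in the Scout step with an unhelpful error instead of at the parsing step. Match the stage case-insensitively, skip `--` flag tokens and fail fast when nothing matches, as below. Two smaller points: the new job inherits the workflow's `packages: write` although it only reads the repository, so give it a job-level `permissions: contents: read`; and `docker/scout-action@v1` / `actions/checkout@v4` are mutable tags, so for a job that gates the pipeline on scan results pin them to full commit SHAs. Docker Scout normally needs Docker Hub credentials (`dockerhub-user`/`dockerhub-password` or a preceding login step), which this step does not supply, so confirm the scan does not simply fail on authentication.
```yaml
      - name: Get base image from Dockerfile
        id: get-base-image
        run: |
          # Match "FROM [--platform=...] <image> AS builder" regardless of case and skip flag tokens
          BASE_IMAGE=$(awk 'toupper($1) == "FROM" && toupper($(NF-1)) == "AS" && tolower($NF) == "builder" {
                             for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; exit } }' Dockerfile)
          if [ -z "${BASE_IMAGE}" ]; then
            echo "::error::no 'FROM ... AS builder' stage found in Dockerfile"
            exit 1
          fi
          echo "base_image=${BASE_IMAGE}" >> "$GITHUB_OUTPUT"
          echo "Found base image: ${BASE_IMAGE}"
```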
@@ -3,13 +3,15 @@ version: '3.8'
 services:
 redis:
 image: redis:7.2-alpine
- command: redis-server /usr/local/etc/redis/redis.conf
+ command: >
+ sh -c "envsubst < /usr/local/etc/redis/redis.conf.template > /usr/local/etc/redis/redis.conf &&
+ redis-server /usr/local/etc/redis/redis.conf"
 volumes:
- - ./redis.conf:/usr/local/etc/redis/redis.conf
+ - ./redis.conf:/usr/local/etc/redis/redis.conf.template:ro
 ports:
 - "6379:6379"
 healthcheck:
- test: ["CMD", "redis-cli", "ping"]
+ test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD}", "ping"]
 interval: 5s
 timeout: 3s
 retries: 3
@@ -23,6 +25,9 @@ services:
 tmpfs:
 - /tmp
 - /var/run
+ - /usr/local/etc/redis
+ environment:
+ - REDIS_PASSWORD=${REDIS_PASSWORD}
 api:
 build:
@@ -48,6 +53,7 @@ services:
 - AWS_CONFIG_FILE=/root/.aws/config
 - AWS_PROFILE=${AWS_PROFILE:-default}
 - CACHE_EXPIRY=600
+ - PYTHONUNBUFFERED=1
 volumes:
 - ~/.aws:/root/.aws:ro
 ports:
@@ -74,10 +80,9 @@ services:
 command: ["gunicorn", "--bind", "0.0.0.0:5001", "--workers", "${GUNICORN_WORKERS:-8}", "api:app"]
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:5001/health"]
- interval: 30s
- timeout: 10s
+ interval: 10s
+ timeout: 5s
 retries: 3
- start_period: 10s
 logging:
 driver: "json-file"
 options:
diff --git a/docker/docker-redis/redis.conf b/docker/docker-redis/redis.conf
index 651501b..2b072cc 100644
--- a/docker/docker-redis/redis.conf
+++ b/docker/docker-redis/redis.conf
@@ -14,6 +14,9 @@ tls-key-file ""
 tls-auth-clients no
 tls-prefer-server-ciphers yes
+# Security
+requirepass ${REDIS_PASSWORD}
+
 # General
 daemonize no
 supervised no
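Review bot: Wrapping the start command in `sh -c` in the redis service's `command:` defeats the image's privilege drop: the official image's entrypoint only switches to the `redis` user when its first argument is `redis-server`, so with `sh` as the first argument the whole chain, redis-server included, runs as root unless the service sets `user:` somewhere outside this hunk. Re-enter the entrypoint after rendering the config (`exec docker-entrypoint.sh redis-server ...`) so the existing `su-exec redis` path is taken, and scope `envsubst` to the one variable you mean to expand, since with no argument it rewrites every `$NAME` in the template. The new healthcheck passes the password with `-a`, which stores it in the container's Healthcheck config (visible via `docker inspect`) and in the process list on every probe; hand it over through `REDISCLI_AUTH` in a `CMD-SHELL` test instead, where `$$` stops Compose from interpolating it at parse time. Also, `redis:7.2-alpine` may not ship `envsubst` (it belongs to gettext), so confirm the container actually starts, and note that `"6379:6379"` still publishes Redis on every host interface, so the password is the only thing between the network and the server — prefer `"127.0.0.1:6379:6379"` unless remote access is intended.
```yaml
    command: >
      sh -c "envsubst '$${REDIS_PASSWORD}' < /usr/local/etc/redis/redis.conf.template > /usr/local/etc/redis/redis.conf &&
      exec docker-entrypoint.sh redis-server /usr/local/etc/redis/redis.conf"
    # ... unchanged: volumes, ports ...
    healthcheck:
      test: ["CMD-SHELL", "REDISCLI_AUTH=\"$$REDIS_PASSWORD\" redis-cli ping | grep -q PONG"]
```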
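Review bot: `- REDIS_PASSWORD=${REDIS_PASSWORD}` in the new `environment:` block silently becomes an empty string when the variable is unset on the host (Compose only warns), and the rendered config then carries a `requirepass` line with no value, so whether the server refuses to start or comes up unauthenticated depends on how redis-server parses that rather than on an explicit decision. Make the secret mandatory: `- REDIS_PASSWORD=${REDIS_PASSWORD:?REDIS_PASSWORD must be set}`, which makes `docker compose up` stop with a clear message. The new `/usr/local/etc/redis` tmpfs entry is a good choice because the rendered file holding the plaintext password never touches the host filesystem; it is presumably created with the rendering shell's default umask (0644), which is acceptable only as long as nothing else runs in that container.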
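Review bot: Removing `start_period: 10s` from the api healthcheck means probe failures during gunicorn's startup now count toward `retries`, so with the tightened `interval: 10s`/`timeout: 5s` the service can be reported unhealthy roughly 30 s after launch if the workers are not yet serving `/health`, which stalls anything waiting on `depends_on: condition: service_healthy`. Keep a start period alongside the faster cadence, e.g. `start_period: 10s` (or longer, sized to the observed cold start with `${GUNICORN_WORKERS:-8}` workers), since that grace window is exactly what the field exists for.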
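Review bot: `requirepass ${REDIS_PASSWORD}` is written unquoted into the rendered config, and `envsubst` expands the value verbatim with no escaping, so a password containing whitespace or a double quote breaks redis-server's line parsing. Either quote it as `requirepass "${REDIS_PASSWORD}"` and document that the value must not contain `"` or `\` (the config parser interprets backslash escapes inside quotes), or generate the secret from a character set that is safe for both this file and the `redis-cli` healthcheck. Since this file is now a template, a one-line comment above it would also help: `# ${REDIS_PASSWORD} is substituted by envsubst at container start; never put a literal password here`.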
@@ -33,23 +36,24 @@ dbfilename dump.rdb
 dir /data
 # Memory Management
-maxmemory 512mb
+maxmemory 256mb
 maxmemory-policy allkeys-lru
 maxmemory-samples 5
-# Security
-requirepass ${REDIS_PASSWORD}
-rename-command FLUSHDB ""
-rename-command FLUSHALL ""
-rename-command DEBUG ""
-rename-command CONFIG ""
+# Append only mode
+appendonly no
+appendfilename "appendonly.aof"
+appendfsync everysec
+no-appendfsync-on-rewrite no
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
 # Slow Log
 slowlog-log-slower-than 10000
 slowlog-max-len 128
 # Latency Monitor
-latency-monitor-threshold 100
+latency-monitor-threshold 0
 # Event Notification
 notify-keyspace-events ""
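Review bot: Deleting the four `rename-command ... ""` lines re-enables `CONFIG`, `DEBUG`, `FLUSHALL` and `FLUSHDB` for every authenticated client, a security regression that nothing else in this hunk explains; `CONFIG SET dir`/`dbfilename` followed by `SAVE` is the standard post-authentication primitive for writing files as the redis process user, and `FLUSHALL` turns a leaked password into a one-command cache wipe. If the lines were dropped because `rename-command` is deprecated in Redis 7, replace them with an ACL on the default user in place of `requirepass`, e.g. `user default on >${REDIS_PASSWORD} ~* &* +@all -config -debug -flushall -flushdb`, or start from `-@dangerous` and add back only the commands the api service actually issues; otherwise restore the four lines. Unrelated to security, `latency-monitor-threshold 0` switches the latency monitor off entirely rather than raising its threshold, so if that is intended a comment saying so would spare the next reader a lookup.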