Add the base for the docker swarm

Author: ThibaultDac

README.md

@@ -1,2 +1,82 @@
 # pyro-devops
+
 Deployment and infrastructure management
+
+  
+
+## Getting started
+
+## Structure
+
+The file docker-swarm.yml is used for the docker swarm
+The folder nginx is a demo for a image of a reverse proxy with nginx 
+
+### Prerequisites
+
+  
+- Docker swarm
+
+  
+
+### Installation
+
+https://docs.docker.com/get-docker/
+
+https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/
+
+  
+## Security good practice
+https://docs.docker.com/engine/install/linux-postinstall/
+Log your infrastructure and your containers (portainer,...) 
+Run your ssh/administration on a private network (with bastion + vpn)
+https://www.stackrox.com/post/2019/09/docker-security-101/
+AppArmor/ SELinux,failtoban, iptable, waf
+Check your SLA, IT Disastery Recovery process
+Vulnerability assessment and management (VAM)
+Identity and Access Management
+
+## Usage
+
+
+
+
+Export the variables/secret in your env file (if you don't have a Vault) 
+```
+export BUCKET_MEDIA_FOLDER=media
+...
+```
+  
+If needed build your images (for exemple the mynginx image in the folder nginx) and push it in the local registry
+
+```
+docker run -d -p 5000:5000 --restart=always --name registry registry:2 #start the local registry
+
+docker build -t pyro/mynginx .
+
+docker image tag pyro/mynginx localhost:5000/mynginx
+
+docker push localhost:5000/mynginx:latest
+
+docker pull localhost:5000/mynginx
+```
+
+and after deploy your docker swarm
+```
+
+docker stack deploy -c docker-swarm.yml my_node
+
+```
+
+You can check that the service is running with
+
+
+
+```
+
+docker service ls
+
+docker ps
+
+docker service logs xxxxxx
+
+```

docker-swarm.yml

@@ -0,0 +1,68 @@
+version: '3.7'
+
+services:
+  web:
+    image: localhost:5000/myapp:latest #Todo change for have the offical pyro-api image on docker hub
+    command: uvicorn app.main:app --reload --workers 1 --host 0.0.0.0 --port 5000 #if the port if edited, please inject a new nginx.conf config in the reverseproxy
+    volumes:
+      - ./src/:/usr/src/app/
+    environment:
+      - DATABASE_URL=postgresql://pyro_api:pyro_api@db/pyro_api_dev #todo fill here the  real  values from the vault/env
+      - TEST_DATABASE_URL=postgresql://pyro_api_test:pyro_api_test@test_db/pyro_api_dev_test #todo fill here the real values from the vault/env
+      - SUPERUSER_LOGIN=superuser #todo fill here the  real  values from the vault/env
+      - SUPERUSER_PWD=superuser #todo fill here the  real  values from the vault/env
+      - QARNOT_TOKEN=${QARNOT_TOKEN}
+      - BUCKET_NAME=${BUCKET_NAME}
+      - BUCKET_MEDIA_FOLDER=${BUCKET_MEDIA_FOLDER}
+    deploy:
+      resources: #todo increase the limit if needed
+          limits:
+            cpus: '0.60'
+            memory: 100M
+          reservations:
+            cpus: '0.50'
+            memory: 40M
+      replicas: 15 # for some load balancing
+      restart_policy:
+        max_attempts: 3
+        condition: on-failure
+      update_config:
+        parallelism: 3
+        delay: 10s
+    networks:
+      - balance
+    cap_drop:
+      - ALL #limit the permission of the service
+  db:
+    image: postgres:12.1-alpine 
+    volumes:
+      - postgres_data:/var/lib/postgresql/data/ #for data persistence
+    environment:
+      - POSTGRES_USER=pyro_api #todo fill here the  real  values from the vault/env
+      - POSTGRES_PASSWORD=pyro_api #todo fill here the  real  values from the vault/env
+      - POSTGRES_DB=pyro_api_dev #todo fill here the  real  values from the vault/env
+    networks:
+      - balance
+
+  proxytwo:
+    image: localhost:5000/mynginx:latest #nginx with some security addition
+    ports:
+      - 80:6000 #todo use https (port 443) when the certificate is ready
+    depends_on:
+      - web 
+    deploy:
+      placement:
+        constraints: [node.role == manager]
+    networks:
+      - balance
+
+networks:
+  balance:
+    driver: overlay
+
+volumes:
+  postgres_data:
+
+
+
+

nginx/Dockerfile

@@ -0,0 +1,37 @@
+FROM nginx
+RUN rm /etc/nginx/conf.d/default.conf
+
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY common.conf /etc/nginx/common.conf
+COPY common_location.conf /etc/nginx/common_location.conf
+COPY buffer.conf /etc/nginx/buffer.conf
+#USER root
+
+
+
+## add permissions for nginx user
+#RUN chown -R nginx:nginx /var/cache/nginx && \
+#        chown -R nginx:nginx /var/log/nginx && \
+#        chown -R nginx:nginx /etc/nginx/conf.d
+#RUN touch /var/run/nginx.pid && \
+#        chown -R nginx:nginx /var/run/nginx.pid
+ARG NGINX_MODULES=" \
+    --with-http_ssl_module \
+    --with-http_v2_module \
+    --with-http_gzip_static_module \
+    --with-http_stub_status_module \
+    --with-file-aio \
+    --with-threads \
+    --with-pcre-jit \
+    --without-http_ssi_module \
+    --without-http_scgi_module \
+    --without-http_uwsgi_module \
+    --without-http_geo_module \
+    --without-http_autoindex_module \
+    --without-http_split_clients_module \
+    --without-http_memcached_module \
+    --without-http_empty_gif_module \
+    --without-http_browser_module"
+#USER nginx
+#COPY nginx.conf /etc/nginx/conf.d/default.conf2
+

nginx/buffer.conf

@@ -0,0 +1,4 @@
+client_body_buffer_size  1k;
+client_header_buffer_size 1k;
+client_max_body_size 1k;
+large_client_header_buffers 2 1k;

nginx/common.conf

@@ -0,0 +1,4 @@
+add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
+add_header X-Frame-Options              SAMEORIGIN;
+add_header X-Content-Type-Options       nosniff;
+add_header X-XSS-Protection             "1; mode=block";

nginx/common_location.conf

@@ -0,0 +1,6 @@
+proxy_set_header    X-Real-IP           $remote_addr;
+proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+proxy_set_header    X-Forwarded-Proto   $scheme;
+proxy_set_header    Host                $host;
+proxy_set_header    X-Forwarded-Host    $host;
+proxy_set_header    X-Forwarded-Port    $server_port;

nginx/nginx.conf

@@ -0,0 +1,26 @@
+upstream loadbalance {
+    least_conn;
+    server web:5000;
+}
+
+server {
+  server_name   pyro.test;
+  server_tokens off;
+  listen 6000;
+  include /etc/nginx/common.conf;
+  include /etc/nginx/buffer.conf;
+  #limit_conn_zone $binary_remote_addr zone=addr:5m;  todo
+  #limit_conn addr 1; todo
+  #todo check all the methods in the api
+  if ($request_method !~ ^(GET|HEAD|POST|DELETE)$) { 
+   return 444;
+  }
+  
+  #todo create the certificate and import it
+  #include      /etc/nginx/ssl.conf;for ssl 
+  #return 301 https://$host$request_uri; 
+    location / {
+        proxy_pass http://loadbalance;
+        include /etc/nginx/common_location.conf;
+    }
+}

nginx/ssl.conf

@@ -0,0 +1,12 @@
+ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
+ssl_ecdh_curve              secp384r1;
+ssl_ciphers                 "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
+ssl_prefer_server_ciphers   on;
+ssl_dhparam                 /etc/nginx/dhparams.pem;
+ssl_certificate             /etc/ssl/private/fullchain.pem;
+ssl_certificate_key         /etc/ssl/private/privkey.pem;
+ssl_session_timeout         10m;
+ssl_session_cache           shared:SSL:10m;
+ssl_session_tickets         off;
+ssl_stapling                on;
+ssl_stapling_verify         on;

nginx/sysctl.conf

@@ -0,0 +1,68 @@
+# Avoid a smurf attack
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+ 
+# Turn on protection for bad icmp error messages
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+ 
+# Turn on syncookies for SYN flood attack protection
+net.ipv4.tcp_syncookies = 1
+ 
+# Turn on and log spoofed, source routed, and redirect packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+ 
+# No source routed packets here
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+ 
+# Turn on reverse path filtering
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+ 
+# Make sure no one can alter the routing tables
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+ 
+# Don't act as a router
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+ 
+ 
+# Turn on execshild
+kernel.exec-shield = 1
+kernel.randomize_va_space = 1
+ 
+# Tuen IPv6
+net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.default.dad_transmits = 0
+net.ipv6.conf.default.max_addresses = 1
+ 
+# Optimization for port usefor LBs
+# Increase system file descriptor limit
+fs.file-max = 65535
+ 
+# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+kernel.pid_max = 65536
+ 
+# Increase system IP port limits
+net.ipv4.ip_local_port_range = 2000 65000
+ 
+# Increase TCP max buffer size setable using setsockopt()
+net.ipv4.tcp_rmem = 4096 87380 8388608
+net.ipv4.tcp_wmem = 4096 87380 8388608
+ 
+# Increase Linux auto tuning TCP buffer limits
+# min, default, and max number of bytes to use
+# set max to at least 4MB, or higher if you use very high BDP paths
+# Tcp Windows etc
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.netdev_max_backlog = 5000
+net.ipv4.tcp_window_scaling = 1