Use read-only filesystem

FriendsOfShopware · Jan 24, 2024 · adb75d3 · adb75d3
1 parent 17a68de
commit adb75d3
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 29 deletions.
diff --git a/cmd/project/docker_up.go b/cmd/project/docker_up.go
@@ -16,7 +16,6 @@ import (
 //go:embed templates/compose.yaml
 var composeFileTemplate string
 
-// TODO: Add --watch flag that calls docker compose watch instead of up
 var dockerUpCmd = &cobra.Command{
 	Use:   "up",
 	Short: "Start local setup",
@@ -38,7 +37,7 @@ var dockerUpCmd = &cobra.Command{
 			return err
 		}
 
-		return runTransparentCommand(exec.CommandContext(cmd.Context(), "docker", "compose", "up", "-d", "--wait"))
+		return runTransparentCommand(exec.CommandContext(cmd.Context(), "docker", "compose", "up", "-d", "--wait", "--remove-orphans"))
 	},
 }
 

diff --git a/cmd/project/templates/compose.yaml b/cmd/project/templates/compose.yaml
@@ -33,18 +33,10 @@ x-environment-cdn: &environment-cdn
     AWS_ACCESS_KEY_ID: '{{ .awsAccessKeyID }}'
     AWS_SECRET_ACCESS_KEY: '{{ .awsSecretAccessKey }}'
 
-x-volumes-app: &volumes-app # TODO: Remove these, they are not needed anymore with a CDN
-  volumes:
-    - files:/var/www/html/files
-    - theme:/var/www/html/public/theme
-    - media:/var/www/html/public/media
-    - thumbnail:/var/www/html/public/thumbnail
-    - sitemap:/var/www/html/public/sitemap
-
 x-volumes-app-cache: &volumes-app-cache
   tmpfs:
-    - /var/www/html/var/cache
-    - /var/www/html/var/log
+    - /var/www/html/var/cache:rw,noexec,nosuid,nodev,mode=1777 # Shopware needs this
+    - /home/www-data:rw,noexec,nosuid,nodev,mode=1777 # Caddy needs this
 
 services:
   database:
@@ -99,14 +91,9 @@ services:
       cdn:
         condition: service_healthy
 
-  init-perm:
-    image: alpine
-    <<: [ *environment-app, *volumes-app ]
-    command: chown 82:82 /var/www/html/files /var/www/html/public/theme /var/www/html/public/media /var/www/html/public/thumbnail /var/www/html/public/sitemap
-
   init:
     image: local
-    <<: [ *environment-app, *volumes-app ]
+    <<: *environment-app
     build:
       context: .
     entrypoint: /setup
@@ -117,15 +104,13 @@ services:
         condition: service_healthy
       cdn:
         condition: service_healthy
-      init-perm:
-        condition: service_completed_successfully
       init-cdn:
         condition: service_completed_successfully
 
   web:
     image: local
-    # read_only: true
-    <<: [ *environment-app, *volumes-app ]
+    read_only: true
+    <<: [ *environment-app, *volumes-app-cache ]
     build:
       context: .
     depends_on:
@@ -147,8 +132,8 @@ services:
 
   worker:
     image: local
-    # read_only: true
-    <<: [ *environment-app, *volumes-app ]
+    read_only: true
+    <<: [ *environment-app, *volumes-app-cache ]
     restart: unless-stopped
     build:
       context: .
@@ -159,12 +144,9 @@ services:
     deploy:
       replicas: 3
 
+# TODO: Add redis
+
 volumes:
   mysql-data:
   opensearch-data:
-  files:
-  theme:
-  media:
-  thumbnail:
-  sitemap:
   cdn: