industrial-edge-insights-multimodal: DBS vuln fix (#1149)

pooja-intel · web-flow · commit 4f19e57527e4 · 2025-11-21T09:02:03.000+05:30
This PR enhances container security by implementing read-only filesystem configurations and privilege restrictions across multiple Docker services to address DBS (Docker Bench Security) vulnerabilities.

- Added read_only: true and security_opt: no-new-privileges to multiple services
- Configured volume mounts as read-only where appropriate
- Applied security hardening to nginx_proxy, ia-fusion-analytics, dlstreamer-pipeline-server, mediamtx, and coturn services

Signed-off-by: Pooja Kumbharkar &lt;pooja.kumbharkar@intel.com&gt;
diff --git a/manufacturing-ai-suite/industrial-edge-insights-multimodal/docker-compose.yml b/manufacturing-ai-suite/industrial-edge-insights-multimodal/docker-compose.yml
@@ -235,7 +235,8 @@ services:
     container_name: nginx_proxy
     read_only: true
     user: "${TIMESERIES_UID}:${TIMESERIES_UID}"
-    # entrypoint: ["sleep", "infinity"]
+    security_opt:
+    - no-new-privileges
     command: >
      /bin/sh -c "/usr/local/bin/nginx-cert-gen.sh && exec nginx -g 'daemon off;'"
     environment:
@@ -270,7 +271,10 @@ services:
         TIMESERIES_UID: ${TIMESERIES_UID}
     container_name: ia-fusion-analytics
     image: ${DOCKER_REGISTRY}${FUSION_MODULE_IMAGE}${IMAGE_SUFFIX:+-${IMAGE_SUFFIX}}
+    read_only: true
     restart: unless-stopped
+    security_opt:
+    - no-new-privileges
     environment:
       # MQTT Configuration
       MQTT_BROKER: ia-mqtt-broker
@@ -300,6 +304,7 @@ services:
     image: ${DLSTREAMER_PIPELINE_SERVER_IMAGE}
     container_name: dlstreamer-pipeline-server
     hostname: dlstreamer-pipeline-server
+    read_only: true
     networks:
     - timeseries_network
     restart: unless-stopped
@@ -381,6 +386,10 @@ services:
     image: bluenviron/mediamtx:1.11.3
     container_name: mediamtx
     restart: unless-stopped
+    read_only: true
+    security_opt:
+    - no-new-privileges
+    user: "${TIMESERIES_UID}:${TIMESERIES_UID}"
     ports:
       - ${WHIP_SERVER_PORT}:8889   # WebRTC
       - 9554:8554   # RTSP
@@ -409,6 +418,9 @@ services:
   coturn:
     image: coturn/coturn:4.7.0
     container_name: coturn
+    read_only: true
+    security_opt:
+    - no-new-privileges
     ports:
       - "${COTURN_UDP_PORT}:3478"
       - "${COTURN_UDP_PORT}:3478/udp"
diff --git a/manufacturing-ai-suite/industrial-edge-insights-time-series/docker-compose.yml b/manufacturing-ai-suite/industrial-edge-insights-time-series/docker-compose.yml
@@ -118,11 +118,11 @@ services:
     - timeseries_network
     volumes:
     - "vol_temp_time_series_analytics_microservice:/tmp/"
-    - ./apps/${SAMPLE_APP}/time-series-analytics-config/udfs/:/tmp/${SAMPLE_APP}/udfs/
-    - ./apps/${SAMPLE_APP}/time-series-analytics-config/tick_scripts/:/tmp/${SAMPLE_APP}/tick_scripts/
-    - ./apps/${SAMPLE_APP}/time-series-analytics-config/config.json:/app/config.json
-    - ./apps/${SAMPLE_APP}/time-series-analytics-config/models/:/tmp/${SAMPLE_APP}/models/
-    - /dev/dri:/dev/dri
+    - ./apps/${SAMPLE_APP}/time-series-analytics-config/udfs/:/tmp/${SAMPLE_APP}/udfs/:ro
+    - ./apps/${SAMPLE_APP}/time-series-analytics-config/tick_scripts/:/tmp/${SAMPLE_APP}/tick_scripts/:ro
+    - ./apps/${SAMPLE_APP}/time-series-analytics-config/config.json:/app/config.json:ro
+    - ./apps/${SAMPLE_APP}/time-series-analytics-config/models/:/tmp/${SAMPLE_APP}/models/:ro
+    - /dev/dri:/dev/dri:ro
     - "/run/udev:/run/udev:ro"
     group_add:
     # render group ID for ubuntu 20.04 host OS
