690421:1536 Update ClamAV

2026-04-21 15:36:59 +07:00
parent 1549098eac
commit 486aca08a8
6 changed files with 48 additions and 147 deletions
@@ -13,6 +13,8 @@ x-logging: &default_logging
      max-size: '10m'
      max-file: '5'
 name: lcbp3-monitoring
 networks:
  lcbp3:
    external: true
@@ -162,7 +164,7 @@ services:
          memory: 256M
    environment:
      TZ: 'Asia/Bangkok'
-    # H4: cAdvisor binds 8080 ภายใน container — map เป็น 8088 บน host
+    # H4: cAdvisor binds 8080  container  map  8088  host
    ports:
      - '8088:8080'
    networks:
@@ -212,8 +214,8 @@ services:
    <<: [*restart_policy, *default_logging]
    image: grafana/promtail:2.9.0
    container_name: promtail
-    # L5: รันในฐานะ root เพราะต้องอ่าน /var/lib/docker/containers
+    # L5:  root  /var/lib/docker/containers
-    # ที่ mount เข้ามาแบบ read-only
+    #  mount  read-only
    user: '0:0'
    deploy:
      resources:
@@ -8,7 +8,7 @@
 #     - Registry ใช้ Port 5000 (domain: registry.np-dms.work)
 #     - Portainer ใช้ Port 9443 (domain: portainer.np-dms.work)
 # ============================================================
-# 🔒 SECURITY (M6):
+#  SECURITY (M6):
 #   Registry เปิด htpasswd auth (ADR-016)
 #   Prerequisite (ทำครั้งเดียวก่อน deploy):
 #     docker run --rm --entrypoint htpasswd httpd:2 -Bbn \
@@ -108,7 +108,8 @@ services:
      - lcbp3
    healthcheck:
      # test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:80/']
-      test: ["CMD-SHELL", "wget --spider -q http://localhost/ || exit 1"]
+      # test: ["CMD-SHELL", "wget --spider -q http://localhost/ || exit 1"]
      test: ["CMD", "pgrep", "nginx"]
      interval: 30s
      timeout: 10s
      retries: 3
@@ -175,14 +175,14 @@ services:
    <<: [*restart_policy, *default_logging]
    image: clamav/clamav:1.4.4
    container_name: clamav
-    security_opt:
+    # security_opt:
-      - no-new-privileges:true
+    #  - no-new-privileges:true
-    cap_drop:
+    # cap_drop:
-      - ALL
+    #   - ALL
-    cap_add:
+    # cap_add:
-      - CHOWN
+    #   - CHOWN
-      - SETUID
+    #   - SETUID
-      - SETGID
+    #   - SETGID
    deploy:
      resources:
        limits:
@@ -192,6 +192,8 @@ services:
          cpus: '0.25'
          memory: 1G
    environment:
      CLAMAV_NO_LOG_FILE: 'true'      # ปิดการเขียนไฟล์ clamd.log
      FRESHCLAM_NO_LOG_FILE: 'true'   # ปิดการเขียนไฟล์ freshclam.log
      TZ: 'Asia/Bangkok'
      CLAMAV_NO_FRESHCLAMD: 'false'
      CLAMAV_NO_CLAMD: 'false'
@@ -6,64 +6,38 @@
 #   - cadvisor:8080
 # H5: ไม่ publish ports ออก LAN, ตัด obsolete `version:` field, pin tags
 # ============================================================
-
+# Application name lcbp3-monitoring-exporter
-x-restart: &restart_policy
+version: '3.8'
  restart: unless-stopped
 x-logging: &default_logging
  logging:
    driver: 'json-file'
    options:
      max-size: '10m'
      max-file: '5'
 networks:
  lcbp3:
    external: true
-
+name: lcbp3-monitoring-exporter
 services:
  node-exporter:
-    <<: [*restart_policy, *default_logging]
+    image: prom/node-exporter:v1.7.0
    image: prom/node-exporter:v1.8.2
    container_name: node-exporter
-    deploy:
+    restart: unless-stopped
      resources:
        limits:
          cpus: '0.5'
          memory: 128M
    environment:
      TZ: 'Asia/Bangkok'
    command:
      - '--path.procfs=/host/proc'
      - '--path.sysfs=/host/sys'
      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
-    expose:
+    ports:
-      - '9100'
+      - "9100:9100"
    networks:
      - lcbp3
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    healthcheck:
      test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:9100/metrics']
      interval: 30s
      timeout: 10s
      retries: 3
  cadvisor:
-    <<: [*restart_policy, *default_logging]
+    image: gcr.io/cadvisor/cadvisor:v0.47.2
    image: gcr.io/cadvisor/cadvisor:v0.49.1
    container_name: cadvisor
-    deploy:
+    restart: unless-stopped
-      resources:
+    privileged: true
-        limits:
+    ports:
-          cpus: '0.5'
+      - "8088:8080"
          memory: 256M
    environment:
      TZ: 'Asia/Bangkok'
    expose:
      - '8080'
    networks:
      - lcbp3
    volumes:
@@ -71,8 +45,18 @@ services:
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro
-    healthcheck:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:8080/healthz']
+
-      interval: 30s
+  mysqld-exporter:
-      timeout: 10s
+    image: prom/mysqld-exporter:v0.15.0
-      retries: 3
+    container_name: mysqld-exporter
    restart: unless-stopped
    user: root
    command:
      - '--config.my-cnf=/etc/mysql/my.cnf'
    ports:
      - "9104:9104"
    networks:
      - lcbp3
    volumes:
      - "/share/np-dms/monitoring/mysqld-exporter/.my.cnf:/etc/mysql/my.cnf:ro"
@@ -1,7 +1,7 @@
 # File: /share/np-dms/n8n/docker-compose.yml
 # DMS Container v1.8.6 — Application: n8n
 # ============================================================
-# 🔒 SECURITY:
+# ߔ⠓ECURITY:
 #   - secrets อยู่ใน .env (gitignored) — หลีกปัญหาการตีความหมาย `$` ใน YAML
 #   - n8n ไม่ได้ mount /var/run/docker.sock โดยตรง (H3)
 #     ใช้ docker-socket-proxy จำกัด capability — read-only Containers/Images API
@@ -113,9 +113,7 @@ services:
  n8n:
    <<: [*restart_policy, *default_logging]
-    build:
+    image: n8nio/n8n:2.16.1
      context: ./n8n-custom
      dockerfile: Dockerfile
    container_name: n8n
    depends_on:
      n8n-db:
@@ -166,8 +164,6 @@ services:
      EXECUTIONS_DATA_PRUNE: 'true'
      EXECUTIONS_DATA_MAX_AGE: 168
      # EXECUTIONS_DATA_PRUNE_TIMEOUT: 60
      # Storage Migration (fix deprecation warning)
      N8N_MIGRATE_FS_STORAGE_PATH: 'true'
    ports:
      - '5678:5678'
@@ -1,88 +1,4 @@
-# File: /share/np-dms/npm/docker-compose.yml
+04-Infrastructure-OPS/04-00-docker-compose/QNAP/npm/docker-compose.yml
 # DMS Container v1.8.6 — Application: lcbp3-npm, Service: npm + landing
 x-restart: &restart_policy
  restart: unless-stopped
 x-logging: &default_logging
  logging:
    driver: 'json-file'
    options:
      max-size: '10m'
      max-file: '5'
 name: lcbp3-npm
 services:
  npm:
    <<: [*restart_policy, *default_logging]
    image: jc21/nginx-proxy-manager:2.11.3
    container_name: npm
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 128M
    security_opt:
      - no-new-privileges:true
    ports:
      - '80:80' # HTTP
      - '443:443' # HTTPS
      - '81:81' # NPM Admin UI
    env_file:
      - .env
    environment:
      TZ: 'Asia/Bangkok'
      DB_MYSQL_HOST: 'mariadb'
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: 'npm'
      # ⚠️ ADR-016: ห้ามใช้รหัสง่าย ๆ เช่น 'npm' — ตั้งใน .env (NPM_DB_PASSWORD)
      DB_MYSQL_PASSWORD: ${NPM_DB_PASSWORD:?NPM_DB_PASSWORD required}
      DB_MYSQL_NAME: 'npm'
      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'
    networks:
      - lcbp3
      - giteanet
    volumes:
      - '/share/np-dms/npm/data:/data'
      - '/share/dms-data/logs/npm:/data/logs'
      - '/share/np-dms/npm/letsencrypt:/etc/letsencrypt'
      - '/share/np-dms/npm/custom:/data/nginx/custom'
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:81/api/']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
  landing:
    <<: [*restart_policy, *default_logging]
    image: nginx:1.27-alpine
    container_name: landing
    user: '0:0'
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 128M
    security_opt:
      - no-new-privileges:true
    volumes:
      - '/share/np-dms/npm/landing:/usr/share/nginx/html:ro'
    networks:
      - lcbp3
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost/']
      interval: 30s
      timeout: 5s
      retries: 3
 networks:
  lcbp3:
    external: true
  giteanet:
    external: true
    name: gitnet
 # docker exec -it npm id
 # chown -R 0:0 /share/Container/npm