security: harden Docker registry and container runtime

- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID) - Reject sha512 digests (only sha256 supported) - Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL - Bind upload sessions to repository name (prevent session fixation) - Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion) - Fix catalog to show namespaced images (library/alpine instead of library) - Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy - Run containers as non-root user (USER nora) in all 3 Dockerfiles - Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
2026-04-12 06:50:31 +00:00 · 2026-03-19 08:29:28 +00:00
parent f76dab1184
commit fa2cd45ed3
8 changed files with 225 additions and 57 deletions
--- a/8
+++ b/8
@@ -2,9 +2,11 @@
 # Binary is pre-built by CI (cargo build --release) and passed via context
 FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805

-RUN apk add --no-cache ca-certificates && mkdir -p /data
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S nora && adduser -S -G nora nora \
+    && mkdir -p /data && chown nora:nora /data

-COPY nora /usr/local/bin/nora
+COPY --chown=nora:nora nora /usr/local/bin/nora

 ENV RUST_LOG=info
 ENV NORA_HOST=0.0.0.0
@@ -17,5 +19,7 @@ EXPOSE 4000

 VOLUME ["/data"]

+USER nora
+
 ENTRYPOINT ["/usr/local/bin/nora"]
 CMD ["serve"]