Container Reference
Volumes
The Squirro container images use the following volumes to persist data.
Docker Compose Permanent Volume Configuration
In an AWS-based deployment, it is recommended to use EFS for the shared data volume. The relevant bits are the mount target of /mnt/squirro and the UID and GID of 44040.

```yaml
volumes:
  - squirro_shared_data:/mnt/squirro:uid=44040,gid=44040
```
Docker Compose Temporary Data Volume Configuration
The temporary data volume is used to store temporary data that does not need to persist. Because the containers' main filesystem is read-only, this volume is critical for the operation of the container. It is declared under the `tmpfs` key of the service, as in the Compose example further below.

```yaml
tmpfs:
  - /tmp:uid=44040,gid=44040
  - /run:uid=44040,gid=44040
```
Security
The Squirro container images are designed to be secure by default. The following security features are in place:

- The container is scanned for vulnerabilities using Trivy.
- The container is based on Amazon Linux 2023, a secure and hardened base image.
- The container runs as a non-privileged user with user ID 44040.
- The container is configured to run in read-only mode.
- The container is configured to run with a minimal set of capabilities.
- The container is configured to drop all capabilities.
- Secrets are not stored in the container image.
- Environment variables are used to configure the container.
- Secrets are provided as environment variables or secret files.
Example Docker Configuration
For reference, here is an example of a Compose file with a security-related configuration. Squirro recommends always using the config file generation feature from the Squirro Container Registry to generate the Compose file.

```yaml
services:
  squirro:
    restart: always
    image: containers.squirro.com/squirro/minimal:amd64-unstable-latest
    ports:
      - "8080:8080"
      - "8443:8443"
    secrets:
      - redis_password
      - db_password
      - elasticsearch_password
      - flask_secret_key
      - client_id
      - client_secret
    environment:
      # Elasticsearch
      - SQ_ES_INDEX_SERVERS=http://elasticsearch:9200
      - SQ_ES_AUTH_USER=elastic
      - SQ_ES_AUTH_PASSWORD=secretsfile:/run/secrets/elasticsearch_password
      # Redis
      - SQ_REDIS_QUEUE_PASSWORD=secretsfile:/run/secrets/redis_password
      - SQ_REDIS_CACHE_PASSWORD=secretsfile:/run/secrets/redis_password
      # Database
      - SQ_SQL_PASSWORD=secretsfile:/run/secrets/db_password
      # Frontend
      - SQ_FLASK_SECRET_KEY=secretsfile:/run/secrets/flask_secret_key
      # User Service Client Secrets
      - SQ_CLIENT_ID=secretsfile:/run/secrets/client_id
      - SQ_CLIENT_SECRET=secretsfile:/run/secrets/client_secret
      # Log Level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
      - SQ_LOG_LEVEL=INFO
    user: "44040:44040"
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:uid=44040,gid=44040
      - /run:uid=44040,gid=44040
    volumes:
      - squirro_shared_data:/mnt/squirro:uid=44040,gid=44040
    deploy:
      resources:
        limits:
          cpus: "4"
          memory: 10G
        reservations:
          cpus: "4.0"
          memory: 10G
    networks:
      - default
    depends_on:
      db:
        condition: service_healthy
      redis-queue:
        condition: service_started
      redis-cache:
        condition: service_started
      elasticsearch:
        condition: service_started
  db:
    ...
  redis-queue:
    ...
  redis-cache:
    ...
  elasticsearch:
    ...

volumes:
  squirro_shared_data:

networks:
  default:
    driver: bridge

secrets:
  mirror_user:
    file: ./secrets/mirror_user
  mirror_password:
    file: ./secrets/mirror_password
  redis_password:
    file: ./secrets/redis_password
  db_password:
    file: ./secrets/db_password
  elasticsearch_password:
    file: ./secrets/elasticsearch_password
  flask_secret_key:
    file: ./secrets/flask_secret_key
  client_id:
    file: ./secrets/client_id
  client_secret:
    file: ./secrets/client_secret
```
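The Security list and the Compose example above describe the same hardening properties from two sides. The following script, an added example and not Squirro tooling, checks a parsed Compose service for those properties: a non-root `user`, `read_only` with `tmpfs` mounts for /tmp and /run, `no-new-privileges`, dropped capabilities, and no credential pasted literally into `environment`. Both service definitions inside it are constructed (the first mirrors the `squirro` service above, the second is a deliberately weak variant). The page's example shows no Compose key for "drop all capabilities"; the check assumes the standard `cap_drop: [ALL]`.

```python
from collections.abc import Mapping
from typing import Dict, List, Optional, Union

# Constructed sample: the security-relevant keys of the `squirro` service
# from the Compose example above, as yaml.safe_load() would return them.
HARDENED_SERVICE = {
    "image": "containers.squirro.com/squirro/minimal:amd64-unstable-latest",
    "user": "44040:44040",
    "read_only": True,
    "security_opt": ["no-new-privileges:true"],
    "cap_drop": ["ALL"],  # assumed key for "drop all capabilities"
    "tmpfs": ["/tmp:uid=44040,gid=44040", "/run:uid=44040,gid=44040"],
    "environment": [
        "SQ_ES_AUTH_PASSWORD=secretsfile:/run/secrets/elasticsearch_password",
        "SQ_SQL_PASSWORD=secretsfile:/run/secrets/db_password",
        "SQ_LOG_LEVEL=INFO",
    ],
}

# Constructed counter-example: same image with none of the hardening applied
# and a database password written straight into the environment.
WEAK_SERVICE = {
    "image": "containers.squirro.com/squirro/minimal:amd64-unstable-latest",
    "environment": {"SQ_SQL_PASSWORD": "constructed-plaintext-password"},
}

# Variables whose values are credentials and should come from secret files.
SECRET_SUFFIXES = ("_PASSWORD", "_SECRET", "_SECRET_KEY")
SECRET_REF = "secretsfile:"


def _env_as_dict(env: Optional[Union[Mapping, list]]) -> Dict[str, str]:
    """Compose accepts `environment` as a mapping or as a list of KEY=VALUE."""
    if env is None:
        return {}
    if isinstance(env, Mapping):
        return {str(k): "" if v is None else str(v) for k, v in env.items()}
    out: Dict[str, str] = {}
    for item in env:
        key, _, value = str(item).partition("=")
        out[key] = value
    return out


def lint_service(svc: Mapping) -> List[str]:
    """Return one finding per missing hardening property; [] means clean."""
    findings: List[str] = []

    uid = str(svc.get("user", "")).split(":")[0]
    if uid in ("", "0", "root"):
        findings.append("runs as root: set user to a non-privileged UID such as 44040:44040")

    if svc.get("read_only") is not True:
        findings.append("root filesystem is writable: set read_only: true")
    else:
        # A read-only root filesystem still needs writable /tmp and /run.
        tmpfs_paths = {str(t).split(":")[0] for t in svc.get("tmpfs") or []}
        for path in ("/tmp", "/run"):
            if path not in tmpfs_paths:
                findings.append(f"read_only container has no tmpfs mount for {path}")

    if "no-new-privileges:true" not in (svc.get("security_opt") or []):
        findings.append("missing security_opt no-new-privileges:true")

    dropped = {str(c).upper() for c in svc.get("cap_drop") or []}
    if "ALL" not in dropped:
        findings.append("capabilities not dropped: add cap_drop: [ALL]")

    for key, value in _env_as_dict(svc.get("environment")).items():
        if key.endswith(SECRET_SUFFIXES) and not value.startswith(SECRET_REF):
            findings.append(f"{key} is a literal in the environment; use {SECRET_REF}/run/secrets/...")

    return findings


if __name__ == "__main__":
    for name, svc in (("hardened", HARDENED_SERVICE), ("weak", WEAK_SERVICE)):
        print(name, lint_service(svc) or ["ok"])
```

To run it against a real file, load the Compose document with `yaml.safe_load()` and pass `doc["services"]["squirro"]` to `lint_service()`. The tmpfs check is only raised when `read_only` is set, because that is the combination in which a missing /tmp or /run mount breaks the container.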
Environment Variables
The following variables can be set to control the behavior of the Squirro container images. At the time of writing, this applies only to the squirro-minimal image.
The plan is that, where applicable, the same variables will be used in all future Squirro container images; for example, a dedicated user service image would use the same login, database, and Redis variables and secrets.
SSL / TLS Configuration

Variable | Type | Default | Description |
---|---|---|---|
SQ_CA_FILE | file path | | Provides a custom CA file for the container. This is useful if you have a custom CA file that is not part of the default CA trust store. The provided file is prepended to the default CA trust store of Amazon Linux 2023. Hence, this is only needed if the container needs to trust additional CA certificates / self-signed certificates. |
Elasticsearch Configuration

Variable | Type | Default | Description |
---|---|---|---|
SQ_ES_INDEX_SERVERS | string | | The URL to the Elasticsearch server. This can be a single URL or a comma-separated list of URLs, e.g. http://elasticsearch:9200,http://elasticsearch2:9200 |
SQ_ES_AUTH_USER | string | elastic | The username to authenticate with the Elasticsearch server. |
SQ_ES_AUTH_PASSWORD | string | | The password to authenticate with the Elasticsearch server. A secret file is recommended for this value, secretsfile:/run/secrets/elasticsearch_password for example. |
Database Configuration
Squirro currently only supports PostgreSQL as the database backend for squirro-minimal. Plans are in place to support MariaDB/MySQL in the near future.

Variable | Type | Default | Description |
---|---|---|---|
SQ_SQL_PROTOCOL | string | postgresql | Which database protocol to use. Currently only postgresql is supported. Equates to the SQLAlchemy dialect. |
SQ_SQL_HOST | string | db | The hostname of the database server. This can be the hostname or the IP address of the database server; for AWS RDS, this is the endpoint, mydbinstance.123456789012.us-east-1.rds.amazonaws.com for example. |
SQ_SQL_PORT | integer | 5432 | The TCP port of the database server. |
SQ_SQL_USER | string | postgres | Username to connect to the database server. |
SQ_SQL_PASSWORD | string | | Password to connect to the database server. A secret file is recommended for this value, secretsfile:/run/secrets/db_password for example. |
SQ_SQL_CONFIGURATION_DATABASE, SQ_SQL_DATASOURCE_DATABASE, SQ_SQL_EMAILSENDER_DATABASE, SQ_SQL_FILTERING_DATABASE, SQ_SQL_FINGERPRINT_DATABASE, SQ_SQL_MACHINELEARNING_DATABASE, SQ_SQL_NOTES_DATABASE, SQ_SQL_PLUMBER_DATABASE, SQ_SQL_SCHEDULER_DATABASE, SQ_SQL_STUDIO_DATABASE, SQ_SQL_TOPIC_DATABASE, SQ_SQL_USER_DATABASE | string | configuration, datasource, emailsender, filtering, fingerprint, machinelearning, notes, plumber, scheduler, studio, topic, squser | The name of the database to use for each service. You are responsible for creating the databases. |
SQ_SQL_CONFIGURATION_SERVICE_URI, SQ_SQL_DATASOURCE_SERVICE_URI, SQ_SQL_EMAILSENDER_SERVICE_URI, SQ_SQL_FILTERING_SERVICE_URI, SQ_SQL_FINGERPRINT_SERVICE_URI, SQ_SQL_MACHINELEARNING_SERVICE_URI, SQ_SQL_NOTES_SERVICE_URI, SQ_SQL_PLUMBER_SERVICE_URI, SQ_SQL_SCHEDULER_SERVICE_URI, SQ_SQL_STUDIO_SERVICE_URI, SQ_SQL_TOPIC_SERVICE_URI, SQ_SQL_USER_SERVICE_URI | string | | For a custom deployment, you can provide the full URI to the database server, postgresql://user:password@hostname:port/database?customparam=value for example. |
Redis Configuration
Squirro requires two instances of Redis, one for the cache and one for persistent storage and queues.

Redis Queue

Variable | Type | Default | Description |
---|---|---|---|
SQ_REDIS_QUEUE_HOST | string | redis-queue | The hostname of the Redis server. For AWS ElastiCache, this is the endpoint, e.g. myredisinstance.123456789012.us-east-1.cache.amazonaws.com |
SQ_REDIS_QUEUE_PORT | integer | 6379 | The TCP port of the Redis server. |
SQ_REDIS_QUEUE_SSL | boolean | false | Enable SSL for the connection to the Redis server. |
SQ_REDIS_QUEUE_SSL_VERIFY | boolean | false | Verify the SSL certificate of the Redis server. |

Redis Cache

Variable | Type | Default | Description |
---|---|---|---|
SQ_REDIS_CACHE_HOST | string | redis-cache | The hostname of the Redis server. For AWS ElastiCache, this is the endpoint, e.g. myredisinstance.123456789012.us-east-1.cache.amazonaws.com |
SQ_REDIS_CACHE_PORT | integer | 6380 | The TCP port of the Redis server. |
SQ_REDIS_CACHE_SSL | boolean | false | Enable SSL for the connection to the Redis server. |
SQ_REDIS_CACHE_SSL_VERIFY | boolean | false | Verify the SSL certificate of the Redis server. |
Secrets and Client IDs
Squirro requires a few secrets as environment variables or secret files.

Variable | Type | Default | Description |
---|---|---|---|
SQ_FLASK_SECRET_KEY | string or secretsfile | | The secret key to use for the Flask application. This is used to sign cookies and other sensitive data. A secret file is recommended for this value, secretsfile:/run/secrets/flask_secret_key for example. |
SQ_CLIENT_ID | string or secretsfile | | The client id to use for various Service Clients. A secret file is recommended for this value, secretsfile:/run/secrets/client_id for example. |
SQ_CLIENT_SECRET | string or secretsfile | | The client secret to use for various Service Clients. A secret file is recommended for this value, secretsfile:/run/secrets/client_secret for example. |
Logging Configuration

Variable | Type | Default | Description |
---|---|---|---|
SQ_LOG_LEVEL | string | INFO | Log Level (DEBUG, INFO, WARNING, ERROR, CRITICAL) |