mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
ea22c8087b
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #42226 When doing dev in a remote environment, like a public cloud VM, don't expose ports to the public. This is a contributor security improvement. The localstack fail is present on main, and was not caused by this change: https://github.com/fleetdm/fleet/actions/runs/23439965808/job/68187858627 # Checklist for submitter ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Docker Compose configuration updated across multiple services (Redis, MySQL, mail, monitoring, and storage services) to restrict port bindings to localhost only instead of all network interfaces. * Documentation Docker Compose examples updated to reflect localhost-only port binding for core services. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
173 lines
5.8 KiB
YAML
173 lines
5.8 KiB
YAML
---
|
|
services:
|
|
# To test with MariaDB, set FLEET_MYSQL_IMAGE to mariadb:10.6 or the like (note MariaDB is not
|
|
# officially supported).
|
|
# To run in macOS M1, set FLEET_MYSQL_IMAGE=arm64v8/mysql:oracle FLEET_MYSQL_PLATFORM=linux/arm64/v8
|
|
mysql:
|
|
image: ${FLEET_MYSQL_IMAGE:-mysql:8.0.44}
|
|
platform: ${FLEET_MYSQL_PLATFORM:-linux/x86_64}
|
|
volumes:
|
|
- mysql-persistent-volume:/tmp
|
|
command: [
|
|
"mysqld",
|
|
"--datadir=/tmp/mysqldata",
|
|
# These 3 keys run MySQL with GTID consistency enforced to avoid issues with production deployments that use it.
|
|
"--enforce-gtid-consistency=ON",
|
|
"--log-bin=bin.log",
|
|
"--server-id=master-01",
|
|
# Required for storage of Apple MDM bootstrap packages.
|
|
"--max_allowed_packet=536870912",
|
|
]
|
|
environment: &mysql-default-environment
|
|
MYSQL_ROOT_PASSWORD: toor
|
|
MYSQL_DATABASE: fleet
|
|
MYSQL_USER: fleet
|
|
MYSQL_PASSWORD: insecure
|
|
# This is required by Percona XtraDB server.
|
|
CLUSTER_NAME: fleet
|
|
ports:
|
|
- "127.0.0.1:${FLEET_MYSQL_PORT:-3306}:3306"
|
|
|
|
mysql_test:
|
|
image: ${FLEET_MYSQL_IMAGE:-mysql:8.0.44}
|
|
platform: ${FLEET_MYSQL_PLATFORM:-linux/x86_64}
|
|
# innodb-file-per-table=OFF gives ~20% speedup for test runs.
|
|
command: [
|
|
"mysqld",
|
|
"--datadir=/tmpfs",
|
|
"--slow_query_log=1",
|
|
"--log_output=TABLE",
|
|
"--log-queries-not-using-indexes",
|
|
"--innodb-file-per-table=OFF",
|
|
"--table-definition-cache=8192",
|
|
# These 3 keys run MySQL with GTID consistency enforced to avoid issues with production deployments that use it.
|
|
"--enforce-gtid-consistency=ON",
|
|
"--log-bin=bin.log",
|
|
"--server-id=1",
|
|
# Required for storage of Apple MDM bootstrap packages.
|
|
"--max_allowed_packet=536870912",
|
|
]
|
|
environment: *mysql-default-environment
|
|
ports:
|
|
- "127.0.0.1:${FLEET_MYSQL_TEST_PORT:-3307}:3306"
|
|
tmpfs:
|
|
- /var/lib/mysql:rw,noexec,nosuid
|
|
- /tmpfs
|
|
|
|
mysql_replica_test:
|
|
image: ${FLEET_MYSQL_IMAGE:-mysql:8.0.44}
|
|
platform: ${FLEET_MYSQL_PLATFORM:-linux/x86_64}
|
|
# innodb-file-per-table=OFF gives ~20% speedup for test runs.
|
|
command: [
|
|
"mysqld",
|
|
"--datadir=/tmpfs",
|
|
"--slow_query_log=1",
|
|
"--log_output=TABLE",
|
|
"--log-queries-not-using-indexes",
|
|
"--innodb-file-per-table=OFF",
|
|
"--table-definition-cache=8192",
|
|
# These 3 keys run MySQL with GTID consistency enforced to avoid issues with production deployments that use it.
|
|
"--enforce-gtid-consistency=ON",
|
|
"--log-bin=bin.log",
|
|
"--server-id=2",
|
|
# Required for storage of Apple MDM bootstrap packages.
|
|
"--max_allowed_packet=536870912",
|
|
]
|
|
environment: *mysql-default-environment
|
|
ports:
|
|
# ports 3308 and 3309 are used by the main and replica MySQL containers in tools/mysql-replica-testing/docker-compose.yml
|
|
- "127.0.0.1:${FLEET_MYSQL_REPLICA_TEST_PORT:-3310}:3306"
|
|
tmpfs:
|
|
- /var/lib/mysql:rw,noexec,nosuid
|
|
- /tmpfs
|
|
|
|
# Unauthenticated SMTP server.
|
|
mailhog:
|
|
image: mailhog/mailhog:latest
|
|
ports:
|
|
- "127.0.0.1:${FLEET_MAILHOG_WEB_PORT:-8025}:8025"
|
|
- "127.0.0.1:${FLEET_MAILHOG_SMTP_PORT:-1025}:1025"
|
|
|
|
# SMTP server with Basic Authentication.
|
|
mailpit:
|
|
image: axllent/mailpit:latest
|
|
ports:
|
|
- "127.0.0.1:${FLEET_MAILPIT_WEB_PORT:-8026}:8025"
|
|
- "127.0.0.1:${FLEET_MAILPIT_SMTP_PORT:-1026}:1025"
|
|
volumes:
|
|
- ./tools/mailpit/auth.txt:/auth.txt
|
|
command: ["--smtp-auth-file=/auth.txt", "--smtp-auth-allow-insecure=true"]
|
|
|
|
# SMTP server with TLS
|
|
smtp4dev_test:
|
|
image: rnwood/smtp4dev:v3
|
|
ports:
|
|
- "127.0.0.1:${FLEET_SMTP4DEV_WEB_PORT:-8028}:80"
|
|
- "127.0.0.1:${FLEET_SMTP4DEV_SMTP_PORT:-1027}:25"
|
|
volumes:
|
|
- ./tools/smtp4dev:/certs
|
|
environment:
|
|
- ServerOptions__TlsMode=ImplicitTls
|
|
- ServerOptions__TlsCertificate=/certs/fleet.crt
|
|
- ServerOptions__TlsCertificatePrivateKey=/certs/fleet.key
|
|
|
|
redis:
|
|
image: redis:6
|
|
ports:
|
|
- "127.0.0.1:${FLEET_REDIS_PORT:-6379}:6379"
|
|
|
|
saml_idp:
|
|
image: fleetdm/docker-idp:latest
|
|
volumes:
|
|
- ./tools/saml/users.php:/var/www/simplesamlphp/config/authsources.php
|
|
- ./tools/saml/config.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php
|
|
ports:
|
|
- "127.0.0.1:${FLEET_SAML_IDP_HTTP_PORT:-9080}:8080"
|
|
- "127.0.0.1:${FLEET_SAML_IDP_HTTPS_PORT:-9443}:8443"
|
|
|
|
# CAdvisor container allows monitoring other containers. Useful for
|
|
# development.
|
|
cadvisor:
|
|
image: gcr.io/cadvisor/cadvisor:latest
|
|
ports:
|
|
- "127.0.0.1:${FLEET_CADVISOR_PORT:-5678}:8080"
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- /sys:/sys:ro
|
|
- /var/lib/docker/:/var/lib/docker:ro
|
|
|
|
prometheus:
|
|
image: prom/prometheus:latest
|
|
ports:
|
|
- "127.0.0.1:${FLEET_PROMETHEUS_PORT:-9090}:9090"
|
|
volumes:
|
|
- ./tools/app/prometheus.yml:/etc/prometheus/prometheus.yml
|
|
|
|
# localstack to simulate AWS integrations like firehose & kinesis
|
|
# use http://localhost:4566 as the `--endpoint-url` argument in awscli
|
|
localstack:
|
|
image: localstack/localstack:4.5
|
|
ports:
|
|
- "127.0.0.1:${FLEET_LOCALSTACK_PORT:-4566}:4566"
|
|
- "127.0.0.1:${FLEET_LOCALSTACK_LEGACY_PORT:-4571}:4571"
|
|
environment:
|
|
- SERVICES=firehose,kinesis,s3,iam,sts,secretsmanager
|
|
|
|
# s3 compatible object storage (file carving/software installers)
|
|
s3:
|
|
image: rustfs/rustfs:1.0.0-alpha.85
|
|
ports:
|
|
- "127.0.0.1:${FLEET_S3_PORT:-9000}:9000"
|
|
- "127.0.0.1:${FLEET_S3_CONSOLE_PORT:-9001}:9001"
|
|
environment:
|
|
- RUSTFS_ADDRESS=0.0.0.0:9000
|
|
- RUSTFS_CONSOLE_ADDRESS=0.0.0.0:9001
|
|
- RUSTFS_CONSOLE_ENABLE=true
|
|
- RUSTFS_ACCESS_KEY=locals3
|
|
- RUSTFS_SECRET_KEY=locals3
|
|
volumes:
|
|
- data-s3:/data:rw
|
|
|
|
volumes:
|
|
mysql-persistent-volume:
|
|
data-s3:
|