stack/docker/docker-compose.yml
Jason Woltje dce975bf4e fix(#363): Update OpenBao image to fix CRITICAL CVE-2025-68121 + 4 HIGH CVEs
Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable,
released 2026-02-04) in both the Dockerfile and the dev docker-compose.

CVEs resolved:
- CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption
- CVE-2024-8185 (HIGH): DoS via Raft join requests
- CVE-2024-9180 (HIGH): Root namespace privilege escalation
- CVE-2025-59043 (HIGH): DoS via malicious JSON
- CVE-2025-64761 (HIGH): Identity group root escalation

All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new
features (horizontal read scalability, OCI plugin distribution).

Files changed:
- docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0
- docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0

The production/swarm compose files use the custom-built
git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM
this Dockerfile, so they inherit the fix on next CI build.

Fixes #363
2026-02-12 12:36:08 -06:00


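# Development compose stack: postgres, valkey, the coordinator app, and an
# OpenBao secrets server with an auto-initialization sidecar.
# `${VAR:-default}` values fall back to dev defaults when VAR is not exported;
# GITEA_WEBHOOK_SECRET has no safe default and is therefore required (`:?`).
services:
  postgres:
    build:
      context: ./postgres
      dockerfile: Dockerfile
    container_name: mosaic-postgres
    restart: unless-stopped
    environment:
      # Dev-only defaults; export real values (e.g. via .env) on any shared host.
      POSTGRES_USER: ${POSTGRES_USER:-mosaic}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mosaic_dev_password}
      POSTGRES_DB: ${POSTGRES_DB:-mosaic}
    ports:
      # NOTE(review): published on all host interfaces, unlike openbao below
      # which is bound to 127.0.0.1. Combined with the default password this is
      # only acceptable on a single-user dev machine — confirm that is the intent.
      - "${POSTGRES_PORT:-5432}:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      # ${...} here is expanded by compose on the host, not inside the container.
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mosaic} -d ${POSTGRES_DB:-mosaic}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      - mosaic-network

  valkey:
    image: valkey/valkey:8-alpine
    container_name: mosaic-valkey
    restart: unless-stopped
    ports:
      # NOTE(review): same all-interfaces exposure as postgres; valkey has no
      # auth configured here — confirm dev-only.
      - "${VALKEY_PORT:-6379}:6379"
    volumes:
      - valkey_data:/data
    healthcheck:
      test: ["CMD", "valkey-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    networks:
      - mosaic-network

  coordinator:
    build:
      context: ../apps/coordinator
      dockerfile: Dockerfile
    container_name: mosaic-coordinator
    restart: unless-stopped
    environment:
      # Presumably used to verify signatures on incoming Gitea webhook
      # deliveries; an empty value would make that check meaningless, so `:?`
      # makes compose refuse to start instead of silently passing "".
      GITEA_WEBHOOK_SECRET: ${GITEA_WEBHOOK_SECRET:?GITEA_WEBHOOK_SECRET must be set}
      GITEA_URL: ${GITEA_URL:-https://git.mosaicstack.dev}
      LOG_LEVEL: ${LOG_LEVEL:-info}
      # Quoted so the values reach the container as strings, not YAML numbers.
      HOST: "0.0.0.0"
      PORT: "8000"
    ports:
      - "8000:8000"
    healthcheck:
      # Uses the interpreter already in the image instead of curl/wget.
      test:
        - CMD
        - python
        - "-c"
        - "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 5s
    networks:
      - mosaic-network

  openbao:
    image: quay.io/openbao/openbao:2.5.0
    container_name: mosaic-openbao
    restart: unless-stopped
    # NOTE(review): runs as root, presumably so the server can write the
    # mounted data/init volumes. The entrypoint override below replaces the
    # image's own entrypoint script, so SKIP_SETCAP is likely never read —
    # verify, and consider dropping root once volume ownership is handled.
    user: root
    ports:
      # Loopback only: reachable from the host, not from the LAN.
      - "127.0.0.1:${OPENBAO_PORT:-8200}:8200"
    volumes:
      - openbao_data:/openbao/data
      - openbao_init:/openbao/init
      - ./openbao/config.hcl:/openbao/config/config.hcl:ro
    environment:
      VAULT_ADDR: "http://0.0.0.0:8200"
      SKIP_SETCAP: "true"
    entrypoint: ["/bin/sh", "-c"]
    command: ["bao server -config=/openbao/config/config.hcl"]
    cap_add:
      # IPC_LOCK permits mlock(), which the server uses to keep secret
      # material out of swap.
      - IPC_LOCK
    healthcheck:
      # uninitcode/sealedcode=200 make the probe pass as soon as the listener
      # is up, even while the server is uninitialized or sealed; openbao-init's
      # service_healthy gate relies on exactly that to run against a fresh server.
      test:
        - CMD
        - wget
        - "--spider"
        - "--quiet"
        - "http://127.0.0.1:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200"
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    networks:
      - mosaic-network
    labels:
      com.mosaic.service: "secrets"
      com.mosaic.description: "OpenBao secrets management"

  openbao-init:
    image: quay.io/openbao/openbao:2.5.0
    container_name: mosaic-openbao-init
    # NOTE(review): unless-stopped relaunches the sidecar every time /init.sh
    # exits, whatever its exit code, so the script must be idempotent — confirm,
    # or use `restart: on-failure` if it is meant to be one-shot.
    restart: unless-stopped
    user: root
    volumes:
      - openbao_init:/openbao/init
      - ./openbao/init.sh:/init.sh:ro
    environment:
      # Talks to the server over the compose network, not via the host port.
      VAULT_ADDR: "http://openbao:8200"
    command: /init.sh
    depends_on:
      openbao:
        condition: service_healthy
    networks:
      - mosaic-network
    labels:
      com.mosaic.service: "secrets-init"
      com.mosaic.description: "OpenBao auto-initialization sidecar"

# Named volumes so data survives `docker compose down` (without -v).
volumes:
  postgres_data:
    name: mosaic-postgres-data
  valkey_data:
    name: mosaic-valkey-data
  openbao_data:
    name: mosaic-openbao-data
  openbao_init:
    name: mosaic-openbao-init

networks:
  mosaic-network:
    name: mosaic-network
    driver: bridge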