Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable, released 2026-02-04) in both the Dockerfile and the dev docker-compose. CVEs resolved: - CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption - CVE-2024-8185 (HIGH): DoS via Raft join requests - CVE-2024-9180 (HIGH): Root namespace privilege escalation - CVE-2025-59043 (HIGH): DoS via malicious JSON - CVE-2025-64761 (HIGH): Identity group root escalation All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new features (horizontal read scalability, OCI plugin distribution). Files changed: - docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0 - docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0 The production/swarm compose files use the custom-built git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM this Dockerfile, so they inherit the fix on next CI build. Fixes #363
services:
|
|
postgres:
|
|
build:
|
|
context: ./postgres
|
|
dockerfile: Dockerfile
|
|
container_name: mosaic-postgres
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_USER: ${POSTGRES_USER:-mosaic}
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mosaic_dev_password}
|
|
POSTGRES_DB: ${POSTGRES_DB:-mosaic}
|
|
ports:
|
|
- "${POSTGRES_PORT:-5432}:5432"
|
|
volumes:
|
|
- postgres_data:/var/lib/postgresql/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mosaic} -d ${POSTGRES_DB:-mosaic}"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 30s
|
|
networks:
|
|
- mosaic-network
|
|
|
|
valkey:
|
|
image: valkey/valkey:8-alpine
|
|
container_name: mosaic-valkey
|
|
restart: unless-stopped
|
|
ports:
|
|
- "${VALKEY_PORT:-6379}:6379"
|
|
volumes:
|
|
- valkey_data:/data
|
|
healthcheck:
|
|
test: ["CMD", "valkey-cli", "ping"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 10s
|
|
networks:
|
|
- mosaic-network
|
|
|
|
coordinator:
|
|
build:
|
|
context: ../apps/coordinator
|
|
dockerfile: Dockerfile
|
|
container_name: mosaic-coordinator
|
|
restart: unless-stopped
|
|
environment:
|
|
GITEA_WEBHOOK_SECRET: ${GITEA_WEBHOOK_SECRET}
|
|
GITEA_URL: ${GITEA_URL:-https://git.mosaicstack.dev}
|
|
LOG_LEVEL: ${LOG_LEVEL:-info}
|
|
HOST: 0.0.0.0
|
|
PORT: 8000
|
|
ports:
|
|
- "8000:8000"
|
|
healthcheck:
|
|
test:
|
|
[
|
|
"CMD",
|
|
"python",
|
|
"-c",
|
|
"import urllib.request; urllib.request.urlopen('http://localhost:8000/health')",
|
|
]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 5s
|
|
networks:
|
|
- mosaic-network
|
|
|
|
openbao:
|
|
image: quay.io/openbao/openbao:2.5.0
|
|
container_name: mosaic-openbao
|
|
restart: unless-stopped
|
|
user: root
|
|
ports:
|
|
- "127.0.0.1:${OPENBAO_PORT:-8200}:8200"
|
|
volumes:
|
|
- openbao_data:/openbao/data
|
|
- openbao_init:/openbao/init
|
|
- ./openbao/config.hcl:/openbao/config/config.hcl:ro
|
|
environment:
|
|
VAULT_ADDR: http://0.0.0.0:8200
|
|
SKIP_SETCAP: "true"
|
|
entrypoint: ["/bin/sh", "-c"]
|
|
command: ["bao server -config=/openbao/config/config.hcl"]
|
|
cap_add:
|
|
- IPC_LOCK
|
|
healthcheck:
|
|
test:
|
|
[
|
|
"CMD",
|
|
"wget",
|
|
"--spider",
|
|
"--quiet",
|
|
"http://127.0.0.1:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200",
|
|
]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 10s
|
|
networks:
|
|
- mosaic-network
|
|
labels:
|
|
com.mosaic.service: "secrets"
|
|
com.mosaic.description: "OpenBao secrets management"
|
|
|
|
openbao-init:
|
|
image: quay.io/openbao/openbao:2.5.0
|
|
container_name: mosaic-openbao-init
|
|
restart: unless-stopped
|
|
user: root
|
|
volumes:
|
|
- openbao_init:/openbao/init
|
|
- ./openbao/init.sh:/init.sh:ro
|
|
environment:
|
|
VAULT_ADDR: http://openbao:8200
|
|
command: /init.sh
|
|
depends_on:
|
|
openbao:
|
|
condition: service_healthy
|
|
networks:
|
|
- mosaic-network
|
|
labels:
|
|
com.mosaic.service: "secrets-init"
|
|
com.mosaic.description: "OpenBao auto-initialization sidecar"
|
|
|
|
volumes:
|
|
postgres_data:
|
|
name: mosaic-postgres-data
|
|
valkey_data:
|
|
name: mosaic-valkey-data
|
|
openbao_data:
|
|
name: mosaic-openbao-data
|
|
openbao_init:
|
|
name: mosaic-openbao-init
|
|
|
|
networks:
|
|
mosaic-network:
|
|
name: mosaic-network
|
|
driver: bridge
|
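Review bot: The pin to `quay.io/openbao/openbao:2.5.0` on both the `openbao` and `openbao-init` services removes the floating `:2` tag, but a version tag is still mutable on the registry, so the patched build the CVE list depends on is not guaranteed at pull time; pin both services to an immutable digest, `image: quay.io/openbao/openbao:2.5.0@sha256:<DIGEST-PLACEHOLDER>`, and refresh the digest whenever the tag changes. The same tag now lives in two places in this file plus the Dockerfile the commit also touches, so a later bump can drift between them; a top-level extension field `x-openbao-image: &openbao_image quay.io/openbao/openbao:2.5.0` referenced as `image: *openbao_image` from both services, or an `${OPENBAO_IMAGE_TAG:-2.5.0}` substitution, keeps them in lockstep. Unrelated to the pin itself but worth a follow-up: both OpenBao services run with `user: root` and `SKIP_SETCAP: "true"`, which widens the impact of exactly the privilege-escalation class this bump patches, so a one-line comment above `user: root` stating why root is needed in the dev compose would help the next reviewer decide whether it can be dropped.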