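# Local dev topology: backend (FastAPI) + frontend (Vite dev server) + Jaeger
# (OTLP collector + UI). One command to a working stack with traces.
#
# `docker compose up` brings the three services up on their published ports.
# Backend at http://localhost:8000, frontend at http://localhost:5173, Jaeger
# UI at http://localhost:16686. The frontend image (built by ticket #21) ships
# the Vite dev server bound to 0.0.0.0:5173 so HMR works through the published
# port.
#
# Every published port below is pinned to the host's loopback interface
# (`127.0.0.1:HOST:CONTAINER`). Compose's default is to bind 0.0.0.0, which
# would expose the unauthenticated Vite dev server, the backend and Jaeger's
# UI + OTLP receivers to every machine on the local network — and on Linux,
# Docker's own iptables rules generally admit published ports ahead of host
# firewalls such as ufw. Drop the `127.0.0.1:` prefix deliberately, and only
# for the port you need, if the stack must be reachable from another machine.
services:
  app:
    build: .
    ports:
      - "127.0.0.1:8000:8000"
    # Optional local overrides (secrets, feature flags). `required: false`
    # lets the stack start without the file; keep `.env` out of version
    # control (not verifiable from here — check .gitignore).
    env_file:
      - path: .env
        required: false
    depends_on:
      - jaeger
    environment:
      # OTLP gRPC endpoint inside the compose network — the SDK auto-detects
      # OTEL_EXPORTER_OTLP_ENDPOINT and emits to Jaeger's OTLP receiver.
      # Plain `http://`: the link is unencrypted, which is acceptable only
      # because it never leaves the compose bridge network. Traces can carry
      # request data, so don't repoint this at a remote collector without TLS.
      - OTEL_EXPORTER_OTLP_ENDPOINT=http://jaeger:4317
      - OTEL_EXPORTER_OTLP_PROTOCOL=grpc
      - OTEL_SERVICE_NAME=harness-python-react
    # Container hardening. The root FS is read-only at the kernel level so a
    # post-exploit shell can't modify /app, persist binaries, or fill disk
    # under the `app` user's ownership. /tmp is the only writable path —
    # tmpfs-mounted with a 64 MB ceiling so it can't be abused as unbounded
    # storage. Verified: `touch /app/foo` → EROFS; `touch /tmp/foo` succeeds;
    # healthcheck reports healthy. See docs/SECURITY.md "Container Security".
    read_only: true
    tmpfs:
      - /tmp:size=64m,mode=1777
    # Same threat model, two more cheap controls: `no-new-privileges` stops a
    # compromised process from gaining privileges via setuid/setcap binaries,
    # and dropping every Linux capability removes what a root escalation
    # inside the container could do with them. Port 8000 is unprivileged and
    # the service runs as the non-root `app` user (per the note above), so no
    # capability should be needed — NOTE(review): confirm against the
    # Dockerfile's entrypoint before relying on this.
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
  frontend:
    build: ./frontend
    ports:
      - "127.0.0.1:5173:5173"
    depends_on:
      - app
    environment:
      # Vite dev-server proxy target. Inside the compose network, the
      # backend service is reachable at http://app:8000. The browser
      # still hits http://localhost:5173/api/v1/* and Vite proxies it.
      - VITE_API_PROXY_TARGET=http://app:8000
    # Bind-mount the source so Vite HMR sees host edits. node_modules stays
    # inside the container so platform-native deps aren't shadowed.
    # Not `read_only` like `app`: the dev server presumably writes its cache
    # into the tree (verify before hardening this service the same way).
    volumes:
      - ./frontend:/app
      - /app/node_modules
  jaeger:
    # NOTE(review): `latest` is a mutable tag — two pulls can yield different
    # images, so the dev stack isn't reproducible and a bad upstream push lands
    # here unreviewed. Pin to a release tag (ideally with its digest) once the
    # team settles on one.
    image: jaegertracing/all-in-one:latest
    # The `app` service reaches Jaeger over the compose network (see its
    # OTEL_EXPORTER_OTLP_ENDPOINT), so the OTLP ports are published only for
    # exporters running directly on the host. The UI has no authentication —
    # another reason all three stay on loopback.
    ports:
      - "127.0.0.1:16686:16686"  # Jaeger UI
      - "127.0.0.1:4317:4317"    # OTLP gRPC
      - "127.0.0.1:4318:4318"    # OTLP HTTP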