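services:
  # One-shot schema migrator (Phase 3 / O2). Runs exactly once per
  # ``docker compose up``, obtains the alembic advisory lock, upgrades
  # the schema, and exits 0. Backend + worker ``depends_on`` this
  # service with ``condition: service_completed_successfully`` so they
  # never race on startup. On an already-migrated DB this exits in <2s.
  #
  # Operational notes:
  # - If migration fails, backend AND worker fail to start. Check
  #   ``docker compose logs migrator`` — the failure surfaces cleanly
  #   rather than being obscured by the backend's restart loop.
  # - No Redis / Docker proxy dependency — alembic only needs
  #   PostgreSQL.
  # - Uses the same image as backend/worker so there's no extra
  #   build cache target.
  migrator:
    build:
      context: ./backend
      dockerfile: Dockerfile
      additional_contexts:
        kernels: ./emulation/kernels
      args:
        DOCKER_GID: "${DOCKER_GID:-999}"
    env_file:
      - .env
    environment:
      # The password is spliced straight into a URL. A value holding
      # URL-reserved characters (``@``, ``:``, ``/``, ``%``, ``#``) must
      # be percent-encoded in .env or the DSN will not parse. Same
      # applies to the backend and worker DATABASE_URL below.
      DATABASE_URL: postgresql+asyncpg://${POSTGRES_USER:-wairz}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required. Set it in .env (see .env.example)}@postgres:5432/${POSTGRES_DB:-wairz}
    entrypoint: ["sh", "-c", ".venv/bin/python -m alembic upgrade head"]
    depends_on:
      postgres:
        condition: service_healthy
    restart: "no"
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  # Endpoint-filtered Docker API for backend/worker
  # (DOCKER_HOST=tcp://docker-proxy:2375, plaintext, no TLS).
  # The proxy is an allow-list of API paths, not a sandbox: with
  # CONTAINERS + POST + EXEC enabled a caller can still create
  # containers with host bind mounts or exec into running ones, so it
  # bounds blast radius and gives an audit point rather than forming a
  # trust boundary. Treat a compromise of backend/worker as a host
  # compromise. It lives on ``default``, which every service without an
  # explicit ``networks:`` key (postgres, redis, pg-backup, worker,
  # vulhunt, clamav, frontend) also joins, so nothing but the allow-list
  # below keeps those containers off the socket.
  docker-proxy:
    image: ghcr.io/tecnativa/docker-socket-proxy:0.3.0
    restart: unless-stopped
    environment:
      # Quoted: Compose passes env values as strings anyway, and quoting
      # keeps a YAML 1.1 loader from retyping the flags.
      CONTAINERS: "1"
      POST: "1"
      IMAGES: "1"
      NETWORKS: "1"
      VOLUMES: "0"
      EXEC: "1"
      EVENTS: "1"
      BUILD: "0"
      COMMIT: "0"
      CONFIGS: "0"
      DISTRIBUTION: "0"
      PLUGINS: "0"
      SECRETS: "0"
      SERVICES: "0"
      SESSION: "0"
      SWARM: "0"
      SYSTEM: "0"
      TASKS: "0"
      NODES: "0"
    volumes:
      # Read-only mount of the socket file; ``:ro`` only stops re-bind
      # tricks on the path — API calls over the socket are still writes.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - default
    deploy:
      resources:
        limits:
          memory: 128M
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  postgres:
    image: postgres:16-alpine
    restart: unless-stopped
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-wairz}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required. Set it in .env (see .env.example)}
      POSTGRES_DB: ${POSTGRES_DB:-wairz}
    ports:
      # Loopback only: reachable from the host for tooling, never from
      # the LAN. Inside the stack every service on ``default`` can reach
      # port 5432 directly.
      - "127.0.0.1:${POSTGRES_HOST_PORT:-5432}:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      # Probe with the configured role/database instead of a hardcoded
      # ``wairz`` so an overridden POSTGRES_USER does not leave the probe
      # pointed at a non-existent role (pg_isready still reports
      # "accepting connections", but the server can log a FATAL on every
      # tick). ``$$`` is Compose's escape for a literal ``$``; the
      # expansion happens inside the container, where the variables
      # above are set.
      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER:-wairz} -d $${POSTGRES_DB:-wairz}"]
      interval: 5s
      timeout: 5s
      retries: 5
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"

  # Periodic PostgreSQL backup (infra-volumes V3). ``pg_dump -Fc``
  # against the primary postgres service, written into
  # ``${BACKUP_DIR:-./backups}`` on the host. The loop runs every 24h
  # measured from container start (after a 300s initial delay), so the
  # wall-clock time of the dump drifts with restarts — it is not pinned
  # to a fixed nightly slot. 30-day retention, enforced inside the
  # container via ``find -mtime +30 -delete``. Recovery procedure
  # documented in docs/operations/backup-recovery.md.
  pg-backup:
    image: postgres:16-alpine
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      PGHOST: postgres
      PGUSER: ${POSTGRES_USER:-wairz}
      # PGPASSWORD in the environment is visible in this container's
      # /proc/<pid>/environ; a mounted ``.pgpass`` would avoid that if the
      # threat model ever requires it.
      PGPASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required. Set it in .env (see .env.example)}
      PGDATABASE: ${POSTGRES_DB:-wairz}
    volumes:
      # Host bind mount: dumps land on the host filesystem with whatever
      # mode this container creates them with (see umask below).
      - ${BACKUP_DIR:-./backups}:/backups
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        set -eu
        # Dumps hold the full database. The entrypoint override means this
        # runs as the image's default user, and without a umask the files
        # would be created world-readable on the host bind mount.
        umask 077
        echo "[pg-backup] Starting backup loop — sleeping 300s before first dump"
        # Initial delay so we don't dump immediately on `docker compose up`
        # — gives operators time to cancel / tune before the first write.
        sleep 300
        while true; do
          TIMESTAMP=$$(date +%Y%m%d_%H%M%S)
          OUT="/backups/wairz_$$TIMESTAMP.dump"
          echo "[pg-backup] dumping to $$OUT"
          if pg_dump --clean --if-exists -Fc -f "$$OUT"; then
            echo "[pg-backup] dump complete: $$(stat -c '%s bytes' "$$OUT")"
          else
            # Never keep a partial dump — a truncated archive would be
            # mistaken for a good restore point.
            echo "[pg-backup] dump FAILED" >&2
            rm -f "$$OUT"
          fi
          # 30-day retention: delete dumps older than 30 days.
          find /backups -maxdepth 1 -name 'wairz_*.dump' -mtime +30 -delete
          echo "[pg-backup] sleeping 24h"
          sleep 86400
        done
    deploy:
      resources:
        limits:
          memory: 512M
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  redis:
    image: redis:7-alpine
    restart: unless-stopped
    ports:
      - "127.0.0.1:${REDIS_HOST_PORT:-6379}:6379"
    volumes:
      - redisdata:/data
    # No AUTH is configured and no ``networks:`` key is set, so any
    # container on ``default`` — including the third-party vulhunt and
    # clamav images — can read and write the job queue. Adding
    # ``requirepass`` means updating REDIS_URL in backend and worker in
    # the same change.
    # Host requires: sysctl vm.overcommit_memory=1 (for Redis background saves)
    sysctls:
      net.core.somaxconn: 511
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 5s
      timeout: 5s
      retries: 5
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"

  backend:
    build:
      context: ./backend
      dockerfile: Dockerfile
      additional_contexts:
        kernels: ./emulation/kernels
      args:
        DOCKER_GID: "${DOCKER_GID:-999}"
    restart: unless-stopped
    ports:
      # Default binds to 127.0.0.1 to prevent LAN exposure of the
      # unauthenticated /ws WebSocket endpoint. Override via
      # BACKEND_HOST_BIND=0.0.0.0 only after auth is hardened.
      - "${BACKEND_HOST_BIND:-127.0.0.1}:${BACKEND_HOST_PORT:-8000}:8000"
    env_file:
      - .env
    environment:
      # Password must be URL-safe / percent-encoded — see migrator.
      DATABASE_URL: postgresql+asyncpg://${POSTGRES_USER:-wairz}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required. Set it in .env (see .env.example)}@postgres:5432/${POSTGRES_DB:-wairz}
      REDIS_URL: redis://redis:6379/0
      STORAGE_ROOT: /data/firmware
      GHIDRA_INSTALL_DIR: /opt/ghidra
      GHIDRA_SCRIPTS_PATH: /opt/ghidra_scripts
      EMULATION_IMAGE: wairz-emulation
      EMULATION_NETWORK: wairz_emulation_net
      FUZZING_IMAGE: wairz-fuzzing
      SYSTEM_EMULATION_IMAGE: wairz-system-emulation
      UART_BRIDGE_HOST: host.docker.internal
      UART_BRIDGE_PORT: "9999"
      # Plaintext Docker API via the socket proxy; see the docker-proxy
      # block for what that allow-list does and does not prevent.
      DOCKER_HOST: tcp://docker-proxy:2375
      # Phase β.10 (Rule #37): offline UEFI Secure Boot revocation
      # bundle, baked into the worker+backend image at build (see backend/
      # Dockerfile and backend/ms-anchors/). NO network fetch at scan time.
      DBX_BUNDLE_PATH: /opt/wairz/dbxupdate.bin
      # Phase η.D (Rule #37): offline LOLDrivers BYOVD fingerprinting data
      # set, same bake-at-build discipline as DBX_BUNDLE_PATH. Read by
      # app.services.loldrivers_lookup_service at lifespan startup.
      LOLDRIVERS_BUNDLE_PATH: /opt/wairz/loldrivers.json
      # Phase λ.α.C (Rule #37): offline Volatility 3 ISF symbol bundle root.
      # Bake-at-build discipline behind ARG INCLUDE_VOL3=1 in backend/Dockerfile.
      # Read by app.services.vol3_runner (λ.α.D) — when the directory is
      # missing OR empty, the runner detects + surfaces a clear "rebuild
      # with INCLUDE_VOL3=1" failure rather than reaching out at scan time.
      # The λ.α.B memory-image enumerator is unaffected — it never needs
      # the symbol bundle.
      VOL3_SYMBOLS_PATH: /opt/wairz/vol3-symbols
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - firmware_data:/data/firmware
      - kernel_vulns_data:/data/kernel-vulns
      - ./ghidra/scripts:/opt/ghidra_scripts:ro
      - ./emulation/kernels:/opt/kernels:rw
      # Host bind mount shared with worker: whatever is written here is
      # written to the host's /tmp with this container's uid.
      - /tmp/wairz-dumps:/tmp/wairz-dumps
    networks:
      - default
      - emulation_net
    depends_on:
      migrator:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
      docker-proxy:
        condition: service_started
    deploy:
      resources:
        limits:
          memory: 4096M
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"
    healthcheck:
      # Poll /ready (lightweight liveness) for the Docker healthcheck tick;
      # /health remains the deep surface called by operators/monitoring for
      # full subsystem status. /ready added in commit 566637a.
      # Explicit 127.0.0.1 rather than ``localhost`` so the probe never
      # depends on how the image resolves localhost (::1 vs 127.0.0.1);
      # same reasoning as the frontend healthcheck below.
      test: ["CMD-SHELL", "curl -sf http://127.0.0.1:8000/ready || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s

  worker:
    build:
      context: ./backend
      dockerfile: Dockerfile
      additional_contexts:
        kernels: ./emulation/kernels
      args:
        DOCKER_GID: "${DOCKER_GID:-999}"
    restart: unless-stopped
    env_file:
      - .env
    environment:
      # Password must be URL-safe / percent-encoded — see migrator.
      DATABASE_URL: postgresql+asyncpg://${POSTGRES_USER:-wairz}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required. Set it in .env (see .env.example)}@postgres:5432/${POSTGRES_DB:-wairz}
      REDIS_URL: redis://redis:6379/0
      STORAGE_ROOT: /data/firmware
      GHIDRA_INSTALL_DIR: /opt/ghidra
      GHIDRA_SCRIPTS_PATH: /opt/ghidra_scripts
      EMULATION_IMAGE: wairz-emulation
      EMULATION_NETWORK: wairz_emulation_net
      FUZZING_IMAGE: wairz-fuzzing
      SYSTEM_EMULATION_IMAGE: wairz-system-emulation
      DOCKER_HOST: tcp://docker-proxy:2375
      # Phase β.10: see backend service block above for the offline-trust-anchor
      # discipline rationale.
      DBX_BUNDLE_PATH: /opt/wairz/dbxupdate.bin
      # Phase η.D: see backend service block above for the offline LOLDrivers
      # BYOVD bundle rationale.
      LOLDRIVERS_BUNDLE_PATH: /opt/wairz/loldrivers.json
      # Phase λ.α.C: see backend service block above for the offline Vol3
      # ISF symbol bundle rationale.
      VOL3_SYMBOLS_PATH: /opt/wairz/vol3-symbols
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - firmware_data:/data/firmware
      - kernel_vulns_data:/data/kernel-vulns
      - ./ghidra/scripts:/opt/ghidra_scripts:ro
      - ./emulation/kernels:/opt/kernels:rw
      # Host bind mount shared with backend (see note there).
      - /tmp/wairz-dumps:/tmp/wairz-dumps
    depends_on:
      migrator:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
      docker-proxy:
        condition: service_started
    entrypoint: ["sh", "-c", "exec .venv/bin/arq app.workers.arq_worker.WorkerSettings"]
    deploy:
      resources:
        limits:
          memory: 4096M
    healthcheck:
      # `arq --check` issues a Redis health-check round-trip and exits non-zero
      # if the worker's heartbeat key is missing/stale. Stronger than `pgrep arq`
      # because it verifies both (a) the Python process is alive AND (b) Redis
      # is reachable AND (c) the heartbeat is fresh (default arq health interval
      # is ~5s). Audit-2026-05-04 F-H-04 / quick-wins M-8.
      test: ["CMD", ".venv/bin/arq", "--check", "app.workers.arq_worker.WorkerSettings"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"

  # Build-only image (profile ``build``): backend/worker launch the real
  # emulation containers through the Docker proxy using EMULATION_IMAGE.
  emulation:
    profiles: ["build"]
    build:
      context: ./emulation
      dockerfile: Dockerfile
    image: wairz-emulation
    volumes:
      - firmware_data:/data/firmware:ro
      - ./emulation/kernels:/opt/kernels:ro
    networks:
      - emulation_net
    deploy:
      resources:
        limits:
          # Bumped 1024M → 2048M on 2026-05-22 (over-constraint sweep).
          # config.py:32 emulation_memory_limit_mb=1024 is the QEMU guest
          # RAM cap; the compose cap is the cgroup HOST memory limit for
          # the qemu PROCESS, which needs guest_ram + ~1024M for QEMU
          # internals (TCG translation cache, device-model state, KVM/QEMU
          # bookkeeping). Equal values were double-gating on the same
          # constraint with no overhead — QEMU OOM-killed under load.
          memory: 2048M
          pids: 256

  # Build-only image (profile ``build``), launched on demand as
  # FUZZING_IMAGE.
  fuzzing:
    profiles: ["build"]
    build:
      context: ./fuzzing
      dockerfile: Dockerfile
    image: wairz-fuzzing
    volumes:
      - firmware_data:/data/firmware:ro
    deploy:
      resources:
        limits:
          memory: 2048M
          pids: 256

  system-emulation:
    profiles: ["build"]
    build:
      context: ./system-emulation
      dockerfile: Dockerfile
    image: wairz-system-emulation
    # Narrowed from `privileged: true` to the minimal cap-set documented
    # in `system-emulation/Dockerfile:11`. FirmAE's tap-network bring-up
    # needs NET_ADMIN (interface config), SYS_ADMIN (mount/clone), and
    # MKNOD (creating /dev/net/tun-derived nodes for nested namespaces).
    # If a startup regresses, add caps ONE AT A TIME and document the
    # specific FirmAE failure that required it — do NOT revert to
    # `privileged: true` to "see if it works". Audit-2026-05-04 F-H-03.
    # SYS_ADMIN on its own is close to root inside the container, so the
    # firmware under emulation should be treated as hostile input that
    # can reach anything else on emulation_net.
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
      - MKNOD
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      # A bare "5000" publishes to an ephemeral host port on ALL host
      # interfaces, unlike every other published port in this file which
      # is pinned to loopback. The ``ip::containerPort`` form keeps the
      # ephemeral host port but binds it to 127.0.0.1; use ``docker
      # compose port system-emulation 5000`` to find it.
      - "127.0.0.1::5000"
    volumes:
      - firmware_data:/firmwares:ro
    networks:
      - emulation_net
    environment:
      # Mapping form, to match the other services' ``environment`` blocks.
      POSTGRES_PASSWORD: ${FIRMAE_DB_PASSWORD:?FIRMAE_DB_PASSWORD is required. Set it in .env (see .env.example)}
    deploy:
      resources:
        limits:
          memory: 2048M
          pids: 512
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"

  vulhunt:
    # Pinned to a digest so 'docker compose pull' cannot silently
    # promote upstream :latest into this stack. Bump explicitly by
    # setting VULHUNT_IMAGE in .env or replacing the digest below.
    #
    # No healthcheck: the upstream image is a Chainguard distroless
    # build (no /bin/sh, no curl/wget/nc/python — only the `vulhunt-ce`
    # binary on PATH), and `vulhunt-ce` itself exposes no health
    # subcommand (only scan/mcp/btp/ba2). A docker healthcheck has
    # to run INSIDE the target container, so there is no in-image
    # probe we can call. Audit-2026-05-04 F-H-04 / quick-wins M-8.
    # Future fix would require either upstreaming a `vulhunt-ce
    # health` subcommand or shipping a side-car ambassador on the
    # same network — both out of scope for an audit close-out.
    #
    # Exposure: the MCP listener binds 0.0.0.0:8080 inside the
    # container but has no ``ports:`` entry, so it is reachable only
    # from other containers on ``default`` — which also means this
    # third-party image can reach postgres, redis and docker-proxy.
    image: ${VULHUNT_IMAGE:-ghcr.io/vulhunt-re/vulhunt@sha256:cf361828e394f61382f0db6b121c3db3224629c89afec1d97681a91425a832ad}
    restart: unless-stopped
    entrypoint: ["vulhunt-ce", "mcp", "--host", "0.0.0.0", "--port", "8080"]
    volumes:
      - firmware_data:/data/firmware:ro
    deploy:
      resources:
        limits:
          memory: 4096M
          pids: 256
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"

  clamav:
    # ``:latest`` floats, unlike the digest-pinned vulhunt image above:
    # a ``docker compose pull`` can change the daemon version (and the
    # CLI the healthcheck below relies on) without a diff in this repo.
    # Pin to a versioned tag or digest (placeholder: clamav/clamav:<version>)
    # when the build/pull policy is next reviewed.
    image: clamav/clamav:latest
    profiles: ["clamav"]
    restart: unless-stopped
    volumes:
      - clamav-db:/var/lib/clamav
      - firmware_data:/data/firmware:ro
    deploy:
      resources:
        limits:
          memory: 4096M
    healthcheck:
      # `clamdcheck` (no .sh) is NOT on PATH in clamav/clamav:latest.
      # Use `clamdscan --ping=1` (clamav ≥0.103) — pings clamd over the socket and exits non-zero
      # if the daemon is unresponsive, which is what a healthcheck should actually detect.
      test: ["CMD", "clamdscan", "--ping=1"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 120s
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"

  frontend:
    build:
      context: ./frontend
      dockerfile: Dockerfile
    restart: unless-stopped
    ports:
      - "${FRONTEND_HOST_BIND:-127.0.0.1}:${FRONTEND_HOST_PORT:-3000}:3000"
    # Frontend is static nginx — does NOT need the full env_file.
    # Vite baked VITE_* values at build time; only MAX_UPLOAD_SIZE_MB
    # is interpolated into nginx.conf.template at runtime. Passing
    # just that one value prevents backend secrets (NVD_API_KEY,
    # POSTGRES_PASSWORD, VirusTotal / abuse.ch keys, etc.) from
    # leaking into the nginx container's /proc/<pid>/environ.
    environment:
      MAX_UPLOAD_SIZE_MB: "${MAX_UPLOAD_SIZE_MB:-2048}"
    depends_on:
      - backend
    healthcheck:
      # Use explicit IPv4 127.0.0.1 not localhost: the nginx:alpine base
      # image resolves localhost to ::1 first (IPv6) but nginx only
      # listens on 0.0.0.0:3000 (IPv4). wget -qO /dev/null localhost:3000
      # silently fails the IPv6 probe and the container reports
      # (unhealthy) even though the site is actually serving. The
      # backend healthcheck uses the same explicit-IPv4 form.
      test: ["CMD-SHELL", "wget -qO /dev/null http://127.0.0.1:3000/ || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"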
# Named volumes with driver defaults. ``{}`` is the explicit spelling of
# "no options" (a bare ``key:`` is YAML null, which Compose treats the
# same way).
volumes:
  pgdata: {}
  redisdata: {}
  firmware_data: {}
  kernel_vulns_data: {}
  clamav-db: {}
networks:
  # ``external: true`` means Compose never creates or removes this
  # network; it must already exist under the given name (e.g.
  # ``docker network create wairz_emulation_net``) or ``up`` fails.
  # The backend also hands the same name to launched containers via
  # EMULATION_NETWORK.
  emulation_net:
    name: wairz_emulation_net
    external: true
  # Project-default bridge; every service without an explicit
  # ``networks:`` key is attached here.
  default:
    driver: bridge