fix: replace SERVICES with TEMPORAL_SERVICES and add service validation

.github/workflows/compose.yaml

@@ -211,6 +211,98 @@ jobs:
         run: |
           docker compose -f docker-compose-multirole.yaml ps temporal-history temporal-frontend temporal-matching temporal-worker
 
+      - name: Verify each container runs only its expected service
+        run: |
+          port_listening() {
+            container=$1
+            port=$2
+            hex_port=$(printf '%04X' "$port")
+            docker exec "$container" cat /proc/net/tcp /proc/net/tcp6 2>/dev/null \
+              | awk '{print $2}' | grep -qi ":${hex_port}$"
+          }
+
+          check_expected_port() {
+            container=$1
+            port=$2
+            if ! port_listening "$container" "$port"; then
+              echo "FAIL: $container is not listening on expected port $port"
+              docker exec "$container" cat /proc/net/tcp /proc/net/tcp6 2>/dev/null || true
+              exit 1
+            fi
+            echo "OK: $container is listening on port $port"
+          }
+
+          check_no_port() {
+            container=$1
+            port=$2
+            if port_listening "$container" "$port"; then
+              echo "FAIL: $container is unexpectedly listening on port $port"
+              exit 1
+            fi
+            echo "OK: $container is not listening on port $port"
+          }
+
+          # history: port 7234 only
+          check_expected_port temporal-history 7234
+          check_no_port temporal-history 7235
+          check_no_port temporal-history 7237
+          check_no_port temporal-history 7236
+
+          # matching: port 7235 only
+          check_expected_port temporal-matching 7235
+          check_no_port temporal-matching 7234
+          check_no_port temporal-matching 7237
+          check_no_port temporal-matching 7236
+
+          # frontend: port 7237 (FRONTEND_GRPC_PORT=7237)
+          check_expected_port temporal-frontend 7237
+          check_no_port temporal-frontend 7234
+          check_no_port temporal-frontend 7235
+
+          # frontend2: port 7236 (FRONTEND_GRPC_PORT=7236)
+          check_expected_port temporal-frontend2 7236
+          check_no_port temporal-frontend2 7234
+          check_no_port temporal-frontend2 7235
+
+          # worker: should not bind any of the other service ports
+          check_no_port temporal-worker 7234
+          check_no_port temporal-worker 7235
+          check_no_port temporal-worker 7237
+          check_no_port temporal-worker 7236
+
+      - name: Verify ringpop membership ports are reachable on temporal-network
+        run: |
+          port_listening() {
+            container=$1
+            port=$2
+            hex_port=$(printf '%04X' "$port")
+            docker exec "$container" cat /proc/net/tcp /proc/net/tcp6 2>/dev/null \
+              | awk '{print $2}' | grep -qi ":${hex_port}$"
+          }
+
+          # Check membership ports are listening inside each container
+          for entry in "temporal-history:6934" "temporal-matching:6935"; do
+            container=${entry%:*}
+            port=${entry#*:}
+            if ! port_listening "$container" "$port"; then
+              echo "FAIL: $container is not listening on membership port $port"
+              docker exec "$container" cat /proc/net/tcp /proc/net/tcp6 2>/dev/null || true
+              exit 1
+            fi
+            echo "OK: $container is listening on membership port $port"
+          done
+
+          # Verify membership ports are reachable from within temporal-network
+          for entry in "temporal-history:6934" "temporal-matching:6935"; do
+            target=${entry%:*}
+            port=${entry#*:}
+            if ! docker exec temporal-admin-tools nc -zw3 "$target" "$port"; then
+              echo "FAIL: $target:$port is not reachable on temporal-network"
+              exit 1
+            fi
+            echo "OK: $target:$port is reachable on temporal-network"
+          done
+
       - name: Print all logs on failure
         if: failure()
         working-directory: compose

compose/docker-compose-multirole.yaml

@@ -108,7 +108,7 @@ services:
       - DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development-sql.yaml
       - TEMPORAL_HISTORY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
       - TEMPORAL_VISIBILITY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
-      - SERVICES=history
+      - TEMPORAL_SERVICES=history
       - PROMETHEUS_ENDPOINT=0.0.0.0:8000
       - ENABLE_ES=true
       - ES_SEEDS=elasticsearch
@@ -141,7 +141,7 @@ services:
       - DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development-sql.yaml
       - TEMPORAL_HISTORY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
       - TEMPORAL_VISIBILITY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
-      - SERVICES=matching
+      - TEMPORAL_SERVICES=matching
       - PROMETHEUS_ENDPOINT=0.0.0.0:8001
       - ENABLE_ES=true
       - ES_SEEDS=elasticsearch
@@ -174,7 +174,7 @@ services:
       - DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development-sql.yaml
       - TEMPORAL_HISTORY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
       - TEMPORAL_VISIBILITY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
-      - SERVICES=frontend
+      - TEMPORAL_SERVICES=frontend
       - FRONTEND_GRPC_PORT=7237
       - PROMETHEUS_ENDPOINT=0.0.0.0:8002
       - ENABLE_ES=true
@@ -208,7 +208,7 @@ services:
       - DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development-sql.yaml
       - TEMPORAL_HISTORY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
       - TEMPORAL_VISIBILITY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
-      - SERVICES=frontend
+      - TEMPORAL_SERVICES=frontend
       # set different frontend grpc port
       - FRONTEND_GRPC_PORT=7236
       # set different membership port than temporal-frontend
@@ -245,7 +245,7 @@ services:
       - DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development-sql.yaml
       - TEMPORAL_HISTORY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
       - TEMPORAL_VISIBILITY_NAMESPACEDEFAULT_ARCHIVAL_FILESTORE=enabled
-      - SERVICES=worker
+      - TEMPORAL_SERVICES=worker
       - PROMETHEUS_ENDPOINT=0.0.0.0:8003
       # set to nginx
       - PUBLIC_FRONTEND_ADDRESS=temporal-nginx:7233

tls/tls-full/docker-compose.yml

@@ -12,7 +12,7 @@ services:
       - ${TEMPORAL_LOCAL_CERT_DIR}:${TEMPORAL_TLS_CERTS_DIR}
       - ./config_template.yaml:/etc/temporal/config/config_template.yaml
     environment:
-      - "SERVICES=frontend:matching:history:worker:internal-frontend"
+      - "TEMPORAL_SERVICES=frontend:matching:history:worker:internal-frontend"
       - "CASSANDRA_SEEDS=cassandra"
       - "DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development.yaml"
       - "TEMPORAL_CLI_ADDRESS=temporal:7233" # used by tctl. Will be deprecated