fix: exposed ports and security on docker compose file

[zulkhair]

Closes: WORLD-1215, WORLD-1210

Overview

Disable exposed port for redis, nakamadb, and celestia

Brief Changelog

• Remove exposed port
• Add password for redis

Testing and Verifying

• Run using world cli
• Run using docker compose for every container

Summary by CodeRabbit

• New Features
  • Introduced new configuration options for enhanced tracing and metrics collection in Nakama.
  • Added a new key for coordination between Cardinal and EVM.
• Improvements
  • Updated Redis password handling for improved security.
• Configuration Changes
  • Adjusted port mappings and environment variables across multiple services for better management.

[zulkhair]

• fix: exposed ports and security on docker compose file #55 👈
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @zulkhair and the rest of your teammates on Graphite

[coderabbitai]

Walkthrough

The changes in this pull request involve modifications to the docker-compose.yml and world.toml files. The docker-compose.yml file updates service configurations, including the addition of an environment variable REDIS_PASSWORD for security, removal of certain port mappings, and adjustments to service commands. The world.toml file introduces new configuration options related to tracing and metrics, updates the REDIS_PASSWORD, and adds a new key for coordination. These changes enhance security and telemetry capabilities.

Changes

File	Change Summary
docker-compose.yml	- Added REDIS_PASSWORD environment variable for cardinal and cardinal-debug services. - Removed port mapping for 40000 in cardinal-debug. - Updated command in redis to require a password. - Removed port mappings for 8080 and 26257 in nakama-db. - Adjusted port mappings in celestia-devnet.
world.toml	- Updated REDIS_PASSWORD from empty to "very_unsafe_password_replace_me". - Added telemetry options in [nakama]: NAKAMA_TRACE_ENABLED, NAKAMA_METRICS_ENABLED, NAKAMA_TRACE_SAMPLE_RATE, NAKAMA_METRICS_INTERVAL. - Added ROUTER_KEY in [common].

Assessment against linked issues

Objective	Addressed	Explanation
Do not expose Redis to the internet by default on starter-game-template (WORLD-1215)	✅
Update starter game template world.toml with new telemetry options (WORLD-1210)	✅

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range comments (1)

docker-compose.yml (1)

Security concern: Debug port exposed without environment isolation

The debug port 40000 is indeed exposed in both the Dockerfile and docker-compose.yml without any environment-specific isolation. The Dockerfile confirms it's used for the Delve debugger (dlv). Since there are no Docker Compose profiles to segregate development from production environments, this poses a security risk in production deployments.

Recommendations:

• Add Docker Compose profiles to isolate debug configuration to development environment
• Use environment variables to conditionally expose the debug port
• Consider removing the debug configuration from the main Dockerfile and use a development-specific Dockerfile instead

🔗 Analysis chain

Line range hint 37-38: Security concern: Debug port exposed to host.

The debug port 40000 is exposed to the host machine, which could pose security risks in production environments. Consider:

1. Removing this port mapping in production
2. Using Docker compose profiles to only include this in development

---

Let me run the correct search for port 40000.

---

Let me check if there are any Docker Compose profiles or environment-specific configurations.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the debug port is used in other services
rg "40000" --type yaml

Length of output: 1379

---

Script:

#!/bin/bash
# Check if the debug port is used in other services
rg "40000" 

Length of output: 179

---

Script:

#!/bin/bash
# Check for Docker Compose profiles and environment configurations
rg "profiles?:" docker-compose.yml
rg "^[[:space:]]*environment:" -A 2 docker-compose.yml

Length of output: 830

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between c4ea800 and 90ad1ef.

📒 Files selected for processing (2)

• docker-compose.yml (4 hunks)
• world.toml (2 hunks)

🔇 Additional comments (7)

world.toml (2)

8-9: LGTM! Secure default configuration

The telemetry settings are disabled by default, which is a secure configuration. The comments clearly explain their purpose.

---

31-39: 🛠️ Refactor suggestion

Consider security and performance implications of default values

While the observability settings are well documented, having tracing and metrics enabled by default might:

1. Impact performance in development environments
2. Increase resource usage
3. Generate unnecessary telemetry data

Consider disabling these by default and documenting the recommended values for different environments (dev/staging/prod).

-NAKAMA_TRACE_ENABLED = true   
-NAKAMA_METRICS_ENABLED = true
+NAKAMA_TRACE_ENABLED = false   # Enable in production for observability
+NAKAMA_METRICS_ENABLED = false # Enable in production for monitoring

docker-compose.yml (5)

6-6: LGTM: Redis password environment variable properly configured.

The addition of REDIS_PASSWORD environment variable with a default value improves security by ensuring Redis authentication is always configured.

Also applies to: 24-24

---

134-136: LGTM: Improved security for Nakama DB.

Good security improvement by removing unnecessary port exposures while maintaining internal communication through the Docker network.

---

137-141: LGTM: Redis security properly configured.

Excellent security improvements:

1. Redis password requirement properly enforced via command
2. Port 6379 correctly configured to be only exposed internally

---

159-161: ⚠️ Potential issue

Security concern: Ports still accessible from host.

Not specifying host ports (e.g., "26658" instead of "host:26658") allows Docker to assign random host ports, which doesn't prevent host access. Consider:

1. Using expose instead of ports if these ports are only needed for internal container communication
2. Explicitly mapping required ports with specific host ports if external access is needed

---

Line range hint 1-162: Verify security of environment variables.

While the Redis and DB passwords are properly configured, consider:

1. Adding comments or documentation for all security-sensitive environment variables
2. Adding validation for minimum password strength
3. Providing a template for secure production values

#!/bin/bash
# Check for environment variables that might contain sensitive data
rg "PASSWORD|TOKEN|KEY" --type yaml

[rmrt1n]

lgtm!

[zulkhair]

Merge activity

• ​Oct 25, 1:48 PM EDT​: A user started a stack merge that includes this pull request via Graphite.
• ​Oct 25, 1:49 PM EDT​: A user merged this pull request with Graphite.