From bba9af08b7d2e6d2f770cf200b5801688076f19b Mon Sep 17 00:00:00 2001 From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Thu, 28 Mar 2024 18:43:16 -0400 Subject: [PATCH] feat: update build-canned Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com> fix: add arm64 for zero-trust Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com> fix: update readme and tweak makefile per review Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com> fix: remove debugging Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com> fix: remove debug really this time Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com> fix: remove debug really this time Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com> fix: update ekuiper and selectively enable OpenZiti in it Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com> --- Makefile | 25 +- README.md | 13 +- compose-builder/.env | 2 +- compose-builder/Makefile | 13 +- compose-builder/add-security-zero-trust.yml | 1 + compose-builder/docker-compose-base.yml | 1 + docker-compose-arm64.yml | 1111 ++++++++------- docker-compose-no-secty-arm64.yml | 376 ++--- ...compose-no-secty-with-app-sample-arm64.yml | 403 +++--- docker-compose-no-secty-with-app-sample.yml | 403 +++--- docker-compose-no-secty.yml | 376 ++--- docker-compose-with-app-sample-arm64.yml | 1171 ++++++++-------- docker-compose-with-app-sample.yml | 1171 ++++++++-------- docker-compose-zero-trust-arm64.yml | 1211 +++++++++++++++++ docker-compose-zero-trust.yml | 30 +- docker-compose.yml | 1111 ++++++++------- 16 files changed, 4509 insertions(+), 2909 deletions(-) create mode 100644 docker-compose-zero-trust-arm64.yml diff --git a/Makefile b/Makefile index 6c79ae94..4216f6ae 100644 --- a/Makefile +++ b/Makefile 
@@ -13,7 +13,7 @@ # * # *******************************************************************************/ -.PHONY: help portainer portainer-down pull run pull-ui run-ui down-ui down clean get-token openziti openziti-down zero-trust zero-trust-down +.PHONY: help portainer portainer-down pull run pull-ui run-ui down-ui down clean get-token openziti openziti-down zero-trust .SILENT: help get-token help: @@ -22,7 +22,7 @@ help: ARGS:=$(wordlist 2,$(words $(MAKECMDGOALS)),$(MAKECMDGOALS)) $(eval $(ARGS):;@:) -OPTIONS:=" arm64 no-secty app-sample " # Must have spaces around words for `filter-out` function to work properly +OPTIONS:=" arm64 no-secty app-sample zero-trust " # Must have spaces around words for `filter-out` function to work properly # This tool now only supports compose V2, aka "docker compose" as it has replaced to old docker-compose tool. DOCKER_COMPOSE=docker compose @@ -37,11 +37,14 @@ endif ifeq (app-sample, $(filter app-sample,$(ARGS))) APP_SAMPLE:=-with-app-sample endif +ifeq (zero-trust, $(filter zero-trust,$(ARGS))) + ZERO_TRUST_OPTION=-zero-trust +endif SERVICES:=$(filter-out $(OPTIONS),$(ARGS)) define COMPOSE_DOWN - ${DOCKER_COMPOSE} -p edgex -f docker-compose.yml -f docker-compose-with-app-sample.yml down $1 + ${DOCKER_COMPOSE} -p edgex -f docker-compose-with-app-sample.yml down $1 endef # Define additional phony targets for all options to enable support for tab-completion in shell 
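Review bot: `COMPOSE_DOWN` still hard-codes `docker-compose-with-app-sample.yml`, so `make down zero-trust` — the command the README in this patch now tells users to run for a full clean-up — only tears down the services that file defines; `ZERO_TRUST_OPTION` is set a few lines above but never reaches `down`. If `docker-compose-zero-trust.yml` adds any service, or names one differently from the app-sample file (not visible here), those containers stay up in the `edgex` project after a supposedly complete shutdown. Consider `${DOCKER_COMPOSE} -p edgex -f docker-compose-with-app-sample.yml $(if $(ZERO_TRUST_OPTION),-f docker-compose-zero-trust$(ARM64).yml) down $1` so the zero-trust file is merged in when the option is given, or add a comment stating that `down` deliberately relies on every variant sharing the same service names.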
@@ -66,23 +69,11 @@ openziti-logs: openziti-clean: ${DOCKER_COMPOSE} -p edgex -f docker-compose-openziti.yml down -v -zero-trust: - ${DOCKER_COMPOSE} -p edgex -f docker-compose-zero-trust.yml up -d - -zero-trust-down: - ${DOCKER_COMPOSE} -p edgex -f docker-compose-zero-trust.yml down - -zero-trust-logs: - ${DOCKER_COMPOSE} -p edgex -f docker-compose-zero-trust.yml logs -f - -zero-trust-clean: - ${DOCKER_COMPOSE} -p edgex -f docker-compose-zero-trust.yml down -v - pull: - ${DOCKER_COMPOSE} -f docker-compose${NO_SECURITY}${ARM64}.yml pull ${SERVICES} + ${DOCKER_COMPOSE} -f docker-compose${NO_SECURITY}${ZERO_TRUST_OPTION}${ARM64}.yml pull ${SERVICES} run: - ${DOCKER_COMPOSE} -p edgex -f docker-compose${NO_SECURITY}${APP_SAMPLE}${ARM64}.yml up -d ${SERVICES} + ${DOCKER_COMPOSE} -p edgex -f docker-compose${NO_SECURITY}${APP_SAMPLE}${ZERO_TRUST_OPTION}${ARM64}.yml up -d ${SERVICES} down: $(COMPOSE_DOWN) diff --git a/README.md b/README.md index 310681de..489ea137 100644 --- a/README.md +++ b/README.md 
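Review bot: The new `pull`/`run` file names accept every option combination, but `build-canned` in this patch only generates `docker-compose-zero-trust.yml` and `docker-compose-zero-trust-arm64.yml`, so `make run no-secty zero-trust` or `make run app-sample zero-trust` resolve to files that do not exist and fail with a compose "file not found" rather than a clear message. `no-secty zero-trust` is also contradictory on its face — the zero-trust overlay relies on the secret store (`EDGEX_CREDENTIALS` in `add-security-zero-trust.yml`) — so it should fail closed with a reason. A guard next to the option parsing, e.g. `ifneq (,$(and $(ZERO_TRUST_OPTION),$(NO_SECURITY)))` / `$(error zero-trust requires the secure stack; drop no-secty)` / `endif`, makes the constraint explicit; the same check on `APP_SAMPLE` would cover the other missing variant until one is generated. The `zero-trust-logs` target is removed without a visible replacement, so the README's remaining "follow the logs" guidance now points only at `openziti-logs`.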
@@ -97,22 +97,13 @@ This folder contains the following compose files: - Use `make pull no-secty app-sample ` to pull all or some images for the services in this compose file. - **docker-compose-openziti.yml** - Contains the services needed to bring OpenZiti online, configure it, and enable consul to perform underlay-based health checking. Used in conjunction with `docker-compose-zero-trust.yml`. This compose file should be started before starting the `docker-compose-zero-trust.yml` compose file. + Contains the services needed to bring OpenZiti online, configure it, and enable consul to perform underlay-based health checking. Used in conjunction with `make run (pull) zero-trust`. This compose file should be started before starting the `make run zero-trust` compose file. **Make Commands** - Use `make openziti` and `make openziti-down` to start and stop the services using this compose file. - - Use `make openziti-clean` to remove all stopped containers, all volumes and all networks used by the EdgeX stack. Use this command when needing to do a fresh restart. **Note** You must _also_ run the corresponding `make zero-trust-clean` command to fully clean up. + - Use `make openziti-clean` to remove all stopped containers, all volumes and all networks used by the EdgeX stack. Use this command when needing to do a fresh restart. **Note** You must _also_ run the corresponding `make down zero-trust` command to fully clean up. - Use `make openziti-logs` to follow the logs - -- **docker-compose-zero-trust.yml** - Contains the services needed to run in zero-trust secure mode. Used in conjunction with `docker-compose-openziti.yml`. Start this compose file after starting OpenZiti. When operating in zero-trust mode, no ports are available other than the OpenZiti ports. Accessing services must be done using an OpenZiti tunneler or through using an OpenZiti SDK. The `go-mod-bootstrap` library has been upgraded to support zero-trust. 
- - **Make Commands** - - - Use `make zero-trust` and `make zero-trust-down` to start and stop the services using this compose file. - - Use `make zero-trust-clean` to remove all stopped containers, all volumes and all networks used by the EdgeX stack. Use this command when needing to do a fresh restart. **Note** You must _also_ run the corresponding `make openziti-clean` command to fully clean up. - - Use `make openziti-logs` to follow the logs ### TAF Compose files diff --git a/compose-builder/.env b/compose-builder/.env index 59c81b41..323c71f6 100644 --- a/compose-builder/.env +++ b/compose-builder/.env @@ -48,7 +48,7 @@ VAULT_VERSION=1.14 CONSUL_VERSION=1.16 # Lock on Redis 7.0 until EdgeX 4.0 REDIS_VERSION=7.0-alpine -KUIPER_VERSION=1.12-alpine +KUIPER_VERSION=v1.14.0-alpha.2 MOSQUITTO_VERSION=2.0 NANOMQ_VERSION=0.18 NATS_VERSION=2.9-alpine diff --git a/compose-builder/Makefile b/compose-builder/Makefile index b32e48b9..1d567bd4 100644 --- a/compose-builder/Makefile +++ b/compose-builder/Makefile @@ -65,8 +65,10 @@ endif ifeq (zero-trust, $(filter zero-trust,$(ARGS))) MAKE_ZERO_TRUST:=1 + export ZERO_TRUST_COMPOSE=-zero-trust else MAKE_ZERO_TRUST:=0 + export ZERO_TRUST_COMPOSE= endif ifeq (no-cleanup, $(filter no-cleanup,$(ARGS))) NO_CLEANUP:=1 @@ -1015,6 +1017,8 @@ build-canned: make compose ds-rest ds-virtual no-secty arm64 make compose ds-rest ds-virtual asc-sample no-secty make compose ds-rest ds-virtual asc-sample no-secty arm64 + make compose ds-rest ds-virtual zero-trust + make compose ds-rest ds-virtual zero-trust arm64 build-taf: make taf-compose taf-secty 
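Review bot: The two `build-canned` lines added here regenerate zero-trust variants from the same `.env` in which this patch moves `KUIPER_VERSION` to `v1.14.0-alpha.2`, and because every other `make compose` line in the target reads that same variable, the pre-release eKuiper tag lands in all canned files — the hunk for `docker-compose-arm64.yml` further down shows `image: lfedge/ekuiper:v1.14.0-alpha.2` in a non-zero-trust file. Users of the plain and no-secty stacks therefore pull an alpha build for the rules engine, which typically carries no stability or patch-support commitment, even though only the zero-trust path needs `KUIPER__BASIC__ENABLEOPENZITI`. If the alpha cannot be avoided until a tagged 1.14 release, a comment in `.env` such as `# pre-release: needed for KUIPER__BASIC__ENABLEOPENZITI (OpenZiti); return to a release tag once 1.14.0 ships` records the intent, and a tracking issue keeps the interim pin from becoming permanent.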
@@ -1035,7 +1039,7 @@ build-taf-nanomq: make taf-compose-perf taf-perf-no-secty mqtt-bus nanomq no-secty compose: gen - cat gen-header docker-compose.yml > $(RELEASE_FOLDER)/docker-compose$(NO_SECURITY)$(APP_SAMPLE)$(BUS)$(NANOMQ)$(ARCH).yml + cat gen-header docker-compose.yml > $(RELEASE_FOLDER)/docker-compose$(NO_SECURITY)$(APP_SAMPLE)$(BUS)$(NANOMQ)$(ZERO_TRUST_COMPOSE)$(ARCH).yml taf-compose: gen cat gen-header docker-compose.yml > $(RELEASE_FOLDER)/taf/docker-compose-taf$(NO_SECURITY)$(BUS)$(NANOMQ)$(ARCH).yml @@ -1051,9 +1055,12 @@ pull: gen gen: echo MQTT_VERBOSE=${MQTT_VERBOSE} - ${DOCKER_COMPOSE} -p edgex $(COMPOSE_FILES) ${GEN_COMMAND} --output docker-compose.yml + ${DOCKER_COMPOSE} -p edgex $(COMPOSE_FILES) ${GEN_COMMAND} --output docker-compose.yml.gen if [ "$(NO_CLEANUP)" = "0" ]; then rm -rf ./$(GEN_EXT_DIR); fi - + echo "# Generated with: $(docker_ver)" > docker-compose.yml + cat docker-compose.yml.gen >> docker-compose.yml + rm docker-compose.yml.gen + get-token: sh ./get-api-gateway-token.sh diff --git a/compose-builder/add-security-zero-trust.yml b/compose-builder/add-security-zero-trust.yml index 77009d1d..ff2aebea 100644 --- a/compose-builder/add-security-zero-trust.yml +++ b/compose-builder/add-security-zero-trust.yml @@ -37,6 +37,7 @@ services: environment: EDGEX_CREDENTIAL_NAME: rules-engine EDGEX_CREDENTIALS: /tmp/edgex/secrets/rules-engine/secrets-token.json + KUIPER__BASIC__ENABLEOPENZITI: true OPENZITI_CONTROLLER: openziti:1280 ports: !reset null volumes: diff --git a/compose-builder/docker-compose-base.yml b/compose-builder/docker-compose-base.yml index f4779f3f..9920abb5 100644 --- a/compose-builder/docker-compose-base.yml +++ b/compose-builder/docker-compose-base.yml @@ -264,6 +264,7 @@ services: environment: # KUIPER__BASIC__DEBUG: "true" KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: false KUIPER__BASIC__RESTPORT: 59720 CONNECTION__EDGEX__REDISMSGBUS__PORT: 6379 CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis 
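Review bot: `KUIPER__BASIC__ENABLEOPENZITI: true` in `add-security-zero-trust.yml` (and `false` in `docker-compose-base.yml`) is the only unquoted boolean among the eKuiper environment entries; the neighbouring `KUIPER__BASIC__CONSOLELOG: "true"` is quoted, and the Compose spec recommends quoting boolean-looking env values so the YAML parser never types them as anything but the literal string the container expects. Compose v2 does stringify it today — the generated files in this patch render `"false"` — so this is consistency rather than breakage, but quoting keeps the overlay and base fragments uniform and robust to any other tool that reads them. Suggest `KUIPER__BASIC__ENABLEOPENZITI: "true"` in the overlay and `KUIPER__BASIC__ENABLEOPENZITI: "false"` in the base file.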
diff --git a/docker-compose-arm64.yml b/docker-compose-arm64.yml index 9593ff93..5d20ea50 100644 --- a/docker-compose-arm64.yml +++ b/docker-compose-arm64.yml @@ -24,25 +24,30 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: command: - - /app-service-configurable - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /app-service-configurable + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-app-rules-engine depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" 
@@ -67,51 +72,53 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59701 - published: "59701" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/app-rules-engine - target: /tmp/edgex/secrets/app-rules-engine - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/app-rules-engine + target: /tmp/edgex/secrets/app-rules-engine + read_only: true + bind: + selinux: z + create_host_path: true consul: command: - - agent - - -ui - - -bootstrap - - -server - - -client - - 0.0.0.0 + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 container_name: edgex-core-consul depends_on: security-bootstrapper: condition: service_started + required: true vault: condition: service_started + required: true entrypoint: - - /edgex-init/consul_wait_install.sh + - /edgex-init/consul_wait_install.sh environment: EDGEX_ADD_REGISTRY_ACL_ROLES: "" EDGEX_GROUP: "2001" 
@@ -140,62 +147,68 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8500 - published: "8500" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: consul-config - target: /consul/config - volume: {} - - type: volume - source: consul-data - target: /consul/data - volume: {} - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: consul-acl-token - target: /tmp/edgex/secrets/consul-acl-token - volume: {} - - type: bind - source: /tmp/edgex/secrets/edgex-consul - target: /tmp/edgex/secrets/edgex-consul - read_only: true - bind: - selinux: z - create_host_path: true + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/edgex-consul + target: /tmp/edgex/secrets/edgex-consul + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + volume: {} core-command: command: - - /core-command - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-command + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-command depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: 
true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 
@@ -220,50 +233,53 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59882 - published: "59882" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-command - target: /tmp/edgex/secrets/core-command - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-command + target: /tmp/edgex/secrets/core-command + read_only: true + bind: + selinux: z + create_host_path: true core-common-config-bootstrapper: command: - - /entrypoint.sh - - /core-common-config-bootstrapper - - -cp=consul.http://edgex-core-consul:8500 + - /entrypoint.sh + - /core-common-config-bootstrapper + - -cp=consul.http://edgex-core-consul:8500 container_name: edgex-core-common-config-bootstrapper depends_on: consul: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: ALL_SERVICES_DATABASE_HOST: edgex-redis ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis 
@@ -292,46 +308,51 @@ services: edgex-network: null read_only: true security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-common-config-bootstrapper - target: /tmp/edgex/secrets/core-common-config-bootstrapper - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-common-config-bootstrapper + target: /tmp/edgex/secrets/core-common-config-bootstrapper + read_only: true + bind: + selinux: z + create_host_path: true core-data: command: - - /core-data - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-data + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-data depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -355,52 +376,56 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59880 - published: "59880" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-data - target: /tmp/edgex/secrets/core-data - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-data + target: /tmp/edgex/secrets/core-data + read_only: true + bind: + selinux: z + create_host_path: true core-metadata: command: - - /core-metadata - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-metadata + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-metadata depends_on: consul: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -424,44 +449,46 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59881 - published: "59881" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-metadata - target: /tmp/edgex/secrets/core-metadata - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-metadata + target: /tmp/edgex/secrets/core-metadata + read_only: true + bind: + selinux: z + create_host_path: true database: container_name: edgex-redis depends_on: security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/redis_wait_install.sh + - /edgex-init/redis_wait_install.sh environment: DATABASECONFIG_NAME: redis.conf DATABASECONFIG_PATH: /run/redis/conf 
@@ -486,58 +513,63 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 6379 - published: "6379" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /run + - /run user: root:root volumes: - - type: volume - source: db-data - target: /data - volume: {} - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: redis-config - target: /run/redis/conf - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-bootstrapper-redis - target: /tmp/edgex/secrets/security-bootstrapper-redis - read_only: true - bind: - selinux: z - create_host_path: true + - type: volume + source: db-data + target: /data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: redis-config + target: /run/redis/conf + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-bootstrapper-redis + target: /tmp/edgex/secrets/security-bootstrapper-redis + read_only: true + bind: + selinux: z + create_host_path: true device-rest: command: - - /device-rest - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /device-rest + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-device-rest depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -561,54 +593,59 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59986 - published: "59986" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59986 + published: "59986" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/device-rest - target: /tmp/edgex/secrets/device-rest - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-rest + target: /tmp/edgex/secrets/device-rest + read_only: true + bind: + selinux: z + create_host_path: true device-virtual: command: - - /device-virtual - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /device-virtual + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-device-virtual depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -632,48 +669,49 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59900 - published: "59900" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59900 + published: "59900" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/device-virtual - target: /tmp/edgex/secrets/device-virtual - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-virtual + target: /tmp/edgex/secrets/device-virtual + read_only: true + bind: + selinux: z + create_host_path: true nginx: command: - - /docker-entrypoint.sh - - nginx - - -g - - daemon off; + - /docker-entrypoint.sh + - nginx + - -g + - daemon off; container_name: edgex-nginx depends_on: security-secretstore-setup: condition: service_started + required: true entrypoint: - - /bin/sh - - /edgex-init/nginx_wait_install.sh + - /bin/sh + - /edgex-init/nginx_wait_install.sh environment: PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -694,44 +732,47 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 8443 - published: "8443" - protocol: tcp + - mode: ingress + target: 8443 + published: "8443" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /etc/nginx/conf.d - - /var/cache/nginx - - /var/log/nginx - - /var/run + - /etc/nginx/conf.d + - /var/cache/nginx + - /var/log/nginx + - /var/run volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: nginx-templates - target: /etc/nginx/templates - volume: {} - - type: volume - source: nginx-tls - target: /etc/ssl/nginx - volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} rules-engine: container_name: edgex-kuiper depends_on: database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/kuiper_wait_install.sh + - /edgex-init/kuiper_wait_install.sh environment: CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis @@ -743,6 +784,7 @@ services: EDGEX__DEFAULT__TOPIC: edgex/rules-events EDGEX__DEFAULT__TYPE: redis KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "false" KUIPER__BASIC__RESTPORT: "59720" PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -759,56 +801,56 @@ services: STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59720 - published: "59720" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: kuiper:kuiper volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: kuiper-data - target: /kuiper/data - volume: {} - - type: volume - source: kuiper-etc - target: /kuiper/etc - volume: {} - - type: volume - source: kuiper-connections - target: /kuiper/etc/connections - volume: {} - - type: volume - source: kuiper-sources - target: /kuiper/etc/sources - volume: {} - - type: volume - source: kuiper-log - target: /kuiper/log - volume: {} - - type: volume - source: kuiper-plugins - target: /kuiper/plugins - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} + - type: volume + source: kuiper-sources + target: /kuiper/etc/sources + volume: {} + - type: volume + source: kuiper-connections + target: /kuiper/etc/connections + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -835,34 +877,36 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + volume: {} security-proxy-auth: command: - - entrypoint.sh - - /security-proxy-auth - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - entrypoint.sh + - /security-proxy-auth + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-proxy-auth depends_on: core-common-config-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /bin/sh - - /edgex-init/ready_to_run_wait_install.sh + - /bin/sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -886,43 +930,45 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59842 - published: "59842" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59842 + published: "59842" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-proxy-auth - target: /tmp/edgex/secrets/security-proxy-auth - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-auth + target: /tmp/edgex/secrets/security-proxy-auth + read_only: true + bind: + selinux: z + create_host_path: true security-proxy-setup: container_name: edgex-security-proxy-setup depends_on: security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/proxy_setup_wait_install.sh + - /edgex-init/proxy_setup_wait_install.sh environment: EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986 EDGEX_SECURITY_SECRET_STORE: "true" 
@@ -957,51 +1003,53 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-config - target: /vault/config - volume: {} - - type: volume - source: nginx-templates - target: /etc/nginx/templates - volume: {} - - type: volume - source: nginx-tls - target: /etc/ssl/nginx - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-proxy-setup - target: /tmp/edgex/secrets/security-proxy-setup - read_only: true - bind: - selinux: z - create_host_path: true - - type: volume - source: consul-acl-token - target: /tmp/edgex/secrets/consul-acl-token - read_only: true - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-setup + target: /tmp/edgex/secrets/security-proxy-setup + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + read_only: true + volume: {} security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: security-bootstrapper: condition: service_started + required: true vault: condition: service_started + required: true environment: EDGEX_ADD_KNOWN_SECRETS: 
redisdb[app-rules-engine],redisdb[device-rest],message-bus[device-rest],redisdb[device-virtual],message-bus[device-virtual] EDGEX_ADD_SECRETSTORE_TOKENS: "" 
@@ -1031,60 +1079,65 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /run - - /vault + - /run + - /vault user: root:root volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets - target: /tmp/edgex/secrets - bind: - selinux: z - create_host_path: true - - type: volume - source: kuiper-sources - target: /tmp/kuiper - volume: {} - - type: volume - source: kuiper-connections - target: /tmp/kuiper-connections - volume: {} - - type: volume - source: vault-config - target: /vault/config - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: bind + source: /tmp/edgex/secrets + target: /tmp/edgex/secrets + bind: + selinux: z + create_host_path: true + - type: volume + source: kuiper-sources + target: /tmp/kuiper + volume: {} + - type: volume + source: kuiper-connections + target: /tmp/kuiper-connections + volume: {} support-notifications: command: - - /support-notifications - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /support-notifications + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-support-notifications depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - 
/edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -1108,54 +1161,59 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59860 - published: "59860" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/support-notifications - target: /tmp/edgex/secrets/support-notifications - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-notifications + target: /tmp/edgex/secrets/support-notifications + read_only: true + bind: + selinux: z + create_host_path: true support-scheduler: command: - - /support-scheduler - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /support-scheduler + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-support-scheduler depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data 
@@ -1181,35 +1239,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59861 - published: "59861" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/support-scheduler - target: /tmp/edgex/secrets/support-scheduler - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-scheduler + target: /tmp/edgex/secrets/support-scheduler + read_only: true + bind: + selinux: z + create_host_path: true ui: container_name: edgex-ui-go environment: 
@@ -1220,33 +1278,34 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 4000 - published: "4000" - protocol: tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true vault: cap_add: - - IPC_LOCK + - IPC_LOCK command: - - server + - server container_name: edgex-vault depends_on: security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/vault_wait_install.sh + - /edgex-init/vault_wait_install.sh environment: PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper @@ -1270,29 +1329,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp restart: always tmpfs: - - /vault/config + - /vault/config user: root:root volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-file + target: /vault/file + volume: {} + - type: volume + source: vault-logs + target: /vault/logs + volume: {} networks: edgex-network: name: edgex_edgex-network diff --git a/docker-compose-no-secty-arm64.yml b/docker-compose-no-secty-arm64.yml index 926efdc5..08528e8a 100644 --- a/docker-compose-no-secty-arm64.yml 
+++ b/docker-compose-no-secty-arm64.yml @@ -24,6 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: @@ -31,10 +32,13 @@ services: depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "false" 
@@ -44,67 +48,71 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59701 - published: "59701" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true consul: command: - - agent - - -ui - - -bootstrap - - -server - - -client - - 0.0.0.0 + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 container_name: edgex-core-consul hostname: edgex-core-consul image: hashicorp/consul:1.16 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8500 - published: "8500" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: consul-config - target: /consul/config - volume: {} - - type: volume - source: consul-data - target: /consul/data - volume: {} + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} core-command: container_name: edgex-core-command depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 
@@ -114,28 +122,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59882 - published: "59882" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-common-config-bootstrapper: container_name: edgex-core-common-config-bootstrapper depends_on: consul: condition: service_started + required: true environment: ALL_SERVICES_DATABASE_HOST: edgex-redis ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis @@ -149,24 +158,27 @@ services: edgex-network: null read_only: true security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-data: container_name: edgex-core-data depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-core-data 
@@ -175,30 +187,32 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59880 - published: "59880" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-metadata: container_name: edgex-core-metadata depends_on: consul: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-core-metadata @@ -207,23 +221,23 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59881 - published: "59881" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true database: container_name: edgex-redis hostname: edgex-redis 
@@ -231,32 +245,36 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 6379 - published: "6379" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: db-data - target: /data - volume: {} + - type: volume + source: db-data + target: /data + volume: {} device-rest: container_name: edgex-device-rest depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-device-rest @@ -265,34 +283,38 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59986 - published: "59986" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59986 + published: "59986" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true device-virtual: container_name: edgex-device-virtual depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-device-virtual 
@@ -301,28 +323,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59900 - published: "59900" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59900 + published: "59900" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true rules-engine: container_name: edgex-kuiper depends_on: database: condition: service_started + required: true environment: CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis 
@@ -334,54 +357,58 @@ services: EDGEX__DEFAULT__TOPIC: edgex/rules-events EDGEX__DEFAULT__TYPE: redis KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "false" KUIPER__BASIC__RESTPORT: "59720" hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59720 - published: "59720" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: kuiper:kuiper volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: kuiper-data - target: /kuiper/data - volume: {} - - type: volume - source: kuiper-etc - target: /kuiper/etc - volume: {} - - type: volume - source: kuiper-log - target: /kuiper/log - volume: {} - - type: volume - source: kuiper-plugins - target: /kuiper/plugins - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} support-notifications: container_name: edgex-support-notifications depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-support-notifications 
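Review bot: The `image:` line for rules-engine moves from the stable tag `lfedge/ekuiper:1.12-alpine` to the pre-release tag `lfedge/ekuiper:v1.14.0-alpha.2` in a compose file intended for deployment; an alpha tag carries no stability guarantee and may be re-pushed or withdrawn upstream, so it should either wait for a released tag or be pinned by digest, e.g. `image: lfedge/ekuiper:v1.14.0-alpha.2@sha256:<DIGEST-PLACEHOLDER>`, with a comment stating why the pre-release is required (presumably the new `KUIPER__BASIC__ENABLEOPENZITI` setting). The same tag change appears in the hunk for docker-compose-no-secty-with-app-sample-arm64.yml at L44 and presumably in the other generated variants. Since these files' headers say they are regenerated from the compose-builder folder, the pin and its comment belong in the builder's image-version source rather than in these outputs.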
@@ -390,32 +417,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59860 - published: "59860" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true support-scheduler: container_name: edgex-support-scheduler depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data @@ -426,23 +456,23 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59861 - published: "59861" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true ui: container_name: edgex-ui-go environment: 
@@ -453,22 +483,22 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 4000 - published: "4000" - protocol: tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true networks: edgex-network: name: edgex_edgex-network diff --git a/docker-compose-no-secty-with-app-sample-arm64.yml b/docker-compose-no-secty-with-app-sample-arm64.yml index ea197192..4224057d 100644 --- a/docker-compose-no-secty-with-app-sample-arm64.yml +++ b/docker-compose-no-secty-with-app-sample-arm64.yml @@ -24,6 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: @@ -31,10 +32,13 @@ services: depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "false" 
@@ -44,32 +48,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59701 - published: "59701" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true app-sample: container_name: edgex-app-sample depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: CLIENTS_CORE_COMMAND_HOST: edgex-core-command CLIENTS_CORE_DATA_HOST: edgex-core-data 
@@ -82,67 +89,71 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59700 - published: "59700" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59700 + published: "59700" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true consul: command: - - agent - - -ui - - -bootstrap - - -server - - -client - - 0.0.0.0 + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 container_name: edgex-core-consul hostname: edgex-core-consul image: hashicorp/consul:1.16 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8500 - published: "8500" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: consul-config - target: /consul/config - volume: {} - - type: volume - source: consul-data - target: /consul/data - volume: {} + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} core-command: container_name: edgex-core-command depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 
@@ -152,28 +163,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59882 - published: "59882" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-common-config-bootstrapper: container_name: edgex-core-common-config-bootstrapper depends_on: consul: condition: service_started + required: true environment: ALL_SERVICES_DATABASE_HOST: edgex-redis ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis @@ -187,24 +199,27 @@ services: edgex-network: null read_only: true security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-data: container_name: edgex-core-data depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-core-data 
@@ -213,30 +228,32 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59880 - published: "59880" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-metadata: container_name: edgex-core-metadata depends_on: consul: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-core-metadata @@ -245,23 +262,23 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59881 - published: "59881" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true database: container_name: edgex-redis hostname: edgex-redis 
@@ -269,32 +286,36 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 6379 - published: "6379" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: db-data - target: /data - volume: {} + - type: volume + source: db-data + target: /data + volume: {} device-rest: container_name: edgex-device-rest depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-device-rest @@ -303,34 +324,38 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59986 - published: "59986" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59986 + published: "59986" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true device-virtual: container_name: edgex-device-virtual depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-device-virtual 
@@ -339,28 +364,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59900 - published: "59900" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59900 + published: "59900" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true rules-engine: container_name: edgex-kuiper depends_on: database: condition: service_started + required: true environment: CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis 
@@ -372,54 +398,58 @@ services: EDGEX__DEFAULT__TOPIC: edgex/rules-events EDGEX__DEFAULT__TYPE: redis KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "false" KUIPER__BASIC__RESTPORT: "59720" hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59720 - published: "59720" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: kuiper:kuiper volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: kuiper-data - target: /kuiper/data - volume: {} - - type: volume - source: kuiper-etc - target: /kuiper/etc - volume: {} - - type: volume - source: kuiper-log - target: /kuiper/log - volume: {} - - type: volume - source: kuiper-plugins - target: /kuiper/plugins - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} support-notifications: container_name: edgex-support-notifications depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-support-notifications 
@@ -428,32 +458,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59860 - published: "59860" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true support-scheduler: container_name: edgex-support-scheduler depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data @@ -464,23 +497,23 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59861 - published: "59861" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true ui: container_name: edgex-ui-go environment: 
@@ -491,22 +524,22 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 4000 - published: "4000" - protocol: tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true networks: edgex-network: name: edgex_edgex-network diff --git a/docker-compose-no-secty-with-app-sample.yml b/docker-compose-no-secty-with-app-sample.yml index fab03d3c..af704d8e 100644 --- a/docker-compose-no-secty-with-app-sample.yml +++ b/docker-compose-no-secty-with-app-sample.yml @@ -24,6 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: @@ -31,10 +32,13 @@ services: depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "false" 
@@ -44,32 +48,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59701 - published: "59701" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true app-sample: container_name: edgex-app-sample depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: CLIENTS_CORE_COMMAND_HOST: edgex-core-command CLIENTS_CORE_DATA_HOST: edgex-core-data 
@@ -82,67 +89,71 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59700 - published: "59700" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59700 + published: "59700" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true consul: command: - - agent - - -ui - - -bootstrap - - -server - - -client - - 0.0.0.0 + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 container_name: edgex-core-consul hostname: edgex-core-consul image: hashicorp/consul:1.16 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8500 - published: "8500" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: consul-config - target: /consul/config - volume: {} - - type: volume - source: consul-data - target: /consul/data - volume: {} + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} core-command: container_name: edgex-core-command depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 
@@ -152,28 +163,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59882 - published: "59882" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-common-config-bootstrapper: container_name: edgex-core-common-config-bootstrapper depends_on: consul: condition: service_started + required: true environment: ALL_SERVICES_DATABASE_HOST: edgex-redis ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis @@ -187,24 +199,27 @@ services: edgex-network: null read_only: true security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-data: container_name: edgex-core-data depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-core-data 
@@ -213,30 +228,32 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59880 - published: "59880" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-metadata: container_name: edgex-core-metadata depends_on: consul: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-core-metadata @@ -245,23 +262,23 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59881 - published: "59881" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true database: container_name: edgex-redis hostname: edgex-redis 
@@ -269,32 +286,36 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 6379 - published: "6379" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: db-data - target: /data - volume: {} + - type: volume + source: db-data + target: /data + volume: {} device-rest: container_name: edgex-device-rest depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-device-rest @@ -303,34 +324,38 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59986 - published: "59986" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59986 + published: "59986" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true device-virtual: container_name: edgex-device-virtual depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-device-virtual 
@@ -339,28 +364,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59900 - published: "59900" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59900 + published: "59900" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true rules-engine: container_name: edgex-kuiper depends_on: database: condition: service_started + required: true environment: CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis 
@@ -372,54 +398,58 @@ services: EDGEX__DEFAULT__TOPIC: edgex/rules-events EDGEX__DEFAULT__TYPE: redis KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "false" KUIPER__BASIC__RESTPORT: "59720" hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59720 - published: "59720" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: kuiper:kuiper volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: kuiper-data - target: /kuiper/data - volume: {} - - type: volume - source: kuiper-etc - target: /kuiper/etc - volume: {} - - type: volume - source: kuiper-log - target: /kuiper/log - volume: {} - - type: volume - source: kuiper-plugins - target: /kuiper/plugins - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} support-notifications: container_name: edgex-support-notifications depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-support-notifications 
@@ -428,32 +458,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59860 - published: "59860" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true support-scheduler: container_name: edgex-support-scheduler depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data @@ -464,23 +497,23 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59861 - published: "59861" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true ui: container_name: edgex-ui-go environment: 
@@ -491,22 +524,22 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 4000 - published: "4000" - protocol: tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true networks: edgex-network: name: edgex_edgex-network diff --git a/docker-compose-no-secty.yml b/docker-compose-no-secty.yml index 4c55776c..d6e3e261 100644 --- a/docker-compose-no-secty.yml +++ b/docker-compose-no-secty.yml @@ -24,6 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: @@ -31,10 +32,13 @@ services: depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "false" 
@@ -44,67 +48,71 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59701 - published: "59701" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true consul: command: - - agent - - -ui - - -bootstrap - - -server - - -client - - 0.0.0.0 + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 container_name: edgex-core-consul hostname: edgex-core-consul image: hashicorp/consul:1.16 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8500 - published: "8500" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: consul-config - target: /consul/config - volume: {} - - type: volume - source: consul-data - target: /consul/data - volume: {} + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} core-command: container_name: edgex-core-command depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 
@@ -114,28 +122,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59882 - published: "59882" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-common-config-bootstrapper: container_name: edgex-core-common-config-bootstrapper depends_on: consul: condition: service_started + required: true environment: ALL_SERVICES_DATABASE_HOST: edgex-redis ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis @@ -149,24 +158,27 @@ services: edgex-network: null read_only: true security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-data: container_name: edgex-core-data depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-core-data 
@@ -175,30 +187,32 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59880 - published: "59880" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true core-metadata: container_name: edgex-core-metadata depends_on: consul: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-core-metadata @@ -207,23 +221,23 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59881 - published: "59881" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true database: container_name: edgex-redis hostname: edgex-redis 
@@ -231,32 +245,36 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 6379 - published: "6379" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: db-data - target: /data - volume: {} + - type: volume + source: db-data + target: /data + volume: {} device-rest: container_name: edgex-device-rest depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-device-rest @@ -265,34 +283,38 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59986 - published: "59986" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59986 + published: "59986" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true device-virtual: container_name: edgex-device-virtual depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-device-virtual 
@@ -301,28 +323,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59900 - published: "59900" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59900 + published: "59900" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true rules-engine: container_name: edgex-kuiper depends_on: database: condition: service_started + required: true environment: CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis 
@@ -334,54 +357,58 @@ services: EDGEX__DEFAULT__TOPIC: edgex/rules-events EDGEX__DEFAULT__TYPE: redis KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "false" KUIPER__BASIC__RESTPORT: "59720" hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59720 - published: "59720" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: kuiper:kuiper volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: kuiper-data - target: /kuiper/data - volume: {} - - type: volume - source: kuiper-etc - target: /kuiper/etc - volume: {} - - type: volume - source: kuiper-log - target: /kuiper/log - volume: {} - - type: volume - source: kuiper-plugins - target: /kuiper/plugins - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} support-notifications: container_name: edgex-support-notifications depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" SERVICE_HOST: edgex-support-notifications 
@@ -390,32 +417,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59860 - published: "59860" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true support-scheduler: container_name: edgex-support-scheduler depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true environment: EDGEX_SECURITY_SECRET_STORE: "false" INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data @@ -426,23 +456,23 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59861 - published: "59861" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true ui: container_name: edgex-ui-go environment: 
@@ -453,22 +483,22 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 4000 - published: "4000" - protocol: tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true networks: edgex-network: name: edgex_edgex-network diff --git a/docker-compose-with-app-sample-arm64.yml b/docker-compose-with-app-sample-arm64.yml index 935a608e..26eadeec 100644 --- a/docker-compose-with-app-sample-arm64.yml +++ b/docker-compose-with-app-sample-arm64.yml @@ -24,25 +24,30 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: command: - - /app-service-configurable - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /app-service-configurable + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-app-rules-engine depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" 
@@ -67,52 +72,56 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59701 - published: "59701" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/app-rules-engine - target: /tmp/edgex/secrets/app-rules-engine - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/app-rules-engine + target: /tmp/edgex/secrets/app-rules-engine + read_only: true + bind: + selinux: z + create_host_path: true app-sample: command: - - /app-service-configurable - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /app-service-configurable + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-app-sample depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: CLIENTS_CORE_COMMAND_HOST: edgex-core-command CLIENTS_CORE_DATA_HOST: edgex-core-data 
@@ -140,51 +149,53 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59700 - published: "59700" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59700 + published: "59700" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/app-sample - target: /tmp/edgex/secrets/app-sample - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/app-sample + target: /tmp/edgex/secrets/app-sample + read_only: true + bind: + selinux: z + create_host_path: true consul: command: - - agent - - -ui - - -bootstrap - - -server - - -client - - 0.0.0.0 + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 container_name: edgex-core-consul depends_on: security-bootstrapper: condition: service_started + required: true vault: condition: service_started + required: true entrypoint: - - /edgex-init/consul_wait_install.sh + - /edgex-init/consul_wait_install.sh environment: EDGEX_ADD_REGISTRY_ACL_ROLES: app-sample EDGEX_GROUP: "2001" 
@@ -213,62 +224,68 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8500 - published: "8500" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: consul-config - target: /consul/config - volume: {} - - type: volume - source: consul-data - target: /consul/data - volume: {} - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: consul-acl-token - target: /tmp/edgex/secrets/consul-acl-token - volume: {} - - type: bind - source: /tmp/edgex/secrets/edgex-consul - target: /tmp/edgex/secrets/edgex-consul - read_only: true - bind: - selinux: z - create_host_path: true + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/edgex-consul + target: /tmp/edgex/secrets/edgex-consul + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + volume: {} core-command: command: - - /core-command - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-command + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-command depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: 
true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 
@@ -293,50 +310,53 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59882 - published: "59882" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-command - target: /tmp/edgex/secrets/core-command - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-command + target: /tmp/edgex/secrets/core-command + read_only: true + bind: + selinux: z + create_host_path: true core-common-config-bootstrapper: command: - - /entrypoint.sh - - /core-common-config-bootstrapper - - -cp=consul.http://edgex-core-consul:8500 + - /entrypoint.sh + - /core-common-config-bootstrapper + - -cp=consul.http://edgex-core-consul:8500 container_name: edgex-core-common-config-bootstrapper depends_on: consul: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: ALL_SERVICES_DATABASE_HOST: edgex-redis ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis 
@@ -365,46 +385,51 @@ services: edgex-network: null read_only: true security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-common-config-bootstrapper - target: /tmp/edgex/secrets/core-common-config-bootstrapper - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-common-config-bootstrapper + target: /tmp/edgex/secrets/core-common-config-bootstrapper + read_only: true + bind: + selinux: z + create_host_path: true core-data: command: - - /core-data - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-data + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-data depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -428,52 +453,56 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59880 - published: "59880" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-data - target: /tmp/edgex/secrets/core-data - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-data + target: /tmp/edgex/secrets/core-data + read_only: true + bind: + selinux: z + create_host_path: true core-metadata: command: - - /core-metadata - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-metadata + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-metadata depends_on: consul: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -497,44 +526,46 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59881 - published: "59881" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-metadata - target: /tmp/edgex/secrets/core-metadata - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-metadata + target: /tmp/edgex/secrets/core-metadata + read_only: true + bind: + selinux: z + create_host_path: true database: container_name: edgex-redis depends_on: security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/redis_wait_install.sh + - /edgex-init/redis_wait_install.sh environment: DATABASECONFIG_NAME: redis.conf DATABASECONFIG_PATH: /run/redis/conf 
@@ -559,58 +590,63 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 6379 - published: "6379" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /run + - /run user: root:root volumes: - - type: volume - source: db-data - target: /data - volume: {} - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: redis-config - target: /run/redis/conf - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-bootstrapper-redis - target: /tmp/edgex/secrets/security-bootstrapper-redis - read_only: true - bind: - selinux: z - create_host_path: true + - type: volume + source: db-data + target: /data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: redis-config + target: /run/redis/conf + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-bootstrapper-redis + target: /tmp/edgex/secrets/security-bootstrapper-redis + read_only: true + bind: + selinux: z + create_host_path: true device-rest: command: - - /device-rest - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /device-rest + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-device-rest depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -634,54 +670,59 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59986 - published: "59986" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59986 + published: "59986" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/device-rest - target: /tmp/edgex/secrets/device-rest - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-rest + target: /tmp/edgex/secrets/device-rest + read_only: true + bind: + selinux: z + create_host_path: true device-virtual: command: - - /device-virtual - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /device-virtual + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-device-virtual depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -705,48 +746,49 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59900 - published: "59900" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59900 + published: "59900" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/device-virtual - target: /tmp/edgex/secrets/device-virtual - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-virtual + target: /tmp/edgex/secrets/device-virtual + read_only: true + bind: + selinux: z + create_host_path: true nginx: command: - - /docker-entrypoint.sh - - nginx - - -g - - daemon off; + - /docker-entrypoint.sh + - nginx + - -g + - daemon off; container_name: edgex-nginx depends_on: security-secretstore-setup: condition: service_started + required: true entrypoint: - - /bin/sh - - /edgex-init/nginx_wait_install.sh + - /bin/sh + - /edgex-init/nginx_wait_install.sh environment: PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -767,44 +809,47 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 8443 - published: "8443" - protocol: tcp + - mode: ingress + target: 8443 + published: "8443" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /etc/nginx/conf.d - - /var/cache/nginx - - /var/log/nginx - - /var/run + - /etc/nginx/conf.d + - /var/cache/nginx + - /var/log/nginx + - /var/run volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: nginx-templates - target: /etc/nginx/templates - volume: {} - - type: volume - source: nginx-tls - target: /etc/ssl/nginx - volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} rules-engine: container_name: edgex-kuiper depends_on: database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/kuiper_wait_install.sh + - /edgex-init/kuiper_wait_install.sh environment: CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis @@ -816,6 +861,7 @@ services: EDGEX__DEFAULT__TOPIC: edgex/rules-events EDGEX__DEFAULT__TYPE: redis KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "false" KUIPER__BASIC__RESTPORT: "59720" PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -832,56 +878,56 @@ services: STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59720 - published: "59720" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: kuiper:kuiper volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: kuiper-data - target: /kuiper/data - volume: {} - - type: volume - source: kuiper-etc - target: /kuiper/etc - volume: {} - - type: volume - source: kuiper-connections - target: /kuiper/etc/connections - volume: {} - - type: volume - source: kuiper-sources - target: /kuiper/etc/sources - volume: {} - - type: volume - source: kuiper-log - target: /kuiper/log - volume: {} - - type: volume - source: kuiper-plugins - target: /kuiper/plugins - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} + - type: volume + source: kuiper-sources + target: /kuiper/etc/sources + volume: {} + - type: volume + source: kuiper-connections + target: /kuiper/etc/connections + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -908,34 +954,36 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + volume: {} security-proxy-auth: command: - - entrypoint.sh - - /security-proxy-auth - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - entrypoint.sh + - /security-proxy-auth + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-proxy-auth depends_on: core-common-config-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /bin/sh - - /edgex-init/ready_to_run_wait_install.sh + - /bin/sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
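Review bot: The rules-engine image moves from `lfedge/ekuiper:1.12-alpine` to `lfedge/ekuiper:v1.14.0-alpha.2`, a pre-release tag, in the compose variant that ships the full secret-store/TLS stack; alpha tags are routinely overwritten or removed upstream, so a later `make pull` may fetch different bits or fail outright, and nothing in the service definition (no `@sha256:` digest) would detect that. The tag also drops the `-alpine` suffix, so the base image presumably changes too; the hardening this service keeps (`read_only: true`, `user: kuiper:kuiper`, `no-new-privileges:true`) is unchanged in the hunk, but the larger base is worth confirming against the upstream release notes. Since this file is generated, the fix belongs in the compose-builder source (presumably the tag variable in compose-builder/.env): pin to a released tag once one exists, or pin the alpha by digest in the meantime, and state the pre-release status in README.md. The rest of the hunk reorders the kuiper volumes without changing any of them.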
@@ -959,43 +1007,45 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59842 - published: "59842" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59842 + published: "59842" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-proxy-auth - target: /tmp/edgex/secrets/security-proxy-auth - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-auth + target: /tmp/edgex/secrets/security-proxy-auth + read_only: true + bind: + selinux: z + create_host_path: true security-proxy-setup: container_name: edgex-security-proxy-setup depends_on: security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/proxy_setup_wait_install.sh + - /edgex-init/proxy_setup_wait_install.sh environment: EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986,app-sample.http://edgex-app-sample:59700 EDGEX_SECURITY_SECRET_STORE: "true" 
@@ -1030,51 +1080,53 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-config - target: /vault/config - volume: {} - - type: volume - source: nginx-templates - target: /etc/nginx/templates - volume: {} - - type: volume - source: nginx-tls - target: /etc/ssl/nginx - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-proxy-setup - target: /tmp/edgex/secrets/security-proxy-setup - read_only: true - bind: - selinux: z - create_host_path: true - - type: volume - source: consul-acl-token - target: /tmp/edgex/secrets/consul-acl-token - read_only: true - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-setup + target: /tmp/edgex/secrets/security-proxy-setup + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + read_only: true + volume: {} security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: security-bootstrapper: condition: service_started + required: true vault: condition: service_started + required: true environment: EDGEX_ADD_KNOWN_SECRETS: 
redisdb[app-rules-engine],redisdb[device-rest],message-bus[device-rest],redisdb[device-virtual],message-bus[device-virtual],redisdb[app-sample],message-bus[app-sample] EDGEX_ADD_SECRETSTORE_TOKENS: app-sample 
@@ -1104,60 +1156,65 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /run - - /vault + - /run + - /vault user: root:root volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets - target: /tmp/edgex/secrets - bind: - selinux: z - create_host_path: true - - type: volume - source: kuiper-sources - target: /tmp/kuiper - volume: {} - - type: volume - source: kuiper-connections - target: /tmp/kuiper-connections - volume: {} - - type: volume - source: vault-config - target: /vault/config - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: bind + source: /tmp/edgex/secrets + target: /tmp/edgex/secrets + bind: + selinux: z + create_host_path: true + - type: volume + source: kuiper-sources + target: /tmp/kuiper + volume: {} + - type: volume + source: kuiper-connections + target: /tmp/kuiper-connections + volume: {} support-notifications: command: - - /support-notifications - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /support-notifications + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-support-notifications depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - 
/edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -1181,54 +1238,59 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59860 - published: "59860" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/support-notifications - target: /tmp/edgex/secrets/support-notifications - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-notifications + target: /tmp/edgex/secrets/support-notifications + read_only: true + bind: + selinux: z + create_host_path: true support-scheduler: command: - - /support-scheduler - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /support-scheduler + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-support-scheduler depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data 
@@ -1254,35 +1316,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59861 - published: "59861" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/support-scheduler - target: /tmp/edgex/secrets/support-scheduler - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-scheduler + target: /tmp/edgex/secrets/support-scheduler + read_only: true + bind: + selinux: z + create_host_path: true ui: container_name: edgex-ui-go environment: 
@@ -1293,33 +1355,34 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 4000 - published: "4000" - protocol: tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true vault: cap_add: - - IPC_LOCK + - IPC_LOCK command: - - server + - server container_name: edgex-vault depends_on: security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/vault_wait_install.sh + - /edgex-init/vault_wait_install.sh environment: PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper @@ -1343,29 +1406,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp restart: always tmpfs: - - /vault/config + - /vault/config user: root:root volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-file + target: /vault/file + volume: {} + - type: volume + source: vault-logs + target: /vault/logs + volume: {} networks: edgex-network: name: edgex_edgex-network diff --git a/docker-compose-with-app-sample.yml b/docker-compose-with-app-sample.yml index 42c1dc04..60f65e71 100644 --- a/docker-compose-with-app-sample.yml 
+++ b/docker-compose-with-app-sample.yml @@ -24,25 +24,30 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: command: - - /app-service-configurable - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /app-service-configurable + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-app-rules-engine depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" 
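Review bot: Every `depends_on` entry in this hunk, and in the other regenerated hunks of this file and its arm64 sibling, now carries `required: true`, which as far as I recall is a Compose-spec attribute that older `docker compose` releases reject as an unknown property rather than ignore, so the regenerated files raise the minimum Compose version without saying so. The new `# Generated with: Docker Compose version v2.25.0` header records the generator version, not the floor a consumer needs. Suggest the compose-builder header template also state that floor, e.g. `# Requires Docker Compose v2.20 or later (depends_on.required) — verify exact version`, and that README.md repeat it next to the existing "compose V2 only" statement. The remaining changes in the hunk are indentation only.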
@@ -67,52 +72,56 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59701 - published: "59701" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/app-rules-engine - target: /tmp/edgex/secrets/app-rules-engine - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/app-rules-engine + target: /tmp/edgex/secrets/app-rules-engine + read_only: true + bind: + selinux: z + create_host_path: true app-sample: command: - - /app-service-configurable - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /app-service-configurable + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-app-sample depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: CLIENTS_CORE_COMMAND_HOST: edgex-core-command CLIENTS_CORE_DATA_HOST: edgex-core-data 
@@ -140,51 +149,53 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59700 - published: "59700" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59700 + published: "59700" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/app-sample - target: /tmp/edgex/secrets/app-sample - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/app-sample + target: /tmp/edgex/secrets/app-sample + read_only: true + bind: + selinux: z + create_host_path: true consul: command: - - agent - - -ui - - -bootstrap - - -server - - -client - - 0.0.0.0 + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 container_name: edgex-core-consul depends_on: security-bootstrapper: condition: service_started + required: true vault: condition: service_started + required: true entrypoint: - - /edgex-init/consul_wait_install.sh + - /edgex-init/consul_wait_install.sh environment: EDGEX_ADD_REGISTRY_ACL_ROLES: app-sample EDGEX_GROUP: "2001" 
@@ -213,62 +224,68 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8500 - published: "8500" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: consul-config - target: /consul/config - volume: {} - - type: volume - source: consul-data - target: /consul/data - volume: {} - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: consul-acl-token - target: /tmp/edgex/secrets/consul-acl-token - volume: {} - - type: bind - source: /tmp/edgex/secrets/edgex-consul - target: /tmp/edgex/secrets/edgex-consul - read_only: true - bind: - selinux: z - create_host_path: true + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/edgex-consul + target: /tmp/edgex/secrets/edgex-consul + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + volume: {} core-command: command: - - /core-command - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-command + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-command depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: 
true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 
@@ -293,50 +310,53 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59882 - published: "59882" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-command - target: /tmp/edgex/secrets/core-command - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-command + target: /tmp/edgex/secrets/core-command + read_only: true + bind: + selinux: z + create_host_path: true core-common-config-bootstrapper: command: - - /entrypoint.sh - - /core-common-config-bootstrapper - - -cp=consul.http://edgex-core-consul:8500 + - /entrypoint.sh + - /core-common-config-bootstrapper + - -cp=consul.http://edgex-core-consul:8500 container_name: edgex-core-common-config-bootstrapper depends_on: consul: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: ALL_SERVICES_DATABASE_HOST: edgex-redis ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis 
@@ -365,46 +385,51 @@ services: edgex-network: null read_only: true security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-common-config-bootstrapper - target: /tmp/edgex/secrets/core-common-config-bootstrapper - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-common-config-bootstrapper + target: /tmp/edgex/secrets/core-common-config-bootstrapper + read_only: true + bind: + selinux: z + create_host_path: true core-data: command: - - /core-data - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-data + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-data depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -428,52 +453,56 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59880 - published: "59880" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-data - target: /tmp/edgex/secrets/core-data - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-data + target: /tmp/edgex/secrets/core-data + read_only: true + bind: + selinux: z + create_host_path: true core-metadata: command: - - /core-metadata - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-metadata + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-metadata depends_on: consul: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -497,44 +526,46 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59881 - published: "59881" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-metadata - target: /tmp/edgex/secrets/core-metadata - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-metadata + target: /tmp/edgex/secrets/core-metadata + read_only: true + bind: + selinux: z + create_host_path: true database: container_name: edgex-redis depends_on: security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/redis_wait_install.sh + - /edgex-init/redis_wait_install.sh environment: DATABASECONFIG_NAME: redis.conf DATABASECONFIG_PATH: /run/redis/conf 
@@ -559,58 +590,63 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 6379 - published: "6379" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /run + - /run user: root:root volumes: - - type: volume - source: db-data - target: /data - volume: {} - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: redis-config - target: /run/redis/conf - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-bootstrapper-redis - target: /tmp/edgex/secrets/security-bootstrapper-redis - read_only: true - bind: - selinux: z - create_host_path: true + - type: volume + source: db-data + target: /data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: redis-config + target: /run/redis/conf + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-bootstrapper-redis + target: /tmp/edgex/secrets/security-bootstrapper-redis + read_only: true + bind: + selinux: z + create_host_path: true device-rest: command: - - /device-rest - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /device-rest + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-device-rest depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -634,54 +670,59 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59986 - published: "59986" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59986 + published: "59986" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/device-rest - target: /tmp/edgex/secrets/device-rest - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-rest + target: /tmp/edgex/secrets/device-rest + read_only: true + bind: + selinux: z + create_host_path: true device-virtual: command: - - /device-virtual - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /device-virtual + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-device-virtual depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -705,48 +746,49 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59900 - published: "59900" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59900 + published: "59900" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/device-virtual - target: /tmp/edgex/secrets/device-virtual - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-virtual + target: /tmp/edgex/secrets/device-virtual + read_only: true + bind: + selinux: z + create_host_path: true nginx: command: - - /docker-entrypoint.sh - - nginx - - -g - - daemon off; + - /docker-entrypoint.sh + - nginx + - -g + - daemon off; container_name: edgex-nginx depends_on: security-secretstore-setup: condition: service_started + required: true entrypoint: - - /bin/sh - - /edgex-init/nginx_wait_install.sh + - /bin/sh + - /edgex-init/nginx_wait_install.sh environment: PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -767,44 +809,47 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 8443 - published: "8443" - protocol: tcp + - mode: ingress + target: 8443 + published: "8443" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /etc/nginx/conf.d - - /var/cache/nginx - - /var/log/nginx - - /var/run + - /etc/nginx/conf.d + - /var/cache/nginx + - /var/log/nginx + - /var/run volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: nginx-templates - target: /etc/nginx/templates - volume: {} - - type: volume - source: nginx-tls - target: /etc/ssl/nginx - volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} rules-engine: container_name: edgex-kuiper depends_on: database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/kuiper_wait_install.sh + - /edgex-init/kuiper_wait_install.sh environment: CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis @@ -816,6 +861,7 @@ services: EDGEX__DEFAULT__TOPIC: edgex/rules-events EDGEX__DEFAULT__TYPE: redis KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "false" KUIPER__BASIC__RESTPORT: "59720" PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -832,56 +878,56 @@ services: STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59720 - published: "59720" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: kuiper:kuiper volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: kuiper-data - target: /kuiper/data - volume: {} - - type: volume - source: kuiper-etc - target: /kuiper/etc - volume: {} - - type: volume - source: kuiper-connections - target: /kuiper/etc/connections - volume: {} - - type: volume - source: kuiper-sources - target: /kuiper/etc/sources - volume: {} - - type: volume - source: kuiper-log - target: /kuiper/log - volume: {} - - type: volume - source: kuiper-plugins - target: /kuiper/plugins - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} + - type: volume + source: kuiper-sources + target: /kuiper/etc/sources + volume: {} + - type: volume + source: kuiper-connections + target: /kuiper/etc/connections + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -908,34 +954,36 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + volume: {} security-proxy-auth: command: - - entrypoint.sh - - /security-proxy-auth - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - entrypoint.sh + - /security-proxy-auth + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-proxy-auth depends_on: core-common-config-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /bin/sh - - /edgex-init/ready_to_run_wait_install.sh + - /bin/sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -959,43 +1007,45 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59842 - published: "59842" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59842 + published: "59842" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-proxy-auth - target: /tmp/edgex/secrets/security-proxy-auth - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-auth + target: /tmp/edgex/secrets/security-proxy-auth + read_only: true + bind: + selinux: z + create_host_path: true security-proxy-setup: container_name: edgex-security-proxy-setup depends_on: security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/proxy_setup_wait_install.sh + - /edgex-init/proxy_setup_wait_install.sh environment: EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986,app-sample.http://edgex-app-sample:59700 EDGEX_SECURITY_SECRET_STORE: "true" 
@@ -1030,51 +1080,53 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-config - target: /vault/config - volume: {} - - type: volume - source: nginx-templates - target: /etc/nginx/templates - volume: {} - - type: volume - source: nginx-tls - target: /etc/ssl/nginx - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-proxy-setup - target: /tmp/edgex/secrets/security-proxy-setup - read_only: true - bind: - selinux: z - create_host_path: true - - type: volume - source: consul-acl-token - target: /tmp/edgex/secrets/consul-acl-token - read_only: true - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-setup + target: /tmp/edgex/secrets/security-proxy-setup + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + read_only: true + volume: {} security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: security-bootstrapper: condition: service_started + required: true vault: condition: service_started + required: true environment: EDGEX_ADD_KNOWN_SECRETS: 
redisdb[app-rules-engine],redisdb[device-rest],message-bus[device-rest],redisdb[device-virtual],message-bus[device-virtual],redisdb[app-sample],message-bus[app-sample] EDGEX_ADD_SECRETSTORE_TOKENS: app-sample 
@@ -1104,60 +1156,65 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /run - - /vault + - /run + - /vault user: root:root volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets - target: /tmp/edgex/secrets - bind: - selinux: z - create_host_path: true - - type: volume - source: kuiper-sources - target: /tmp/kuiper - volume: {} - - type: volume - source: kuiper-connections - target: /tmp/kuiper-connections - volume: {} - - type: volume - source: vault-config - target: /vault/config - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: bind + source: /tmp/edgex/secrets + target: /tmp/edgex/secrets + bind: + selinux: z + create_host_path: true + - type: volume + source: kuiper-sources + target: /tmp/kuiper + volume: {} + - type: volume + source: kuiper-connections + target: /tmp/kuiper-connections + volume: {} support-notifications: command: - - /support-notifications - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /support-notifications + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-support-notifications depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - 
/edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -1181,54 +1238,59 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59860 - published: "59860" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/support-notifications - target: /tmp/edgex/secrets/support-notifications - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-notifications + target: /tmp/edgex/secrets/support-notifications + read_only: true + bind: + selinux: z + create_host_path: true support-scheduler: command: - - /support-scheduler - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /support-scheduler + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-support-scheduler depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data 
@@ -1254,35 +1316,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59861 - published: "59861" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/support-scheduler - target: /tmp/edgex/secrets/support-scheduler - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-scheduler + target: /tmp/edgex/secrets/support-scheduler + read_only: true + bind: + selinux: z + create_host_path: true ui: container_name: edgex-ui-go environment: 
@@ -1293,33 +1355,34 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 4000 - published: "4000" - protocol: tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true vault: cap_add: - - IPC_LOCK + - IPC_LOCK command: - - server + - server container_name: edgex-vault depends_on: security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/vault_wait_install.sh + - /edgex-init/vault_wait_install.sh environment: PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper @@ -1343,29 +1406,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp restart: always tmpfs: - - /vault/config + - /vault/config user: root:root volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-file + target: /vault/file + volume: {} + - type: volume + source: vault-logs + target: /vault/logs + volume: {} networks: edgex-network: name: edgex_edgex-network diff --git a/docker-compose-zero-trust-arm64.yml b/docker-compose-zero-trust-arm64.yml new file mode 100644 index 00000000..af3459a8 --- /dev/null +++ b/docker-compose-zero-trust-arm64.yml 
@@ -0,0 +1,1211 @@ +# * Copyright 2024 Intel Corporation. +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# * in compliance with the License. You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software distributed under the License +# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# * or implied. See the License for the specific language governing permissions and limitations under +# * the License. +# * +# * EdgeX Foundry, Odessa WIP release +# *******************************************************************************/ +# +# +# +# ************************ This is a generated compose file **************************** +# +# DO NOT MAKE CHANGES that are intended to be permanent to EdgeX edgex-compose repo. +# +# Permanent changes can be made to the source compose files located in the compose-builder folder +# at the top level of the edgex-compose repo. 
+# +# From the compose-builder folder use `make build` to regenerate all standard compose files variations +# +# Generated with: Docker Compose version v2.25.0 +name: edgex +services: + app-rules-engine: + command: + - /app-service-configurable + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-app-rules-engine + depends_on: + consul: + condition: service_started + required: true + core-common-config-bootstrapper: + condition: service_started + required: true + core-metadata: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_PROFILE: rules-engine + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: app-rules-engine.edgex.ziti + SERVICE_PORT: "80" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-app-rules-engine + image: nexus3.edgexfoundry.org:10004/app-service-configurable-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: 
/tmp/edgex/secrets/app-rules-engine + target: /tmp/edgex/secrets/app-rules-engine + read_only: true + bind: + selinux: z + create_host_path: true + consul: + command: + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 + container_name: edgex-core-consul + depends_on: + security-bootstrapper: + condition: service_started + required: true + vault: + condition: service_started + required: true + entrypoint: + - /edgex-init/consul_wait_install.sh + environment: + EDGEX_ADD_REGISTRY_ACL_ROLES: "" + EDGEX_GROUP: "2001" + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: "2002" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json + STAGEGATE_REGISTRY_ACL_MANAGEMENTTOKENPATH: /tmp/edgex/secrets/consul-acl-token/mgmt_token.json + STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-consul + image: hashicorp/consul:1.16 + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root + volumes: + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} + - type: volume + 
source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/edgex-consul + target: /tmp/edgex/secrets/edgex-consul + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + volume: {} + core-command: + command: + - /core-command + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-core-command + depends_on: + consul: + condition: service_started + required: true + core-common-config-bootstrapper: + condition: service_started + required: true + core-metadata: + condition: service_started + required: true + database: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + security-secretstore-setup: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + CLIENTS_CORE_METADATA_HOST: core-metadata.edgex.ziti + CLIENTS_CORE_METADATA_PORT: "80" + CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: zerotrust + EDGEX_SECURITY_SECRET_STORE: "true" + EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: core-command.edgex.ziti + SERVICE_PORT: "80" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-command + image: 
nexus3.edgexfoundry.org:10004/core-command-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-command + target: /tmp/edgex/secrets/core-command + read_only: true + bind: + selinux: z + create_host_path: true + core-common-config-bootstrapper: + command: + - /entrypoint.sh + - /core-common-config-bootstrapper + - -cp=consul.http://edgex-core-consul:8500 + container_name: edgex-core-common-config-bootstrapper + depends_on: + consul: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + security-secretstore-setup: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + ALL_SERVICES_DATABASE_HOST: edgex-redis + ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis + ALL_SERVICES_REGISTRY_HOST: edgex-core-consul + ALL_SERVICES_SERVICE_SECURITYOPTIONS_MODE: zerotrust + APP_SERVICES_CLIENTS_CORE_METADATA_HOST: core-metadata.edgex.ziti + APP_SERVICES_CLIENTS_CORE_METADATA_PORT: "80" + APP_SERVICES_CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: zerotrust + DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: core-metadata.edgex.ziti + DEVICE_SERVICES_CLIENTS_CORE_METADATA_PORT: "80" + DEVICE_SERVICES_CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: zerotrust + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: 
"54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-common-config-bootstrapper + image: nexus3.edgexfoundry.org:10004/core-common-config-bootstrapper-arm64:latest + networks: + edgex-network: null + read_only: true + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-common-config-bootstrapper + target: /tmp/edgex/secrets/core-common-config-bootstrapper + read_only: true + bind: + selinux: z + create_host_path: true + core-data: + command: + - /core-data + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-core-data + depends_on: + consul: + condition: service_started + required: true + core-common-config-bootstrapper: + condition: service_started + required: true + database: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + security-secretstore-setup: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: core-data.edgex.ziti + SERVICE_PORT: "80" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + 
STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-data + image: nexus3.edgexfoundry.org:10004/core-data-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-data + target: /tmp/edgex/secrets/core-data + read_only: true + bind: + selinux: z + create_host_path: true + core-metadata: + command: + - /core-metadata + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-core-metadata + depends_on: + consul: + condition: service_started + required: true + database: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + security-secretstore-setup: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: core-metadata.edgex.ziti + SERVICE_PORT: "80" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + 
STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-metadata + image: nexus3.edgexfoundry.org:10004/core-metadata-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-metadata + target: /tmp/edgex/secrets/core-metadata + read_only: true + bind: + selinux: z + create_host_path: true + database: + container_name: edgex-redis + depends_on: + security-bootstrapper: + condition: service_started + required: true + security-secretstore-setup: + condition: service_started + required: true + entrypoint: + - /edgex-init/redis_wait_install.sh + environment: + DATABASECONFIG_NAME: redis.conf + DATABASECONFIG_PATH: /run/redis/conf + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-redis + image: redis:7.0-alpine + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp + read_only: true + 
restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - type: volume + source: db-data + target: /data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: redis-config + target: /run/redis/conf + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-bootstrapper-redis + target: /tmp/edgex/secrets/security-bootstrapper-redis + read_only: true + bind: + selinux: z + create_host_path: true + device-rest: + command: + - /device-rest + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-device-rest + depends_on: + consul: + condition: service_started + required: true + core-common-config-bootstrapper: + condition: service_started + required: true + core-data: + condition: service_started + required: true + core-metadata: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: device-rest.edgex.ziti + SERVICE_PORT: "80" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-device-rest + image: nexus3.edgexfoundry.org:10004/device-rest-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always 
+ security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-rest + target: /tmp/edgex/secrets/device-rest + read_only: true + bind: + selinux: z + create_host_path: true + device-virtual: + command: + - /device-virtual + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-device-virtual + depends_on: + consul: + condition: service_started + required: true + core-common-config-bootstrapper: + condition: service_started + required: true + core-data: + condition: service_started + required: true + core-metadata: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: device-virtual.edgex.ziti + SERVICE_PORT: "80" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-device-virtual + image: nexus3.edgexfoundry.org:10004/device-virtual-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + 
- type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-virtual + target: /tmp/edgex/secrets/device-virtual + read_only: true + bind: + selinux: z + create_host_path: true + rules-engine: + container_name: edgex-kuiper + depends_on: + database: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + security-secretstore-setup: + condition: service_started + required: true + entrypoint: + - /edgex-init/kuiper_wait_install.sh + environment: + CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" + CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis + CONNECTION__EDGEX__REDISMSGBUS__SERVER: edgex-redis + CONNECTION__EDGEX__REDISMSGBUS__TYPE: redis + EDGEX__DEFAULT__PORT: "6379" + EDGEX__DEFAULT__PROTOCOL: redis + EDGEX__DEFAULT__SERVER: edgex-redis + EDGEX__DEFAULT__TOPIC: edgex/rules-events + EDGEX__DEFAULT__TYPE: redis + EDGEX_CREDENTIAL_NAME: rules-engine + EDGEX_CREDENTIALS: /tmp/edgex/secrets/rules-engine/secrets-token.json + KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "true" + KUIPER__BASIC__RESTPORT: "59720" + OPENZITI_CONTROLLER: openziti:1280 + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kuiper + image: 
lfedge/ekuiper:v1.14.0-alpha.2 + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: kuiper:kuiper + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} + - type: volume + source: kuiper-sources + target: /kuiper/etc/sources + volume: {} + - type: volume + source: kuiper-connections + target: /kuiper/etc/connections + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + volume: {} + - type: bind + source: /tmp/edgex/secrets/rules-engine + target: /tmp/edgex/secrets/rules-engine + read_only: true + bind: + selinux: z + create_host_path: true + security-bootstrapper: + container_name: edgex-security-bootstrapper + environment: + EDGEX_GROUP: "2001" + EDGEX_USER: "2002" + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-bootstrapper + image: nexus3.edgexfoundry.org:10004/security-bootstrapper-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root 
+ volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + volume: {} + security-secretstore-setup: + container_name: edgex-security-secretstore-setup + depends_on: + security-bootstrapper: + condition: service_started + required: true + vault: + condition: service_started + required: true + environment: + EDGEX_ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-rest],message-bus[device-rest],redisdb[device-virtual],message-bus[device-virtual] + EDGEX_ADD_SECRETSTORE_TOKENS: "" + EDGEX_GROUP: "2001" + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: "2002" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECUREMESSAGEBUS_TYPE: redis + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-secretstore-setup + image: nexus3.edgexfoundry.org:10004/security-secretstore-setup-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + - /vault + user: root:root + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: bind + source: 
/tmp/edgex/secrets + target: /tmp/edgex/secrets + bind: + selinux: z + create_host_path: true + - type: volume + source: kuiper-sources + target: /tmp/kuiper + volume: {} + - type: volume + source: kuiper-connections + target: /tmp/kuiper-connections + volume: {} + support-notifications: + command: + - /support-notifications + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-support-notifications + depends_on: + consul: + condition: service_started + required: true + core-common-config-bootstrapper: + condition: service_started + required: true + database: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + security-secretstore-setup: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: support-notifications.edgex.ziti + SERVICE_PORT: "80" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-support-notifications + image: nexus3.edgexfoundry.org:10004/support-notifications-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - 
type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-notifications + target: /tmp/edgex/secrets/support-notifications + read_only: true + bind: + selinux: z + create_host_path: true + support-scheduler: + command: + - /support-scheduler + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-support-scheduler + depends_on: + consul: + condition: service_started + required: true + core-common-config-bootstrapper: + condition: service_started + required: true + database: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + security-secretstore-setup: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data + INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: support-scheduler.edgex.ziti + SERVICE_PORT: "80" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-support-scheduler + image: nexus3.edgexfoundry.org:10004/support-scheduler-arm64:latest + networks: + edgex-network: null + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + 
target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-scheduler + target: /tmp/edgex/secrets/support-scheduler + read_only: true + bind: + selinux: z + create_host_path: true + ui: + command: + - ./edgex-ui-server + - --configDir=res/docker + container_name: edgex-ui-go + depends_on: + consul: + condition: service_started + required: true + core-common-config-bootstrapper: + condition: service_started + required: true + core-metadata: + condition: service_started + required: true + security-bootstrapper: + condition: service_started + required: true + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + CLIENTS_CORE_COMMAND_HOST: core-command.edgex.ziti + CLIENTS_CORE_COMMAND_PORT: "80" + CLIENTS_CORE_COMMAND_SECURITYOPTIONS_MODE: zerotrust + CLIENTS_CORE_DATA_HOST: core-data.edgex.ziti + CLIENTS_CORE_DATA_PORT: "80" + CLIENTS_CORE_DATA_SECURITYOPTIONS_MODE: zerotrust + CLIENTS_CORE_METADATA_HOST: core-metadata.edgex.ziti + CLIENTS_CORE_METADATA_PORT: "80" + CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: zerotrust + CLIENTS_RULES_ENGINE_HOST: rules-engine.edgex.ziti + CLIENTS_RULES_ENGINE_PORT: "80" + CLIENTS_RULES_ENGINE_SECURITYOPTIONS_MODE: zerotrust + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: support-notifications.edgex.ziti + CLIENTS_SUPPORT_NOTIFICATIONS_PORT: "80" + CLIENTS_SUPPORT_NOTIFICATIONS_SECURITYOPTIONS_MODE: zerotrust + CLIENTS_SUPPORT_SCHEDULER_HOST: support-scheduler.edgex.ziti + CLIENTS_SUPPORT_SCHEDULER_PORT: "80" + CLIENTS_SUPPORT_SCHEDULER_SECURITYOPTIONS_MODE: zerotrust + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: edgex-ui-go + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + 
STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + VAULT_ADDR: http://edgex-vault:8200 + hostname: edgex-ui-go + image: nexus3.edgexfoundry.org:10004/edgex-ui-arm64:latest + networks: + edgex-network: null + ports: + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + volume: {} + - type: bind + source: /tmp/edgex/secrets/ui + target: /tmp/edgex/secrets/ui + read_only: true + bind: + selinux: z + create_host_path: true + vault: + cap_add: + - IPC_LOCK + command: + - server + container_name: edgex-vault + depends_on: + security-bootstrapper: + condition: service_started + required: true + entrypoint: + - /edgex-init/vault_wait_install.sh + environment: + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + VAULT_ADDR: http://edgex-vault:8200 + 
VAULT_CONFIG_DIR: /vault/config + VAULT_UI: "true" + hostname: edgex-vault + image: hashicorp/vault:1.14 + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /vault/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-file + target: /vault/file + volume: {} + - type: volume + source: vault-logs + target: /vault/logs + volume: {} +networks: + edgex-network: + name: edgex_edgex-network + driver: bridge +volumes: + consul-acl-token: + name: edgex_consul-acl-token + consul-config: + name: edgex_consul-config + consul-data: + name: edgex_consul-data + db-data: + name: edgex_db-data + edgex-init: + name: edgex_edgex-init + kuiper-connections: + name: edgex_kuiper-connections + kuiper-data: + name: edgex_kuiper-data + kuiper-etc: + name: edgex_kuiper-etc + kuiper-log: + name: edgex_kuiper-log + kuiper-plugins: + name: edgex_kuiper-plugins + kuiper-sources: + name: edgex_kuiper-sources + redis-config: + name: edgex_redis-config + vault-config: + name: edgex_vault-config + vault-file: + name: edgex_vault-file + vault-logs: + name: edgex_vault-logs diff --git a/docker-compose-zero-trust.yml b/docker-compose-zero-trust.yml index 6821917f..06f830bf 100644 --- a/docker-compose-zero-trust.yml +++ b/docker-compose-zero-trust.yml 
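Review bot: The `edgex-init` volume is mounted without `read_only: true` into `rules-engine` and `ui` in this new file, while every other consumer of that volume in it (app-rules-engine, consul, the core-* services, database, device-*, support-*, security-secretstore-setup, vault) mounts it read-only, and only `security-bootstrapper`, which presumably populates it, has a writable mount. Both services run as unprivileged users (`kuiper:kuiper`, `2002:2001`), so whether they can actually modify the shared entrypoint scripts depends on the volume's permissions, which this file does not show; a read-only mount removes that question and keeps `/edgex-init` tamper-proof from those containers. Since the file is generated, the fix belongs in the compose-builder sources it is rendered from, and the rendered result would simply carry `read_only: true` under both `edgex-init` entries, matching the other services. The same `rules-engine` service also pins `lfedge/ekuiper:v1.14.0-alpha.2`, a pre-release tag, and the image hunk in docker-compose-zero-trust.yml below makes the same bump; a comment in the builder source on when this moves to a tagged release would help anyone deploying the zero-trust variant.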
@@ -1,3 +1,30 @@ +# * Copyright 2024 Intel Corporation. +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# * in compliance with the License. You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software distributed under the License +# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# * or implied. See the License for the specific language governing permissions and limitations under +# * the License. +# * +# * EdgeX Foundry, Odessa WIP release +# *******************************************************************************/ +# +# +# +# ************************ This is a generated compose file **************************** +# +# DO NOT MAKE CHANGES that are intended to be permanent to EdgeX edgex-compose repo. +# +# Permanent changes can be made to the source compose files located in the compose-builder folder +# at the top level of the edgex-compose repo. +# +# From the compose-builder folder use `make build` to regenerate all standard compose files variations +# +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: @@ -676,6 +703,7 @@ services: EDGEX_CREDENTIAL_NAME: rules-engine EDGEX_CREDENTIALS: /tmp/edgex/secrets/rules-engine/secrets-token.json KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "true" KUIPER__BASIC__RESTPORT: "59720" OPENZITI_CONTROLLER: openziti:1280 PROXY_SETUP_HOST: edgex-security-proxy-setup @@ -693,7 +721,7 @@ services: STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null read_only: true diff --git a/docker-compose.yml b/docker-compose.yml index de9e5bcb..1ae58cd1 100644 --- a/docker-compose.yml 
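Review bot: The rules-engine image in the `@@ -693,7 +721,7 @@` hunk moves to `lfedge/ekuiper:v1.14.0-alpha.2`, a mutable pre-release tag with no digest, and the same bump appears in docker-compose.yml (`@@ -759,56 +801,56 @@`), where `KUIPER__BASIC__ENABLEOPENZITI` is set to "false", so the default deployment now pulls an alpha rules engine even when the OpenZiti integration it was bumped for is switched off. A tag can be re-pushed upstream, so what gets deployed is not reproducible from this file; pinning by digest closes that, e.g. `image: lfedge/ekuiper:v1.14.0-alpha.2@sha256:<DIGEST-PLACEHOLDER>` with the digest taken from the registry at the time of the bump. Because the banner added in the first hunk marks this file as generated, the change belongs in the compose-builder source, which is not in this diff, and it is worth stating in the PR description whether the non-zero-trust variants are meant to stay on the alpha tag or return to a released one.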
+++ b/docker-compose.yml @@ -24,25 +24,30 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # +# Generated with: Docker Compose version v2.25.0 name: edgex services: app-rules-engine: command: - - /app-service-configurable - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /app-service-configurable + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-app-rules-engine depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" 
@@ -67,51 +72,53 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59701 - published: "59701" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/app-rules-engine - target: /tmp/edgex/secrets/app-rules-engine - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/app-rules-engine + target: /tmp/edgex/secrets/app-rules-engine + read_only: true + bind: + selinux: z + create_host_path: true consul: command: - - agent - - -ui - - -bootstrap - - -server - - -client - - 0.0.0.0 + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 container_name: edgex-core-consul depends_on: security-bootstrapper: condition: service_started + required: true vault: condition: service_started + required: true entrypoint: - - /edgex-init/consul_wait_install.sh + - /edgex-init/consul_wait_install.sh environment: EDGEX_ADD_REGISTRY_ACL_ROLES: "" EDGEX_GROUP: "2001" 
@@ -140,62 +147,68 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8500 - published: "8500" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: volume - source: consul-config - target: /consul/config - volume: {} - - type: volume - source: consul-data - target: /consul/data - volume: {} - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: consul-acl-token - target: /tmp/edgex/secrets/consul-acl-token - volume: {} - - type: bind - source: /tmp/edgex/secrets/edgex-consul - target: /tmp/edgex/secrets/edgex-consul - read_only: true - bind: - selinux: z - create_host_path: true + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/edgex-consul + target: /tmp/edgex/secrets/edgex-consul + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + volume: {} core-command: command: - - /core-command - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-command + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-command depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-metadata: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: 
true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 
@@ -220,50 +233,53 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59882 - published: "59882" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-command - target: /tmp/edgex/secrets/core-command - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-command + target: /tmp/edgex/secrets/core-command + read_only: true + bind: + selinux: z + create_host_path: true core-common-config-bootstrapper: command: - - /entrypoint.sh - - /core-common-config-bootstrapper - - -cp=consul.http://edgex-core-consul:8500 + - /entrypoint.sh + - /core-common-config-bootstrapper + - -cp=consul.http://edgex-core-consul:8500 container_name: edgex-core-common-config-bootstrapper depends_on: consul: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: ALL_SERVICES_DATABASE_HOST: edgex-redis ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis 
@@ -292,46 +308,51 @@ services: edgex-network: null read_only: true security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-common-config-bootstrapper - target: /tmp/edgex/secrets/core-common-config-bootstrapper - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-common-config-bootstrapper + target: /tmp/edgex/secrets/core-common-config-bootstrapper + read_only: true + bind: + selinux: z + create_host_path: true core-data: command: - - /core-data - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-data + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-data depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -355,52 +376,56 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59880 - published: "59880" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-data - target: /tmp/edgex/secrets/core-data - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-data + target: /tmp/edgex/secrets/core-data + read_only: true + bind: + selinux: z + create_host_path: true core-metadata: command: - - /core-metadata - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /core-metadata + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-metadata depends_on: consul: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -424,44 +449,46 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59881 - published: "59881" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/core-metadata - target: /tmp/edgex/secrets/core-metadata - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-metadata + target: /tmp/edgex/secrets/core-metadata + read_only: true + bind: + selinux: z + create_host_path: true database: container_name: edgex-redis depends_on: security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/redis_wait_install.sh + - /edgex-init/redis_wait_install.sh environment: DATABASECONFIG_NAME: redis.conf DATABASECONFIG_PATH: /run/redis/conf 
@@ -486,58 +513,63 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 6379 - published: "6379" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /run + - /run user: root:root volumes: - - type: volume - source: db-data - target: /data - volume: {} - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: redis-config - target: /run/redis/conf - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-bootstrapper-redis - target: /tmp/edgex/secrets/security-bootstrapper-redis - read_only: true - bind: - selinux: z - create_host_path: true + - type: volume + source: db-data + target: /data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: redis-config + target: /run/redis/conf + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-bootstrapper-redis + target: /tmp/edgex/secrets/security-bootstrapper-redis + read_only: true + bind: + selinux: z + create_host_path: true device-rest: command: - - /device-rest - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /device-rest + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-device-rest depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -561,54 +593,59 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59986 - published: "59986" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59986 + published: "59986" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/device-rest - target: /tmp/edgex/secrets/device-rest - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-rest + target: /tmp/edgex/secrets/device-rest + read_only: true + bind: + selinux: z + create_host_path: true device-virtual: command: - - /device-virtual - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /device-virtual + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-device-virtual depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true core-data: condition: service_started + required: true core-metadata: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -632,48 +669,49 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59900 - published: "59900" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59900 + published: "59900" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/device-virtual - target: /tmp/edgex/secrets/device-virtual - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/device-virtual + target: /tmp/edgex/secrets/device-virtual + read_only: true + bind: + selinux: z + create_host_path: true nginx: command: - - /docker-entrypoint.sh - - nginx - - -g - - daemon off; + - /docker-entrypoint.sh + - nginx + - -g + - daemon off; container_name: edgex-nginx depends_on: security-secretstore-setup: condition: service_started + required: true entrypoint: - - /bin/sh - - /edgex-init/nginx_wait_install.sh + - /bin/sh + - /edgex-init/nginx_wait_install.sh environment: PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -694,44 +732,47 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 8443 - published: "8443" - protocol: tcp + - mode: ingress + target: 8443 + published: "8443" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /etc/nginx/conf.d - - /var/cache/nginx - - /var/log/nginx - - /var/run + - /etc/nginx/conf.d + - /var/cache/nginx + - /var/log/nginx + - /var/run volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: nginx-templates - target: /etc/nginx/templates - volume: {} - - type: volume - source: nginx-tls - target: /etc/ssl/nginx - volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} rules-engine: container_name: edgex-kuiper depends_on: database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/kuiper_wait_install.sh + - /edgex-init/kuiper_wait_install.sh environment: CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis @@ -743,6 +784,7 @@ services: EDGEX__DEFAULT__TOPIC: edgex/rules-events EDGEX__DEFAULT__TYPE: redis KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__ENABLEOPENZITI: "false" KUIPER__BASIC__RESTPORT: "59720" PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -759,56 +801,56 @@ services: STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-kuiper - image: lfedge/ekuiper:1.12-alpine + image: lfedge/ekuiper:v1.14.0-alpha.2 networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59720 - published: "59720" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: kuiper:kuiper volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: kuiper-data - target: /kuiper/data - volume: {} - - type: volume - source: kuiper-etc - target: /kuiper/etc - volume: {} - - type: volume - source: kuiper-connections - target: /kuiper/etc/connections - volume: {} - - type: volume - source: kuiper-sources - target: /kuiper/etc/sources - volume: {} - - type: volume - source: kuiper-log - target: /kuiper/log - volume: {} - - type: volume - source: kuiper-plugins - target: /kuiper/plugins - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} + - type: volume + source: kuiper-sources + target: /kuiper/etc/sources + volume: {} + - type: volume + source: kuiper-connections + target: /kuiper/etc/connections + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -835,34 +877,36 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + volume: {} security-proxy-auth: command: - - entrypoint.sh - - /security-proxy-auth - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - entrypoint.sh + - /security-proxy-auth + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-proxy-auth depends_on: core-common-config-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /bin/sh - - /edgex-init/ready_to_run_wait_install.sh + - /bin/sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -886,43 +930,45 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59842 - published: "59842" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59842 + published: "59842" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-proxy-auth - target: /tmp/edgex/secrets/security-proxy-auth - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-auth + target: /tmp/edgex/secrets/security-proxy-auth + read_only: true + bind: + selinux: z + create_host_path: true security-proxy-setup: container_name: edgex-security-proxy-setup depends_on: security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/proxy_setup_wait_install.sh + - /edgex-init/proxy_setup_wait_install.sh environment: EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986 EDGEX_SECURITY_SECRET_STORE: "true" 
@@ -957,51 +1003,53 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: root:root volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-config - target: /vault/config - volume: {} - - type: volume - source: nginx-templates - target: /etc/nginx/templates - volume: {} - - type: volume - source: nginx-tls - target: /etc/ssl/nginx - volume: {} - - type: bind - source: /tmp/edgex/secrets/security-proxy-setup - target: /tmp/edgex/secrets/security-proxy-setup - read_only: true - bind: - selinux: z - create_host_path: true - - type: volume - source: consul-acl-token - target: /tmp/edgex/secrets/consul-acl-token - read_only: true - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-setup + target: /tmp/edgex/secrets/security-proxy-setup + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + read_only: true + volume: {} security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: security-bootstrapper: condition: service_started + required: true vault: condition: service_started + required: true environment: EDGEX_ADD_KNOWN_SECRETS: 
redisdb[app-rules-engine],redisdb[device-rest],message-bus[device-rest],redisdb[device-virtual],message-bus[device-virtual] EDGEX_ADD_SECRETSTORE_TOKENS: "" 
@@ -1031,60 +1079,65 @@ services: read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true tmpfs: - - /run - - /vault + - /run + - /vault user: root:root volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets - target: /tmp/edgex/secrets - bind: - selinux: z - create_host_path: true - - type: volume - source: kuiper-sources - target: /tmp/kuiper - volume: {} - - type: volume - source: kuiper-connections - target: /tmp/kuiper-connections - volume: {} - - type: volume - source: vault-config - target: /vault/config - volume: {} + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: bind + source: /tmp/edgex/secrets + target: /tmp/edgex/secrets + bind: + selinux: z + create_host_path: true + - type: volume + source: kuiper-sources + target: /tmp/kuiper + volume: {} + - type: volume + source: kuiper-connections + target: /tmp/kuiper-connections + volume: {} support-notifications: command: - - /support-notifications - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /support-notifications + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-support-notifications depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - 
/edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup 
@@ -1108,54 +1161,59 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59860 - published: "59860" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/support-notifications - target: /tmp/edgex/secrets/support-notifications - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-notifications + target: /tmp/edgex/secrets/support-notifications + read_only: true + bind: + selinux: z + create_host_path: true support-scheduler: command: - - /support-scheduler - - -cp=consul.http://edgex-core-consul:8500 - - --registry + - /support-scheduler + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-support-scheduler depends_on: consul: condition: service_started + required: true core-common-config-bootstrapper: condition: service_started + required: true database: condition: service_started + required: true security-bootstrapper: condition: service_started + required: true security-secretstore-setup: condition: service_started + required: true entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: EDGEX_SECURITY_SECRET_STORE: "true" INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data 
@@ -1181,35 +1239,35 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 59861 - published: "59861" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true - - type: bind - source: /tmp/edgex/secrets/support-scheduler - target: /tmp/edgex/secrets/support-scheduler - read_only: true - bind: - selinux: z - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/support-scheduler + target: /tmp/edgex/secrets/support-scheduler + read_only: true + bind: + selinux: z + create_host_path: true ui: container_name: edgex-ui-go environment: 
@@ -1220,33 +1278,34 @@ services: networks: edgex-network: null ports: - - mode: ingress - target: 4000 - published: "4000" - protocol: tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: - - no-new-privileges:true + - no-new-privileges:true user: 2002:2001 volumes: - - type: bind - source: /etc/localtime - target: /etc/localtime - read_only: true - bind: - create_host_path: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + bind: + create_host_path: true vault: cap_add: - - IPC_LOCK + - IPC_LOCK command: - - server + - server container_name: edgex-vault depends_on: security-bootstrapper: condition: service_started + required: true entrypoint: - - /edgex-init/vault_wait_install.sh + - /edgex-init/vault_wait_install.sh environment: PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper @@ -1270,29 +1329,29 @@ services: networks: edgex-network: null ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp restart: always tmpfs: - - /vault/config + - /vault/config user: root:root volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-file + target: /vault/file + volume: {} + - type: volume + source: vault-logs + target: /vault/logs + volume: {} networks: edgex-network: name: edgex_edgex-network