From fe0c2afe60a1a2dd046ad585e6324c42ad36e489 Mon Sep 17 00:00:00 2001
From: Chris Sherwood
Date: Fri, 13 Mar 2026 20:09:44 -0700
Subject: [PATCH] fix(security): remove MySQL and Redis port exposure to host
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

MySQL (3306) and Redis (6379) were published to all host interfaces despite only being accessed by the admin container via Docker's internal network. Redis has no authentication, so anyone on the LAN could connect. Removes the port mappings — containers still communicate internally via Docker service names.
Closes #279
Co-Authored-By: Claude Opus 4.6
---
 install/management_compose.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/install/management_compose.yaml b/install/management_compose.yaml
index 43b8bf7..3bf5060 100644
--- a/install/management_compose.yaml
+++ b/install/management_compose.yaml
@@ -57,8 +57,6 @@ services:
 image: mysql:8.0
 container_name: nomad_mysql
 restart: unless-stopped
- ports:
- - "3306:3306"
 environment:
 - MYSQL_ROOT_PASSWORD=replaceme
 - MYSQL_DATABASE=nomad
@@ -75,8 +73,6 @@ services:
 image: redis:7-alpine
 container_name: nomad_redis
 restart: unless-stopped
- ports:
- - "6379:6379"
 volumes:
 - /opt/project-nomad/redis:/data
 healthcheck: