From db9a849a1311af6012bc4cfd64a2ce00fb377be6 Mon Sep 17 00:00:00 2001
From: mrveiss
Date: Thu, 19 Mar 2026 12:57:38 +0200
Subject: [PATCH 1/2] feat(docker): add resource limits, log rotation, and network segmentation (#1897)
- Add memory/CPU limits to all 9 services
- Add json-file log rotation (50MB max, 5 files)
- Bind RedisInsight to localhost only (was exposed to all interfaces)
- Split flat network into autobot-data + autobot-app tiers
- Add no-new-privileges security option to all containers
---
 docker-compose.yml | 134 +++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 123 insertions(+), 11 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index b272e3117..57354e703 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,7 +19,7 @@ services:
 restart: unless-stopped
 ports:
 - "${AUTOBOT_REDIS_PORT:-6379}:6379"
- - "8001:8001" # RedisInsight UI
+ - "127.0.0.1:8001:8001" # RedisInsight UI (localhost only)
 volumes:
 - redis_data:/data
 environment:
@@ -29,8 +29,20 @@ services:
 interval: 10s
 timeout: 3s
 retries: 5
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ cpus: '1.0'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-data
 autobot-postgres:
 image: postgres:16-bookworm
@@ -50,8 +62,20 @@ services:
 interval: 10s
 timeout: 3s
 retries: 5
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ cpus: '1.0'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-data
 autobot-chromadb:
 image: chromadb/chroma:0.5.23
@@ -69,8 +93,20 @@ services:
 interval: 15s
 timeout: 5s
 retries: 3
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ cpus: '1.0'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-data
 # ---- Application Layer ---- 
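Review bot: The redis data port on the context line `- "${AUTOBOT_REDIS_PORT:-6379}:6379"` is still published on every host interface, while only the RedisInsight port below it moves to loopback in this hunk. The application containers reach redis over the compose network, so the host-side publish could follow the same pattern, `- "127.0.0.1:${AUTOBOT_REDIS_PORT:-6379}:6379"`, unless an off-host client genuinely needs it. If the exposure is intentional (the follow-up commit's description says redis remains public), a one-line comment next to the port stating why would help the next reader; the service's environment block, which would show whether a password is required, is cut off at the hunk edge. The autobot-redis service definition begins above this hunk.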
@@ -117,8 +153,21 @@ services:
 timeout: 10s
 retries: 5
 start_period: 120s
+ deploy:
+ resources:
+ limits:
+ memory: 2G
+ cpus: '2.0'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-data
+ - autobot-app
 autobot-worker:
 build:
@@ -185,8 +234,21 @@ services:
 timeout: 10s
 retries: 5
 start_period: 60s
+ deploy:
+ resources:
+ limits:
+ memory: 1G
+ cpus: '1.0'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-data
+ - autobot-app
 autobot-frontend:
 build:
@@ -206,8 +268,20 @@ services:
 interval: 30s
 timeout: 5s
 retries: 3
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ cpus: '0.5'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-app
 # ---- Optional: Local LLM ----
@@ -227,8 +301,20 @@ services:
 timeout: 10s
 retries: 3
 start_period: 30s
+ deploy:
+ resources:
+ limits:
+ memory: 4G
+ cpus: '4.0'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-app
 profiles:
 - ollama
@@ -242,8 +328,20 @@ services:
 - "9090:9090"
 volumes:
 - prometheus_data:/prometheus
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ cpus: '0.5'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-app
 profiles:
 - monitoring
@@ -260,8 +358,20 @@ services:
 - GF_USERS_ALLOW_SIGN_UP=false
 depends_on:
 - autobot-prometheus
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ cpus: '0.5'
+ logging:
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+ security_opt:
+ - no-new-privileges:true
 networks:
- - autobot
+ - autobot-app
 profiles:
 - monitoring 
@@ -278,5 +388,7 @@ volumes:
 grafana_data:
 networks:
- autobot:
+ autobot-data:
+ driver: bridge
+ autobot-app:
 driver: bridge
From 8c15abe0626a9a6200226ebe61e56c6372dc8aec Mon Sep 17 00:00:00 2001
From: mrveiss
Date: Fri, 20 Mar 2026 15:35:04 +0200
Subject: [PATCH 2/2] fix(docker): address code review findings (#1897)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Bind internal ports to localhost (postgres, chromadb, ollama, prometheus, grafana) — only frontend 80/443 and redis remain public
- Ollama memory 4G→8G (7B models need ~5.5GB + runtime overhead)
- Add YAML anchor for logging config (9 blocks → 1 definition)
- Add health checks for Prometheus and Grafana
- Note Compose v2+ requirement in file header
---
 docker-compose.yml | 83 ++++++++++++++++++----------------------------
 1 file changed, 32 insertions(+), 51 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 57354e703..cc6f18c98 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,6 @@
 # AutoBot Docker Compose — Single-Node Deployment (#1809)
 # All core services on one machine. Frontend at /, SLM at /slm.
+# Requires Docker Compose v2+ for resource limits (deploy.resources).
 #
 # Usage:
 # docker compose up -d # Start all core services
@@ -10,6 +11,12 @@
 # Copyright (c) 2025 mrveiss
 # Author: mrveiss
+x-default-logging: &default-logging
+ driver: json-file
+ options:
+ max-size: "50m"
+ max-file: "5"
+
 services:
 # ---- Data Layer ----
@@ -34,11 +41,7 @@ services:
 limits:
 memory: 1G
 cpus: '1.0'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks:
@@ -49,7 +52,7 @@ services:
 container_name: autobot-postgres
 restart: unless-stopped
 ports:
- - "5432:5432"
+ - "127.0.0.1:5432:5432"
 volumes:
 - postgres_data:/var/lib/postgresql/data
 - ./docker/postgres/init-databases.sql:/docker-entrypoint-initdb.d/init-databases.sql 
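Review bot: The two networks added at the end of the `@@ -278,5 +388,7 @@` hunk differ only by name, so the data/app split rests entirely on which services list `autobot-data`; nothing in the definition itself prevents a data-tier container from reaching off-host. If the intent is that redis, postgres and chromadb never initiate outbound connections, `internal: true` under `autobot-data:` is the compose option for that, but it interacts with the host port publishes those services still carry — as far as I recall Docker does not set up port forwarding for a container attached only to an internal network, so verify that before combining the two. A short comment above `autobot-data:` recording which tier each network serves and which services are allowed on both would make the segmentation auditable from this file alone.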
@@ -67,11 +70,7 @@ services:
 limits:
 memory: 1G
 cpus: '1.0'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks:
@@ -82,7 +81,7 @@ services:
 container_name: autobot-chromadb
 restart: unless-stopped
 ports:
- - "8100:8000"
+ - "127.0.0.1:8100:8000"
 volumes:
 - chroma_data:/chroma/chroma
 environment:
@@ -98,11 +97,7 @@ services:
 limits:
 memory: 1G
 cpus: '1.0'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks:
@@ -158,11 +153,7 @@ services:
 limits:
 memory: 2G
 cpus: '2.0'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks:
@@ -239,11 +230,7 @@ services:
 limits:
 memory: 1G
 cpus: '1.0'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks:
@@ -273,11 +260,7 @@ services:
 limits:
 memory: 512M
 cpus: '0.5'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks:
@@ -290,7 +273,7 @@ services:
 container_name: autobot-ollama
 restart: unless-stopped
 ports:
- - "11434:11434"
+ - "127.0.0.1:11434:11434"
 volumes:
 - ollama_data:/root/.ollama
 environment:
@@ -304,13 +287,9 @@ services:
 deploy:
 resources:
 limits:
- memory: 4G
+ memory: 8G # 7B models need ~5.5GB; increase for larger models
 cpus: '4.0'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks: 
@@ -325,19 +304,20 @@ services:
 container_name: autobot-prometheus
 restart: unless-stopped
 ports:
- - "9090:9090"
+ - "127.0.0.1:9090:9090"
 volumes:
 - prometheus_data:/prometheus
+ healthcheck:
+ test: ["CMD", "wget", "-q", "--spider", "http://localhost:9090/-/healthy"]
+ interval: 30s
+ timeout: 5s
+ retries: 3
 deploy:
 resources:
 limits:
 memory: 512M
 cpus: '0.5'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks:
@@ -350,7 +330,7 @@ services:
 container_name: autobot-grafana
 restart: unless-stopped
 ports:
- - "3000:3000"
+ - "127.0.0.1:3000:3000"
 volumes:
 - grafana_data:/var/lib/grafana
 environment:
@@ -358,16 +338,17 @@ services:
 - GF_USERS_ALLOW_SIGN_UP=false
 depends_on:
 - autobot-prometheus
+ healthcheck:
+ test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/api/health"]
+ interval: 30s
+ timeout: 5s
+ retries: 3
 deploy:
 resources:
 limits:
 memory: 512M
 cpus: '0.5'
- logging:
- driver: json-file
- options:
- max-size: "50m"
- max-file: "5"
+ logging: *default-logging
 security_opt:
 - no-new-privileges:true
 networks:
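Review bot: The added healthcheck `test: ["CMD", "wget", "-q", "--spider", "http://localhost:9090/-/healthy"]` only works if the prometheus image ships a `wget` binary; the image line is outside this hunk so I cannot confirm it, and a missing binary leaves the container permanently unhealthy instead of failing loudly. The same applies to the grafana check in the `@@ -358,16 +338,17 @@` hunk. Neither check sets `start_period:`, so with `interval: 30s` and `retries: 3` a slow first start consumes the retries; a `start_period:` tuned to the observed startup time of each service would make the intent explicit. The autobot-prometheus service definition begins above this hunk.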
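Review bot: The context lines `depends_on:` / `- autobot-prometheus` use the short form, which only orders container start; now that prometheus gains a healthcheck in the `@@ -325,19 +304,20 @@` hunk, the long form `autobot-prometheus:` with `condition: service_healthy` would make grafana wait for a reachable prometheus rather than a merely started container. Whether grafana needs that here (datasource provisioning at startup, for instance) is not visible in this hunk, so treat it as a suggestion rather than a defect. The autobot-grafana service definition starts above this hunk.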