-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
158 lines (151 loc) · 5.6 KB
/
Copy pathdocker-compose.yml
File metadata and controls
158 lines (151 loc) · 5.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
#
# Brno University of Technology
# Faculty of Information Technology
#
# BSc Thesis 2006/2007
#
# Railway Interlocking Simulator
#
# Dockerization: 2025
# Optimized: 2026-01 (BuildKit cache mounts)
# Security fix: 2026-06 (BuildKit secrets for GitHub Packages token)
#
# Docker Compose orchestration for interlockSim project
#
# Usage:
# # Build services:
# docker compose build app # Build app (no tests; kDisco from GitHub Packages)
# docker compose build text # Build LaTeX thesis
#
# # Run test suite (separate from app image build; tests execute
# # DURING the image build -- there is no runtime test entry point):
# docker compose --profile test build test
#
# # Run GUI editor (requires X11):
# docker compose up app
#
# # Run simulation with example:
# docker compose run app java -jar interlockSim.jar example shuntingLoop 60
#
# # Run simulation with custom XML:
# docker compose run -v $(pwd)/myfile.xml:/app/myfile.xml app java -jar interlockSim.jar sim myfile.xml
#
# GitHub Packages authentication:
# Set GITHUB_ACTOR and GITHUB_TOKEN and EXPORT them before building. The
# token is passed to the build as a BuildKit secret (secrets.environment
# below) so it never appears in the resolved RUN command, image layers, or
# docker history. Because the secret provider reads the *process* env (not
# .env, which compose only auto-loads for ${VAR} interpolation), a .env
# file alone is NOT enough -- export it first:
#
# set -a; source .env; set +a
# docker compose up --build
#
# A non-exported .env yields an empty token and a 401 from GitHub Packages.
#
services:
# Build and run Java application with GUI support
# kDisco is automatically downloaded from GitHub Packages or uses local Maven cache
app:
build:
context: .
dockerfile: Dockerfile
target: runner
args:
# Match the host user's UID/GID so the container can read the 0600
# X11 auth cookie and write artifacts with host-user ownership.
# Set in .env or export before building:
# export RUNTIME_UID=$(id -u) RUNTIME_GID=$(id -g)
RUNTIME_UID: ${RUNTIME_UID:-1000}
RUNTIME_GID: ${RUNTIME_GID:-1000}
secrets:
# GitHub Packages credentials for kDisco dependency.
# Values are read from host environment variables and mounted as BuildKit
# secrets at /run/secrets/github_actor and /run/secrets/github_token.
- github_actor
- github_token
image: interlocksim:latest
environment:
# Pass host DISPLAY to container for X11 forwarding
- DISPLAY=${DISPLAY:-host.docker.internal:0}
# Pass X11 authentication
- XAUTHORITY=/tmp/.docker.xauth
volumes:
# Mount X11 socket for GUI display
- /tmp/.X11-unix:/tmp/.X11-unix:rw
# Mount X11 authentication file
- ${XAUTHORITY:-$HOME/.Xauthority}:/tmp/.docker.xauth:ro
# Mount local directory to extract artifacts
- ./artifacts/app:/artifacts
# Optional: mount XML files for simulation
# - ./src/main/resources:/app/xml:ro
network_mode: host
container_name: interlocksim-app
# Allow X11 forwarding
security_opt:
- seccomp:unconfined
# Optional: uncomment to keep container running for debugging
# stdin_open: true
# tty: true
# Run the full test suite in a dedicated image build (separate from the app image).
# Tests and quality gates execute DURING `build` -- BuildKit cache mounts and
# secrets only exist at build time, so there is no runtime test entry point.
# Tests run as the non-root `builder` user so filesystem-permission tests work.
# This service is gated behind the "test" profile so it is never built or started
# by a plain `docker compose up` or `docker compose up --build`.
#
# Usage:
# docker compose --profile test build test # Runs tests; fails if the suite fails
test:
profiles: ["test"]
build:
context: .
dockerfile: Dockerfile
target: test-runner
secrets:
- github_actor
- github_token
image: interlocksim-test:latest
container_name: interlocksim-test
# Native fast-sim CLI binary (no JVM, minimal image)
# Usage:
# docker compose build fast-sim
# docker compose run fast-sim example shuntingLoop 60
fast-sim:
build:
context: .
dockerfile: Dockerfile.fast-sim
secrets:
# GitHub Packages credentials for kDisco dependency (see app service above).
- github_actor
- github_token
image: interlocksim-fast-sim:latest
container_name: interlocksim-fast-sim
command: ["example", "shuntingLoop", "60"]
# Build LaTeX thesis with Czech language tools
text:
build:
context: .
dockerfile: text/Dockerfile
image: interlocksim-text:latest
volumes:
# Mount local directory to extract artifacts
- ./artifacts/text:/artifacts
container_name: interlocksim-text-build
# Optional: uncomment to see more detailed build output
# stdin_open: true
# tty: true
# Explicit network for clarity (optional)
networks:
default:
name: interlocksim-network
# BuildKit secrets: map host environment variables to secret IDs used in Dockerfiles.
# The values are mounted at runtime and are not persisted in the image.
secrets:
github_actor:
environment: GITHUB_ACTOR
github_token:
environment: GITHUB_TOKEN
# Note: BuildKit cache mounts are managed in Dockerfiles, not here
# Runtime volumes can be added here if needed in the future
volumes: {}