From de9a63f67db705e6864517a6668e8839b5ec7964 Mon Sep 17 00:00:00 2001
From: Pierre Tessier
Date: Mon, 8 Aug 2022 23:08:32 -0400
Subject: [PATCH 1/2] restrict network ports
---
 docker-compose.yml | 48 ++++++++++++++++++++++------------------------
 1 file changed, 23 insertions(+), 25 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index ed5bc87567..a3d31931fb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,22 +4,20 @@ x-default-logging: &logging
 options:
 max-size: "5m"
 max-file: "2"
-services:
+networks:
+ default:
+ name: opentelemetry-demo
+ driver: bridge
+
+services:
 # Jaeger
 jaeger:
 image: jaegertracing/all-in-one
 container_name: jaeger
 ports:
- - "5775:5775"
- - "5778:5778"
- - "6831:6831"
- - "6832:6832"
- - "9411:9411"
- - "16686:16686"
- - "14250:14250"
- - "14268:14268"
- - "14269:14269"
+ - "16686:16686" # Jaeger UI
+ - "14250" # Jaeger model.proto endpoint
 logging: *logging
 # Collector
@@ -31,10 +29,10 @@ services:
 - ./src/otelcollector/otelcol-config.yml:/etc/otelcol-config.yml
 - ./src/otelcollector/otelcol-config-extras.yml:/etc/otelcol-config-extras.yml
 ports:
- - "4317"
- - "4318"
- - "9464"
- - "8888:8888"
+ - "4317" # OTLP over gRPC receiver
+ - "4318" # OTLP over HTTP receiver
+ - "9464" # Prometheus exporter
+ - "8888" # metrics endpoint
 depends_on:
 - jaeger
 logging: *logging
@@ -55,7 +53,7 @@ services:
 context: ./
 dockerfile: ./src/adservice/Dockerfile
 ports:
- - "${AD_SERVICE_PORT}:${AD_SERVICE_PORT}"
+ - "${AD_SERVICE_PORT}"
 environment:
 - AD_SERVICE_PORT
 - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
@@ -73,7 +71,7 @@ services:
 context: ./
 dockerfile: ./src/cartservice/src/Dockerfile
 ports:
- - "${CART_SERVICE_PORT}:${CART_SERVICE_PORT}"
+ - "${CART_SERVICE_PORT}"
 environment:
 - CART_SERVICE_PORT
 - REDIS_ADDR
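Review bot: The container-only entries under `ports:`, starting with `- "14250"` on the jaeger service, are still published to the host. In Compose's short syntax an entry without a host part maps the container port to an ephemeral host port, bound on all interfaces by default. The same applies to `"4317"`, `"4318"`, `"9464"` and `"8888"` on the collector and to every `"${..._SERVICE_PORT}"` entry in the later hunks, so those listeners stay reachable from outside the Compose network, only on an unpredictable port number. If they are meant for container-to-container traffic only, replace the entry with `expose:` (for example `expose: ["14250"]`) or drop it, since services on the shared `opentelemetry-demo` network reach each other without any publish.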
@@ -93,7 +91,7 @@ services:
 context: ./
 dockerfile: ./src/checkoutservice/Dockerfile
 ports:
- - "${CHECKOUT_SERVICE_PORT}:${CHECKOUT_SERVICE_PORT}"
+ - "${CHECKOUT_SERVICE_PORT}"
 environment:
 - CHECKOUT_SERVICE_PORT
 - CART_SERVICE_ADDR
@@ -124,7 +122,7 @@ services:
 - GRPC_VERSION=1.46.0
 - OPENTELEMETRY_VERSION=1.4.0
 ports:
- - "${CURRENCY_SERVICE_PORT}:${CURRENCY_SERVICE_PORT}"
+ - "${CURRENCY_SERVICE_PORT}"
 environment:
 - CURRENCY_SERVICE_PORT
 - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
@@ -140,7 +138,7 @@ services:
 build:
 context: ./src/emailservice
 ports:
- - "${EMAIL_SERVICE_PORT}:${EMAIL_SERVICE_PORT}"
+ - "${EMAIL_SERVICE_PORT}"
 environment:
 - APP_ENV=production
 - EMAIL_SERVICE_PORT
@@ -189,7 +187,7 @@ services:
 context: ./
 dockerfile: ./src/paymentservice/Dockerfile
 ports:
- - "${PAYMENT_SERVICE_PORT}:${PAYMENT_SERVICE_PORT}"
+ - "${PAYMENT_SERVICE_PORT}"
 environment:
 - PAYMENT_SERVICE_PORT
 - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
@@ -206,7 +204,7 @@ services:
 context: ./
 dockerfile: ./src/productcatalogservice/Dockerfile
 ports:
- - "${PRODUCT_CATALOG_SERVICE_PORT}:${PRODUCT_CATALOG_SERVICE_PORT}"
+ - "${PRODUCT_CATALOG_SERVICE_PORT}"
 environment:
 - PRODUCT_CATALOG_SERVICE_PORT
 - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
@@ -223,7 +221,7 @@ services:
 context: ./
 dockerfile: ./src/recommendationservice/Dockerfile
 ports:
- - "${RECOMMENDATION_SERVICE_PORT}:${RECOMMENDATION_SERVICE_PORT}"
+ - "${RECOMMENDATION_SERVICE_PORT}"
 depends_on:
 - productcatalogservice
 - otelcol
@@ -243,7 +241,7 @@ services:
 context: ./
 dockerfile: ./src/shippingservice/Dockerfile
 ports:
- - "${SHIPPING_SERVICE_PORT}:${SHIPPING_SERVICE_PORT}"
+ - "${SHIPPING_SERVICE_PORT}"
 environment:
 - SHIPPING_SERVICE_PORT
 - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
@@ -259,8 +257,8 @@ services:
 build:
 context: ./src/featureflagservice
 ports:
- - "${FEATURE_FLAG_SERVICE_PORT}:${FEATURE_FLAG_SERVICE_PORT}"
- - "${FEATURE_FLAG_GRPC_SERVICE_PORT}:${FEATURE_FLAG_GRPC_SERVICE_PORT}"
+ - "${FEATURE_FLAG_SERVICE_PORT}:${FEATURE_FLAG_SERVICE_PORT}" # Feature Flag Service UI
+ - "${FEATURE_FLAG_GRPC_SERVICE_PORT}" # Feature Flag Service gRPC API
 environment:
 - FEATURE_FLAG_SERVICE_PORT
 - FEATURE_FLAG_GRPC_SERVICE_PORT
From e29219888710de7a5040fbad975c678650b093f6 Mon Sep 17 00:00:00 2001
From: Pierre Tessier
Date: Mon, 8 Aug 2022 23:20:51 -0400
Subject: [PATCH 2/2] restrict network ports
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e81b99dad2..1bafbf359a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -59,3 +59,5 @@ significant modifications will be credited to OpenTelemetry Authors.
 ([#260](https://github.com/open-telemetry/opentelemetry-demo/pull/260))
 * Added span attributes to currency service
 ([#265](https://github.com/open-telemetry/opentelemetry-demo/pull/265))
+* Restricted network and port bindings
+([#272](https://github.com/open-telemetry/opentelemetry-demo/pull/272))
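Review bot: The Feature Flag UI mapping `"${FEATURE_FLAG_SERVICE_PORT}:${FEATURE_FLAG_SERVICE_PORT}"` keeps a fixed host port with no host address, so Docker binds it on every interface of the host. The Jaeger UI entry `"16686:16686"` in the first hunk has the same shape. Nothing visible in this patch puts authentication in front of either UI, so anyone who can route to the host could presumably open them. For a demo run on a workstation, prefixing the loopback address keeps the UI usable locally without exposing it to the network: `- "127.0.0.1:${FEATURE_FLAG_SERVICE_PORT}:${FEATURE_FLAG_SERVICE_PORT}"`. The featureflagservice definition starts and continues outside this hunk.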