Fix issue 2017: setting localhost as default in docker-compose based setups

[pasindutennage-da]

Fixes #2017

Set localhost as the default in SV, localhost, and validator docker-compose in cluster/compose

For SV and Validator, there is an option to expose externally using -E flag, in the respective start.sh scripts.

For localnet, it is hardcoded, because no extra traffic is expected.

[martinflorian-da]

Ah your idea being that these should never be public? Hm not 100% sure about that change - perhaps someone do wants to make them public after all, as part of their testing?

Probably nicest to make them optionally public like for the other compose file?

cc @isegall-da WDYT?

[pasindutennage-da]

I have some mixed feeling about this, and the following is my reasoning.

1. In any realistic setting, localnet will never host a real deployment, and hence nothing bad can happen if no port is opened for the outside (the open ports accept traffic only from 127.0.0.1).

2. Now validator is a bit tricky -- Validator initiates the connection with the SV (and not the other way), and therefor it is OK if the validator only accepts new connection requests (or just requests) from localhost. But, I am curious about the case where any other component (a front end) connects with the validator, in which case validator does have to listen to new connections from outside it's local machine. If the later is a realistic scenario, then the user has to put -E in the start.sh.

3. The SV case: SV often gets external requests, so I believe it's default behavior should listen to 0.0.0.0 (all interfaces), instead of localhost. But a counter argument to that is, SV in production use helm charts, and in any realistic setting this docker-compose will be used for local testing. Hence for all practical purposes, I think it is ok to let SV accept connections from localhost only.

@moritzkiefer-da Please let me know what you think.

Thanks

[isegall-da]

I would actually drop SV and localnet from this PR altogether, and focus only on validators. Everything else is dev tooling, so I'd keep those simple (and vulnerable).

For validators, I think that your all-or-nothing approach of the -E flag makes sense.

[moritzkiefer-da]

I'd look at it this way:

The whole reason we're adding this is that it got flagged as a security issue. Imho the best course of action on that is to change the default for everything including localnet (so yes I strongly disagree with @isegall-da here) Yes it is only localnet but that doesn't really matter. If someone gets an RCE on your machine because you exposed localnet publicly that's bad.

Which then leaves the question of where we allow changing it. There I'd also keep it simple: Allow overwriting it everywhere. If nothing else this is useful for backwards compatibility and there is no real downside. Trying to justify why you really don't need it for e.g. localnet only to then have a user complain that we broke their setup with no option to fix it seems more trouble than just adding the flag.

[martinflorian-da]

Looks reasonable to me, nice work @pasindutennage-da !

1. CI is unhappy, AFAICT due to the log checker. Ideally you can avoid the problematic log; it looks like the better option in this case (the other option being adding it to the right "ignore" file):

Found problems in the sbt output:
time="2025-10-08T15:17:21Z" level=warning msg="The \"HOST_BIND_IP\" variable is not set. Defaulting to a blank string."
time="2025-10-08T15:17:23Z" level=warning msg="The \"HOST_BIND_IP\" variable is not set. Defaulting to a blank string."
Total: 2 lines with problems.

2. This looks to me like a change we should make more public. How about adding something to docs/src/release_notes.rst?

[pasindutennage-da]

The CI error comes because the test is not exporting the HOST_BIND_IP correclty. I made a revision, and now if the variable is not set, it uses the default value.

[isegall-da]

The CI error comes because the test is not exporting the HOST_BIND_IP correclty. I made a revision, and now if the variable is not set, it uses the default value.

The message was probably from stop.sh. You might want instead to just add HOST_BIND_IP here:

splice/cluster/compose/validator/stop.sh

Line 33 in 38602fd

export VALIDATOR_NEW_PARTICIPANT_IDENTIFIER=""

(where we just export a bunch of env vars, for the exact purpose of avoiding these warnings)

[moritzkiefer-da]

Thanks! Changes lgtm overall, definitely should go in the release notes including mentioning the option to turn it back on.

Also please ask someone on macos to test this (probably spin up localnet and check that you can still open the wallet or something like that) as we discussed in slack. Docker on macos can be a bit finicky

[martinflorian-da]

Nice job, thank you @pasindutennage-da !

Mainly to try it out (90% sure this doesn't break anything there), you might want to consider doing a (basic) cluster test as well before you merge: https://github.com/hyperledger-labs/splice/blob/main/TESTING.md#requesting-cluster-tests

[martinflorian-da]

Suggested change

	- Docker-compose based deployment of LocalNet, Validator, and SuperValidator expose only to 127.0.0.1 by default. If you want to expose externally, use ``-E`` in Validator and SuperValidator ``start.sh``. For LocalNet, ``export HOST_BIND_IP=0.0.0.0`` manually.
	- Docker-compose based deployments of LocalNet, validator, and SV now expose only to 127.0.0.1 by default. If you want to expose externally, use ``-E`` in validator and SV ``start.sh``. For LocalNet, set ``export HOST_BIND_IP=0.0.0.0`` manually.

wording nit

[martinflorian-da]

...and actually, how annoying would it be to extend our integration tests for these flows to check that all opened ports are bound to localhost?

I.e., DockerComposeFullNetworkFrontendIntegrationTest and DockerComposeValidatorFrontendIntegrationTest.

[martinflorian-da]

...and actually, how annoying would it be to extend our integration tests for these flows to check that all opened ports are bound to localhost?

I.e., DockerComposeFullNetworkFrontendIntegrationTest and DockerComposeValidatorFrontendIntegrationTest.

From a quick look at the code there it looks like a reasonable investment; let's do this so we guard against regressions?