Add local port binding support

Author: MoeMahhouk

internal/components.go

@@ -435,8 +435,8 @@ type BuilderHubPostgres struct {
 func (b *BuilderHubPostgres) Run(service *service, ctx *ExContext) {
 	service.
 		WithImage("docker.io/flashbots/builder-hub-db").
-		WithTag("latest").
-		WithPort("postgres", 5432).
+		WithTag("0.2.1").
+		WithLocalPort("postgres", 5432).
 		WithEnv("POSTGRES_USER", "postgres").
 		WithEnv("POSTGRES_PASSWORD", "postgres").
 		WithEnv("POSTGRES_DB", "postgres").
@@ -460,7 +460,7 @@ type BuilderHub struct {
 func (b *BuilderHub) Run(service *service, ctx *ExContext) {
 	service.
 		WithImage("docker.io/flashbots/builder-hub").
-		WithTag("latest").
+		WithTag("0.2.1").
 		WithEntrypoint("/app/builder-hub").
 		WithEnv("POSTGRES_DSN", "postgres://postgres:postgres@"+ConnectRaw(b.postgres, "postgres", "")+"/postgres?sslmode=disable").
 		WithEnv("LISTEN_ADDR", "0.0.0.0:"+`{{Port "http" 8080}}`).
@@ -483,7 +483,7 @@ func (b *BuilderHubMockProxy) Run(service *service, ctx *ExContext) {
 	service.
 		WithImage("nginx").
 		WithTag("1.27").
-		WithPort("http", 8888).
+		WithLocalPort("http", 8888).
 		DependsOnRunning(b.TargetService).
 		WithEntrypoint("/bin/sh").
 		WithArgs("-c", fmt.Sprintf(`cat > /etc/nginx/conf.d/default.conf << 'EOF'

internal/local_runner.go

@@ -583,7 +583,13 @@ func (d *LocalRunner) toDockerComposeService(s *service) (map[string]interface{}
 	if len(s.ports) > 0 {
 		ports := []string{}
 		for _, p := range s.ports {
-			ports = append(ports, fmt.Sprintf("%d:%d", p.HostPort, p.Port))
+			if p.Local {
+				// Bind only to localhost (127.0.0.1)
+				ports = append(ports, fmt.Sprintf("127.0.0.1:%d:%d", p.HostPort, p.Port))
+			} else {
+				// Bind to all interfaces (default)
+				ports = append(ports, fmt.Sprintf("%d:%d", p.HostPort, p.Port))
+			}
 		}
 		service["ports"] = ports
 	}

internal/manifest.go

@@ -222,6 +222,9 @@ type Port struct {
 	// container port. It is populated by the local runner
 	// TODO: We might want to move this to the runner itself.
 	HostPort int
+
+	// Local indicates if this port should only be bound to localhost (127.0.0.1)
+	Local bool
 }
 
 // NodeRef describes a reference from one service to another
@@ -356,7 +359,7 @@ func (s *service) WithTag(tag string) *service {
 	return s
 }
 
-func (s *service) WithPort(name string, portNumber int) *service {
+func (s *service) WithPort(name string, portNumber int, local bool) *service {
 	// add the port if not already present with the same name.
 	// if preset with the same name, they must have same port number
 	for _, p := range s.ports {
@@ -367,16 +370,26 @@ func (s *service) WithPort(name string, portNumber int) *service {
 			return s
 		}
 	}
-	s.ports = append(s.ports, &Port{Name: name, Port: portNumber})
+	s.ports = append(s.ports, &Port{Name: name, Port: portNumber, Local: local})
 	return s
 }
 
+// WithLocalPort is a convenience method to add a port that should only be bound to localhost
+func (s *service) WithLocalPort(name string, portNumber int) *service {
+	return s.WithPort(name, portNumber, true)
+}
+
+// WithPublicPort is a convenience method to add a port that should be bound to all interfaces (default behavior)
+func (s *service) WithPublicPort(name string, portNumber int) *service {
+	return s.WithPort(name, portNumber, false)
+}
+
 func (s *service) applyTemplate(arg string) {
 	var port []Port
 	var nodeRef []NodeRef
 	_, port, nodeRef = applyTemplate(arg)
 	for _, p := range port {
-		s.WithPort(p.Name, p.Port)
+		s.WithPort(p.Name, p.Port, false) // Default to non-local ports for backward compatibility
 	}
 	for _, n := range nodeRef {
 		s.nodeRefs = append(s.nodeRefs, &n)
@@ -445,7 +458,7 @@ func applyTemplate(templateStr string) (string, []Port, []NodeRef) {
 			return fmt.Sprintf(`{{Service "%s" "%s"}}`, name, portLabel)
 		},
 		"Port": func(name string, defaultPort int) string {
-			portRef = append(portRef, Port{Name: name, Port: defaultPort})
+			portRef = append(portRef, Port{Name: name, Port: defaultPort, Local: false})
 			return fmt.Sprintf(`{{Port "%s" %d}}`, name, defaultPort)
 		},
 	}

main.go

@@ -24,6 +24,7 @@ var dryRun bool
 var interactive bool
 var timeout time.Duration
 var logLevelFlag string
+var localPortsFlag bool
 
 var rootCmd = &cobra.Command{
 	Use:   "playground",
@@ -167,6 +168,7 @@ func main() {
 		recipeCmd.Flags().BoolVar(&interactive, "interactive", false, "interactive mode")
 		recipeCmd.Flags().DurationVar(&timeout, "timeout", 0, "") // Used for CI
 		recipeCmd.Flags().StringVar(&logLevelFlag, "log-level", "info", "log level")
+		recipeCmd.Flags().BoolVar(&localPortsFlag, "local-ports", false, "bind all ports to localhost only (127.0.0.1) for enhanced security")
 
 		cookCmd.AddCommand(recipeCmd)
 	}
@@ -217,6 +219,15 @@ func runIt(recipe internal.Recipe) error {
 		return fmt.Errorf("failed to validate manifest: %w", err)
 	}
 
+	// set the local ports flag
+	if localPortsFlag {
+		for _, svc := range svcManager.Services() {
+			for _, port := range svc.Ports() {
+				port.Local = true
+			}
+		}
+	}
+
 	// generate the dot graph
 	dotGraph := svcManager.GenerateDotGraph()
 	if err := artifacts.Out.WriteFile("graph.dot", dotGraph); err != nil {