Skip to content

fix(pii): listen on 5001 to avoid app :3000 collision (awsvpc)#5182

Merged
TheodoreSpeaks merged 2 commits into
stagingfrom
fix/pii-port
Jun 23, 2026
Merged

fix(pii): listen on 5001 to avoid app :3000 collision (awsvpc)#5182
TheodoreSpeaks merged 2 commits into
stagingfrom
fix/pii-port

Conversation

@TheodoreSpeaks

@TheodoreSpeaks TheodoreSpeaks commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Summary

  • The sim/pii image hardcoded uvicorn --port 3000, so it always bound 3000.
  • In the app ECS task (awsvpc), all containers share one network namespace and the app owns 3000 — a sim/pii sidecar on 3000 collides with it and breaks the task. (The stock mcr presidio images ran on 5002/5001, which is why they coexisted with the app.)
  • Fix: the sidecar now listens on 5001 — exec-form CMD on 5001, EXPOSE 5001, healthcheck on 5001.

Why hardcode 5001 (not a configurable $PORT)

An earlier revision made the port configurable via $PORT, but EXPOSE can't be parameterized in a Dockerfile, so it always showed 5001 regardless of the runtime port (Greptile P2). We own both the image and the taskdef and only ever need one port, so hardcoding 5001 keeps EXPOSE/healthcheck/CMD consistent and avoids the mismatch. (Implication: the taskdef just needs containerPort: 5001; a PORT env on the sidecar is a no-op.)

Deploy ordering

Must be in ECR before the infra taskdef points the sidecar at sim/pii — otherwise the taskdef would run the old 3000-binding image and collide with the app. Independent of the app-rewire PR (which deploys after the taskdef). Sequence: this → infra taskdef (containerPort 5001, PII_URL=http://localhost:5001) → app-rewire.

Testing

Built locally and verified the service binds 5001 and /analyze returns spans on that port. The hardcoded build produces an identical runtime process (uvicorn server:app --host 0.0.0.0 --port 5001) to the verified revision; CI rebuilds the image on merge.

Type of Change

  • Bug fix

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@TheodoreSpeaks
fix(pii): bind a configurable $PORT to avoid app :3000 collision
52c2561 
The pii image hardcoded uvicorn --port 3000 and ignored env. In the app ECS
task (awsvpc) all containers share one network namespace, and the app owns
3000 — so the sidecar must listen elsewhere (the stock presidio images honored
PORT and ran on 5002/5001). Bind ${PORT} (shell-form CMD), default 5001, and
update EXPOSE/HEALTHCHECK accordingly so the taskdef can set PORT=5001.

Verified: default binds 5001; PORT=5002 override binds 5002; /analyze works on
the overridden port.
@vercel

vercel Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jun 23, 2026 8:38am

Request Review

@cursor

cursor Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

PR Summary

Low Risk
Container port and health-check wiring only; no application logic changes in this diff.

Overview
Moves the combined Presidio sim/pii container off 3000 to 5001 so it can run as an ECS awsvpc sidecar without colliding with the main app on 3000.

docker/pii.Dockerfile updates EXPOSE, the HEALTHCHECK curl target, and the uvicorn CMD from 3000 to 5001, with a short comment explaining the shared network namespace constraint.

Reviewed by Cursor Bugbot for commit 45a1694. Bugbot is set up for automated code reviews on this repo. Configure here.

@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

@greptile review

@greptile-apps

greptile-apps Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR fixes a port collision in the ECS awsvpc task where the sim/pii sidecar was hardcoded to :3000, conflicting with the main app container that owns that port. The Dockerfile now targets :5001 for EXPOSE, HEALTHCHECK, and CMD.

  • The collision fix itself is correct — changing from :3000 to :5001 resolves the immediate crash when the sidecar is deployed alongside the app.
  • The CMD remains in JSON/exec-form (["uvicorn", ..., "--port", "5001"]), which bypasses the shell entirely, so $PORT is never expanded. The PR description and testing notes claim PORT=5002 dynamically overrides the port, but that cannot work with exec-form — the env var is silently ignored.
  • The HEALTHCHECK also hardcodes 5001, meaning any future env-var port override would cause the health check to probe the wrong port.

Confidence Score: 4/5

Safe to merge for the collision fix alone, but the dynamic port override via $PORT will not work as documented until the CMD is converted to shell-form.

The core goal — moving the sidecar off :3000 to avoid colliding with the app in the shared ECS network namespace — is achieved. However, the CMD is still exec-form with a hardcoded 5001, so the env-var override path described in both the PR description and the testing notes is silently broken. Any infra or operator that relies on setting PORT to a value other than 5001 will find the container ignores it, and the HEALTHCHECK will also probe the wrong port in that scenario.

docker/pii.Dockerfile — CMD and HEALTHCHECK both need shell-form with ${PORT:-5001} to deliver the documented env-var override behavior.

Important Files Changed

Filename Overview
docker/pii.Dockerfile Port changed from 3000 to 5001 (fixes ECS awsvpc collision), but the CMD remains exec-form so the promised $PORT env-var override is silently ignored; HEALTHCHECK also hardcodes 5001.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant ECS as ECS Task (awsvpc)
    participant App as sim/app container :3000
    participant PII as sim/pii sidecar

    Note over ECS: All containers share one network namespace

    ECS->>App: start → binds :3000
    ECS->>PII: "start with PORT=5001"

    alt Before this PR (port hardcoded 3000)
        PII-->>App: PORT COLLISION on :3000 — task fails
    else After this PR (port hardcoded 5001)
        PII->>PII: binds :5001 (hardcoded) — PORT env var ignored
        Note over PII: $PORT override silently dropped (exec-form CMD)
    else With suggested fix (shell-form)
        PII->>PII: "binds :5001 by default via ${PORT:-5001}"
        Note over PII: taskdef can override port via PORT env var
    end

    App->>PII: http://localhost:5001/analyze
Loading 
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant ECS as ECS Task (awsvpc)
    participant App as sim/app container :3000
    participant PII as sim/pii sidecar

    Note over ECS: All containers share one network namespace

    ECS->>App: start → binds :3000
    ECS->>PII: "start with PORT=5001"

    alt Before this PR (port hardcoded 3000)
        PII-->>App: PORT COLLISION on :3000 — task fails
    else After this PR (port hardcoded 5001)
        PII->>PII: binds :5001 (hardcoded) — PORT env var ignored
        Note over PII: $PORT override silently dropped (exec-form CMD)
    else With suggested fix (shell-form)
        PII->>PII: "binds :5001 by default via ${PORT:-5001}"
        Note over PII: taskdef can override port via PORT env var
    end

    App->>PII: http://localhost:5001/analyze
Loading

Reviews (3): Last reviewed commit: "fix(pii): hardcode port 5001 (drop $PORT..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Jun 23, 2026
View reviewed changes
Comment thread docker/pii.Dockerfile
@greptile-apps

greptile-apps Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR fixes a port collision in the sim/pii Docker image where uvicorn was hardcoded to port 3000 — conflicting with the main app container in the ECS awsvpc network namespace. The fix introduces a configurable $PORT environment variable defaulting to 5001, updates EXPOSE and HEALTHCHECK to match, and switches CMD to shell-form with exec so uvicorn still receives signals as PID 1.

  • CMD signal handling is correct: CMD [\"sh\", \"-c\", \"exec uvicorn ...\"] uses exec to replace the shell with uvicorn, so the process receives SIGTERM directly as PID 1 for graceful shutdown.
  • HEALTHCHECK uses shell-form without brackets, so ${PORT} is expanded from the container environment at runtime — it will honor both the ENV default and any taskdef override.
  • The file-header comment still says "port (3000)" and should be updated to reflect the new default.

Confidence Score: 4/5

Safe to merge — the change is isolated to one Dockerfile and correctly resolves the port collision with a well-understood pattern.

The core mechanics are sound: exec in the shell-form CMD preserves PID 1 signal delivery, and the HEALTHCHECK shell-form correctly expands ${PORT} at runtime. The only open items are a stale port reference in the file-header comment and the EXPOSE annotation not reflecting potential runtime overrides — neither affects runtime behavior.

docker/pii.Dockerfile — verify the stale "port (3000)" comment at the top is updated before the image is published.

Important Files Changed

Filename Overview
docker/pii.Dockerfile Switches uvicorn from a hardcoded port 3000 to a runtime-configurable $PORT (default 5001) using ENV + shell-form CMD with exec, and updates HEALTHCHECK accordingly. Stale port reference remains in the top comment.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant TD as ECS TaskDef
    participant App as App Container (:3000)
    participant PII as PII Sidecar

    Note over TD: awsvpc — shared network namespace

    TD->>PII: "start with PORT=5001 env var"
    PII->>PII: "sh -c "exec uvicorn ... --port ${PORT}""
    PII-->>TD: listening on :5001

    TD->>App: start (owns :3000)
    App-->>TD: listening on :3000

    Note over App,PII: No port collision

    TD->>PII: "HEALTHCHECK curl http://localhost:${PORT}/health"
    PII-->>TD: 200 OK

    TD->>App: "route PII_URL=http://localhost:5001"
    App->>PII: POST /analyze
    PII-->>App: PII spans response
Loading 
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant TD as ECS TaskDef
    participant App as App Container (:3000)
    participant PII as PII Sidecar

    Note over TD: awsvpc — shared network namespace

    TD->>PII: "start with PORT=5001 env var"
    PII->>PII: "sh -c "exec uvicorn ... --port ${PORT}""
    PII-->>TD: listening on :5001

    TD->>App: start (owns :3000)
    App-->>TD: listening on :3000

    Note over App,PII: No port collision

    TD->>PII: "HEALTHCHECK curl http://localhost:${PORT}/health"
    PII-->>TD: 200 OK

    TD->>App: "route PII_URL=http://localhost:5001"
    App->>PII: POST /analyze
    PII-->>App: PII spans response
Loading

Comments Outside Diff (1)

  1. docker/pii.Dockerfile, line 1-3 (link)

    P2 The file-header comment still references port 3000, which is now the wrong default. It will mislead anyone reading the file about which port the service listens on.

Reviews (2): Last reviewed commit: "fix(pii): bind a configurable $PORT to a..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Jun 23, 2026
View reviewed changes
Comment thread docker/pii.Dockerfile Outdated
@TheodoreSpeaks
fix(pii): hardcode port 5001 (drop $PORT indirection)
45a1694 
EXPOSE can't be parameterized, so the configurable-PORT approach left EXPOSE
showing 5001 regardless (Greptile P2). We own both the image and the taskdef
and only ever need 5001, so hardcode it: exec-form CMD on 5001, EXPOSE 5001,
healthcheck on 5001. Runtime cmdline is identical to the verified ${PORT}
default (uvicorn ... --port 5001).
@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

@greptile review

greptile-apps[bot]
greptile-apps Bot reviewed Jun 23, 2026
View reviewed changes
Comment thread docker/pii.Dockerfile
CMD curl -fsS http://localhost:5001/health || exit 1

CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "3000"]
CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "5001"]

@greptile-apps greptile-apps Bot Jun 23, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 $PORT is ignored — exec-form CMD bypasses shell variable expansion

The PR description says "bind ${PORT} via a shell-form CMD, default 5001" and the testing section claims PORT=5002 binds 5002. But the CMD uses JSON/exec-form (["uvicorn", …, "--port", "5001"]), which is passed directly to the process without invoking a shell — $PORT is never expanded. Setting PORT=5002 in the ECS taskdef will have no effect; the container will still bind 5001. The HEALTHCHECK on line 48 also hardcodes 5001, so any env-var override would cause the health check to probe the wrong port. To match the stated intent, both lines need to use shell-form and read ${PORT:-5001}.

Suggested change
CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "5001"]
CMD uvicorn server:app --host 0.0.0.0 --port ${PORT:-5001}

@TheodoreSpeaks TheodoreSpeaks changed the title fix(pii): bind a configurable $PORT to avoid app :3000 collision fix(pii): listen on 5001 to avoid app :3000 collision (awsvpc) Jun 23, 2026
@TheodoreSpeaks TheodoreSpeaks merged commit 4d2e7d5 into staging Jun 23, 2026
17 checks passed
@TheodoreSpeaks TheodoreSpeaks deleted the fix/pii-port branch June 23, 2026 08:46
@TheodoreSpeaks TheodoreSpeaks mentioned this pull request Jun 23, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TheodoreSpeaks