From 52c256123f3fbc535f8ea69acdc583fe81770aa0 Mon Sep 17 00:00:00 2001
From: Theodore Li
Date: Tue, 23 Jun 2026 01:26:58 -0700
Subject: [PATCH 1/2] fix(pii): bind a configurable $PORT to avoid app :3000 collision
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The pii image hardcoded uvicorn --port 3000 and ignored env. In the app ECS task (awsvpc) all containers share one network namespace, and the app owns 3000 — so the sidecar must listen elsewhere (the stock presidio images honored PORT and ran on 5002/5001). Bind ${PORT} (shell-form CMD), default 5001, and update EXPOSE/HEALTHCHECK accordingly so the taskdef can set PORT=5001. Verified: default binds 5001; PORT=5002 override binds 5002; /analyze works on the overridden port.
---
 docker/pii.Dockerfile | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/docker/pii.Dockerfile b/docker/pii.Dockerfile
index 1045a762e6..ff769114c3 100644
--- a/docker/pii.Dockerfile
+++ b/docker/pii.Dockerfile
@@ -38,11 +38,15 @@ RUN groupadd -g 1001 pii && \
 chown -R pii:pii /app
 USER pii
 
-EXPOSE 3000
+# Bind a configurable port via $PORT. In the ECS task all containers share one
+# network namespace (awsvpc), so this must NOT collide with the app on 3000 —
+# default to 5001 and let the taskdef override via PORT.
+ENV PORT=5001
+EXPOSE 5001
 
 # start-period is generous: five large spaCy models load at import before
 # /health responds. Tune against measured cold-start once built.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=180s --retries=3 \
- CMD curl -fsS http://localhost:3000/health || exit 1
+ CMD curl -fsS "http://localhost:${PORT}/health" || exit 1
 
-CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "3000"]
+CMD ["sh", "-c", "exec uvicorn server:app --host 0.0.0.0 --port ${PORT}"]

From 45a1694e739a2ef3b6788eef9e750cb962e225d7 Mon Sep 17 00:00:00 2001
From: Theodore Li
Date: Tue, 23 Jun 2026 01:33:57 -0700
Subject: [PATCH 2/2] fix(pii): hardcode port 5001 (drop $PORT indirection)

EXPOSE can't be parameterized, so the configurable-PORT approach left EXPOSE showing 5001 regardless (Greptile P2). We own both the image and the taskdef and only ever need 5001, so hardcode it: exec-form CMD on 5001, EXPOSE 5001, healthcheck on 5001. Runtime cmdline is identical to the verified ${PORT} default (uvicorn ... --port 5001).
---
 docker/pii.Dockerfile | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/docker/pii.Dockerfile b/docker/pii.Dockerfile
index ff769114c3..96153208f5 100644
--- a/docker/pii.Dockerfile
+++ b/docker/pii.Dockerfile
@@ -38,15 +38,13 @@ RUN groupadd -g 1001 pii && \
 chown -R pii:pii /app
 USER pii
 
-# Bind a configurable port via $PORT. In the ECS task all containers share one
-# network namespace (awsvpc), so this must NOT collide with the app on 3000 —
-# default to 5001 and let the taskdef override via PORT.
-ENV PORT=5001
+# Listen on 5001. In the ECS task all containers share one network namespace
+# (awsvpc) and the app owns 3000, so this sidecar must not use 3000.
 EXPOSE 5001
 
 # start-period is generous: five large spaCy models load at import before
 # /health responds. Tune against measured cold-start once built.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=180s --retries=3 \
- CMD curl -fsS "http://localhost:${PORT}/health" || exit 1
+ CMD curl -fsS http://localhost:5001/health || exit 1
 
-CMD ["sh", "-c", "exec uvicorn server:app --host 0.0.0.0 --port ${PORT}"]
+CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "5001"]
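Review bot: The final `CMD` line still binds uvicorn to `0.0.0.0`, which in an awsvpc task puts this PII endpoint on the task ENI and reachable from wherever the security group allows, not only from the app that shares the network namespace. If, as the new comment above `EXPOSE 5001` implies, the app is the only client and reaches the sidecar over localhost, bind loopback instead: `CMD ["uvicorn", "server:app", "--host", "127.0.0.1", "--port", "5001"]` — the HEALTHCHECK already probes `localhost:5001`, so it keeps working unchanged. If something outside the task does need to reach 5001, keep `0.0.0.0` but say so in that comment, since the hunk currently gives only the port-collision rationale and not the exposure one. For a deterministic probe, `http://127.0.0.1:5001/health` in the HEALTHCHECK avoids depending on how `localhost` resolves inside the image.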