test: build docker test services instead of bind-mounting their config

[alii]

What this does

Converts the four test/docker services that bind-mounted local files — postgres_plain, postgres_auth, autobahn, squid — to build their own images (a small Dockerfile that COPYs the init-scripts/config in) instead of image: + volumes: bind mounts.

Why

Bind mounts resolve on the Docker daemon's filesystem, not the client's. The darwin CI runners are moving to a sidecar-Docker model (the daemon runs in a separate Linux VM, reached over DOCKER_HOST — Apple Silicon can't run accelerated Docker inside a macOS guest). In that model the bind-mounted ./init-scripts / ./config files don't exist on the daemon side, so they silently don't apply — e.g. the Postgres init scripts never run and the bun_sql_test role is missing, which then looks like a confusing test failure rather than a setup problem.

docker build's context, by contrast, ships to the daemon, so baking the files into the image works against both a local daemon and a remote/sidecar one.

This follows the pattern the repo already uses for its TLS services (postgres_tls, mysql_tls, redis_unified are all build:-based).

Changes

• New Dockerfile.postgres-plain, Dockerfile.postgres-auth, Dockerfile.autobahn, Dockerfile.squid (each FROM the stock image + COPY the scripts/config).
• The four services now use build: + a bun-*:local image tag; their volumes: bind mounts are removed.

Compatibility

• Local dev unchanged in behavior — docker compose up just builds the image on first run (cached after), then runs identically. Init scripts/config are baked in rather than mounted.
• Minor DX note: editing a baked config now needs a docker compose build to pick up (same as the existing TLS services).

Verification

Ran the real compose against an actual Linux Docker sidecar VM (Tart) over DOCKER_HOST:

• docker compose config valid; all four images build (context shipped to the remote daemon).
• postgres_plain + postgres_auth come up healthy, and the baked init scripts run → bun_sql_test role present on both (the exact thing that was silently missing with bind mounts).

Context

Second piece of the darwin Tart-runner migration; pairs with #31731 (the BUN_DOCKER_TEST_HOST host indirection).

[robobun]

^{Updated 3:00 PM PT - Jun 2nd, 2026}

❌ @alii, your commit 3657b19 has 1 failures in Build #60014 (All Failures):

• Linking two modules of different data layouts: '/var/lib/buildkite-agent/build/build/release/bun_rust.lto.o.tmp/regular-lto-flag-stub.bc' is '' whereas 'llvm-link' is 'e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-i128:128-f80:128-n8:16:32:64-S128' on 🐧 x64-musl-baseline - build-bun
• Linking two modules of different data layouts: '/var/lib/buildkite-agent/build/build/release/bun_rust.lto.o.tmp/regular-lto-flag-stub.bc' is '' whereas 'llvm-link' is 'e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-i128:128-f80:128-n8:16:32:64-S128' on 🐧 x64-musl - build-bun
• Linking two modules of different data layouts: '/var/lib/buildkite-agent/build/build/release/bun_rust.lto.o.tmp/regular-lto-flag-stub.bc' is '' whereas 'llvm-link' is 'e-m:e-p270:32:32-p271:32:32-p272:64:64-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128-Fn32' on 🐧 aarch64-musl - build-bun

---

🧪   To try this PR locally:

bunx bun-pr 31732

That installs a local version of the PR into your bun-31732 executable, so you can run:

bun-31732 --bun

[coderabbitai]

Warning

Review limit reached

@alii, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 18 minutes and 9 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d79f79b0-1619-48bb-9c50-8c7fce0280f3

📥 Commits

Reviewing files that changed from the base of the PR and between 3657b19 and e9c0e64.

📒 Files selected for processing (1)

• test/docker/README.md

Walkthrough

Docker test services are migrated from upstream images with mounted config files to self-contained local images embedding those configs; docker-compose is updated to build/use those images, and the test Docker helper now runs compose builds before starting services.

Changes

Containerize test services from config files

Layer / File(s)	Summary
PostgreSQL plain and auth services test/docker/Dockerfile.postgres-plain, test/docker/Dockerfile.postgres-auth, test/docker/docker-compose.yml	Two PostgreSQL Dockerfiles embed initialization scripts and pg_hba into postgres:15 images. Compose switches postgres_plain and postgres_auth to locally-built images (bun-postgres-plain:local, bun-postgres-auth:local).
Autobahn WebSocket test service test/docker/Dockerfile.autobahn, test/docker/docker-compose.yml	Autobahn Dockerfile embeds fuzzingserver.json into the autobahn-testsuite image. Compose autobahn service switches from the upstream image with mounted config to locally-built bun-autobahn:local.
Squid proxy service test/docker/Dockerfile.squid, test/docker/docker-compose.yml	Squid Dockerfile embeds squid.conf into the ubuntu/squid base image. Compose squid service switches to locally-built bun-squid:local.
Test runner: compose build behavior test/docker/index.ts	DockerComposeHelper.doUp(service) now runs docker compose build <service> unconditionally before up; buildServices() runs a single docker compose build to let Compose build all services with build: definitions.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and accurately summarizes the main change: converting Docker test services from bind-mounted configs to building their own images.
Description check	✅ Passed	The PR description comprehensively covers both required template sections and includes detailed context, rationale, changes, compatibility notes, and verification details.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/docker/Dockerfile.autobahn`:
- Line 1: The Dockerfile currently uses an unpinned base image reference "FROM
crossbario/autobahn-testsuite" which resolves to latest; update the FROM
instruction to pin a specific tag or digest (e.g., use
"crossbario/autobahn-testsuite:25.10.1" or a content digest) to ensure
deterministic builds—replace the untagged image reference in the Dockerfile with
the chosen tag or digest.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0b2a417e-643d-4e40-8eaa-7ef973266946

📥 Commits

Reviewing files that changed from the base of the PR and between 8fe7a60 and 5a04740.

📒 Files selected for processing (5)

• test/docker/Dockerfile.autobahn
• test/docker/Dockerfile.postgres-auth
• test/docker/Dockerfile.postgres-plain
• test/docker/Dockerfile.squid
• test/docker/docker-compose.yml

[claude]

LGTM — the whitelist concern is addressed (bare compose build + unconditional per-service build), and the rest is a mechanical bind-mount → COPY swap that mirrors the existing TLS-service pattern. Remaining README drift is a non-blocking nit.

Extended reasoning...

Overview

This PR converts four test-infrastructure services (postgres_plain, postgres_auth, autobahn, squid) from image: + bind-mounted config to build:-based images that COPY the same files in. It adds four trivial 2–3-line Dockerfiles, updates docker-compose.yml to reference them, and simplifies test/docker/index.ts by replacing the hardcoded build-service whitelist with a bare compose build (and an unconditional per-service build in doUp(), which is a no-op for image-only services). All changes are confined to test/docker/.

Security risks

None. This is test-only infrastructure with no auth, crypto, permissions, or production code paths involved. The Dockerfiles only COPY pre-existing repo files into stock base images.

Level of scrutiny

Low. The change is mechanical and follows the exact pattern already used by postgres_tls/mysql_tls/redis_unified in the same compose file. I cross-checked each new Dockerfile's COPY source/dest against the removed volumes: bind-mount entries — they match one-for-one. The index.ts simplification is the fix I suggested in my earlier review and is strictly more robust than the previous hardcoded list.

Other factors

• Both prior review comments (CodeRabbit's autobahn pin, my build-whitelist concern) have been addressed in d6aa2c5 and 3657b19 respectively; both threads are resolved.
• The CI failures reported by robobun are in build-cpp / build-rust linker steps and are unrelated to this PR, which touches only test/docker/.
• The one remaining open thread is my own README-drift nit, which I explicitly flagged as non-blocking and documentation-only.
• The PR description includes verification against a real remote Docker daemon (the motivating use case).

[claude]

LGTM — thanks for addressing the whitelist + README feedback; the bare compose build approach is cleaner than maintaining the list.

Extended reasoning...

Overview

This PR converts four test/docker services (postgres_plain, postgres_auth, autobahn, squid) from image: + bind-mounted config to build:-based local images that COPY their config in. It adds four trivial 2-3 line Dockerfiles, updates docker-compose.yml to reference them, drops the hardcoded build-service whitelists in index.ts in favor of unconditional/bare compose build, and updates the README. Everything is confined to test/docker/ — test infrastructure only, no runtime/library code touched.

Security risks

None. These are local test-only Docker images derived from the same upstream bases the compose file previously pulled directly (postgres:15, crossbario/autobahn-testsuite:25.10.1, ubuntu/squid:5.2-22.04_beta), with the only addition being a COPY of config files that were already bind-mounted before. No new network exposure, credentials, or privilege changes.

Level of scrutiny

Low. This is a mechanical refactor of test scaffolding that follows the exact pattern already in the repo for postgres_tls/mysql_tls/redis_unified. The motivation (bind mounts resolve on the daemon's FS, which breaks against a remote/sidecar Docker host) is well-explained and the fix is the standard solution. The index.ts change replaces a hardcoded service list with a bare compose build (which builds every service that has a build: section) — strictly less brittle than what it replaces. compose build <service> on image-only services is a documented no-op, so the unconditional pre-build in doUp() is safe.

Other factors

All prior review feedback has been addressed in follow-up commits: the autobahn base image is now pinned (d6aa2c5), the hardcoded whitelists in index.ts were removed (3657b19), and the README example/architecture tree were updated (e9c0e64). All inline comments are resolved, the bug-hunting pass found nothing, and no CODEOWNERS rule covers test/docker/. The author verified the change against a real remote Docker daemon. No reason to hold this for further human review.