[docker] Bundle XTM One in the default stack#578
Open
SamuelHassine wants to merge 6 commits into
Open
Conversation
Adds XTM One alongside OpenCTI in the default compose stack:
- New pgsql-xtm-one service (pgvector/pgvector:pg17) with dedicated
credentials and volume (pgsqlxtmonedata).
- New xtm-one + xtm-one-worker services (published filigran images),
reusing the existing redis and minio.
- xtm-one exposed on host port 8090 (after OpenCTI 8080); BASE_URL and
FRONTEND_URL both resolve to the templated
${XTM_ONE_EXTERNAL_SCHEME}://${XTM_ONE_HOST}:${XTM_ONE_PORT}.
- OpenCTI wired to XTM One via XTM__XTM_ONE_URL / XTM__XTM_ONE_TOKEN and
the shared PLATFORM_REGISTRATION_TOKEN.
- .env.sample documents the XTM ONE block and the mandatory-to-rotate
PLATFORM_REGISTRATION_TOKEN.
The XTM One images are published on Docker Hub as xtmone/platform and xtmone/worker, not filigran/xtm-one(-worker).
Use admin@filigran.io as the default admin email for OpenCTI and XTM One in .env.sample so the shared JWT email claim resolves on the platform. Admin emails live in .env.sample only; none are hard-coded in the compose file. Unify the XTM One comments to match the other docker repos.
There was a problem hiding this comment.
Pull request overview
Adds XTM One to the default Docker Compose stack so it can run alongside OpenCTI with its own PostgreSQL/pgvector store while reusing existing Redis and MinIO dependencies.
Changes:
- Wires OpenCTI to XTM One via
XTM__XTM_ONE_URLand shared registration token. - Adds
pgsql-xtm-one,xtm-one, andxtm-one-workerservices plus a dedicated volume. - Extends
.env.samplewith XTM One configuration and shared platform registration settings.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
docker-compose.yml |
Adds XTM One services, PostgreSQL storage, OpenCTI integration env vars, port exposure, and volume. |
.env.sample |
Documents new shared token and XTM One environment variables; adjusts OpenCTI admin email default. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Use xtmone/platform:latest and xtmone/worker:latest directly, matching the opencti/platform:latest convention, and drop the XTM_ONE_VERSION variable from .env.sample.
- Use curl for the XTM One healthcheck (the xtmone/platform image ships curl, not wget). - Mirror the XTM One services and OpenCTI XTM__XTM_ONE_* wiring into docker-compose.opensearch.yml so both stacks bundle XTM One and the shared .env.sample variables take effect there too.
Member
Author
|
All review threads addressed and resolved; CI is green (signed commits + build).
Note: I can't self-approve this PR (I opened it) — it needs a maintainer approval to merge. |
Strip the trailing whitespace on the connector-mitre depends_on line that precedes the new XTM ONE section in both docker-compose.yml and docker-compose.opensearch.yml.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed changes
Adds XTM One alongside OpenCTI in the default compose stack so
docker compose up -dbrings up the AI assistant next to the platform.pgsql-xtm-oneservice (pgvector/pgvector:pg17) with dedicated credentials and volume.xtm-oneandxtm-one-workerservices pulled from the publishedxtmone/platform:latestandxtmone/worker:latestimages (hub.docker.com/u/xtmone), reusing the existingredisandminio. Images are pinned to:latestlikeopencti/platform.xtm-oneis exposed on host port8090;BASE_URLandFRONTEND_URLboth resolve to the templated${XTM_ONE_EXTERNAL_SCHEME}://${XTM_ONE_HOST}:${XTM_ONE_PORT}(no hard-coded internal hostnames). Its healthcheck usescurl(present in the image;wgetis not).XTM__XTM_ONE_URL/XTM__XTM_ONE_TOKENand the sharedPLATFORM_REGISTRATION_TOKEN.docker-compose.opensearch.yml, so both the Elasticsearch and OpenSearch stacks bundle XTM One and the shared.env.samplevariables take effect in both..env.sampledocuments the newXTM ONEblock and the mandatory-to-rotatePLATFORM_REGISTRATION_TOKEN. Admin email defaults toadmin@filigran.io.This mirrors the unified
xtm-dockerstack (FiligranHQ/xtm-docker#15); the OpenAEV docker repo receives the same treatment via OpenAEV-Platform/docker#131.Related issues