Harden Docker distributed Erlang startup by homerquan · Pull Request #3 · MirrorNeuronLab/MirrorNeuron

homerquan · 2026-05-18T17:40:21Z

Prevent accidental remote code execution by removing default exposure of Erlang distribution ports and disallowing the predictable fallback cookie when starting a distributed BEAM node from the Docker image.

Stop advertising EPMD/distribution ports in the Docker image by removing EXPOSE 4369 9000-9010 and keep only the application gRPC port exposed (50051).
Make the Docker CMD require a non-empty, non-default MN_COOKIE when MN_NODE_NAME enables distributed Erlang and exit with a clear error if the cookie is unset or still mirrorneuron.
Update the MN_COOKIE entry in the README.md to note that mirrorneuron is only a local-development default and that operators must set a strong cookie before enabling distributed Erlang or running in production.

Ran mix format, which completed successfully.
Verified the Dockerfile no longer exposes EPMD/distribution ports and that the startup command fails when MN_NODE_NAME is set but MN_COOKIE is empty or the default mirrorneuron by executing the image startup command in-shell and checking for the expected error string, which succeeded.
mix test could not be run in this environment because mix local.hex --force failed to fetch Hex metadata (network/registry error), so test-suite execution was not completed here.

Harden Docker distributed Erlang startup

e021a7b

homerquan added codex aardvark labels May 18, 2026 — with ChatGPT Codex Connector

homerquan merged commit 54a6774 into main May 18, 2026
1 check passed

Provide feedback