Add Docker Compose file recipes to rewrite-docker

[timtebeek]

Summary

The rewrite-docker module currently only supports Dockerfile transformations. Docker Compose files (compose.yaml, docker-compose.yml) are widely used and would benefit from automated refactoring, security hardening, and modernization recipes.

Since Compose files are YAML, many of these can be declarative (reusing rewrite-yaml building blocks like MergeYaml, DeleteKey, ChangeValue), while others need imperative Java visitors.

---

1. Migration & Modernization

• RemoveVersionKey — Remove the deprecated top-level version field (ignored by Compose v2+)
• RenameComposeFile — Rename docker-compose.yml/docker-compose.yaml to compose.yaml (modern convention)
• MigrateLinksToNetworks — Replace links: with shared networks: definitions
• MigrateVolumesFromToNamedVolumes — Replace deprecated volumes_from: with explicit named volumes
• MigrateDependsOnToLongForm — Convert depends_on: [db] to object form with condition: service_healthy
• MigrateMemLimitToDeployResources — Move mem_limit, memswap_limit, cpu_shares, cpus to deploy.resources.limits
• MigrateExtendsToProfiles — Replace extends (removed in v3) with profiles or anchors
• RemoveContainerNameInSwarmMode — Remove container_name which is incompatible with Swarm replication
• NormalizeEnvironmentFormat — Convert environment: list form (- KEY=val) to map form (KEY: val) or vice versa
• NormalizePortFormat — Convert short-form ports ("8080:80") to long-form (target: 80, published: 8080)

2. Security Hardening

• AddReadOnlyRootFilesystem — Add read_only: true to services
• AddNoNewPrivileges — Add security_opt: [no-new-privileges:true] to services
• AddCapDropAll — Add cap_drop: [ALL] to services
• AddNonRootUser — Add user: "1000:1000" to services that lack a user: directive
• RemovePrivilegedMode — Remove privileged: true from services
• RemoveDockerSocketMount — Remove /var/run/docker.sock volume mounts
• AddPidsLimit — Add pids_limit to prevent fork bombs
• DisableIpcHostMode — Remove or change ipc: host
• DisablePidHostMode — Remove or change pid: host
• AddSeccompProfile — Add default seccomp profile via security_opt

3. Image Management

• PinServiceImageVersion — Replace image: nginx or image: nginx:latest with a specific tag
• ChangeServiceImage — Change image name/tag for a service (glob-based matching)
• FindUnpinnedServiceImages — Search: find services using latest or no tag
• FindEndOfLifeServiceImages — Search: find services using known EOL images
• NormalizeServiceImageName — Add docker.io/library/ prefix for Docker Hub official images
• AddImagePullPolicy — Add pull_policy: always or pull_policy: if_not_present

4. Health Checks & Reliability

• AddHealthCheck — Add a healthcheck: block to services that lack one
• AddRestartPolicy — Add restart: unless-stopped (or always) to services
• AddStopGracePeriod — Add explicit stop_grace_period for graceful shutdown
• AddInitTrue — Add init: true for proper PID 1 signal handling
• FindServicesWithoutHealthCheck — Search: identify services missing health checks
• FindServicesWithoutRestartPolicy — Search: identify services without restart policies

5. Resource Management

• AddResourceLimits — Add deploy.resources.limits (memory, cpus) to services
• AddResourceReservations — Add deploy.resources.reservations (memory, cpus)
• FindServicesWithoutResourceLimits — Search: find services with no resource constraints
• SetUlimits — Add ulimits: configuration (nofile, nproc)

6. Network Configuration

• AddExplicitNetworks — Add explicit network definitions instead of relying on the default network
• RemoveHostNetworkMode — Remove network_mode: host from services
• FindServicesWithHostNetwork — Search: find services using host networking
• AddNetworkDriver — Set explicit network driver (e.g., bridge, overlay)

7. Volume Management

• MigrateAnonymousToNamedVolumes — Replace anonymous volumes with named volumes in the top-level volumes: section
• AddReadOnlyVolumeMount — Add :ro suffix to volume mounts that should be read-only
• FindSensitivePathMounts — Search: find mounts of /etc, /proc, /sys, /dev
• AddVolumeLabels — Add labels to named volumes for management

8. Logging & Observability

• AddLoggingDriver — Add logging: block with driver and options (e.g., json-file with max-size/max-file)
• SetLogRotation — Add log rotation options to prevent unbounded disk usage

9. Environment & Secrets

• MigrateInlineEnvToEnvFile — Move inline environment: variables to an env_file: reference
• FindHardcodedSecrets — Search: detect likely secrets/passwords in environment: values
• MigrateToDockerSecrets — Move sensitive env vars to secrets: configuration
• AddOrUpdateEnvironmentVariable — Add or change an environment variable in a service

10. Composite Best-Practice Recipes

• ComposeBestPractices — Umbrella: applies security + modernization + reliability recipes
• ComposeSecurityBestPractices — Bundle: AddCapDropAll + AddNoNewPrivileges + AddReadOnlyRootFilesystem + RemovePrivilegedMode + AddNonRootUser + RemoveDockerSocketMount
• ComposeModernization — Bundle: RemoveVersionKey + RenameComposeFile + MigrateLinksToNetworks + MigrateMemLimitToDeployResources
• ComposeReliability — Bundle: AddHealthCheck + AddRestartPolicy + AddResourceLimits + AddStopGracePeriod + AddInitTrue

Implementation Notes

• File matching: Recipes should target files named compose.yaml, compose.yml, docker-compose.yaml, docker-compose.yml, and optionally compose.*.yaml (override files), using Preconditions with HasSourcePath glob patterns.
• YAML path selectors: Service-level properties live under $.services.*.<property>.
• Many recipes are declarative: ~20 can be pure YAML recipe descriptors using existing rewrite-yaml recipes — no Java code needed.
• Reuse from Dockerfile recipes: Concepts like FindEndOfLifeImages and NormalizeDockerHubImageName already exist for Dockerfiles; their logic (EOL image lists, normalization rules) can be shared.