Merge branch 'main' of https://github.com/Sun-ZhenXing/compose-anything

Apply @appcypher recommendations for microsandbox Docker configuration

README.md

@@ -17,7 +17,7 @@ These services require building custom Docker images from source.
 ## Supported Services
 
 | Service                                                        | Version              |
-| -------------------------------------------------------------- | ------------------- |
+| -------------------------------------------------------------- | -------------------- |
 | [Apache APISIX](./src/apisix)                                  | 3.13.0               |
 | [Apache Cassandra](./src/cassandra)                            | 5.0.2                |
 | [Apache Flink](./src/flink)                                    | 1.20.0               |
@@ -37,6 +37,7 @@ These services require building custom Docker images from source.
 | [Dify](./apps/dify)                                            | 0.18.2               |
 | [DNSMasq](./src/dnsmasq)                                       | 2.91                 |
 | [Dockge](./src/dockge)                                         | 1                    |
+| [Docker Android Emulator](./src/docker-android)                | api-33               |
 | [Docker Registry](./src/docker-registry)                       | 3.0.0                |
 | [Doris](./src/doris)                                           | 3.0.0                |
 | [DuckDB](./src/duckdb)                                         | v1.1.3               |
@@ -99,7 +100,7 @@ These services require building custom Docker images from source.
 | [OpenCut](./src/opencut)                                       | latest               |
 | [OpenList](./src/openlist)                                     | latest               |
 | [OpenLIT](./apps/openlit)                                      | latest               |
-| [OpenObserve](./apps/openobserve)                              | v0.50.0             |
+| [OpenObserve](./apps/openobserve)                              | v0.50.0 (enterprise) |
 | [OpenSearch](./src/opensearch)                                 | 2.19.0               |
 | [OpenTelemetry Collector](./src/otel-collector)                | 0.115.1              |
 | [Overleaf](./src/overleaf)                                     | 5.2.1                |

README.zh.md

@@ -17,7 +17,7 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件，
 ## 已经支持的服务
 
 | 服务                                                           | 版本                  |
-| -------------------------------------------------------------- | ------------------- |
+| -------------------------------------------------------------- | --------------------- |
 | [Apache APISIX](./src/apisix)                                  | 3.13.0                |
 | [Apache Cassandra](./src/cassandra)                            | 5.0.2                 |
 | [Apache Flink](./src/flink)                                    | 1.20.0                |
@@ -37,6 +37,7 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件，
 | [Dify](./apps/dify)                                            | 0.18.2                |
 | [DNSMasq](./src/dnsmasq)                                       | 2.91                  |
 | [Dockge](./src/dockge)                                         | 1                     |
+| [Docker Android Emulator](./src/docker-android)                | api-33                |
 | [Docker Registry](./src/docker-registry)                       | 3.0.0                 |
 | [Doris](./src/doris)                                           | 3.0.0                 |
 | [DuckDB](./src/duckdb)                                         | v1.1.3                |
@@ -99,7 +100,7 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件，
 | [OpenCut](./src/opencut)                                       | latest                |
 | [OpenList](./src/openlist)                                     | latest                |
 | [OpenLIT](./apps/openlit)                                      | latest                |
-| [OpenObserve](./apps/openobserve)                              | v0.50.0             |
+| [OpenObserve](./apps/openobserve)                              | v0.50.0（enterprise） |
 | [OpenSearch](./src/opensearch)                                 | 2.19.0                |
 | [OpenTelemetry Collector](./src/otel-collector)                | 0.115.1               |
 | [Overleaf](./src/overleaf)                                     | 5.2.1                 |

apps/openobserve/.env.example

@@ -22,8 +22,8 @@ ZO_DATA_DIR=/data
 
 # Root user credentials
 # IMPORTANT: Change these default credentials before deploying to production
-ZO_ROOT_USER_EMAIL=admin@example.com
+ZO_ROOT_USER_EMAIL="root@example.com"
-ZO_ROOT_USER_PASSWORD=Complexpass#123
+ZO_ROOT_USER_PASSWORD="Complexpass#123"
 
 # Optional: S3 object storage configuration
 # Leave empty to use local disk storage

apps/openobserve/README.md

@@ -41,10 +41,10 @@
 ### Basic Configuration
 
 | Environment Variable        | Description                     | Default            |
-| --------------------------- | ------------------------------- | ------------------- |
+| --------------------------- | ------------------------------- | ------------------ |
 | `OPENOBSERVE_VERSION`       | OpenObserve image version       | `v0.50.0`          |
 | `OPENOBSERVE_PORT_OVERRIDE` | Web UI port                     | `5080`             |
-| `ZO_ROOT_USER_EMAIL`        | Root user email                 | `admin@example.com` |
+| `ZO_ROOT_USER_EMAIL`        | Root user email                 | `root@example.com` |
 | `ZO_ROOT_USER_PASSWORD`     | Root user password              | `Complexpass#123`  |
 | `ZO_DATA_DIR`               | Data directory inside container | `/data`            |
 
@@ -83,7 +83,7 @@ Send OTLP data to `http://localhost:5080/api/default/` with authentication.
 ### Logs via HTTP
 
 ```bash
-curl -u admin@example.com:Complexpass#123 \
+curl -u root@example.com:Complexpass#123 \
   -H "Content-Type: application/json" \
   http://localhost:5080/api/default/logs/_json \
   -d '[{"message": "Hello OpenObserve", "level": "info"}]'

apps/openobserve/README.zh.md

@@ -41,10 +41,10 @@
 ### 基础配置
 
 | 环境变量                    | 说明                 | 默认值             |
-| --------------------------- | -------------------- | ------------------- |
+| --------------------------- | -------------------- | ------------------ |
 | `OPENOBSERVE_VERSION`       | OpenObserve 镜像版本 | `v0.50.0`          |
 | `OPENOBSERVE_PORT_OVERRIDE` | Web UI 端口          | `5080`             |
-| `ZO_ROOT_USER_EMAIL`        | 根用户邮箱           | `admin@example.com` |
+| `ZO_ROOT_USER_EMAIL`        | 根用户邮箱           | `root@example.com` |
 | `ZO_ROOT_USER_PASSWORD`     | 根用户密码           | `Complexpass#123`  |
 | `ZO_DATA_DIR`               | 容器内数据目录       | `/data`            |
 
@@ -83,7 +83,7 @@ OpenObserve 支持多种采集方式：
 ### 通过 HTTP 采集日志
 
 ```bash
-curl -u admin@example.com:Complexpass#123 \
+curl -u root@example.com:Complexpass#123 \
   -H "Content-Type: application/json" \
   http://localhost:5080/api/default/logs/_json \
   -d '[{"message": "Hello OpenObserve", "level": "info"}]'

apps/openobserve/docker-compose.yaml

@@ -21,7 +21,7 @@ services:
     environment:
       - TZ=${TZ:-UTC}
       - ZO_DATA_DIR=${ZO_DATA_DIR:-/data}
-      - ZO_ROOT_USER_EMAIL=${ZO_ROOT_USER_EMAIL:-admin@example.com}
+      - ZO_ROOT_USER_EMAIL=${ZO_ROOT_USER_EMAIL:-root@example.com}
       - ZO_ROOT_USER_PASSWORD=${ZO_ROOT_USER_PASSWORD:-Complexpass#123}
       # Optional: S3 configuration for object storage
       - ZO_S3_BUCKET_NAME=${ZO_S3_BUCKET_NAME:-}

builds/microsandbox/.env.example

@@ -2,29 +2,51 @@
 # KVM-based secure sandbox environment
 
 # Global registry prefix (optional)
-# Leave empty to pull from Docker Hub
+# Leave empty to use ghcr.io/zerocore-ai/microsandbox
 GLOBAL_REGISTRY=
 
 # MicroSandbox version
-# Default: 0.2.6
+# Default: latest (recommended to use latest stable version)
-MICROSANDBOX_VERSION=0.2.6
+# Set to empty string to always pull the latest version
+MICROSANDBOX_VERSION=latest
 
-# Auto pull base images on build
+# Debian base image version
+# Default: 13.2-slim
+DEBIAN_VERSION=13.2-slim
+
+# Auto pull base images on build (Python, Node.js SDKs)
 # Default: true
 MICROSANDBOX_AUTO_PULL_IMAGES=true
 
+# Development mode (disables API key requirements)
+# Default: true (for easier testing)
+# Set to false in production environments
+MICROSANDBOX_DEV_MODE=true
+
 # Timezone
 # Default: UTC
 TZ=UTC
 
+# ============================================
+# Port Configuration
+# ============================================
+
+# Internal port (inside container)
+# Default: 5555
+MICROSANDBOX_PORT=5555
+
+# External port (host machine)
+# Default: 5555
+MICROSANDBOX_PORT_OVERRIDE=5555
+
 # ============================================
 # Resource Limits
 # ============================================
 
 # CPU limits
 # MicroSandbox requires more CPU for KVM virtualization
-MICROSANDBOX_CPU_LIMIT=4.00
+MICROSANDBOX_CPU_LIMIT=4
-MICROSANDBOX_CPU_RESERVATION=1.00
+MICROSANDBOX_CPU_RESERVATION=1
 
 # Memory limits
 # MicroSandbox requires more memory for running VMs

builds/microsandbox/Dockerfile

@@ -2,7 +2,7 @@ ARG DEBIAN_VERSION=13.2-slim
 FROM debian:${DEBIAN_VERSION}
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG MICROSANDBOX_VERSION=0.2.6
+ARG MICROSANDBOX_VERSION
 ARG TARGETARCH
 
 RUN apt update && \
@@ -12,32 +12,22 @@ RUN apt update && \
     apt clean && \
     rm -rf /var/lib/apt/lists/*
 
-# Download and install microsandbox binary based on architecture
+# Install microsandbox using the official install script
-RUN ARCH=${TARGETARCH:-amd64} && \
+# This ensures we always get the latest version if MICROSANDBOX_VERSION is not set
-    case "${ARCH}" in \
+# and handles architecture detection automatically
-        amd64) MICROSANDBOX_ARCH="x86_64" ;; \
+RUN VERSION="${MICROSANDBOX_VERSION:-}" && \
-        arm64) MICROSANDBOX_ARCH="aarch64" ;; \
+    curl -fsSL https://raw.githubusercontent.com/zerocore-ai/microsandbox/refs/heads/main/scripts/install_microsandbox.sh | sh
-        *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
-    esac && \
-    curl -fsSL "https://github.com/zerocore-ai/microsandbox/releases/download/microsandbox-v${MICROSANDBOX_VERSION}/microsandbox-${MICROSANDBOX_VERSION}-linux-${MICROSANDBOX_ARCH}.tar.gz" \
-    -o /tmp/microsandbox.tar.gz && \
-    mkdir -p /usr/local/bin /usr/local/lib && \
-    tar -xzf /tmp/microsandbox.tar.gz -C /tmp && \
-    cd /tmp/microsandbox-${MICROSANDBOX_VERSION}-linux-${MICROSANDBOX_ARCH} && \
-    mv ms* /usr/local/bin/ && \
-    mv *.so.* /usr/local/lib/ && \
-    chmod +x /usr/local/bin/ms* && \
-    rm -rf /tmp/microsandbox*
 
 # Setup directories for root user
 RUN mkdir -p /root/.local/bin /root/.local/lib /root/.microsandbox
 
-# Set up environment variables (based on setup_env.sh)
+# Set up environment variables
 ENV PATH="/root/.local/bin:/usr/local/bin:${PATH}"
 ENV LD_LIBRARY_PATH="/root/.local/lib:/usr/local/lib:${LD_LIBRARY_PATH}"
 ENV HOME="/root"
 
-WORKDIR /root
+# Set working directory to match docker-compose working_dir
+WORKDIR /workspace
 
 ARG MICROSANDBOX_AUTO_PULL_IMAGES=true
 RUN if [ "${MICROSANDBOX_AUTO_PULL_IMAGES}" = "true" ]; then \

builds/microsandbox/README.md

@@ -102,19 +102,22 @@ docker compose run --rm microsandbox --help
 ### Environment Variables
 
 | Variable                          | Description                            | Default   |
-| --------------------------------- | ------------------------------ | ------- |
+| --------------------------------- | -------------------------------------- | --------- |
-| `MICROSANDBOX_VERSION`            | MicroSandbox version           | `0.2.6` |
+| `MICROSANDBOX_VERSION`            | MicroSandbox version                   | `latest`  |
+| `DEBIAN_VERSION`                  | Debian base image version              | `13.2-slim` |
 | `MICROSANDBOX_AUTO_PULL_IMAGES`   | Auto pull base images on build         | `true`    |
-| `MICROSANDBOX_PORT_OVERRIDE`      | Port mapping for MicroSandbox  | `5555`  |
+| `MICROSANDBOX_DEV_MODE`           | Enable dev mode (no API key required)  | `true`    |
+| `MICROSANDBOX_PORT`               | Internal container port                | `5555`    |
+| `MICROSANDBOX_PORT_OVERRIDE`      | External host port mapping             | `5555`    |
 | `TZ`                              | Container timezone                     | `UTC`     |
-| `MICROSANDBOX_CPU_LIMIT`          | Maximum CPU cores              | `4.00`  |
+| `MICROSANDBOX_CPU_LIMIT`          | Maximum CPU cores                      | `4`       |
-| `MICROSANDBOX_CPU_RESERVATION`    | Reserved CPU cores             | `1.00`  |
+| `MICROSANDBOX_CPU_RESERVATION`    | Reserved CPU cores                     | `1`       |
 | `MICROSANDBOX_MEMORY_LIMIT`       | Maximum memory allocation              | `4G`      |
 | `MICROSANDBOX_MEMORY_RESERVATION` | Reserved memory                        | `1G`      |
 
 ### Volume Mounts
 
-- `microsandbox_config`: MicroSandbox configuration and state
+- `microsandbox_namespaces`: MicroSandbox namespace configurations and VM state
 - `microsandbox_workspace`: Working directory for sandbox operations
 
 ## Security Considerations
@@ -127,6 +130,13 @@ MicroSandbox requires `privileged: true` to access KVM devices. This is necessar
 - Review the code you plan to execute in the sandbox
 - Keep the MicroSandbox image updated with security patches
 - Use network isolation if running untrusted code
+- In production environments, disable dev mode by setting `MICROSANDBOX_DEV_MODE=false`
+
+**Why Privileged Mode?**
+
+MicroSandbox uses KVM (Kernel-based Virtual Machine) to provide hardware-level isolation. Unlike Docker containers, which share the host kernel, MicroSandbox creates true virtual machines with their own kernels. This provides much stronger security boundaries, even though the Docker container itself runs in privileged mode.
+
+The privileged container is only the orchestrator - the actual untrusted code runs inside isolated VMs with hardware-enforced boundaries. This architecture is specifically designed for running untrusted code safely.
 
 ### KVM Device Access
 

builds/microsandbox/README.zh.md

@@ -102,31 +102,41 @@ docker compose run --rm microsandbox --help
 ### 环境变量
 
 | 变量                              | 描述                     | 默认值      |
-| --------------------------------- | ---------------------- | ------- |
+| --------------------------------- | ------------------------ | ----------- |
-| `MICROSANDBOX_VERSION`            | MicroSandbox 版本      | `0.2.6` |
+| `MICROSANDBOX_VERSION`            | MicroSandbox 版本        | `latest`    |
+| `DEBIAN_VERSION`                  | Debian 基础镜像版本      | `13.2-slim` |
 | `MICROSANDBOX_AUTO_PULL_IMAGES`   | 构建时自动拉取基础镜像   | `true`      |
-| `MICROSANDBOX_PORT_OVERRIDE`      | MicroSandbox 端口映射  | `5555`  |
+| `MICROSANDBOX_DEV_MODE`           | 启用开发模式（无需 API 密钥） | `true`      |
+| `MICROSANDBOX_PORT`               | 容器内部端口             | `5555`      |
+| `MICROSANDBOX_PORT_OVERRIDE`      | 外部主机端口映射         | `5555`      |
 | `TZ`                              | 容器时区                 | `UTC`       |
-| `MICROSANDBOX_CPU_LIMIT`          | CPU 核心数上限         | `4.00`  |
+| `MICROSANDBOX_CPU_LIMIT`          | CPU 核心数上限           | `4`         |
-| `MICROSANDBOX_CPU_RESERVATION`    | CPU 核心数预留         | `1.00`  |
+| `MICROSANDBOX_CPU_RESERVATION`    | CPU 核心数预留           | `1`         |
 | `MICROSANDBOX_MEMORY_LIMIT`       | 最大内存分配             | `4G`        |
 | `MICROSANDBOX_MEMORY_RESERVATION` | 内存预留                 | `1G`        |
 
 ### 卷挂载
 
-- `microsandbox_config`：MicroSandbox 配置和状态
+- `microsandbox_namespaces`：MicroSandbox 命名空间配置和虚拟机状态
 - `microsandbox_workspace`：沙箱操作的工作目录
 
 ## 安全注意事项
 
 ### 特权模式
 
-MicroSandbox 需要 `privileged: true` 以访问 KVM 设备。这对于硬件虚拟化是必需的，但会授予容器提升的权限。请考虑以下事项：
+MicroSandbox 需要 `privileged: true` 以访问 KVM 设备。这对于硬件虚拟化是必需的，但会授予容器提升的权限。请考虑以下事项:
 
 - 仅在受信任的系统上运行 MicroSandbox
 - 审查您计划在沙箱中执行的代码
 - 保持 MicroSandbox 镜像更新以获取安全补丁
 - 如果运行不受信任的代码，请使用网络隔离
+- 在生产环境中，通过设置 `MICROSANDBOX_DEV_MODE=false` 禁用开发模式
+
+**为什么需要特权模式？**
+
+MicroSandbox 使用 KVM（基于内核的虚拟机）来提供硬件级隔离。与共享主机内核的 Docker 容器不同，MicroSandbox 创建具有自己内核的真实虚拟机。这提供了更强的安全边界，即使 Docker 容器本身以特权模式运行。
+
+特权容器只是协调器——实际的不受信任代码在具有硬件强制边界的隔离虚拟机内运行。此架构专门设计用于安全地运行不受信任的代码。
 
 ### KVM 设备访问
 

builds/microsandbox/docker-compose.yaml

@@ -8,7 +8,7 @@ x-defaults: &defaults
     driver: json-file
     options:
       max-size: 100m
-      max-file: 3
+      max-file: "3"
 
 services:
   microsandbox:
@@ -21,11 +21,14 @@ services:
         - linux/arm64
       args:
         - DEBIAN_VERSION=${DEBIAN_VERSION:-13.2-slim}
-        - MICROSANDBOX_VERSION=${MICROSANDBOX_VERSION:-0.2.6}
+        - MICROSANDBOX_VERSION=${MICROSANDBOX_VERSION:-}
         - MICROSANDBOX_AUTO_PULL_IMAGES=${MICROSANDBOX_AUTO_PULL_IMAGES:-true}
-    image: ${GLOBAL_REGISTRY:-}alexsuntop/microsandbox:${MICROSANDBOX_VERSION:-0.2.6}
+    image: ${GLOBAL_REGISTRY:-ghcr.io/zerocore-ai/}microsandbox:${MICROSANDBOX_VERSION:-latest}
     ports:
-      - ${MICROSANDBOX_PORT_OVERRIDE:-5555}:${MICROSANDBOX_PORT:-5555}
+      - "${MICROSANDBOX_PORT_OVERRIDE:-5555}:${MICROSANDBOX_PORT:-5555}"
+    # Privileged mode and relaxed security profiles are required for KVM access
+    # This provides hardware-level isolation inside the container
+    # See README.md for security considerations
     privileged: true
     security_opt:
       - apparmor=unconfined
@@ -34,31 +37,41 @@ services:
       - TZ=${TZ:-UTC}
       - MICROSANDBOX_HOME=/root/.microsandbox
     volumes:
-      - microsandbox_config:/root/.microsandbox/namespaces
+      # Store namespace configurations and VM state
+      - microsandbox_namespaces:/root/.microsandbox/namespaces
+      # Working directory for sandbox operations
       - microsandbox_workspace:/workspace
     devices:
+      # KVM device for hardware-accelerated virtualization
       - /dev/kvm:/dev/kvm
+      # TUN device for network tunneling (TAP/TUN interfaces)
       - /dev/net/tun:/dev/net/tun
     command:
-      [
+      - /bin/sh
-        "server",
+      - -c
-        "start",
+      - >
-        "--host",
+        if [ "$${MICROSANDBOX_DEV_MODE:-true}" = "true" ]; then
-        "0.0.0.0",
+          DEV_FLAG="--dev";
-        "--port",
+        else
-        "${MICROSANDBOX_PORT:-5555}",
+          DEV_FLAG="";
-        "--dev",
+        fi;
-      ]
+        exec server start --host 0.0.0.0 --port $${MICROSANDBOX_PORT:-5555} $${DEV_FLAG};
     working_dir: /workspace
+    healthcheck:
+      test: ["CMD-SHELL", "msb --version || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
     deploy:
       resources:
         limits:
-          cpus: ${MICROSANDBOX_CPU_LIMIT:-4.00}
+          cpus: ${MICROSANDBOX_CPU_LIMIT:-4}
           memory: ${MICROSANDBOX_MEMORY_LIMIT:-4G}
         reservations:
-          cpus: ${MICROSANDBOX_CPU_RESERVATION:-1.00}
+          cpus: ${MICROSANDBOX_CPU_RESERVATION:-1}
           memory: ${MICROSANDBOX_MEMORY_RESERVATION:-1G}
 
 volumes:
-  microsandbox_config:
+  microsandbox_namespaces:
   microsandbox_workspace:

src/docker-android/.env.example

@@ -0,0 +1,31 @@
+# Docker Android image tag (e.g., api-33, api-33-playstore)
+# DOCKER_ANDROID_VERSION=api-33
+
+# Docker Android GPU image tag (used by the gpu profile)
+# DOCKER_ANDROID_GPU_VERSION=api-33-cuda
+
+# Host port overrides
+# DOCKER_ANDROID_ADB_PORT_OVERRIDE=5555
+# DOCKER_ANDROID_CONSOLE_PORT_OVERRIDE=5554
+
+# KVM device path (Linux hosts only)
+# DOCKER_ANDROID_KVM_DEVICE=/dev/kvm
+
+# Optional ADB key directory for Play Store images
+# DOCKER_ANDROID_KEYS_DIR=./keys
+
+# Emulator settings
+# DOCKER_ANDROID_DISABLE_ANIMATION=false
+# DOCKER_ANDROID_DISABLE_HIDDEN_POLICY=false
+# DOCKER_ANDROID_SKIP_AUTH=true
+# DOCKER_ANDROID_MEMORY=8192
+# DOCKER_ANDROID_CORES=4
+
+# GPU settings
+# DOCKER_ANDROID_GPU_COUNT=1
+
+# Resource limits
+# DOCKER_ANDROID_CPU_LIMIT=2
+# DOCKER_ANDROID_MEMORY_LIMIT=8G
+# DOCKER_ANDROID_CPU_RESERVATION=1
+# DOCKER_ANDROID_MEMORY_RESERVATION=4G

src/docker-android/README.md

@@ -0,0 +1,59 @@
+# Docker Android Emulator
+
+[English](./README.md) | [中文](./README.zh.md)
+
+This service deploys the HQarroum Docker Android emulator image.
+
+## Usage
+
+- Start the default emulator:
+
+  ```bash
+  docker compose up -d
+  ```
+
+- Start with GPU acceleration:
+
+  ```bash
+  docker compose --profile gpu up -d
+  ```
+
+- Connect with ADB:
+
+  ```bash
+  adb connect 127.0.0.1:5555
+  ```
+
+## Services
+
+- `docker_android`: Android emulator (default).
+- `docker_android_gpu`: Android emulator with CUDA support (profile: `gpu`).
+
+## Configuration
+
+- `DOCKER_ANDROID_VERSION`: Image tag, default is `api-33`.
+- `DOCKER_ANDROID_GPU_VERSION`: GPU image tag, default is `api-33-cuda`.
+- `DOCKER_ANDROID_ADB_PORT_OVERRIDE`: Host port for ADB, default is `5555`.
+- `DOCKER_ANDROID_CONSOLE_PORT_OVERRIDE`: Host port for emulator console, default is `5554`.
+- `DOCKER_ANDROID_KVM_DEVICE`: KVM device path, default is `/dev/kvm`.
+- `DOCKER_ANDROID_KEYS_DIR`: ADB key directory for Play Store images, default is `./keys`.
+- `DOCKER_ANDROID_DISABLE_ANIMATION`: Disable animations, default is `false`.
+- `DOCKER_ANDROID_DISABLE_HIDDEN_POLICY`: Disable hidden API policy, default is `false`.
+- `DOCKER_ANDROID_SKIP_AUTH`: Skip ADB authentication, default is `true`.
+- `DOCKER_ANDROID_MEMORY`: Emulator RAM in MB, default is `8192`.
+- `DOCKER_ANDROID_CORES`: Emulator CPU cores, default is `4`.
+- `DOCKER_ANDROID_GPU_COUNT`: Number of GPUs, default is `1`.
+- `DOCKER_ANDROID_CPU_LIMIT`: CPU limit, default is `2`.
+- `DOCKER_ANDROID_MEMORY_LIMIT`: Memory limit, default is `8G`.
+- `DOCKER_ANDROID_CPU_RESERVATION`: CPU reservation, default is `1`.
+- `DOCKER_ANDROID_MEMORY_RESERVATION`: Memory reservation, default is `4G`.
+
+## Volumes
+
+- `docker_android_data`: Android AVD data stored at `/data`.
+
+## Notes
+
+- Linux with KVM is required for performance. Ensure `/dev/kvm` is available.
+- For Play Store images, set `DOCKER_ANDROID_VERSION=api-33-playstore` and place `adbkey` and `adbkey.pub` in the `./keys` directory.
+- The emulator is headless and can be controlled with `scrcpy` after connecting ADB.

src/docker-android/README.zh.md

@@ -0,0 +1,59 @@
+# Docker Android Emulator
+
+[English](./README.md) | [中文](./README.zh.md)
+
+该服务用于部署 HQarroum 的 Docker Android Emulator 镜像。
+
+## 使用方法
+
+- 启动默认模拟器：
+
+  ```bash
+  docker compose up -d
+  ```
+
+- 启动 GPU 加速：
+
+  ```bash
+  docker compose --profile gpu up -d
+  ```
+
+- 使用 ADB 连接：
+
+  ```bash
+  adb connect 127.0.0.1:5555
+  ```
+
+## 服务
+
+- `docker_android`：默认 Android 模拟器。
+- `docker_android_gpu`：带 CUDA 的 Android 模拟器（Profile：`gpu`）。
+
+## 配置
+
+- `DOCKER_ANDROID_VERSION`：镜像标签，默认 `api-33`。
+- `DOCKER_ANDROID_GPU_VERSION`：GPU 镜像标签，默认 `api-33-cuda`。
+- `DOCKER_ANDROID_ADB_PORT_OVERRIDE`：ADB 主机端口，默认 `5555`。
+- `DOCKER_ANDROID_CONSOLE_PORT_OVERRIDE`：模拟器控制台端口，默认 `5554`。
+- `DOCKER_ANDROID_KVM_DEVICE`：KVM 设备路径，默认 `/dev/kvm`。
+- `DOCKER_ANDROID_KEYS_DIR`：Play Store 镜像的 ADB 密钥目录，默认 `./keys`。
+- `DOCKER_ANDROID_DISABLE_ANIMATION`：禁用动画，默认 `false`。
+- `DOCKER_ANDROID_DISABLE_HIDDEN_POLICY`：禁用隐藏 API 策略，默认 `false`。
+- `DOCKER_ANDROID_SKIP_AUTH`：跳过 ADB 认证，默认 `true`。
+- `DOCKER_ANDROID_MEMORY`：模拟器内存（MB），默认 `8192`。
+- `DOCKER_ANDROID_CORES`：模拟器 CPU 核心数，默认 `4`。
+- `DOCKER_ANDROID_GPU_COUNT`：GPU 数量，默认 `1`。
+- `DOCKER_ANDROID_CPU_LIMIT`：CPU 限制，默认 `2`。
+- `DOCKER_ANDROID_MEMORY_LIMIT`：内存限制，默认 `8G`。
+- `DOCKER_ANDROID_CPU_RESERVATION`：CPU 预留，默认 `1`。
+- `DOCKER_ANDROID_MEMORY_RESERVATION`：内存预留，默认 `4G`。
+
+## 数据卷
+
+- `docker_android_data`：Android AVD 数据目录，挂载到 `/data`。
+
+## 说明
+
+- 建议在支持 KVM 的 Linux 主机上运行，确保 `/dev/kvm` 可用。
+- Play Store 镜像请设置 `DOCKER_ANDROID_VERSION=api-33-playstore`，并将 `adbkey` 与 `adbkey.pub` 放到 `./keys` 目录。
+- 模拟器为无界面模式，ADB 连接后可使用 `scrcpy` 进行控制。

src/docker-android/docker-compose.yaml

@@ -0,0 +1,83 @@
+x-defaults: &defaults
+  restart: unless-stopped
+  logging:
+    driver: json-file
+    options:
+      max-size: 100m
+      max-file: "3"
+
+services:
+  docker_android:
+    <<: *defaults
+    image: ${GLOBAL_REGISTRY:-}halimqarroum/docker-android:${DOCKER_ANDROID_VERSION:-api-33}
+    ports:
+      - "${DOCKER_ANDROID_ADB_PORT_OVERRIDE:-5555}:5555"
+      - "${DOCKER_ANDROID_CONSOLE_PORT_OVERRIDE:-5554}:5554"
+    volumes:
+      - docker_android_data:/data
+      - ${DOCKER_ANDROID_KEYS_DIR:-./keys}:/keys:ro
+    environment:
+      - TZ=${TZ:-UTC}
+      - DISABLE_ANIMATION=${DOCKER_ANDROID_DISABLE_ANIMATION:-false}
+      - DISABLE_HIDDEN_POLICY=${DOCKER_ANDROID_DISABLE_HIDDEN_POLICY:-false}
+      - SKIP_AUTH=${DOCKER_ANDROID_SKIP_AUTH:-true}
+      - MEMORY=${DOCKER_ANDROID_MEMORY:-8192}
+      - CORES=${DOCKER_ANDROID_CORES:-4}
+    devices:
+      - "${DOCKER_ANDROID_KVM_DEVICE:-/dev/kvm}:/dev/kvm"
+    healthcheck:
+      test: ["CMD-SHELL", "adb devices 2>/dev/null | grep -q emulator"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 60s
+    deploy:
+      resources:
+        limits:
+          cpus: ${DOCKER_ANDROID_CPU_LIMIT:-2}
+          memory: ${DOCKER_ANDROID_MEMORY_LIMIT:-8G}
+        reservations:
+          cpus: ${DOCKER_ANDROID_CPU_RESERVATION:-1}
+          memory: ${DOCKER_ANDROID_MEMORY_RESERVATION:-4G}
+
+  docker_android_gpu:
+    <<: *defaults
+    profiles:
+      - gpu
+    image: ${GLOBAL_REGISTRY:-}halimqarroum/docker-android:${DOCKER_ANDROID_GPU_VERSION:-api-33-cuda}
+    ports:
+      - "${DOCKER_ANDROID_ADB_PORT_OVERRIDE:-5555}:5555"
+      - "${DOCKER_ANDROID_CONSOLE_PORT_OVERRIDE:-5554}:5554"
+    volumes:
+      - docker_android_data:/data
+      - ${DOCKER_ANDROID_KEYS_DIR:-./keys}:/keys:ro
+    environment:
+      - TZ=${TZ:-UTC}
+      - DISABLE_ANIMATION=${DOCKER_ANDROID_DISABLE_ANIMATION:-false}
+      - DISABLE_HIDDEN_POLICY=${DOCKER_ANDROID_DISABLE_HIDDEN_POLICY:-false}
+      - SKIP_AUTH=${DOCKER_ANDROID_SKIP_AUTH:-true}
+      - MEMORY=${DOCKER_ANDROID_MEMORY:-8192}
+      - CORES=${DOCKER_ANDROID_CORES:-4}
+    devices:
+      - "${DOCKER_ANDROID_KVM_DEVICE:-/dev/kvm}:/dev/kvm"
+    healthcheck:
+      test: ["CMD-SHELL", "adb devices 2>/dev/null | grep -q emulator"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 60s
+    deploy:
+      resources:
+        limits:
+          cpus: ${DOCKER_ANDROID_CPU_LIMIT:-2}
+          memory: ${DOCKER_ANDROID_MEMORY_LIMIT:-8G}
+        reservations:
+          cpus: ${DOCKER_ANDROID_CPU_RESERVATION:-1}
+          memory: ${DOCKER_ANDROID_MEMORY_RESERVATION:-4G}
+          devices:
+            - driver: nvidia
+              count: ${DOCKER_ANDROID_GPU_COUNT:-1}
+              capabilities: [gpu]
+
+volumes:
+  docker_android_data:

src/mongodb-replicaset-single/docker-compose.yaml

@@ -14,9 +14,6 @@ x-mongo: &mongo
     MONGO_INITDB_ROOT_USERNAME: ${MONGO_INITDB_ROOT_USERNAME:-root}
     MONGO_INITDB_ROOT_PASSWORD: ${MONGO_INITDB_ROOT_PASSWORD:-password}
     MONGO_INITDB_DATABASE: ${MONGO_INITDB_DATABASE:-admin}
-  volumes:
-    - ./secrets/rs0.key:/data/rs0.key:ro
-    - mongo_data:/data/db
   entrypoint:
     - bash
     - -c
@@ -49,6 +46,9 @@ services:
     <<: *mongo
     ports:
       - "${MONGO_PORT_OVERRIDE_1:-27017}:27017"
+    volumes:
+      - mongo_data:/data/db
+      - ./secrets/rs0.key:/data/rs0.key:ro
 
   mongo-init:
     <<: *defaults
@@ -66,6 +66,8 @@ services:
       MONGO_HOST: ${MONGO_HOST:-host.docker.internal}
     volumes:
       - ./secrets/rs0.key:/data/rs0.key:ro
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     entrypoint:
       - bash
       - -c

src/mongodb-replicaset/docker-compose.yaml

@@ -14,8 +14,6 @@ x-mongo: &mongo
     MONGO_INITDB_ROOT_USERNAME: ${MONGO_INITDB_ROOT_USERNAME:-root}
     MONGO_INITDB_ROOT_PASSWORD: ${MONGO_INITDB_ROOT_PASSWORD:-password}
     MONGO_INITDB_DATABASE: ${MONGO_INITDB_DATABASE:-admin}
-  volumes:
-    - ./secrets/rs0.key:/data/rs0.key:ro
   entrypoint:
     - bash
     - -c
@@ -47,16 +45,25 @@ services:
     <<: *mongo
     ports:
       - "${MONGO_PORT_OVERRIDE_1:-27017}:27017"
+    volumes:
+      - mongo1_data:/data/db
+      - ./secrets/rs0.key:/data/rs0.key:ro
 
   mongo2:
     <<: *mongo
     ports:
       - "${MONGO_PORT_OVERRIDE_2:-27018}:27017"
+    volumes:
+      - mongo2_data:/data/db
+      - ./secrets/rs0.key:/data/rs0.key:ro
 
   mongo3:
     <<: *mongo
     ports:
       - "${MONGO_PORT_OVERRIDE_3:-27019}:27017"
+    volumes:
+      - mongo3_data:/data/db
+      - ./secrets/rs0.key:/data/rs0.key:ro
 
   mongo-init:
     <<: *defaults
@@ -78,6 +85,8 @@ services:
       MONGO_PORT_2: ${MONGO_PORT_OVERRIDE_2:-27018}
       MONGO_PORT_3: ${MONGO_PORT_OVERRIDE_3:-27019}
       MONGO_HOST: ${MONGO_HOST:-host.docker.internal}
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     volumes:
       - ./secrets/rs0.key:/data/rs0.key:ro
     entrypoint:
@@ -122,3 +131,8 @@ services:
         reservations:
           cpus: ${MONGO_REPLICA_INIT_CPU_RESERVATION:-0.50}
           memory: ${MONGO_REPLICA_INIT_MEMORY_RESERVATION:-1024M}
+
+volumes:
+  mongo1_data:
+  mongo2_data:
+  mongo3_data: