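---
# Single-service Compose file for the cve-2026-42945 nginx reproduction.
# Everything below is sized for one developer host: the build context is the
# current directory and the only published port is bound to loopback.
services:
  nginx:
    build:
      context: .
      dockerfile: Dockerfile
    # Hardcoded x86-64 addresses require an x86-64 worker; run via qemu on arm64.
    platform: linux/amd64
    container_name: cve-2026-42945-nginx
    # ASLR-off launch needs the container's own address-space-randomization
    # setting honored; setarch -R sets the personality per-process. Docker's
    # default seccomp profile admits personality() only for a fixed allow-list
    # of flag values, which is why the service runs with seccomp unconfined;
    # SYS_PTRACE lets a debugger attach to the nginx worker for the
    # positive-control crash observation. Both settings widen the kernel
    # surface reachable from the container, so keep the loopback-only port
    # binding below in place.
    # NOTE(review): whether a core file is actually written also depends on the
    # core ulimit inherited from the daemon and on the host's kernel.core_pattern,
    # neither of which is set here — confirm on the worker if the crash
    # observation relies on a dump rather than an attached debugger.
    cap_add:
      - SYS_PTRACE
    security_opt:
      - seccomp=unconfined
    # Run an init process as PID 1 so signals are forwarded and exited
    # children are reaped.
    init: true
    ports:
      # Bind to loopback only; exploiter/verifier run on the same host.
      - "127.0.0.1:19321:19321"
    # Compose equivalent of `docker run -it`: keeps stdin and a pseudo-TTY so a
    # shell can be attached for manual inspection.
    tty: true
    stdin_open: true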
