fix: [#277] remove public MySQL port exposure for security

MySQL port 3306 was publicly accessible from outside the VM, allowing
anyone on the network to connect to the database. This posed a security
risk as the database credentials could be brute-forced.

Changes:
- Removed ports: - "3306:3306" from MySQL service in docker-compose
- Added security comment explaining why port is not exposed
- Updated unit test to verify port is NOT exposed

MySQL remains accessible to the Tracker via Docker's internal
database_network, and the healthcheck still works because mysqladmin
ping runs inside the container.

Closes #277

Author: josecelano

src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs

@@ -301,10 +301,10 @@ mod tests {
             "Volume should use local driver"
         );
 
-        // Verify port mapping
+        // Verify port is NOT exposed (security fix: https://github.com/torrust/torrust-tracker-deployer/issues/277)
         assert!(
-            content.contains("3306:3306"),
-            "Should expose MySQL port 3306"
+            !content.contains("3306:3306"),
+            "MySQL port 3306 should NOT be exposed externally for security"
         );
     }
 

templates/docker-compose/docker-compose.yml.tera

@@ -176,8 +176,11 @@ services:
 {%- for network in mysql.networks %}
       - {{ network }}
 {%- endfor %}
-    ports:
-      - "3306:3306"
+    # SECURITY: MySQL port is NOT exposed to the host/external network.
+    # - Only the tracker container can access MySQL via Docker's internal database_network
+    # - The healthcheck runs inside the container, so no external port is needed
+    # - This prevents unauthorized external access to the database
+    # See: https://github.com/torrust/torrust-tracker-deployer/issues/277
     volumes:
       - mysql_data:/var/lib/mysql
     command: --mysql-native-password=ON