From c0863c741281564f64b61d084d3be619c482ac5a Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 13:19:28 +0100
Subject: [PATCH 01/11] Dockerfile review after CI changes
Removing some unnecessary lines on the Docker file and making everything more explicit
---
 docker/centrifuge-chain/Dockerfile | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/docker/centrifuge-chain/Dockerfile b/docker/centrifuge-chain/Dockerfile
index f401485280..ad8475b75e 100644
--- a/docker/centrifuge-chain/Dockerfile
+++ b/docker/centrifuge-chain/Dockerfile
@@ -30,8 +30,6 @@ FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder
 ARG RUSTC_WRAPPER=''
 ARG SCCACHE_GHA_ENABLED="false"
- RUN rustup target add wasm32-unknown-unknown
-
 COPY . centrifuge-chain
 WORKDIR /centrifuge-chain
 ARG FEATURES=""
@@ -54,24 +52,24 @@ FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
 # Add chain resources to image
 COPY res /resources/
- RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge && \
- mkdir -p /data /centrifuge/.local/share && \
- chown -R centrifuge:centrifuge /data && \
- ln -s /data /centrifuge/.local/share/centrifuge
-
 COPY --from=builder /centrifuge-chain/target/release/centrifuge-chain /usr/local/bin
- # checks
- RUN ldd /usr/local/bin/centrifuge-chain && \
- /usr/local/bin/centrifuge-chain --version
 RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ;
- RUN mkdir -p /root/.local/share/centrifuge-chain && \
- ln -s /root/.local/share/centrifuge-chain /data
-
+
+ RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge && \
+ mkdir -p /data && \
+ chown -R centrifuge:centrifuge /data && \
+ chown -R centrifuge:centrifuge /resources && \
+ chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain && \
+ chown -R centrifuge:centrifuge /centrifuge/
-ENV RUST_BACKTRACE 1
 USER centrifuge
+# checks
+RUN ldd /usr/local/bin/centrifuge-chain && \
+ /usr/local/bin/centrifuge-chain --version
+ENV RUST_BACKTRACE 1
 EXPOSE 30333 9933 9944
 VOLUME ["/data"]
 ENTRYPOINT ["/usr/local/bin/centrifuge-chain"]
+CMD ["--help"]
From 60be1a46a0c97d1bb8312d4d0b013b7415d555c1 Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 13:22:45 +0100
Subject: [PATCH 02/11] fix the docker tagging to look more as we imagined
---
 .github/workflows/build-docker.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index c0b9b2b681..5639748e30 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
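Review bot: `chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain` and the `chown -R` of `/resources` hand the runtime user ownership of its own executable and of the chain specs, so a compromised node process can overwrite the binary or tamper with the spec and persist across restarts. Neither path needs to be owned by `centrifuge` — the binary only has to be executable and `/resources` only readable — so dropping those two `chown` lines (or using `COPY --from=builder --chmod=0755 …` for the binary) keeps them root-owned and read-only for the unprivileged user. Separately, the removed `ln -s /data /centrifuge/.local/share/centrifuge` was an attempt to map the node's default base path into the `/data` volume; with only `mkdir -p /data` left, a container started without an explicit `--base-path /data` presumably writes its database under the home directory, outside the declared `VOLUME`, so that should either be documented next to `VOLUME ["/data"]` or the link restored with the correct directory name.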
@@ -49,11 +49,8 @@ jobs:
 uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 #v5
 with:
 images: centrifugeio/centrifuge-chain
- flavor: |
- suffix=-${{ env.NOW }}
- prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
 tags: |
- type=raw,event=branch,value={{branch}}-{{sha}}
+ type=raw,event=branch,value={{branch}}-{{sha}},suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=
 type=semver,pattern={{raw}},suffix=,prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
 type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=
 type=edge
From 585fc9275113367880541bffae7e1a856788f2a4 Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 13:36:07 +0100
Subject: [PATCH 03/11] test different options for docker tags
---
 .github/workflows/build-docker.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 5639748e30..891b06663d 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
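Review bot: `prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}` on the `type=semver,pattern={{raw}}` line puts the literal string `latest=auto` in front of the version for non-test builds, and `=` is not a legal character in an image tag, so pushing something like `latest=auto1.2.3` is rejected by the registry; `latest=auto` is a `flavor:` option, not a prefix, and the non-test branch of that expression should be `''`. The new `type=raw` line also lists `suffix=` twice (`suffix=-${{ env.NOW }}` followed by a trailing empty `suffix=`), so only one of them takes effect and the timestamp suffix may silently disappear. The enclosing `steps:` list continues outside the hunk.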
@@ -50,10 +50,10 @@ jobs:
 with:
 images: centrifugeio/centrifuge-chain
 tags: |
- type=raw,event=branch,value={{branch}}-{{sha}},suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=
- type=semver,pattern={{raw}},suffix=,prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
- type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=
- type=edge
+ type=raw,event=branch,value=${{ matrix.target == 'test' && 'test-' || '' }}{{branch}}-{{sha}}-${{ env.NOW }}
+ type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
+ type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+ type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
 - name: Configure GHA cache
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
From 10c800c78187a5baaa23a390f97905383bb47181 Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 13:44:37 +0100
Subject: [PATCH 04/11] use edge tag is used when not pushing a branch
---
 .github/workflows/build-docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 891b06663d..c256cd1f87 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
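Review bot: `event=branch` is not an attribute the `type=raw` rule reads (raw rules are gated with `enable=…`), so as far as I can tell this tag is produced on every event — PR builds and tag pushes included — with whatever `{{branch}}` happens to resolve to; gate it explicitly, e.g. `type=raw,enable=${{ startsWith(github.ref, 'refs/heads/') }},value=…`. The `{{raw}}` semver line still carries `prefix=… || 'latest=auto'`, which for non-test builds yields a tag containing `=` that the registry will reject. The enclosing `steps:` list continues outside the hunk.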
@@ -53,7 +53,7 @@ jobs:
 type=raw,event=branch,value=${{ matrix.target == 'test' && 'test-' || '' }}{{branch}}-{{sha}}-${{ env.NOW }}
 type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
 type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
- type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+ type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }},condition=${{ github.event_name != 'push' || github.ref == 'refs/heads/'* }}
 - name: Configure GHA cache
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
From 25dde97d4bdf216b57ee3e9759a36796cfd94ebf Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 13:55:59 +0100
Subject: [PATCH 05/11] fix condition for docker tag
---
 .github/workflows/build-docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index c256cd1f87..0e2ab2b6bc 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -53,7 +53,7 @@ jobs:
 type=raw,event=branch,value=${{ matrix.target == 'test' && 'test-' || '' }}{{branch}}-{{sha}}-${{ env.NOW }}
 type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
 type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
- type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }},condition=${{ github.event_name != 'push' || github.ref == 'refs/heads/'* }}
+ type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }},condition=${{ !startsWith(github.ref, 'refs/heads/') }}
 - name: Configure GHA cache
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
From ac3a7b4206ae373916dad819eff4ba94f9e1e9c8 Mon Sep 17 00:00:00 2001
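Review bot: `github.ref == 'refs/heads/'*` is not valid GitHub expression syntax — the expression language has no glob operator — so the workflow file fails to parse before any job runs; the prefix test has to be written as `startsWith(github.ref, 'refs/heads/')`. `condition=` is also not an attribute the edge rule understands (the documented switch for every rule is `enable=`), so even a well-formed expression here would be ignored and the edge tag emitted unconditionally. The enclosing `steps:` list continues outside the hunk.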
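Review bot: the expression is now well-formed, but `condition=` is still not a key metadata-action reads for a tag rule, so as far as I can tell the edge tag keeps being generated on every event and the `!startsWith(...)` test never has any effect; the documented attribute is `enable=`. The line should read `type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }},enable=${{ !startsWith(github.ref, 'refs/heads/') }}`, and the `meta` step's printed tag list in the run log is the quickest way to confirm the rule is actually being suppressed. The enclosing `steps:` list continues outside the hunk.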
From: Guillermo Perez
Date: Fri, 24 Nov 2023 14:00:27 +0100
Subject: [PATCH 06/11] assume prefix adds a `-` except for raw formt
---
 .github/workflows/build-docker.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 0e2ab2b6bc..584f0542ed 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -51,9 +51,9 @@ jobs:
 images: centrifugeio/centrifuge-chain
 tags: |
 type=raw,event=branch,value=${{ matrix.target == 'test' && 'test-' || '' }}{{branch}}-{{sha}}-${{ env.NOW }}
- type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
- type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
- type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }},condition=${{ !startsWith(github.ref, 'refs/heads/') }}
+ type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test' || 'latest=auto' }}
+ type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test' || '' }}
+ type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test' || '' }},condition=${{ !startsWith(github.ref, 'refs/heads/') }}
 - name: Configure GHA cache
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
From 00d3e69c14798ff523304cae8e7481f50ea4f0b7 Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 14:00:39 +0100
Subject: [PATCH 07/11] Add some comments to the dockerfile
---
 docker/centrifuge-chain/Dockerfile | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/docker/centrifuge-chain/Dockerfile b/docker/centrifuge-chain/Dockerfile
index ad8475b75e..fbf826bc90 100644
--- a/docker/centrifuge-chain/Dockerfile
+++ b/docker/centrifuge-chain/Dockerfile
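Review bot: the assumption in the commit title does not hold — metadata-action splices `prefix=` into the tag verbatim, with no separator — so `prefix=…'test'…` turns a `v1.2.3` release into `test1.2.3` and the edge tag into `testedge-<NOW>`, which is easy to mistake for a real version; the previous `'test-'` was the correct form and should be restored on all three lines. The `{{raw}}` semver line also still ends up with `latest=auto` as a literal prefix for non-test builds, and a tag containing `=` is rejected by the registry, so that branch of the expression should be `''` with `latest=auto` moved under `flavor:`. The enclosing `steps:` list continues outside the hunk.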
@@ -1,8 +1,6 @@
-# Based on
+# Inspired by
 # https://github.com/paritytech/polkadot-sdk/blob/master/docker/dockerfiles/polkadot/polkadot_injected_release.Dockerfile
-# ToDo: create a CI/builder image with preloaded tools
-# FROM --platform=linux/amd64 docker.io/library/ubuntu:22.04 as builder
 FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder
 # Defaults
 ENV RUST_BACKTRACE 1
@@ -38,7 +36,9 @@ FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder
 # ===== SECOND STAGE ======
-# ToDo: create a secure image as a base for the binary
+# IF we were to publish binaries that we can always trust we could skip the first part
+# and simply download the binaries here. Some short of hash or integrity check would need to
+# happen to make sure the binary is what we want.
 FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
 LABEL io.centrifuge.image.authors="guillermo@k-f.co" \
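Review bot: the new comment has a typo — `Some short of hash` should read `Some sort of hash` — and it would be more useful if it named the check it has in mind, e.g. `# a sha256 pinned in this Dockerfile (ADD --checksum=sha256:... or sha256sum -c) or a signature verified against a published release key`. The same trust argument applies to the line directly below it: `FROM … docker.io/library/ubuntu:jammy` (and `rust:bookworm` in the builder) is a floating tag, so two builds of the same commit can land on different base layers; pinning both with `@sha256:…` makes the image reproducible and keeps the Dockerfile's own provenance consistent with what the comment asks of downloaded binaries.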
@@ -56,13 +56,18 @@ FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
 RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ;
- RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge && \
- mkdir -p /data && \
- chown -R centrifuge:centrifuge /data && \
- chown -R centrifuge:centrifuge /resources && \
- chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain && \
- chown -R centrifuge:centrifuge /centrifuge/
+ # Because of the following, all data and config directories need to be owned by UID and GID 1000
+ RUN groupadd --gid 1000 centrifuge && useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge
+
+ RUN mkdir -p /data && \
+ chown -R centrifuge:centrifuge /data && \
+ chown -R centrifuge:centrifuge /resources && \
+ chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain && \
+ chown -R centrifuge:centrifuge /centrifuge/
+# Running as an non-root is a good security practice
+# in some cases the container can be forced to run as root overriding the next line
+# but by default we want to enforce this.
 USER centrifuge
 # checks
 RUN ldd /usr/local/bin/centrifuge-chain && \
From 901fbca78d74ffd44efcd5699cc7057957c33b6a Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 14:27:43 +0100
Subject: [PATCH 08/11] yet another try at fixing the tag when not in main
---
 .github/workflows/build-docker.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 584f0542ed..c6ae02a1ed 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
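Review bot: `groupadd --gid 1000 centrifuge && useradd … -U …` tries to create the group twice — `-U` tells useradd to create a group named after the user — so with the group already present this `RUN` presumably fails with a "group centrifuge exists" error and the build stops here. If the explicit `groupadd` is there to guarantee GID 1000, as the comment above promises, keep it and make useradd join that group instead of creating one: `RUN groupadd --gid 1000 centrifuge && useradd -m -u 1000 -g centrifuge -s /bin/sh -d /centrifuge centrifuge`. The re-added `chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain` and the chown of `/resources` are also worth a second look: the runtime user does not need to own its executable or the chain specs, and leaving them root-owned denies a compromised node process the ability to overwrite either.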
@@ -50,10 +50,11 @@ jobs:
 with:
 images: centrifugeio/centrifuge-chain
 tags: |
- type=raw,event=branch,value=${{ matrix.target == 'test' && 'test-' || '' }}{{branch}}-{{sha}}-${{ env.NOW }}
+ type=raw,enable=${{ github.ref == 'refs/heads/main' }},value=${{ matrix.target == 'test' && 'test-' || '' }}{{branch}}-{{sha}}-${{ env.NOW }}
 type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test' || 'latest=auto' }}
 type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test' || '' }}
- type=edge,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test' || '' }},condition=${{ !startsWith(github.ref, 'refs/heads/') }}
+ type=edge,event=pull_request,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test' || '' }}
+ type=ref,event=tag
 - name: Configure GHA cache
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
@@ -69,7 +70,7 @@ jobs:
 file: ./docker/centrifuge-chain/Dockerfile
 build-args: |
 FEATURES=${{ matrix.target == 'test' && 'fast-runtime' || '' }}
- push: ${{ github.event_name == 'pull_request' && false || true }}
+ push: ${{ github.event_name != 'pull_request' }}
 tags: ${{ steps.meta.outputs.tags }}
 # Cache options:
 # https://docs.docker.com/build/ci/github-actions/cache/
From 247287783f7ba3bf7395e993f2b4fffba0ee02ad Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 14:39:16 +0100
Subject: [PATCH 09/11] More tag experiments
---
 .github/workflows/build-docker.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index c6ae02a1ed..ab4362bd44 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
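Review bot: for a push to any branch other than `main` none of the five rules yields a tag — the raw rule is switched off by `enable=${{ github.ref == 'refs/heads/main' }}`, the two semver rules and `type=ref,event=tag` only match tag refs, and the edge rule is aimed at pull requests — while the second hunk sets `push:` to true for every non-PR event, so if this workflow is also triggered by pushes to other branches the build-push step presumably fails on an empty tag list. Either narrow the workflow trigger to `main` and tags, or add a rule for those pushes such as `type=ref,event=branch,suffix=-{{sha}}-${{ env.NOW }}`. `event=pull_request` is also not an attribute the `type=edge` rule reads (edge is selected by `branch=`), so that line is unlikely to do what its name suggests. The enclosing `steps:` list continues outside the hunk.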
@@ -49,12 +49,15 @@ jobs:
 uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 #v5
 with:
 images: centrifugeio/centrifuge-chain
+ flavor: |
+ prefix=${{ matrix.target == 'test' && 'test' || 'latest=auto' }}
 tags: |
- type=raw,enable=${{ github.ref == 'refs/heads/main' }},value=${{ matrix.target == 'test' && 'test-' || '' }}{{branch}}-{{sha}}-${{ env.NOW }}
- type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test' || 'latest=auto' }}
- type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test' || '' }}
- type=edge,event=pull_request,suffix=-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test' || '' }}
- type=ref,event=tag
+ type=semver,pattern={{raw}}
+ type=semver,pattern={{major}}
+ type=edge,event=pr,suffix={{sha}}-${{ env.NOW }}
+ type=ref,event=tag,suffix={{sha}}-${{ env.NOW }}
+ type=ref,event=pr,suffix={{sha}}-${{ env.NOW }}
+ type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test' || '' }}-{{branch}},suffix={{sha}}-${{ env.NOW }}
 - name: Configure GHA cache
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
From f4ded09b112fe546359f96c1000bf5b89452948f Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 15:04:13 +0100
Subject: [PATCH 10/11] explicitly set prefix for each tag
---
 .github/workflows/build-docker.yml | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index ab4362bd44..23ce4ca7b1 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
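Review bot: the new `flavor:` entry `prefix=${{ … || 'latest=auto' }}` makes `latest=auto` the literal prefix of every non-test tag, and since `=` is not allowed in a tag name those pushes are rejected; `latest=auto` has to be its own line under `flavor:` and the non-test prefix should be empty. The `suffix={{sha}}-${{ env.NOW }}` attributes also have no separator, so a release becomes e.g. `v1.2.3<sha>-<NOW>`, and the branch rule's own `prefix=…-{{branch}}` combined with its value (the branch name again) produces `-mainmain<sha>-<NOW>` for non-test builds — a leading hyphen, which is not a valid tag, plus the branch twice. Writing `suffix=-{{sha}}-${{ env.NOW }}` everywhere and dropping `-{{branch}}` from the prefix gives valid, readable tags. The enclosing `steps:` list continues outside the hunk.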
@@ -49,15 +49,12 @@ jobs:
 uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 #v5
 with:
 images: centrifugeio/centrifuge-chain
- flavor: |
- prefix=${{ matrix.target == 'test' && 'test' || 'latest=auto' }}
 tags: |
- type=semver,pattern={{raw}}
- type=semver,pattern={{major}}
- type=edge,event=pr,suffix={{sha}}-${{ env.NOW }}
- type=ref,event=tag,suffix={{sha}}-${{ env.NOW }}
- type=ref,event=pr,suffix={{sha}}-${{ env.NOW }}
- type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test' || '' }}-{{branch}},suffix={{sha}}-${{ env.NOW }}
+ type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+ type=edge,event=pr,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+ type=ref,event=tag,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+ type=ref,event=pr,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+ type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test-' || '' }}-{{branch}},suffix={{sha}}-${{ env.NOW }}
 - name: Configure GHA cache
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
From 1749241a8ba7456978cad5d82a3d2a35c864ae24 Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Fri, 24 Nov 2023 16:01:59 +0100
Subject: [PATCH 11/11] fix user creation in docker
---
 docker/centrifuge-chain/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/centrifuge-chain/Dockerfile b/docker/centrifuge-chain/Dockerfile
index fbf826bc90..8ba49e4e5c 100644
--- a/docker/centrifuge-chain/Dockerfile
+++ b/docker/centrifuge-chain/Dockerfile
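Review bot: on the `type=ref,event=branch` line the prefix `${{ matrix.target == 'test' && 'test-' || '' }}-{{branch}}` evaluates to `-main` for the non-test build, and the rule's value is the branch name again, so the generated tag is `-mainmain<sha>-<NOW>` — it starts with a hyphen, which the registry rejects, and repeats the branch. The `suffix={{sha}}-${{ env.NOW }}` on the edge, tag and pr rules has the same missing separator, gluing the sha straight onto `v1.2.3` or the PR number. Rewrite the branch line as `type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=-{{sha}}-${{ env.NOW }}` and give the other three `suffix=-{{sha}}-${{ env.NOW }}`. The enclosing `steps:` list continues outside the hunk.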
@@ -57,7 +57,7 @@ FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
 RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ;
 # Because of the following, all data and config directories need to be owned by UID and GID 1000
- RUN groupadd --gid 1000 centrifuge && useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge
+ RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge
 RUN mkdir -p /data && \
 chown -R centrifuge:centrifuge /data && \
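Review bot: `useradd -U` lets useradd choose the GID of the new `centrifuge` group itself, so the comment directly above — that data and config directories must be owned by "UID and GID 1000" — is no longer enforced by this line; on a fresh `ubuntu:jammy` layer the first free GID is normally 1000, but nothing guarantees that if the base image changes. If the fixed GID matters for volume ownership, create the group explicitly and join it rather than letting `-U` create a second one: `RUN groupadd --gid 1000 centrifuge && useradd -m -u 1000 -g centrifuge -s /bin/sh -d /centrifuge centrifuge` (using `-g` instead of `-U` is presumably what avoids the duplicate-group failure that led to dropping `groupadd`). The `RUN mkdir -p /data && \` block below continues outside the hunk.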