Explicit permissions for scripts in docker images (eth-educators#1125)
* Explicit permissions for scripts in docker images

* Couple more chown fixes
yorickdowne authored Dec 25, 2022
1 parent b8fb9ef commit 819b9b1
Showing 25 changed files with 212 additions and 122 deletions.
10 changes: 7 additions & 3 deletions besu/Dockerfile.binary
Expand Up @@ -5,6 +5,7 @@ FROM hyperledger/besu:${DOCKER_TAG}
# Unused but included to avoid warnings
ARG BUILD_TARGET

ARG USER=besu
ARG UID=10001
# GID 10002 is deliberate so it can exchange secret with CL
ARG GID=10002
Expand All @@ -20,10 +21,13 @@ RUN set -eux; \
gosu nobody true

# Create data mount point with permissions
RUN mkdir -p /var/lib/besu/ee-secret && chown -R besu:besu /var/lib/besu && chmod -R 700 /var/lib/besu && chmod 777 /var/lib/besu/ee-secret
RUN mkdir -p /var/lib/besu/ee-secret && chown -R ${USER}:${USER} /var/lib/besu && chmod -R 700 /var/lib/besu && chmod 777 /var/lib/besu/ee-secret

COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER besu
USER ${USER}

ENTRYPOINT ["/opt/besu/bin/besu"]
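Review bot: The new `COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/` followed by `chmod -R 755` leaves the entrypoint owner-writable by the account that runs it, so a compromised besu process can rewrite its own entrypoint unless the container runs with a read-only root filesystem. Execution only needs the 755 bits, not ownership: a plain `COPY ./docker-entrypoint.sh /usr/local/bin/` stays root-owned and `RUN chmod 755 /usr/local/bin/docker-entrypoint.sh` still makes it runnable for ${USER}. The same applies to every `/usr/local/bin` copy in this commit and, more so, to the `--chown` added on the `/opt/besu`, `/usr/app` and `/nethermind/out` trees, where the runtime user gains write access to the code it executes; `--chown` is only warranted where the process actually has to write into that path, which is worth confirming per client. Separately, the rewritten mkdir line keeps `chmod 777` on ee-secret although the GID comment says the CL side is meant to share the secret through group 10002; if that group is the intended exchange path, `chmod 2770` would be the tighter setting — confirm against how the CL container mounts the directory.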
8 changes: 5 additions & 3 deletions besu/Dockerfile.source
Expand Up @@ -44,9 +44,11 @@ RUN adduser \

RUN mkdir -p /var/lib/besu/ee-secret && chown -R besu:besu /var/lib/besu && chmod -R 700 /var/lib/besu && chmod 777 /var/lib/besu/ee-secret

# Copy executable
COPY --from=builder /usr/src/besu/build/install/besu/. /opt/besu/
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --from=builder --chown=${USER}:${USER} /usr/src/besu/build/install/besu/. /opt/besu/
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}

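Review bot: The `chown -R besu:besu /var/lib/besu` context line just above the new COPY lines still hard-codes the user name, while the rest of this stage (the `adduser` block and the new `--chown=${USER}:${USER}` copies) is keyed on `${USER}`; the commit parameterised the equivalent line in besu/Dockerfile.binary and erigon/Dockerfile.source but missed this one. Changing it to `RUN mkdir -p /var/lib/besu/ee-secret && chown -R ${USER}:${USER} /var/lib/besu && chmod -R 700 /var/lib/besu && chmod 777 /var/lib/besu/ee-secret` keeps the data directory following a `--build-arg USER=` override like everything else in the stage. The stage continues past the end of this hunk.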
12 changes: 8 additions & 4 deletions erigon/Dockerfile.binary
Expand Up @@ -5,18 +5,22 @@ FROM thorax/erigon:${DOCKER_TAG}
# Unused, this is here to avoid build time complaints
ARG BUILD_TARGET

ARG USER=erigon
ARG UID=10001
# GID 10002 is deliberate so it can exchange secret with CL
ARG GID=10002

USER root

RUN apk --no-cache add shadow bash su-exec && groupmod -g "${GID}" erigon && usermod -u "${UID}" -g "${GID}" erigon
RUN apk --no-cache add shadow bash su-exec && groupmod -g "${GID}" ${USER} && usermod -u "${UID}" -g "${GID}" ${USER}

RUN mkdir -p /var/lib/erigon/ee-secret && chown -R erigon:erigon /var/lib/erigon && chmod -R 700 /var/lib/erigon && chmod 777 /var/lib/erigon/ee-secret
RUN mkdir -p /var/lib/erigon/ee-secret && chown -R ${USER}:${USER} /var/lib/erigon && chmod -R 700 /var/lib/erigon && chmod 777 /var/lib/erigon/ee-secret

COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER erigon
USER ${USER}

ENTRYPOINT ["erigon"]
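Review bot: `chmod -R 755 /usr/local/bin/*` at the end of the hunk is not limited to the copied script; it rewrites the mode of every entry in /usr/local/bin, and if the thorax/erigon base keeps its client binaries there (it appears to), each of them is copied up into the new layer on overlay2, since a mode change duplicates the whole file. The same cost is paid in the source images that copy the client binary into /usr/local/bin right before the chmod (erigon, geth, lighthouse and nimbus-el Dockerfile.source) and for dasel in the three nethermind Dockerfiles; the builder output already carries its exec bit, so only the shell scripts need it. `RUN chmod 755 /usr/local/bin/docker-entrypoint.sh` (listing the other scripts where present) pays only for the scripts and states the intent.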
13 changes: 7 additions & 6 deletions erigon/Dockerfile.source
Expand Up @@ -9,7 +9,7 @@ ARG BUILD_TARGET
RUN apk update && apk add --no-cache make gcc g++ musl-dev linux-headers git bash

WORKDIR /src
RUN bash -c "git clone --recurse-submodules -j8 https://github.com/ledgerwatch/erigon.git && cd erigon && git config advice.detachedHead false && git fetch --all --tags && git checkout ${BUILD_TARGET} && make erigon && make rpcdaemon"
RUN bash -c "git clone --recurse-submodules -j8 https://github.com/ledgerwatch/erigon.git && cd erigon && git config advice.detachedHead false && git fetch --all --tags && git checkout ${BUILD_TARGET} && make erigon"

# Pull all binaries into a second stage deploy container
FROM alpine:3
Expand All @@ -34,12 +34,13 @@ RUN adduser \
--ingroup "${USER}" \
"${USER}"

RUN mkdir -p /var/lib/erigon/ee-secret && chown -R erigon:erigon /var/lib/erigon && chmod -R 700 /var/lib/erigon && chmod 777 /var/lib/erigon/ee-secret
RUN mkdir -p /var/lib/erigon/ee-secret && chown -R ${USER}:${USER} /var/lib/erigon && chmod -R 700 /var/lib/erigon && chmod 777 /var/lib/erigon/ee-secret

# Copy executable
COPY --from=builder /src/erigon/build/bin/erigon /usr/local/bin/
COPY --from=builder /src/erigon/build/bin/rpcdaemon /usr/local/bin/
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --from=builder --chown=${USER}:${USER} /src/erigon/build/bin/erigon /usr/local/bin/
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}

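Review bot: The build line loses `&& make rpcdaemon` and the deploy stage loses the `COPY --from=builder /src/erigon/build/bin/rpcdaemon /usr/local/bin/` line, so the image no longer ships rpcdaemon at all; neither the commit title nor the description mentions this, and any compose service that starts rpcdaemon from this image will fail to find the binary. If the removal is intended, a line in the commit description or a comment next to the build command such as `# rpcdaemon is no longer built: <reason>` would make it discoverable; if not, the two lines should be restored.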
5 changes: 4 additions & 1 deletion geth/Dockerfile.binary
Expand Up @@ -27,7 +27,10 @@ RUN adduser \

RUN mkdir -p /var/lib/goethereum/ee-secret && chown -R ${USER}:${USER} /var/lib/goethereum && chmod -R 700 /var/lib/goethereum && chmod 777 /var/lib/goethereum/ee-secret

COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}

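Review bot: The `# Belt and suspenders` comment above the new chmod does not say what the step guards against, so a later maintainer may drop it as redundant with the COPY. COPY keeps the mode bits of the file in the build context, so the chmod is what makes the script runnable when the checkout lost the execute bit (a common outcome on Windows or with `core.fileMode=false`); suggest `# COPY preserves the context file's mode; force +x so a checkout without the exec bit still runs`. The same comment appears in every Dockerfile touched by this commit.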
8 changes: 5 additions & 3 deletions geth/Dockerfile.source
Expand Up @@ -36,9 +36,11 @@ RUN adduser \

RUN mkdir -p /var/lib/goethereum/ee-secret && chown -R ${USER}:${USER} /var/lib/goethereum && chmod -R 700 /var/lib/goethereum && chmod 777 /var/lib/goethereum/ee-secret

# Copy executable
COPY --from=builder /src/go-ethereum/build/bin/geth /usr/local/bin/
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --from=builder --chown=${USER}:${USER} /src/go-ethereum/build/bin/geth /usr/local/bin/
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}

4 changes: 3 additions & 1 deletion grafana/Dockerfile
Expand Up @@ -7,7 +7,9 @@ RUN mkdir -p /etc/grafana/provisioning/dashboards/
RUN mkdir -p /etc/grafana/provisioning/datasources/
COPY ./dashboard.yml /etc/grafana/provisioning/dashboards/
COPY ./datasource.yml /etc/grafana/provisioning/datasources/
COPY ./provision-dashboards.sh /usr/local/bin/
COPY --chown=grafana:grafana ./provision-dashboards.sh /usr/local/bin/
COPY ./nethermind_dashboard.json /tmp/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

ENTRYPOINT [ "/run.sh" ]
15 changes: 10 additions & 5 deletions lighthouse/Dockerfile.binary
Expand Up @@ -20,7 +20,10 @@ RUN adduser \

# Create data mount point with permissions
RUN mkdir -p /var/lib/lighthouse/beacon/ee-secret && chown -R ${USER}:${USER} /var/lib/lighthouse/beacon && chmod -R 700 /var/lib/lighthouse/beacon && chmod 777 /var/lib/lighthouse/beacon/ee-secret
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

ARG USER=lhvalidator
ARG UID=10000
Expand All @@ -45,10 +48,12 @@ RUN set -eux; \
# verify that the binary works
gosu nobody true

# Scripts that handle permissions
COPY ./validator-import.sh /usr/local/bin/
COPY ./validator-exit.sh /usr/local/bin/
COPY ./docker-entrypoint-vc.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./validator-import.sh /usr/local/bin/
COPY --chown=${USER}:${USER} ./validator-exit.sh /usr/local/bin/
COPY --chown=${USER}:${USER} ./docker-entrypoint-vc.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

# For voluntary exit
ENV KEYSTORE=nonesuch
20 changes: 11 additions & 9 deletions lighthouse/Dockerfile.source
Expand Up @@ -54,7 +54,10 @@ RUN adduser \

# Create data mount point with permissions
RUN mkdir -p /var/lib/lighthouse/beacon/ee-secret && chown -R ${USER}:${USER} /var/lib/lighthouse/beacon && chmod -R 700 /var/lib/lighthouse/beacon && chmod 777 /var/lib/lighthouse/beacon/ee-secret
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

ARG USER=lhvalidator
ARG UID=10000
Expand All @@ -72,14 +75,13 @@ RUN adduser \
# Create data mount point with permissions
RUN mkdir -p /var/lib/lighthouse/validators && chown ${USER}:${USER} /var/lib/lighthouse/validators && chmod 700 /var/lib/lighthouse/validators

# Copy executable
#COPY --from=builder /usr/local/cargo/bin/lighthouse /usr/local/bin/
COPY --from=builder /root/.cargo/bin/lighthouse /usr/local/bin/

# Scripts that handle permissions
COPY ./validator-import.sh /usr/local/bin/
COPY ./validator-exit.sh /usr/local/bin/
COPY ./docker-entrypoint-vc.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --from=builder --chown=${USER}:${USER} /root/.cargo/bin/lighthouse /usr/local/bin/
COPY --chown=${USER}:${USER} ./validator-import.sh /usr/local/bin/
COPY --chown=${USER}:${USER} ./validator-exit.sh /usr/local/bin/
COPY --chown=${USER}:${USER} ./docker-entrypoint-vc.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

# For voluntary exit
ENV KEYSTORE=nonesuch
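Review bot: In the second hunk the `lighthouse` binary is copied with `--chown=${USER}:${USER}` while `ARG USER=lhvalidator` is in scope, whereas docker-entrypoint.sh in the first hunk is chowned to the consensus user; both accounts execute the same binary through its 755 bits, so the owner is decided by where the COPY sits rather than by any access need. A plain `COPY --from=builder /root/.cargo/bin/lighthouse /usr/local/bin/` (root-owned, executable by all) removes the ambiguity and keeps the binary non-writable for either runtime user.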
12 changes: 10 additions & 2 deletions lodestar/Dockerfile.binary
Expand Up @@ -25,6 +25,11 @@ RUN adduser \

RUN mkdir -p /var/lib/lodestar/consensus/ee-secret && chown -R ${USER}:${USER} /var/lib/lodestar/consensus && chmod -R 700 /var/lib/lodestar/consensus && chmod 777 /var/lib/lodestar/consensus/ee-secret

# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

ARG USER=lsvalidator
ARG UID=10000

Expand All @@ -40,7 +45,10 @@ RUN adduser \

# Create data mount point with permissions
RUN mkdir -p /var/lib/lodestar/validators && chown -R ${USER}:${USER} /var/lib/lodestar/validators && chmod 700 /var/lib/lodestar/validators
COPY ./docker-entrypoint.sh /usr/local/bin/
COPY ./docker-entrypoint-vc.sh /usr/local/bin/

# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint-vc.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

ENTRYPOINT ["node", "--max-old-space-size=6144", "/usr/app/node_modules/.bin/lodestar"]
29 changes: 18 additions & 11 deletions lodestar/Dockerfile.source
Expand Up @@ -6,7 +6,7 @@ ARG DOCKER_TAG
ARG BUILD_TARGET

RUN apk update && apk add --no-cache git g++ make python3 bash && rm -rf /var/cache/apk/*
RUN ln -s /usr/bin/python3 /usr/bin/python
#RUN ln -s /usr/bin/python3 /usr/bin/python

WORKDIR /usr/app

Expand All @@ -16,16 +16,6 @@ FROM node:18-alpine

RUN apk update && apk add --no-cache ca-certificates tzdata bash su-exec && rm -rf /var/cache/apk/*

WORKDIR /usr/app
COPY --from=build /usr/app .
RUN ln -s ../../packages/cli/lib/index.js node_modules/.bin/lodestar


# Scripts
COPY ./validator-import.sh /usr/local/bin/
COPY ./docker-entrypoint.sh /usr/local/bin/
COPY ./docker-entrypoint-vc.sh /usr/local/bin/

ARG USER=lsconsensus
ARG UID=10002

Expand All @@ -41,6 +31,15 @@ RUN adduser \

RUN mkdir -p /var/lib/lodestar/consensus/ee-secret && chown -R ${USER}:${USER} /var/lib/lodestar/consensus && chmod -R 700 /var/lib/lodestar/consensus && chmod 777 /var/lib/lodestar/consensus/ee-secret

WORKDIR /usr/app
COPY --from=build --chown=${USER}:${USER} /usr/app .
RUN ln -s ../../packages/cli/lib/index.js node_modules/.bin/lodestar

# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

ARG USER=lsvalidator
ARG UID=10000

Expand All @@ -57,4 +56,12 @@ RUN adduser \
# Create data mount point with permissions
RUN mkdir -p /var/lib/lodestar/validators && chown -R ${USER}:${USER} /var/lib/lodestar/validators && chmod 700 /var/lib/lodestar/validators

# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./validator-import.sh /usr/local/bin/
COPY --chown=${USER}:${USER} ./docker-entrypoint-vc.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER lsconsensus

ENTRYPOINT ["node", "--max-old-space-size=6144", "/usr/app/node_modules/.bin/lodestar"]
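Review bot: `RUN ln -s /usr/bin/python3 /usr/bin/python` in the build stage is turned into a comment without any mention in the commit title or description, which is outside the stated permissions scope. If the build no longer needs a `python` alias, delete the line instead of leaving it commented; if it still does, the builder stage now silently relies on the base image providing one. The build stage continues outside this hunk.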
7 changes: 5 additions & 2 deletions nethermind/Dockerfile.binary
Expand Up @@ -38,8 +38,11 @@ RUN set -eux; \
RUN chown -R ${USER}:${USER} /nethermind
RUN mkdir -p /var/lib/nethermind/ee-secret && chown -R ${USER}:${USER} /var/lib/nethermind && chmod -R 700 /var/lib/nethermind && chmod 777 /var/lib/nethermind/ee-secret

COPY --from=dasel /usr/local/bin/dasel /usr/local/bin/
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --from=dasel --chown=${USER}:${USER} /usr/local/bin/dasel /usr/local/bin/
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}

7 changes: 5 additions & 2 deletions nethermind/Dockerfile.dev
Expand Up @@ -38,8 +38,11 @@ RUN set -eux; \
RUN chown -R ${USER}:${USER} /nethermind
RUN mkdir -p /var/lib/nethermind/ee-secret && chown -R ${USER}:${USER} /var/lib/nethermind && chmod -R 700 /var/lib/nethermind && chmod 777 /var/lib/nethermind/ee-secret

COPY --from=dasel /usr/local/bin/dasel /usr/local/bin/
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --from=dasel --chown=${USER}:${USER} /usr/local/bin/dasel /usr/local/bin/
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}

10 changes: 7 additions & 3 deletions nethermind/Dockerfile.source
Expand Up @@ -43,13 +43,17 @@ RUN adduser \

WORKDIR /nethermind

COPY --from=build /nethermind/out .
# Cannot assume buildkit, hence no chmod
COPY --from=build --chown=${USER}:${USER} /nethermind/out .

RUN chown -R ${USER}:${USER} /nethermind
RUN mkdir -p /var/lib/nethermind/ee-secret && chown -R ${USER}:${USER} /var/lib/nethermind && chmod -R 700 /var/lib/nethermind && chmod 777 /var/lib/nethermind/ee-secret

COPY --from=dasel /usr/local/bin/dasel /usr/local/bin/
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --from=dasel --chown=${USER}:${USER} /usr/local/bin/dasel /usr/local/bin/
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}

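Review bot: `COPY --from=build --chown=${USER}:${USER} /nethermind/out .` is immediately followed by the unchanged `RUN chown -R ${USER}:${USER} /nethermind`, so the chown is now redundant, yet on overlay2 it still copies the entire /nethermind tree into an additional layer because an ownership change rewrites each file. Drop the `RUN chown` line (or the new `--chown`, if files beyond the copied output need re-owning) to avoid doubling that tree. The `# Cannot assume buildkit, hence no chmod` comment above this COPY is also misplaced, as no chmod follows it; `# --chown because the runtime user needs to own /nethermind` would say what the line does, assuming that write access is in fact required — worth confirming.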
8 changes: 5 additions & 3 deletions nimbus-el/Dockerfile.source
Expand Up @@ -42,9 +42,11 @@ RUN adduser \

RUN mkdir -p /var/lib/nimbus/ee-secret && chown -R ${USER}:${USER} /var/lib/nimbus && chmod 700 /var/lib/nimbus && chmod 777 /var/lib/nimbus/ee-secret

# Copy executable
COPY --from=builder /usr/src/nimbus-eth1/build/nimbus /usr/local/bin/nimbus
COPY ./docker-entrypoint.sh /usr/local/bin/
# Cannot assume buildkit, hence no chmod
COPY --from=builder --chown=${USER}:${USER} /usr/src/nimbus-eth1/build/nimbus /usr/local/bin/nimbus
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}
