docker-compose with minimal PID namespace and non-root permissions (erigontech#2397)

* Feat: only share the erigon container PID namespace with rpcdaemon instead of the entire host PID namespace.

* Feat: remove host UID:GID mapping from erigon and rpcdaemon containers in favour of erigon user in Dockerfile. Adapted Makefile to pre-create mounted volumes to avoid permission issues at runtime.

* Feat: docker volume directories should always be owned by erigon user (1000:1000) regardless of the user that invoked the make command.

* Fix: don't chown here which breaks docker volume mounts.

* Fix: remove ERIGON_HOME Makefile variable and simplify recipe.
mariuspod authored Jul 19, 2021
1 parent b7c3c15 commit d085bf9
Showing 4 changed files with 14 additions and 9 deletions.
4 changes: 4 additions & 0 deletions Dockerfile
Expand Up @@ -17,4 +17,8 @@ COPY --from=builder /app/build/bin/* /usr/local/bin/

WORKDIR /var/lib/erigon

RUN adduser -H -u 1000 -g 1000 -D erigon
RUN chown -R erigon:erigon /var/lib/erigon
USER erigon

EXPOSE 8545 8546 30303 30303/udp 30304 30304/udp 8080 9090 6060
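Review bot: `RUN adduser -H -u 1000 -g 1000 -D erigon` does not pin the GID to 1000 if this is the BusyBox adduser (the `-H`/`-D` flags are BusyBox syntax): there `-g` sets the GECOS field and the group comes from `-G`, so the user lands in a freshly created `erigon` group with whatever GID is next free. Since the Makefile and compose file both assume 1000:1000 for the bind-mounted data directory, create the group explicitly, e.g. `RUN addgroup -g 1000 erigon && adduser -H -u 1000 -G erigon -D erigon`. The `chown -R erigon:erigon /var/lib/erigon` only touches the empty image directory and is masked by the volume mount at runtime; a comment saying it exists for volume-less runs would save the next reader the question.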
8 changes: 6 additions & 2 deletions Makefile
Expand Up @@ -21,9 +21,13 @@ go-version:
docker:
docker build -t turbo-geth:latest --build-arg git_commit='${GIT_COMMIT}' --build-arg git_branch='${GIT_BRANCH}' --build-arg git_tag='${GIT_TAG}' .

xdg_data_home := ~/.local/share
ifdef XDG_DATA_HOME
xdg_data_home = $(XDG_DATA_HOME)
endif
docker-compose:
# Uses host's PID,UID,GID. It required to open Erigon's DB from another process (RPCDaemon local-mode)
UID_GID=$(shell id -u):$(shell id -g) docker-compose up
mkdir -p $(xdg_data_home)/erigon $(xdg_data_home)/erigon-grafana $(xdg_data_home)/erigon-prometheus; \
docker-compose up

# debug build allows see C stack traces, run it with GOTRACEBACK=crash. You don't need debug build for C pit for profiling. To profile C code use SETCGOTRCKEBACK=1
dbg:
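Review bot: the new `mkdir -p` in the `docker-compose` recipe creates the host directories as whoever runs `make`, while the containers now run as 1000:1000 (the removed `UID_GID=$(shell id -u):$(shell id -g)` line was what kept host and container ids aligned), so on a host where the invoking user is not uid 1000 the bind mounts for erigon, prometheus and grafana come up unwritable. Either keep an opt-in override (`user: ${UID_GID:-1000:1000}` on the compose side) or document the one-off `chown -R 1000:1000` that has to happen before the first run. Minor: `xdg_data_home` is assigned with `:=` and then overridden with `=`; use one flavour for both.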
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -232,7 +232,7 @@ or
XDG_DATA_HOME=/preferred/data/folder make docker-compose
```

Makefile uses host's PID,UID,GID. It required to open Erigon's DB from another process (RPCDaemon local-mode).
Makefile creates the initial directories for erigon, prometheus and grafana. The PID namespace is shared between erigon and rpcdaemon which is required to open Erigon's DB from another process (RPCDaemon local-mode).
See: https://github.com/ledgerwatch/erigon/pull/2392/files

Windows support for docker-compose is not ready yet. Please help us with .ps1 port
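Review bot: the replaced sentence was the only place that told users how file ownership works, and the new wording drops that information. With the host UID:GID mapping gone, `$XDG_DATA_HOME/erigon`, `erigon-prometheus` and `erigon-grafana` must be writable by uid/gid 1000, which the Makefile's `mkdir -p` only guarantees when the invoking user is uid 1000; add a sentence stating that requirement and the one-off `chown` to apply otherwise. Also confirm `pull/2392` is the intended link; the commit title references #2397.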
9 changes: 3 additions & 6 deletions docker-compose.yml
Expand Up @@ -6,8 +6,6 @@ services:
image: thorax/erigon:latest
build: .
command: erigon --datadir=/var/lib/erigon --metrics --metrics.addr=0.0.0.0 --metrics.port=6060 --private.api.addr=0.0.0.0:9090 --pprof --pprof.addr=0.0.0.0 --pprof.port=6061
user: ${UID_GID:-1000:1000} # Uses host's PID,UID,GID. It required to open Erigon's DB from another process (RPCDaemon local-mode)
pid: host
volumes:
- ${XDG_DATA_HOME:-~/.local/share}/erigon:/var/lib/erigon
ports:
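Review bot: dropping the `user:` line leaves the erigon service's uid entirely to the image's `USER` directive. That holds for `build: .`, but `image: thorax/erigon:latest` is also a pullable tag, and a registry image built before this Dockerfile change runs as root and writes root-owned files into `${XDG_DATA_HOME:-~/.local/share}/erigon`, after which a non-root rpcdaemon cannot open the DB. Keep an explicit `user: 1000:1000` here, as the prometheus and grafana services do, so the compose file does not depend on which image happens to be cached.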
Expand All @@ -19,7 +17,7 @@ services:

prometheus:
image: prom/prometheus:v2.28.1
user: ${UID_GID:-1000:1000}
user: 1000:1000 # Uses erigon user from Dockerfile
command: --log.level=warn --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus --web.console.libraries=/usr/share/prometheus/console_libraries --web.console.templates=/usr/share/prometheus/consoles
ports:
- "9090:9090"
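Review bot: the comment `# Uses erigon user from Dockerfile` is misleading on this service: `prom/prometheus` is not built from this repository's Dockerfile and has no erigon user; `1000:1000` works only because it matches the ownership of the `erigon-prometheus` directory the Makefile creates. Reword to something like `# numeric uid/gid matching the host data directory`.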
Expand All @@ -30,7 +28,7 @@ services:

grafana:
image: grafana/grafana:8.0.6
user: ${UID_GID:-1000:1000}
user: 1000:1000 # Uses erigon user from Dockerfile
ports:
- "3000:3000"
volumes:
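Review bot: same comment accuracy issue on the grafana `user:` line: the `grafana/grafana` image has no erigon user, and `1000:1000` is a numeric choice that must match the ownership of the `erigon-grafana` host directory; say that in the comment rather than pointing at the Dockerfile.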
Expand All @@ -43,8 +41,7 @@ services:
rpcdaemon:
image: thorax/erigon:latest
command: rpcdaemon --datadir /var/lib/erigon --private.api.addr=erigon:9090 --http.addr=0.0.0.0 --http.vhosts=* --http.corsdomain=* --http.api=eth,debug,net
user: ${UID_GID:-1000:1000} # Uses host's PID,UID,GID. It required to open Erigon's DB from another process (RPCDaemon local-mode)
pid: host
pid: service:erigon # Use erigon's PID namespace. It's required to open Erigon's DB from another process (RPCDaemon local-mode)
volumes:
- ${XDG_DATA_HOME:-~/.local/share}/erigon:/var/lib/erigon
ports:
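Review bot: `pid: service:erigon` is the right scope reduction over `pid: host` (rpcdaemon now sees and can signal only erigon's processes instead of every process on the host), but the invariant it relies on should be stated next to it: the comment says the shared PID namespace is what lets rpcdaemon open the DB, and the DB lives on the same `/var/lib/erigon` bind mount, so both services must also run as the same uid. With the `user:` line removed from both services that uid requirement is now implicit in the image; pin `user: 1000:1000` on both or spell it out in the comment. Also `It's required` reads better as `This is required`.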