Commit

feat: root as default docker user (#4684)
LesnyRumcajs authored Aug 28, 2024
1 parent 7e6d643 commit 6ba5c96
Showing 5 changed files with 14 additions and 34 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -36,6 +36,14 @@
individually. The previous behavior, to validate the sum of the snapshots, can
be achieved via `forest-tool snapshot validate-diffs`.

- [#4672](https://github.com/ChainSafe/forest/issues/4672) The default user in
Docker images is now `root`. This facilitates usage, especially when mounting
volumes and dealing with surprising permission errors. Note that the default
data directory is now `/root/.local/share/forest` and not
`/home/forest/.local/share/forest`. The directory will **not** be migrated
automatically. Please adapt your configurations accordingly. If you've been
switching to `root` manually in your workflows you can now remove that step.

### Added

- [#3959](https://github.com/ChainSafe/forest/issues/3959) Added support for the
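
Review bot: The new `#4672` entry tells users the data directory moved but says nothing to operators who need the container to stay unprivileged. Since the process now runs as UID 0 by default, add a sentence on how to keep the previous behaviour (for example an explicit `--user` together with a data directory that user can write), and state the old UID/GID `1000` so it is clear who owns the files in existing volumes.
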
19 changes: 2 additions & 17 deletions Dockerfile
Expand Up @@ -62,33 +62,18 @@ RUN --mount=type=cache,sharing=private,target=/root/.cargo/registry \
# A slim image contains only forest binaries
FROM ubuntu:22.04 AS slim-image

ARG SERVICE_USER=forest
ARG SERVICE_GROUP=forest
ARG DATA_DIR=/home/forest/.local/share/forest

ENV DEBIAN_FRONTEND="noninteractive"
# Install binary dependencies
RUN apt-get update && \
apt-get install --no-install-recommends -y ca-certificates && \
rm -rf /var/lib/apt/lists/*
RUN update-ca-certificates

# Create user and group and assign appropriate rights to the forest binaries
RUN addgroup --gid 1000 ${SERVICE_GROUP} && \
adduser --uid 1000 --ingroup ${SERVICE_GROUP} --disabled-password --gecos "" ${SERVICE_USER}

# Copy forest daemon and cli binaries from the build-env
COPY --from=build-env --chown=${SERVICE_USER}:${SERVICE_GROUP} /forest_out/* /usr/local/bin/

# Initialize data directory with proper permissions
RUN mkdir -p ${DATA_DIR} && \
chown -R ${SERVICE_USER}:${SERVICE_GROUP} ${DATA_DIR}

USER ${SERVICE_USER}
WORKDIR /home/${SERVICE_USER}
COPY --from=build-env /forest_out/* /usr/local/bin/

# Basic verification of dynamically linked dependencies
RUN forest -V && forest-cli -V && forest-tool -V
RUN forest -V && forest-cli -V && forest-tool -V && forest-wallet -V

ENTRYPOINT ["forest"]
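
Review bot: With `USER ${SERVICE_USER}` removed and nothing replacing it, `ENTRYPOINT ["forest"]` starts the daemon as UID 0 in the slim image, and because the `addgroup`/`adduser` lines go too, the image no longer ships any unprivileged account to fall back on. Consider keeping the user and group creation and dropping only the `USER` line, so `--user forest` still resolves for operators who want it. The added `forest-wallet -V` check is unrelated to the default-user change and appears in neither the commit title nor the changelog entry; it would read better as its own commit.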

14 changes: 2 additions & 12 deletions Dockerfile-alpine
Expand Up @@ -45,25 +45,15 @@ RUN --mount=type=cache,sharing=private,target=/root/.cargo/registry \
##
FROM alpine:3

ARG SERVICE_USER=forest
ARG SERVICE_GROUP=forest

# Install binary dependencies
RUN apk update && \
apk add --no-cache ca-certificates
RUN update-ca-certificates

# Create user and group and assign appropriate rights to the forest binaries
RUN addgroup --gid 1000 ${SERVICE_GROUP} && \
adduser --uid 1000 --ingroup ${SERVICE_GROUP} --disabled-password --gecos "" ${SERVICE_USER}

# Copy forest daemon and cli binaries from the build-env
COPY --from=build-env --chown=${SERVICE_USER}:${SERVICE_GROUP} /forest_out/* /usr/local/bin/

USER ${SERVICE_USER}
WORKDIR /home/${SERVICE_USER}
COPY --from=build-env /forest_out/* /usr/local/bin/

# Basic verification of dynamically linked dependencies
RUN forest -V && forest-cli -V && forest-tool -V
RUN forest -V && forest-cli -V && forest-tool -V && forest-wallet -V

ENTRYPOINT ["forest"]
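
Review bot: Dropping `WORKDIR /home/${SERVICE_USER}` without a replacement leaves the Alpine image starting in `/` as root, so anything the binaries write relative to the working directory lands in the filesystem root. Setting `WORKDIR /root` would keep such files next to the new data directory; the same applies to the matching removal in `Dockerfile`.
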
4 changes: 2 additions & 2 deletions documentation/src/docker.md
Expand Up @@ -84,12 +84,12 @@ docker volume create forest-data
```

Now, whenever you create a new Forest container, attach the volume to where the
data is stored `/home/forest/.local/share/forest`.
data is stored `/root/.local/share/forest`.

```shell
❯ docker run --init -it --rm \
--ulimit nofile=8192 \
--volume forest-data:/home/forest/.local/share/forest \
--volume forest-data:/root/.local/share/forest \
--name forest ghcr.io/chainsafe/forest:latest --chain calibnet
--auto-download-snapshot
```
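
Review bot: The updated `--volume forest-data:/root/.local/share/forest` line is right, but a reader who keeps the old `/home/forest/.local/share/forest` target gets no error: the container still starts and the node writes to `/root/.local/share/forest` in the container layer, which `--rm` discards on exit. A short note beside this command saying so would help. Separately, in the unchanged context, the `--name forest ... --chain calibnet` line has no trailing `\`, so `--auto-download-snapshot` is not passed to `docker run` when the block is pasted.
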
3 changes: 0 additions & 3 deletions scripts/devnet/docker-compose.yml
Expand Up @@ -157,7 +157,6 @@ services:
- lotus net id > ${LOTUS_DATA_DIR}/PEER_ID

forest:
user: root
depends_on:
lotus_config:
condition: service_completed_successfully
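
Review bot: Removing `user: root` from `forest` (and from `forest_offline` and `forest_connecter` in the next two hunks) makes the devnet depend on the image's default user instead of stating it. Keeping the key explicit costs three lines and keeps this compose file working against images built before this commit, where the default user is `forest`.
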
Expand Down Expand Up @@ -208,7 +207,6 @@ services:
forest --genesis ${LOTUS_DATA_DIR}/devgen.car --config ${FOREST_DATA_DIR}/forest_config.toml --save-token ${FOREST_DATA_DIR}/token.jwt --rpc-address 0.0.0.0:${FOREST_RPC_PORT}
forest_offline:
user: root
depends_on:
lotus_config:
condition: service_completed_successfully
Expand Down Expand Up @@ -257,7 +255,6 @@ services:
# At the moment of writing, Forest was not able to connect to a devnet node using its config.
# This is a workaround to force the connection.
forest_connecter:
user: root
depends_on:
forest:
condition: service_healthy
