diff --git a/.github/workflows/build_push_ecr.yml b/.github/workflows/build_push_ecr.yml index 8e46065..0e1ca85 100644 --- a/.github/workflows/build_push_ecr.yml +++ b/.github/workflows/build_push_ecr.yml @@ -50,7 +50,7 @@ jobs: ECR_REPOSITORY_HEAD="${ECR_REPOSITORY}-head" docker build --pull -f docker/Dockerfile_head \ - --build-arg "GH_TOKEN=${{ secrets.GHCR_TOKEN }}" \ + --build-arg "GH_TOKEN=${{ secrets.GH_READONLY_PAT }}" \ -t $ECR_REGISTRY/$ECR_REPOSITORY_HEAD:$IMAGE_TAG . docker push $ECR_REGISTRY/$ECR_REPOSITORY_HEAD:$IMAGE_TAG @@ -62,8 +62,8 @@ jobs: # Build a docker container and push it to ECR so that it can be deployed to ECS. # compute-node workers - docker build --pull -f docker/Dockerfile \ - --build-arg "GH_TOKEN=${{ secrets.GHCR_TOKEN }}" \ + docker build --pull -f docker/Dockerfile_worker \ + --build-arg "GH_TOKEN=${{ secrets.GH_READONLY_PAT }}" \ -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG diff --git a/docker/Dockerfile b/docker/Dockerfile deleted file mode 100644 index 7e07820..0000000 --- a/docker/Dockerfile +++ /dev/null 
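Review bot: The renamed secret is still passed to the image build as `--build-arg "GH_TOKEN=${{ secrets.GH_READONLY_PAT }}"`, here and in the compute-node build in the next hunk, and build arguments are recorded in image metadata. `docker/Dockerfile_worker` declares `ARG GH_TOKEN` in its final stage ahead of a `RUN`, so the value can be read back with `docker history` from the image that is pushed to ECR. Pass it as a BuildKit secret instead, e.g. `--secret id=gh_token,env=GH_TOKEN` with `GH_TOKEN` set in the step's `env:`, and consume it in the Dockerfiles with `RUN --mount=type=secret,id=gh_token`. The builder stages also write the token into the global git config through `url."https://${GH_TOKEN}@github.com".insteadOf`, which stays in that stage's layers and build cache. A read-only PAT, as the new secret name suggests, limits the damage but does not remove the exposure.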
@@ -1,104 +0,0 @@
-FROM --platform=linux/amd64 golang:1.21-bookworm AS builder
-
-WORKDIR /src
-
-ADD . /src
-
-ARG GH_TOKEN
-
-RUN git config --global url."https://${GH_TOKEN}@github.com".insteadOf "https://github.com"
-ENV GOPRIVATE="github.com/upshot-tech/"
-RUN go mod download && \
- go mod tidy && \
- make all
-
-###########################
-FROM --platform=linux/amd64 python:3.12-slim-bookworm
-
-WORKDIR /app
-
-## curl, unzip other utilities
-#! libssl-dev - BLS_RUNTIME dependency
-#! gh - to doenaload release from priv repo
-RUN apt update && \
- apt -y dist-upgrade && \
- apt install -y --no-install-recommends \
- tzdata \
- curl \
- unzip \
- ca-certificates \
- gh && \
- rm -rf /var/cache/apt/* && \
- python3 -m pip install --upgrade pip
- # libssl-dev \ # - temporary use libssl 1.1 TODO: Should use fresher libssl
-
-# libssl 1.1
-RUN curl -o ./libssl.deb -sSL http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.0g-2ubuntu4_amd64.deb && \
- dpkg -i ./libssl.deb && \
- rm ./libssl.deb
-
-# gomplete for updating config with env vars
-RUN GOMPLATE_VER="v3.11.6" && \
- curl -o /usr/local/bin/gomplate -sSL https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VER}/gomplate_linux-amd64 && \
- chmod 755 /usr/local/bin/gomplate
-
-# get the runtime
-RUN curl -o ./runtime.tar.gz -sSL https://github.com/blocklessnetwork/runtime/releases/download/v0.3.1/blockless-runtime.ubuntu-20.04.x86_64.tar.gz && \
- mkdir /app/runtime && tar -xvkf ./runtime.tar.gz -C /app/runtime
-
-ARG GH_TOKEN
-ARG BLS_EXTENSION_VER
-# If BLS_EXTENSION_VER install the version else install latest
-RUN if [ -n $BLS_EXTENSION_VER]; then \
- gh release download $BLS_EXTENSION_VER \
- --repo "upshot-tech/upshot-blockless-extension" \
- --pattern '*linux-amd64.tar.gz' \
- --output upshot-extension.tar.gz; \
- else \
- gh release download $(gh release list --repo "upshot-tech/upshot-blockless-extension" | grep Latest | awk '{print($1)}') \
- --repo "upshot-tech/upshot-blockless-extension" \
- --pattern '*linux-amd64.tar.gz' \
- --output upshot-extension.tar.gz; \
- fi && \
- mkdir -p /app/runtime/extensions && \
- tar -xvkf ./upshot-extension.tar.gz -C /app/runtime/extensions && \
- rm ./upshot-extension.tar.gz
-
-## setup
-RUN mkdir /app/keys
-COPY --from=builder /src/dist/upshot-node upshot-node
-COPY --from=builder /src/dist/upshot-keys upshot-keys
-
-# Smoke test
-RUN /app/runtime/bls-runtime --help && \
- /app/runtime/extensions/upshot-blockless-extension --help
-
-# TODO: to decrease number of installed tools, => size of the image and Increase security posture
-# should move aws cli into another image
-# Install AWS CLI so we can use to backup to IPFS s3 compatible storage providers
-RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
- && unzip awscliv2.zip -d /usr/src && rm -f awscliv2.zip \
- && /usr/src/aws/install --bin-dir /usr/bin
-
-## run script
-COPY ./docker/run.sh ./run.sh
-RUN chmod +x ./run.sh
-
-ENV AWS_ACCESS_KEY_ID=
-ENV AWS_SECRET_ACCESS_KEY=
-ENV S3_HOST="${S3_HOST:-https://s3.filebase.com}"
-ENV KEY_PATH=""
-ENV KEY_PASSWORD=""
-ENV CHAIN_RPC_NODE="http://0.0.0.0:26657"
-ENV NODE_KEY_PATH=/app/keys/priv.bin
-ENV WORKSPACE_ROOT=/tmp/node
-ENV RUNETIME_PATH=/app/runtime
-ENV REST_API=8080
-ENV P2P_PORT=9527
-ENV GH_TOKEN=$GH_TOKEN
-
-EXPOSE 8080 9527
-# VOLUME ${APP_PATH}
-
-## run script
-ENTRYPOINT ["/app/run.sh"]
diff --git a/docker/Dockerfile.Operator b/docker/Dockerfile.Operator
index 3fa991d..4b308f3 100644
--- a/docker/Dockerfile.Operator
+++ b/docker/Dockerfile.Operator
@@ -1,5 +1,5 @@
 # syntax = devthefuture/dockerfile-x
-FROM ./docker/Dockerfile
+FROM ./docker/Dockerfile_worker
 COPY ./docker/requirements.txt /tmp/
 RUN pip install --requirement /tmp/requirements.txt
 COPY . /tmp/
\ No newline at end of file
diff --git a/docker/Dockerfile_head b/docker/Dockerfile_head
index f83e5b3..64f7331 100644
--- a/docker/Dockerfile_head
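Review bot: With the base switched to `./docker/Dockerfile_worker`, `RUN pip install --requirement /tmp/requirements.txt` now appears to run as the unprivileged `appuser` that the new base selects with `USER ${USERNAME}`, whereas the deleted `docker/Dockerfile` never left root (this assumes the included file's final-stage settings carry over). pip would presumably fall back to a per-user install under that user's home, which the base sets to `/data` and also declares as a `VOLUME`, so the packages may be hidden once a volume is mounted there. Consider `USER root` before the install and switching back to the unprivileged user afterwards, or installing into a virtualenv outside `/data`. The inherited `ENTRYPOINT` also changes from `/app/run.sh` to `upshot-node`; confirm the operator image expects that.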
+++ b/docker/Dockerfile_head
@@ -1,14 +1,13 @@
 FROM --platform=linux/amd64 golang:1.21-bookworm AS builder
-WORKDIR /src
 ADD . /src
-
+WORKDIR /src
 ARG GH_TOKEN
-
 RUN git config --global url."https://${GH_TOKEN}@github.com".insteadOf "https://github.com"
 ENV GOPRIVATE="github.com/upshot-tech/"
 RUN go mod download && \
+ go mod tidy && \
 make all
 ###########################
diff --git a/docker/Dockerfile_worker b/docker/Dockerfile_worker
new file mode 100644
index 0000000..97c9a75
--- /dev/null
+++ b/docker/Dockerfile_worker
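Review bot: The added `go mod tidy` in the builder `RUN` lets the image build rewrite `go.mod` and `go.sum` inside the container, so a build can succeed and add or change module requirements even when the committed files are out of date, and what ships is no longer fixed by the repository. Keep the build step to `go mod download && go mod verify && make all` and run `go mod tidy` in CI as a check that fails on drift. This matters more here because `GOPRIVATE` exempts the `github.com/upshot-tech/` modules from the public checksum database. `ADD . /src` could also be `COPY . /src`, since nothing is extracted or fetched. The second stage of this file lies outside the hunk.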
@@ -0,0 +1,87 @@
+FROM --platform=linux/amd64 golang:1.21-bookworm AS builder
+
+ADD . /src
+WORKDIR /src
+ARG GH_TOKEN
+RUN git config --global url."https://${GH_TOKEN}@github.com".insteadOf "https://github.com"
+ENV GOPRIVATE="github.com/upshot-tech/"
+
+RUN go mod download && \
+ go mod tidy && \
+ make all
+
+###########################
+FROM --platform=linux/amd64 python:3.12-slim-bookworm
+ENV DEBIAN_FRONTEND=noninteractive \
+ USERNAME=appuser \
+ APP_PATH=/data
+
+## curl, unzip other utilities
+#! libssl-dev - BLS_RUNTIME dependency # - temporary use libssl 1.1 TODO: Should use fresher libssl
+#! gh - to downaload release from priv repo
+RUN apt update && \
+ apt -y dist-upgrade && \
+ apt install -y --no-install-recommends \
+ tzdata \
+ ca-certificates \
+ libssl-dev \
+ gh && \
+ echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list && \
+ apt update && \
+ apt install -y --no-install-recommends -t testing \
+ zlib1g \
+ libgnutls30 \
+ perl-base \
+ libsqlite3-0 && \
+ rm -rf /var/cache/apt/* && \
+ python3 -m pip install --upgrade pip
+
+ENV BLS_RUNTIME="v0.3.1" \
+ RUNETIME_PATH=/app/runtime
+
+WORKDIR /tmp
+ADD https://github.com/blocklessnetwork/runtime/releases/download/${BLS_RUNTIME}/blockless-runtime.linux-latest.x86_64.tar.gz /tmp/runtime.tar.gz
+RUN mkdir -p /app/runtime && \
+ tar -xvkf /tmp/runtime.tar.gz -C /app/runtime && \
+ rm /tmp/runtime.tar.gz
+# ENV RUNETIME_PATH=/app/runtime
+
+# RUN BLS_RUNTIME="v0.3.1" && \
+# curl -o ./runtime.tar.gz -sSL https://github.com/blocklessnetwork/runtime/releases/download/${BLS_RUNTIME}/blockless-runtime.linux-latest.x86_64.tar.gz && \
+# mkdir -p /app/runtime && tar -xvkf ./runtime.tar.gz -C /app/runtime
+# ENV RUNETIME_PATH=/app/runtime
+
+ARG GH_TOKEN
+ARG BLS_EXTENSION_VER
+# If BLS_EXTENSION_VER install the version else install latest
+RUN if [ -n $BLS_EXTENSION_VER]; then \
+ gh release download $BLS_EXTENSION_VER \
+ --repo "upshot-tech/upshot-blockless-extension" \
+ --pattern '*linux-amd64.tar.gz' \
+ --output upshot-extension.tar.gz; \
+ else \
+ gh release download $(gh release list --repo "upshot-tech/upshot-blockless-extension" | grep Latest | awk '{print($1)}') \
+ --repo "upshot-tech/upshot-blockless-extension" \
+ --pattern '*linux-amd64.tar.gz' \
+ --output upshot-extension.tar.gz; \
+ fi && \
+ mkdir -p /app/runtime/extensions && \
+ tar -xvkf ./upshot-extension.tar.gz -C /app/runtime/extensions && \
+ rm ./upshot-extension.tar.gz
+
+COPY --from=builder /src/dist/upshot-node /usr/local/bin/upshot-node
+COPY --from=builder /src/dist/upshot-keys /usr/local/bin/upshot-keys
+
+# Smoke test
+RUN /app/runtime/bls-runtime --help && \
+ /app/runtime/extensions/upshot-blockless-extension --help
+
+RUN groupadd -g 1001 ${USERNAME} \
+ && useradd -m -d ${APP_PATH} -u 1001 -g 1001 ${USERNAME}
+
+USER ${USERNAME}
+
+VOLUME ${APP_PATH}
+EXPOSE 8080 9527
+
+ENTRYPOINT ["upshot-node"]
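Review bot: The version test `if [ -n $BLS_EXTENSION_VER]; then` is malformed: the variable is unquoted and there is no space before `]`, so a supplied `BLS_EXTENSION_VER` makes `[` fail on the missing bracket and the `else` branch installs whatever release is marked Latest, silently ignoring the pin. Write it as `if [ -n "$BLS_EXTENSION_VER" ]; then`. Neither download is integrity-checked: `ADD https://github.com/blocklessnetwork/runtime/...` carries no `--checksum` digest and the extension tarball is unpacked straight after `gh release download`, so a replaced release asset would be built into the image unnoticed; pin both to recorded SHA-256 digests. Appending `deb http://deb.debian.org/debian testing main` to `/etc/apt/sources.list` on a bookworm base mixes releases for every later `apt install`, including those in derived images; a dedicated source file with apt pinning, or a newer base image, would contain that.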