ORA-190 Refactor upshot-compute-node Dockerfile and push to ECS (#9)

.github/workflows/build_push_ecr.yml

@@ -0,0 +1,54 @@
+# This workflow will build and push a new container image to Amazon ECR,
+# and then will deploy a new task definition to Amazon ECS which will be run by Fargate when a release is created
+name: Build and Push docker image to ECR
+
+on:
+  push:
+    branches:
+      - staging
+      - vlad/ora-190-ensure-all-repos-are-deployable-on-aws-cloud-with-a-merge
+
+concurrency:
+  group: ${{ github.ref  }}
+  cancel-in-progress: true
+jobs:
+  deploy-staging:
+    name: Build and Push docker image
+    runs-on: ubuntu-latest
+    environment: staging
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build, tag, and push image to Amazon ECR
+        id: compute-node-build-image
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: upshot-compute-node-staging
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          # Build a docker container and push it to ECR so that it can be deployed to ECS.
+          # To build it with particular BLS_EXTENSION version pass --build-arg "BLS_EXTENSION_VER=RELEASE_NAME"
+          # If BLS_EXTENSION_VER is not passed will be built with the latest available version
+          docker build -f docker/Dockerfile \
+              --build-arg "GH_TOKEN=${{ secrets.GHCR_TOKEN }}" \
+              -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+
+          # Tag and push with latest
+          docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+

docker/Dockerfile

@@ -1,55 +1,99 @@
-FROM --platform=linux/amd64 ubuntu:latest 
+FROM --platform=linux/amd64 golang:1.21-bookworm AS builder
 
-ARG ghcr_token
+WORKDIR /src
+
+ADD . /src
+
+RUN go mod download && \
+    make all
+
+###########################
+FROM --platform=linux/amd64 python:3.12-slim-bookworm
 
 WORKDIR /app
 
 ## curl, unzip other utilities
-RUN apt-get update && \
-  apt-get install --no-install-recommends --assume-yes curl unzip pv ca-certificates gnupg2 python3 python3-pip
+#! libssl-dev - BLS_RUNTIME dependency
+#! gh - to doenaload release from priv repo
+RUN apt update && \
+    apt -y dist-upgrade && \
+    apt install -y --no-install-recommends \
+      tzdata \
+      curl \
+      unzip \
+      ca-certificates \
+      gh && \
+    rm -rf /var/cache/apt/*
+      # libssl-dev \  # - temporary use libssl 1.1 TODO: Should use fresher libssl
+
+# libssl 1.1
+RUN curl -o ./libssl.deb -sSL http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.0g-2ubuntu4_amd64.deb && \
+    dpkg -i ./libssl.deb && \
+    rm ./libssl.deb
 
 # gomplete for updating config with env vars
-RUN curl -o ./gomplate -sSL https://github.com/hairyhenderson/gomplate/releases/download/v3.10.0/gomplate_linux-amd64
-RUN chmod 755 gomplate
+RUN GOMPLATE_VER="v3.11.6" && \
+    curl -o /usr/local/bin/gomplate -sSL https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VER}/gomplate_linux-amd64 && \
+    chmod 755 /usr/local/bin/gomplate
 
 # get the runtime
 RUN curl -o ./runtime.tar.gz -sSL https://github.com/blocklessnetwork/runtime/releases/download/v0.3.1/blockless-runtime.ubuntu-20.04.x86_64.tar.gz
 RUN mkdir /app/runtime && tar -xvkf ./runtime.tar.gz -C /app/runtime
 RUN python3 -m pip install --upgrade pip
 
-# get the upshot-extension
-RUN curl -L -s -H "Authorization: token ${ghcr_token}" -H 'Accept:application/octet-stream' "https://api.github.com/repos/upshot-tech/upshot-blockless-extension/releases/assets/144563646" -o upshot-extension.tar.gz
-RUN mkdir /app/runtime/extensions && tar -xvkf ./upshot-extension.tar.gz -C /app/runtime/extensions
+ARG GH_TOKEN
+ARG BLS_EXTENSION_VER
+# If BLS_EXTENSION_VER install the version else install latest
+RUN if [ -n $BLS_EXTENSION_VER]; then \
+      gh release download $BLS_EXTENSION_VER \
+        --repo "upshot-tech/upshot-blockless-extension" \
+        --pattern '*linux-amd64.tar.gz' \
+        --output upshot-extension.tar.gz; \
+    else \
+      gh release download $(gh release list --repo "upshot-tech/upshot-blockless-extension" | grep Latest | awk '{print($1)}') \
+        --repo "upshot-tech/upshot-blockless-extension" \
+        --pattern '*linux-amd64.tar.gz' \
+        --output upshot-extension.tar.gz; \
+    fi && \
+    mkdir -p /app/runtime/extensions && \
+    tar -xvkf ./upshot-extension.tar.gz -C /app/runtime/extensions && \
+    rm ./upshot-extension.tar.gz
 
-# libssl 1.1
-RUN curl -o ./libssl.deb -sSL http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.0g-2ubuntu4_amd64.deb
-RUN dpkg -i ./libssl.deb
+## setup
+RUN mkdir /app/keys
+COPY --from=builder /src/dist/upshot-node upshot-node
+COPY --from=builder /src/dist/upshot-keys upshot-keys
+
+# Smoke test
+RUN /app/runtime/bls-runtime --help && \
+    /app/runtime/extensions/upshot-blockless-extension --help
 
+# TODO: to decrease number of installed tools, => size of the image and Increase security posture
+#       should move aws cli into another image
 # Install AWS CLI so we can use to backup to IPFS s3 compatible storage providers
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
   && unzip awscliv2.zip -d /usr/src && rm -f awscliv2.zip \
   && /usr/src/aws/install --bin-dir /usr/bin
 
-## setup 
-RUN mkdir /app/keys
-COPY ./dist/upshot-node upshot-node
-COPY ./dist/upshot-keys upshot-keys
-
 ## run script
 COPY ./docker/run.sh ./run.sh
 RUN chmod +x ./run.sh
 
 ENV AWS_ACCESS_KEY_ID=
 ENV AWS_SECRET_ACCESS_KEY=
 ENV S3_HOST="${S3_HOST:-https://s3.filebase.com}"
+
 ENV KEY_PATH=""
 ENV KEY_PASSWORD=""
 ENV CHAIN_RPC_NODE="http://0.0.0.0:26657"
 ENV NODE_KEY_PATH=/app/keys/priv.bin
 ENV WORKSPACE_ROOT=/tmp/node
-ENV RUNETIME_PATH=/app/runtime 
+ENV RUNETIME_PATH=/app/runtime
 ENV REST_API=8080
 ENV P2P_PORT=9527
 
+EXPOSE 8080 9527
+# VOLUME ${APP_PATH}
+
 ## run script
-ENTRYPOINT ["/app/run.sh"]
+ENTRYPOINT ["/app/run.sh"]