Dockerfile Parts (#428)

* De-duplicate Dockerfiles by using a bash file to concatenate common parts Resolves #375. Dockerfiles are still committed to the repo to avoid a dependency on bash. * Add a CI job to confirm the committed dockerfiles are the currently generated ones * Create dedicated Dockerfiles per processor network Ensures the compromising of network-specific dependencies doesn't lead to a compromise of the build process for all processors. * Dockerfile corrections * Correct call to build processor Docker image in tests/processor
2025-12-09 04:39:24 +00:00 · 2023-11-12 23:55:15 -05:00
parent c328e5ea68
commit 351436a258
32 changed files with 511 additions and 154 deletions
--- a/orchestration/coins/bitcoin/Dockerfile
+++ b/orchestration/coins/bitcoin/Dockerfile
@@ -1,10 +1,17 @@
-# Configure Environment
-FROM alpine:latest as builder
+FROM debian:bookworm-slim as mimalloc
+
+RUN apt update && apt upgrade -y && apt install -y gcc g++ make cmake git
+RUN git clone https://github.com/microsoft/mimalloc && \
+  cd mimalloc && \
+  mkdir -p out/secure && \
+  cd out/secure && \
+  cmake -DMI_SECURE=ON ../.. && \
+  make && \
+  cp ./libmimalloc-secure.so ../../../libmimalloc.so
+FROM alpine:latest as bitcoin

 ENV BITCOIN_VERSION=25.1

-WORKDIR /home/bitcoin
-
 RUN apk --no-cache add git gnupg

 # Download Bitcoin
@@ -23,34 +30,18 @@ RUN grep bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz SHA256SUMS | sha256s
 # Prepare Image
 RUN tar xzvf bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz
 RUN mv bitcoin-${BITCOIN_VERSION}/bin/bitcoind .
-
-# Also build mimalloc
-FROM debian:bookworm-slim as mimalloc
-
-RUN apt update && apt upgrade -y && apt install -y gcc g++ make cmake git
-RUN git clone https://github.com/microsoft/mimalloc && \
-  cd mimalloc && \
-  mkdir -p out/secure && \
-  cd out/secure && \
-  cmake -DMI_SECURE=ON ../.. && \
-  make && \
-  cp ./libmimalloc-secure.so ../../../libmimalloc.so
-
-# Build the actual image
 FROM debian:bookworm-slim as image

 COPY --from=mimalloc libmimalloc.so /usr/lib
 RUN echo "/usr/lib/libmimalloc.so" >> /etc/ld.so.preload

-# Upgrade packages
 RUN apt update && apt upgrade -y && apt autoremove -y && apt clean
-
 # Switch to a non-root user
 RUN useradd --system --create-home --shell /sbin/nologin bitcoin
 USER bitcoin
 WORKDIR /home/bitcoin

-COPY --from=builder --chown=bitcoin /home/bitcoin/bitcoind /bin
+COPY --from=bitcoin --chown=bitcoin bitcoind /bin
 COPY ./scripts /scripts

 EXPOSE 8332 8333 18332 18333 18443 18444
--- a/orchestration/coins/bitcoin/Dockerfile.bitcoin
+++ b/orchestration/coins/bitcoin/Dockerfile.bitcoin
@@ -0,0 +1,22 @@
+FROM alpine:latest as bitcoin
+
+ENV BITCOIN_VERSION=25.1
+
+RUN apk --no-cache add git gnupg
+
+# Download Bitcoin
+RUN wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz \
+  && wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS \
+  && wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS.asc
+
+# Verify all sigs and check for a valid signature from laanwj -- 71A3
+RUN git clone https://github.com/bitcoin-core/guix.sigs && \
+  cd guix.sigs/builder-keys && \
+  find . -iname '*.gpg' -exec gpg --import {} \; && \
+  gpg --verify --status-fd 1 --verify ../../SHA256SUMS.asc ../../SHA256SUMS | grep "^\[GNUPG:\] VALIDSIG.*71A3B16735405025D447E8F274810B012346C9A6"
+
+RUN grep bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz SHA256SUMS | sha256sum -c
+
+# Prepare Image
+RUN tar xzvf bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz
+RUN mv bitcoin-${BITCOIN_VERSION}/bin/bitcoind .
--- a/orchestration/coins/bitcoin/Dockerfile.bitcoin.end
+++ b/orchestration/coins/bitcoin/Dockerfile.bitcoin.end
@@ -0,0 +1,10 @@
+# Switch to a non-root user
+RUN useradd --system --create-home --shell /sbin/nologin bitcoin
+USER bitcoin
+WORKDIR /home/bitcoin
+
+COPY --from=bitcoin --chown=bitcoin bitcoind /bin
+COPY ./scripts /scripts
+
+EXPOSE 8332 8333 18332 18333 18443 18444
+# VOLUME ["/home/bitcoin/.bitcoin"]
--- a/orchestration/coins/monero/Dockerfile
+++ b/orchestration/coins/monero/Dockerfile
@@ -1,4 +1,14 @@
-FROM alpine:latest as builder
+FROM alpine:latest as mimalloc
+
+RUN apk update && apk upgrade && apk --no-cache add gcc g++ libc-dev make cmake git
+RUN git clone https://github.com/microsoft/mimalloc && \
+  cd mimalloc && \
+  mkdir -p out/secure && \
+  cd out/secure && \
+  cmake -DMI_SECURE=ON ../.. && \
+  make && \
+  cp ./libmimalloc-secure.so ../../../libmimalloc.so
+FROM alpine:latest as monero

 # https://downloads.getmonero.org/cli/monero-linux-x64-v0.18.3.1.tar.bz2
 # Verification will fail if MONERO_VERSION doesn't match the latest
@@ -8,17 +18,6 @@ FROM alpine:latest as builder
 # Most publish a asc file for each release / build architecture ¯\_(ツ)_/¯
 ENV MONERO_VERSION=0.18.3.1

-WORKDIR /home/monero
-
-RUN apk update && apk --no-cache add gcc g++ libc-dev make cmake git
-RUN git clone https://github.com/microsoft/mimalloc && \
-  cd mimalloc && \
-  mkdir -p out/secure && \
-  cd out/secure && \
-  cmake -DMI_SECURE=ON ../.. && \
-  make && \
-  cp ./libmimalloc-secure.so ../../../libmimalloc.so
-
 RUN apk --no-cache add gnupg

 # Download Monero
@@ -30,17 +29,15 @@ RUN gpg --keyserver hkp://keyserver.ubuntu.com:80 --keyserver-options no-self-si
  gpg --verify hashes-v${MONERO_VERSION}.txt && \
  grep "$(sha256sum monero-linux-x64-v${MONERO_VERSION}.tar.bz2 | cut -c 1-64)" hashes-v${MONERO_VERSION}.txt

-# Cleanup
+# Extract it
 RUN tar -xvjf monero-linux-x64-v${MONERO_VERSION}.tar.bz2 --strip-components=1
-
-# Build the actual image
 FROM alpine:latest as image

-COPY --from=builder /home/monero/libmimalloc.so /usr/lib
+COPY --from=mimalloc libmimalloc.so /usr/lib
 ENV LD_PRELOAD=libmimalloc.so

-# Upgrade packages
-RUN apk update && apk upgrade && apk --no-cache add gcompat
+RUN apk update && apk upgrade
+RUN apk --no-cache add gcompat

 # Switch to a non-root user
 # System user (not a human), shell of nologin, no password assigned
@@ -48,7 +45,7 @@ RUN adduser -S -s /sbin/nologin -D monero
 USER monero

 WORKDIR /home/monero
-COPY --from=builder --chown=monero /home/monero/monerod /bin
+COPY --from=monero --chown=monero monerod /bin
 ADD scripts /scripts

 EXPOSE 18080 18081
--- a/orchestration/coins/monero/Dockerfile.monero
+++ b/orchestration/coins/monero/Dockerfile.monero
@@ -0,0 +1,23 @@
+FROM alpine:latest as monero
+
+# https://downloads.getmonero.org/cli/monero-linux-x64-v0.18.3.1.tar.bz2
+# Verification will fail if MONERO_VERSION doesn't match the latest
+# due to the way monero publishes releases. They overwrite a single hashes.txt
+# file with each release, meaning we can only grab the SHA256 of the latest
+# release.
+# Most publish a asc file for each release / build architecture ¯\_(ツ)_/¯
+ENV MONERO_VERSION=0.18.3.1
+
+RUN apk --no-cache add gnupg
+
+# Download Monero
+RUN wget https://downloads.getmonero.org/cli/monero-linux-x64-v${MONERO_VERSION}.tar.bz2
+
+# Verify Binary -- fingerprint from https://github.com/monero-project/monero-site/issues/1949
+ADD ./temp/hashes-v${MONERO_VERSION}.txt .
+RUN gpg --keyserver hkp://keyserver.ubuntu.com:80 --keyserver-options no-self-sigs-only --receive-keys 81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92 && \
+  gpg --verify hashes-v${MONERO_VERSION}.txt && \
+  grep "$(sha256sum monero-linux-x64-v${MONERO_VERSION}.tar.bz2 | cut -c 1-64)" hashes-v${MONERO_VERSION}.txt
+
+# Extract it
+RUN tar -xvjf monero-linux-x64-v${MONERO_VERSION}.tar.bz2 --strip-components=1
--- a/orchestration/coins/monero/Dockerfile.monero.end
+++ b/orchestration/coins/monero/Dockerfile.monero.end
@@ -0,0 +1,13 @@
+RUN apk --no-cache add gcompat
+
+# Switch to a non-root user
+# System user (not a human), shell of nologin, no password assigned
+RUN adduser -S -s /sbin/nologin -D monero
+USER monero
+
+WORKDIR /home/monero
+COPY --from=monero --chown=monero monerod /bin
+ADD scripts /scripts
+
+EXPOSE 18080 18081
+# VOLUME /home/monero/.bitmonero