f726587ac6
Running Dockerfile.slim with a fresh named volume crashed on startup:
[NODE] open chain: open badger: Error Creating Dir: "/data/chain"
error: mkdir /data/chain: permission denied
Docker copies the mount-point's directory ownership (from the image)
into a new named volume at first attach. In the previous Dockerfile
/data was created implicitly by the VOLUME directive, which means it
was owned by root — but the container runs as the unprivileged
`dchain` user, so it couldn't `mkdir /data/chain` on first boot.
Fix: explicitly `mkdir /data && chown dchain:dchain /data` in the
same RUN that creates the user, before the VOLUME directive. Fresh
volumes now inherit dchain:dchain ownership automatically; no
operator-side `docker run --user root chown` workaround needed.
Operators already running with a root-owned volume from before this
fix need to chown once manually:
docker run --rm -v dchain_data:/data --user root alpine \
sh -c 'chown -R 100:101 /data'
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
72 lines
2.6 KiB
Docker
72 lines
2.6 KiB
Docker
# Production image for dchain-node.
|
|
#
|
|
# Differs from the repo-root Dockerfile in two ways:
|
|
# 1. No testdata / contract WASMs baked in — a fresh node uses the native
|
|
# username_registry (shipped in-binary) and starts with an empty keys
|
|
# directory; identities and optional WASM contracts come in via
|
|
# mounted volumes or docker-compose bind mounts.
|
|
# 2. Builds only `node` and `client` — no wallet/peerid helpers that
|
|
# aren't needed in production.
|
|
#
|
|
# The resulting image is ~20 MB vs ~60 MB for the dev one, and has no
|
|
# pre-installed keys that an attacker could exploit to impersonate a
|
|
# testnet validator.
|
|
|
|
# ---- build stage ----
|
|
FROM golang:1.25-alpine AS builder
|
|
WORKDIR /app
|
|
|
|
COPY go.mod go.sum ./
|
|
RUN go mod download
|
|
|
|
COPY . .
|
|
|
|
# Build-time version metadata. All four args are injected via -ldflags -X
|
|
# into go-blockchain/node/version so `node --version` and
|
|
# /api/well-known-version report the real commit, not the "dev" default.
|
|
# Callers pass these with `docker build --build-arg VERSION_TAG=... …`;
|
|
# the deploy/single/update.sh script derives them from git automatically.
|
|
ARG VERSION_TAG=dev
|
|
ARG VERSION_COMMIT=none
|
|
ARG VERSION_DATE=unknown
|
|
ARG VERSION_DIRTY=false
|
|
|
|
RUN LDFLAGS="-s -w \
|
|
-X go-blockchain/node/version.Tag=${VERSION_TAG} \
|
|
-X go-blockchain/node/version.Commit=${VERSION_COMMIT} \
|
|
-X go-blockchain/node/version.Date=${VERSION_DATE} \
|
|
-X go-blockchain/node/version.Dirty=${VERSION_DIRTY}" && \
|
|
CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="$LDFLAGS" -o /bin/node ./cmd/node && \
|
|
CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="$LDFLAGS" -o /bin/client ./cmd/client
|
|
|
|
# ---- runtime stage ----
|
|
FROM alpine:3.19
|
|
|
|
RUN apk add --no-cache ca-certificates tzdata
|
|
|
|
# Run as unprivileged user by default. Operators can override with --user root
|
|
# if they need to bind privileged ports (shouldn't be necessary behind Caddy).
|
|
#
|
|
# IMPORTANT: /data must exist + be owned by dchain BEFORE the VOLUME
|
|
# directive. Docker copies the directory ownership of the mount point
|
|
# into any fresh named volume at first-attach time; skip this and
|
|
# operators get "mkdir: permission denied" when the node tries to
|
|
# create /data/chain as the dchain user.
|
|
RUN addgroup -S dchain && adduser -S -G dchain dchain \
|
|
&& mkdir -p /data \
|
|
&& chown dchain:dchain /data
|
|
|
|
COPY --from=builder /bin/node /usr/local/bin/node
|
|
COPY --from=builder /bin/client /usr/local/bin/client
|
|
|
|
USER dchain
|
|
|
|
# Default data location; override in compose with a named volume.
|
|
VOLUME /data
|
|
|
|
# libp2p P2P port + HTTP (serves /api/*, /metrics, /api/ws).
|
|
EXPOSE 4001/tcp
|
|
EXPOSE 8080/tcp
|
|
|
|
ENTRYPOINT ["/usr/local/bin/node"]
|