Can not run docker under nobody:nogroup user because staking key/cert can't be created

[lcgogo]

Describe the bug
I want to run avalanchego under nobody:nogroup by docker.
But the staking key/cert is always created by avalanchego automatically under /home even after add --staking-enabled false option

VER=1.6.5
docker run -it --name avalanchego-${VER} \
  --user nobody:nogroup \
  -v /data/avalanchego:/data/avalanchego \
  -p 9650:9650 -p 9651:9651 \
  avaplatform/avalanchego:v${VER} \
  /avalanchego/build/avalanchego \
  --db-dir /data/avalanchego \
  --chain-config-dir /data/avalanchego \
  --subnet-config-dir /data/avalanchego \
  --staking-enabled false --http-host 0.0.0.0
couldn't load node config: couldn't generate staking key/cert: couldn't create path for cert: mkdir /nonexistent: permission denied

To Reproduce
Steps to reproduce the behavior.

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots

Operating System
ubuntu 20.04

Additional context
I think need an option to define the homeDir instead of $HOME in config/flags.go and the db-dir chain-config-dir

// Results of parsing the CLI
var (
        defaultNetworkName     = constants.MainnetName
        homeDir                = os.ExpandEnv("$HOME")
        prefixedAppName        = fmt.Sprintf(".%s", constants.AppName)
        defaultDataDir         = filepath.Join(homeDir, prefixedAppName)

By submitting this issue I agree to the Terms and Conditions of the Developer Accelerator Program.

[ceyonur]

You can create a key in memory (not persisted) with staking-ephemeral-cert-enabled, it would create a different cert in each run. Thanks for the feedback, we will look into this further.
It's also strongly dis-advised to use staking-enabled=false for mainnet.

[charly37]

Similar issue here. This prevent avalanche to run in some kubernetes distribution like openshift which assign a random (non root) user when starting a container:

PS C:\Code> docker run --user 1005:1005 avax
couldn't load node config: couldn't generate staking key/cert: couldn't create path for cert: mkdir /.avalanchego: permission denied

I tried to give you a way to reproduce:

run the "base image" you use in your dockerfile "golang:1.17.1-buster" (

avalanchego/scripts/local.Dockerfile

Line 13 in beb7ef9

FROM golang:1.17.1-buster

) with a random user (i put 1000)
docker run -it --user 1000:1000 golang:1.17.1-buster bash

then you will be in this docker and you can install avalanche (i simply use the last delivery)

mkdir /avax
cd /avax
curl -O -L https://github.com/ava-labs/avalanchego/releases/download/v1.6.5/avalanchego-linux-amd64-v1.6.5.tar.gz
ls -all
tar -xvf avalanchego-linux-amd64-v1.6.5.tar.gz

then start avalanche

./avalanchego-v1.6.5/avalanchego
couldn't load node config: couldn't generate staking key/cert: couldn't create path for cert: mkdir /.avalanchego: permission denied

I would suggest to not rely on "home" but rather the current folder and then everything on relative path or a parameter to specify a "main" folder like --path because it seems lot of options already have a default folder trying to write on /

--chain-config-dir string Chain specific configurations parent directory. Defaults to $HOME/.avalanchego/configs/chains/ (default "/.avalanchego/configs/chains")
--db-dir string Path to database directory (default "/.avalanchego/db")
--staking-tls-cert-file string Path to the TLS certificate for staking (default "/.avalanchego/staking/staker.crt")
--staking-tls-key-file string Path to the TLS private key for staking (default "/.avalanchego/staking/staker.key")
--subnet-config-dir string Subnet specific configurations parent directory. Defaults to $HOME/.avalanchego/configs/subnets/ (default "/.avalanchego/configs/subnets")

It would be more easy for users to have an option to fix a "base" path (my 2 cents)

[charly37]

You can create a key in memory (not persisted) with staking-ephemeral-cert-enabled, it would create a different cert in each run. Thanks for the feedback, we will look into this further. It's also strongly dis-advised to use staking-enabled=false for mainnet.

in memory is a solution but if the docker die you lost the information whereas if you use a file you can mount it as a volume and thus reattach it to another docker (not sure it make sense) to provide a redundancy/fail over solution (not sure if it make sense - do not know enough about the process behind)

[panbhatt]

Never ever try --staking-enabled option as false on MAINNET. it renders the complete OS useless and any avalanche binary would not work on that system.
tried this -> ./avalanchego --http-host=0.0.0.0 --log-dir=./datadir --db-dir=./datadir --staking-enabled false
NO OUTPUT/ NO LOGS, the process simply wont do anything..

So killed the process and this time ran with ./avalanchego --http-host=0.0.0.0 --log-dir=./datadir --db-dir=./datadir
Again, nothing happens.

Deleted entire directory and the .avalanchego directory in the HOME Dir. Tried restarting nothing happens.
Downloaded fresh new binary on the system (DEBIAN) -> NOTHING HAPPENS again, no logs and nothing.

[github-actions]

This issue has become stale because it has been open 60 days with no activity. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.

[StephenButtolph]

It would be more easy for users to have an option to fix a "base" path

avalanchego supports this now with the --data-dir flag.