Docker Image enhancement and better CLI support. #1603
Conversation
…Entrypoint file to handle few edge cases. Details: *. Modifications to Dockerfile allow for the container to be run as app user instead of root. *. Added a new shell script named fix_permissions.sh to fix ownership issues related to running containers. *. Updated Dockerfile to use this new script. *. Added a .dockerignore file to help maintain a cleaner Docker build context, excluding unnecessary files. *. Modifications to entrypoint.sh allow user to run all the internal commands of it with the proper --datadir param. Now properly handle the start command when --keybase=false is sent. Also allow user to pass the --datadir as env variable to omit it on start command.
In this commit, we have updated the warning and info messages in the 'entrypoint.sh' script for better clarity. The 'fix_permissions.sh' script has been renamed to 'change_datadir_ownership_to_app.sh' and has had its comment section and message notifications elaborated for better understanding. Changes have been reflected in the Dockerfile.
…ns.sh" to "change_datadir_ownership_to_app.sh"
There was a problem hiding this comment.
I think this is great!
I do want one other pair of eyes from an operator to make sure I didn't miss anything, but it has a 👍 from me.
@okdas @msmania @nodiesBlade Can one of you PTAL and review?
|
(Reviewed this on Geomesh branch as well), looks good to me. |
|
@okdas PTAL |
|
Re-running to make sure this passes but otherwise lgtm: 
|
|
@Olshansk it is not going to pass because the origin of the PR is a branch from |
|
@okdas Appreciate the context. What do you recommend as the solution here? For example:
I understand the risk is low but just looking to you to make a call here. |
|
@Olshansk the workaround would be to open a new PR under |
THIS PR INCLUDES BREAKING CHANGES
appuser instead ofrootWhy?
A few Geo-Mesh users report to POKTscan about an issue with the new image after we adopt the one on the pokt-network/pocket-core repository on the latest RC.
They report that this image is using
rootas the user which is recommended to be avoided. There are a lot of blogs and documentation about this, here one of them from a well-known docker image user/company.Also, we detected a few things that could be enhanced on both, entry point and docker context.
The problem with having a public image using root right now is that pocket binary generates folders and files that now belong to the
rootuser, so they will need to modify those permissions to belong to the properappuser and group. To this, I added another optional entry point that could be used once to fix the permission issue and then start the container as before.Here you can see how to use it with docker-compose or docker
Changes:
appuser instead ofroot.entrypoint.shallows the user to run all its internal commands with the proper--datadirparam. Now properly handle the start command when--keybase=falseis sent. Also, allow the user to pass the--datadiras an env variable to omit it on the start command.