feat: provide distroless/read-only image (#1151)#1152
feat: provide distroless/read-only image (#1151)#1152aimxhaisse wants to merge 1 commit intoConsensys:masterfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
docker/Dockerfile.distroless
Outdated
| # we need to manually extract the one that matters to us to make sure | ||
| # it is used in priority. | ||
| RUN mkdir -p /opt/web3signer/config && \ | ||
| unzip -j /opt/web3signer/lib/web3signer-app-develop.jar log4j2.xml -d /opt/web3signer/config/ |
There was a problem hiding this comment.
Hardcoded jar version breaks non-develop builds
Medium Severity
The jar name web3signer-app-develop.jar is hardcoded, but the gradle task's tarball uses project.version which can be any version string. For tagged releases (e.g., "25.12.0"), the jar inside the tarball would be named web3signer-app-25.12.0.jar, causing this unzip command to fail because the hardcoded filename won't exist. This prevents the Dockerfile from being used for release builds.
aimxhaisse
force-pushed
the
feat/distroless
branch
from
b2f23e7 to
40674be
Compare
This PR adds a new Dockerfile that runs Web3signer from a distroless image (i.e: with no shell). This means we can't use the gradle facilities that rely on an entrypoint script anymore so instead it overrides the entrypoint. Additionally, this image can be ran in a read-only environment: it prepares in the build step the runtime extractions that Java does at start in /tmp so that they are not required anymore and also the logging configuration.
aimxhaisse
force-pushed
the
feat/distroless
branch
from
40674be to
5aa0220
Compare
| RUN mkdir -p /tmp/native-libs /tmp/jar-repack && \ | ||
| cd /tmp/jar-repack && \ | ||
| unzip /opt/web3signer/lib/jblst-*.jar && \ | ||
| cp supranational/blst/Linux/amd64/libblst.so /tmp/native-libs/ && \ |
There was a problem hiding this comment.
Native library extraction hardcodes amd64 architecture
Medium Severity
The native libblst.so library extraction hardcodes the amd64 architecture path. The project supports multi-arch Docker builds (Linux/amd64 and Linux/arm64), but this Dockerfile only copies supranational/blst/Linux/amd64/libblst.so. Building for ARM64 systems will produce a non-functional image with an incompatible native library, causing runtime failures when the BLS signing functionality is used.
| # we need to manually extract the one that matters to us to make sure | ||
| # it is used in priority. | ||
| RUN mkdir -p /opt/web3signer/config && \ | ||
| unzip -j /opt/web3signer/lib/web3signer-app-*.jar log4j2.xml -d /opt/web3signer/config/ |
There was a problem hiding this comment.
with the latest changes, we are not bundling log4j2.xml anymore.
|
2 participants
This PR adds a new Dockerfile that runs Web3signer from a distroless image (i.e: with no shell) and read-only mode (no write to disk at runtime).
This has been running for months both in testnet and in a production environment at scale.
Fixed Issue(s)
fixes #1151
Documentation
doc-change-requiredlabel to this PR if updates are required.Changelog
Testing
Note
Introduces a hardened Docker build and documents it.
docker/Dockerfile.distrolessto run on distroless Java 21 (nonroot) with read-only filesystemlibblst.sofromjblst-*and repack the JAR to prevent runtime writes; extractlog4j2.xmltoconfigENTRYPOINTwith JVM flags, classpath, logging config, native lib paths; expose9000/9001CHANGELOG.mdto note the new Docker build and reference issue#1151Written by Cursor Bugbot for commit 5aa0220. This will update automatically on new commits. Configure here.