diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6df95535f..2a43fe490 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,11 +2,13 @@ ## Upcoming Release ### Features Added +- Add Docker build for hardened security environments - Update Netty to 4.2.9.Final - New `--logging-format` CLI option to select structured logging formats (PLAIN, ECS, GCP, LOGSTASH, GELF) without requiring custom Log4j2 configuration files. Issue [#1144][issue_1144] via PR [#1146][PR_1146]. ### Bugs Fixed +[issue_1151]: https://github.com/Consensys/web3signer/issues/1151 [issue_1144]: https://github.com/Consensys/web3signer/issues/1144 [PR_1146]: https://github.com/Consensys/web3signer/pull/1146
diff --git a/docker/Dockerfile.distroless b/docker/Dockerfile.distroless
new file mode 100644
index 000000000..8b2b5ccd9
--- /dev/null
+++ b/docker/Dockerfile.distroless
@@ -0,0 +1,101 @@
+FROM ubuntu:latest AS builder
+
+# Build-time metadata as defined at http://label-schema.org
+ARG BUILD_DATE
+ARG VCS_REF
+ARG VERSION
+LABEL org.label-schema.build-date=$BUILD_DATE \
+ org.label-schema.name="Web3Signer" \
+ org.label-schema.description="Ethereum 2.0 Signing Service" \
+ org.label-schema.url="https://docs.web3signer.consensys.net" \
+ org.label-schema.vcs-ref=$VCS_REF \
+ org.label-schema.vcs-url="https://github.com/ConsenSys/web3signer.git" \
+ org.label-schema.vendor="Consensys" \
+ org.label-schema.version=$VERSION \
+ org.label-schema.schema-version="1.0"
+
+# Web3Signer tar.gz file (from gradlew distTar)
+ARG TAR_FILE
+# Validate that the TAR_FILE argument is provided
+RUN if [ -z "$TAR_FILE" ]; then echo "TAR_FILE build argument is required" && exit 1; fi
+COPY "${TAR_FILE}" /tmp/web3signer.tar.gz
+
+# Extract the tar.gz file and rename the directory
+RUN mkdir -p /opt/web3signer && \
+ tar -xzf /tmp/web3signer.tar.gz -C /opt/web3signer --strip-components=1 && \
+ rm /tmp/web3signer.tar.gz
+
+# This container is meant to be runnable on read-only
+# filesystems. Java extracts at runtime dynamic libraries from JAR
+# files in /tmp. For Web3signer this is limited to the blst library,
+# we extract it here in advance and remove it from the JAR to prevent
+# writes at runtime.
+RUN apt-get -y update && apt-get -y install unzip zip && rm -rf /var/lib/apt/lists/*
+RUN mkdir -p /tmp/native-libs /tmp/jar-repack && \
+ cd /tmp/jar-repack && \
+ unzip /opt/web3signer/lib/jblst-*.jar && \
+ cp supranational/blst/Linux/amd64/libblst.so /tmp/native-libs/ && \
+ rm -rf supranational/blst/Linux supranational/blst/Mac supranational/blst/Windows && \
+ zip -r /tmp/jblst-modified.jar . && \
+ mv /tmp/jblst-modified.jar /opt/web3signer/lib/$(basename /opt/web3signer/lib/jblst-*.jar) && \
+ rm -rf /tmp/jar-repack /tmp/supranational /tmp/META-INF
+
+# Multiple packages have as a resource the log4j2.xml file in them, as
+# we don't rely on the Gradle launch script (as it depends on a shell)
+# we need to manually extract the one that matters to us to make sure
+# it is used in priority.
+RUN mkdir -p /opt/web3signer/config && \
+ unzip -j /opt/web3signer/lib/web3signer-app-*.jar log4j2.xml -d /opt/web3signer/config/
+
+FROM gcr.io/distroless/java21-debian12:nonroot
+
+WORKDIR /opt/web3signer
+
+COPY --from=builder /opt/web3signer .
+COPY --from=builder /tmp/native-libs native-libs
+
+ENV WEB3SIGNER_HTTP_LISTEN_HOST="0.0.0.0"
+ENV WEB3SIGNER_METRICS_HOST="0.0.0.0"
+
+# List Exposed Ports
+# Metrics, Rest API
+EXPOSE 9001 9000 9000/udp
+
+ARG VERSION
+
+# This is somewhat complex because we can't use the entrypoint script
+# generated by gradle (there's no shell or unix tools at hand).
+#
+# - The option -XX:-UsePerfData disables Java from storing perf data
+# in /tmp, this is required if the intent is to rely on read-only
+# filesystems.
+#
+# - We override log4j2.xml to ensure it is the web3signer one that is
+# used.
+#
+# - The rest of the settings are similar to what gradle's entrypoint
+# provides.
+
+ENTRYPOINT [ \
+ "java", \
+ "-XX:-UsePerfData", \
+ "-cp", \
+ "/opt/web3signer/lib/*", \
+ "-Dlog4j2.configurationFile=/opt/web3signer/config/log4j2.xml", \
+ "-Djava.library.path=/opt/web3signer/native-libs", \
+ "-Djna.library.path=/opt/web3signer/native-libs", \
+ "-Djna.noclasspath=true", \
+ "-Dvertx.disableFileCPResolving=true", \
+ "-Dlog4j.skipJansi=true", \
+ "-Dlog4j.shutdownHookEnabled=false", \
+ "-Dlog4j2.formatMsgNoLookups=true", \
+ "--enable-native-access=ALL-UNNAMED",\
+ "--add-opens", \
+ "java.base/jdk.internal.misc=ALL-UNNAMED", \
+ "--add-opens", \
+ "java.base/java.nio=ALL-UNNAMED", \
+ "-Dio.netty.tryReflectionSetAccessible=true", \
+ "--add-exports", \
+ "jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED", \
+ "tech.pegasys.web3signer.Web3SignerApp" \
+ ]
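Review bot: The `org.label-schema.*` LABELs and the `ARG BUILD_DATE`/`VCS_REF`/`VERSION` they read live only in the `builder` stage, so the image produced from the second `FROM gcr.io/distroless/java21-debian12:nonroot` ships with none of that provenance metadata, and the `ARG VERSION` redeclared after `EXPOSE` is never used; move or repeat the `ARG`/`LABEL` block after the final `FROM` so `docker inspect` on the published image reports vcs-ref and version. Separately, the stage that unpacks and repacks `jblst-*.jar` and extracts `libblst.so` — the BLS library the runtime loads via `-Djava.library.path` — runs on `FROM ubuntu:latest` with unpinned `apt-get -y install unzip zip`, so that artifact is produced by a floating toolchain; pin the builder tag (ideally a digest on both `FROM` lines) and add `--no-install-recommends`. The `cp supranational/blst/Linux/amd64/libblst.so /tmp/native-libs/` line also hardwires amd64, so a build for any other platform fails at that step; if multi-arch images are intended, derive the path from `$TARGETARCH` instead.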