2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,11 +2,13 @@

## Upcoming Release
### Features Added
- Add Docker build for hardened security environments
- Update Netty to 4.2.9.Final
- New `--logging-format` CLI option to select structured logging formats (PLAIN, ECS, GCP, LOGSTASH, GELF) without requiring custom Log4j2 configuration files. Issue [#1144][issue_1144] via PR [#1146][PR_1146].

### Bugs Fixed

[issue_1151]: https://github.com/Consensys/web3signer/issues/1151
[issue_1144]: https://github.com/Consensys/web3signer/issues/1144
[PR_1146]: https://github.com/Consensys/web3signer/pull/1146

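--- a/docker/Dockerfile.distroless
+++ b/docker/Dockerfile.distroless
@@ -0,0 +1,101 @@
+FROM ubuntu:latest AS builder
+
+# Build-time metadata as defined at http://label-schema.org
+ARG BUILD_DATE
+ARG VCS_REF
+ARG VERSION
+LABEL org.label-schema.build-date=$BUILD_DATE \
+org.label-schema.name="Web3Signer" \
+org.label-schema.description="Ethereum 2.0 Signing Service" \
+org.label-schema.url="https://docs.web3signer.consensys.net" \
+org.label-schema.vcs-ref=$VCS_REF \
+org.label-schema.vcs-url="https://github.com/ConsenSys/web3signer.git" \
+org.label-schema.vendor="Consensys" \
+org.label-schema.version=$VERSION \
+org.label-schema.schema-version="1.0"
+
+# Web3Signer tar.gz file (from gradlew distTar)
+ARG TAR_FILE
+# Validate that the TAR_FILE argument is provided
+RUN if [ -z "$TAR_FILE" ]; then echo "TAR_FILE build argument is required" && exit 1; fi
+COPY "${TAR_FILE}" /tmp/web3signer.tar.gz
+
+# Extract the tar.gz file and rename the directory
+RUN mkdir -p /opt/web3signer && \
+tar -xzf /tmp/web3signer.tar.gz -C /opt/web3signer --strip-components=1 && \
+rm /tmp/web3signer.tar.gz
+
+# This container is meant to be runnable on read-only
+# filesystems. Java extracts at runtime dynamic libraries from JAR
+# files in /tmp. For Web3signer this is limited to the blst library,
+# we extract it here in advance and remove it from the JAR to prevent
+# writes at runtime.
+RUN apt-get -y update && apt-get -y install unzip zip && rm -rf /var/lib/apt/lists/*
+RUN mkdir -p /tmp/native-libs /tmp/jar-repack && \
+cd /tmp/jar-repack && \
+unzip /opt/web3signer/lib/jblst-*.jar && \
+cp supranational/blst/Linux/amd64/libblst.so /tmp/native-libs/ && \
+rm -rf supranational/blst/Linux supranational/blst/Mac supranational/blst/Windows && \
+zip -r /tmp/jblst-modified.jar . && \
+mv /tmp/jblst-modified.jar /opt/web3signer/lib/$(basename /opt/web3signer/lib/jblst-*.jar) && \
+rm -rf /tmp/jar-repack /tmp/supranational /tmp/META-INF
+
+# Multiple packages have as a resource the log4j2.xml file in them, as
+# we don't rely on the Gradle launch script (as it depends on a shell)
+# we need to manually extract the one that matters to us to make sure
+# it is used in priority.
+RUN mkdir -p /opt/web3signer/config && \
+unzip -j /opt/web3signer/lib/web3signer-app-*.jar log4j2.xml -d /opt/web3signer/config/
+
+FROM gcr.io/distroless/java21-debian12:nonroot
+
+WORKDIR /opt/web3signer
+
+COPY --from=builder /opt/web3signer .
+COPY --from=builder /tmp/native-libs native-libs
+
+ENV WEB3SIGNER_HTTP_LISTEN_HOST="0.0.0.0"
+ENV WEB3SIGNER_METRICS_HOST="0.0.0.0"
+
+# List Exposed Ports
+# Metrics, Rest API
+EXPOSE 9001 9000 9000/udp
+
+ARG VERSION
+
+# This is somewhat complex because we can't use the entrypoint script
+# generated by gradle (there's no shell or unix tools at hand).
+#
+# - The option -XX:-UsePerfData disables Java from storing perf data
+# in /tmp, this is required if the intent is to rely on read-only
+# filesystems.
+#
+# - We override log4j2.xml to ensure it is the web3signer one that is
+# used.
+#
+# - The rest of the settings are similar to what gradle's entrypoint
+# provides.
+
+ENTRYPOINT [ \
+"java", \
+"-XX:-UsePerfData", \
+"-cp", \
+"/opt/web3signer/lib/*", \
+"-Dlog4j2.configurationFile=/opt/web3signer/config/log4j2.xml", \
+"-Djava.library.path=/opt/web3signer/native-libs", \
+"-Djna.library.path=/opt/web3signer/native-libs", \
+"-Djna.noclasspath=true", \
+"-Dvertx.disableFileCPResolving=true", \
+"-Dlog4j.skipJansi=true", \
+"-Dlog4j.shutdownHookEnabled=false", \
+"-Dlog4j2.formatMsgNoLookups=true", \
+"--enable-native-access=ALL-UNNAMED",\
+"--add-opens", \
+"java.base/jdk.internal.misc=ALL-UNNAMED", \
+"--add-opens", \
+"java.base/java.nio=ALL-UNNAMED", \
+"-Dio.netty.tryReflectionSetAccessible=true", \
+"--add-exports", \
+"jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED", \
+"tech.pegasys.web3signer.Web3SignerApp" \
+]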
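Review bot: Both base images are pulled by floating tag (`FROM ubuntu:latest AS builder` at the top and `FROM gcr.io/distroless/java21-debian12:nonroot` for the runtime stage), so a Dockerfile advertised in the changelog for hardened environments does not yield a reproducible image and silently absorbs whatever those tags point to at build time; pin both by digest, e.g. `FROM ubuntu:24.04@sha256:<digest> AS builder` and `FROM gcr.io/distroless/java21-debian12:nonroot@sha256:<digest>`, and bump them deliberately so base-image changes are reviewable. The native-library extraction is also hardwired to `cp supranational/blst/Linux/amd64/libblst.so /tmp/native-libs/`, so the build fails outright on any non-amd64 target platform; declaring `ARG TARGETARCH` in the builder stage and selecting the directory from it would make the supported platforms explicit (the JAR's directory names may not match Docker's architecture names, so that mapping needs checking). Minor: `unzip /opt/web3signer/lib/jblst-*.jar` passes a second glob match as a file-selection pattern rather than a second archive, so it is safer to resolve the glob into a single path first and fail the build if more than one jblst JAR is present, rather than repacking the wrong one.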