Improve Dockerfile and .dockerignore to minimize files being copied

.dockerignore

@@ -3,4 +3,26 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
-.github
+# git
+.git
+.gitignore
+.github
+
+# docs
+README.md
+CODE_OF_CONDUCT.md
+MAINTAINERS.md
+LICENSE
+
+# docker/podman
+Dockerfile
+
+# go
+staticcheck.conf
+.golangci.yml
+.whitesource
+
+# misc
+.DS_Store
+.env
+deployment

.github/workflows/docker-release.yml

@@ -66,6 +66,8 @@ jobs:
           context: .
           file: ./images/multi-platform/Dockerfile
           platforms: linux/amd64,linux/arm64,linux/s390x
+          build-args: |
+            VERSION=${{ env.VERSION }}
           push: true
           tags: |
             docker.io/${{ env.IMAGE_PREFIX }}/fabric-x-orderer:${{ env.VERSION }}

Makefile

@@ -16,9 +16,11 @@
 #	- docker-local: builds a single-platform image for the host’s OS/architecture
 #   - docker-multiarch: wrapper that triggers docker builds for multiple platforms
 
-TAG ?= latest
+# Docker image vars
 DOCKERFILE ?= images/multi-platform/Dockerfile
-DOCKER_IMAGE ?= arma
+IMAGE_NAMESPACE = docker.io/hyperledger
+IMAGE_NAME = fabric-x-orderer
+VERSION = latest
 
 .PHONY: basic-checks
 basic-checks: check-license check-dco check-protos linter
@@ -79,46 +81,14 @@ sample-tests:
 	(cd node/examples; bash ./scripts/build_docker.sh)
 	(bash ./node/examples/scripts/run_sample.sh)
 
-.PHONY: docker
-docker:
-	docker build -t $(DOCKER_IMAGE) --no-cache -f $(DOCKERFILE) .
-
-# Build for current OS/architecture
-.PHONY: docker-local
-docker-local:
-	@echo "Building local Docker image: $(DOCKER_IMAGE):$(TAG)"
-	docker build \
-		-f images/multi-platform/Dockerfile \
-		-t $(DOCKER_IMAGE):$(TAG) \
-		.
-
-.PHONY: docker-multiarch
-docker-multiarch:
-	@echo "Building images for all platforms locally..."
-	make docker-linux-amd64
-	make docker-linux-arm64
-	make docker-linux-s390x
-
-.PHONY: docker-linux-amd64
-docker-linux-amd64:
-	@echo "Building linux/amd64"
-	docker buildx build --platform linux/amd64 -f $(DOCKERFILE) -t $(DOCKER_IMAGE):linux-amd64 --load .
-
-.PHONY: docker-linux-arm64
-docker-linux-arm64:
-	@echo "Building linux/arm64"
-	docker buildx build --platform linux/arm64 -f $(DOCKERFILE) -t $(DOCKER_IMAGE):linux-arm64 --load .
-
-.PHONY: docker-linux-s390x
-docker-linux-s390x:
-	@echo "Building linux/s390x"
-	docker buildx build --platform linux/s390x -f $(DOCKERFILE) -t $(DOCKER_IMAGE):linux-s390x --load .
-
-
-
-
-
-
-
-
-
+# Build the HLFX Orderer image
+.PHONY: build-image
+build-image:
+	@echo "Building the image ${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}..."
+	@./scripts/build_image.sh -t ${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION} -f ${DOCKERFILE} --build-arg VERSION=${VERSION}
+
+# Build the HLFX Orderer multiplatform image
+.PHONY: build-multiplatform-image
+build-multiplatform-image:
+	@echo "Building the multiplatform image ${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}..."
+	@./scripts/build_image.sh -t ${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION} -f ${DOCKERFILE} --multiplatform --build-arg VERSION=${VERSION}

README.md

@@ -1,11 +1,10 @@
 # Hyperledger Fabric-X Orderer
 
-This repository contains the ordering service of fabric-x. 
+This repository contains the ordering service of fabric-x.
 The ordering service is based on the Arma protocol:
 
 "Arma: a scalable Byzantine Fault Tolerant ordering service".
 
-
 ## Abstract
 
 Arma is a Byzantine Fault Tolerant (BFT) consensus system designed to achieve horizontal scalability across all hardware
@@ -36,15 +35,15 @@ Clients submit transactions to the routers, whereas blocks are consumed from the
 
 More details on the internal architecture and inner workings of Arma can be found in the white paper: [https://ia.cr/2024/808]
 
-
 ## Client API
 
 Arma provides a gRPC service for submitting transactions and consuming blocks. This service is identical to Fabric's "Atomic Broadcast API".
 The gRPC service is defined here: [https://github.com/hyperledger/fabric-protos/blob/main/orderer/ab.proto]
 
 It defines two services:
--	The `Broadcast` service allows a client to submit transactions for ordering by the ordering servers.
--	The `Deliver` service allows clients to consume ordered blocks.
+
+- The `Broadcast` service allows a client to submit transactions for ordering by the ordering servers.
+- The `Deliver` service allows clients to consume ordered blocks.
 
 ```protobuf
 service AtomicBroadcast {
@@ -88,41 +87,53 @@ signatures.
 Arma is composed of 4 types of servers: `router`, `batcher`, `consensus` and `assembler`; also known as "server roles".
 To start a server use the arma CLI tool:
 
-* To run a router node:
-   ```bash
-   ./arma router --config=arma-config/Party1/router_node_config.yaml
-   ```
-* To run a batcher node:
-   ```bash
-   ./arma batcher --config=arma-config/Party1/batcher_node_1_config.yaml
-   ```
-* To run a consenter node:
-   ```bash
-   ./arma consensus --config=arma-config/Party1/consenter_node_config.yaml
-   ```
-* To run an assembler node:
-   ```bash
-   ./arma assembler --config=arma-config/Party1/assembler_node_config.yaml
-   ```
+- To run a router node:
+
+  ```bash
+  ./arma router --config=arma-config/Party1/router_node_config.yaml
+  ```
+
+- To run a batcher node:
+
+  ```bash
+  ./arma batcher --config=arma-config/Party1/batcher_node_1_config.yaml
+  ```
+
+- To run a consenter node:
+
+  ```bash
+  ./arma consensus --config=arma-config/Party1/consenter_node_config.yaml
+  ```
+
+- To run an assembler node:
+
+  ```bash
+  ./arma assembler --config=arma-config/Party1/assembler_node_config.yaml
+  ```
 
 Each server role expects a config file, specified in the command line (mandatory).
 For more details please refer to [arma-deployment](deployment/README.md).
 
+## Build Docker image locally
+
+To build the Docker image locally with either `Docker` or `Podman`, run:
+
+```bash
+make build-image
+```
+
 ### Starting with a genesis block
 
 The local configuration of each node points to the location of the genesis block.  
-That way, when a node starts up, it bootstraps from the genesis block and extract its shared configuration. 
+That way, when a node starts up, it bootstraps from the genesis block and extract its shared configuration.
 
 NOTE: All parties and all servers must be given the same genesis block.
 If a genesis block is not found, Arma will fail to start.
 
-
 ## Configuration and deployment
 
 For more information about deployment of Arma, please refer to [arma-deployment](deployment/README.md).
 
-
-
 ## Tools
-Armageddon is a command-line tool that provides a simple way to config an ARMA network, for more information please refer to [armageddon](cmd/armageddon/README.md).
 
+Armageddon is a command-line tool that provides a simple way to config an ARMA network, for more information please refer to [armageddon](cmd/armageddon/README.md).

images/multi-platform/Dockerfile

@@ -1,3 +1,4 @@
+#
 # Copyright IBM Corp. All Rights Reserved.
 #
 # SPDX-License-Identifier: Apache-2.0
@@ -7,37 +8,51 @@ FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25.5 AS builder
 # Build arguments used for cross-compiling
 ARG TARGETOS
 ARG TARGETARCH
+
+# Environment vars
 ENV GOOS=${TARGETOS}
 ENV GOARCH=${TARGETARCH}
-ENV CGO_ENABLED=0 \
-    GO111MODULE=on
+ENV GO111MODULE=on
+ENV CGO_ENABLED=0
+
 WORKDIR /src
 
-# Now copy rest of the source
+# Copy build files (managed through .dockerignore)
 COPY . .
 
+RUN ls -la .
+
 # Build using your Makefile target
 RUN make binary
 
-# -----------------------------------------------------------------------------
-# Stage 2: Production Image (UBI-micro)
-# -----------------------------------------------------------------------------
-FROM registry.access.redhat.com/ubi9/ubi-micro:9.5 AS prod
+###########################################
+# Stage 2: Production runtime image
+###########################################
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 AS prod
 
-# Add a non-root user for security (UBI-micro has no useradd)
+ARG VERSION=1.0
 
-USER 10001
-WORKDIR /app
+# Add non-root user (10001) without installing extra packages
+RUN /usr/sbin/useradd -u 10001 -r -g root -s /sbin/nologin -c "Hyperledger Fabric-X Orderer user" orderer && \
+    mkdir -p /home/orderer && \
+    chown -R 10001:0 /home/orderer && \
+    chmod 0755 /home/orderer
 
 # Copy in the statically built binaries from builder
 COPY --from=builder /src/bin/arma /usr/local/bin/arma
 COPY --from=builder /src/bin/armageddon /usr/local/bin/armageddon
 
-# OCI labels (strongly recommended for prod images)
-LABEL name="arma-service" \
-      vendor="IBM" \
-      maintainer="IBM Research Decentralized Trust Group" \
-      summary="ARMA Service Production Image" \
-      description="Lightweight and secure Go application running on UBI-micro" \
-      license="Apache-2.0"
+# OCI metadata labels
+LABEL name="fabric-x-orderer" \
+    maintainer="IBM Research Decentralized Trust Group" \
+    version="${VERSION}" \
+    description="Hyperledger Fabric-X Orderer service packaged in a UBI image" \
+    license="Apache-2.0" \
+    vendor="IBM"
+
+# Use non-root user and set workdir using BIN argument
+USER 10001
+WORKDIR /home/orderer
+
+# Default entrypoint
 ENTRYPOINT ["/usr/local/bin/arma"]