Merge pull request inkonchain#14 from inkonchain/fix/fix-flatten

flatten
erfanainul · Oct 30, 2024 · 6718164 · 6718164
2 parents f62e97c + f3546f7
commit 6718164
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 14 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -10,10 +10,13 @@ services:
       - 30303:30303/udp # P2P UDP (currently unused)
       - 7301:6060 # metrics
     volumes:
-      - ./geth:/data
-      - ./var:/var
+      - ./geth:/data:rw
+      - ./var:/var:rw
     env_file:
       - .env.ink-sepolia
+    user: "1000:1000"
+    environment:
+      - GETH_DATA_DIR=/data
   op-node:
     build:
       context: .
@@ -27,6 +30,7 @@ services:
       - 7300:7300 # metrics
       - 6060:6060 # pprof
     volumes:
-      - ./var:/var
+      - ./var:/var:rw
     env_file:
       - .env.ink-sepolia
+    user: "1000:1000"
diff --git a/op-geth/Dockerfile b/op-geth/Dockerfile
@@ -16,17 +16,28 @@ RUN go run build/ci.go install -static ./cmd/geth
 FROM golang:1.21 AS run-op-geth
 
 RUN apt-get update && \
-    apt-get install netcat-openbsd && \
-    apt-get install -y jq curl supervisor && \
-    rm -rf /var/lib/apt/lists
+    apt-get install -y --no-install-recommends \
+    netcat-openbsd \
+    jq \
+    curl \
+    supervisor && \
+    rm -rf /var/lib/apt/lists/*
+
 RUN mkdir -p /var/log/supervisor
 
+# Create non-root user
+RUN useradd -m -u 1000 -s /bin/bash opuser
+
 WORKDIR /app
 
 COPY --from=build-op-geth /app/build/bin/geth ./
 COPY op-geth/config /config
 COPY op-geth/entrypoint.sh ./entrypoint.sh
 RUN chmod +x ./entrypoint.sh
 
+# Set proper ownership
+RUN chown -R opuser:opuser /app /var/log/supervisor
+
+USER opuser
 
 ENTRYPOINT [ "./entrypoint.sh" ]
diff --git a/op-node/Dockerfile b/op-node/Dockerfile
@@ -16,16 +16,28 @@ RUN cd op-node && make VERSION=$VERSION op-node
 FROM golang:1.21
 
 RUN apt-get update && \
-    apt-get install netcat-openbsd && \
-    apt-get install -y jq curl supervisor && \
-    rm -rf /var/lib/apt/lists
+    apt-get install -y --no-install-recommends \
+    netcat-openbsd \
+    jq \
+    curl \
+    supervisor && \
+    rm -rf /var/lib/apt/lists/*
+
 RUN mkdir -p /var/log/supervisor
 
+# Create non-root user
+RUN useradd -m -u 1000 -s /bin/bash opuser
+
 WORKDIR /app
 
 COPY --from=build-op-node /app/op-node/bin/op-node ./
 COPY op-node/config /config
 COPY op-node/entrypoint.sh entrypoint.sh
 RUN chmod +x ./entrypoint.sh
 
+# Set proper ownership
+RUN chown -R opuser:opuser /app /var/log/supervisor
+
+USER opuser
+
 ENTRYPOINT [ "./entrypoint.sh" ]
diff --git a/setup.sh b/setup.sh
@@ -58,11 +58,14 @@ else
   echo -e "${BLUE}Skipping snapshot fetch.${NC}\n"
 fi
 
-# Create the `var` directory structure
+# Create the `var` directory structure with proper permissions
 echo -e "${GRAY}Creating var/secrets directory structure...${NC}"
 mkdir -p var/secrets
 if [ $? -eq 0 ]; then
-  echo -e "${GREEN}↳ Directory structure created.${NC}\n"
+  # Set directory permissions
+  chmod 777 var
+  chmod 777 var/secrets
+  echo -e "${GREEN}↳ Directory structure created with proper permissions.${NC}\n"
 else
   echo -e "${RED}↳ Error creating directory structure.${NC}\n"
   exit 1
@@ -72,7 +75,9 @@ fi
 echo -e "${GRAY}Generating secret for the engine API secure communication...${NC}"
 openssl rand -hex 32 > var/secrets/jwt.txt
 if [ $? -eq 0 ]; then
-  echo -e "${GREEN}↳ Secret generated and saved to var/secrets/jwt.txt.${NC}\n"
+  # Set jwt.txt permissions
+  chmod 666 var/secrets/jwt.txt
+  echo -e "${GREEN}↳ Secret generated and saved to var/secrets/jwt.txt with proper permissions.${NC}\n"
 else
   echo -e "${RED}↳ Error generating secret.${NC}\n"
   exit 1
@@ -95,26 +100,43 @@ if [ -f $RENAMED_SNAPSHOT_FILE_NAME ]; then
       echo -e "${GRAY}Decompressing and extracting $RENAMED_SNAPSHOT_FILE_NAME... ${ITALIC}(will take a few minutes...)${NC}"
       tar -xzf $RENAMED_SNAPSHOT_FILE_NAME
       if [ $? -eq 0 ]; then
-        echo -e "${GREEN}↳ Decompression and extraction complete.${NC}\n"
+        # Set permissions for geth directory
+        chmod -R 777 geth
+        echo -e "${GREEN}↳ Decompression and extraction complete with proper permissions.${NC}\n"
       else
         echo -e "${RED}↳ Error during decompression and extraction.${NC}\n"
         exit 1
       fi
     else
       echo -e "Preserving existing geth directory.${NC}\n"
+      # Set permissions for existing geth directory
+      chmod -R 777 geth
     fi
   else
     echo -e "${GRAY}geth directory not found. Decompressing and extracting $RENAMED_SNAPSHOT_FILE_NAME...${NC}"
     tar -xzf $RENAMED_SNAPSHOT_FILE_NAME
     if [ $? -eq 0 ]; then
-      echo -e "${GREEN}Decompression and extraction complete.${NC}\n"
+      # Set permissions for new geth directory
+      chmod -R 777 geth
+      echo -e "${GREEN}Decompression and extraction complete with proper permissions.${NC}\n"
     else
       echo -e "${RED}Error during decompression and extraction.${NC}\n"
       exit 1
     fi
   fi
 else
   echo -e "${RED}$RENAMED_SNAPSHOT_FILE_NAME not found. Skipping decompression.${NC}\n"
+  # Ensure geth directory exists with proper permissions if it was created manually
+  if [ -d geth ]; then
+    chmod -R 777 geth
+  fi
 fi
 
+# Final permission check
+echo -e "${GRAY}Performing final permission check...${NC}"
+chmod -R 777 geth 2>/dev/null || true
+chmod -R 777 var
+chmod 666 var/secrets/jwt.txt
+echo -e "${GREEN}↳ Permissions verified.${NC}\n"
+
 echo -e "${WHITE}The Ink Node is ready to be started. Run it with:${NC}\n${BLUE}  docker compose up${GRAY} # --build to force rebuild the images ${NC}"