
Introduce chiseled Docker image #6467

Merged (24 commits, Mar 5, 2024)

Conversation

rubo (Contributor) commented Jan 6, 2024

Resolves #6567

Changes

This PR introduces an additional chiseled rootless Docker image for enhanced security: Dockerfile.chiseled

As chiseled images don't support package managers to install Snappy, which some Nethermind components require, those components have been updated not to require a Snappy installation, as follows:

  • The obsolete Snappy.Standard package that provides bindings for the native Snappy library has been replaced with the newer Snappier package implemented in C#
  • The RocksDB package has been replaced with Nethermind.RocksDB.Runtimes package that uses the official binaries from Meta that don't require Snappy installation
  • The release workflow now builds two images: regular and chiseled
  • All Snappy dependencies have been removed from the codebase

These changes greatly simplify Nethermind installation and docs, eliminating any prerequisites that are especially annoying for RHEL-like distros.

Types of changes

What types of changes does your code introduce?

  • Bugfix (a non-breaking change that fixes an issue)
  • New feature (a non-breaking change that adds functionality)
  • Breaking change (a change that causes existing functionality not to work as expected)
  • Optimization
  • Refactoring
  • Documentation update
  • Build-related changes
  • Other: Description

Testing

Requires testing

  • Yes
  • No

If yes, did you write tests?

  • Yes
  • No

Notes on testing

This PR must be tested thoroughly on all the supported platforms and CPU architectures.

Documentation

Requires documentation update

  • Yes
  • No

Requires explanation in Release Notes

  • Yes
  • No

Since this release, Nethermind no longer needs the Snappy dependency (libsnappy-dev) on Linux.

This release introduces a new chiseled rootless Docker image for enhanced security.
These image tags have the -chiseled suffix and run the Nethermind process on behalf of the non-root app user with UID/GID of 64198.
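The security property this PR adds is that the `-chiseled` image starts the Nethermind process as UID/GID 64198 instead of root. An operator who pulls either tag can verify that property from the image configuration before running it. The script below is an added example, not part of the PR or the Nethermind project: it takes the `Config.User` value that `docker inspect <image>` reports and resolves it the way the container runtime does (empty means root; a numeric UID that has no `/etc/passwd` entry keeps the default primary group 0 unless a group is given explicitly; a name that resolves nowhere would make the container fail to start). The image configurations and the `/etc/passwd` and `/etc/group` excerpts are constructed for the example; the only value taken from the PR is 64198.

```python
"""Check that a container image is configured to start as a non-root user.

Added example, not Nethermind project code. It resolves the `Config.User` value
from `docker inspect <image>` against the image's passwd/group files the way
the container runtime does, and reports an image that would start with
uid 0 or with the root group (gid 0).
"""
import json

# Constructed samples shaped like the "Config" object of `docker inspect <image>`.
REGULAR_IMAGE = {"User": "", "Entrypoint": ["./nethermind"]}             # no USER: root
CHISELED_IMAGE = {"User": "64198:64198", "Entrypoint": ["./nethermind"]}  # uid:gid from the PR
NUMERIC_UID_ONLY = {"User": "64198", "Entrypoint": ["./nethermind"]}     # uid only, gid left to default

# Constructed /etc/passwd and /etc/group excerpts as an image might carry them.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\napp:x:64198:64198::/app:/usr/sbin/nologin\n"
SAMPLE_GROUP = "root:x:0:\napp:x:64198:\n"
MINIMAL_PASSWD = "root:x:0:0:root:/root:/bin/sh\n"   # image that never created the app user


def parse_passwd(text):
    """Map user name -> (uid, gid) from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit():
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text):
    """Map group name -> gid from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            groups[f[0]] = int(f[2])
    return groups


def resolve_user(user_field, passwd, groups):
    """Resolve a Config.User value ("", "name", "uid", "name:group", "uid:gid") to (uid, gid).

    Defaults are uid 0 / gid 0. A user found in passwd (by name or by number) also
    supplies its primary gid; an unknown numeric uid is accepted but keeps gid 0;
    an unknown name is an error because the container would not start.
    """
    uid, gid = 0, 0
    user, _, group = (user_field or "").partition(":")
    if user:
        if user.isdigit():
            entry = next(((u, g) for (u, g) in passwd.values() if u == int(user)), None)
        else:
            entry = passwd.get(user)
        if entry is not None:
            uid, gid = entry
        elif user.isdigit():
            uid = int(user)  # no passwd entry: uid honoured, primary group stays 0
        else:
            raise ValueError(f"user {user!r} not found in /etc/passwd")
    if group:
        if group.isdigit():
            gid = int(group)
        elif group in groups:
            gid = groups[group]
        else:
            raise ValueError(f"group {group!r} not found in /etc/group")
    return uid, gid


def config_from_inspect(inspect_json):
    """Extract the Config object from the JSON array that `docker inspect` prints."""
    return json.loads(inspect_json)[0]["Config"]


def check_image(config, passwd=SAMPLE_PASSWD, group=SAMPLE_GROUP):
    """Return (uid, gid, findings); findings is empty when the image starts as non-root."""
    uid, gid = resolve_user(config.get("User", ""), parse_passwd(passwd), parse_group(group))
    findings = []
    if uid == 0:
        findings.append("process starts as root (uid 0); the image sets no USER")
    if gid == 0:
        findings.append("primary group is root (gid 0); set USER as uid:gid or add a passwd entry")
    return uid, gid, findings


if __name__ == "__main__":
    # Constructed stand-in for `docker inspect nethermind:<tag>` output.
    inspect_output = json.dumps([{"Config": CHISELED_IMAGE}])
    print("chiseled (from inspect JSON):", check_image(config_from_inspect(inspect_output)))
    print("regular:", check_image(REGULAR_IMAGE))
    print("uid only, no passwd entry:", check_image(NUMERIC_UID_ONLY, passwd=MINIMAL_PASSWD))
```

The `uid:gid` form the PR uses is the robust one for a chiseled base, which carries no shell and may carry no passwd entry for the application user: it pins both ids without depending on files inside the image, whereas a bare numeric UID would leave the process in the root group and a bare name would depend on the passwd entry existing.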

@rubo rubo force-pushed the feature/chiseled branch from dbaed30 to aaa833b on January 13, 2024 00:51
@rubo rubo marked this pull request as ready for review March 4, 2024 15:51
@rubo rubo requested a review from a team as a code owner March 4, 2024 15:51
@rubo rubo requested a review from matilote March 4, 2024 16:26
matilote (Member) left a comment

LGTM on the Docker/workflows side

@rubo rubo merged commit ddfe5fa into master Mar 5, 2024
67 checks passed
@rubo rubo deleted the feature/chiseled branch March 5, 2024 17:50
Development

Successfully merging this pull request may close these issues.

Run Nethermind Docker image as non-root by default
3 participants