diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 032cff5ade..b3ccb5d521 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -11,7 +11,8 @@ on:
 pull_request:
 paths:
 - ".github/workflows/build-docker.yml"
- - "docker/centrifuge-chain/Dockerfile"
+ - "docker/"
+ - ".dockerignore"
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}${{ github.event_name }}
 cancel-in-progress: true
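Review bot: The new `paths` entry `- "docker/"` very likely does not trigger the workflow for changes under that directory: as far as I can tell GitHub's `paths` filter matches glob patterns against full file paths, so a bare directory name with a trailing slash matches nothing, whereas the removed `docker/centrifuge-chain/Dockerfile` did match. If the intent is to rebuild on any change below `docker/` (the Dockerfile now also copies `docker/scripts`), use `- "docker/**"`. Note this hunk only governs the `pull_request` trigger; if a `push`/`release` trigger outside the hunk has its own `paths` list, it needs the same correction.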
@@ -22,26 +23,38 @@ jobs:
 target: [ release, test ]
 runs-on: ubuntu-latest-8-cores
 permissions:
- contents: write
+ contents: write # to update the GH release w/ Docker tags
+ packages: write # to upload images to ghcr
+ id-token: write
 steps:
 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4
 with:
 fetch-depth: 0
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 #v3
- - name: DockerHub Login
- uses: docker/login-action@v3
+
+ # - name: DockerHub Registry Login
+ # uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
+ # with:
+ # username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ # password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+ - name: Github Registry login
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
 with:
- username: ${{ secrets.DOCKER_HUB_USERNAME }}
- password: ${{ secrets.DOCKER_HUB_TOKEN }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
- - run: echo "NOW=$(date -u +%y-%m-%d)" >> $GITHUB_ENV
+ - run: echo "NOW=$(date -u +%Y-%m-%d)" >> $GITHUB_ENV
 - name: Setup docker metadata
 id: meta
 uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 #v5
 with:
- images: centrifugeio/centrifuge-chain
+ images: |
+ ghcr.io/centrifuge/centrifuge-chain
+ ${{ github.event_name != 'pull_request' && 'centrifugeio/centrifuge-chain' || ''}}
 tags: |
 type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
 type=raw,value=latest,enable=${{ github.event_name == 'release' }}
@@ -56,6 +69,7 @@ jobs:
 core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
 core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+ - run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 - name: Build and push centrifugeio/centrifuge-chain
 uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 #v5
 with:
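Review bot: The Docker Hub login is commented out, yet `images` still lists `centrifugeio/centrifuge-chain` whenever the event is not a pull request, and the build step (changed to `push: true` in a later hunk) pushes every listed image — so release and branch runs will fail at push time with an unauthenticated push to Docker Hub, unless a Docker Hub login is performed by a step outside this hunk. Either restore the `docker/login-action` step for Docker Hub or drop the second `images` line until it is restored. `id-token: write` is also newly granted while nothing in this hunk exchanges an OIDC token; if no step elsewhere in the workflow consumes it, remove it to keep `GITHUB_TOKEN` at least privilege, or annotate it as was done for `contents` and `packages`, e.g. `id-token: write # for <consumer>`. Minor: `''}}` in the `images` expression is missing the space the other expressions use before `}}`.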
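Review bot: `VERSION=${GITHUB_REF#refs/tags/}` only strips a prefix on tag/release events; on a branch push or a pull request the expansion is a no-op and `VERSION` becomes `refs/heads/<branch>` or `refs/pull/<n>/merge`, which the Dockerfile change then bakes into `org.opencontainers.image.version`. Prefer `$GITHUB_REF_NAME` (the bare tag or branch name), or guard the step with `if: startsWith(github.ref, 'refs/tags/')` so the build-arg stays empty when there is no version. The `$GITHUB_ENV` redirection target should also be quoted, `>> "$GITHUB_ENV"`, for consistency with shell hygiene. The enclosing `steps` list continues outside the hunk.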
@@ -63,7 +77,10 @@ jobs:
 file: ./docker/centrifuge-chain/Dockerfile
 build-args: |
 FEATURES=${{ matrix.target == 'test' && 'fast-runtime' || '' }}
- push: ${{ github.event_name != 'pull_request' }}
+ BUILD_DATE=${{ env.NOW }}
+ VERSION=${{env.VERSION}}
+ # Always push, either to ghcr or Dockerhub
+ push: true
 tags: ${{ steps.meta.outputs.tags }}
 # Cache options:
 # https://docs.docker.com/build/ci/github-actions/cache/
@@ -82,14 +99,14 @@ jobs:
 repository: centrifuge/centrifuge-chain
 short-description: ${{ github.event.repository.description }}
 enable-url-completion: true
-
+
 - name: Update GitHub release
 if: github.event_name == 'release' && matrix.target == 'release'
 uses: softprops/action-gh-release@v1
 with:
 append_body: true
 body: |
- **Docker tags:**
+ **Docker tags:**
 ${{ steps.meta.outputs.tags }}
 - if: failure()
diff --git a/docker/centrifuge-chain/Dockerfile b/docker/centrifuge-chain/Dockerfile
index 7cbe624e51..a9a7f08fe5 100644
--- a/docker/centrifuge-chain/Dockerfile
+++ b/docker/centrifuge-chain/Dockerfile
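Review bot: `push: true` now publishes images built from `pull_request` events into `ghcr.io/centrifuge/centrifuge-chain`, i.e. unreviewed PR code lands in the organisation's image namespace under whatever tags the metadata step assigns, which makes it easy for consumers to mistake a PR build for a release. For pull requests from forks the push will instead be denied, because `GITHUB_TOKEN` is read-only there regardless of the declared `packages: write`, so those PRs will fail at this step rather than exercise the build. If PR images are wanted, restrict pushing to same-repository PRs, e.g. `push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`, and make sure the PR tag scheme is visibly distinct from release tags; otherwise keep the previous `github.event_name != 'pull_request'` condition. Style: `VERSION=${{env.VERSION}}` should be spaced like `BUILD_DATE=${{ env.NOW }}`.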
@@ -27,43 +27,56 @@ FROM --platform=linux/amd64 docker.io/paritytech/ci-linux:production as builder
 # and simply download the binaries here. Some short of hash or integrity check would need to
 # happen to make sure the binary is what we want.
 FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
+ ARG BUILD_DATE
+ ARG VERSION
+ # Standard OCI labels
+ # https://github.com/opencontainers/image-spec/blob/main/annotations.md
+ LABEL io.centrifuge.image.vendor="Centrifuge" \
+ org.opencontainers.image.created= \
+ org.opencontainers.image.authors="protocol@k-f.co" \
+ org.opencontainers.image.title="centrifugeio/centrifuge-chain" \
+ org.opencontainers.image.description="Centrifuge, the layer 1 of RWA. This is the official Centrifuge (para)chain image" \
+ org.opencontainers.image.source="https://github.com/centrifuge/centrifuge-chain/" \
+ org.opencontainers.image.created="${BUILD_DATE}" \
+ org.opencontainers.image.documentation="https://github.com/centrifuge/centrifuge-chain/blob/main/README.md" \
+ org.opencontainers.image.version="$VERSION" \
+ org.opencontainers.image.licenses="GPL-3" \
+ org.opencontainers.image.base.name="ubuntu/jammy" \
+ org.opencontainers.image.base.digest="ubuntu@sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b"
+ # org.opencontainers.image.url= \
- LABEL io.centrifuge.image.authors="protocol@k-f.co" \
- io.centrifuge.image.vendor="Centrifuge" \
- io.centrifuge.image.title="centrifugeio/centrifuge-chain" \
- io.centrifuge.image.description="Centrifuge, the layer 1 of RWA. 
This is the official Centrifuge (para)chain image" \
- io.centrifuge.image.source="https://github.com/centrifuge/centrifuge-chain/blob/main/docker/centrifuge-chain/Dockerfile" \
- io.centrifuge.image.created="${BUILD_DATE}"
- # Add chain resources to image
- COPY node/res /resources/
-
- COPY --from=builder /centrifuge-chain/target/release/centrifuge-chain /usr/local/bin
- RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ;
+ RUN apt-get update && apt-get install -y curl jq
+ RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/*
 # Because of the following, all data and config directories need to be owned by UID and GID 1000
 RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge
+
+ COPY node/res /resources/
+ COPY --from=builder /centrifuge-chain/target/release/centrifuge-chain /usr/local/bin/
- RUN mkdir -p /data && \
+ COPY docker/scripts /centrifuge/scripts
+ RUN chmod +x /centrifuge/scripts/* && \
+ ln -s /centrifuge/scripts/* /usr/local/bin/
+
+ RUN mkdir -p /data && \
 chown -R centrifuge:centrifuge /data && \
 chown -R centrifuge:centrifuge /resources && \
- chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain && \
- chown -R centrifuge:centrifuge /centrifuge/
-
- COPY ./docker/scripts/entrypoint.sh /centrifuge/entrypoint.sh
- RUN chown -R centrifuge:centrifuge /centrifuge/entrypoint.sh && chmod +x /centrifuge/entrypoint.sh
+ chown -R centrifuge:centrifuge /centrifuge/
 # Running as an non-root is a good security practice
 # in some cases the container can be forced to run as root overriding the next line
 # but by default we want to enforce this.
 USER centrifuge
+WORKDIR /centrifuge
 # checks
 RUN ldd /usr/local/bin/centrifuge-chain && \
 /usr/local/bin/centrifuge-chain --version
+RUN set -e && command -v check-node-ready && command -v entrypoint.sh
 EXPOSE 30333 9933 9944
 VOLUME ["/data"]
-ENTRYPOINT ["/centrifuge/entrypoint.sh"]
+ENTRYPOINT ["entrypoint.sh"]
 CMD ["--help"]
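Review bot: The new `org.opencontainers.image.base.digest` label asserts a base-image digest that the build does not enforce — `FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy` still resolves the floating `jammy` tag at build time, so the label will silently drift from the base actually pulled; pin the reference, `FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy@sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b`, so the annotation is verifiable. Per the OCI annotation spec, `base.name` should be a full image reference (`docker.io/library/ubuntu:jammy`) and `base.digest` the bare digest (`sha256:…`) rather than `ubuntu@sha256:…`. The same `LABEL` sets `org.opencontainers.image.created` twice (first empty, then to `${BUILD_DATE}`); drop the empty entry so the value does not depend on duplicate-key handling. Separately, `apt-get update && apt-get install -y curl jq` and the `apt-get clean`/`rm -rf /var/lib/apt/lists/*` run in different layers, so the package lists stay in the image; fold them into one `RUN` with `--no-install-recommends`.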
diff --git a/docker/scripts/check-node-ready b/docker/scripts/check-node-ready
new file mode 100644
index 0000000000..f31db3a081
--- /dev/null
+++ b/docker/scripts/check-node-ready
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Contact port 9933 and store the response
+response=$(curl -s http://localhost:9933/health)
+
+# Extract the number of peers and the syncing status from the response
+peers=$(echo "$response" | jq '.peers')
+isSyncing=$(echo "$response" | jq '.isSyncing')
+
+# Check that the number of peers is more than 0
+if [ "$peers" -gt 0 ]; then
+ echo "Node has peers."
+else
+ echo "Error: Node has no peers. Check the logs"
+ exit 1
+fi
+
+# Check that syncing is false
+if [ "$isSyncing" == "false" ]; then
+ echo "Node is synched."
+else
+ echo "Error: Node is still syncing but has peers. Check again later"
+ exit 1
+fi
+
+echo "Health check passed."
+exit 0
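Review bot: `curl -s http://localhost:9933/health` has no failure flag and no timeout, so when the RPC endpoint is down or slow `response` is empty, `jq` prints nothing, and `[ "$peers" -gt 0 ]` fails with an "integer expression expected" error that is then reported as "Node has no peers" — a misleading diagnosis, and a hang risk if the endpoint accepts the connection but never answers. Use `curl -sf --max-time 5`, treat a failed request and a non-numeric `peers` as their own error, and add `set -euo pipefail` so a malformed response aborts instead of falling through. The file is also committed as mode `100644`; the Dockerfile's `chmod +x` covers the image, but marking it `100755` in git avoids surprises for anyone running it directly.
```shell
#!/bin/bash
set -euo pipefail

# Fail fast if the RPC endpoint is unreachable or answers with a non-2xx status
response=$(curl -sf --max-time 5 http://localhost:9933/health) || {
 echo "Error: health endpoint not reachable"
 exit 1
}

peers=$(echo "$response" | jq -r '.peers')
isSyncing=$(echo "$response" | jq -r '.isSyncing')

# Reject a malformed response before the numeric comparison below
if ! [[ "$peers" =~ ^[0-9]+$ ]]; then
 echo "Error: unexpected health response: $response"
 exit 1
fi
# … unchanged: peer-count and syncing checks …
```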