Support Web3signer distroless

Author: yorickdowne

.github/workflows/test-web3signer.yml

@@ -0,0 +1,48 @@
+name: Test Web3signer
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, synchronize, labeled, unlabeled]
+    branches: [main]
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-web3signer:
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'test-web3signer') ||
+      contains(github.event.pull_request.labels.*.name, 'test-all') ||
+      github.event_name == 'push'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v4
+      - name: Create .env file
+        run: cp default.env .env
+      - name: Set Lighthouse/Geth/Web3signer
+        run: |
+          source ./.github/helper.sh
+          COMPOSE_FILE=lighthouse.yml:geth.yml:web3signer.yml
+          var=COMPOSE_FILE
+          set_value_in_env
+          WEB3SIGNER=true
+          var=WEB3SIGNER
+          set_value_in_env
+      - name: Start Lighthouse/Geth/Web3signer
+        run: ./ethd up
+      - name: Pause for 30 seconds
+        run: sleep 30
+      - name: Test Web3signer
+        run: ./.github/check-service.sh web3signer
+      - name: Test PostgreSQL
+        run: ./.github/check-service.sh postgres

default.env

@@ -404,8 +404,13 @@ VERO_DOCKER_REPO=ghcr.io/serenita-org/vero
 VERO_DOCKERFILE=Dockerfile.binary
 
 # Web3Signer
+# Use latest-distroless or <vx.y>-distroless for a distroless setup
 W3S_DOCKER_TAG=latest
+# Set to "true" for distroless and read-only Docker
+W3S_READ_ONLY=false
 W3S_DOCKER_REPO=consensys/web3signer
+# Use Dockerfile.custom-network for a custom devnet NETWORK. Doesn't support distroless.
+W3S_DOCKERFILE=Dockerfile.slim
 PG_DOCKER_TAG=18-trixie
 
 # Besu
@@ -494,4 +499,4 @@ DOCKER_ROOT=/var/lib/docker
 DOCKER_SOCK=/var/run/docker.sock
 
 # Used by ethd update - please do not adjust
-ENV_VERSION=55
+ENV_VERSION=56

web3signer.yml

@@ -19,6 +19,7 @@ services:
     pull_policy: never
     volumes:
       - web3signer-slashing-data:/var/lib/postgres-data:ro
+      - web3signer-keys:/var/lib/web3signer
     environment:
       - PG_DOCKER_TAG=${PG_DOCKER_TAG}
       - PG_ALIAS=${PG_ALIAS}
@@ -42,10 +43,10 @@ services:
       args:
         - DOCKER_TAG=${W3S_DOCKER_TAG:-latest}
         - DOCKER_REPO=${W3S_DOCKER_REPO:-consensys/web3signer}
-      dockerfile: Dockerfile.binary
+      dockerfile: ${W3S_DOCKERFILE}
     image: web3signer:local
     pull_policy: never
-    user: web3signer
+    user: 10000:10000
     volumes:
       - web3signer-keys:/var/lib/web3signer
       - /etc/localtime:/etc/localtime:ro
@@ -61,16 +62,16 @@ services:
     depends_on:
       w3s-init:
         condition: service_completed_successfully
+    read_only: ${W3S_READ_ONLY:-false}
     <<: *logging
-    entrypoint:
-      - docker-entrypoint.sh
-      - /opt/web3signer/bin/web3signer
+    command:
       - --key-store-path=/var/lib/web3signer/keys
       - --metrics-enabled
       - --metrics-host-allowlist=*
       - --http-host-allowlist=*
       - --logging=${LOG_LEVEL:-info}
       - eth2
+      - --network=${NETWORK}
       - --enable-key-manager-api=true
       - --slashing-protection-db-url=jdbc:postgresql://${PG_ALIAS:-${NETWORK}-postgres}/web3signer
       - --slashing-protection-db-username=postgres

web3signer/Dockerfile.binary web3signer/Dockerfile.custom-networkweb3signer/Dockerfile.binary renamed to web3signer/Dockerfile.custom-network

@@ -21,10 +21,10 @@ RUN set -eux; \
 # Create data mount point with permissions
 RUN mkdir -p /var/lib/web3signer/keys && chown -R ${USER}:${USER} /var/lib/web3signer && chmod -R 700 /var/lib/web3signer
 # Cannot assume buildkit, hence no chmod
-COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
+COPY --chown=${USER}:${USER} ./docker-entrypoint-custom-network.sh /usr/local/bin/docker-entrypoint.sh
 # Belt and suspenders
 RUN chmod -R 755 /usr/local/bin/*
 
 USER ${USER}
 
-ENTRYPOINT ["/opt/web3signer/bin/web3signer"]
+ENTRYPOINT ["docker-entrypoint.sh", "/opt/web3signer/bin/web3signer"]

web3signer/Dockerfile.slim

@@ -0,0 +1,6 @@
+ARG DOCKER_TAG=latest
+ARG DOCKER_REPO=consensys/web3signer
+
+FROM ${DOCKER_REPO}:${DOCKER_TAG}
+
+USER 10000:10000

web3signer/docker-entrypoint-custom-network.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# Because we're oh-so-clever with custom NETWORK, we may need to remove what's already passed in.
+__strip_network_args() {
+  local arg
+  __args=()
+  for arg in "$@"; do
+    if [[ ! "${arg}" = "--network=${NETWORK}" ]]; then
+      __args+=("${arg}")
+    fi
+  done
+}
+
+
+if [[ "${NETWORK}" =~ ^https?:// ]]; then
+  echo "Custom testnet at ${NETWORK}"
+  repo=$(awk -F'/tree/' '{print $1}' <<< "${NETWORK}")
+  branch=$(awk -F'/tree/' '{print $2}' <<< "${NETWORK}" | cut -d'/' -f1)
+  config_dir=$(awk -F'/tree/' '{print $2}' <<< "${NETWORK}" | cut -d'/' -f2-)
+  echo "This appears to be the ${repo} repo, branch ${branch} and config directory ${config_dir}."
+  # For want of something more amazing, let's just fail if git fails to pull this
+  set -e
+  if [[ ! -d "/var/lib/web3signer/testnet/${config_dir}" ]]; then
+    mkdir -p /var/lib/web3signer/testnet
+    cd /var/lib/web3signer/testnet
+    git init --initial-branch="${branch}"
+    git remote add origin "${repo}"
+    git config core.sparseCheckout true
+    echo "${config_dir}" > .git/info/sparse-checkout
+    git pull origin "${branch}"
+  fi
+  set +e
+  __network="--network=/var/lib/web3signer/testnet/${config_dir}/config.yaml"
+
+  __strip_network_args "$@"
+  set -- "${__args[@]}"
+else
+  __network=""
+fi
+
+# Word splitting is desired for the command line parameters
+# shellcheck disable=SC2086
+exec "$@" ${__network}

web3signer/docker-entrypoint-flyway.sh

@@ -1,6 +1,9 @@
 #!/bin/bash
 set -Eeu
 
+# Permissions
+chown -R 10000:10000 /var/lib/web3signer
+
 # Configuration
 db_url="postgresql://postgres:postgres@${PG_ALIAS}:5432/web3signer"
 check_query="SELECT 1 FROM pg_database WHERE datname = current_database() AND datcollversion <> (SELECT collversion FROM pg_collation WHERE collname = 'en_US.utf8' LIMIT 1);"
@@ -49,4 +52,26 @@ if [[ -f "${data_dir}/PG_VERSION" ]]; then
   fi
 fi
 
+if [[ -f /var/lib/web3signer/.migration_fatal_error ]]; then
+    echo "An error occurred during \"ethd update\" and slashing protection database migration, that makes it unsafe to start Web3signer."
+    echo "Until this is manually remedied, Web3signer will refuse to start up."
+    echo "Aborting."
+    echo
+    echo "If this issue has since been resolved, you can remove the \".migration_fatal_error\" marker file in Web3signer's"
+    echo "Docker volume."
+    echo
+    echo "ONLY remove the marker file if the issue has been resolved. You risk slashing otherwise."
+    sleep 30
+    exit 1
+fi
+
+if [[ -f /var/lib/web3signer/.migration_error ]]; then
+    echo "An error occurred during \"ethd update\", while switching to a new version of PostgreSQL."
+    echo "Web3signer will start, but won't work until PostgreSQL's version matches the slashing protection database"
+    echo "version."
+    echo
+    echo "If this issue has since been resolved, you can remove the \".migration_error\" marker file in Web3signer's"
+    echo "Docker volume."
+fi
+
 exec "$@"