6 changes: 6 additions & 0 deletions .github/workflows/build-clients.yml
Expand Up @@ -22,6 +22,12 @@ jobs:
test_cl: false
test_el: false
test_vc: false
- env: |-
CORE_FILES=web3signer.yml
W3S_DOCKERFILE=Dockerfile.source
test_cl: false
test_el: false
test_vc: false
- env: |-
COMPOSE_FILE=nimbus-vp.yml
NIMVP_DOCKERFILE=Dockerfile.source
80 changes: 80 additions & 0 deletions .github/workflows/test-web3signer.yml
@@ -0,0 +1,80 @@
name: Test Web3signer

defaults:
run:
shell: bash

on:
push:
branches: [main]
pull_request:
types: [opened, synchronize, labeled, unlabeled]
branches: [main]

concurrency:
group: ci-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
test-web3signer:
if: |
contains(github.event.pull_request.labels.*.name, 'test-web3signer') ||
contains(github.event.pull_request.labels.*.name, 'test-all') ||
github.event_name == 'push'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Docker buildx
uses: docker/setup-buildx-action@v4
- name: Create .env file
run: cp default.env .env
- name: Set Lighthouse/Geth/Web3signer
run: |
source ./.github/helper.sh
CORE_FILES=lighthouse.yml:geth.yml:web3signer.yml
var=CORE_FILES
set_value_in_env
FEE_RECIPIENT=0xDccf8451070a86183eE70D330C4c43b686E9CF86
var=FEE_RECIPIENT
set_value_in_env
WEB3SIGNER=true
var=WEB3SIGNER
set_value_in_env
W3S_DOCKER_TAG=latest
var=W3S_DOCKER_TAG
set_value_in_env
W3S_READ_ONLY=false
var=W3S_READ_ONLY
set_value_in_env
- name: Start Lighthouse/Geth/Web3signer
run: ./ethd up
- name: Pause for 30 seconds
run: sleep 30
- name: Test Web3signer
run: ./.github/check-service.sh web3signer
- name: Test PostgreSQL
run: ./.github/check-service.sh postgres
- name: Test version
run: ./ethd version
- name: Set distroless
run: |
source ./.github/helper.sh
W3S_DOCKER_TAG=latest-distroless
var=W3S_DOCKER_TAG
set_value_in_env
W3S_READ_ONLY=true
var=W3S_READ_ONLY
set_value_in_env
- name: Rebuild Web3signer image
run: ./ethd cmd build --pull
- name: Start Lighthouse/Geth/Web3signer
run: ./ethd up
- name: Pause for 30 seconds
run: sleep 30
- name: Test Web3signer
run: ./.github/check-service.sh web3signer
- name: Test PostgreSQL
run: ./.github/check-service.sh postgres
- name: Test version
run: ./ethd version
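Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives whatever the repository default grants, and the two third-party actions in the Checkout and buildx steps are pinned to floating major tags (`actions/checkout@v6`, `docker/setup-buildx-action@v4`) rather than a full commit SHA, which is the usual supply-chain hardening for a workflow that builds a signer image. Nothing visible in the job needs write access, so adding `permissions:` / `  contents: read` at the top level and pinning each `uses:` to a commit SHA with the tag kept in a trailing comment closes both gaps without changing what the job does. The two fixed `sleep 30` steps before the check-service calls are a readiness guess; presumably `check-service.sh` could poll instead, but that script is outside this file.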
9 changes: 8 additions & 1 deletion default.env
Expand Up @@ -404,8 +404,15 @@ VERO_DOCKER_REPO=ghcr.io/serenita-org/vero
VERO_DOCKERFILE=Dockerfile.binary

# Web3Signer
# SRC build target can be a tag, a branch, or a pr as "pr-ID"
W3S_SRC_BUILD_TARGET=master
W3S_SRC_REPO=https://github.com/Consensys/web3signer
# Use latest-distroless or <vx.y>-distroless for a distroless setup
W3S_DOCKER_TAG=latest
# Set to "true" for distroless and read-only Docker
W3S_READ_ONLY=false
W3S_DOCKER_REPO=consensys/web3signer
W3S_DOCKERFILE=Dockerfile.binary
PG_DOCKER_TAG=18-trixie

# Besu
Expand Down Expand Up @@ -494,4 +501,4 @@ DOCKER_ROOT=/var/lib/docker
DOCKER_SOCK=/var/run/docker.sock

# Used by ethd update - please do not adjust
ENV_VERSION=55
ENV_VERSION=56
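Review bot: `W3S_SRC_BUILD_TARGET=master` makes the default source build track the moving head of the Web3signer repository, and since this is the component holding validator signing keys, an unreviewed commit can land in the image on any rebuild; the compose file's own fallback for this argument already resolves the latest tag instead. Consider defaulting to that same expression, `W3S_SRC_BUILD_TARGET=$$(git describe --tags $$(git rev-list --tags --max-count=1))`, or extending the comment above it to say that `master` is a development default and a tag should be used for production signers. Whether the other `*_SRC_BUILD_TARGET` entries in this file follow the same convention is outside the hunk.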
25 changes: 23 additions & 2 deletions ethd
Expand Up @@ -5,7 +5,7 @@ set -Eeuo pipefail
__project_name="Eth Docker"
__app_name="Ethereum node"
__sample_service="consensus"
__min_env_version=55
__min_env_version=56
__docker_exe="docker"
__old_docker=0
__docker_sudo=""
Expand Down Expand Up @@ -1124,6 +1124,16 @@ __source_build() {
fi
;;
esac
case "${COMPOSE_FILE}" in
*web3signer.yml*)
var="W3S_DOCKERFILE"
__get_value_from_env "${var}" "${__env_file}" "__value"
# shellcheck disable=SC2154
if [[ "${__value}" = "Dockerfile.source" ]]; then
__docompose build --pull --no-cache web3signer
fi
;;
esac
case "${COMPOSE_FILE}" in
*mev-boost.yml*)
var="MEV_DOCKERFILE"
Expand Down Expand Up @@ -5816,6 +5826,7 @@ config() {

version() {
local var
local w3s_exec=""

grep "^This is" README.md
echo
Expand Down Expand Up @@ -5939,7 +5950,17 @@ version() {
# Web3signer version
case "${__value}" in
*web3signer.yml*)
__docompose exec web3signer /opt/web3signer/bin/web3signer --version
var=W3S_DOCKER_TAG
__get_value_from_env "${var}" "${__env_file}" "${var}"
var=W3S_DOCKERFILE
__get_value_from_env "${var}" "${__env_file}" "${var}"
if [[ "${W3S_DOCKERFILE}" = "Dockerfile.binary" && "${W3S_DOCKER_TAG}" =~ distroless ]]; then
w3s_exec="java -cp /opt/web3signer/lib/* tech.pegasys.web3signer.Web3SignerApp"
else
w3s_exec="/opt/web3signer/bin/web3signer"
fi
# shellcheck disable=SC2086
__docompose exec web3signer ${w3s_exec} --version
echo
__docompose exec postgres pg_config --version
echo
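Review bot: In the `version()` hunk, `w3s_exec` holds `java -cp /opt/web3signer/lib/* tech.pegasys.web3signer.Web3SignerApp` and is then expanded unquoted in `__docompose exec web3signer ${w3s_exec} --version` (with SC2086 suppressed), so the `*` is subject to pathname expansion on the host before it ever reaches the container; it only survives as a literal because the host usually has no `/opt/web3signer/lib/` and `failglob`/`nullglob` are off. Holding the command in a bash array and expanding it with `"${w3s_exec[@]}"` keeps the classpath wildcard quoted until the JVM sees it and removes the need for the shellcheck suppression. `version()` begins before this hunk and continues past it.

```shell
local -a w3s_exec=()
# … unchanged: README banner and other client versions …
if [[ "${W3S_DOCKERFILE}" = "Dockerfile.binary" && "${W3S_DOCKER_TAG}" =~ distroless ]]; then
    # Distroless image ships no launcher script; keep the classpath wildcard quoted so
    # the JVM, not the host shell, expands it.
    w3s_exec=(java -cp '/opt/web3signer/lib/*' tech.pegasys.web3signer.Web3SignerApp)
else
    w3s_exec=(/opt/web3signer/bin/web3signer)
fi
__docompose exec web3signer "${w3s_exec[@]}" --version
```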
13 changes: 8 additions & 5 deletions web3signer.yml
Expand Up @@ -19,6 +19,7 @@ services:
pull_policy: never
volumes:
- web3signer-slashing-data:/var/lib/postgres-data:ro
- web3signer-keys:/var/lib/web3signer
environment:
- PG_DOCKER_TAG=${PG_DOCKER_TAG}
- PG_ALIAS=${PG_ALIAS}
Expand All @@ -40,15 +41,18 @@ services:
build:
context: ./web3signer
args:
- BUILD_TARGET=${W3S_SRC_BUILD_TARGET:-$$(git describe --tags $$(git rev-list --tags --max-count=1))}
- SRC_REPO=${W3S_SRC_REPO:-https://github.com/Consensys/web3signer}
- DOCKER_TAG=${W3S_DOCKER_TAG:-latest}
- DOCKER_REPO=${W3S_DOCKER_REPO:-consensys/web3signer}
dockerfile: Dockerfile.binary
dockerfile: ${W3S_DOCKERFILE}
image: web3signer:local
pull_policy: never
user: web3signer
user: 10000:10000
volumes:
- web3signer-keys:/var/lib/web3signer
- /etc/localtime:/etc/localtime:ro
read_only: ${W3S_READ_ONLY:-false}
environment:
- JAVA_OPTS=${W3S_HEAP:--Xmx6g}
Apparently this does not work with 'distroless' (according to Codex at least).

The web3signer script in the original image did

eval "set -- $(
          printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $WEB3SIGNER_OPTS" |
          xargs -n1 |
          sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
          tr '\n' ' '
      )" '"$@"'

  exec "$JAVACMD" "$@"

But distroless does not.

Can set JAVA_TOOL_OPTIONS instead, but... only for distroless? Or also for regular image?

@yorickdowne yorickdowne May 2, 2026

read_only is a Docker option. This absolutely works. So well in fact they had to fix Web3signer-distroless because it'd break when I turned that on: Consensys/web3signer#1175

AH ok, JAVA_OPTS. Yeah this likely doesn't work in distroless. We can point that out to Consensys as a bug

Let's leave that for another PR. JAVA_TOOL_OPTIONS is a good choice; we'd need to verify it doesn't interfere with what regular web3signer is doing

- NETWORK=${NETWORK}
Expand All @@ -62,15 +66,14 @@ services:
w3s-init:
condition: service_completed_successfully
<<: *logging
entrypoint:
- docker-entrypoint.sh
- /opt/web3signer/bin/web3signer
command:
- --key-store-path=/var/lib/web3signer/keys
- --metrics-enabled
- --metrics-host-allowlist=*
- --http-host-allowlist=*
- --logging=${LOG_LEVEL:-info}
- eth2
- --network=${NETWORK}
- --enable-key-manager-api=true
- --slashing-protection-db-url=jdbc:postgresql://${PG_ALIAS:-${NETWORK}-postgres}/web3signer
- --slashing-protection-db-username=postgres
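Review bot: `dockerfile: ${W3S_DOCKERFILE}` is the only build setting in this service without a fallback, while the neighbouring `BUILD_TARGET`, `SRC_REPO`, `DOCKER_TAG` and `DOCKER_REPO` args each carry one; an `.env` that predates `W3S_DOCKERFILE` hands Compose an empty dockerfile name and the build fails with an unhelpful error. Giving it the same treatment, `dockerfile: ${W3S_DOCKERFILE:-Dockerfile.binary}`, matches the `W3S_DOCKERFILE=Dockerfile.binary` default this PR adds to default.env. Dropping the `entrypoint:` override also means the binary and source images now start through different entrypoints (the upstream image's own versus `docker-entrypoint.sh` baked into Dockerfile.source); a one-line comment above `build:` noting that the entrypoint now comes from the image would save the next reader a trip through both Dockerfiles.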
26 changes: 1 addition & 25 deletions web3signer/Dockerfile.binary
@@ -1,30 +1,6 @@
# hadolint global ignore=DL3007,DL3008,DL3059
ARG DOCKER_TAG=latest
ARG DOCKER_REPO=consensys/web3signer

FROM ${DOCKER_REPO}:${DOCKER_TAG}

ARG USER=web3signer
ARG UID=10000

USER root

RUN groupmod -g "${UID}" ${USER} && usermod -u "${UID}" -g "${UID}" ${USER}

RUN set -eux; \
apt-get update; \
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get install -y --no-install-recommends gosu ca-certificates tzdata git git-lfs; \
rm -rf /var/lib/apt/lists/*; \
# verify that the binary works
gosu nobody true

# Create data mount point with permissions
RUN mkdir -p /var/lib/web3signer/keys && chown -R ${USER}:${USER} /var/lib/web3signer && chmod -R 700 /var/lib/web3signer
# Cannot assume buildkit, hence no chmod
COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
# Belt and suspenders
RUN chmod -R 755 /usr/local/bin/*

USER ${USER}

ENTRYPOINT ["/opt/web3signer/bin/web3signer"]
USER 10000:10000
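Review bot: With the `groupmod`/`usermod` remap removed, `USER 10000:10000` runs the upstream image as a numeric UID that presumably has no passwd entry there, so `HOME`/`user.home` fall back to JVM defaults and everything under `/opt/web3signer` must be readable by "other"; this is the same identity the compose file forces with `user: 10000:10000`, so a comment such as `# Must match 'user:' for the web3signer service in web3signer.yml` above the USER line would keep the two from drifting. The global hadolint ignore `DL3008,DL3059` now has no apt-get or RUN chain left to apply to; trimming the header to `# hadolint global ignore=DL3007` keeps the remaining suppression honest.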
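--- a/web3signer/Dockerfile.source
+++ b/web3signer/Dockerfile.source
@@ -0,0 +1,72 @@
+# hadolint global ignore=DL3007,DL3008,DL3059
+# Build Web3signer in a stock Ubuntu container
+FROM eclipse-temurin:25-jdk-noble AS builder
+
+# This is here to avoid build-time complaints
+ARG DOCKER_TAG
+ARG DOCKER_REPO
+
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates git
+
+ARG BUILD_TARGET
+ARG SRC_REPO
+
+WORKDIR /usr/src
+
+ARG SRC_DIR=web3signer
+RUN bash -eo pipefail <<'EOF'
+git clone "$SRC_REPO" "$SRC_DIR"
+cd "$SRC_DIR"
+git config advice.detachedHead false
+git fetch --all --tags
+CLEANED=$(echo "$BUILD_TARGET" | sed 's/\$\$(/$(/g')
+TARGET=$(eval echo "$CLEANED")
+echo "Build $TARGET from $SRC_REPO"
+if [[ "$TARGET" =~ ^pr-[1-9][0-9]*$ ]]; then
+git fetch origin pull/$(echo "$TARGET" | cut -d '-' -f 2)/head:build-pr
+git checkout build-pr
+else
+git checkout "$TARGET"
+fi
+git submodule update --init --recursive --jobs $(nproc)
+./gradlew installDist
+EOF
+
+
+# Pull all binaries into a second stage deploy Ubuntu container
+FROM eclipse-temurin:25-jre-noble
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get install -y --no-install-recommends \
+ca-certificates \
+tzdata \
+git \
+git-lfs \
+adduser \
+&& apt-get clean \
+&& rm -rf /var/lib/apt/lists/*
+
+ARG USER=web3signer
+ARG UID=10000
+
+# See https://stackoverflow.com/a/55757473/12429735RUN
+RUN adduser \
+--disabled-password \
+--gecos "" \
+--home "/nonexistent" \
+--shell "/usr/sbin/nologin" \
+--no-create-home \
+--uid "${UID}" \
+"${USER}"
+
+# Create data mount point with permissions
+RUN mkdir -p /var/lib/web3signer/keys && chown -R ${USER}:${USER} /var/lib/web3signer && chmod -R 700 /var/lib/web3signer
+
+# Cannot assume buildkit, hence no chmod
+COPY --from=builder --chown=${USER}:${USER} /usr/src/web3signer/build/install/web3signer/. /opt/web3signer/
+COPY --chown=${USER}:${USER} ./docker-entrypoint.sh /usr/local/bin/
+# Belt and suspenders
+RUN chmod -R 755 /usr/local/bin/*
+
+USER ${USER}
+
+ENTRYPOINT ["docker-entrypoint.sh", "/opt/web3signer/bin/web3signer"]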
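Review bot: `TARGET=$(eval echo "$CLEANED")` in the builder stage executes whatever arrives in `BUILD_TARGET` as shell at image-build time; that is intended so the compose fallback `$(git describe ...)` resolves, but it makes the build arg a command-injection surface and deserves a comment such as `# BUILD_TARGET is eval'd: it must only ever come from the operator's own .env` above the line. The build log then prints only the requested ref (`echo "Build $TARGET from $SRC_REPO"`), never the commit actually checked out from a moving branch or a PR head, so adding `git rev-parse HEAD` right after the `if`/`else` checkout block records exactly what went into the signer image. The runtime stage also installs `git` and `git-lfs` into the JRE image; if `docker-entrypoint.sh` depends on them that is fine, but a comment naming the consumer would stop a future cleanup from dropping them.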
25 changes: 25 additions & 0 deletions web3signer/docker-entrypoint-flyway.sh
@@ -1,6 +1,9 @@
#!/bin/bash
set -Eeu

# Permissions
mkdir -p /var/lib/web3signer/keys && chown -R 10000:10000 /var/lib/web3signer

# Configuration
db_url="postgresql://postgres:postgres@${PG_ALIAS}:5432/web3signer"
check_query="SELECT 1 FROM pg_database WHERE datname = current_database() AND datcollversion <> (SELECT collversion FROM pg_collation WHERE collname = 'en_US.utf8' LIMIT 1);"
Expand Down Expand Up @@ -49,4 +52,26 @@ if [[ -f "${data_dir}/PG_VERSION" ]]; then
fi
fi

if [[ -f /var/lib/web3signer/.migration_fatal_error ]]; then
echo "An error occurred during \"ethd update\" and slashing protection database migration, that makes it unsafe to start Web3signer."
echo "Until this is manually remedied, Web3signer will refuse to start up."
echo "Aborting."
echo
echo "If this issue has since been resolved, you can remove the \".migration_fatal_error\" marker file in Web3signer's"
echo "Docker volume."
echo
echo "ONLY remove the marker file if the issue has been resolved. You risk slashing otherwise."
sleep 30
exit 1
fi

if [[ -f /var/lib/web3signer/.migration_error ]]; then
echo "An error occurred during \"ethd update\", while switching to a new version of PostgreSQL."
echo "Web3signer will start, but won't work until PostgreSQL's version matches the slashing protection database"
echo "version."
echo
echo "If this issue has since been resolved, you can remove the \".migration_error\" marker file in Web3signer's"
echo "Docker volume."
fi

exec "$@"
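Review bot: The new `chown -R 10000:10000 /var/lib/web3signer` hard-codes the signer UID a third time (Dockerfile.source takes it as `ARG UID=10000`, web3signer.yml sets `user: 10000:10000`) and nothing ties the three together, so a future remap in one place would leave the keys directory unreadable; `# UID must match 'user:' for the web3signer service in web3signer.yml` above the mkdir line makes the coupling visible. The `sleep 30` before `exit 1` in the `.migration_fatal_error` branch presumably exists so the message stays readable and a restart policy does not spin; `# pause so the error is visible and a restart policy does not hot-loop` would state that intent. The script's head and tail are in the hunks, but the PostgreSQL version handling between them is not.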