Add diag image for docker (#633)

stdevMac · web-flow · commit 37b367cc4f49 · 2026-02-10T21:46:41.000+04:00
* feat: add diag image for docker

* fix: update dockerignore

* fix: update trivy to not run in diag
diff --git a/.dockerignore b/.dockerignore
@@ -145,4 +145,10 @@ arbitrum-nitro-testnode/
 **/test-data/
 **/test-vectors/
 **/large-files/
-**/sample-data/ 
+**/sample-data/
+
+# Re-include scripts needed for Docker builds (must be at end to override earlier exclusions)
+!scripts/
+!scripts/build/
+!scripts/build/*
+!scripts/diag-entrypoint.sh
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -14,6 +14,8 @@ on:
         description: Dockerfile
         required: true
         default: Dockerfile
+        type: choice
+        options: [Dockerfile, Dockerfile.diag]
       build-config:
         description: Build configuration
         required: true
@@ -46,9 +48,11 @@ jobs:
     with:
       runner: ${{ matrix.runner }}
       group_name: core
-      image_name: ${{ github.event.inputs.image-name }}
-      dockerfile_path: ${{ github.event.inputs.dockerfile }}
+      image_name: ${{ inputs.image-name }}
+      dockerfile_path: ${{ inputs.dockerfile }}
       platforms: ${{ matrix.platform }}
+      # Skip Trivy for diagnostic image - JetBrains tools have transitive dependency CVEs we cannot fix
+      run_trivy: ${{ inputs.dockerfile == 'Dockerfile' }}
       pre_build_script: |
         sudo rm -rf /usr/share/dotnet
         sudo rm -rf /opt/ghc
@@ -63,11 +67,11 @@ jobs:
         docker system prune -af --volumes
         df -h
       docker_build_args: |
-        BUILD_CONFIG=${{ github.event.inputs.build-config }}
+        BUILD_CONFIG=${{ inputs.build-config }}
         BUILD_TIMESTAMP=${{ github.run_number }}
         CI=true
         COMMIT_HASH=${{ github.sha }}
-      additional_tags: ${{ github.event.inputs.tag }}${{ matrix.arch_suffix }}
+      additional_tags: ${{ inputs.tag }}${{ matrix.arch_suffix }}
 
   Create-Manifest:
     name: Create multi-arch manifest
@@ -90,9 +94,11 @@ jobs:
           password: ${{ steps.jfrog.outputs.oidc-token }}
 
       - name: Create and push multi-arch manifest
+        env:
+          IMAGE_NAME: ${{ inputs.image-name }}
+          TAG: ${{ inputs.tag }}
         run: |
-          IMAGE_BASE="nethermind.jfrog.io/core-oci-local-dev/${{ github.event.inputs.image-name }}"
-          TAG="${{ github.event.inputs.tag }}"
+          IMAGE_BASE="nethermind.jfrog.io/core-oci-local-dev/${IMAGE_NAME}"
           
           echo "🔍 Preparing multi-arch manifest creation..."
           
diff --git a/Dockerfile.diag b/Dockerfile.diag
@@ -0,0 +1,94 @@
+# SPDX-FileCopyrightText: 2025 Demerzel Solutions Limited
+# SPDX-License-Identifier: LGPL-3.0-only
+
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:10.0.100-noble AS build
+
+ARG BUILD_CONFIG=Release
+ARG BUILD_TIMESTAMP
+ARG CI
+ARG COMMIT_HASH
+ARG TARGETARCH
+
+WORKDIR /src
+
+# Copy source files
+COPY src/Nethermind src/Nethermind
+COPY src/Nethermind.Arbitrum src/Nethermind.Arbitrum
+COPY src/Directory.Build.props .
+COPY src/nuget.config .
+
+# Resolve .NET RID architecture from Docker TARGETARCH
+RUN arch=$([ "$TARGETARCH" = "amd64" ] && echo "x64" || echo "$TARGETARCH") && \
+    echo "$arch" > /tmp/dotnet-arch
+
+# Install JetBrains dotMemory (architecture-specific)
+RUN arch=$(cat /tmp/dotnet-arch) && \
+    dotnet add src/Nethermind/src/Nethermind/Nethermind.Runner/Nethermind.Runner.csproj \
+      package JetBrains.dotMemory.Console.linux-$arch --package-directory /tmp/packages
+
+# Build Arbitrum plugin
+RUN arch=$(cat /tmp/dotnet-arch) && \
+    dotnet publish src/Nethermind.Arbitrum/Nethermind.Arbitrum.csproj -c $BUILD_CONFIG -a $arch -o /arbitrum-plugin --sc false \
+      -p:BuildTimestamp=$BUILD_TIMESTAMP -p:Commit=$COMMIT_HASH -p:DeterministicSourcePaths=false
+
+# Build main Nethermind Runner
+RUN arch=$(cat /tmp/dotnet-arch) && \
+    dotnet publish src/Nethermind/src/Nethermind/Nethermind.Runner/Nethermind.Runner.csproj -c $BUILD_CONFIG -a $arch -o /publish --sc false \
+      -p:BuildTimestamp=$BUILD_TIMESTAMP -p:Commit=$COMMIT_HASH -p:DeterministicSourcePaths=false
+
+# Copy Arbitrum plugin to plugins directory
+RUN mkdir -p /publish/plugins && \
+    cp /arbitrum-plugin/Nethermind.Arbitrum.* /publish/plugins/
+
+# Copy Stylus native libraries to maintain relative structure from plugin assembly
+RUN mkdir -p /publish/plugins/Arbos/Stylus && \
+    cp -r /arbitrum-plugin/Arbos/Stylus/runtimes /publish/plugins/Arbos/Stylus/ && \
+    echo "Stylus libraries copied:" && \
+    find /publish/plugins/Arbos/Stylus -name "*.so" -o -name "*.dylib" -o -name "*.dll" | sort
+
+# Copy configuration files
+COPY src/Nethermind.Arbitrum/Properties/configs /publish/configs
+COPY src/Nethermind.Arbitrum/Properties/chainspec /publish/chainspec
+
+# Create data directory
+RUN mkdir -p /publish/data
+
+# Install diagnostic tools
+RUN dotnet tool install -g dotnet-dump && \
+    dotnet tool install -g dotnet-gcdump && \
+    dotnet tool install -g dotnet-trace && \
+    dotnet tool install -g JetBrains.dotTrace.GlobalTools
+
+FROM mcr.microsoft.com/dotnet/aspnet:10.0.0-noble
+
+# Fix CVE-2025-68973 - Update gpgv package
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends gpgv=2.4.4-2ubuntu17.4 && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /nethermind
+
+VOLUME /nethermind/diag
+VOLUME /nethermind/keystore
+VOLUME /nethermind/logs
+VOLUME /nethermind/nethermind_db
+
+# Expose ports for JSON-RPC, Engine API, and metrics
+EXPOSE 8545 8551 6060
+
+# Copy application from build stage
+COPY --from=build /publish .
+
+# Copy diagnostic tools
+COPY --from=build /root/.dotnet/tools /opt/diag-tools
+COPY --from=build /tmp/packages/jetbrains.dotmemory.console.*/**/tools /opt/diag-tools/dotmemory
+
+# Copy diagnostic entrypoint script
+COPY --chmod=0755 scripts/diag-entrypoint.sh entrypoint.sh
+
+ENV PATH="$PATH:/opt/diag-tools:/opt/diag-tools/dotmemory"
+
+STOPSIGNAL SIGINT
+
+ENTRYPOINT ["./entrypoint.sh"]
diff --git a/scripts/diag-entrypoint.sh b/scripts/diag-entrypoint.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: 2025 Demerzel Solutions Limited
+# SPDX-License-Identifier: LGPL-3.0-only
+
+set -eo pipefail
+
+start_dotmemory() {
+  echo "Starting dotMemory..."
+
+  exec dotmemory start \
+    --save-to-dir=/nethermind/diag/dotmemory \
+    --service-output \
+    ./nethermind -- "$@"
+}
+
+start_dotnet_trace() {
+  echo "Starting dotnet-trace..."
+
+  exec dotnet-trace collect \
+    -o /nethermind/diag/dotnet.nettrace \
+    --show-child-io \
+    -- ./nethermind "$@"
+}
+
+start_dottrace() {
+  echo "Starting dotTrace..."
+
+  exec dottrace start \
+    --framework=netcore \
+    --profiling-type=timeline \
+    --propagate-exit-code \
+    --save-to=/nethermind/diag/dottrace \
+    --service-output=on \
+    -- ./nethermind "$@"
+}
+
+case "$DIAG_WITH" in
+  "")
+    exec ./nethermind "$@"
+    ;;
+  dotmemory)
+    start_dotmemory "$@"
+    ;;
+  dotnet-trace)
+    start_dotnet_trace "$@"
+    ;;
+  dottrace)
+    start_dottrace "$@"
+    ;;
+  *)
+    printf '\e[31mUnknown DIAG_WITH value: %q\e[0m\n' "$DIAG_WITH" >&2
+    exit 2
+    ;;
+esac
