From aa3ccdccece0d283ea2c4795ceb5ec210d236726 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 7 Jul 2025 16:00:00 +0200 Subject: [PATCH 01/12] Add debug containers --- docker-compose-testnet.yml | 80 ++++++++++++++++++++++++++++++++++++++ docker-compose.yml | 80 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 160 insertions(+) diff --git a/docker-compose-testnet.yml b/docker-compose-testnet.yml index d59b2fa..176e54e 100644 --- a/docker-compose-testnet.yml +++ b/docker-compose-testnet.yml @@ -11,6 +11,22 @@ services: - bitcoin-testnet-data:/opt/bitcoin/.bitcoin/db - ./config-testnet/bitcoin/bitcoin.conf:/opt/bitcoin/.bitcoin/bitcoin.conf + bitcoin-debug: + image: debian:12 + pid: service:bitcoin + network_mode: service:bitcoin + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - bitcoin + profiles: + - debug + litecoin: image: flarefoundation/litecoin:0.21.3 restart: on-failure:3 @@ -23,6 +39,22 @@ services: - litecoin-testnet-data:/opt/litecoin/.litecoin/db - ./config-testnet/litecoin/litecoin.conf:/opt/litecoin/.litecoin/litecoin.conf + litecoin-debug: + image: debian:12 + pid: service:litecoin + network_mode: service:litecoin + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - litecoin + profiles: + - debug + dogecoin: image: flarefoundation/dogecoin:1.14.9 restart: on-failure:3 
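Review bot: `privileged: true` on bitcoin-debug and litecoin-debug hands the sidecar every capability and every host device, while the tools it installs need far less: `strace` and reading `/proc/1/root` need ptrace access to the node process (CAP_SYS_PTRACE, since the PID namespace is shared) and `tcpdump` needs CAP_NET_RAW/CAP_NET_ADMIN. Because the sidecar also shares the node's PID and network namespaces, a privileged shell here is effectively root on the host, and the `debug` profile only stops it from starting by default, it does not limit what it can do once started. I would replace the line with `cap_add: [SYS_PTRACE, NET_RAW, NET_ADMIN]` and, only if the host's AppArmor/seccomp profile still blocks ptrace, add `security_opt: ["apparmor:unconfined"]` as a much narrower escape hatch than `privileged`. The same applies to every other `-debug` service in this patch.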
@@ -35,6 +67,22 @@ services: - dogecoin-testnet-data:/opt/dogecoin/.dogecoin/db - ./config-testnet/dogecoin/dogecoin.conf:/opt/dogecoin/.dogecoin/dogecoin.conf + dogecoin-debug: + image: debian:12 + pid: service:dogecoin + network_mode: service:dogecoin + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - dogecoin + profiles: + - debug + rippled: image: flarefoundation/rippled:2.4.0 restart: on-failure:3 @@ -52,6 +100,22 @@ services: - ./config-testnet/ripple/rippled.conf:/opt/ripple/.ripple/rippled.conf - ./config-testnet/ripple/validators.txt:/opt/ripple/.ripple/validators.txt + rippled-debug: + image: debian:12 + pid: service:rippled + network_mode: service:rippled + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - rippled + profiles: + - debug + algorand: image: flarefoundation/algorand:4.1.2 ports: @@ -64,6 +128,22 @@ services: - ./config-testnet/algorand/config.json:/opt/algorand/.algorand/config.json - ./config-testnet/algorand/algod.token:/opt/algorand/.algorand/algod.token + algorand-debug: + image: debian:12 + pid: service:algorand + network_mode: service:algorand + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - algorand + profiles: + - debug + volumes: bitcoin-testnet-data: litecoin-testnet-data: diff --git a/docker-compose.yml b/docker-compose.yml index c6740c9..5c08548 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
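Review bot: dogecoin-debug, rippled-debug and algorand-debug in this hunk are byte-for-byte copies of the earlier debug services apart from the service name, so any later change to the sidecar (a different image, a capability list, an extra tool) has to be applied in five places per compose file and will drift. Compose honours YAML anchors and top-level `x-` extension fields, so the shared part can be declared once and merged into each sidecar, leaving only the namespace and dependency lines per service. I have kept `privileged: true` in the shared block only because that is what the hunk has; the excerpt below shows the shape.
```yaml
# top-level, beside `services:` (Compose ignores x- extension fields themselves)
x-debug: &debug
  image: debian:12
  privileged: true
  command: |
    bash -c "
    apt-get update &&
    apt-get install -y curl jq netcat-openbsd tcpdump strace &&
    sleep infinity
    "
  profiles:
    - debug

services:
  # … unchanged: dogecoin, rippled, algorand node services …
  dogecoin-debug:
    <<: *debug
    pid: service:dogecoin
    network_mode: service:dogecoin
    depends_on:
      - dogecoin
  # rippled-debug and algorand-debug follow the same five-line pattern
```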
@@ -10,6 +10,22 @@ services: - bitcoin-data:/opt/bitcoin/.bitcoin/db - ./config/bitcoin/bitcoin.conf:/opt/bitcoin/.bitcoin/bitcoin.conf + bitcoin-debug: + image: debian:12 + pid: service:bitcoin + network_mode: service:bitcoin + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - bitcoin + profiles: + - debug + litecoin: image: flarefoundation/litecoin:0.21.3 restart: on-failure:3 @@ -21,6 +37,22 @@ services: - litecoin-data:/opt/litecoin/.litecoin/db - ./config/litecoin/litecoin.conf:/opt/litecoin/.litecoin/litecoin.conf + litecoin-debug: + image: debian:12 + pid: service:litecoin + network_mode: service:litecoin + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - litecoin + profiles: + - debug + dogecoin: image: flarefoundation/dogecoin:1.14.9 restart: on-failure:3 @@ -32,6 +64,22 @@ services: - dogecoin-data:/opt/dogecoin/.dogecoin/db - ./config/dogecoin/dogecoin.conf:/opt/dogecoin/.dogecoin/dogecoin.conf + dogecoin-debug: + image: debian:12 + pid: service:dogecoin + network_mode: service:dogecoin + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - dogecoin + profiles: + - debug + rippled: image: flarefoundation/rippled:2.4.0 restart: on-failure:3 
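Review bot: every start of bitcoin-debug (and of the other `-debug` services in this hunk) runs `apt-get update && apt-get install` inside the sidecar, so the tool set is fetched from the Debian mirrors at run time, from a mutable `debian:12` tag, through the node's own network namespace (`network_mode: service:bitcoin`). That makes the debug environment different on every run, requires outbound access from the node's namespace, and means a mirror or DNS hiccup leaves the sidecar half-installed with no `restart` policy to retry. I would build the tools into a dedicated image once, pin it by digest, and reduce the service to `image: <registry>/distroless-debug@sha256:…` with `command: ["sleep", "infinity"]`; if the inline install is kept, at least pin `debian:12@sha256:…` so the starting point is reproducible.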
@@ -49,6 +97,22 @@ services: - ./config/ripple/rippled.conf:/opt/ripple/.ripple/rippled.conf - ./config/ripple/validators.txt:/opt/ripple/.ripple/validators.txt + rippled-debug: + image: debian:12 + pid: service:rippled + network_mode: service:rippled + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - rippled + profiles: + - debug + algorand: image: flarefoundation/algorand:4.1.2 ports: @@ -62,6 +126,22 @@ services: - ./config/algorand/config.json:/opt/algorand/.algorand/config.json - ./config/algorand/algod.token:/opt/algorand/.algorand/algod.token + algorand-debug: + image: debian:12 + pid: service:algorand + network_mode: service:algorand + privileged: true + command: | + bash -c " + apt-get update && + apt-get install -y curl jq netcat-openbsd tcpdump strace && + sleep infinity + " + depends_on: + - algorand + profiles: + - debug + volumes: bitcoin-data: litecoin-data: From 508cf204e239ce52783780c2b90ea02d03950da5 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 7 Jul 2025 16:00:51 +0200 Subject: [PATCH 02/12] Add debug containers instructions --- README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README.md b/README.md index 74632cf..f3e9b18 100644 --- a/README.md +++ b/README.md 
@@ -70,6 +70,34 @@ docker compose stop bitcoin You can check the bootstrap process with the `hc.sh` script. `./hc ` +# Debugging + +Distroless images do not contain a shell to run commands for debugging. Sidecar debug containers, attached to the main container through shared namespaces, need to be used. + +All containers: +``` +docker compose --profile debug up -d +``` + +Single container: +``` +docker compose up -d bitcoin-debug +``` + +Example commands: +``` +# show processes of main and debug container +docker compose exec bitcoin-debug ps aux + +# show contents of PID 1 (main container process) root directory +docker compose exec bitcoin-debug ls -lha /proc/1/root/ + +# show contents of bitcoin node directory +docker compose exec bitcoin-debug ls -lha /proc/1/root/opt/bitcoin/ +``` + +Add tools by specifying them in `docker-compose.yml` `-debug` services or use your own debugging image. + # Logs ``` From 1e1fa9ec60b4c7e256f1392fa0b2a7d1acb67848 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Tue, 8 Jul 2025 15:18:22 +0200 Subject: [PATCH 03/12] Add debugging image --- images/debug/Dockerfile | 18 ++++++++++++++++++ images/debug/build.sh | 1 + 2 files changed, 19 insertions(+) create mode 100644 images/debug/Dockerfile create mode 100755 images/debug/build.sh diff --git a/images/debug/Dockerfile b/images/debug/Dockerfile new file mode 100644 index 0000000..a50759d --- /dev/null +++ b/images/debug/Dockerfile @@ -0,0 +1,18 @@ +# syntax=docker/dockerfile:1.3-labs +FROM debian:12 as final + +RUN apt-get update && apt-get install -y \ + curl \ + jq \ + procps \ + netcat-openbsd \ + tcpdump \ + strace \ + net-tools \ + iproute2 \ + vim \ + nano \ + less \ + tree + +ENTRYPOINT ["/bin/bash"] \ No newline at end of file diff --git a/images/debug/build.sh b/images/debug/build.sh new file mode 100755 index 0000000..128da07 --- /dev/null +++ b/images/debug/build.sh @@ -0,0 +1 @@ +docker build -t flarefoundation/distroless-debug:1.0.0 . 
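Review bot: the `RUN apt-get install -y …` layer in the new Dockerfile pulls in recommended packages and leaves `/var/lib/apt/lists` in the image, which inflates a tools-only image and ships package metadata nothing uses; change the first line to `RUN apt-get update && apt-get install -y --no-install-recommends \` and end the list with `tree \` followed by `&& rm -rf /var/lib/apt/lists/*`. There is no `USER` instruction, so the image presumably runs as root; if that is deliberate because the tools need ptrace and raw sockets in the attached namespaces, a one-line comment (`# runs as root on purpose: strace/tcpdump against the attached node need it`) would stop a later reviewer from "fixing" it. `FROM debian:12 as final` names a stage in a single-stage build, which is harmless but implies a multi-stage layout that is not there.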
From 46334214f2f7581300f39c5027922f5916632357 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Tue, 8 Jul 2025 15:18:56 +0200 Subject: [PATCH 04/12] Update debugging instructions --- README.md | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index f3e9b18..e35c7f8 100644 --- a/README.md +++ b/README.md @@ -74,29 +74,34 @@ You can check the bootstrap process with the `hc.sh` script. `./hc --pid=container: \ + flarefoundation/distroless-debug:1.0.0 ``` Example commands: ``` +# attach to running bitcoin node's namespaces +# and open an interactive terminal +docker run \ + --rm -it --privileged \ + --net=container:bitcoin --pid=container:bitcoin \ + flarefoundation/distroless-debug:1.0.0 + # show processes of main and debug container -docker compose exec bitcoin-debug ps aux +ps aux # show contents of PID 1 (main container process) root directory -docker compose exec bitcoin-debug ls -lha /proc/1/root/ +ls -lha /proc/1/root/ # show contents of bitcoin node directory -docker compose exec bitcoin-debug ls -lha /proc/1/root/opt/bitcoin/ +ls -lha /proc/1/root/opt/bitcoin/ ``` -Add tools by specifying them in `docker-compose.yml` `-debug` services or use your own debugging image. +Add tools by specifying them in `./images/debug/Dockerfile` or use your own debugging image. # Logs From b05e6b761ad7064061bcb3d372fc7b260c628e2d Mon Sep 17 00:00:00 2001 From: Benjamin Date: Tue, 8 Jul 2025 15:23:34 +0200 Subject: [PATCH 05/12] Remove debug services, add container names to nodes --- docker-compose-testnet.yml | 85 +++----------------------------------- docker-compose.yml | 85 +++----------------------------------- 2 files changed, 10 insertions(+), 160 deletions(-) diff --git a/docker-compose-testnet.yml b/docker-compose-testnet.yml index 176e54e..208d6bc 100644 --- a/docker-compose-testnet.yml +++ b/docker-compose-testnet.yml 
@@ -1,5 +1,6 @@ services: bitcoin: + container_name: bitcoin image: flarefoundation/bitcoin:29.0 restart: on-failure:3 environment: @@ -11,23 +12,8 @@ services: - bitcoin-testnet-data:/opt/bitcoin/.bitcoin/db - ./config-testnet/bitcoin/bitcoin.conf:/opt/bitcoin/.bitcoin/bitcoin.conf - bitcoin-debug: - image: debian:12 - pid: service:bitcoin - network_mode: service:bitcoin - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - bitcoin - profiles: - - debug - litecoin: + container_name: litecoin image: flarefoundation/litecoin:0.21.3 restart: on-failure:3 environment: @@ -39,23 +25,8 @@ services: - litecoin-testnet-data:/opt/litecoin/.litecoin/db - ./config-testnet/litecoin/litecoin.conf:/opt/litecoin/.litecoin/litecoin.conf - litecoin-debug: - image: debian:12 - pid: service:litecoin - network_mode: service:litecoin - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - litecoin - profiles: - - debug - dogecoin: + container_name: dogecoin image: flarefoundation/dogecoin:1.14.9 restart: on-failure:3 environment: @@ -67,23 +38,8 @@ services: - dogecoin-testnet-data:/opt/dogecoin/.dogecoin/db - ./config-testnet/dogecoin/dogecoin.conf:/opt/dogecoin/.dogecoin/dogecoin.conf - dogecoin-debug: - image: debian:12 - pid: service:dogecoin - network_mode: service:dogecoin - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - dogecoin - profiles: - - debug - rippled: + container_name: rippled image: flarefoundation/rippled:2.4.0 restart: on-failure:3 environment: 
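Review bot: `container_name: bitcoin` (and the other four fixed names) is set identically in docker-compose-testnet.yml here and in docker-compose.yml later in the same patch, so the mainnet and testnet stacks can no longer run on the same host: the second `up` fails with a name conflict on the first container it creates. A fixed name is only needed so `docker run --net=container:<name>` resolves, so either suffix the testnet names (`container_name: bitcoin-testnet`) or drop the field and have the docs use the Compose-derived name (`<project>-bitcoin-1`). `container_name` also disables `--scale` for the service, which is probably fine for a node but worth a comment.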
@@ -100,23 +56,8 @@ services: - ./config-testnet/ripple/rippled.conf:/opt/ripple/.ripple/rippled.conf - ./config-testnet/ripple/validators.txt:/opt/ripple/.ripple/validators.txt - rippled-debug: - image: debian:12 - pid: service:rippled - network_mode: service:rippled - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - rippled - profiles: - - debug - algorand: + container_name: algorand image: flarefoundation/algorand:4.1.2 ports: - ${BIND_IP}:18080:8080 @@ -128,22 +69,6 @@ services: - ./config-testnet/algorand/config.json:/opt/algorand/.algorand/config.json - ./config-testnet/algorand/algod.token:/opt/algorand/.algorand/algod.token - algorand-debug: - image: debian:12 - pid: service:algorand - network_mode: service:algorand - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - algorand - profiles: - - debug - volumes: bitcoin-testnet-data: litecoin-testnet-data: diff --git a/docker-compose.yml b/docker-compose.yml index 5c08548..b8d2e6d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,6 @@ services: bitcoin: + container_name: bitcoin image: flarefoundation/bitcoin:29.0 restart: on-failure:3 environment: @@ -10,23 +11,8 @@ services: - bitcoin-data:/opt/bitcoin/.bitcoin/db - ./config/bitcoin/bitcoin.conf:/opt/bitcoin/.bitcoin/bitcoin.conf - bitcoin-debug: - image: debian:12 - pid: service:bitcoin - network_mode: service:bitcoin - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - bitcoin - profiles: - - debug - litecoin: + container_name: litecoin image: flarefoundation/litecoin:0.21.3 restart: on-failure:3 environment: 
@@ -37,23 +23,8 @@ services: - litecoin-data:/opt/litecoin/.litecoin/db - ./config/litecoin/litecoin.conf:/opt/litecoin/.litecoin/litecoin.conf - litecoin-debug: - image: debian:12 - pid: service:litecoin - network_mode: service:litecoin - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - litecoin - profiles: - - debug - dogecoin: + container_name: dogecoin image: flarefoundation/dogecoin:1.14.9 restart: on-failure:3 environment: @@ -64,23 +35,8 @@ services: - dogecoin-data:/opt/dogecoin/.dogecoin/db - ./config/dogecoin/dogecoin.conf:/opt/dogecoin/.dogecoin/dogecoin.conf - dogecoin-debug: - image: debian:12 - pid: service:dogecoin - network_mode: service:dogecoin - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - dogecoin - profiles: - - debug - rippled: + container_name: rippled image: flarefoundation/rippled:2.4.0 restart: on-failure:3 environment: @@ -97,23 +53,8 @@ services: - ./config/ripple/rippled.conf:/opt/ripple/.ripple/rippled.conf - ./config/ripple/validators.txt:/opt/ripple/.ripple/validators.txt - rippled-debug: - image: debian:12 - pid: service:rippled - network_mode: service:rippled - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - rippled - profiles: - - debug - algorand: + container_name: algorand image: flarefoundation/algorand:4.1.2 ports: - ${BIND_IP}:6332:8080 
@@ -126,22 +67,6 @@ services: - ./config/algorand/config.json:/opt/algorand/.algorand/config.json - ./config/algorand/algod.token:/opt/algorand/.algorand/algod.token - algorand-debug: - image: debian:12 - pid: service:algorand - network_mode: service:algorand - privileged: true - command: | - bash -c " - apt-get update && - apt-get install -y curl jq netcat-openbsd tcpdump strace && - sleep infinity - " - depends_on: - - algorand - profiles: - - debug - volumes: bitcoin-data: litecoin-data: From 32062b8e4c1e349dc4ba8a3ee5a4ad4de06a6a70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20=C5=A0kiljan?= Date: Fri, 8 Aug 2025 10:36:09 +0200 Subject: [PATCH 06/12] pin image to hash --- images/debug/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/debug/Dockerfile b/images/debug/Dockerfile index a50759d..227d80e 100644 --- a/images/debug/Dockerfile +++ b/images/debug/Dockerfile @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1.3-labs -FROM debian:12 as final +FROM debian:12@sha256:b6507e340c43553136f5078284c8c68d86ec8262b1724dde73c325e8d3dcdeba as final RUN apt-get update && apt-get install -y \ curl \ From d4295e561ef0cea0a14f3f15c0271de7d0329d79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20=C5=A0kiljan?= Date: Mon, 11 Aug 2025 16:47:14 +0200 Subject: [PATCH 07/12] add debug image release pipeline and instructions --- .github/workflows/release-debug.yml | 99 +++++++++++++++++++++++++++++ README.md | 13 +++- 2 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/release-debug.yml diff --git a/.github/workflows/release-debug.yml b/.github/workflows/release-debug.yml new file mode 100644 index 0000000..54b2a36 --- /dev/null +++ b/.github/workflows/release-debug.yml 
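Review bot: the commit pins the `FROM` base by digest but leaves `# syntax=docker/dockerfile:1.3-labs` on the line above it, and that directive is also an image BuildKit pulls at build time, so the build still depends on a mutable tag. I can see no heredoc or other labs-only syntax in the file, so `# syntax=docker/dockerfile:1` (or `docker/dockerfile:1@sha256:…`, pinned the same way as the base) is enough. A short comment beside the digest saying which `debian:12` build it corresponds to, and whether it is an index digest or an architecture-specific manifest digest, would help whoever bumps it next.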
@@ -0,0 +1,99 @@ +name: release debugging image + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + push: + tags: + - "**" + paths: + - images/debug + pull_request: + branches: [ "main" ] + paths: + - images/debug + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + IMAGE_NAME: flarefoundation/distroless-debug + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 + with: + cosign-release: 'v2.5.3' + + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + 
type=ref,event=tag + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: images/debug + file: Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} \ No newline at end of file diff --git a/README.md b/README.md index e35c7f8..5dd8af6 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ Attaching a debug container: docker run \ --rm -it --privileged \ --net=container: --pid=container: \ - flarefoundation/distroless-debug:1.0.0 + ghcr.io/flare-foundation/flarefoundation/distroless-debug:1.0.0 ``` Example commands: 
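Review bot: `uses: actions/checkout@v4` is the only action in the new workflow not pinned to a commit SHA, while cosign-installer, setup-buildx, login, metadata and build-push are all pinned with a `# vX.Y.Z` comment; pin it the same way (`uses: actions/checkout@<sha> # v4.x.y`), since this job holds `packages: write` and `id-token: write` and signs whatever it builds. The `paths:` filters use `images/debug` without a glob, which as a GitHub path pattern matches only that exact path and not `images/debug/Dockerfile`, so the `pull_request` trigger likely never fires; `images/debug/**` is what is meant. As far as I recall, `paths` is also not evaluated for tag pushes at all, so with `tags: ["**"]` every tag in the repository, related to the debug image or not, builds, pushes and signs an image; a tag prefix such as `debug-v*` would scope it.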
@@ -89,7 +89,7 @@ Example commands: docker run \ --rm -it --privileged \ --net=container:bitcoin --pid=container:bitcoin \ - flarefoundation/distroless-debug:1.0.0 + ghcr.io/flare-foundation/flarefoundation/distroless-debug:1.0.0 # show processes of main and debug container ps aux @@ -103,6 +103,15 @@ ls -lha /proc/1/root/opt/bitcoin/ Add tools by specifying them in `./images/debug/Dockerfile` or use your own debugging image. +## Releasing debug image with Github Actions + +Add a tag to trigger the release pipeline. The tagged commit needs to have made changes to images/debug directory. Pull requests also trigger the build pipeline, but do not push the image to registry. + +``` +git tag -a -m "" +git push origin +``` + # Logs ``` From c5d90f82098e5410cf8ded9945911e3475667740 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20=C5=A0kiljan?= Date: Tue, 12 Aug 2025 15:56:10 +0200 Subject: [PATCH 08/12] add image version --- images/debug/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/images/debug/Dockerfile b/images/debug/Dockerfile index 227d80e..9acd16e 100644 --- a/images/debug/Dockerfile +++ b/images/debug/Dockerfile @@ -1,6 +1,8 @@ # syntax=docker/dockerfile:1.3-labs FROM debian:12@sha256:b6507e340c43553136f5078284c8c68d86ec8262b1724dde73c325e8d3dcdeba as final +ARG VERSION=v1.0.0 + RUN apt-get update && apt-get install -y \ curl \ jq \ From ed2e5827e02a7b5d863fffacd93da5dac1ce942e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20=C5=A0kiljan?= Date: Tue, 12 Aug 2025 15:56:57 +0200 Subject: [PATCH 09/12] add debug image release pipeline and instructions --- .github/workflows/release-debug.yml | 31 +++++++++++++++++++---------- README.md | 12 ++++++----- 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/.github/workflows/release-debug.yml b/.github/workflows/release-debug.yml index 54b2a36..498be37 100644 --- a/.github/workflows/release-debug.yml +++ b/.github/workflows/release-debug.yml 
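Review bot: `ARG VERSION=v1.0.0` is declared but nothing after it in the Dockerfile references `$VERSION`, so it has no effect on the image being built; presumably it is meant to be read by tooling outside this file. If so, say that in a comment above the line (`# read by the release workflow to tag the image; bump on every change`) and make the value observable in the published artifact with `LABEL org.opencontainers.image.version="${VERSION}"` right after the ARG, so `docker inspect` of a pulled image shows which version it claims to be.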
@@ -1,4 +1,4 @@ -name: release debugging image +name: Release debugging image # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by @@ -7,19 +7,17 @@ name: release debugging image on: push: - tags: - - "**" - paths: - - images/debug + branches: [ "main" ] + tags: [ "*" ] + paths: [ "images/debug/**" ] pull_request: branches: [ "main" ] - paths: - - images/debug + paths: [ "images/debug/**" ] env: # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io - IMAGE_NAME: flarefoundation/distroless-debug + IMAGE_NAME: ${{ github.repository }}/distroless-debug jobs: build: @@ -35,6 +33,17 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + - name: Get image tag + id: get_image_tag + run: | + VERSION=$(grep "^ARG VERSION=" images/debug/Dockerfile \ + | cut -d'=' -f2 \ + | tr -d '"' \ + | tr -d "'" \ + | tr -d [:space:]) + echo $VERSION + echo "image_tag=${VERSION}" >> $GITHUB_OUTPUT + # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign @@ -66,8 +75,11 @@ jobs: uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # tag image with version specified in ARG VERSION in Dockerfile if event is a push + # or with given tag if event is tag tags: | - type=ref,event=tag + type=semver,pattern={{version}},value=${{ steps.get_image_tag.outputs.image_tag }},enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/') }} + type=ref,event=tag,enable=${{ startsWith(github.ref, 'refs/tags/') }} # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action 
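Review bot: in the new `Get image tag` step `tr -d [:space:]` is unquoted, so the shell treats `[:space:]` as a glob and, if the checkout happens to contain a file named `s`, `p`, `a`, `c`, `e` or `:`, substitutes that filename; write `tr -d '[:space:]'` (and `echo "$VERSION"`). Separately, the `type=semver` tag is taken from whatever `ARG VERSION=` says on every push to `main` touching `images/debug/**`, so a commit that changes the Dockerfile without bumping VERSION silently re-pushes and re-signs `1.0.0` over the previously published image — the version tag is mutable. Either fail the step when that tag already exists in the registry, or add `type=sha` alongside it so each build also gets an immutable name the README can reference.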
@@ -76,7 +88,6 @@ jobs: uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: context: images/debug - file: Dockerfile push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} diff --git a/README.md b/README.md index 804b5a7..05ca5da 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ Attaching a debug container: docker run \ --rm -it --privileged \ --net=container: --pid=container: \ - ghcr.io/flare-foundation/flarefoundation/distroless-debug:1.0.0 + ghcr.io/flare-foundation/connected-chains-docker/distroless-debug:1.0.0 ``` Example commands: @@ -94,7 +94,7 @@ Example commands: docker run \ --rm -it --privileged \ --net=container:bitcoin --pid=container:bitcoin \ - ghcr.io/flare-foundation/flarefoundation/distroless-debug:1.0.0 + ghcr.io/flare-foundation/connected-chains-docker/distroless-debug:1.0.0 # show processes of main and debug container ps aux @@ -110,11 +110,13 @@ Add tools by specifying them in `./images/debug/Dockerfile` or use your own debu ## Releasing debug image with Github Actions -Add a tag to trigger the release pipeline. The tagged commit needs to have made changes to images/debug directory. Pull requests also trigger the build pipeline, but do not push the image to registry. +Commits to main with changes to `images/debug/**` context will automatically trigger a rebuild and push of image, with tag sourced from `ARG VERSION=` (suffixes and prefix 'v' allowed) in Dockerfile. + +For development purposes, you can also trigger the pipeline with a custom tag like so (the commit still needs to have made changes to `images/debug/**` context): ``` -git tag -a -m "" -git push origin +git tag -a -m "" +git push origin ``` # Logs From 40f33006133da41162d7d3b6d5d1fe9faf7ecbe3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Benjamin=20=C5=A0kiljan?= Date: Tue, 12 Aug 2025 16:49:49 +0200 Subject: [PATCH 10/12] add image verification --- .github/workflows/release-debug.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-debug.yml b/.github/workflows/release-debug.yml index 498be37..0bb4a49 100644 --- a/.github/workflows/release-debug.yml +++ b/.github/workflows/release-debug.yml @@ -107,4 +107,17 @@ jobs: DIGEST: ${{ steps.build-and-push.outputs.digest }} # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} \ No newline at end of file + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + + - name: Verify ghcr image signatures + if: ${{ github.event_name != 'pull_request' }} + shell: bash + env: + COSIGN_EXPERIMENTAL: 1 + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "${TAGS}" | xargs -I {} cosign verify \ + --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/release-debug.yml@${{ github.ref }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + "{}@${DIGEST}" \ No newline at end of file From f073e7a27788ab7efb1ab0e334b3d4d2a534122c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20=C5=A0kiljan?= Date: Tue, 12 Aug 2025 17:14:59 +0200 Subject: [PATCH 11/12] better :latest control --- .github/workflows/release-debug.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release-debug.yml b/.github/workflows/release-debug.yml index 0bb4a49..12e23fb 100644 --- a/.github/workflows/release-debug.yml +++ b/.github/workflows/release-debug.yml 
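Review bot: the added verify step interpolates `${{ github.repository }}` and `${{ github.ref }}` straight into the `run:` script, which is the pattern the hardening link cited on the sign step just above avoids by routing `TAGS`/`DIGEST` through `env:`. A ref name can carry shell metacharacters (creating one needs push access, so the risk is low, but the inconsistency is confusing), so pass them the same way — `REPO: ${{ github.repository }}` and `REF: ${{ github.ref }}` under `env:`, then `--certificate-identity="https://github.com/${REPO}/.github/workflows/release-debug.yml@${REF}"`. `COSIGN_EXPERIMENTAL: 1` was the cosign v1 switch for keyless mode; with the v2.5.3 release installed earlier in this job keyless verification is the default, so the variable is presumably a no-op and can go. Since the step verifies the digest this same job just signed with the same identity, it is a smoke test rather than an independent check, which deserves a one-line comment so nobody reads it as supply-chain verification of an external image.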
@@ -79,7 +79,10 @@ jobs: # or with given tag if event is tag tags: | type=semver,pattern={{version}},value=${{ steps.get_image_tag.outputs.image_tag }},enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/') }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} type=ref,event=tag,enable=${{ startsWith(github.ref, 'refs/tags/') }} + flavor: | + latest=false # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action From 539539fe5638e27b1ed3cb6dc8bb0de35ec5328f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20=C5=A0kiljan?= Date: Tue, 12 Aug 2025 17:20:47 +0200 Subject: [PATCH 12/12] fix default branch name --- .github/workflows/release-debug.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-debug.yml b/.github/workflows/release-debug.yml index 12e23fb..17dc9d1 100644 --- a/.github/workflows/release-debug.yml +++ b/.github/workflows/release-debug.yml @@ -79,7 +79,7 @@ jobs: # or with given tag if event is tag tags: | type=semver,pattern={{version}},value=${{ steps.get_image_tag.outputs.image_tag }},enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/') }} - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} type=ref,event=tag,enable=${{ startsWith(github.ref, 'refs/tags/') }} flavor: | latest=false