flare-foundation
diff --git a/‎.github/workflows/build-binary.yaml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/build-binary.yaml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/build-container.yml‎
Lines changed: 101 additions & 16 deletions b/‎.github/workflows/build-container.yml‎
Lines changed: 101 additions & 16 deletions
diff --git a/‎Dockerfile‎
Lines changed: 6 additions & 5 deletions b/‎Dockerfile‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎Dockerfile.dless‎
Lines changed: 62 additions & 0 deletions b/‎Dockerfile.dless‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎README-docker.md‎
Lines changed: 25 additions & 22 deletions b/‎README-docker.md‎
Lines changed: 25 additions & 22 deletions
@@ -8,7 +8,7 @@ on:
     tags:
 
 env:
-  go_version: 1.21.8
+  go_version: 1.22.12
 
 jobs:
   build:
@@ -24,7 +24,6 @@ jobs:
       with:
         go-version: ${{ env.go_version }}
 
-
     - run: echo "IMAGE_TAG=dev" >> $GITHUB_ENV
       if: ${{ github.ref_name }} == 'main'
     - run: echo "IMAGE_TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV
@@ -33,6 +32,8 @@ jobs:
     - run: sudo apt-get update -y && sudo apt-get install -y rsync
     - name: build
       id: build
+      env:
+        GOPATH: ${{ github.workspace }}/go              
       run: |
         cd avalanchego
         ./scripts/build.sh
 
@@ -1,47 +1,132 @@
 name: container-images
 
-
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "main", "feature/**" ]
     tags: [ "v*" ]
 
 jobs:
-  build-and-push:
-    runs-on: ubuntu-latest
+  build-and-push-matrix:
+    name: Build & Push Matrix
+    runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
       packages: write
+      id-token: write
+    env:
+      USE_DOCKER_HUB: true
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: docker/setup-qemu-action@v1
-    - uses: docker/setup-buildx-action@v1
+    - uses: docker/setup-qemu-action@v3
+    - uses: docker/setup-buildx-action@v3
 
     - run: echo "IMAGE_TAG=dev" >> $GITHUB_ENV
-      if: github.ref_name == 'main'
+      if: github.ref_name == 'main' || startsWith(github.ref_name, 'feature/')
     - run: echo "IMAGE_TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV
       if: startsWith(github.ref, 'refs/tags/v')
 
     - name: Login to ghcr.io
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Login to docker.io
-      uses: docker/login-action@v2
+      if: ${{ env.USE_DOCKER_HUB == 'true' }}
+      uses: docker/login-action@v3
       with:
         username: ${{ secrets.DOCKER_HUB_UID }}
         password: ${{ secrets.DOCKER_HUB_PAT }}
 
-    - name: Build image
-      run: |        
+    - name: Build standard image
+      run: |
+        TAGS="--tag ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}"
+
+        if [ "${USE_DOCKER_HUB}" = "true" ]; then
+          TAGS="$TAGS --tag ${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}"
+        fi
+
         docker buildx build \
-          --platform linux/amd64,linux/arm64 \
-          --tag ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }} \
-          --tag ${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }} \
+          --platform ${{ matrix.platform }} \
+          $TAGS \
           --file ./Dockerfile \
-          --output type=image,push=true .
+          --output type=image,push=true \
+          .
+
+    - name: Build distroless image
+      run: |
+        TAGS="--tag ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}"
+    
+        if [ "${USE_DOCKER_HUB}" = "true" ]; then
+          TAGS="$TAGS --tag ${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}"
+        fi
+
+        docker buildx build \
+          --platform ${{ matrix.platform }} \
+          $TAGS \
+          --file ./Dockerfile.dless \
+          --output type=image,push=true \
+          .
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3.8.1
+
+    - name: Sign ghcr images
+      shell: bash
+      env:
+        COSIGN_EXPERIMENTAL: 1
+      run: |
+        cosign sign --yes "ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}"
+        cosign sign --yes "ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}-dless"
+    
+    - name: Sign docker hub images
+      if: ${{ env.USE_DOCKER_HUB == 'true' }}
+      shell: bash
+      env:
+        COSIGN_EXPERIMENTAL: 1
+      run: |
+        cosign sign --yes "${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}"
+        cosign sign --yes "${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}-dless"
+
+    - name: Verify ghcr image signatures
+      shell: bash
+      env:
+        COSIGN_EXPERIMENTAL: 1
+      run: |
+        cosign verify \
+          --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          "ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}"
+
+        cosign verify \
+          --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          "ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }}-dless"
+    
+    - name: Verify docker hub image signatures
+      if: ${{ env.USE_DOCKER_HUB == 'true' }}
+      shell: bash
+      env:
+        COSIGN_EXPERIMENTAL: 1
+      run: |
+        cosign verify \
+          --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          "${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}"
+
+        cosign verify \
+          --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/build-container.yml@${{ github.ref }} \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          "${{ secrets.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}-dless"
@@ -1,4 +1,4 @@
-FROM golang:1.21 AS build
+FROM golang:1.22 AS build
 
 RUN apt-get update -y && \
     apt-get install -y rsync
@@ -14,7 +14,7 @@ WORKDIR /app/avalanchego/
 
 RUN /app/avalanchego/scripts/build.sh
 
-FROM ubuntu:24.10
+FROM ubuntu:24.04
 
 WORKDIR /app
 
@@ -32,9 +32,10 @@ ENV HTTP_HOST=0.0.0.0 \
     NETWORK_ID=costwo \
     AUTOCONFIGURE_PUBLIC_IP=1 \
     AUTOCONFIGURE_BOOTSTRAP=1 \
-    AUTOCONFIGURE_BOOTSTRAP_ENDPOINT=https://coston2.flare.network/ext/info \
+    AUTOCONFIGURE_BOOTSTRAP_ENDPOINT=https://coston2-bootstrap.flare.network/ext/info \
     EXTRA_ARGUMENTS="" \
-    BOOTSTRAP_BEACON_CONNECTION_TIMEOUT="1m"
+    BOOTSTRAP_BEACON_CONNECTION_TIMEOUT="1m" \
+    HTTP_ALLOWED_HOSTS="*"
 
 RUN apt-get update -y && \
     apt-get install -y curl jq
@@ -54,4 +55,4 @@ VOLUME [ "${CHAIN_CONFIG_DIR}" ]
 HEALTHCHECK CMD curl --fail http://localhost:${HTTP_PORT}/ext/health || exit 1
 
 ENTRYPOINT [ "/usr/bin/bash" ]
-CMD [ "/app/entrypoint.sh" ]
+CMD [ "/app/entrypoint.sh" ]
@@ -0,0 +1,62 @@
+FROM golang:1.22 AS build
+
+RUN apt-get update -y && \
+    apt-get install -y rsync
+
+WORKDIR /app/
+
+COPY ./.git /app/.git
+COPY ./avalanchego /app/avalanchego
+COPY ./config /app/config
+COPY ./coreth /app/coreth
+
+WORKDIR /app/avalanchego/
+
+RUN /app/avalanchego/scripts/build.sh
+
+RUN mkdir -p /app/conf/coston /app/conf/C /app/logs /app/db
+
+WORKDIR /entrypoint
+COPY entrypoint/main.go .
+RUN go build -ldflags="-s -w" -o /out/entrypoint main.go
+
+FROM gcr.io/distroless/base:nonroot AS final
+
+USER nonroot
+
+WORKDIR /app
+
+ENV HTTP_HOST=0.0.0.0 \
+    HTTP_PORT=9650 \
+    STAKING_PORT=9651 \
+    PUBLIC_IP= \
+    DB_DIR=/app/db \
+    DB_TYPE=leveldb \
+    BOOTSTRAP_IPS= \
+    BOOTSTRAP_IDS= \
+    CHAIN_CONFIG_DIR=/app/conf \
+    LOG_DIR=/app/logs \
+    LOG_LEVEL=info \
+    NETWORK_ID=costwo \
+    AUTOCONFIGURE_PUBLIC_IP=1 \
+    AUTOCONFIGURE_BOOTSTRAP=1 \
+    AUTOCONFIGURE_BOOTSTRAP_ENDPOINT=https://coston2-bootstrap.flare.network/ext/info \
+    EXTRA_ARGUMENTS="" \
+    BOOTSTRAP_BEACON_CONNECTION_TIMEOUT="1m" \
+    HTTP_ALLOWED_HOSTS="*"
+
+COPY --from=build --chown=nonroot:nonroot /app/conf /app/conf
+COPY --from=build --chown=nonroot:nonroot /app/logs /app/logs
+COPY --from=build --chown=nonroot:nonroot /app/db   /app/db
+
+COPY --from=build --chown=nonroot:nonroot /app/avalanchego/build /app/build
+COPY --from=build --chown=nonroot:nonroot /out/entrypoint /app/entrypoint
+
+EXPOSE ${STAKING_PORT}
+EXPOSE ${HTTP_PORT}
+
+VOLUME [ "${DB_DIR}" ]
+VOLUME [ "${LOG_DIR}" ]
+VOLUME [ "${CHAIN_CONFIG_DIR}" ]
+
+ENTRYPOINT [ "/app/entrypoint" ]
@@ -1,13 +1,17 @@
-# Flare & Coston2
+# go-flare
 
-Docker image for the Flare & Coston2 node implementation found on [github](https://github.com/flare-foundation/go-flare).
+Docker images for the go-flare node implementation found at [github](https://github.com/flare-foundation/go-flare).
+
+## Variants
+Images with `-dless` postfix are build using distroless base and are rootless.  
+Process runs under user `nonroot` with UID `65532`. You should chown your volume mounts to match this UID using `chown -R 65532:65532 /mnt/my/db`.
 
 ## Quickstart
 
 ```sh
 docker run -d \
 	-p 9650-9651:9650-9651 \
-	flarefoundation/flare:latest
+	flarefoundation/go-flare:<version>
 ```
 
 <b>Currently the default network is `costwo` but you can change that by providing a `NETWORK_ID` environment variable (i.e. `NETWORK_ID=flare`).</b>
@@ -53,9 +57,10 @@ These are the environment variables you can edit and their default values:
 | `NETWORK_ID` | `costwo` | The network id. The common ids are `flare \| costwo` |
 | `AUTOCONFIGURE_PUBLIC_IP` | `0` | Set to `1` to autoconfigure `PUBLIC_IP`, skipped if PUBLIC_IP is set |
 | `AUTOCONFIGURE_BOOTSTRAP` | `0` | Set to `1` to autoconfigure `BOOTSTRAP_IPS` and `BOOTSTRAP_IDS` |
-| `AUTOCONFIGURE_BOOTSTRAP_ENDPOINT` | `https://coston2.flare.network/ext/info` | Endpoint used for [bootstrapping](https://docs.avax.network/nodes/maintain/avalanchego-config-flags#bootstrapping) when `AUTOCONFIGURE_BOOTSTRAP` is enabled. Possible values are `https://coston2.flare.network/ext/info` or `https://flare.flare.network/ext/info`. |
+| `AUTOCONFIGURE_BOOTSTRAP_ENDPOINT` | `https://coston2-bootstrap.flare.network/ext/info` | Endpoint used for [bootstrapping](https://docs.avax.network/nodes/maintain/avalanchego-config-flags#bootstrapping) when `AUTOCONFIGURE_BOOTSTRAP` is enabled. Possible values are `https://coston2-bootstrap.flare.network/ext/info`, `https://flare-bootstrap.flare.network/ext/info`, `https://coston-bootstrap.flare.network/ext/info` or `https://songbird-bootstrap.flare.network/ext/info`. |
 | `AUTOCONFIGURE_FALLBACK_ENDPOINTS` | _(empty)_ | Comma-divided fallback bootstrap endpoints, used if `AUTOCONFIGURE_BOOTSTRAP_ENDPOINT` is not valid (not whitelisted / unreachable / etc), tested from first-to-last until one is valid |
 | `BOOTSTRAP_BEACON_CONNECTION_TIMEOUT` | `1m` | Set the duration value (eg. `45s` / `5m` / `1h`) for [--bootstrap-beacon-connection-timeout](https://docs.avax.network/nodes/maintain/avalanchego-config-flags#--bootstrap-beacon-connection-timeout-duration) AvalancheGo flag. | 
+| `HTTP_ALLOWED_HOSTS` | `*` | Blocks RPC calls unless they originate from these hostnames. | 
 | `EXTRA_ARGUMENTS` | | Extra arguments passed to flare binary |
 
 
@@ -73,13 +78,13 @@ The external API configuration is set to only respond to API calls so it offload
   "coreth-admin-api-enabled": false,
   "coreth-admin-api-dir": "",
   "eth-apis": [
-    "public-eth",
-    "public-eth-filter",
+    "eth",
+    "eth-filter",
     "net",
     "web3",
-    "internal-public-eth",
-    "internal-public-blockchain",
-    "internal-public-transaction-pool"
+    "internal-eth",
+    "internal-blockchain",
+    "internal-transaction"
   ],
 }
 ```
@@ -94,22 +99,20 @@ Similarly to the external API configuration, this one also responds to API calls
   "coreth-admin-api-enabled": false,
   "coreth-admin-api-dir": "",
   "eth-apis": [
-    "public-eth",
-    "public-eth-filter",
-    "private-admin",
-    "public-debug",
-    "private-debug",
+    "eth",
+    "eth-filter",
+    "admin",
+    "debug",
     "net",
     "debug-tracer",
     "web3",
-    "internal-public-eth",
-    "internal-public-blockchain",
-    "internal-public-transaction-pool",
-    "internal-public-tx-pool",
-    "internal-public-debug",
-    "internal-private-debug",
-    "internal-public-account",
-    "internal-private-personal"
+    "internal-eth",
+    "internal-blockchain",
+    "internal-transaction",
+    "internal-tx-pool",
+    "internal-debug",
+    "internal-account",
+    "internal-personal"
   ],
 }
 ```