ava-labs / avalanchego

Go implementation of an Avalanche node.
https://avax.network
BSD 3-Clause "New" or "Revised" License

Can not run docker under nobody:nogroup user because staking key/cert can't be created #949

Closed lcgogo closed 11 months ago

lcgogo commented 2 years ago

Describe the bug: I want to run avalanchego under nobody:nogroup in Docker. But the staking key/cert is always created by avalanchego automatically under /home, even after adding the --staking-enabled false option.

```bash
VER=1.6.5
docker run -it --name avalanchego-${VER} \
  --user nobody:nogroup \
  -v /data/avalanchego:/data/avalanchego \
  -p 9650:9650 -p 9651:9651 \
  avaplatform/avalanchego:v${VER} \
  /avalanchego/build/avalanchego \
  --db-dir /data/avalanchego \
  --chain-config-dir /data/avalanchego \
  --subnet-config-dir /data/avalanchego \
  --staking-enabled false --http-host 0.0.0.0
```

```
couldn't load node config: couldn't generate staking key/cert: couldn't create path for cert: mkdir /nonexistent: permission denied
```


Screenshots: a screenshot of the error dated 2021-11-12, 12:17:20 PM (image not included).

Operating System: Ubuntu 20.04

Additional context: I think we need an option to define homeDir instead of $HOME in config/flags.go, and likewise for db-dir and chain-config-dir.

```go
// Results of parsing the CLI (excerpt from config/flags.go; the var block is
// closed here so the fragment is syntactically complete)
var (
        defaultNetworkName     = constants.MainnetName
        // homeDir comes straight from $HOME, which is unwritable (or empty)
        // for users like nobody or an arbitrary container UID
        homeDir                = os.ExpandEnv("$HOME")
        prefixedAppName        = fmt.Sprintf(".%s", constants.AppName)
        // every default path below is derived from this directory
        defaultDataDir         = filepath.Join(homeDir, prefixedAppName)
)
```


ceyonur commented 2 years ago

You can create a key in memory (not persisted) with staking-ephemeral-cert-enabled; it would create a different cert in each run. Thanks for the feedback, we will look into this further. It's also strongly disadvised to use staking-enabled=false for mainnet.

charly37 commented 2 years ago

Similar issue here. This prevents Avalanche from running in some Kubernetes distributions like OpenShift, which assign a random (non-root) user when starting a container:

```
PS C:\Code> docker run --user 1005:1005 avax
couldn't load node config: couldn't generate staking key/cert: couldn't create path for cert: mkdir /.avalanchego: permission denied
```

I tried to give you a way to reproduce:

Run the "base image" you use in your Dockerfile, "golang:1.17.1-buster" (https://github.com/ava-labs/avalanchego/blob/beb7ef948871748ccc4e560d156bc8c4610d62c7/scripts/local.Dockerfile#L13), with a random user (I put 1000):

```bash
docker run -it --user 1000:1000 golang:1.17.1-buster bash
```

Then you will be in this container and can install Avalanche (I simply use the latest delivery):

```bash
mkdir /avax
cd /avax
curl -O -L https://github.com/ava-labs/avalanchego/releases/download/v1.6.5/avalanchego-linux-amd64-v1.6.5.tar.gz
ls -all
tar -xvf avalanchego-linux-amd64-v1.6.5.tar.gz
```

Then start Avalanche:

```
./avalanchego-v1.6.5/avalanchego
couldn't load node config: couldn't generate staking key/cert: couldn't create path for cert: mkdir /.avalanchego: permission denied
```

I would suggest not relying on "home" but rather on the current folder, with everything on relative paths, or a parameter to specify a "main" folder like --path, because it seems a lot of options already have a default folder that tries to write to /:

```
--chain-config-dir string      Chain specific configurations parent directory. Defaults to $HOME/.avalanchego/configs/chains/ (default "/.avalanchego/configs/chains")
--db-dir string                Path to database directory (default "/.avalanchego/db")
--staking-tls-cert-file string Path to the TLS certificate for staking (default "/.avalanchego/staking/staker.crt")
--staking-tls-key-file string  Path to the TLS private key for staking (default "/.avalanchego/staking/staker.key")
--subnet-config-dir string     Subnet specific configurations parent directory. Defaults to $HOME/.avalanchego/configs/subnets/ (default "/.avalanchego/configs/subnets")
```

It would be easier for users to have an option to fix a "base" path (my 2 cents).
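The failure in this thread comes from computing every default path from `$HOME` (see the `config/flags.go` excerpt above) and then trying to create directories under it, which under `--user nobody:nogroup` or an OpenShift-style random UID means writing to `/nonexistent` or `/`. The following is an added example, not avalanchego's own code, of the pattern charly37 is asking for: an explicit base-path flag always wins, and the home-derived default is only used after the home directory has been probed for writability, so the node fails with an actionable message instead of a `mkdir` permission error. The function names `resolveDataDir` and `checkWritableDir` and the `AVALANCHEGO_DATA_DIR` environment variable are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// resolveDataDir picks the node's base directory (hypothetical helper, not
// avalanchego's own). An explicit flag value always wins. Otherwise the
// $HOME-derived default is used only when that home directory exists and is
// writable by the current user; a "nobody" user usually has HOME=/nonexistent
// and an arbitrary container UID often has HOME empty, both of which would
// otherwise silently turn into "/.avalanchego".
func resolveDataDir(flagValue, home string) (string, error) {
	if flagValue != "" {
		return filepath.Clean(flagValue), nil
	}
	if home == "" {
		return "", errors.New("HOME is unset; pass an explicit data directory")
	}
	if err := checkWritableDir(home); err != nil {
		return "", fmt.Errorf("default data dir would live under %q: %w; pass an explicit data directory", home, err)
	}
	return filepath.Join(home, ".avalanchego"), nil
}

// checkWritableDir probes dir by creating and removing a temporary file.
// This catches both "does not exist" and "exists but not writable by this
// UID", which a plain os.Stat would not distinguish from a usable directory.
func checkWritableDir(dir string) error {
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	f, err := os.CreateTemp(dir, ".write-probe-*")
	if err != nil {
		return err
	}
	name := f.Name()
	f.Close()
	return os.Remove(name)
}

func main() {
	// AVALANCHEGO_DATA_DIR stands in for a --data-dir style flag (assumed name).
	dir, err := resolveDataDir(os.Getenv("AVALANCHEGO_DATA_DIR"), os.Getenv("HOME"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println("data dir:", dir)
}
```

Run as `AVALANCHEGO_DATA_DIR=/data/avalanchego go run .` and the explicit path is used regardless of HOME; run as `HOME=/nonexistent go run .` with the variable unset and the process exits with a message naming the unusable home directory rather than attempting `mkdir /nonexistent`.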

charly37 commented 2 years ago

> You can create a key in memory (not persisted) with staking-ephemeral-cert-enabled, it would create a different cert in each run. Thanks for the feedback, we will look into this further. It's also strongly dis-advised to use staking-enabled=false for mainnet.

In-memory is a solution, but if the Docker container dies you lose the information, whereas if you use a file you can mount it as a volume and thus reattach it to another container to provide a redundancy/failover solution (not sure if it makes sense; I do not know enough about the process behind it).

panbhatt commented 1 year ago

Never ever try the --staking-enabled option set to false on MAINNET. It renders the complete OS useless and any Avalanche binary will not work on that system. Tried this:

```
./avalanchego --http-host=0.0.0.0 --log-dir=./datadir --db-dir=./datadir --staking-enabled false
```

NO OUTPUT / NO LOGS, the process simply won't do anything.

So I killed the process and this time ran with:

```
./avalanchego --http-host=0.0.0.0 --log-dir=./datadir --db-dir=./datadir
```

Again, nothing happens.

Deleted the entire directory and the .avalanchego directory in the HOME dir. Tried restarting; nothing happens. Downloaded a fresh new binary on the system (DEBIAN) -> NOTHING HAPPENS again, no logs and nothing.

github-actions[bot] commented 1 year ago

This issue has become stale because it has been open 60 days with no activity. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.

StephenButtolph commented 11 months ago

> It would be more easy for users to have an option to fix a "base" path

avalanchego supports this now with the --data-dir flag.