Closed jimmysong closed 4 years ago
Hey Jimmy, thank you for your interest. A hasty/dirty Dockerfile I'm currently using might be something like this:
```dockerfile
FROM python:3.8
RUN apt-get update && apt-get install -y libusb-1.0-0-dev libudev-dev
WORKDIR /usr/src/app
ENV PYTHONUNBUFFERED 1
ENV PORT 8080
EXPOSE 8080
COPY requirements.txt .
RUN pip install -r requirements.txt
# specter-cloud stuff
RUN apt-get install -y vim apt-transport-https ca-certificates gnupg jq
#RUN pip install gsutil
RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
RUN curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
RUN apt-get update && apt-get install -y google-cloud-sdk fswatch
COPY ./specter_gcs.sh /usr/bin/specter_gcs.sh
ENV GOOGLE_APPLICATION_CREDENTIALS /usr/src/app/specter-cloud-zero.json
COPY . .
RUN pip install -e .
# Remark: The port is specified in GCR via the PORT env-var.
# This is already implemented in specter
# https://github.com/ahmetb/cloud-run-faq#how-do-i-make-my-web-application-compatible-with-cloud-run
CMD [ "python3", "-m" , "cryptoadvance.specter", "server", "--host=0.0.0.0" ]
```
The biggest no-go is that it's using root as a user. So clearly, this is not what we want to publish publicly. It's on my radar to have them with proper tags matching releases and maybe other bells and whistles.
What do you mean by "docker image with authentication"? One could mount the .specter-folder into the container and/or use a volume or ... ?
I just mean that the web interface should be customizable from the container setup, so listening on 0.0.0.0 instead of 127.0.0.1 and turning on login (using the rpc password).
Yes, listening on 0.0.0.0 is very reasonable for docker. That's easy to fulfill (see above CMD). However, the rpc-password is a thing which totally depends on the ~/.specter configuration. I guess that everyone who is using such a docker-image would probably mount the specter-folder into the container or create the setup he wants upfront as part of the spinup-process.
Have a look at raspiblitz-installation-script for such an example here: https://github.com/rootzoll/raspiblitz/blob/v1.6/home.admin/config.scripts/bonus.cryptoadvance-specter.sh#L100-L104
Having such a simple config by default is probably the best way for a docker image to behave.
Someone created a PR for a simple docker-compose-setup including Dockerfiles. See https://github.com/cryptoadvance/specter-desktop/pull/480/files Feel free to comment!
With compose file setup you can make it listen on any port including 0.0.0.0 if you got port forwarding from the container setup.
I got this setup running on my pine64 phone. Will share a compose file later
@nolim1t has created the excellent and slim and multi-arch docker-image-creation methods which we've forked here: https://github.com/cryptoadvance/docker-specter-desktop ... and where we already started to create images from: https://hub.docker.com/repository/docker/cryptoadvance/specter-desktop/general
We still need to integrate it into our release procedures and polish it a bit, but apart from that, I think this issue can be closed from a docker perspective. Still, the access might be open after startup, but I don't think that this is something which we should guarantee on the docker-layer. That is an issue which is also a problem without docker. So if someone starts specter with "--host 0.0.0.0" it's open by default. So maybe a flag would be better like "--access rpcpassword" which would change (if necessary) the authentication-method in the config.json.
@jimmysong what do you think?
Here's one of my docker compose files which runs a specter instance.
Basically binding specter to the docker IP and then forwarding the IP outbound to whatever interface you like .. which I chose 0.0.0.0 (because docker controls the networking) gets around the need for --host 0.0.0.0
(unless it's possible to do).
```yaml
version: '3.8'
services:
  bitcoin:
    image: lncm/bitcoind:v0.20.1
    container_name: bitcoin
    volumes:
      - ${PWD}/bitcoin:/root/yy.bitcoin
      - ${PWD}/bitcoin:/data/.bitcoin
      - ${PWD}/bitcoin:/data/bitcoin
    restart: unless-stopped
    ports:
      - "8333:8333"
      - "8332:8332"
    stop_grace_period: 20m30s
    networks:
      net:
        ipv4_address: 10.254.2.2
  lnd:
    image: lncm/lnd:v0.11.1-experimental
    container_name: lnd
    volumes:
      - ${PWD}/lnd:/data/.lnd
      - ${PWD}/lnd:/root/.lnd
      - ${PWD}/bitcoin:/data/.bitcoin
      - ${PWD}/bitcoin:/root/.bitcoin
    restart: unless-stopped
    ports:
      - "10009:10009"
    depends_on: [ tor ]
    stop_grace_period: 10m30s
    networks:
      net:
        ipv4_address: 10.254.2.3
  specter-desktop:
    image: lncm/specter-desktop:v0.8.1
    container_name: specter-desktop
    restart: unless-stopped
    command: --host 10.254.2.4
    ports:
      - "25441:25441"
    volumes:
      - ${PWD}/bitcoin:/data/.bitcoin
      - ${PWD}/specter:/data/.specter
      - /dev:/dev
      - /etc/udev:/etc/udev
    stop_grace_period: 2m30s
    networks:
      net:
        ipv4_address: 10.254.2.4
  tor:
    image: "lncm/tor:0.4.4.5"
    container_name: tor
    restart: unless-stopped
    ports:
      - "9090:9090"
      - "9050:29050"
      - "9051:29051"
    volumes:
      - "${PWD}/tor/torrc:/etc/tor/torrc"
      - "${PWD}/tor/data:/var/lib/tor/"
      - "${PWD}/tor/run:/var/run/tor/"
    networks:
      net:
        ipv4_address: 10.254.1.3
networks:
  net:
    ipam:
      driver: default
      config:
        - subnet: 10.254.0.0/16
```
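An added example, not part of the original thread or of the Specter project's code: a small audit of the short-syntax `ports:` entries from the compose file above, flagging every mapping that is not bound to a loopback host address. A mapping with no host IP is published on all host interfaces by default. The `SAMPLE_PORTS` dict is constructed from the entries in this post, and the `specter-local` entry is a hypothetical loopback-bound variant added for contrast.

```python
import ipaddress
import re

# Constructed sample: the "ports:" entries from the compose file above,
# plus one hypothetical loopback-bound entry for contrast.
SAMPLE_PORTS = {
    "bitcoin": ["8333:8333", "8332:8332"],
    "lnd": ["10009:10009"],
    "specter-desktop": ["25441:25441"],
    "tor": ["9090:9090", "9050:29050", "9051:29051"],
    "specter-local": ["127.0.0.1:25441:25441"],  # hypothetical hardened entry
}

# [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]; IPv6 host IPs are bracketed.
PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d+(?:-\d+)?)?:)?"
    r"(?P<container>\d+(?:-\d+)?)(?:/(?P<proto>tcp|udp|sctp))?$"
)


def parse_port(spec):
    """Return (host_ip, host_port, container_port, proto) for one entry."""
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    # With no HOST_IP, Docker publishes on all host interfaces by default.
    ip = (m["ip"] or "0.0.0.0").strip("[]")
    return ip, m["host"], m["container"], m["proto"] or "tcp"


def audit(ports_by_service):
    """List (service, spec, host_ip) for entries not bound to loopback."""
    findings = []
    for service, specs in ports_by_service.items():
        for spec in specs:
            ip, _host, _container, _proto = parse_port(spec)
            if not ipaddress.ip_address(ip).is_loopback:
                findings.append((service, spec, ip))
    return findings


if __name__ == "__main__":
    for service, spec, ip in audit(SAMPLE_PORTS):
        print(f"{service}: {spec!r} is published on {ip}; "
              f"prefix it with 127.0.0.1: to keep it host-local")
```
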
Happy to test it out in the next couple of weeks. Looks great!
I'll close this issue for now. Please feel free to reopen if anything is missing!
I would love to see a docker image with authentication for using Specter server. It already runs locally, so having the ability to customize it to connect to a locally running node would be great, as well.