Closed jorgecuesta closed 2 months ago
@okdas Please review this when you're back in office next week and see if any of the learnings / suggestions can transfer over to #495 which we should pick up then as well.
(Reviewed this on Geomesh branch as well), looks good to me.
@okdas PTAL
Re-running to make sure this passes but otherwise lgtm:
@Olshansk it is not going to pass because the origin of the PR is a branch from the `pokt-scan` organization, which doesn't have permissions to push to our container registry.
@okdas Appreciate the context. What do you recommend as the solution here?
For example:
I understand the risk is low but just looking to you to make a call here.
@Olshansk the workaround would be to open a new PR under the `pokt-network` org, but I don't think we need to do that and should proceed with merging as is. The CI job seems to be failing on the very last step - and the image itself is built successfully.
THIS PR INCLUDES BREAKING CHANGES
`app` user instead of `root`
Why?
A few Geo-Mesh users reported to POKTscan an issue with the new image after we adopted the one in the pokt-network/pocket-core repository on the latest RC.
They report that this image is using `root` as the user, which is recommended to be avoided. There are a lot of blogs and documentation about this; here is one of them from a well-known Docker image user/company.
Also, we detected a few things that could be enhanced in both the entry point and the Docker context.
The problem with having a public image using root right now is that the pocket binary generates folders and files that now belong to the `root` user, so they will need to modify those permissions to belong to the proper `app` user and group. For this, I added another optional entry point that could be used once to fix the permission issue and then start the container as before.
Here you can see how to use it with docker-compose or docker
Changes:
- `app` user instead of `root`.
- `entrypoint.sh` allows the user to run all its internal commands with the proper `--datadir` param. It now properly handles the start command when `--keybase=false` is sent. It also allows the user to pass the `--datadir` as an env variable to omit it on the start command.
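
An added example (not code from this PR or from pocket-core): a pre-flight check an entry point could run before starting as the non-root user, resolving the data directory from `--datadir` or an env variable and counting entries still owned by someone else. `POCKET_DATADIR`, `APP_UID` and `APP_GID` are hypothetical names, and accepting both `--datadir=PATH` and `--datadir PATH` is an assumption.

```shell
#!/bin/sh
# Added illustration; not the entrypoint.sh from this PR.
# POCKET_DATADIR, APP_UID and APP_GID are hypothetical names.

# resolve_datadir ARGS...
# Prints the data directory: an explicit --datadir flag wins, otherwise the
# POCKET_DATADIR env variable is used. Prints nothing if neither is set.
resolve_datadir() {
    rd_next=0
    for rd_arg in "$@"; do
        if [ "$rd_next" -eq 1 ]; then printf '%s\n' "$rd_arg"; return 0; fi
        case "$rd_arg" in
            --datadir=*) printf '%s\n' "${rd_arg#--datadir=}"; return 0 ;;
            --datadir)   rd_next=1 ;;
        esac
    done
    if [ -n "${POCKET_DATADIR:-}" ]; then printf '%s\n' "$POCKET_DATADIR"; fi
    return 0
}

# count_foreign_owned DIR UID GID
# Prints how many entries under DIR are not owned by UID:GID, i.e. what a
# one-time ownership fix still has to chown before a non-root container
# can write there. Numeric ids are passed to find's -user/-group tests.
count_foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -exec printf . \; | wc -c | tr -d ' '
}

# preflight ARGS...
# Returns 0 if the node may start as the app user, 1 if root-owned (or other
# foreign-owned) entries remain, 2 if no data directory was given.
preflight() {
    pf_dir=$(resolve_datadir "$@")
    if [ -z "$pf_dir" ]; then echo "no datadir given" >&2; return 2; fi
    if [ ! -d "$pf_dir" ]; then return 0; fi   # nothing created yet
    pf_n=$(count_foreign_owned "$pf_dir" "${APP_UID:-$(id -u)}" "${APP_GID:-$(id -g)}")
    if [ "$pf_n" -eq 0 ]; then return 0; fi
    echo "$pf_n entries under $pf_dir need the one-time ownership fix" >&2
    return 1
}
```

A non-zero return from `preflight` is the signal to run the one-time permission fix before starting the container as the `app` user.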