Skip to content

added entrypoint as root to update dirs perms #1799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sam0x17 merged 4 commits into from
Jul 1, 2025
Merged

added entrypoint as root to update dirs perms #1799

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2a856fd
added entrypoint as root to update dirs perms
l0r1s Jun 30, 2025
77f9f9f
handle both types of args --foo=bar and --foo=bar for overrided base-…
l0r1s Jun 30, 2025
8920446
fix the default as /data for base path
l0r1s Jun 30, 2025
839d7cb
Merge branch 'devnet-ready' into fix/docker-perms
l0r1s Jul 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 27 additions & 5 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,10 @@ FROM ${BASE_IMAGE} AS subtensor
# ---- security hardening: create least-privilege user ----
RUN addgroup --system --gid 10001 subtensor && \
adduser --system --uid 10001 --gid 10001 --home /home/subtensor --disabled-password subtensor

# Install gosu for privilege dropping
RUN apt-get update && apt-get install -y gosu && \
rm -rf /var/lib/apt/lists/*

# Writable data directory to be used as --base-path
RUN mkdir -p /data && chown -R subtensor:subtensor /data
Expand All @@ -61,10 +65,17 @@ COPY --chown=subtensor:subtensor --from=prod_builder /build/chainspecs/*.json ./
COPY --from=prod_builder /build/target/production/node-subtensor /usr/local/bin/
RUN chown subtensor:subtensor /usr/local/bin/node-subtensor

# Copy and prepare entrypoint
COPY ./scripts/docker_entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

EXPOSE 30333 9933 9944
USER subtensor
ENTRYPOINT ["node-subtensor"]
CMD ["--base-path","/data"]

# Run entrypoint as root to handle permissions, then drop to subtensor user
# in the script
USER root
ENTRYPOINT ["/entrypoint.sh"]
CMD ["--base-path", "/data"]

###############################################################################
# ---------- 4. Local build stage --------------------------------------------
Expand All @@ -84,6 +95,10 @@ FROM ${BASE_IMAGE} AS subtensor-local
RUN addgroup --system --gid 10001 subtensor && \
adduser --system --uid 10001 --gid 10001 --home /home/subtensor --disabled-password subtensor

# Install gosu for privilege dropping
RUN apt-get update && apt-get install -y gosu && \
rm -rf /var/lib/apt/lists/*

RUN mkdir -p /data && chown -R subtensor:subtensor /data
WORKDIR /home/subtensor

Expand All @@ -93,11 +108,18 @@ COPY --chown=subtensor:subtensor --from=local_builder /build/chainspecs/*.json .
COPY --from=local_builder /build/target/release/node-subtensor /usr/local/bin/
RUN chown subtensor:subtensor /usr/local/bin/node-subtensor

# Copy and prepare entrypoint
COPY ./scripts/docker_entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Generate a local chainspec for convenience (run as root before user switch)
RUN node-subtensor build-spec --disable-default-bootnode --raw --chain local > /localnet.json \
&& chown subtensor:subtensor /localnet.json

EXPOSE 30333 9933 9944
USER subtensor
ENTRYPOINT ["node-subtensor"]

# Run entrypoint as root to handle permissions, then drop to subtensor user
# in the script
USER root
ENTRYPOINT ["/entrypoint.sh"]
CMD ["--base-path","/data","--chain","/localnet.json"]
56 changes: 56 additions & 0 deletions scripts/docker_entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
#!/bin/sh
set -e

# Store original arguments to pass to the final exec call
original_args="$@"

# Set default values
base_path='/data'
chain_spec=''

# Parse arguments to find the real --base-path and --chain, handles both
# --key value and --key=value formats.
while [ $# -gt 0 ]; do
case "$1" in
--base-path)
# Check if the next argument exists and is not another option
if [ -n "$2" ] && ! expr "$2" : '--' > /dev/null; then
base_path="$2"
shift
fi
;;
--base-path=*)
base_path="${1#*=}"
;;
--chain)
# Check if the next argument exists and is not another option
if [ -n "$2" ] && ! expr "$2" : '--' > /dev/null; then
chain_spec="$2"
shift
fi
;;
--chain=*)
chain_spec="${1#*=}"
;;
esac
shift
done

echo "entrypoint: ensuring permissions for base path: ${base_path}"
mkdir -p "$base_path"
chown -R subtensor:subtensor "$base_path"

# Check if a chain spec was provided and if it's an existing file
if [ -n "$chain_spec" ] && [ -f "$chain_spec" ]; then
echo "entrypoint: ensuring permissions for chain spec: ${chain_spec}"
chown subtensor:subtensor "$chain_spec"
fi

# Also check for the hardcoded /tmp/blockchain directory
if [ -d "/tmp/blockchain" ]; then
chown -R subtensor:subtensor /tmp/blockchain
fi

# Execute node-subtensor with the original, unmodified arguments
echo "executing: gosu subtensor node-subtensor $original_args"
exec gosu subtensor node-subtensor $original_args
Loading