Merge pull request #402 from logos-blockchain/arjentix/fix-docker-permissions

Use docker volumes and cache docker Rust builds

.dockerignore

@@ -26,11 +26,20 @@ Thumbs.db
 ci_scripts/
 
 # Documentation
+docs/
 *.md
 !README.md
 
-# Configs (copy selectively if needed)
+# Non-build project files
+completions/
 configs/
-
-# License
+Justfile
+clippy.toml
+rustfmt.toml
+flake.nix
+flake.lock
 LICENSE
+
+# Docker compose files (not needed inside build)
+docker-compose*.yml
+**/docker-compose*.yml

docker-compose.override.yml

@@ -11,17 +11,17 @@ services:
     depends_on:
       - logos-blockchain-node-0
       - indexer_service
-    volumes: !override
-      - ./configs/docker-all-in-one/sequencer:/etc/sequencer_service
+    volumes:
+      - ./configs/docker-all-in-one/sequencer_config.json:/etc/sequencer_service/sequencer_config.json
 
   indexer_service:
     depends_on:
       - logos-blockchain-node-0
     volumes:
-      - ./configs/docker-all-in-one/indexer/indexer_config.json:/etc/indexer_service/indexer_config.json
+      - ./configs/docker-all-in-one/indexer_config.json:/etc/indexer_service/indexer_config.json
 
   explorer_service:
     depends_on:
       - indexer_service
     environment:
-      - INDEXER_RPC_URL=http://indexer_service:8779
+      - INDEXER_RPC_URL=http://indexer_service:8779

explorer_service/Dockerfile

@@ -22,7 +22,13 @@ WORKDIR /explorer_service
 COPY . .
 
 # Build the app
-RUN cargo leptos build --release -vv
+RUN --mount=type=cache,target=/usr/local/cargo/registry/index \
+    --mount=type=cache,target=/usr/local/cargo/registry/cache \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/explorer_service/target \
+    cargo leptos build --release -vv \
+    && cp /explorer_service/target/release/explorer_service /usr/local/bin/explorer_service \
+    && cp -r /explorer_service/target/site /explorer_service/site_output
 
 FROM debian:trixie-slim AS runtime
 WORKDIR /explorer_service
@@ -33,10 +39,10 @@ RUN apt-get update -y \
   && rm -rf /var/lib/apt/lists/*
 
 # Copy the server binary to the /explorer_service directory
-COPY --from=builder /explorer_service/target/release/explorer_service /explorer_service/
+COPY --from=builder /usr/local/bin/explorer_service /explorer_service/
 
 # /target/site contains our JS/WASM/CSS, etc.
-COPY --from=builder /explorer_service/target/site /explorer_service/site
+COPY --from=builder /explorer_service/site_output /explorer_service/site
 
 # Copy Cargo.toml as it’s needed at runtime
 COPY --from=builder /explorer_service/Cargo.toml /explorer_service/

indexer/service/Dockerfile

@@ -51,32 +51,34 @@ RUN cargo chef prepare --bin indexer_service --recipe-path recipe.json
 FROM chef AS builder
 COPY --from=planner /indexer_service/recipe.json recipe.json
 # Build dependencies only (this layer will be cached)
-RUN cargo chef cook --bin indexer_service --release --recipe-path recipe.json
+RUN --mount=type=cache,target=/usr/local/cargo/registry/index \
+    --mount=type=cache,target=/usr/local/cargo/registry/cache \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/indexer_service/target \
+    cargo chef cook --bin indexer_service --release --recipe-path recipe.json
 
 # Copy source code
 COPY . .
 
-# Build the actual application
-RUN cargo build --release --bin indexer_service
-
-# Strip debug symbols to reduce binary size
-RUN strip /indexer_service/target/release/indexer_service
+# Build the actual application and copy the binary out of the cache mount
+RUN --mount=type=cache,target=/usr/local/cargo/registry/index \
+    --mount=type=cache,target=/usr/local/cargo/registry/cache \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/indexer_service/target \
+    cargo build --release --bin indexer_service \
+    && strip /indexer_service/target/release/indexer_service \
+    && cp /indexer_service/target/release/indexer_service /usr/local/bin/indexer_service
 
 # Runtime stage - minimal image
 FROM debian:trixie-slim
 
-# Install runtime dependencies
-RUN apt-get update \
- && apt-get install -y gosu jq \
- && rm -rf /var/lib/apt/lists/*
-
 # Create non-root user for security
 RUN useradd -m -u 1000 -s /bin/bash indexer_service_user && \
-    mkdir -p /indexer_service /etc/indexer_service && \
-    chown -R indexer_service_user:indexer_service_user /indexer_service /etc/indexer_service
+    mkdir -p /indexer_service /etc/indexer_service /var/lib/indexer_service && \
+    chown -R indexer_service_user:indexer_service_user /indexer_service /etc/indexer_service /var/lib/indexer_service
 
 # Copy binary from builder
-COPY --from=builder --chown=indexer_service_user:indexer_service_user /indexer_service/target/release/indexer_service /usr/local/bin/indexer_service
+COPY --from=builder --chown=indexer_service_user:indexer_service_user /usr/local/bin/indexer_service /usr/local/bin/indexer_service
 
 # Copy r0vm binary from builder
 COPY --from=builder --chown=indexer_service_user:indexer_service_user /usr/local/bin/r0vm /usr/local/bin/r0vm
@@ -84,9 +86,7 @@ COPY --from=builder --chown=indexer_service_user:indexer_service_user /usr/local
 # Copy logos blockchain circuits from builder
 COPY --from=builder --chown=indexer_service_user:indexer_service_user /root/.logos-blockchain-circuits /home/indexer_service_user/.logos-blockchain-circuits
 
-# Copy entrypoint script
-COPY indexer/service/docker-entrypoint.sh /docker-entrypoint.sh
-RUN chmod +x /docker-entrypoint.sh
+VOLUME /var/lib/indexer_service
 
 # Expose default port
 EXPOSE 8779
@@ -105,9 +105,7 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 # Run the application
 ENV RUST_LOG=info
 
-USER root
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
+USER indexer_service_user
 
 WORKDIR /indexer_service
 CMD ["indexer_service", "/etc/indexer_service/indexer_config.json"]

indexer/service/docker-compose.yml

@@ -10,5 +10,8 @@ services:
     volumes:
       # Mount configuration
       - ./configs/indexer_config.json:/etc/indexer_service/indexer_config.json
-      # Mount data folder
-      - ./data:/var/lib/indexer_service
+      # Mount data volume
+      - indexer_data:/var/lib/indexer_service
+
+volumes:
+  indexer_data:

indexer/service/docker-entrypoint.sh

@@ -1,29 +0,0 @@
-#!/bin/sh
-
-# This is an entrypoint script for the indexer_service Docker container,
-# it's not meant to be executed outside of the container.
-
-set -e
-
-CONFIG="/etc/indexer_service/indexer_config.json"
-
-# Check config file exists
-if [ ! -f "$CONFIG" ]; then
-  echo "Config file not found: $CONFIG" >&2
-  exit 1
-fi
-
-# Parse home dir
-HOME_DIR=$(jq -r '.home' "$CONFIG")
-
-if [ -z "$HOME_DIR" ] || [ "$HOME_DIR" = "null" ]; then
-  echo "'home' key missing in config" >&2
-  exit 1
-fi
-
-# Give permissions to the data directory and switch to non-root user
-if [ "$(id -u)" = "0" ]; then
-  mkdir -p "$HOME_DIR"
-  chown -R indexer_service_user:indexer_service_user "$HOME_DIR"
-  exec gosu indexer_service_user "$@"
-fi

sequencer/service/Dockerfile

@@ -26,7 +26,7 @@ RUN ARCH=$(uname -m); \
     else \
         echo "Using manual build for $ARCH"; \
         git clone --depth 1 --branch release-3.0 https://github.com/risc0/risc0.git; \
-        git clone --depth 1 --branch r0.1.94.0 https://github.com/risc0/rust.git; \
+        git clone --depth 1 --branch r0.1.91.0 https://github.com/risc0/rust.git; \
         cd /risc0; \
         cargo install --path rzup; \
         rzup build --path /rust rust --verbose; \
@@ -55,7 +55,11 @@ FROM chef AS builder
 ARG STANDALONE
 COPY --from=planner /sequencer_service/recipe.json recipe.json
 # Build dependencies only (this layer will be cached)
-RUN if [ "$STANDALONE" = "true" ]; then \
+RUN --mount=type=cache,target=/usr/local/cargo/registry/index \
+    --mount=type=cache,target=/usr/local/cargo/registry/cache \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/sequencer_service/target \
+    if [ "$STANDALONE" = "true" ]; then \
       cargo chef cook --bin sequencer_service --features standalone --release --recipe-path recipe.json; \
     else \
       cargo chef cook --bin sequencer_service --release --recipe-path recipe.json; \
@@ -64,31 +68,29 @@ RUN if [ "$STANDALONE" = "true" ]; then \
 # Copy source code
 COPY . .
 
-# Build the actual application
-RUN if [ "$STANDALONE" = "true" ]; then \
+# Build the actual application and copy the binary out of the cache mount
+RUN --mount=type=cache,target=/usr/local/cargo/registry/index \
+    --mount=type=cache,target=/usr/local/cargo/registry/cache \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/sequencer_service/target \
+    if [ "$STANDALONE" = "true" ]; then \
       cargo build --release --features standalone --bin sequencer_service; \
     else \
       cargo build --release --bin sequencer_service; \
-    fi
-
-# Strip debug symbols to reduce binary size
-RUN strip /sequencer_service/target/release/sequencer_service
+    fi \
+    && strip /sequencer_service/target/release/sequencer_service \
+    && cp /sequencer_service/target/release/sequencer_service /usr/local/bin/sequencer_service
 
 # Runtime stage - minimal image
 FROM debian:trixie-slim
 
-# Install runtime dependencies
-RUN apt-get update \
- && apt-get install -y gosu jq \
- && rm -rf /var/lib/apt/lists/*
-
 # Create non-root user for security
 RUN useradd -m -u 1000 -s /bin/bash sequencer_user && \
-    mkdir -p /sequencer_service /etc/sequencer_service && \
-    chown -R sequencer_user:sequencer_user /sequencer_service /etc/sequencer_service
+    mkdir -p /sequencer_service /etc/sequencer_service /var/lib/sequencer_service && \
+    chown -R sequencer_user:sequencer_user /sequencer_service /etc/sequencer_service /var/lib/sequencer_service
 
 # Copy binary from builder
-COPY --from=builder --chown=sequencer_user:sequencer_user /sequencer_service/target/release/sequencer_service /usr/local/bin/sequencer_service
+COPY --from=builder --chown=sequencer_user:sequencer_user /usr/local/bin/sequencer_service /usr/local/bin/sequencer_service
 
 # Copy r0vm binary from builder
 COPY --from=builder --chown=sequencer_user:sequencer_user /usr/local/bin/r0vm /usr/local/bin/r0vm
@@ -96,9 +98,7 @@ COPY --from=builder --chown=sequencer_user:sequencer_user /usr/local/bin/r0vm /u
 # Copy logos blockchain circuits from builder
 COPY --from=builder --chown=sequencer_user:sequencer_user /root/.logos-blockchain-circuits /home/sequencer_user/.logos-blockchain-circuits
 
-# Copy entrypoint script
-COPY sequencer/service/docker-entrypoint.sh /docker-entrypoint.sh
-RUN chmod +x /docker-entrypoint.sh
+VOLUME /var/lib/sequencer_service
 
 # Expose default port
 EXPOSE 3040
@@ -120,9 +120,7 @@ ENV RUST_LOG=info
 # Set explicit location for r0vm binary
 ENV RISC0_SERVER_PATH=/usr/local/bin/r0vm
 
-USER root
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
+USER sequencer_user
 
 WORKDIR /sequencer_service
 CMD ["sequencer_service", "/etc/sequencer_service/sequencer_config.json"]

sequencer/service/docker-compose.yml

@@ -10,5 +10,8 @@ services:
     volumes:
       # Mount configuration file
       - ./configs/docker/sequencer_config.json:/etc/sequencer_service/sequencer_config.json
-      # Mount data folder
-      - ./data:/var/lib/sequencer_service
+      # Mount data volume
+      - sequencer_data:/var/lib/sequencer_service
+
+volumes:
+  sequencer_data:

sequencer/service/docker-entrypoint.sh

@@ -1,29 +0,0 @@
-#!/bin/sh
-
-# This is an entrypoint script for the sequencer_service Docker container,
-# it's not meant to be executed outside of the container.
-
-set -e
-
-CONFIG="/etc/sequencer/service/sequencer_config.json"
-
-# Check config file exists
-if [ ! -f "$CONFIG" ]; then
-  echo "Config file not found: $CONFIG" >&2
-  exit 1
-fi
-
-# Parse home dir
-HOME_DIR=$(jq -r '.home' "$CONFIG")
-
-if [ -z "$HOME_DIR" ] || [ "$HOME_DIR" = "null" ]; then
-  echo "'home' key missing in config" >&2
-  exit 1
-fi
-
-# Give permissions to the data directory and switch to non-root user
-if [ "$(id -u)" = "0" ]; then
-  mkdir -p "$HOME_DIR"
-  chown -R sequencer_user:sequencer_user "$HOME_DIR"
-  exec gosu sequencer_user "$@"
-fi