Added bitcoind container 'user' parameter #1987

Merged
merged 5 commits into from
Jan 7, 2025
1 change: 1 addition & 0 deletions bitcoin-knots/docker-compose.yml
@@ -1,4 +1,4 @@
version: "3.7"

Check notice on line 1 in bitcoin-knots/docker-compose.yml (GitHub Actions / Lint apps): Potentially using unsafe user in service "server"
The default container user "root" can lead to security vulnerabilities. If you are using the root user, please try to specify a different user (e.g. "1000:1000") in the compose file or try to set the UID/PUID and GID/PGID environment variables to 1000.

services:
app_proxy:
@@ -45,12 +45,13 @@

bitcoind:
image: ghcr.io/retropex/bitcoin:v27.1@sha256:58553f26a73be8aed2c318e49fbbd3dc16e4e6158e4d75a59fcb42a2ce104e97
user: "1000:1000"
command: "${APP_BITCOIN_KNOTS_COMMAND}"
restart: unless-stopped

Check warning on line 50 in bitcoin-knots/docker-compose.yml (GitHub Actions / Lint apps): Invalid restart policy
The restart policy of the container "bitcoind" should be set to "on-failure".
stop_grace_period: 15m30s
volumes:
- "${APP_BITCOIN_KNOTS_DATA_DIR}:/data/.bitcoin"
ports:

Check notice on line 54 in bitcoin-knots/docker-compose.yml (GitHub Actions / Lint apps): External port mapping "${APP_BITCOIN_KNOTS_P2P_PORT}:${APP_BITCOIN_KNOTS_INTERNAL_P2P_PORT}"
Check notice on line 54 in bitcoin-knots/docker-compose.yml (GitHub Actions / Lint apps): External port mapping "${APP_BITCOIN_KNOTS_RPC_PORT}:${APP_BITCOIN_KNOTS_INTERNAL_RPC_PORT}"
Both notices carry the same message: Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.).
- "${APP_BITCOIN_KNOTS_P2P_PORT}:${APP_BITCOIN_KNOTS_INTERNAL_P2P_PORT}"
- "${APP_BITCOIN_KNOTS_RPC_PORT}:${APP_BITCOIN_KNOTS_INTERNAL_RPC_PORT}"
networks:
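Review bot: the added `user: "1000:1000"` on the bitcoind service is hard-coded, so it has to stay in lockstep with the `chown -R 1000:1000` in hooks/pre-start and with the `1000:1000` the tor service already uses; a mismatch would leave bitcoind unable to write `/data/.bitcoin`, and under `restart: unless-stopped` it would crash-loop rather than surface a clear error. A one-line comment next to the user line saying the UID/GID is mirrored in the pre-start hook would prevent the two drifting apart. Separately, the linter's "Invalid restart policy" warning on this same service pre-dates the change; switching to `on-failure` to match the tor service could be done here or in a follow-up.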
@@ -61,7 +62,7 @@
image: getumbrel/tor:0.4.7.8@sha256:2ace83f22501f58857fa9b403009f595137fa2e7986c4fda79d82a8119072b6a
user: "1000:1000"
restart: on-failure
volumes:

Check notice on line 65 in bitcoin-knots/docker-compose.yml (GitHub Actions / Lint apps): Mounted file/directory "/bitcoin-knots/torrc" doesn't exist
The volume "${APP_DATA_DIR}/torrc:/etc/tor/torrc:ro" tries to mount the file/directory "/bitcoin-knots/torrc", but it is not present. This can lead to permission errors!
- ${APP_DATA_DIR}/torrc:/etc/tor/torrc:ro
- ${TOR_DATA_DIR}:/data
environment:
@@ -72,7 +73,7 @@

i2pd_daemon:
image: purplei2p/i2pd:release-2.44.0@sha256:d154a599793c393cf9c91f8549ba7ece0bb40e5728e1813aa6dd4c210aa606f6
user: "root"

Check notice on line 76 in bitcoin-knots/docker-compose.yml (GitHub Actions / Lint apps): Using unsafe user "root" in service "i2pd_daemon"
The user "root" can lead to security vulnerabilities. If possible please use a non-root user instead.
command: --sam.enabled=true --sam.address=0.0.0.0 --sam.port=7656 --loglevel=error
restart: on-failure
volumes:
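Review bot: `i2pd_daemon` still runs with `user: "root"` (unchanged context in this hunk, and flagged by the linter as an unsafe user) while this PR drops root for bitcoind. If the i2pd image can run under a non-root UID, the same `1000:1000` plus a matching ownership fix for its data volume in pre-start would complete the least-privilege work this PR starts. Fine as a follow-up, but worth recording in the PR description so it is not forgotten.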
1 change: 0 additions & 1 deletion bitcoin-knots/exports.sh
@@ -155,7 +155,6 @@ for var in \
RPC_AUTH \
INTERNAL_RPC_PORT \
INTERNAL_P2P_PORT \
INTERNAL_tor_PORT \
COMMAND \
RPC_HIDDEN_SERVICE \
P2P_HIDDEN_SERVICE \
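Review bot: on the removal of `INTERNAL_tor_PORT \` from the export list, nothing in this diff shows a consumer of that variable, and the mixed-case name suggests it was a typo that never matched anything the app reads. Please confirm with a grep across the compose file and hooks that no reference to the exported name remains before merging; an interpolated variable that silently becomes empty in a compose file is hard to spot at runtime.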
19 changes: 19 additions & 0 deletions bitcoin-knots/hooks/pre-start
@@ -1,5 +1,24 @@
#!/usr/bin/env bash

# Recursively chown the bitcoind data directory if this is an install impacted by the bitcoind container running as root.

APP_DIR="$(dirname "${BASH_SOURCE[0]}")/.."
BITCOIND_DATA_DIR="${APP_DIR}/data/bitcoin"
IS_BITCOIND_PERMISSIONS_SET="${APP_DIR}/data/IS_BITCOIND_PERMISSIONS_SET"

# If no blocks directory exists, we write out the file to indicate that this is a fresh install with correct permissions.
if [[ ! -d "${BITCOIND_DATA_DIR}/blocks" ]] && [[ ! -d "${BITCOIND_DATA_DIR}/testnet3/blocks" ]] && [[ ! -d "${BITCOIND_DATA_DIR}/signet/blocks" ]] && [[ ! -d "${BITCOIND_DATA_DIR}/regtest/blocks" ]]
then
touch "${IS_BITCOIND_PERMISSIONS_SET}"
fi

# If the file exists, we know that the permissions have already been set.
if [[ ! -f "${IS_BITCOIND_PERMISSIONS_SET}" ]]
then
chown -R 1000:1000 "${BITCOIND_DATA_DIR}"
touch "${IS_BITCOIND_PERMISSIONS_SET}"
fi

# Delay booting Bitcoin until the RPC and P2P Tor Hidden Services are ready

HIDDEN_SERVICE_FILE="${TOR_DATA_DIR}/app-${APP_ID}-rpc/hostname"
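Review bot: in the second block, `touch "${IS_BITCOIND_PERMISSIONS_SET}"` runs unconditionally after `chown -R`, so if the chown fails partway (the script has no `set -e`) the marker is still written and the ownership fix is never retried; bitcoind, now running as 1000:1000, would then fail on files still owned by root. Suggest `chown -R 1000:1000 "${BITCOIND_DATA_DIR}" && touch "${IS_BITCOIND_PERMISSIONS_SET}"`, or `set -euo pipefail` at the top of the hook. Two smaller points: the fresh-install check only looks for `blocks` under mainnet, `testnet3`, `signet` and `regtest`, so a datadir populated for any other network would be treated as fresh and skip the chown; and a recursive chown over a full mainnet datadir is a one-time but potentially long step, so a log line before it would tell users why the first start after upgrade is slow. Also confirm that `${APP_DIR}/data/bitcoin` is the same path the compose file mounts as `${APP_BITCOIN_KNOTS_DATA_DIR}`, since the hook and the container must agree on which tree gets re-owned.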
5 changes: 3 additions & 2 deletions bitcoin-knots/umbrel-app.yml
@@ -4,7 +4,7 @@ implements:
- bitcoin
category: bitcoin
name: Bitcoin Knots
version: "27.1.2-swappable.3"
version: "27.1.2-swappable.4"
tagline: Run your personal node powered by Bitcoin Knots
description: >-
Take control of your digital sovereignty by running a Bitcoin node that aligns with your needs and preferences.
@@ -25,7 +25,8 @@ gallery:
path: ""
defaultPassword: ""
releaseNotes: >-
Important bug fixes.
This release fixes a bug that prevented some apps from connecting to Bitcoin Knots.


**🔔 And in case you missed it:**

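Review bot: the new release note ("fixes a bug that prevented some apps from connecting to Bitcoin Knots") leaves out what this PR actually changes: bitcoind now runs as `1000:1000` instead of root, and existing installs get a one-time recursive ownership change of the data directory at the next start. Users with a large chain will see a slower first start, and anyone with tooling that touches the datadir directly will notice the ownership change, so a sentence on both belongs in the release notes.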