From 400d25d54ab2fff71114975cf3f39bfbac8c0bb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Henry?= Date: Wed, 19 Apr 2017 15:32:27 +0200 Subject: [PATCH] Docker: do not export the RPC port by default. --- scripts/Dockerfile.binaries.in | 5 +--- scripts/alphanet.sh | 41 ++++++++++++++++++++++---------- scripts/docker_entrypoint.inc.sh | 18 ++++++++++---- 3 files changed, 42 insertions(+), 22 deletions(-) diff --git a/scripts/Dockerfile.binaries.in b/scripts/Dockerfile.binaries.in index d0c34f540..a78ea81b8 100644 --- a/scripts/Dockerfile.binaries.in +++ b/scripts/Dockerfile.binaries.in @@ -5,7 +5,7 @@ LABEL distro_style="apk" distro="alpine" distro_long="alpine-$alpine_version" ar RUN adduser -S tezos && \ apk update && \ apk upgrade && \ - apk add sudo bash libssl1.0 libsodium libev gmp git nginx && \ + apk add sudo bash libssl1.0 libsodium libev gmp git && \ rm -f /var/cache/apk/* && \ echo 'tezos ALL=(ALL:ALL) NOPASSWD:ALL' > /etc/sudoers.d/tezos && \ chmod 440 /etc/sudoers.d/tezos && \ @@ -30,9 +30,6 @@ RUN sudo cp scripts/docker_entrypoint.sh /usr/local/bin/tezos && \ RUN sudo mkdir -p /var/run/tezos && \ sudo chown tezos /var/run/tezos -RUN sudo mkdir -p /run/nginx && \ - sudo cp scripts/nginx.conf /etc/nginx - ENV EDITOR=vi VOLUME /var/run/tezos diff --git a/scripts/alphanet.sh b/scripts/alphanet.sh index 7f4139e50..b364325d7 100755 --- a/scripts/alphanet.sh +++ b/scripts/alphanet.sh @@ -162,6 +162,9 @@ assert_container() { } start_container() { + if [ "$#" -ge 2 ] && [ "$1" = "--rpc-port" ] ; then + docker_export_rpc="-p $2:8732" + fi if check_container; then assert_container_uptodate else 
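Review bot: `docker_export_rpc` is assigned only inside the new `if` at the top of `start_container`, so when `--rpc-port` is absent the `docker run` in the next hunk expands whatever value the variable already holds, including one inherited from the caller's environment; nothing visible in these hunks initialises it. Begin the function with `docker_export_rpc=""`. `$2` is also used unchecked and the expansion in `docker run` is unquoted, so a value containing spaces becomes extra `docker run` arguments; a guard such as `case "$2" in ''|*[!0-9]*) echo "invalid RPC port" >&2; exit 1;; esac` restricts it to a port number. In addition, `-p $2:8732` publishes on every host interface, whereas `-p 127.0.0.1:$2:8732` would keep the RPCs that the usage text warns about local unless the operator deliberately widens the binding. The body of `start_container` continues outside this hunk.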
@@ -170,13 +173,11 @@ start_container() { fi docker rm "$docker_container" || true > /dev/null 2>&1 echo "Launching the docker container..." - docker run --rm -dit -p "$port:$port" -p "8732:80" \ - -v $docker_volume:/var/run/tezos \ + docker run --rm -dit -p "$port:$port" $docker_export_rpc \ + -v "$docker_volume:/var/run/tezos" \ --entrypoint /bin/sh \ --name "$docker_container" \ "$docker_image" > /dev/null - docker exec --user root --detach "$docker_container" \ - nginx -c /etc/nginx/nginx.conf may_restore_identity may_restore_accounts fi @@ -198,7 +199,8 @@ stop_container() { ## Node #################################################################### init_node() { - docker exec "$docker_container" tezos init "$@" + docker exec "$docker_container" tezos init \ + "$@" --net-addr "[::]:$port" save_identity } @@ -332,7 +334,11 @@ run_client() { } run_shell() { - docker exec -it "$docker_container" bash + if [ $# -eq 0 ]; then + docker exec -it "$docker_container" bash + else + docker exec -it "$docker_container" bash -c "$@" + fi save_accounts } @@ -347,8 +353,8 @@ display_head() { start() { pull_image - start_container - init_node --net-addr "[::]:$port" "$@" + start_container "$@" + init_node "$@" start_node start_baker start_endorser 
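Review bot: In `run_shell`, `bash -c "$@"` hands only the first argument to bash as the command string; the remaining words become `$0`, `$1`, … of that string, so the `shell tezos-node config --help` form advertised in the usage text would run `tezos-node` with no arguments. Passing the argument vector straight to docker, `docker exec -it "$docker_container" "$@"`, keeps each word intact and avoids a second round of shell parsing inside the container. If a single command string is really intended, `bash -c "$*"` is the joining form, but it re-parses the text and loses the quoting supplied by the caller.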
@@ -417,11 +423,18 @@ update_script() { usage() { echo "Usage: $0 [GLOBAL_OPTIONS] [OPTIONS]" echo " Main commands:" - echo " $0 start [OPTIONS] (passed to tezos-node config init)" + echo " $0 start [--rpc-port ] [OPTIONS]" echo " Launch a full Tezos alphanet node in a docker container" echo " automatically generating a new network identity." - echo " An account my_account for a manager my_identity is also" + echo " An account 'my_account' for a manager 'my_identity' is also" echo " created to be used via the client." + echo " OPTIONS (others than --rpc-port) are directly passed to the" + echo " Tezos node, see '$0 shell tezos-node config --help'" + echo " for more details." + echo " By default, the RPC port is not exported outside the docker" + echo " container. WARNING: when exported some RPCs could be harmful" + echo " (e.g. 'inject_block', 'force_validation', ...), it is" + echo " advised not to export them publicly." echo " $0 " echo " Friendly or brutally stop the node." echo " $0 restart" @@ -447,7 +460,9 @@ usage() { echo " $0 endorser " echo " $0 shell" echo "Node configuration backup directory: $data_dir" - echo "Global options are currently restricted to: '--port '" + echo "Global options are currently limited to:" + echo " --port " + echo " change public the port Tezos node" } ## Dispatch ################################################################ @@ -503,7 +518,7 @@ case "$command" in if [ "$#" -eq 0 ] ; then usage ; exit 1 ; else shift ; fi case "$subcommand" in start) - start_container + start_container "$@" warn_script_uptodate ;; status) @@ -617,7 +632,7 @@ case "$command" in ;; shell) assert_uptodate - run_shell + run_shell "$@" ;; client) assert_uptodate diff --git a/scripts/docker_entrypoint.inc.sh b/scripts/docker_entrypoint.inc.sh index 857d9bce4..412bdd611 100644 --- a/scripts/docker_entrypoint.inc.sh +++ b/scripts/docker_entrypoint.inc.sh 
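Review bot: The new help text for `start` does not say that `--rpc-port` is recognised only as the first argument after the subcommand. Both `start_container` and the entrypoint's `init` test `"$1"` only, so in any other position the flag is forwarded to the node's `config init`/`config update` command line instead of being handled by the script. The placeholders after `--rpc-port` and `--port` appear to be missing in the text as shown here (possibly lost in rendering), and `change public the port Tezos node` reads as garbled. Suggested lines: `echo "    --rpc-port <port> must be the first option after 'start'."` and `echo "      change the public port of the Tezos node"`. The `usage` function starts and ends outside these hunks.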
@@ -33,16 +33,24 @@ init() { rmdir "$data_dir/bak" cp ~/scripts/alphanet_version "$data_dir/alphanet_version" fi + if [ "$#" -ge 2 ] && [ "$1" = "--rpc-port" ] ; then + rpc_addr="[::]:8732" + shift 2 + else + rpc_addr="127.0.0.1:8732" + fi if [ ! -f "$node_dir/config.json" ]; then "$node" config init \ + "$@" \ --data-dir "$node_dir" \ - --rpc-addr "127.0.0.1:8732" \ - --log-output "$node_dir/log" \ - "$@" + --rpc-addr "$rpc_addr" \ + --log-output "$node_dir/log" else "$node" config update \ + "$@" \ --data-dir "$node_dir" \ - "$@" + --rpc-addr "$rpc_addr" \ + --log-output "$node_dir/log" fi if [ -f "$node_dir/identity.json" ]; then if ! "$node" identity check \ @@ -70,7 +78,7 @@ run_node() { ## Temporary hack until Pierre has debugged Lwt... export LWT_ASYNC_METHOD=none ## END of temporary hack - exec "$node" run --data-dir "$node_dir" "$@" + exec "$node" run "$@" --data-dir "$node_dir" } stop_node() {
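Review bot: The `--rpc-port` branch added to `init` needs a comment, because it is not obvious that the port number in `$2` is deliberately discarded by `shift 2` and that the flag only switches the listen address from loopback to `[::]`. Something like `# --rpc-port <host-port>: the host-side mapping is done by alphanet.sh; here we only listen on all container interfaces so the published port can reach the RPC` above the `if` would do. The same comment should state that `config update` now rewrites `--rpc-addr` on every `init`, so a later `init` without the flag puts the RPC back on `127.0.0.1`. The body of `init` continues outside the hunk.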