fix(ci): Better permission and cache dirs handling in Docker (#9323)

* Use gosu only once

* Remove `COLORBT_SHOW_HIDDEN`

* Simplify Dockerfile

* Remove `check_directory_files` from entrypoint

* Remove check for `ZEBRA_CONF_PATH` in entrypoint

* Simplify ownership setting for `ZEBRA_CACHE_DIR`

* Simplify ownership setting for `LOG_FILE`

* Refactor Dockerfile & entrypoint

* Refactor vars in Dockerfile

* fmt

* Use `chown` for `ZEBRA_CONF_PATH`

* `run_cargo_test` -> `run_test`

* Make `run_test` runnable with gosu

* Cosmetics

* Don't pre-compile Zebra

* Revert: "Don't pre-compile Zebra"

* Fix the custom conf test

* Reintroduce `CARGO_HOME` in Dockerfile

* Pass `FEATURES` as env var to entrypoint

* Fix ARGs in Dockerfile

* Revert "Remove `COLORBT_SHOW_HIDDEN`"

This reverts commit 960d5ca.

* Specify cache state dir in CI

* Specify lwd cache dir in CI

* refactor: reorganize variables and avoid running entrypoint commands in subshell (#9326)

* refactor(docker): improve container configuration and security

- Optimize Dockerfile build stages and environment variables
- Improve file operations with proper ownership
- Streamline entrypoint script privilege management

* refactor(docker): enhance user management and directory ownership

- Add HOME argument back to ensure proper user home directory setup
- Implement ownership change for the user's home directory

* refactor(docker): remove redundant cache directory setup

- Eliminate explicit creation and ownership setting for LWD and Zebra cache directories in Dockerfile.
- Introduce default values for cache directories in entrypoint script, allowing for environment variable overrides.

* fix: run all cargo commands as user

* chore: reduce diff

* fix: revert to more robust command array

---------

Co-authored-by: Gustavo Valverde <[email protected]>
Co-authored-by: Gustavo Valverde <[email protected]>

Author: upbqdn

.github/workflows/sub-ci-integration-tests-gcp.yml

@@ -108,7 +108,7 @@ jobs:
       app_name: zebrad
       test_id: sync-past-checkpoint
       test_description: Test full validation sync from a cached state
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_CHECKPOINT_SYNC=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_CHECKPOINT_SYNC=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       needs_zebra_state: true
       saves_to_disk: false
       disk_suffix: checkpoint
@@ -178,7 +178,7 @@ jobs:
       app_name: zebrad
       test_id: update-to-tip
       test_description: Test syncing to tip with a Zebra tip state
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_UPDATE_SYNC=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_UPDATE_SYNC=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       needs_zebra_state: true
       # update the disk on every PR, to increase CI speed
       saves_to_disk: true
@@ -209,7 +209,7 @@ jobs:
       test_id: checkpoints-mainnet
       test_description: Generate Zebra checkpoints on mainnet
       # TODO: update the test to use {{ input.network }} instead?
-      test_variables: "-e NETWORK=Mainnet -e GENERATE_CHECKPOINTS_MAINNET=1"
+      test_variables: "-e NETWORK=Mainnet -e GENERATE_CHECKPOINTS_MAINNET=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       needs_zebra_state: true
       # test-update-sync updates the disk on every PR, so we don't need to do it here
       saves_to_disk: false
@@ -285,7 +285,7 @@ jobs:
       app_name: zebrad
       test_id: checkpoints-testnet
       test_description: Generate Zebra checkpoints on testnet
-      test_variables: "-e NETWORK=Testnet -e GENERATE_CHECKPOINTS_TESTNET=1"
+      test_variables: "-e NETWORK=Testnet -e GENERATE_CHECKPOINTS_TESTNET=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       network: "Testnet"
       needs_zebra_state: true
       # update the disk on every PR, to increase CI speed
@@ -316,7 +316,7 @@ jobs:
       app_name: lightwalletd
       test_id: lwd-full-sync
       test_description: Test lightwalletd full sync
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_FULL_SYNC=1 -e ZEBRA_TEST_LIGHTWALLETD=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_FULL_SYNC=1 -e ZEBRA_TEST_LIGHTWALLETD=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       # This test runs for longer than 6 hours, so it needs multiple jobs
       is_long_test: true
       needs_zebra_state: true
@@ -351,7 +351,7 @@ jobs:
       app_name: lightwalletd
       test_id: lwd-update-sync
       test_description: Test lightwalletd update sync with both states
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_UPDATE_SYNC=1 -e ZEBRA_TEST_LIGHTWALLETD=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_UPDATE_SYNC=1 -e ZEBRA_TEST_LIGHTWALLETD=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra -e LWD_CACHE_DIR=/home/zebra/.cache/lwd"
       needs_zebra_state: true
       needs_lwd_state: true
       saves_to_disk: true
@@ -379,7 +379,7 @@ jobs:
       app_name: lightwalletd
       test_id: fully-synced-rpc
       test_description: Test lightwalletd RPC with a Zebra tip state
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_RPC_CALL=1 -e ZEBRA_TEST_LIGHTWALLETD=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_RPC_CALL=1 -e ZEBRA_TEST_LIGHTWALLETD=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       needs_zebra_state: true
       saves_to_disk: false
     secrets: inherit
@@ -401,7 +401,7 @@ jobs:
       app_name: lightwalletd
       test_id: lwd-send-transactions
       test_description: Test sending transactions via lightwalletd
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_TRANSACTIONS=1 -e ZEBRA_TEST_LIGHTWALLETD=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_TRANSACTIONS=1 -e ZEBRA_TEST_LIGHTWALLETD=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra -e LWD_CACHE_DIR=/home/zebra/.cache/lwd"
       needs_zebra_state: true
       needs_lwd_state: true
       saves_to_disk: false
@@ -424,7 +424,7 @@ jobs:
       app_name: lightwalletd
       test_id: lwd-grpc-wallet
       test_description: Test gRPC calls via lightwalletd
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_GRPC=1 -e ZEBRA_TEST_LIGHTWALLETD=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_LWD_GRPC=1 -e ZEBRA_TEST_LIGHTWALLETD=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra -e LWD_CACHE_DIR=/home/zebra/.cache/lwd"
       needs_zebra_state: true
       needs_lwd_state: true
       saves_to_disk: false
@@ -451,7 +451,7 @@ jobs:
       app_name: zebrad
       test_id: get-block-template
       test_description: Test getblocktemplate RPC method via Zebra's rpc server
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_GET_BLOCK_TEMPLATE=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_GET_BLOCK_TEMPLATE=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       needs_zebra_state: true
       needs_lwd_state: false
       saves_to_disk: false
@@ -474,7 +474,7 @@ jobs:
       app_name: zebrad
       test_id: submit-block
       test_description: Test submitting blocks via Zebra's rpc server
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_SUBMIT_BLOCK=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_SUBMIT_BLOCK=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       needs_zebra_state: true
       needs_lwd_state: false
       saves_to_disk: false
@@ -497,7 +497,7 @@ jobs:
       app_name: zebra-scan
       test_id: scanner-tests
       test_description: Tests the scanner.
-      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_SCANNER=1"
+      test_variables: "-e NETWORK=${{ inputs.network || vars.ZCASH_NETWORK }} -e TEST_SCANNER=1 -e ZEBRA_CACHE_DIR=/home/zebra/.cache/zebra"
       needs_zebra_state: true
       needs_lwd_state: false
       saves_to_disk: false

.github/workflows/sub-ci-unit-tests-docker.yml

@@ -181,7 +181,7 @@ jobs:
     with:
       test_id: "custom-conf"
       docker_image: ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ inputs.image_digest }}
-      test_variables: '-e ZEBRA_CONF_PATH="zebrad/tests/common/configs/custom-conf.toml"'
+      test_variables: '-e ZEBRA_CONF_PATH="/home/zebra/zebrad/tests/common/configs/custom-conf.toml"'
       grep_patterns: '-e "extra_coinbase_data:\sSome\(\"do you even shield\?\"\)"'
 
   failure-issue:

docker/Dockerfile

@@ -3,32 +3,29 @@
 
 # If you want to include a file in the Docker image, add it to .dockerignore.
 #
-# We are using 4 (TODO: 5) stages:
+# We use 4 (TODO: 5) stages:
 # - deps: installs build dependencies and sets default values
-# - tests: builds tests binaries
+# - tests: prepares a test image
 # - release: builds release binaries
-# - runtime: runs the release binaries
+# - runtime: prepares the release image
 # - TODO: Add a `monitoring` stage
 #
 # We first set default values for build arguments used across the stages.
 # Each stage must define the build arguments (ARGs) it uses.
 
-# Build zebrad with these features
-#
-# Keep these argument defaults in sync with GitHub vars.RUST_PROD_FEATURES
+ARG RUST_VERSION=1.85.0
+
+# Keep in sync with vars.RUST_PROD_FEATURES in GitHub
 # https://github.com/ZcashFoundation/zebra/settings/variables/actions
 ARG FEATURES="default-release-binaries"
 
-ARG USER="zebra"
 ARG UID=10001
-ARG GID=10001
+ARG GID=${UID}
+ARG USER="zebra"
 ARG HOME="/home/${USER}"
+ARG CARGO_HOME="${HOME}/.cargo"
 
-ARG RUST_VERSION=1.85.0
-# In this stage we download all system requirements to build the project
-#
-# It also captures all the build arguments to be used as environment variables.
-# We set defaults for the arguments, in case the build does not include this information.
+# This stage prepares Zebra's build deps and captures build args as env vars.
 FROM rust:${RUST_VERSION}-bookworm AS deps
 SHELL ["/bin/bash", "-xo", "pipefail", "-c"]
 
@@ -39,25 +36,20 @@ RUN apt-get -qq update && \
     protobuf-compiler \
     && rm -rf /var/lib/apt/lists/* /tmp/*
 
-# Build arguments and variables set for tracelog levels and debug information
-ARG RUST_LOG
-ENV RUST_LOG=${RUST_LOG:-info}
-
-ARG RUST_BACKTRACE
-ENV RUST_BACKTRACE=${RUST_BACKTRACE:-1}
-
-ARG RUST_LIB_BACKTRACE
-ENV RUST_LIB_BACKTRACE=${RUST_LIB_BACKTRACE:-1}
-
-ARG COLORBT_SHOW_HIDDEN
-ENV COLORBT_SHOW_HIDDEN=${COLORBT_SHOW_HIDDEN:-1}
-
+# Build arguments and variables
 ARG CARGO_INCREMENTAL
 ENV CARGO_INCREMENTAL=${CARGO_INCREMENTAL:-0}
 
-ARG SHORT_SHA
-# If this is not set, it must be an empty string, so Zebra can try an alternative git commit source:
+ARG CARGO_HOME
+ENV CARGO_HOME=${CARGO_HOME}
+
+ARG FEATURES
+ENV FEATURES=${FEATURES}
+
+# If this is not set, it must be an empty string, so Zebra can try an
+# alternative git commit source:
 # https://github.com/ZcashFoundation/zebra/blob/9ebd56092bcdfc1a09062e15a0574c94af37f389/zebrad/src/application.rs#L179-L182
+ARG SHORT_SHA
 ENV SHORT_SHA=${SHORT_SHA:-}
 
 # This stage builds tests without running them.
@@ -66,9 +58,6 @@ ENV SHORT_SHA=${SHORT_SHA:-}
 # An entrypoint.sh is only available in this step for easier test handling with variables.
 FROM deps AS tests
 
-ARG FEATURES
-ENV FEATURES=${FEATURES}
-
 # Skip IPv6 tests by default, as some CI environment don't have IPv6 available
 ARG ZEBRA_SKIP_IPV6_TESTS
 ENV ZEBRA_SKIP_IPV6_TESTS=${ZEBRA_SKIP_IPV6_TESTS:-1}
@@ -80,20 +69,18 @@ ARG UID
 ENV UID=${UID}
 ARG GID
 ENV GID=${GID}
-ARG HOME
-ENV HOME=${HOME}
 ARG USER
 ENV USER=${USER}
+ARG HOME
 
-RUN addgroup --gid ${GID} ${USER} && \
-    adduser --gid ${GID} --uid ${UID} --home ${HOME} ${USER}
+RUN addgroup --quiet --gid ${GID} ${USER} && \
+    adduser --quiet --gid ${GID} --uid ${UID} --home ${HOME} ${USER} --disabled-password --gecos ""
 
 # Set the working directory for the build.
 WORKDIR ${HOME}
-ENV CARGO_HOME="${HOME}/.cargo/"
 
 # Build Zebra test binaries, but don't run them
-
+#
 # Leverage a cache mount to /usr/local/cargo/registry/
 # for downloaded dependencies, a cache mount to /usr/local/cargo/git/db
 # for git repository dependencies, and a cache mount to ${HOME}/target/ for
@@ -136,30 +123,22 @@ COPY --from=tianon/gosu:bookworm /gosu /usr/local/bin/
 ENV ZEBRA_CONF_PATH="${HOME}/.config/zebrad.toml"
 COPY --chown=${UID}:${GID} ./docker/default-zebra-config.toml ${ZEBRA_CONF_PATH}
 
-ENV LWD_CACHE_DIR="${HOME}/.cache/lwd"
-RUN mkdir -p ${LWD_CACHE_DIR} && \
-    chown -R ${UID}:${GID} ${LWD_CACHE_DIR}
+# As the build has already run with the root user,
+# we need to set the correct permissions for the home and cargo home dirs owned by it.
+RUN chown -R ${UID}:${GID} "${HOME}" && \
+    chown -R ${UID}:${GID} "${CARGO_HOME}"
 
-# Use the same cache dir as in the production environment.
-ENV ZEBRA_CACHE_DIR="${HOME}/.cache/zebra"
-RUN mkdir -p ${ZEBRA_CACHE_DIR} && \
-    chown -R ${UID}:${GID} ${ZEBRA_CACHE_DIR}
-
-COPY ./ ${HOME}
-RUN chown -R ${UID}:${GID} ${HOME}
-
-COPY ./docker/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY --chown=${UID}:${GID} ./ ${HOME}
+COPY --chown=${UID}:${GID} ./docker/entrypoint.sh /usr/local/bin/entrypoint.sh
 
 ENTRYPOINT [ "entrypoint.sh", "test" ]
 
-# In this stage we build a release (generate the zebrad binary)
+# This stage builds the zebrad release binary.
 #
-# This step also adds `cache mounts` as this stage is completely independent from the
-# `test` stage. This step is a dependency for the `runtime` stage, which uses the resulting
-# zebrad binary from this step.
+# It also adds `cache mounts` as this stage is completely independent from the
+# `test` stage. The resulting zebrad binary is used in the `runtime` stage.
 FROM deps AS release
 
-ARG FEATURES
 ARG HOME
 
 RUN --mount=type=bind,source=tower-batch-control,target=tower-batch-control \
@@ -184,8 +163,8 @@ RUN --mount=type=bind,source=tower-batch-control,target=tower-batch-control \
     cargo build --locked --release --features "${FEATURES}" --package zebrad --bin zebrad && \
     cp ${HOME}/target/release/zebrad /usr/local/bin
 
-# This step starts from scratch using Debian and only adds the resulting binary
-# from the `release` stage.
+# This stage starts from scratch using Debian and copies the built zebrad binary
+# from the `release` stage along with other binaries and files.
 FROM debian:bookworm-slim AS runtime
 
 ARG FEATURES
@@ -209,28 +188,22 @@ ARG UID
 ENV UID=${UID}
 ARG GID
 ENV GID=${GID}
-ARG HOME
-ENV HOME=${HOME}
 ARG USER
 ENV USER=${USER}
+ARG HOME
 
-RUN addgroup --gid ${GID} ${USER} && \
-    adduser --gid ${GID} --uid ${UID} --home ${HOME} ${USER}
+RUN addgroup --quiet --gid ${GID} ${USER} && \
+    adduser --quiet --gid ${GID} --uid ${UID} --home ${HOME} ${USER} --disabled-password --gecos ""
 
 WORKDIR ${HOME}
 
 # We set the default locations of the conf and cache dirs according to the XDG
 # spec: https://specifications.freedesktop.org/basedir-spec/latest/
 
+RUN chown -R ${UID}:${GID} ${HOME}
+
 ARG ZEBRA_CONF_PATH="${HOME}/.config/zebrad.toml"
 ENV ZEBRA_CONF_PATH=${ZEBRA_CONF_PATH}
-COPY --chown=${UID}:${GID} ./docker/default-zebra-config.toml ${ZEBRA_CONF_PATH}
-
-ARG ZEBRA_CACHE_DIR="${HOME}/.cache/zebra"
-ENV ZEBRA_CACHE_DIR=${ZEBRA_CACHE_DIR}
-RUN mkdir -p ${ZEBRA_CACHE_DIR} && chown -R ${UID}:${GID} ${ZEBRA_CACHE_DIR}
-
-RUN chown -R ${UID}:${GID} ${HOME}
 
 # We're explicitly NOT using the USER directive here.
 # Instead, we run as root initially and use gosu in the entrypoint.sh
@@ -240,9 +213,9 @@ RUN chown -R ${UID}:${GID} ${HOME}
 
 # Copy the gosu binary to be able to run the entrypoint as non-root user
 COPY --from=tianon/gosu:bookworm /gosu /usr/local/bin/
-
 COPY --from=release /usr/local/bin/zebrad /usr/local/bin/
-COPY ./docker/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY --chown=${UID}:${GID} ./docker/default-zebra-config.toml ${ZEBRA_CONF_PATH}
+COPY --chown=${UID}:${GID} ./docker/entrypoint.sh /usr/local/bin/entrypoint.sh
 
 ENTRYPOINT [ "entrypoint.sh" ]
 CMD ["zebrad"]