Improved Docker image (ton-blockchain#1051)

* add github action for macOS 14 (arm64, M1)

* add github action (portable) for macOS 14 (arm64, M1)

* rename macOS arm64 output artifact

* Update libsodium on windows

* Compile libsodium

* Update build-windows.bat

* use upgraded libsodium 1.0.20; use compiled static libsodium for Windows instead of precompiled;

* revert libsodium 1.0.20; use compiled static libsodium for Windows instead of precompiled;

* use upgraded libsodium 1.0.20; use compiled static libsodium for Windows instead of precompiled;

* fix libsodium version 1.0.19; use compiled static libsodium for Windows instead of precompiled;

* try 1.0.20 libsodium precompiled on github

* try 1.0.18 libsodium precompiled on github

* try windows build on win server 2019

* and use PlatformToolset=v142

* use cmake -G "Visual Studio 16 2019"

* fix path to msvc 2019 on github

* separate github windows build on win server 2019 and build on win server 2022

* Update assembly/native/build-windows-2019.bat

add retry mechanism

Co-authored-by: Dr. Awesome Doge <[email protected]>

* rework docker image; provide installation, configuration and troubleshooting guidelines; add nc, ifconfig, netstat and iptraf-ng utilities for troubleshooting;

* put back control.template

* add tcpdump and curl to the docker image;
update default validator ports;
add kubernetes deployment guidelines with network=host;
test metalLB load balancer

* tested metalLB load balancer

* tested aws deployment

* tested gcp deployment

* todo ali cloud and storage mount points, currently only the networking was tested

* add storage/pv/pvc; repair broken links, adjust docu

* change to dynamic storage provisioning without node affinity (statefulSet+headless service)
WIP

* modify gcp deployment WIP

* modify aws deployment WIP

* add resource requests/limits

* some docu changes

* some docu changes; aws tested

* support $DUMP_URL parameter as well as $ZFS_POOL_NAME;
add pv and plzip to docker image for dump extraction;
use mainnet dump by default in k8s deployments;

* support $DUMP_URL parameter as well as $ZFS_POOL_NAME;
add pv and plzip to docker image for dump extraction;
use mainnet dump by default in k8s deployments;
add AliCloud support

* minor remarks, final tests

* remove ZFS_POOL_NAME parameter

* improve docker github action - run test and add release tag, compile against arm64

* set docker test timeout

* test if validator-engine inside the docker image is valid

* test if validator-engine inside the docker image is valid

* test if validator-engine inside the docker image is valid

* adjust recommended node values for ali cloud deployment

---------

Co-authored-by: neodiX <[email protected]>
Co-authored-by: Dr. Awesome Doge <[email protected]>

.github/workflows/docker-ubuntu-image.yml

@@ -20,22 +20,49 @@ jobs:
  submodules: 'recursive'
 
  - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@v3
 
  - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v3
 
  - name: Login to GitHub Container Registry
- uses: docker/login-action@v1
+ uses: docker/login-action@v3
  with:
  registry: ${{ env.REGISTRY }}
  username: ${{ github.repository_owner }}
  password: ${{ secrets.GITHUB_TOKEN }}
 
+ - name: Build and export to Docker
+ uses: docker/build-push-action@v6
+ with:
+ load: true
+ context: ./
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test
+
+ - name: Test
+ run: |
+ docker run --rm -e "TEST=1" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test
+
+ - name: Get next tag
+ id: tag
+ run: |
+ git fetch --all --tags
+ git tag -l
+ NEW_TAG=v$(date +'%Y.%m')
+ FOUND=$(git tag -l | grep $NEW_TAG | wc -l)
+ if [ $FOUND -eq 0 ]; then
+ echo "TAG=$NEW_TAG" >> $GITHUB_OUTPUT
+ else
+ echo "TAG=$NEW_TAG-$FOUND" >> $GITHUB_OUTPUT
+ fi
+
  - name: Build and push
  id: docker_build
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v6
  with:
+ platforms: linux/amd64,linux/arm64
  push: true
  context: ./
- tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ tags: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.TAG }}

Dockerfile

@@ -1,10 +1,15 @@
-FROM ubuntu:22.04 as builder
+FROM ubuntu:22.04 AS builder
 RUN apt-get update && \
- DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential cmake clang openssl libssl-dev zlib1g-dev gperf wget git ninja-build libsecp256k1-dev libsodium-dev libmicrohttpd-dev liblz4-dev pkg-config autoconf automake libtool libjemalloc-dev && \
- rm -rf /var/lib/apt/lists/*
-ENV CC clang
-ENV CXX clang++
-ENV CCACHE_DISABLE 1
+ DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential cmake clang openssl libssl-dev zlib1g-dev gperf wget git ninja-build libsecp256k1-dev libsodium-dev libmicrohttpd-dev liblz4-dev pkg-config autoconf automake libtool libjemalloc-dev lsb-release software-properties-common gnupg
+
+RUN wget https://apt.llvm.org/llvm.sh && \
+ chmod +x llvm.sh && \
+ ./llvm.sh 16 all && \
+ rm -rf /var/lib/apt/lists/*
+
+ENV CC=/usr/bin/clang-16
+ENV CXX=/usr/bin/clang++-16
+ENV CCACHE_DISABLE=1
 
 WORKDIR /
 RUN mkdir ion
@@ -13,13 +18,13 @@ WORKDIR /ion
 COPY ./ ./
 
 RUN mkdir build && \
- cd build && \
- cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DPORTABLE=1 -DTON_ARCH= -DTON_USE_JEMALLOC=ON .. && \
- ninja storage-daemon storage-daemon-cli tonlibjson fift func validator-engine validator-engine-console generate-random-id dht-server lite-client
+ cd build && \
+ cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DPORTABLE=1 -DTON_ARCH= -DTON_USE_JEMALLOC=ON .. && \
+ ninja storage-daemon storage-daemon-cli tonlibjson fift func validator-engine validator-engine-console generate-random-id dht-server lite-client
 
 FROM ubuntu:22.04
 RUN apt-get update && \
- apt-get install -y wget libatomic1 openssl libsecp256k1-dev libsodium-dev libmicrohttpd-dev liblz4-dev libjemalloc-dev && \
+ apt-get install -y wget curl libatomic1 openssl libsecp256k1-dev libsodium-dev libmicrohttpd-dev liblz4-dev libjemalloc-dev htop net-tools netcat iptraf-ng jq tcpdump pv plzip && \
  rm -rf /var/lib/apt/lists/*
 
 RUN mkdir -p /var/ion-work/db && \
@@ -33,7 +38,7 @@ COPY --from=builder /ion/build/validator-engine-console/validator-engine-console
 COPY --from=builder /ion/build/utils/generate-random-id /usr/local/bin/
 
 WORKDIR /var/ion-work/db
-COPY ./docker/init.sh ./docker/control.template ./
-RUN chmod +x init.sh
+COPY ./docker/init.sh ./docker/control.template /var/ton-work/scripts/
+RUN chmod +x /var/ton-work/scripts/init.sh
 
 ENTRYPOINT ["/var/ion-work/db/init.sh"]

docker/control.template

@@ -6,4 +6,4 @@
  "permissions" : 15
  }
  ]
- }
+ }

docker/init.sh

@@ -1,14 +1,28 @@
 #!/usr/bin/env bash
 
-# global config 
-if [ ! -z "$GCONFURL" ]; then
+if [ ! -z "$TEST" ]; then
+ echo -e "Running simple validator-engine test..."
+ validator-engine -h
+ test $? -eq 2 || { echo "simple validator-engine test failed"; exit 1; }
+ exit 0;
+fi
+
+# global config
+if [ ! -z "$GLOBAL_CONFIG_URL" ]; then
  echo -e "\e[1;32m[+]\e[0m Downloading provided global config."
  wget -q $GCONFURL -O /var/ion-work/db/ion-global.config
 else
- echo -e "\e[1;33m[=]\e[0m No global config provided, downloading default."
+ echo -e "\e[1;33m[=]\e[0m No global config provided, downloading mainnet default."
  #wget -q https://api.tontech.io/ton/wallet-mainnet.autoconf.json -O /var/ion-work/db/ion-global.config
 fi
 
+if [ -z "$VALIDATOR_PORT" ]; then
+ VALIDATOR_PORT=30001
+ echo -e "\e[1;33m[=]\e[0m Using default VALIDATOR_PORT $VALIDATOR_PORT udp"
+else
+ echo -e "\e[1;33m[=]\e[0m Using VALIDATOR_PORT $VALIDATOR_PORT udp"
+fi
+
 # Init local config with IP:PORT
 if [ ! -z "$PUBLIC_IP" ]; then
  if [ -z "$CONSOLE_PORT" ]; then
@@ -21,27 +35,80 @@ else
  exit 1
 fi
 
+if [ ! -f "/var/ton-work/db/config.json" ]; then
+ echo -e "\e[1;32m[+]\e[0m Initializing validator-engine:"
+ echo validator-engine -C /var/ton-work/db/ton-global.config --db /var/ton-work/db --ip "$PUBLIC_IP:$VALIDATOR_PORT"
+ validator-engine -C /var/ton-work/db/ton-global.config --db /var/ton-work/db --ip "$PUBLIC_IP:$VALIDATOR_PORT"
+ test $? -eq 0 || { echo "Cannot initialize validator-engine"; exit 2; }
+fi
+
+if [ ! -z "$DUMP_URL" ]; then
+ echo -e "\e[1;32m[+]\e[0m Using provided dump $DUMP_URL"
+ if [ ! -f "dump_downloaded" ]; then
+ echo -e "\e[1;32m[+]\e[0m Downloading dump..."
+ curl --retry 10 --retry-delay 30 -Ls $DUMP_URL | pv | plzip -d -n8 | tar -xC /var/ton-work/db
+ touch dump_downloaded
+ else
+ echo -e "\e[1;32m[+]\e[0m Dump has been already used."
+ fi
+fi
+
+if [ -z "$STATE_TTL" ]; then
+ STATE_TTL=86400
+ echo -e "\e[1;33m[=]\e[0m Using default STATE_TTL $STATE_TTL"
+else
+ echo -e "\e[1;33m[=]\e[0m Using STATE_TTL $STATE_TTL"
+fi
+
+if [ -z "$ARCHIVE_TTL" ]; then
+ ARCHIVE_TTL=86400
+ echo -e "\e[1;33m[=]\e[0m Using default ARCHIVE_TTL $ARCHIVE_TTL"
+else
+ echo -e "\e[1;33m[=]\e[0m Using ARCHIVE_TTL $ARCHIVE_TTL"
+fi
+
+if [ -z "$THREADS" ]; then
+ THREADS=8
+ echo -e "\e[1;33m[=]\e[0m Using default THREADS $THREADS"
+else
+ echo -e "\e[1;33m[=]\e[0m Using THREADS $THREADS"
+fi
+
+if [ -z "$VERBOSITY" ]; then
+ VERBOSITY=3
+ echo -e "\e[1;33m[=]\e[0m Using default VERBOSITY $VERBOSITY"
+else
+ echo -e "\e[1;33m[=]\e[0m Using VERBOSITY $VERBOSITY"
+fi
+
+if [ -z "$CONSOLE_PORT" ]; then
+ CONSOLE_PORT=30002
+ echo -e "\e[1;33m[=]\e[0m Using default CONSOLE_PORT $CONSOLE_PORT tcp"
+else
+ echo -e "\e[1;33m[=]\e[0m Using CONSOLE_PORT $CONSOLE_PORT tcp"
+fi
+
 # Generating server certificate
 if [ -f "./server" ]; then
  echo -e "\e[1;33m[=]\e[0m Found existing server certificate, skipping"
-else 
+else
  echo -e "\e[1;32m[+]\e[0m Generating and installing server certificate for remote control"
  read -r SERVER_ID1 SERVER_ID2 <<< $(generate-random-id -m keys -n server)
  echo "Server IDs: $SERVER_ID1 $SERVER_ID2"
  cp server /var/ion-work/db/keyring/$SERVER_ID1
 fi
 
 # Generating client certificate
-if [ -f "./client" ]; then 
+if [ -f "./client" ]; then
  echo -e "\e[1;33m[=]\e[0m Found existing client certificate, skipping"
 else
  read -r CLIENT_ID1 CLIENT_ID2 <<< $(generate-random-id -m keys -n client)
  echo -e "\e[1;32m[+]\e[0m Generated client private certificate $CLIENT_ID1 $CLIENT_ID2"
  echo -e "\e[1;32m[+]\e[0m Generated client public certificate"
  # Adding client permissions
- sed -e "s/CONSOLE-PORT/\"$(printf "%q" $CONSOLE_PORT)\"/g" -e "s~SERVER-ID~\"$(printf "%q" $SERVER_ID2)\"~g" -e "s~CLIENT-ID~\"$(printf "%q" $CLIENT_ID2)\"~g" control.template > control.new
- sed -e "s~\"control\"\ \:\ \[~$(printf "%q" $(cat control.new))~g" config.json > config.json.new
- mv config.json.new config.json
+ sed -e "s/CONSOLE-PORT/\"$(printf "%q" $CONSOLE_PORT)\"/g" -e "s~SERVER-ID~\"$(printf "%q" $SERVER_ID2)\"~g" -e "s~CLIENT-ID~\"$(printf "%q" $CLIENT_ID2)\"~g" /var/ton-work/scripts/control.template > control.new
+ sed -e "s~\"control\"\ \:\ \[~$(printf "%q" $(cat control.new))~g" /var/ton-work/db/config.json > config.json.new
+ mv config.json.new /var/ton-work/db/config.json
 fi
 
 # Liteserver
@@ -50,20 +117,25 @@ if [ -z "$LITESERVER" ]; then
 else
  if [ -f "./liteserver" ]; then
  echo -e "\e[1;33m[=]\e[0m Found existing liteserver certificate, skipping"
- else 
+ else
  echo -e "\e[1;32m[+]\e[0m Generating and installing liteserver certificate for remote control"
  read -r LITESERVER_ID1 LITESERVER_ID2 <<< $(generate-random-id -m keys -n liteserver)
  echo "Liteserver IDs: $LITESERVER_ID1 $LITESERVER_ID2"
  cp liteserver /var/ion-work/db/keyring/$LITESERVER_ID1
+
  if [ -z "$LITE_PORT" ]; then
- LITE_PORT="43679"
+ LITE_PORT=30003
+ echo -e "\e[1;33m[=]\e[0m Using default LITE_PORT $LITE_PORT tcp"
+ else
+ echo -e "\e[1;33m[=]\e[0m Using LITE_PORT $LITE_PORT tcp"
  fi
+
  LITESERVERS=$(printf "%q" "\"liteservers\":[{\"id\":\"$LITESERVER_ID2\",\"port\":\"$LITE_PORT\"}")
- sed -e "s~\"liteservers\"\ \:\ \[~$LITESERVERS~g" config.json > config.json.liteservers
- mv config.json.liteservers config.json
+ sed -e "s~\"liteservers\"\ \:\ \[~$LITESERVERS~g" /var/ton-work/db/config.json > config.json.liteservers
+ mv config.json.liteservers /var/ton-work/db/config.json
  fi
 fi
 
 echo -e "\e[1;32m[+]\e[0m Running validator-engine"
 
-exec validator-engine -c /var/ion-work/db/config.json -C /var/ion-work/db/ion-global.config --db /var/ion-work/db
+exec validator-engine -c /var/ion-work/db/config.json -C /var/ion-work/db/ion-global.config --db /var/ion-work/db

docker/ton-ali.yaml

@@ -0,0 +1,121 @@
+apiVersion: "apps/v1"
+kind: StatefulSet
+metadata:
+ name: validator-engine-pod
+ labels:
+ name: validator-engine-pod
+spec:
+ volumeClaimTemplates:
+ - metadata:
+ name: validator-engine-pvc
+ spec:
+ storageClassName: alicloud-disk-ssd
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 800Gi
+ serviceName: validator-engine-srv-headless
+ replicas: 1
+ selector:
+ matchLabels:
+ name: validator-engine-pod
+ template:
+ metadata:
+ labels:
+ name: validator-engine-pod
+ spec:
+ containers:
+ - name: validator-engine-container
+ image: ghcr.io/neodix42/ton:latest
+ env:
+ - name: PUBLIC_IP
+ value: "<PUBLIC_IP>"
+ - name: GLOBAL_CONFIG_URL
+ value: "https://api.tontech.io/ton/wallet-mainnet.autoconf.json"
+ - name: DUMP_URL
+ value: "https://dump.ton.org/dumps/latest.tar.lz"
+ - name: LITESERVER
+ value: "true"
+ - name: VALIDATOR_PORT
+ value: "30001"
+ - name: CONSOLE_PORT
+ value: "30002"
+ - name: LITE_PORT
+ value: "30003"
+ - name: STATE_TTL
+ value: "86400"
+ - name: ARCHIVE_TTL
+ value: "86400"
+ - name: THREADS
+ value: "8"
+ - name: VERBOSITY
+ value: "3"
+ ports:
+ - containerPort: 30001
+ protocol: UDP
+ - containerPort: 30002
+ protocol: TCP
+ - containerPort: 30003
+ protocol: TCP
+ volumeMounts:
+ - mountPath: "/var/ton-work/db"
+ name: validator-engine-pvc
+ resources:
+ requests:
+ memory: "64Gi"
+ cpu: "16"
+ limits:
+ memory: "128Gi"
+ cpu: "32"
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: validator-engine-srv
+ annotations:
+ service.beta.kubernetes.io/alibaba-cloud-loadbalancer-eip-ids: "<ELASTIC_IP_ID>"
+ service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ ports:
+ - name: validator-udp
+ nodePort: 30001
+ port: 30001
+ targetPort: 30001
+ protocol: UDP
+ - name: console-tcp
+ nodePort: 30002
+ port: 30002
+ targetPort: 30002
+ protocol: TCP
+ - name: ls-tcp
+ nodePort: 30003
+ port: 30003
+ targetPort: 30003
+ protocol: TCP
+ selector:
+ name: validator-engine-pod
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: validator-engine-srv-headless
+spec:
+ clusterIP: None
+ ports:
+ - name: validator-udp
+ port: 30001
+ targetPort: 30001
+ protocol: UDP
+ - name: console-tcp
+ port: 30002
+ targetPort: 30002
+ protocol: TCP
+ - name: ls-tcp
+ port: 30003
+ targetPort: 30003
+ protocol: TCP
+ selector:
+ name: validator-engine-pod