guild-operators
Docker container - Enabling Mithril client with 'no-new-privileges'
When using the Guild's Docker image and enabling the Mithril client (MITHRIL_DOWNLOAD: Y), if no-new-privileges is enabled, Mithril init fails (see log below).
The script is using sudo when creating the file: /opt/cardano/cnode/mithril/mithril.env, which no-new-privileges is preventing... The directory /opt/cardano/cnode/mithril/ is owned by the user: guild, so it should be able to create the file without elevated privs... Would it be possible to remove the script's sudo requirement here?
Docker compose.yml:
services:
  cardano-relay:
    image: cardanocommunity/cardano-node:10.1.4
    environment:
      MITHRIL_DOWNLOAD: Y # (Y|N) Download latest Mithril snapshot if no db exists
    security_opt:
      - no-new-privileges
Container log:
_____ _ __ __ ____ __
/ ___/_ __(_) /__/ / / __ \___ ___ _______ _/ /____ _______
/ (_ / // / / / _ / / /_/ / _ \/ -_) __/ _ `/ __/ _ \/ __(_-<
\___/\_,_/_/_/\_,_/ \____/ .__/\__/_/ \_,_/\__/\___/_/ /___/
/_/
NETWORK: preview /opt/cardano/cnode/files-custom/topology.json
ENTRYPOINT_PROCESS: cnode.sh
NODE: 8653eac6ef31 - Port:6000 -
cardano-node 10.1.4 - linux-x86_64 - ghc-8.10
git rev 1f63dbf2ab39e0b32bf6901dc203866d3e37de08
Creating /opt/cardano/cnode/mithril/mithril.env...
Info: Setting minimal environment variables supporting only the Mithril client use case.
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
/opt/cardano/cnode/scripts/mithril.library: line 360: /opt/cardano/cnode/mithril/mithril.env: No such file or directory
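An added example, not part of the issue and not guild-operators code: one way a script can stay compatible with no-new-privileges is to write the file directly when the directory is already writable, and to read the kernel's NoNewPrivs flag before falling back to sudo. The function names are hypothetical, and the optional status-file argument exists only so the parser can be exercised on constructed input.

```shell
#!/usr/bin/env bash
# Added illustration; function names are hypothetical, not from mithril.library.

# Print the NoNewPrivs value (0 or 1) of the current process.
# $1 = optional status file, defaults to /proc/self/status.
no_new_privs() {
  local status_file="${1:-/proc/self/status}"
  [ -r "$status_file" ] || { echo 0; return 0; }
  # Kernels older than 4.10 do not expose the field; report 0 in that case.
  awk '/^NoNewPrivs:/ {print $2; found=1} END {if (!found) print 0}' "$status_file"
}

# Print how a file should be created: "direct", "sudo" or "blocked".
# $1 = target path, $2 = optional status file.
write_strategy() {
  local target="$1" dir
  dir="$(dirname "$target")"
  if [ -w "$dir" ] && { [ ! -e "$target" ] || [ -w "$target" ]; }; then
    echo direct            # current user can already write: no elevation needed
  elif [ "$(no_new_privs "${2:-/proc/self/status}")" = "1" ]; then
    echo blocked           # sudo cannot gain root while the flag is set
  elif command -v sudo >/dev/null 2>&1; then
    echo sudo
  else
    echo blocked
  fi
}

# Write stdin to the target using the least privilege that works.
# $1 = target path, $2 = optional status file.
write_env_file() {
  local target="$1"
  case "$(write_strategy "$target" "${2:-/proc/self/status}")" in
    direct) cat > "$target" ;;
    sudo)   sudo tee "$target" > /dev/null ;;
    *)      echo "cannot write $target: not writable and elevation unavailable" >&2
            return 1 ;;
  esac
}
```

With the ownership described in the issue, `write_strategy /opt/cardano/cnode/mithril/mithril.env` would report `direct` for the guild user, so sudo is never invoked.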