
[Security] In which dirs does Nethermind need write permissions while running Docker?

Open luarx opened this issue 1 year ago • 5 comments

Description I am trying to run Nethermind with limited write permissions

Actual behavior When I try to do that, I see this error Failed to create CoreCLR, HRESULT: 0x8007000E

Expected behavior I would like to run Nethermind with limited r/w permissions, could you point out which dirs need Nethermind to write, please? 🙏

Configuration

    "--config",
    "gnosis_archive",
    "--datadir",
    "/mnt/ethereum/data", (r/w permissions enabled)
    "--baseDbPath",
    "/mnt/ethereum/db",  (r/w permissions enabled)
    "--JsonRpc.Enabled",
    "true",
    "--JsonRpc.Host",
    "0.0.0.0",
    "--JsonRpc.Port",
    "8545",
    "--JsonRpc.EnginePort",
    "9545",
    "--JsonRpc.EngineHost",
    "0.0.0.0",
    "--JsonRpc.JwtSecretFile",
    "/mnt/jwtsecret/jwtsecret"  (r/w permissions enabled)

Desktop (please complete the following information): Please provide the following information regarding your setup:

  • Version: 1.22.0
  • Installation Method: Docker
  • Consensus Client: lighthouse:v4.4.1

Logs Failed to create CoreCLR, HRESULT: 0x8007000E

luarx avatar Jan 18 '24 12:01 luarx

Judging by the error message, it looks like you're not using the official Docker image. Please provide more details on how you run it, with which image, the exact command, etc., so we can diagnose the issue.

rubo avatar Jan 19 '24 21:01 rubo

We are using the official Docker image nethermind/nethermind:1.22.0 in Kubernetes 👀. Running it with the default image command and the options that I shared above, and trying to limit r/w permissions using readOnlyRootFilesystem: true

luarx avatar Jan 23 '24 12:01 luarx

I'm afraid it won't work that way. The error code 0x8007000E means "out of resources", in this case, file system-related resources. When that error is thrown, Nethermind is not even initialized, as the error comes from the .NET runtime when it's starting up. My guess is something is wrong with mounted volume permissions, or the temp directory is not write-accessible. You may find some workarounds here.

rubo avatar Jan 23 '24 16:01 rubo
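One way to keep the read-only root filesystem and still satisfy the writable paths discussed above (the three mounted volumes plus a writable temp directory for the .NET runtime), as an added example that is not part of this issue or of the Nethermind project. The Pod below mounts an emptyDir at /tmp, mounts the JWT secret read-only (it assumes the secret file already exists), and drops to a non-root user. The PVC names, Secret name, UID, and the choice of /tmp as the runtime's temp directory are assumptions; adjust them to the cluster.

```yaml
# Added example, not from the issue or the Nethermind project.
# Keeps readOnlyRootFilesystem: true and grants writes only where needed.
apiVersion: v1
kind: Pod
metadata:
  name: nethermind
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000    # assumed UID; must be able to write the data/db volumes
    fsGroup: 1000      # gives the mounted volumes a group the process can write as
  containers:
    - name: nethermind
      image: nethermind/nethermind:1.22.0
      args:
        - --config
        - gnosis_archive
        - --datadir
        - /mnt/ethereum/data
        - --baseDbPath
        - /mnt/ethereum/db
        - --JsonRpc.Enabled
        - "true"
        - --JsonRpc.Host
        - 0.0.0.0
        - --JsonRpc.Port
        - "8545"
        - --JsonRpc.EnginePort
        - "9545"
        - --JsonRpc.EngineHost
        - 0.0.0.0
        - --JsonRpc.JwtSecretFile
        - /mnt/jwtsecret/jwtsecret
      securityContext:
        readOnlyRootFilesystem: true     # the setting from the issue, kept on
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: data
          mountPath: /mnt/ethereum/data  # writable: chain data, keystore, logs
        - name: db
          mountPath: /mnt/ethereum/db    # writable: database
        - name: jwtsecret
          mountPath: /mnt/jwtsecret
          readOnly: true                 # only read at startup; file must already exist
        - name: tmp
          mountPath: /tmp                # writable scratch space for the .NET runtime
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: nethermind-data       # assumed PVC name
    - name: db
      persistentVolumeClaim:
        claimName: nethermind-db         # assumed PVC name
    - name: jwtsecret
      secret:
        secretName: nethermind-jwt       # assumed Secret holding key "jwtsecret"
    - name: tmp
      emptyDir: {}                       # discarded with the Pod; nothing persistent lives here
```

The emptyDir at /tmp is the part that addresses the "temp directory is not write-accessible" guess: it is ephemeral and node-local, so it does not weaken the read-only root for anything else in the image. If the container still exits at startup, `kubectl logs` on the failed container shows whether the runtime or Nethermind itself is the one refusing to start, and any further path the image expects to write (for example a logs or keystore directory outside --datadir) can be given its own small emptyDir rather than relaxing readOnlyRootFilesystem.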

Thanks for pointing out the root cause @rubo, will check 🙌

Maybe it is a thing to consider when releasing a Docker image with a non-root user by default (discussed here). Being able to run a Docker image with a read-only root file system is also a security recommendation 🙏 Wdyt?

luarx avatar Jan 24 '24 01:01 luarx

Yeah, we'll check the possibility for that, but I'm not sure it can be easily achieved.

rubo avatar Jan 25 '24 20:01 rubo