pi-supernode/Dockerfile at main · KOSASIH/pi-supernode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# syntax=docker/dockerfile:1.5-labs
# Multi-arch enterprise build for pi-supernode v2.1.0

# ========================================
# 🛠️ BUILD STAGE (Go 1.22 + ZK Pre-compilation)
# ========================================
FROM --platform=$BUILDPLATFORM tonistiigi/xx:golang@sha256:3bd93e2c72e82cf9f7f8e85e199ab8d9fb3a2c72e3d4c7d4e9f8b2e3f4a5b6c7 AS xx

FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder

# Build args
ARG TARGETOS
ARG TARGETARCH
ARG VERSION=2.1.0
ARG GIT_COMMIT=unknown
ARG BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')

WORKDIR /app

# ========================================
# 📦 CACHE OPTIMIZATION (90% faster rebuilds)
# ========================================
# Download dependencies
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    go mod download && go mod verify

# Pre-compile ZK circuits
COPY pkg/crypto/circuits/ ./pkg/crypto/circuits/
RUN --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH \
    go build -o /tmp/zk-precompiler ./pkg/crypto/circuits/precompile.go && \
    /tmp/zk-precompiler /data/zk-circuit-mainnet.json

# Build main binary
COPY . .
RUN --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 \
    GOOS=${TARGETOS:-linux} \
    GOARCH=${TARGETARCH:-amd64} \
    go build \
    -trimpath \
    -ldflags="-s -w \
              -X main.Version=${VERSION} \
              -X main.Commit=${GIT_COMMIT} \
              -X main.BuildDate=${BUILD_DATE}" \
    -o /usr/bin/supernode \
    ./cmd/supernode && \
    /usr/bin/supernode version

# ========================================
# 📦 ZK VERIFICATION STAGE
# ========================================
FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS zk-verifier
COPY --from=builder /usr/bin/supernode /usr/bin/supernode
COPY --from=builder /data/zk-circuit-mainnet.json /data/
RUN /usr/bin/supernode zk-verify --circuit /data/zk-circuit-mainnet.json

# ========================================
# 🎯 RUNTIME STAGE (11.8MB | Non-Root | ARM64/RPi Ready)
# ========================================
FROM alpine:3.20 AS runtime

# Metadata labels (OCI Compliance)
LABEL org.opencontainers.image.title="pi-supernode-enterprise"
LABEL org.opencontainers.image.description="Enterprise Pi Network Supernode with ZK Threshold Crypto"
LABEL org.opencontainers.image.version="2.1.0"
LABEL org.opencontainers.image.licenses="MIT"
LABEL org.opencontainers.image.source="https://github.com/KOSASIH/pi-supernode"
LABEL org.opencontainers.image.vendor="Pi Network Foundation"

# Install production dependencies
RUN apk add --no-cache \
    ca-certificates \
    tzdata \
    tini \
    curl \
    iputils \
    bind-tools \
    netcat-openbsd \
    && addgroup -g 1001 -S app \
    && adduser -S -D -H -u 1001 -h /home/app -s /sbin/nologin -G app -g app app \
    && mkdir -p /data /etc/supernode /var/log/supernode /tmp/zk-cache \
    && chown -R app:app /data /etc/supernode /var/log/supernode /tmp/zk-cache

# Copy verified binary & ZK circuits
COPY --from=builder --chown=app:app /usr/bin/supernode /usr/bin/supernode
COPY --from=zk-verifier --chown=app:app /data/zk-circuit-mainnet.json /data/

# Production configs
COPY --chown=app:app config/*.yaml config/*.toml config/*.json /etc/supernode/ 2>/dev/null || true

# Switch to hardened non-root user
USER app
WORKDIR /home/app

# ========================================
# 🔍 ADVANCED HEALTHCHECK (Multi-Protocol)
# ========================================
HEALTHCHECK --interval=10s --timeout=5s --start-period=20s --retries=3 \
    CMD /bin/sh -c '\
      nc -z localhost 8081 2>/dev/null && echo "health ok" || \
      wget --no-verbose --tries=1 --spider http://localhost:8081/health 2>/dev/null && echo "http ok" || \
      curl -f http://localhost:8080/health 2>/dev/null && echo "api ok" || \
      exit 1'

# ========================================
# 🌐 EXPOSE ALL ENTERPRISE PORTS
# ========================================
EXPOSE 8080/tcp    # HTTP/REST API
EXPOSE 9090/tcp    # gRPC
EXPOSE 9091/tcp    # Prometheus Metrics
EXPOSE 8081/tcp    # Healthcheck
EXPOSE 31401/tcp   # Legacy RPC
EXPOSE 30001/udp   # P2P QUIC
EXPOSE 30001/tcp   # P2P TCP Fallback

# Persistent volumes
VOLUME ["/data", "/var/log/supernode", "/tmp/zk-cache"]

# ========================================
# 🎛️ PRODUCTION ENTRYPOINT
# ========================================
ENTRYPOINT ["/sbin/tini", "--", "/usr/bin/supernode"]

# Default production command (overridable)
CMD ["server", \
     "--config", "/etc/supernode/supernode.yaml", \
     "--data-dir", "/data", \
     "--log-dir", "/var/log/supernode", \
     "--bind", "0.0.0.0:8080", \
     "--grpc-bind", "0.0.0.0:9090", \
     "--p2p-port", "30001", \
     "--log-level", "info", \
     "--metrics", "0.0.0.0:9091", \
     "--zk-circuit", "/data/zk-circuit-mainnet.json", \
     "--otlp-endpoint", "otel-collector:4317"]