From 9309426ed2cc406d8ff6d37bc84c536b7e7b5431 Mon Sep 17 00:00:00 2001
From: Abit
Date: Sun, 30 Oct 2022 21:58:15 +0100
Subject: [PATCH 1/8] Update Docker Hub repository path to a variable

---
 .github/workflows/build-docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 3c9dad5d9..fd75ec386 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -41,4 +41,4 @@ jobs:
 with:
 context: .
 push: true
- tags: bitshares/bitshares-core:${{ env.DOCKER_PUSH_TAG }}
+ tags: ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG }}

From 6abef1822ec7579aa4867aaf3ac9e6242779fd6f Mon Sep 17 00:00:00 2001
From: Abit
Date: Mon, 31 Oct 2022 01:03:11 +0100
Subject: [PATCH 2/8] Push the major.minor version tag to Docker Hub too

---
 .github/workflows/build-docker.yml | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index fd75ec386..a1a5d134e 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -17,6 +17,15 @@ jobs:
 fi
 echo "DOCKER_PUSH_TAG=${DOCKER_PUSH_TAG}"
 echo "DOCKER_PUSH_TAG=${DOCKER_PUSH_TAG}" >> $GITHUB_ENV
+ VERSION_MAJOR=`echo "${DOCKER_PUSH_TAG}" | cut -f1 -d'.'`
+ if [ "${VERSION_MAJOR}" != "${DOCKER_PUSH_TAG}" ]; then
+ VERSION_MINOR=`echo "${DOCKER_PUSH_TAG}" | cut -f2 -d'.'`
+ DOCKER_PUSH_TAG_SHORT=${VERSION_MAJOR}.${VERSION_MINOR}
+ if [ "${DOCKER_PUSH_TAG_SHORT}" != "${DOCKER_PUSH_TAG}" ]; then
+ echo "DOCKER_PUSH_TAG_SHORT=${DOCKER_PUSH_TAG_SHORT}"
+ echo "DOCKER_PUSH_TAG_SHORT=${DOCKER_PUSH_TAG_SHORT}" >> $GITHUB_ENV
+ fi
+ fi
 - name: Test tag
 if: env.DOCKER_PUSH_TAG != ''
 run: echo "${DOCKER_PUSH_TAG}"
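Review bot: `secrets.DOCKERHUB_REPO_PATH` on the new `tags:` line stores a non-secret value, and GitHub masks every secret value in job logs, so the image reference will be redacted in the build-push-action output and hard to debug. If the secret is missing, the expression expands to an empty string and the step tries to push `:<tag>`, failing only at push time. A repository path belongs in a workflow-level `env:` entry or a repository variable (`vars.DOCKERHUB_REPO_PATH`), leaving `secrets` for the username and token; a short step that fails early when the value is empty would make the misconfiguration obvious. The same expression is repeated in the next patch's hunks.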
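Review bot: The new `VERSION_MAJOR` check sets `DOCKER_PUSH_TAG_SHORT` for any value with two or more dot-separated fields, so a pre-release tag such as `1.2.3-rc1` (constructed example) yields `1.2` and the push step in the next hunk would move that floating tag to a release candidate; how `DOCKER_PUSH_TAG` is derived sits above the hunk, so whether such names can reach this code needs confirming. A strict match is safer than the string comparison: `if echo "${DOCKER_PUSH_TAG}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then` in place of the `VERSION_MAJOR` test, after which the inner comparison is unnecessary. Style-wise, `$(...)` reads better than backticks and `$GITHUB_ENV` should be quoted, `>> "$GITHUB_ENV"`. The `run:` block this shell lives in starts before the hunk.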
@@ -35,10 +44,19 @@ jobs:
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Push to DockerHub
- if: env.DOCKER_PUSH_TAG != ''
+ - name: Push to DockerHub (for branches)
+ if: env.DOCKER_PUSH_TAG != '' && env.DOCKER_PUSH_TAG_SHORT == ''
 uses: docker/build-push-action@v3
 with:
 context: .
 push: true
 tags: ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG }}
+ - name: Push to DockerHub (for tags)
+ if: env.DOCKER_PUSH_TAG != '' && env.DOCKER_PUSH_TAG_SHORT != ''
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ push: true
+ tags: |
+ ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG }}
+ ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG_SHORT }}

From 673035b92ad3e368ed9fa3dabdf3ae5823398192 Mon Sep 17 00:00:00 2001
From: abitmore
Date: Mon, 31 Oct 2022 15:02:26 +0000
Subject: [PATCH 3/8] Update Docker user and group

- Set UID to 10000 and GID to 10001 statically
- Run with the bitshares user
---
 Dockerfile | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 52d4cc040..c6f1bdf7f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,7 +52,10 @@ RUN \
 -DGRAPHENE_DISABLE_UNITY_BUILD=ON \
 . && \
 make witness_node cli_wallet get_dev_key && \
- install -s programs/witness_node/witness_node programs/genesis_util/get_dev_key programs/cli_wallet/cli_wallet /usr/local/bin && \
+ install -s programs/witness_node/witness_node \
+ programs/genesis_util/get_dev_key \
+ programs/cli_wallet/cli_wallet \
+ /usr/local/bin && \
 #
 # Obtain version
 mkdir -p /etc/bitshares && \
@@ -62,7 +65,8 @@ RUN \
 # Home directory $HOME
 WORKDIR /
-RUN useradd -s /bin/bash -m -d /var/lib/bitshares bitshares
+RUN groupadd -g 10001 bitshares
+RUN useradd -u 10000 -g bitshares -s /bin/bash -m -d /var/lib/bitshares --no-log-init bitshares
 ENV HOME /var/lib/bitshares
 RUN chown bitshares:bitshares -R /var/lib/bitshares
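Review bot: Both new steps reference `docker/build-push-action@v3`, a mutable major tag, yet they run with the registry credentials from the preceding login step and push release images; pinning to a full commit SHA keeps an upstream tag move from changing what runs, e.g. `uses: docker/build-push-action@<full-commit-sha> # v3` with the placeholder filled from the upstream repository. The two steps differ only in `if:` and `tags:`; a short comment above the first, such as `# Branches get one tag; release tags also get the major.minor alias`, would explain the split to the next reader. The `(for branches)` label is slightly misleading, since a tag with no short form also lands in that step.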
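Review bot: The fixed IDs in `groupadd -g 10001` and `useradd -u 10000` are unexplained, and the mismatch between the two numbers will read like a typo; a comment above `groupadd` such as `# Fixed UID/GID so files on the data volume keep a stable owner across image rebuilds (chosen high to avoid clashing with host accounts)` would record the intent, with the second clause adjusted if that is not the reason. The two `RUN` lines can be one layer, `RUN groupadd -g 10001 bitshares && useradd -u 10000 -g bitshares -s /bin/bash -m -d /var/lib/bitshares --no-log-init bitshares`. Since `useradd -m` normally creates the home directory owned by the new user, the `chown -R` on the following context line only matters for content placed there earlier.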
@@ -83,5 +87,7 @@ RUN chmod a+x /usr/local/bin/bitsharesentry.sh
 # Make Docker send SIGINT instead of SIGTERM to the daemon
 STOPSIGNAL SIGINT
+USER bitshares:bitshares
+
 # default execute entry
 CMD ["/usr/local/bin/bitsharesentry.sh"]

From cd5a1d83fe85e47f7dd25f07272364e18e3774c8 Mon Sep 17 00:00:00 2001
From: abitmore
Date: Tue, 1 Nov 2022 01:04:44 +0000
Subject: [PATCH 4/8] Drop root privileges in bitsharesentry.sh instead

This is a temporary solution compatible with older images.
---
 Dockerfile | 2 +-
 docker/bitsharesentry.sh | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c6f1bdf7f..8e657a244 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -87,7 +87,7 @@ RUN chmod a+x /usr/local/bin/bitsharesentry.sh
 # Make Docker send SIGINT instead of SIGTERM to the daemon
 STOPSIGNAL SIGINT
-USER bitshares:bitshares
+#USER bitshares:bitshares
 # default execute entry
 CMD ["/usr/local/bin/bitsharesentry.sh"]
diff --git a/docker/bitsharesentry.sh b/docker/bitsharesentry.sh
index 58a2cd515..262d1c29a 100644
--- a/docker/bitsharesentry.sh
+++ b/docker/bitsharesentry.sh
@@ -84,10 +84,14 @@ fi
 ln -f -s /etc/bitshares/config.ini /var/lib/bitshares
 ln -f -s /etc/bitshares/logging.ini /var/lib/bitshares
+chown -R bitshares:bitshares /var/lib/bitshares
+
 # Plugins need to be provided in a space-separated list, which
 # makes it necessary to write it like this
 if [[ ! -z "$BITSHARESD_PLUGINS" ]]; then
- exec "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS} --plugins "${BITSHARESD_PLUGINS}"
+ exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups \
+ "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS} --plugins "${BITSHARESD_PLUGINS}"
 else
- exec "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS}
+ exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups \
+ "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS}
 fi
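Review bot: Both new `setpriv` lines drop the uid, gid and supplementary groups but leave the no-new-privileges flag unset, so the daemon could still regain privileges through a setuid binary; adding `--no-new-privs` closes that, `exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups --no-new-privs \`, in both branches. The added `chown -R bitshares:bitshares /var/lib/bitshares` runs as root on every start, re-walks the whole data directory (slow if the chain state is large) and rewrites ownership of anything an operator has placed there; guarding it with a check of the directory's current owner would limit it to the first start after an upgrade. The two `exec` lines now differ only in the trailing `--plugins` arguments, so building the command in a bash array (the script already uses `[[ ]]`) would remove the duplication. The script continues before this hunk.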
From 233dbb77a1646194f631eaefdb20769170a2ef79 Mon Sep 17 00:00:00 2001
From: abitmore
Date: Tue, 1 Nov 2022 19:07:09 +0000
Subject: [PATCH 5/8] Use Docker Multistage Builds

---
 Dockerfile | 44 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 11 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8e657a244..ac3f1c1c4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,8 @@
-FROM phusion/baseimage:focal-1.2.0
-MAINTAINER The bitshares decentralized organisation
-
+# The image for building
+FROM phusion/baseimage:focal-1.2.0 as build
 ENV LANG=en_US.UTF-8
+
+# Install dependencies
 RUN \
 apt-get update && \
 apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
@@ -63,13 +64,39 @@ RUN \
 cd / && \
 rm -rf /bitshares-core
-# Home directory $HOME
+# The final image
+FROM phusion/baseimage:focal-1.2.0
+LABEL maintainer="The bitshares decentralized organisation"
+ENV LANG=en_US.UTF-8
+
+# Install required libraries
+RUN \
+ apt-get update && \
+ apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
+ apt-get update && \
+ apt-get install --no-install-recommends -y \
+ libcurl4 \
+ ca-certificates \
+ && \
+ mkdir -p /etc/bitshares && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY --from=build /usr/local/bin/* /usr/local/bin/
+COPY --from=build /etc/bitshares/version /etc/bitshares/
+
 WORKDIR /
 RUN groupadd -g 10001 bitshares
 RUN useradd -u 10000 -g bitshares -s /bin/bash -m -d /var/lib/bitshares --no-log-init bitshares
 ENV HOME /var/lib/bitshares
 RUN chown bitshares:bitshares -R /var/lib/bitshares
+# default exec/config files
+ADD docker/default_config.ini /etc/bitshares/config.ini
+ADD docker/default_logging.ini /etc/bitshares/logging.ini
+ADD docker/bitsharesentry.sh /usr/local/bin/bitsharesentry.sh
+RUN chmod a+x /usr/local/bin/bitsharesentry.sh
+
 # Volume
 VOLUME ["/var/lib/bitshares", "/etc/bitshares"]
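Review bot: `FROM phusion/baseimage:focal-1.2.0 as build` pins the base by a mutable tag, and the runtime stage in the next hunk does the same, so the final image changes silently whenever upstream re-tags and the build is not reproducible; pin by digest, `FROM phusion/baseimage:focal-1.2.0@sha256:<digest> AS build`, with the digest taken from the registry at review time, and do the same on the runtime `FROM`. The lowercase `as` is accepted, but every other instruction in the file is uppercase, so `AS` keeps the style consistent. The `RUN \` that follows continues outside the hunk.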
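Review bot: `COPY --from=build /usr/local/bin/* /usr/local/bin/` takes everything the build stage has in that directory, not just the three binaries the earlier `install -s ... /usr/local/bin` step puts there, so anything a build-time package drops into `/usr/local/bin` ends up in the runtime image; naming them keeps the final image minimal, `COPY --from=build /usr/local/bin/witness_node /usr/local/bin/cli_wallet /usr/local/bin/get_dev_key /usr/local/bin/`. The second `apt-get update` inside the new `RUN` is redundant after the first one and the upgrade. The `ADD` lines moved into this hunk add plain local files, for which `COPY` is the conventional instruction since `ADD` also fetches URLs and unpacks archives. The new `FROM phusion/baseimage:focal-1.2.0` is pinned by tag only; a `@sha256:<digest>` suffix makes the runtime base reproducible.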
@@ -78,16 +105,11 @@ EXPOSE 8090
 # p2p service:
 EXPOSE 1776
-# default exec/config files
-ADD docker/default_config.ini /etc/bitshares/config.ini
-ADD docker/default_logging.ini /etc/bitshares/logging.ini
-ADD docker/bitsharesentry.sh /usr/local/bin/bitsharesentry.sh
-RUN chmod a+x /usr/local/bin/bitsharesentry.sh
-
 # Make Docker send SIGINT instead of SIGTERM to the daemon
 STOPSIGNAL SIGINT
+# Temporarily commented out due to permission issues cuased by older versions, to be restored in a future version
 #USER bitshares:bitshares
 # default execute entry
-CMD ["/usr/local/bin/bitsharesentry.sh"]
+ENTRYPOINT ["/usr/local/bin/bitsharesentry.sh"]

From 501cec475762ca358458829c7321902f83d0db67 Mon Sep 17 00:00:00 2001
From: abitmore
Date: Tue, 1 Nov 2022 19:13:15 +0000
Subject: [PATCH 6/8] Do not install fish

---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ac3f1c1c4..242073577 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,7 +30,6 @@ RUN \
 libtool \
 doxygen \
 ca-certificates \
- fish \
 && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

From 65befca9ed58153cf305d030ceced5ddaf88506d Mon Sep 17 00:00:00 2001
From: abitmore
Date: Tue, 1 Nov 2022 23:41:53 +0000
Subject: [PATCH 7/8] Upgrade libraries in the entry script

---
 docker/bitsharesentry.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docker/bitsharesentry.sh b/docker/bitsharesentry.sh
index 262d1c29a..4f8bd9566 100644
--- a/docker/bitsharesentry.sh
+++ b/docker/bitsharesentry.sh
@@ -86,6 +86,9 @@ ln -f -s /etc/bitshares/logging.ini /var/lib/bitshares
 chown -R bitshares:bitshares /var/lib/bitshares
+# Get the latest security updates
+apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
+
 # Plugins need to be provided in a space-separated list, which
 # makes it necessary to write it like this
 if [[ ! -z "$BITSHARESD_PLUGINS" ]]; then

From cdc03c7040fff1ae28fac0f961f85348cb83bda2 Mon Sep 17 00:00:00 2001
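Review bot: Replacing `CMD` with `ENTRYPOINT` changes how a command override behaves: `docker run <image> cli_wallet` (constructed example) used to run `cli_wallet` instead of the entry script and now hands `cli_wallet` to `bitsharesentry.sh` as an argument, and whether the script handles positional arguments is not visible here. If the override should keep working, either keep `CMD` or make the script honour `"$@"`; either way the change deserves a line in the commit message or changelog. The added `# Temporarily commented out ...` comment would be more useful with a reference to the tracking issue, so the disabled `USER` line is not forgotten.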
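Review bot: The added `apt-get update && apt-get upgrade -y` runs at every container start, as root (the `USER` instruction is still commented out) and needing outbound network access, so the software that actually runs no longer matches the image that was built, tested or scanned; an unreachable mirror makes the chain fail, and with no `set -e` visible in the hunk the script goes on to start the daemon regardless. Security updates belong in the image build, which the final stage's own `apt-get upgrade` already performs, combined with rebuilding and republishing the image on a schedule. If a start-time upgrade is wanted as an operator choice, gate it on an explicit opt-in, e.g. `if [[ "${BITSHARES_APT_UPGRADE:-0}" == 1 ]]; then apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"; fi` (variable name constructed), and handle its failure explicitly. The script continues on both sides of the hunk.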
From: Abit
Date: Mon, 7 Nov 2022 01:01:40 +0100
Subject: [PATCH 8/8] Fix a typo in a comment

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 242073577..b948626e9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -107,7 +107,7 @@ EXPOSE 1776
 # Make Docker send SIGINT instead of SIGTERM to the daemon
 STOPSIGNAL SIGINT
-# Temporarily commented out due to permission issues cuased by older versions, to be restored in a future version
+# Temporarily commented out due to permission issues caused by older versions, to be restored in a future version
 #USER bitshares:bitshares
 # default execute entry