Added bitcoind container 'user' parameter #1987
Conversation
Added 'user' parameter to bitcoind service, to ensure container is launched as 'umbrel' user. This in turn ensures all files created by the container have the expected user:group (umbrel:umbrel). This update resolves permission related errors encountered by third party apps (e.g. Electrs), when attempting to access bitcoin-knots .cookie file.
Thanks for this @rstmsn! We need to make sure that we don't accidentally break existing users' installations. For example, just adding this change will work for new app installs, but existing users would then have Before I do this though, @Retropex is the issue with knots
Thanks @nmfretz. @Retropex may provide more clarity, however my understanding is that the 'bitcoin-knots' app used the 'bitcoin' app as a starting template, which was then customised to run the 'bitcoin-knots' client, as opposed to the 'bitcoin-core' client. As many other apps in the Umbrel ecosystem typically run as user '1000' (umbrel), so too should the 'bitcoin-knots' app/containers, to ensure these third party apps have sufficient privilege to access/read files created by the 'bitcoin-knots' services. In terms of supporting historic installs, presumably something along the lines of 'chown -R umbrel:umbrel ~/umbrel/app-data/bitcoin-knots' would take care of this, if that could be included in the pre-start hook? Many thanks for your guidance.
Thanks for the details @rstmsn! I just want to clarify the image build characteristics with @Retropex before we make the change.
The 'user' parameter was very likely not included in the original submission because the knots @Retropex is this maybe a new debian-based image build based on https://github.com/getumbrel/docker-bitcoind? I just want to make sure before we push a fix in case other changes are needed.
Hello guys, Bitcoin Knots effectively seems to run as root, I have not hardcoded any users in the Dockerfile. I have effectively used your template with Bitcoin Core.
Excellent, thanks for the confirmation @Retropex! What happened then is when the switch was made to using the debian-based template, user 1000:1000 was no longer defined in the Dockerfile like in the old lncm template. I will create a life-cycle hook to make sure we reset permissions for impacted users.
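The comments above describe two halves of the fix: the compose `user: "1000:1000"` setting for new installs, and a pre-start hook that repairs app data already created by a root-running container. The script below is an added illustration of that hook, not Umbrel's own life-cycle hook from this PR; it assumes the `APP_DATA_DIR` variable the compose file on this page already uses, the uid:gid 1000:1000 from the discussion, and a hypothetical `--run` flag so the functions can also be sourced on their own. The check uses numeric ids rather than names so it behaves the same on the host and inside a container whose `/etc/passwd` may not contain an `umbrel` user.

```shell
#!/bin/sh
# Added example of a pre-start hook that repairs app-data ownership left behind
# by a container that ran as root. Illustrative code, not Umbrel's own hook;
# APP_DATA_DIR, the 1000:1000 uid:gid and the --run flag are assumptions.
set -eu

APP_UID=1000   # the 'umbrel' user discussed in the PR
APP_GID=1000

# Check: exit 0 when at least one path under $1 is NOT owned by uid $2 / gid $3.
# Numeric ids are passed to find so the test does not depend on user names.
needs_fix() {
  dir="$1"; uid="$2"; gid="$3"
  first="$(find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) -print -quit)"
  [ -n "$first" ]
}

# Mitigation: only rewrite ownership when something is actually wrong, so a
# healthy install pays a single find traversal and never runs chown.
fix_ownership() {
  dir="$1"; uid="$2"; gid="$3"
  if needs_fix "$dir" "$uid" "$gid"; then
    echo "pre-start: resetting ownership of $dir to $uid:$gid" >&2
    chown -R "$uid:$gid" "$dir"
  else
    echo "pre-start: ownership of $dir already correct" >&2
  fi
}

main() {
  # APP_DATA_DIR is the variable the app's compose file already relies on.
  dir="${APP_DATA_DIR:?APP_DATA_DIR must be set}"
  mkdir -p "$dir"
  fix_ownership "$dir" "$APP_UID" "$APP_GID"
}

# Only run the hook body when invoked explicitly (hypothetical --run flag), so
# the functions above can be sourced and exercised without touching real data.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as root on the host (`APP_DATA_DIR=... sh hook.sh --run`) before the containers start; `chown` needs root to reassign files that root created. After the hook, third-party apps such as Electrs running as 1000:1000 can read the `.cookie` file, which is exactly the failure the PR description reports.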
Severity | File | Description |
---|---|---|
ℹ️ | bitcoin-knots/docker-compose.yml | Mounted file/directory "/bitcoin-knots/torrc" doesn't exist: The volume "${APP_DATA_DIR}/torrc:/etc/tor/torrc:ro" tries to mount the file/directory "/bitcoin-knots/torrc", but it is not present. This can lead to permission errors! |
ℹ️ | bitcoin-knots/docker-compose.yml | External port mapping "${APP_BITCOIN_KNOTS_P2P_PORT}:${APP_BITCOIN_KNOTS_INTERNAL_P2P_PORT}": Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.). |
ℹ️ | bitcoin-knots/docker-compose.yml | External port mapping "${APP_BITCOIN_KNOTS_RPC_PORT}:${APP_BITCOIN_KNOTS_INTERNAL_RPC_PORT}": Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.). |
ℹ️ | bitcoin-knots/docker-compose.yml | Potentially using unsafe user in service "server": The default container user "root" can lead to security vulnerabilities. If you are using the root user, please try to specify a different user (e.g. "1000:1000") in the compose file or try to set the UID/PUID and GID/PGID environment variables to 1000. |
ℹ️ | bitcoin-knots/docker-compose.yml | Using unsafe user "root" in service "i2pd_daemon": The user "root" can lead to security vulnerabilities. If possible please use a non-root user instead. |
 | bitcoin-knots/docker-compose.yml | Invalid restart policy: The restart policy of the container "bitcoind" should be set to "on-failure". |

Legend

Symbol | Description |
---|---|
❌ | Error: This must be resolved before this PR can be merged. |
 | Warning: This is highly encouraged to be resolved, but is not strictly mandatory. |
ℹ️ | Info: This is just for your information. |
I have added logic to the existing pre-start hook that recursively Tested on both a fresh install and an app update impacted by bitcoind running as root. Electrs connects successfully. Thanks again @rstmsn! Really appreciate it.
Big thanks to both of you!
Added 'user' parameter to bitcoind docker-compose service, to ensure container is launched as 'umbrel' user. This in turn ensures all files created by the container have the expected user:group (umbrel:umbrel).
This update resolves permission related errors encountered by third party apps (e.g. Electrs), when attempting to access bitcoin-knots .cookie file.