[geth] make datadir, mount paths configurable, harden securityContext

dysnix/geth/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: geth
 description: Go-ethereum blockchain node Helm Chart
 
-version: 1.0.19
+version: 1.1.0
 appVersion: v1.14.8
 
 keywords:

dysnix/geth/templates/_config.tpl

@@ -59,7 +59,7 @@ IgnorePrice = 2
 
 {{ with .Values.config.node -}}
 [Node]
-DataDir = "/root/.ethereum"
+DataDir = "{{ $.Values.config.datadir }}"
 IPCPath = {{ .ipc.enabled | ternary .ipc.path "" | quote }}
 HTTPHost = {{ .http.enabled | ternary "0.0.0.0" "" | quote }}
 HTTPPort = {{ .http.port }}

dysnix/geth/templates/configmap-scripts.yaml

@@ -9,8 +9,8 @@ data:
     {{- include (print $.Template.BasePath "/scripts/_readiness.tpl") . | nindent 4 }}
   liveness.sh: |-
     {{- include (print $.Template.BasePath "/scripts/_liveness.tpl") . | nindent 4 }}
-  wait-for-sync.sh: |-
-    {{- include (print $.Template.BasePath "/scripts/_wait-for-sync.tpl") . | nindent 4 }}
+  startup.sh: |-
+    {{- include (print $.Template.BasePath "/scripts/_startup.tpl") . | nindent 4 }}
   {{- if or .Values.syncToS3.enabled .Values.initFromS3.enabled }}
   init-from-s3.sh: |-
     {{- include (print $.Template.BasePath "/scripts/_init-from-s3.tpl") . | nindent 4 }}

dysnix/geth/templates/s3-configmap.yaml

@@ -4,16 +4,12 @@ kind: ConfigMap
 metadata:
   name: {{ include "geth.fullname" . }}-s3-config
 data:
-  DATA_DIR: /root/.ethereum
+  DATA_DIR: {{ tpl .Values.s3config.local.datadir . | quote }}
+  ANCIENT_DIR: {{ tpl (tpl .Values.s3config.local.ancientDir .) . | quote }}
+  INITIALIZED_FILE: {{ tpl .Values.s3config.local.initializedFile . | quote }}
   SYNC_TO_S3: "False"
-  S3_BASE_URL: {{ tpl .Values.s3config.baseUrl . }}
-  S3_CHAINDATA_URL: {{ tpl .Values.s3config.chaindataUrl . }}
-  S3_ANCIENT_URL: {{ tpl .Values.s3config.ancientUrl . }}
+  S3_BASE_URL: {{ tpl .Values.s3config.remote.baseUrl . }}
+  S3_DATA_URL: {{ tpl .Values.s3config.remote.dataUrl . }}
+  S3_ANCIENT_URL: {{ tpl .Values.s3config.remote.ancientUrl . }}
   FORCE_INIT: {{ ternary "True" "False" .Values.initFromS3.force | quote }}
-  {{- with .Values.s3config.chaindataDir }}
-  CHAINDATA_DIR: {{ tpl . $ }}
-  {{- end }}
-  {{- with .Values.s3config.ancientDir }}
-  ANCIENT_DIR: {{ tpl . $ }}
-  {{- end }}
 {{- end }}

dysnix/geth/templates/s3-secret.yaml

@@ -4,7 +4,11 @@ kind: Secret
 metadata:
   name: {{ include "geth.fullname" . }}-s3-secret
 data:
-  S3_ENDPOINT_URL: {{ .Values.s3config.endpointUrl | toString | b64enc }}
-  AWS_ACCESS_KEY_ID: {{ .Values.s3config.accessKeyId | toString | b64enc }}
-  AWS_SECRET_ACCESS_KEY: {{ .Values.s3config.secretAccessKey | toString | b64enc }}
+  {{- with .Values.s3config.remote }}
+  {{- if .endpointUrl }}
+  S3_ENDPOINT_URL: {{ .endpointUrl | toString | b64enc }}
+  {{- end }}
+  AWS_ACCESS_KEY_ID: {{ .accessKeyId | toString | b64enc }}
+  AWS_SECRET_ACCESS_KEY: {{ .secretAccessKey | toString | b64enc }}
+  {{- end }}
 {{- end }}

dysnix/geth/templates/scripts/_init-from-s3.tpl

@@ -58,17 +58,17 @@ sync() {
   # https://github.com/peak/s5cmd/issues/532
   echo "Cleaning up local data..."
   rm -rf "$ANCIENT_DIR"
-  rm -rf "$CHAINDATA_DIR"
+  rm -rf "$DATA_DIR"
   # recreate data directories
-  mkdir -p "$CHAINDATA_DIR"
+  mkdir -p "$DATA_DIR"
   mkdir -p "$ANCIENT_DIR"
 
   echo "Starting download data from S3..."
   progress start
 
   # perform remote snapshot download and remove local objects which don't exist in snapshot
   # run two jobs in parallel, one for chaindata, second for ancient data
-  time "$S5CMD" --stat sync $EXCLUDE_ANCIENT "s3://${CHAINDATA_URL}/*" "${CHAINDATA_DIR}/" >/dev/null &
+  time "$S5CMD" --stat sync $EXCLUDE_ANCIENT "s3://${DATA_URL}/*" "${DATA_DIR}/" >/dev/null &
   download_chaindata=$!
   time nice "$S5CMD" --stat sync --part-size 200 --concurrency 2 $EXCLUDE_CHAINDATA "s3://${ANCIENT_URL}/*" "${ANCIENT_DIR}/" >/dev/null &
   download_ancient=$!

dysnix/geth/templates/scripts/_liveness.tpl

@@ -7,7 +7,7 @@
 set -e
 
 AGE_THRESHOLD=$1
-STATE_FILE=${2:-"/root/.ethereum/saved_block_number.txt"}
+STATE_FILE=${2:-"{{ .Values.config.datadir }}/saved_block_number.txt"}
 HTTP_PORT="{{ .Values.config.node.http.port }}"
 
 if [ -z "${AGE_THRESHOLD}" ] || [ -z "${STATE_FILE}" ]; then

dysnix/geth/templates/scripts/_s3-env.tpl

@@ -7,19 +7,18 @@ export EXCLUDE_ANCIENT="--exclude *.cidx --exclude *.ridx --exclude *.cdat --exc
 export EXCLUDE_CHAINDATA="--exclude *.ldb --exclude *.sst"
 
 # local directory structure config
-export DATA_DIR="${DATA_DIR:-/root/.ethereum}"
-export CHAINDATA_DIR="${CHAINDATA_DIR:-${DATA_DIR}/geth/chaindata}"
-export ANCIENT_DIR="${ANCIENT_DIR:-${CHAINDATA_DIR}/ancient}"
-export INITIALIZED_FILE="${DATA_DIR}/.initialized"
+export DATA_DIR="${DATA_DIR?DATA_DIR not provided.}"
+export ANCIENT_DIR="${ANCIENT_DIR?ANCIENT_DIR not provided.}"
+export INITIALIZED_FILE="${INITIALIZED_FILE?INITIALIZED_FILE not provided.}"
 
 # s3 directory structure config
 export S3_BASE_URL="${S3_BASE_URL?S3_BASE_URL not provided.}"
-export S3_CHAINDATA_URL="${S3_CHAINDATA_URL?S3_CHAINDATA_URL not provided.}"
+export S3_DATA_URL="${S3_DATA_URL?S3_DATA_URL not provided.}"
 export S3_ANCIENT_URL="${S3_ANCIENT_URL?S3_ANCIENT_URL not provided.}"
 export S_COMPLETED="/completed"
 export S_STATS="/stats"
 export S_LOCKFILE="/lockfile"
-export CHAINDATA_URL="${S3_BASE_URL}${S3_CHAINDATA_URL}"
+export DATA_URL="${S3_BASE_URL}${S3_DATA_URL}"
 export ANCIENT_URL="${S3_BASE_URL}${S3_ANCIENT_URL}"
 export COMPLETED_URL="${S3_BASE_URL}${S_COMPLETED}"
 export LOCKFILE_URL="${S3_BASE_URL}${S_LOCKFILE}"

dysnix/geth/templates/scripts/_sync-to-s3.tpl

@@ -39,8 +39,8 @@ sync() {
   echo "${HOSTNAME} $(date +%s)" | "$S5CMD" pipe "s3://${LOCKFILE_URL}"
 
   # perform upload of local data and remove destination objects which don't exist locally
-  # run two jobs in parallel, one for chaindata, second for ancient data
-  time "$S5CMD" --stat sync --delete $EXCLUDE_ANCIENT "${CHAINDATA_DIR}/" "s3://${CHAINDATA_URL}/" &
+  # run two jobs in parallel, one for trie db, second for ancient db
+  time "$S5CMD" --stat sync --delete $EXCLUDE_ANCIENT "${DATA_DIR}/" "s3://${DATA_URL}/" &
   upload_chaindata=$!
   time nice "$S5CMD" --stat sync --delete --part-size 200 --concurrency 2 $EXCLUDE_CHAINDATA "${ANCIENT_DIR}/" "s3://${ANCIENT_URL}/" &
   upload_ancient=$!

dysnix/geth/templates/statefulset.yaml

@@ -49,11 +49,27 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       initContainers:
+      {{- if .Values.init.chownData.enabled }}
+      - name: chown-data
+        image: "{{ .Values.init.chownData.image.repository }}:{{ .Values.init.chownData.image.tag }}"
+        imagePullPolicy: {{ .Values.init.chownData.image.pullPolicy | quote }}
+        securityContext:
+          runAsNonRoot: false
+          runAsUser: 0
+        command: ["chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }}", "/data"]
+        volumeMounts:
+        - name: data
+          mountPath: /data
+      {{- end }}
       {{- if .Values.initFromS3.enabled }}
       {{- with .Values.s3config }}
       - name: init-from-s3
         image: "{{ .image.repository }}:{{ .image.tag }}"
         imagePullPolicy: {{ .image.pullPolicy | quote }}
+        {{- with $.Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
         - sh
         - /scripts/init-from-s3.sh
@@ -66,14 +82,18 @@ spec:
         - name: scripts
           mountPath: /scripts
         - name: data
-          mountPath: /root/.ethereum
+          mountPath: {{ $.Values.persistence.mountPath | default $.Values.config.datadir }}
       {{- end }}
       {{- end }}
       {{- if .Values.syncToS3.enabled }}
       {{- with .Values.s3config }}
       - name: sync-to-s3
         image: "{{ .image.repository }}:{{ .image.tag }}"
         imagePullPolicy: {{ .image.pullPolicy | quote }}
+        {{- with $.Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
         - /bin/sh
         - /scripts/sync-to-s3.sh
@@ -86,13 +106,17 @@ spec:
         - name: scripts
           mountPath: /scripts
         - name: data
-          mountPath: /root/.ethereum
+          mountPath: {{ $.Values.persistence.mountPath | default $.Values.config.datadir }}
       {{- end }}
       {{- with .Values.syncToS3.cronjob }}
       {{- if .enabled }}
       - name: disable-sync-to-s3
         image: "{{ .image.repository }}:{{ .image.tag }}"
         imagePullPolicy: {{ .image.pullPolicy | quote }}
+        {{- with $.Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
         - /bin/sh
         - /scripts/s3-cron.sh
@@ -127,6 +151,7 @@ spec:
           {{- tpl (toYaml .Values.argsOverride) $ | nindent 10 }}
         {{- else }}
         args:
+        - --datadir={{ .Values.config.datadir }}
         {{- with .Values.config.eth.network }}
         - --{{ . }}
         {{- end }}
@@ -191,7 +216,7 @@ spec:
         - name: config
           mountPath: /config
         - name: data
-          mountPath: /root/.ethereum
+          mountPath: {{ .Values.persistence.mountPath | default .Values.config.datadir }}
         - name: secrets
           mountPath: /secrets
         - name: scripts
@@ -226,6 +251,9 @@ spec:
           path: {{ .Values.persistence.hostPath.path }}
           type: {{ .Values.persistence.hostPath.type }}
       {{- end }}
+      {{- with .Values.extraVolumes }}
+      {{- tpl (toYaml .) $ | nindent 6 }}
+      {{- end }}
   {{- if eq .Values.persistence.type "pvc" }}
   volumeClaimTemplates:
   - metadata:

dysnix/geth/values.yaml

@@ -31,17 +31,19 @@ podLabels: {}
 podStatusLabels: {}
   # manualstatus: in-service
 
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  fsGroup: 10001
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  allowPrivilegeEscalation: false
+  privileged: false
+  runAsNonRoot: true
+  runAsUser: 10001
+  runAsGroup: 10001
   # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-  # runAsGroup: 1000
 
 ## By disabling we fix "Unknown config environment variable envvar=GETH_"
 ## Enable if your workload depends on this functionality
@@ -80,6 +82,17 @@ sidecarContainers: []
   #   - name: exporter
   #     containerPort: 9090
 
+## Extra volumeMounts for geth container, can be templated
+extraVolumeMounts: []
+  # - name: testvolume
+  #   mountPath: /test
+
+## Extra volumes, can be templated
+extraVolumes: []
+  # - name: testvolume
+  #   persistentVolumeClaim:
+  #     claimName: test-pvc
+
 ## Services config
 services:
   p2p:
@@ -156,6 +169,7 @@ ingress:
 persistence:
   type: pvc
   # type: hostPath
+  mountPath: ""                # don't forget to change .Values.config.datadir accordingly
   pvc:
     size: 900Gi                # starting point for snap-synced node as of 2023-09
     accessMode: ReadWriteOnce
@@ -230,12 +244,13 @@ startupProbe:
   exec:
     command:
       - sh
-      - /scripts/wait-for-sync.sh
+      - /scripts/startup.sh
 
 ## Main Geth config
 config:
   ## Use a utility like OpenSSL to create JWT via command: openssl rand -hex 32
   jwt: ""
+  datadir: /data
   eth:
     network: mainnet
     syncMode: snap
@@ -286,28 +301,45 @@ config:
     enabled: false
     port: 6061
 
+## initContainers configuration
+init:
+  chownData:
+    enabled: false
+    image:
+      repository: alpine
+      tag: 3.18
+      pullPolicy: IfNotPresent
+
 s3config:
   image:
     repository: peakcom/s5cmd
     tag: v2.2.2
     pullPolicy: IfNotPresent
-  # Any S3-compatible object storage service should be supported, but has only been tested with GCS.
-  # I.e. Amazon S3, MinIO, DigitalOcean Spaces, CloudFlare R2.
-  # endpointUrl: https://s3.amazonaws.com
-  endpointUrl: https://storage.googleapis.com
-  # Assuming your S3 bucket name is `my-snapshot-bucket` and base directory name is Helm release name
-  baseUrl: my-snapshot-bucket/{{ .Release.Name }}
-  # These are relative to baseUrl
-  chaindataUrl: /chaindata
-  ancientUrl: /ancient
-  # How to create access key
-  # AWS S3 https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
-  # GCS    https://cloud.google.com/storage/docs/authentication/managing-hmackeys#create
-  accessKeyId: REPLACEME
-  secretAccessKey: REPLACEME
-  # override local paths
-  # chaindataDir: /root/.ethereum/geth/chaindata
-  # ancientDir: /root/.ethereum/geth/chaindata/ancient
+  # local storage config
+  local:
+    # directory containing the state you want to upload (can be templated)
+    datadir: "{{ .Values.config.datadir }}/geth/chaindata"
+    # directory containing ancient data you want to upload (can be templated)
+    ancientDir: "{{ .Values.s3config.local.datadir }}/ancient"
+    # this file marks node as already initialized from snapshot
+    # should be placed outside of the datadir you are uploading
+    initializedFile: "{{ .Values.config.datadir }}/.initialized"
+  # remote storage config
+  remote:
+    # Any S3-compatible object storage service should be supported, but has only been tested with GCS.
+    # I.e. Amazon S3, MinIO, DigitalOcean Spaces, CloudFlare R2.
+    # endpointUrl: https://storage.googleapis.com
+    endpointUrl: ""
+    # Assuming your S3 bucket name is `my-snapshot-bucket` and base directory name is Helm release name
+    baseUrl: my-snapshot-bucket/{{ .Release.Name }}
+    # These are relative to baseUrl
+    dataUrl: /chaindata
+    ancientUrl: /ancient
+    # How to create access key
+    # AWS S3 https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
+    # GCS    https://cloud.google.com/storage/docs/authentication/managing-hmackeys#create
+    accessKeyId: REPLACEME
+    secretAccessKey: REPLACEME
 
 initFromS3:
   # enable initContainer