Three stacked bugs made "switch version" silently fail / crash-loop, and the data-access mismatch corrupted a node's index during recovery attempts.

Backend renderer:
- sync_quadlet_unit ignored the per-app pinned version and re-rendered the quadlet with the manifest's :latest every reconcile tick, reverting any switch. Factor the install-time catalog/pin resolution into a shared resolve_catalog_image() and call it in BOTH install_fresh and sync_quadlet_unit.
- The renderer folded manifest `entrypoint: ["sh","-lc"]` into Exec=, which only worked when the image entrypoint was a passthrough shell wrapper. The versioned images use ENTRYPOINT ["bitcoind"], so Exec=sh -lc ... became `bitcoind sh -lc ...` and crash-looped. Emit a real Entrypoint= override; exec_changed now also compares Entrypoint=.

Images:
- Build all bitcoin images (Core + Knots, every version) as container-root (USER removed) like the legacy :latest image. Chain data is owned by the data_uid (container uid 102); root reads it via CAP_DAC_OVERRIDE (granted in the manifest). A non-root USER (the previous uid 1000) can't read existing chain data → "Error initializing block database". Still fully rootless: container-root maps to the unprivileged host service user.

Catalog:
- bitcoin-knots versions[]: 29.3.knots20260508/20260507/20260210 + 29.2.knots20251110, "latest" tracking newest.
- bitcoin-core versions[]: add 29.2 + a "latest" entry. All images rebuilt root and published to the mirror.

Frontend:
- AppSidebar version dropdown: rename the latest option to "Always use the latest version" (no v prefix), fix right padding, and guarantee the current selection matches a real option (was rendering blank).
- New InstallVersionModal: full-screen version chooser shown from the App Store / Discover install button for multi-version apps (Bitcoin Knots/Core), app icon + "Install <name>", latest pre-selected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
36 lines
1.8 KiB
Docker
# Bitcoin Knots — minimal rootless image built from the OFFICIAL upstream release.
#
# Knots previously had NO Dockerfile (the :latest tag was built/pushed by hand).
# The CANONICAL, verified build path is scripts/build-bitcoin-image.sh, which
# downloads the upstream tarball, verifies SHA-256 + the OpenPGP signature
# (fail-closed, Luke-Jr release key), and tags/pushes
# <registry>/bitcoin-knots:<version>. Knots version strings embed a build date,
# e.g. 29.3.knots20260508 — the full string is the tag.
#
# Build (binaries must be pre-fetched + verified into ./bin — see the script):
#   scripts/build-bitcoin-image.sh knots 29.3.knots20260508
FROM debian:bookworm-slim
ARG KNOTS_VERSION=29.3.knots20260508
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates; \
    rm -rf /var/lib/apt/lists/*; \
    useradd -m -u 1000 -s /bin/bash bitcoin; \
    mkdir -p /home/bitcoin/.bitcoin; \
    chown -R bitcoin:bitcoin /home/bitcoin
# bin/ holds the SHA-256 + GPG-verified bitcoind / bitcoin-cli (Knots, Guix-built,
# x86_64-linux-gnu) extracted from the official release tarball.
COPY bin/bitcoind /usr/local/bin/bitcoind
COPY bin/bitcoin-cli /usr/local/bin/bitcoin-cli
RUN chmod 0755 /usr/local/bin/bitcoind /usr/local/bin/bitcoin-cli
# Run as (container) root, like the legacy hand-built :latest image. Rootless
# Podman maps container-root to the unprivileged host service user; the manifest
# grants CAP_DAC_OVERRIDE so bitcoind can read its data dir, which the
# orchestrator chowns to the data_uid (host 100101 / container uid 102), not to
# this image's `bitcoin` user. A non-root USER can't read existing chain data and
# bitcoind crash-loops with "Error initializing block database".
WORKDIR /home/bitcoin
VOLUME ["/home/bitcoin/.bitcoin"]
EXPOSE 8332 8333
ENTRYPOINT ["bitcoind"]
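
The Dockerfile comments refer to a fail-closed SHA-256 check in scripts/build-bitcoin-image.sh, which this page does not show. The following is an added example of such a gate in POSIX shell, not the project's script: it assumes the SHA256SUMS manifest has already passed OpenPGP signature verification, and the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (hypothetical names): fail-closed digest gate to run before
# copying binaries into ./bin. Assumes the manifest itself was already
# signature-verified and that file names contain no whitespace.

# verify_entry <manifest> <file>
# Succeeds only if the manifest lists basename(<file>) exactly once, the listed
# value is a well-formed SHA-256 digest, and it equals the file's digest.
verify_entry() {
    _ve_manifest=$1; _ve_file=$2
    [ -r "$_ve_manifest" ] && [ -f "$_ve_file" ] || return 1
    _ve_name=$(basename -- "$_ve_file")
    # Lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode).
    # Zero or duplicate entries print nothing, so they fail the format check.
    _ve_expected=$(awk -v n="$_ve_name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { c++; h = $1 }
        END { if (c == 1) print h }' "$_ve_manifest")
    printf '%s' "$_ve_expected" | grep -Eq '^[0-9a-f]{64}$' || return 1
    _ve_actual=$(sha256sum < "$_ve_file" | awk '{ print $1 }')
    [ "$_ve_actual" = "$_ve_expected" ]
}

# verify_all <manifest> <file>...
# Every file must pass; an empty file list is treated as a failure too.
verify_all() {
    _va_manifest=$1; shift
    [ "$#" -gt 0 ] || return 1
    for _va_f in "$@"; do
        verify_entry "$_va_manifest" "$_va_f" || return 1
    done
}

# Demo on constructed data (not a real release artifact).
demo_dir=$(mktemp -d)
printf 'constructed tarball bytes\n' > "$demo_dir/example-release.tar.gz"
(cd "$demo_dir" && sha256sum example-release.tar.gz > SHA256SUMS)
verify_all "$demo_dir/SHA256SUMS" "$demo_dir/example-release.tar.gz" \
    && echo "ok: digest matches, build may proceed"
printf 'x' >> "$demo_dir/example-release.tar.gz"   # simulate tampering
verify_all "$demo_dir/SHA256SUMS" "$demo_dir/example-release.tar.gz" \
    || echo "refused: digest mismatch, build aborted"
rm -rf "$demo_dir"
```

A missing manifest entry, a duplicated entry and a malformed digest are all refused, so an incomplete or ambiguous manifest cannot let unverified binaries into the image.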