docker-compose with minimal PID namespace and non-root permissions (#2397)

* Feat: only share the erigon container PID namespace with rpcdaemon instead of the entire host PID namespace.

* Feat: remove host UID:GID mapping from erigon and rpcdaemon containers in favour of erigon user in Dockerfile. Adapted Makefile to pre-create mounted volumes to avoid permission issues at runtime.

* Feat: docker volume directories should always be owned by erigon user(1000:1000) regardless of the user that invoked the make command.

* Fix: don't chown here which breaks docker volume mounts.

* Fix: remove ERIGON_HOME Makefile variable and simplify recipe.
Marius 2021-07-19 15:40:09 +02:00 committed by GitHub
parent b7c3c15fc8
commit d085bf9a7f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 14 additions and 9 deletions


@ -17,4 +17,8 @@ COPY --from=builder /app/build/bin/* /usr/local/bin/
WORKDIR /var/lib/erigon
RUN adduser -H -u 1000 -g 1000 -D erigon
RUN chown -R erigon:erigon /var/lib/erigon
USER erigon
EXPOSE 8545 8546 30303 30303/udp 30304 30304/udp 8080 9090 6060
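Review bot: `RUN adduser -H -u 1000 -g 1000 -D erigon` on line 24 does not pin the group to GID 1000 if this is the busybox/Alpine adduser that the `-H`/`-D` flags suggest: there `-g` sets the GECOS field and the group is chosen with `-G`, so the `erigon` group gets whatever GID is free next and the `1000:1000` that the compose file and the commit message rely on holds only by coincidence. Create the group explicitly first, `RUN addgroup -g 1000 erigon && adduser -H -u 1000 -G erigon -D erigon`, so both the UID and the GID are fixed. Note also that the `chown -R` on line 25 only changes the image layer; when `/var/lib/erigon` is bind-mounted from the host, the ownership of the host directory is what the process sees at runtime.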


@ -21,9 +21,13 @@ go-version:
docker:
docker build -t turbo-geth:latest --build-arg git_commit='${GIT_COMMIT}' --build-arg git_branch='${GIT_BRANCH}' --build-arg git_tag='${GIT_TAG}' .
xdg_data_home := ~/.local/share
ifdef XDG_DATA_HOME
xdg_data_home = $(XDG_DATA_HOME)
endif
docker-compose:
# Uses host's PID,UID,GID. It required to open Erigon's DB from another process (RPCDaemon local-mode)
UID_GID=$(shell id -u):$(shell id -g) docker-compose up
mkdir -p $(xdg_data_home)/erigon $(xdg_data_home)/erigon-grafana $(xdg_data_home)/erigon-prometheus; \
docker-compose up
# debug build allows see C stack traces, run it with GOTRACEBACK=crash. You don't need debug build for C pit for profiling. To profile C code use SETCGOTRCKEBACK=1
dbg:
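Review bot: The `mkdir -p` on line 41 creates the three data directories owned by whoever runs `make`, while every container is now pinned to `1000:1000`, so on a host where the invoking user is not UID 1000 erigon, prometheus and grafana will likely be unable to write to their freshly created volumes. Since the commit deliberately dropped the chown because it broke volume mounts, the recipe should at least make the mismatch visible, e.g. `@[ "$$(id -u)" = "1000" ] || echo "warning: $(xdg_data_home) dirs are owned by uid $$(id -u) but containers run as 1000:1000"` before `docker-compose up`. The comment removed on line 39 was the only place this assumption was written down; keep a one-line note in the recipe such as `# Containers run as the fixed erigon user 1000:1000 (see Dockerfile); the data dirs must be writable by that uid`.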


@ -232,7 +232,7 @@ or
XDG_DATA_HOME=/preferred/data/folder make docker-compose
```
Makefile uses host's PID,UID,GID. It required to open Erigon's DB from another process (RPCDaemon local-mode).
Makefile creates the initial directories for erigon, prometheus and grafana. The PID namespace is shared between erigon and rpcdaemon which is required to open Erigon's DB from another process (RPCDaemon local-mode).
See: https://github.com/ledgerwatch/erigon/pull/2392/files
Windows support for docker-compose is not ready yet. Please help us with .ps1 port


@ -6,8 +6,6 @@ services:
image: thorax/erigon:latest
build: .
command: erigon --datadir=/var/lib/erigon --metrics --metrics.addr=0.0.0.0 --metrics.port=6060 --private.api.addr=0.0.0.0:9090 --pprof --pprof.addr=0.0.0.0 --pprof.port=6061
user: ${UID_GID:-1000:1000} # Uses host's PID,UID,GID. It required to open Erigon's DB from another process (RPCDaemon local-mode)
pid: host
volumes:
- ${XDG_DATA_HOME:-~/.local/share}/erigon:/var/lib/erigon
ports:
@ -19,7 +17,7 @@ services:
prometheus:
image: prom/prometheus:v2.28.1
user: ${UID_GID:-1000:1000}
user: 1000:1000 # Uses erigon user from Dockerfile
command: --log.level=warn --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus --web.console.libraries=/usr/share/prometheus/console_libraries --web.console.templates=/usr/share/prometheus/consoles
ports:
- "9090:9090"
@ -30,7 +28,7 @@ services:
grafana:
image: grafana/grafana:8.0.6
user: ${UID_GID:-1000:1000}
user: 1000:1000 # Uses erigon user from Dockerfile
ports:
- "3000:3000"
volumes:
@ -43,8 +41,7 @@ services:
rpcdaemon:
image: thorax/erigon:latest
command: rpcdaemon --datadir /var/lib/erigon --private.api.addr=erigon:9090 --http.addr=0.0.0.0 --http.vhosts=* --http.corsdomain=* --http.api=eth,debug,net
user: ${UID_GID:-1000:1000} # Uses host's PID,UID,GID. It required to open Erigon's DB from another process (RPCDaemon local-mode)
pid: host
pid: service:erigon # Use erigon's PID namespace. It's required to open Erigon's DB from another process (RPCDaemon local-mode)
volumes:
- ${XDG_DATA_HOME:-~/.local/share}/erigon:/var/lib/erigon
ports:
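Review bot: `pid: service:erigon` on line 89 is a clear improvement over `pid: host`, but it still lets rpcdaemon — the service that listens on `--http.addr=0.0.0.0` with `--http.vhosts=*`, `--http.corsdomain=*` and the `debug` API enabled on line 86 — see and signal every erigon process, and because both containers run as the same uid 1000 a compromised rpcdaemon may also be able to ptrace erigon, depending on the host's Yama and seccomp settings. If the shared namespace is only needed so the DB's reader lock table can resolve PIDs, as the inline comment suggests, record that and harden the joining side, e.g. add `security_opt: ["no-new-privileges:true"]` and `cap_drop: [ALL]` to the rpcdaemon service so the extra visibility cannot be combined with any capability. The rpcdaemon service definition continues past the end of the hunk, so these keys may already be set further down.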