Bitcoin Forum
July 12, 2024, 12:04:17 AM *
Author Topic: testnet4 in a SAFER container (bitcoin core, lightning core, ckpool, cpuminer)  (Read 80 times)
mocacinno (OP)
Legendary
*
Offline Offline

Activity: 3444
Merit: 5040


https://merel.mobi => buy facemasks with BTC/LTC


View Profile WWW
June 26, 2024, 07:52:27 AM
Last edit: June 26, 2024, 08:41:42 AM by mocacinno
Merited by ABCbits (3)
 #1

This topic is replacing the (very cluttered) topic https://bitcointalk.org/index.php?topic=5496494



TL;DR => Jump straight to your use case:
  • I only want to run a node, maybe a wallet as well
  • I want to get involved by running a lightning node on testnet4
  • I want to run a solo mining pool on testnet4
  • even though it's not a good idea, I want to CPU mine on testnet4



I got interested in testnet4, but at that time it was pretty hard for most people to run a node, let alone mine or open a lightning node on testnet4. That's why I decided to build a couple of containers based on Ubuntu 24.04's image.

The problem is/was that the official Ubuntu 24.04 image already contains a bunch of vulnerabilities, and we need to run the container in privileged mode...
A second problem is/was that I decided to "combine" services into one container: "node + lightning", "node + cpuminer", "node + ckpool", "node + lightning + cpuminer + ckpool". This made the setup really hard to maintain.

Instead of moving forward in the direction I took, I decided to re-design the containers from the ground up, using the (much safer) minimal Base Container Images provided by SUSE and (if possible) separating the different services, making them easier to maintain. I compile the tools using the BCI-base image, then copy over libraries and binaries into the BCI-minimal image... This way the attack vector is almost completely gone (Docker Hub's free scan tool no longer finds a single vulnerability in my new container images, but of course, nothing is absolute, so it's well possible undisclosed vulnerabilities still exist).

Because I did a complete re-design of the container images, I closed the old (cluttered) thread and started fresh.
Notice for people running the "old" images: don't worry... It's not like the old images are unsafe to run... The vulnerabilities found in Ubuntu's 24.04 base image are present in almost all containers you find on the internet. They'll probably be present on your "regular" OS or your webserver as well. Running the images I previously created doesn't necessarily put you in harm's way, you're probably just as secure as ~95% of the people out there... It's just that I want you to be MORE secure, so do consider moving to the new container images :)

Want to have a visual representation of what I did... Just look here. The tags starting with bci_ are the new containers, the other ones are the "old" containers... You should immediately notice the "new" bci_ containers have the string "None found" under "vulnerabilities", whilst the old ones have quite a few. You should also notice the "new" bci_ containers are much smaller (due to the fact only the strictly necessary components are included, making the attack surface as small as possible).

mocacinno (OP)
June 26, 2024, 07:52:49 AM
Last edit: June 26, 2024, 08:31:36 AM by mocacinno
 #2

Container image #1: only bitcoin core with sqlite3 wallet enabled

branch home + extra info: https://github.com/mocacinno/btc_testnet4/tree/bci_node

This image contains bitcoin core, with the pull request for testnet4 applied. The usage is pretty simple... You'll need:

  • a linux host, running docker
  • a path to store the persistent data (blocks, wallets,...)

Once you have these, just copy this docker-compose.yml file on your local system:
https://raw.githubusercontent.com/mocacinno/btc_testnet4/bci_node/docker-compose.yml

Modify the docker-compose.yml (for example, change the user, password, port and LOCAL paths). Then run

Code:
docker-compose up -d

If you want to check if your wallet is running, you can use the most common linux tools like "top" or "ps", or you can look at your local mountpoint (see prereqs), it should now contain a folder "testnet4" which contains your "debug.log"...

Making a wallet, receiving tBTC,...

Code:
docker exec -it bitcoind /bin/bash
bitcoin-cli -testnet4 -rpcuser=demo -rpcpassword=demo -rpcport=5000 createwallet walletname
#or, if you already created a wallet
bitcoin-cli -testnet4 -rpcuser=demo -rpcpassword=demo -rpcport=5000 loadwallet walletname
bitcoin-cli -testnet4 -rpcuser=demo -rpcpassword=demo -rpcport=5000 getnewaddress
#now use one of the 3 or 4 tBTC4 faucets to get some funds
bitcoin-cli -testnet4 -rpcuser=demo -rpcpassword=demo -rpcport=5000 listunspent 0

If you don't trust me (and even though I personally think I'm trustworthy, I have never given you any reason to actually trust me), you can build the image all by yourself as well... Just use my Dockerfile:
https://raw.githubusercontent.com/mocacinno/btc_testnet4/bci_node/Dockerfile

Open it, read what I did, and once you have verified that I did a good thing, execute

Code:
docker build -t whatever_image_name_you_want:whatever_tag_you_want .

Then use the docker-compose.yml I provided and change the image name, user, pass,... and run

Code:
docker-compose up -d


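An added example, not part of the original posts and not mocacinno's code: a pre-flight check to run over your edited docker-compose.yml before `docker-compose up -d`. It flags the thread's demo/demo RPC credentials left unchanged, privileged mode, and ports published on all host interfaces. The compose text, image name and replacement values are constructed for illustration; the real file in the repository may be laid out differently.

```python
import re

# Constructed sample (NOT the file from the btc_testnet4 repository): a compose
# file left exactly as downloaded, still using the thread's demo/demo values.
AS_DOWNLOADED = """\
services:
  bitcoind:
    image: example/btc_testnet4:bci_node   # hypothetical image name
    privileged: true
    command: bitcoind -testnet4 -rpcuser=demo -rpcpassword=demo -rpcport=5000
    ports:
      - "5000:5000"
    volumes:
      - /srv/testnet4:/root/.bitcoin
"""

# The same service after editing: own credentials (placeholders here), no
# privileged flag, RPC port published on loopback only.
EDITED = (AS_DOWNLOADED
          .replace("    privileged: true\n", "")
          .replace("-rpcuser=demo -rpcpassword=demo",
                   "-rpcuser=alice -rpcpassword=CHANGE_ME_long_random")
          .replace('"5000:5000"', '"127.0.0.1:5000:5000"'))

CRED_RE = re.compile(r"rpc(user|password)\s*[=:]\s*[\"']?demo\b", re.I)

def audit_compose(text):
    """Return sorted (service, finding) pairs for settings to change first.

    Line-based on purpose (no YAML library needed); it only understands
    block-style 'ports:' lists in short syntax, not the long mapping form.
    """
    findings = set()
    section = service = service_indent = None
    in_ports = False
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                              # top-level key
            section, service, service_indent = stripped.rstrip(":"), None, None
            in_ports = False
            continue
        if section != "services":
            continue
        if service_indent is None:
            service_indent = indent                  # first key under services:
        if indent == service_indent:
            service, in_ports = stripped.rstrip(":"), False
            continue
        if in_ports and stripped.startswith("-"):
            spec = stripped[1:].strip().strip("\"'")
            parts = spec.rsplit(":", 2)              # [ip,] host, container
            short = spec[:1].isdigit() or spec[:1] == "["
            if short and (len(parts) < 3 or parts[0] in ("0.0.0.0", "[::]")):
                findings.add((service, "port-on-all-interfaces " + spec))
            continue
        in_ports = stripped == "ports:"
        if re.fullmatch(r"privileged:\s*true", stripped, re.I):
            findings.add((service, "privileged"))
        for m in CRED_RE.finditer(stripped):
            findings.add((service, "default-rpc" + m.group(1).lower()))
    return sorted(findings)

if __name__ == "__main__":
    for svc, finding in audit_compose(AS_DOWNLOADED):
        print(f"{svc}: {finding}")
```

To check your own file, pass its contents to `audit_compose()`; an empty list means none of these three settings were found.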
mocacinno (OP)
June 26, 2024, 07:53:01 AM
Last edit: June 26, 2024, 08:33:58 AM by mocacinno
 #3

Container image #2: bitcoin core with sqlite3 wallet enabled + lightning core 24.02.2

branch home + extra info: https://github.com/mocacinno/btc_testnet4/tree/bci_lightning

This image contains bitcoin core, with the pull request for testnet4 applied and lightning core 24.02.2.
This one is a little bit "odd". I decided to split services into separate containers as much as possible, but lightning core is so intertwined with bitcoin core, it was too hard to separate them into different containers... So bitcoin core and lightning core are bundled...

This being said, it's still pretty easy to run. The prereqs are

  • a linux host, running docker
  • a path to store the persistent bitcoin core data (blocks, wallets,...)
  • a path to store the persistent lightning core data

Once you have these, just copy this docker-compose.yml file on your local system:
https://raw.githubusercontent.com/mocacinno/btc_testnet4/bci_lightning/docker-compose.yml

Modify the docker-compose.yml (for example, change the user, password, port and LOCAL paths). Then run

Code:
docker-compose up -d

Now, I did notice that lightningd does not always start properly... It might be necessary to enter the container and actually start lightningd yourself

Code:
docker exec -it bitcoind /bin/bash
lightningd --plugin-dir /opt/lightningd/plugins/ --bitcoin-datadir /root/.bitcoin/testnet4 --bitcoin-rpcuser demo --bitcoin-rpcpassword demo --bitcoin-rpcconnect 127.0.0.1 --bitcoin-rpcport 5000 --testnet --log-file=/tmp/lightning.log --daemon

Once your lightning daemon is running, the fun can start :D

Code:
docker exec -it bitcoind /bin/bash
lightning-cli --testnet getinfo
lightning-cli --testnet listunspent
#create a new address
lightning-cli --testnet newaddr
#FUND this address, tx needs 6 confirms to show up!!!
#check funds
lightning-cli --testnet listfunds
#connect to a second lightning node on testnet4
lightning-cli --testnet connect 02dcee61e0aecb430296c5129bc2f07e5ccf791ac408389443d30333e6eaba52c9@54.38.124.151
#create (and fund) the channel
lightning-cli --testnet fundchannel 02dcee61e0aecb430296c5129bc2f07e5ccf791ac408389443d30333e6eaba52c9 200000 urgent true 1
#create an invoice
lightning-cli --testnet invoice 5000 pay500 demo 3600
#copy the bolt11 value
#pay the invoice
lightning-cli --testnet pay lntb50n1pn9p9npsp5zf6tyfhcthxry9e3ueax4ccwgwj459ypvuuut65pckwt0wx0k6eqpp5hkzd9x2wy69pznyrlfck3ey7g96canuflr7lqq2ru5guy3xhe7uqdq8v3jk6mccqp29qxpqysgq2zz9ac35rh6rla8tdl627jwpfaltl39qufrg5eewpw9flldcl8kjum30r9g3zj6ltd23qa85ccanzup367vm5l0qq2szpff2fs5xndgqa0674s
lightning-cli --testnet listunspent


If you don't trust me (and even though I personally think I'm trustworthy, I have never given you any reason to actually trust me), you can build the image all by yourself as well... Just use my Dockerfile:
https://raw.githubusercontent.com/mocacinno/btc_testnet4/bci_lightning/Dockerfile

Open it, read what I did, and once you have verified that I did a good thing, execute

Code:
docker build -t whatever_image_name_you_want:whatever_tag_you_want .

Then use the docker-compose.yml I provided and change the image name, user, pass,... and run

Code:
docker-compose up -d


mocacinno (OP)
June 26, 2024, 07:53:10 AM
Last edit: June 26, 2024, 08:16:20 AM by mocacinno
 #4

Container image #3: ckpool

branch home + extra info: https://github.com/mocacinno/btc_testnet4/tree/bci_ckpool

This image contains only ckpool + basic config for ckpool. The docker-compose.yml provided combines the bitcoin core container with the ckpool container. The "node" container will run the node, the ckpool container will run the actual mining pool.
The basic container image contains a ckpool.conf file with a 0% donation to my address... If you want something else, you'll have to edit the docker-compose.yml to mount your own local ckpool.conf file over /ckpool.conf inside the container.

The prereqs are:

  • a linux host, running docker
  • a path to store the persistent data (blocks, wallets,...)

Once you have these, just copy this docker-compose.yml file on your local system:
https://raw.githubusercontent.com/mocacinno/btc_testnet4/bci_ckpool/docker-compose.yml

Modify the docker-compose.yml (for example, change the user, password, port and LOCAL paths). Then run

Code:
docker-compose up -d

If you don't trust me (and even though I personally think I'm trustworthy, I have never given you any reason to actually trust me), you can build the image all by yourself as well... Just use my Dockerfile:
https://raw.githubusercontent.com/mocacinno/btc_testnet4/bci_ckpool/Dockerfile

Open it, read what I did, and once you have verified that I did a good thing, execute

Code:
docker build -t whatever_image_name_you_want:whatever_tag_you_want .

Then use the docker-compose.yml I provided and change the image name, user, pass,... and run

Code:
docker-compose up -d


mocacinno (OP)
June 26, 2024, 07:53:20 AM
Last edit: June 26, 2024, 08:22:16 AM by mocacinno
 #5

Container image #4: cpuminer

branch home + extra info: https://github.com/mocacinno/btc_testnet4/tree/bci_cpuminer

This image only contains a compiled version of JayDDee's cpuminer. The provided docker-compose.yml starts a bitcoin core node image AND a second cpuminer container. The node will run the node (duh), and the cpuminer container runs a cpuminer process. Pay special attention to the docker-compose.yml, if you don't replace my tBTC4 addy by yours, you'll be mining for me instead of yourself :D

Note on CPU mining: the diff on testnet4 is already pretty high. Without an ASIC, you won't mine much... However, from time to time, no block is found for >20 minutes, and at that time the diff drops to 1 and you have a (very small) chance of solving a block (you are still competing against ASICs though, so your odds are not that good).

The prereqs are:

  • a linux host, running docker
  • a path to store the persistent data (blocks, wallets,...)

Once you have these, just copy this docker-compose.yml file on your local system:
https://raw.githubusercontent.com/mocacinno/btc_testnet4/bci_cpuminer/docker-compose.yml

Modify the docker-compose.yml (for example, change the user, password, port and LOCAL paths). Then run

Code:
docker-compose up -d

If you don't trust me (and even though I personally think I'm trustworthy, I have never given you any reason to actually trust me), you can build the image all by yourself as well... Just use my Dockerfile:
https://raw.githubusercontent.com/mocacinno/btc_testnet4/bci_cpuminer/Dockerfile

Open it, read what I did, and once you have verified that I did a good thing, execute

Code:
docker build -t whatever_image_name_you_want:whatever_tag_you_want .

Then use the docker-compose.yml I provided and change the image name, user, pass,... and run

Code:
docker-compose up -d


mocacinno (OP)
June 26, 2024, 08:23:03 AM
 #6

Reserved for future container image (I'm thinking about compiling a block explorer)

mocacinno (OP)
June 26, 2024, 08:23:21 AM
 #7

Reserved for future container image (I'm thinking about compiling an electrum server)

NotATether
Legendary
*
Offline Offline

Activity: 1666
Merit: 7014


In memory of o_e_l_e_o


View Profile WWW
June 27, 2024, 06:41:59 AM
 #8

Notice for people running the "old" images: don't worry... It's not like the old images are unsafe to run... The vulnerabilities found in Ubuntu's 24.04 base image are present in almost all containers you find on the internet. They'll probably be present on your "regular" OS or your webserver as well.

Erm, is there something I'm missing here? What is this vulnerability that is (according to you) omnipresent in all containers? And webservers?

The only critical flaw I've heard of recently is SnailLoad, but that only breaks VPNs and privacy, and it doesn't have anything to do with containers.

Can you link to me a CVE or something like that?

mocacinno (OP)
June 27, 2024, 06:49:02 AM
Merited by ABCbits (3)
 #9

Notice for people running the "old" images: don't worry... It's not like the old images are unsafe to run... The vulnerabilities found in Ubuntu's 24.04 base image are present in almost all containers you find on the internet. They'll probably be present on your "regular" OS or your webserver as well.

Erm, is there something I'm missing here? What is this vulnerability that is (according to you) omnipresent in all containers? And webservers?

The only critical flaw I've heard of recently is SnailLoad, but that only breaks VPNs and privacy, and it doesn't have anything to do with containers.

Can you link to me a CVE or something like that?

In the latest scan of a container based on ubuntu:24.04, I get the following critical vulnerabilities:
- CVE-2024-36016
- CVE-2024-26923
- CVE-2023-52433
- CVE-2023-4921
- CVE-2023-42756
- CVE-2023-35001
- CVE-2023-3390

There's also a list of 43 medium severity vulnerabilities and 41 low severity... But I'm not going to list those..

But all in all 7 high + 46 medium + 41 low = 94 vulnerabilities...

In a BCI minimal base image, there are exactly 0 vulnerabilities that have been detected... doesn't mean there are none, but I'm pretty sure the BCI_minimal base image is safer than the ubuntu:24.04... And I'm not just saying this as a lifelong fan (and professional user) of SLES... The scan was done by docker scout, which should be agnostic when it comes to the choice of base image to base one's container on.

By the way, I'm not claiming those vulnerabilities are exploitable per se... That's why I posted a notice for people not to panic... I just want to build a container image that's as safe as possible, so it makes sense to choose a base image that's as minimal and as safe as possible.
