fix: move entrypoint scripts from /opt to home directory

[DeVikingMark]

Fixes #4670

Moves entrypoint scripts from /opt to user home directory in Docker containers.

Changes:

• Updated docker/standalone.Dockerfile
• Updated docker/multiplexer.Dockerfile
• Updated docker/txsim/Dockerfile

Before: Scripts copied to /opt/entrypoint.sh
After: Scripts copied to ${CELESTIA_APP_HOME}/entrypoint.sh

[rootulp]

How was this PR tested? Can you please try building Docker images with this change, running them, and verifying the entrypoint.sh script is still invoked correctly? Perhaps also manually inspecting the produced Docker image to ensure the entrypoint.sh script is moved to the correct place.

[DeVikingMark]

Hi @rootulp! Thanks for the comment. I've tested the changes, and HERE'S what I got.

docker build -t celestia-node-test .

docker run --rm celestia-node-test:latest ls -la /home/celestia/entrypoint.sh

docker run --rm celestia-node-test:latest celestia

docker run --rm celestia-node-test:latest env | grep -E "(NODE_TYPE|P2P_NETWORK|CELESTIA_HOME)"

[rootulp]

The CLI output is for celestia-node which is different from celestia-app.

[DeVikingMark]

1. Building Docker images

docker build -f docker/standalone.Dockerfile -t celestia-app-standalone .

docker build -f docker/multiplexer.Dockerfile -t celestia-app-multiplexer .

docker build -f docker/txsim/Dockerfile -t celestia-app-txsim .

2. Checking entrypoint.sh placement

docker run --rm --entrypoint="" celestia-app-standalone ls -la /home/celestia/.celestia-app/entrypoint.sh

docker build -f docker/multiplexer.Dockerfile -t celestia-app-multiplexer .

docker run --rm --entrypoint="" celestia-app-txsim ls -la /home/celestia/.celestia-app/entrypoint.sh

3. Verifying entrypoint functionality

docker run --rm celestia-app-standalone start --help

docker run --rm celestia-app-multiplexer start --help

docker run --rm celestia-app-txsim --help

[rootulp]

@DeVikingMark why does this PR modify the Dockerfiles if the motivating issue is only for local_devnet: #4670

[DeVikingMark]

Hey @rootulp, sorry for the late answer,

While #4670 specifically mentions local_devnet, the underlying issue was that entrypoint scripts were being copied to /opt/entrypoint.sh, which requires root permissions.

The /opt directory requires root permissions, which isn't great for security. Moving everything to the user's home directory (${CELESTIA_APP_HOME}) is cleaner and more secure.

So I figured if we're fixing this pattern, we might as well fix it everywhere - standalone, multiplexer, and txsim containers.

Does that make sense?

[rootulp]

That makes sense but I'm hesitant to include this without getting user feedback from node operators that use the existing Docker images. I don't want to break them unnecessarily.

[rach-id]

I guess a first feedback should come from the devops team. cc @sysrex

[sysrex]

why would the entrypoint reside in the home folder? this has always been in /opt just like for node https://github.com/celestiaorg/celestia-node/blob/main/Dockerfile#L69

• also most installations will mount /home/celestia/.celestia-app on additional disks for obvious reasons, which means this can have unintended consequences.

[DeVikingMark]

@sysrex thanks for the feedback! I've updated the pullrequest to apply changes only to local_devnet

[rootulp]

I've updated the pullrequest to apply changes only to local_devnet

txsim can be used outside of local_devnet

[rootulp]

I've re-read the original issue and I still don't understand the concrete problem and proposal. I think we need more clarity in #4670 before we try implementing it.

[rootulp]

Also now the PR description is out of date. IMO let's close this for now and ask for clarity in the original issue.