create lnd Docker container based on alpine and FROM scratch about dockerfiles HOT 11 CLOSED

Have you worked on a way to automate the following?

• lncli createwallet (and output the seed to a file)
• lncli unlock or at least have a way of piping the password to it ?

from dockerfiles.

Create wallet should not happen automatically, but during the initial setup.

Unlock: yes I have a script for that, I'll share it a bit later, admittedly it wasn't trivial to figure it out 😅

from dockerfiles.

@nolim1t

1. Login as root

2. Put this into /etc/lnd/unlock

   #!/bin/sh
   
   /bin/sleep 5s
   
   LN_ROOT=/home/ln/.lnd
   
   curl -s \
   	-H "Grpc-Metadata-macaroon: $(xxd -ps -u -c 1000 ${LN_ROOT}/admin.macaroon)" \
   	--cacert ${LN_ROOT}/tls.cert \
   	-d "{\"wallet_password\": \"$(cat /etc/lnd/pwd | tr -d '\n' | base64 -w0)\"}" \
   	https://localhost:8080/v1/unlockwallet > /dev/null 2>&1
   
   echo "$? $(date)" >> /etc/lnd/unlocks.log
   
   exit 0

3. Adjust your LN_ROOT path in code above

4. chmod 100 /etc/lnd/unlock

5. touch /etc/lnd/pwd

6. Put your lnd wallet password into pwd

7. chmod 400 /etc/lnd/pwd

8. Add ExecStartPost line to your /etc/systemd/system/lnd.service, so it looks something like this:

   $ sudo grep -A 2 Service /etc/systemd/system/lnd.service
   [Service]
   ExecStart=/usr/local/bin/lnd
   ExecStartPost=+/etc/lnd/unlock

Note: the assumption is that the attacker doesn't gain access to your root account, if they do all bets are off anyway…

from dockerfiles.

Thanks this is useful information.

Yes createwallet shouldn't happen, but it needs to be controllable through another interface

from dockerfiles.

REST interface perhaps, or RPC from Go code directly - but that requires deeper look.

from dockerfiles.

@nolim1t I just took a look at the lnd Dockerfile you've made, and I actually like it quite a lot.

A few topics though:

• Why do you do final image as FROM alpine and not FROM scratch?
• Wouldn't it be better if configuration and/or unlocking of the lnd client happen from within another container that's setup to start before lnd?
• Doesn't lnd ever use SSL connections isn't copying root certs necessary (as per article in the first comment here)

from dockerfiles.

Ah, I see you just copied the image from their official repo.

I think we should try getting rid of their start-lnd.sh file, as it contains a lot of options that will not be useful to us, and try to have it run from scratch ^^.

from dockerfiles.

I haven’t had a chance to look at it too much but seeing you did claim that lnd works with a pruned node I’ll give it a try again.

from dockerfiles.

I'm pretty sure we don't want to re-write autopilot logic which c-lightning currently lacks, so going ahead with lnd might be our best choice.

from dockerfiles.

After digging-in for a while, having it run FROM scratch might be too much effort - lnd seems to rely on stuff like HOME directory, and some other stuff that any OS has, but are not avail in scratch.

That being said, I think we can live with the enormous overhead that alpine adds :P

I got lnd cross-compilation to work well already, except I'm not yet sure what exactly to expose in the final image…

from dockerfiles.

this is done and actually working with the alpine images with lncm/pi-factory

from dockerfiles.