fix CVE, pebble

README.md

@@ -16,34 +16,35 @@ docker run --name bsc \
   -v .../var:/geth/var \
   -d 11notes/bsc:[tag] \
     geth \
-    --datadir "/geth/var" \
-    --config "/geth/etc/config.toml"  \
-    --cache 66560  \
-    --history.transactions=0 \
-    --syncmode=full \
-    --tries-verify-mode=local \
-    --pruneancient \
-    --db.engine=pebble \
-    --state.scheme=path \
-    --ws \
-      --ws.addr 0.0.0.0 \
-      --ws.api net,web3,eth,txpool \
-      --ws.origins '*' \
-    --http \
-      --http.addr 0.0.0.0 \
-      --http.api net,web3,eth,txpool \
-      --http.corsdomain '*' \
-      --http.vhosts '*' \
-    --log.format=json \
-    --nat extip:$(curl -s ip.anon.global) \
-    --metrics \
-      --metrics.expensive \
-      --metrics.influxdbv2 \
-      --metrics.influxdb.endpoint "http://127.0.0.1:8086" \
-      --metrics.influxdb.token "**********************************************" \
-      --metrics.influxdb.organization "Binance" \
-      --metrics.influxdb.bucket "bsc" \
-      --metrics.influxdb.tags "host=bsc"
+      --datadir "/geth/var" \
+      --config "/geth/etc/config.toml"  \
+      --cache 66560  \
+      --history.transactions=0 \
+      --syncmode=full \
+      --tries-verify-mode=local \
+      --pruneancient \
+      --db.engine=pebble \
+      --state.scheme=path \
+      --ws \
+        --ws.addr 0.0.0.0 \
+        --ws.api net,web3,eth,txpool \
+        --ws.origins '*' \
+      --http \
+        --http.addr 0.0.0.0 \
+        --http.api net,web3,eth,txpool \
+        --http.corsdomain '*' \
+        --http.vhosts '*' \
+      --maxpeers 64 \
+      --nat extip:$(curl -sL ip.anon.global) \
+      --log.format=json
+      --metrics \
+        --metrics.expensive \
+        --metrics.influxdbv2 \
+        --metrics.influxdb.endpoint "http://127.0.0.1:8086" \
+        --metrics.influxdb.token "**********************************************" \
+        --metrics.influxdb.organization "Binance" \
+        --metrics.influxdb.bucket "bsc" \
+        --metrics.influxdb.tags "host=bsc"
 ```
 
 ## Defaults
@@ -57,6 +58,11 @@ docker run --name bsc \
 | `api` | http://${IP}:8545 | HTTP endpoint |
 | `api` | http://${IP}:8546 | WS endpoint |
 
+## Environment
+| Parameter | Value | Default |
+| --- | --- | --- |
+| `TZ` | [Time Zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) | null |
+
 ## Parent image
 * [11notes/alpine:stable](https://github.com/11notes/docker-alpine)
 

amd64.dockerfile

@@ -27,6 +27,16 @@
     cd /go/bsc; \
     git checkout ${APP_VERSION};
 
+  # fix security
+  RUN set -ex; \    
+    sed -i 's#google.golang.org/grpc v1.51.0#google.golang.org/grpc v1.56.3#g' /go/bsc/go.mod; \    
+    sed -i 's#github.com/consensys/gnark-crypto v0.10.0#github.com/consensys/gnark-crypto v0.12.0#g' /go/bsc/go.mod; \
+    sed -i 's#golang.org/x/net v0.10.0#golang.org/x/net v0.17.0#g' /go/bsc/go.mod; \
+    sed -i 's#golang.org/x/crypto v0.12.0#golang.org/x/crypto v0.17.0#g' /go/bsc/go.mod; \
+    cd /go/bsc; \
+    go mod tidy; \
+    make -j $(nproc);
+
   RUN set -ex; \
     cd /go/bsc; \
     make -j $(nproc);

rootfs/geth/etc/config.toml

@@ -1,62 +1,43 @@
 [Eth]
-NetworkId = 714
-SyncMode = "full"
-NoPruning = false
-NoPrefetch = false
+NetworkId = 56
 LightPeers = 100
-DatabaseCache = 512
-DatabaseFreezer = ""
-TrieCleanCache = 256
-TrieDirtyCache = 256
-TriesInMemory = 128
-TrieTimeout = 3600000000000
-EnablePreimageRecording = false
+TrieTimeout = 150000000000
 
 [Eth.Miner]
-GasFloor = 30000000
-GasCeil = 40000000
-GasPrice = 10000000000
+GasCeil = 140000000
+GasPrice = 3000000000
 Recommit = 10000000000
 
 [Eth.TxPool]
 Locals = []
 NoLocals = true
 Journal = "transactions.rlp"
 Rejournal = 3600000000000
-PriceLimit = 10000000000
+PriceLimit = 3000000000
 PriceBump = 10
-AccountSlots = 16
-GlobalSlots = 4096
-AccountQueue = 64
-GlobalQueue = 1024
-Lifetime = 10800000000000
+AccountSlots = 200
+GlobalSlots = 8000
+AccountQueue = 200
+GlobalQueue = 4000
 
+[Eth.GPO]
+Blocks = 20
+Percentile = 60
+OracleThreshold = 1000
 
 [Node]
 IPCPath = "geth.ipc"
 HTTPHost = "0.0.0.0"
-NoUSB = true
-InsecureUnlockAllowed = true
+InsecureUnlockAllowed = false
 HTTPPort = 8545
 HTTPVirtualHosts = ["*"]
 HTTPModules = ["eth", "net", "web3", "txpool", "parlia"]
-WSHost = "0.0.0.0"
 WSPort = 8546
+WSModules = ["net", "web3", "eth"]
 
 [Node.P2P]
-MaxPeers = 50
+MaxPeers = 200
 NoDiscovery = false
 StaticNodes = []
-TrustedNodes = []
-EnableMsgEvents = false
-
-[Node.HTTPTimeouts]
-ReadTimeout = 30000000000
-WriteTimeout = 30000000000
-IdleTimeout = 120000000000
-
-[Node.LogConfig]
-FilePath = "bsc.log"
-MaxBytesSize = 10485760
-Level = "info"
-FileRoot = ""
+ListenAddr = ":30311"
+EnableMsgEvents = false

rootfs/usr/local/bin/entrypoint.sh

@@ -1,5 +1,15 @@
 #!/bin/ash
-  if [ -z "${1}" ]; then
+  CMD="${1}"
+  case "${CMD}" in
+    init)
+      log-json info "download latest snapshot from 48club"
+      cd ${APP_ROOT}/var
+      wget -q -O - $(curl -f -L -s c | grep -Eo 'https://snapshots.48.club/geth.pbss.\S+.tar.zst') | zstd -cd | tar -xvf - --strip-components=2
+      CMD=""
+    ;;
+  esac
+
+  if [ -z "${CMD}" ]; then
     log-json info "starting default geth configuration"
     set -- "geth" \
       --datadir "${APP_ROOT}/var" \
@@ -21,16 +31,8 @@
         --http.corsdomain '*' \
         --http.vhosts '*' \
       --maxpeers 64 \
-      --nat extip:$(curl -s ip.anon.global) \
+      --nat extip:$(curl -sL ip.anon.global) \
       --log.format=json
-  else
-    case "${1}" in
-      init)
-        log-json info "download latest snapshot from 48club"
-        cd ${APP_ROOT}/var
-        wget -q -O - $(curl -f -L -s https://github.com/48Club/bsc-snapshots | grep -Eo 'https://snapshots.48.club/geth.full.\S+.tar.zst') | zstd -cd | tar -xvf - --strip-components=2
-      ;;
-    esac
   fi
 
   exec "$@"