This repository has been archived by the owner on Aug 29, 2019. It is now read-only.

create lnd Docker container based on alpine and FROM scratch #12

Closed
meeDamian opened this issue Nov 7, 2018 · 11 comments

@meeDamian
Member

This can be useful:

https://medium.com/@pierreprinetti/the-go-1-11-dockerfile-a3218319d191

@nolim1t
Member

nolim1t commented Nov 7, 2018

Have you worked on a way to automate the following?

  • lncli createwallet (and output the seed to a file)
  • lncli unlock, or at least have a way of piping the password to it?

@meeDamian
Member Author

Create wallet should not happen automatically, but during the initial setup.

Unlock: yes I have a script for that, I'll share it a bit later, admittedly it wasn't trivial to figure it out 😅

@meeDamian
Member Author

@nolim1t

  1. Login as root

  2. Put this into /etc/lnd/unlock

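    #!/bin/sh
    
    # Wait 5 seconds before contacting lnd's REST interface
    /bin/sleep 5s
    
    LN_ROOT=/home/ln/.lnd
    
    # POST the base64-encoded wallet password to the unlock endpoint
    curl -s \
    	-H "Grpc-Metadata-macaroon: $(xxd -ps -u -c 1000 "${LN_ROOT}/admin.macaroon")" \
    	--cacert "${LN_ROOT}/tls.cert" \
    	-d "{\"wallet_password\": \"$(cat /etc/lnd/pwd | tr -d '\n' | base64 -w0)\"}" \
    	https://localhost:8080/v1/unlockwallet > /dev/null 2>&1
    
    # Log curl's exit status with a timestamp
    echo "$? $(date)" >> /etc/lnd/unlocks.log
    
    # Always report success to systemd, whatever curl returned
    exit 0

  3. Adjust your LN_ROOT path in the code above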

  4. chmod 100 /etc/lnd/unlock

  5. touch /etc/lnd/pwd

  6. Put your lnd wallet password into pwd

  7. chmod 400 /etc/lnd/pwd

  8. Add ExecStartPost line to your /etc/systemd/system/lnd.service, so it looks something like this:

    $ sudo grep -A 2 Service /etc/systemd/system/lnd.service
    [Service]
    ExecStart=/usr/local/bin/lnd
    ExecStartPost=+/etc/lnd/unlock

Note: the assumption is that the attacker doesn't gain access to your root account; if they do, all bets are off anyway…
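
A check of the permissions that steps 4 to 7 set up, as an added example that is not part of the original comment. It assumes `stat -c` (GNU coreutils or BusyBox); the function names `check_mode` and `audit_lnd_unlock` are hypothetical. It also flags a group- or world-writable directory, because `ExecStartPost=+` runs the unlock script with full privileges.

```shell
#!/bin/sh
# Added example (not from the thread): audit the modes and ownership from
# steps 4-7. Function names are hypothetical; requires `stat -c`.

# check_mode PATH MODE UID: succeed only if PATH exists with that octal
# mode and numeric owner.
check_mode() {
    path=$1 want_mode=$2 want_uid=$3
    if [ ! -e "$path" ]; then
        echo "FAIL $path: missing"
        return 1
    fi
    got_mode=$(stat -c '%a' "$path")
    got_uid=$(stat -c '%u' "$path")
    if [ "$got_mode" != "$want_mode" ] || [ "$got_uid" != "$want_uid" ]; then
        echo "FAIL $path: mode $got_mode uid $got_uid," \
             "expected mode $want_mode uid $want_uid"
        return 1
    fi
    echo "OK   $path"
}

# audit_lnd_unlock DIR [UID]: check DIR/unlock (100), DIR/pwd (400) and DIR
# itself. UID defaults to 0 (root), the owner the steps assume.
audit_lnd_unlock() {
    dir=$1 uid=${2:-0} rc=0
    check_mode "$dir/unlock" 100 "$uid" || rc=1
    check_mode "$dir/pwd" 400 "$uid" || rc=1
    # A group- or world-writable directory can let another user swap out the
    # script that systemd runs with full privileges (ExecStartPost=+).
    case $(stat -c '%a' "$dir") in
        *[2367]?|*[2367])
            echo "FAIL $dir: writable by group or others"
            rc=1 ;;
    esac
    return "$rc"
}

# Usage on the host from the steps above, as root:
#   audit_lnd_unlock /etc/lnd
```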

@nolim1t
Member

nolim1t commented Nov 7, 2018

Thanks, this is useful information.

Yes, createwallet shouldn't happen, but it needs to be controllable through another interface.

@meeDamian
Member Author

REST interface perhaps, or RPC from Go code directly - but that requires a deeper look.

@meeDamian
Member Author

@nolim1t I just took a look at the lnd Dockerfile you've made, and I actually like it quite a lot.

A few topics though:

  • Why do you do the final image as FROM alpine and not FROM scratch?
  • Wouldn't it be better if configuration and/or unlocking of the lnd client happened from within another container that's set up to start before lnd?
  • Doesn't lnd ever use SSL connections? Isn't copying root certs necessary (as per the article in the first comment here)?

@meeDamian
Member Author

Ah, I see you just copied the image from their official repo.

I think we should try getting rid of their start-lnd.sh file, as it contains a lot of options that will not be useful to us, and try to have it run from scratch ^^.

@nolim1t
Member

nolim1t commented Nov 7, 2018

I haven’t had a chance to look at it too much, but seeing you did claim that lnd works with a pruned node, I’ll give it a try again.

@meeDamian
Member Author

I'm pretty sure we don't want to re-write autopilot logic which c-lightning currently lacks, so going ahead with lnd might be our best choice.

@meeDamian
Member Author

After digging in for a while, having it run FROM scratch might be too much effort - lnd seems to rely on stuff like a HOME directory, and some other stuff that any OS has but that is not available in scratch.

That being said, I think we can live with the enormous overhead that alpine adds :P

I got lnd cross-compilation to work well already, except I'm not yet sure what exactly to expose in the final image…

@nolim1t
Member

nolim1t commented Dec 26, 2018

This is done and actually working with the alpine images with lncm/pi-factory.

@nolim1t nolim1t closed this as completed Dec 26, 2018