Merge pull request #3 from o1-labs/fix/docker-runtime

fix(deploy): add libssl3 to runtime image (fixes startup crash) + per-network compose

Author: dkijania

deploy/Dockerfile

@@ -1,12 +1,27 @@
-# Build the Mina light node.
+# Build the Mina light node (mina-relay + the mina-verify trust gate).
+#
+# It compiles mina-verify's recursive-proof verifier (proof-systems / kimchi), which
+# needs a C toolchain + openssl at build time and libssl at runtime.
+
 FROM rust:1-bookworm AS build
+# rust:1-bookworm (buildpack-deps based) already ships these, but be explicit so the
+# build can't silently depend on the base image's contents.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        build-essential pkg-config libssl-dev git ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
 WORKDIR /src
 COPY . .
-RUN cargo build --release -p mina-light-node
+RUN cargo build --release --locked -p mina-light-node
+RUN strip target/release/mina-light-node
 
 FROM debian:bookworm-slim
-RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
+# libssl3: the binary links openssl dynamically (openssl-sys in the dep tree).
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates libssl3 \
     && rm -rf /var/lib/apt/lists/*
 COPY --from=build /src/target/release/mina-light-node /usr/local/bin/mina-light-node
+# Out of the box: connect to devnet seeds and verify forever, no configuration.
+# Switch networks with `-e MINA_NETWORK=mainnet`.
 ENV MINA_NETWORK=devnet
+ENV RUST_LOG=info
 ENTRYPOINT ["mina-light-node"]

deploy/docker-compose.yml

@@ -1,12 +1,32 @@
-# Mina light node — joins p2p (mina-relay) + verifies (mina-verify).
-# TODO: add the verify sidecar (MinaProtocol/mina-verify mina-verify-server) once
-# the trust gate is wired, or run verification in-process.
+# Mina light node — joins p2p (mina-relay) + verifies every tip (mina-verify),
+# in-process. No sidecar, no configuration.
+#
+# One process follows exactly ONE network: the libp2p pnet key is derived from the
+# chain id, so a devnet swarm cannot even decrypt mainnet traffic, and Mina's network
+# config is process-global (set once). So it's one container per network — same image,
+# different MINA_NETWORK. Both services below build the same image.
+#
+#   docker compose -f deploy/docker-compose.yml up --build            # devnet (default)
+#   docker compose -f deploy/docker-compose.yml --profile mainnet up  # mainnet
 services:
-  mina-light-node:
+  devnet:
+    image: mina-light-node:latest
     build:
       context: ..
       dockerfile: deploy/Dockerfile
     environment:
       MINA_NETWORK: devnet
       RUST_LOG: info
+      # LIGHT_NODE_SECS unset => run forever.
+    restart: unless-stopped
+
+  mainnet:
+    image: mina-light-node:latest
+    profiles: ["mainnet"]
+    build:
+      context: ..
+      dockerfile: deploy/Dockerfile
+    environment:
+      MINA_NETWORK: mainnet
+      RUST_LOG: info
     restart: unless-stopped