refactor(cd): improve Docker and gcloud usage without Cloud Build (#3431)

* refactor (cd): overall pipeline improvement

- Use a more ENV configurable Dockerfile
- Remove cloudbuild dependency
- Use compute optimized machine types
- Use SSD instead of normal hard drives
- Move Sentry endpoint to secrets
- Use a single yml for auto & manual deploy
- Migrate to Google Artifact Registry

* refactor (cd): overall pipeline improvement

- Use a more ENV configurable Dockerfile
- Remove cloudbuild dependency
- Use compute optimized machine types
- Use SSD instead of normal hard drives
- Move Sentry endpoint to secrets
- Use a single yml for auto & manual deploy
- Migrate to Google Artifact Registry

* refactor (cd): use newer google auth action

* fix (cd): use newer secret as gcp credential

* fix (docker): do not create extra directories

* fix (docker): ignore .github for caching purposes

* fix (docker): use latest rust

* fix: use a better name for manual deployment

* refactor (docker): use standard directories for executable

* fix (cd): most systems expect a "latest" tag

Caching from the latest image is one of the main reasons to add this extra tag. Before this commit, the inline cache was not being used.

* fix (cd): push the build image and the cache separately

The inline cache exporter only supports `min` cache mode. To enable `max` cache mode, push the image and the cache separately by using the registry cache exporter.

This also allows for smaller release images.

* fix (cd): remove unused GHA cache

We're leveraging the registry to cache the actions, instead of using the 10GB limits from GitHub Actions cache storage.

* refactor (cd): use cargo-chef for caching rust deps

* fix (release): use newer debian to reduce vulnerabilities

* fix (cd): use same zone, region and service accounts

* fix (cd): use same disk size and type for all deployments

* refactor (cd): activate interactive shells

Use interactive shells for manual and test deployments. This allows greater flexibility if troubleshooting is needed inside the machines.

* fix (docker): do not build with different settings

Compiling might be slow because different steps are compiling the same code 2-4 times because of the variations

* fix(cd): use Mainnet instead of mainnet

* fix(docker): remove tests as a runtime dependency

* fix(cd): use default service account with cloud-platform scope

* fix(cd): keep compatibility with gcr.io

To prevent conflicts between registries, and migrate when the time is right, we'll keep pushing to both registries and use GitHub Actions cache to prevent conflicts between artifacts.

* fix(docker): do not download zcash params twice

* feat(docker): add google OS Config agent

Use a separate step to have better flexibility in case a better approach is available

* fix(docker): allow to use zebrad as a command

* feat: add an image to inherit from with zcash params

* refactor(docker): use cached zcash params from previous build

* imp(cd): add double safety measure for production
Gustavo Valverde 2022-02-08 20:50:13 -04:00 committed by GitHub
parent 88aca26d30
commit a872f1727a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 303 additions and 139 deletions


@ -2,4 +2,5 @@ target
Dockerfile Dockerfile
.dockerignore .dockerignore
.git .git
.github
.gitignore .gitignore


@ -2,22 +2,31 @@ name: CD
on: on:
workflow_dispatch: workflow_dispatch:
inputs:
network:
default: 'Mainnet'
checkpoint_sync:
default: true
push: push:
branches: branches:
- main - main
env: env:
CARGO_INCREMENTAL: '1'
NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
REGION: us-east1 GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
ZONE: us-east1-b GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
MACHINE_TYPE: n2d-standard-4 REGION: us-central1
DEPLOY_SA: cos-vm@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com ZONE: us-central1-a
MACHINE_TYPE: c2-standard-4
jobs: jobs:
build: build:
name: Build images name: Build images
timeout-minutes: 60 timeout-minutes: 60
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2.4.0 - uses: actions/checkout@v2.4.0
with: with:
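Review bot: the new `network` and `checkpoint_sync` inputs under `workflow_dispatch` are declared with only a `default`, so the manual run form accepts any string for values that end up in the image build; give each a `description` and constrain it (`type: choice` for the network, `type: boolean` for the checkpoint flag), or validate both in a first step. `DEPLOY_SA` is also dropped from `env` in this hunk, so every `gcloud` call that used it should be checked for an explicit replacement identity.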
@ -27,25 +36,61 @@ jobs:
uses: rlespinasse/github-slug-action@v4 uses: rlespinasse/github-slug-action@v4
# Setup gcloud CLI # Setup gcloud CLI
- name: Set up gcloud SDK environment - name: Authenticate to Google Cloud
uses: google-github-actions/setup-gcloud@v0.5.0 id: auth
uses: google-github-actions/auth@v0.5.0
with: with:
project_id: ${{ env.PROJECT_ID }} credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
service_account_key: ${{ secrets.GCLOUD_AUTH }}
# Build and push image to Google Container Registry # Setup Docker Buildx to allow use of docker cache layers from GH
- name: Build - name: Set up Docker Buildx
# Tagging w/ the commit SHA blocks the :latest tag on GCR uses: docker/setup-buildx-action@v1
run: |
gcloud builds submit \
--config cloudbuild.yaml \
--substitutions SHORT_SHA="${{ env.GITHUB_SHA_SHORT }}",BRANCH_NAME="${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}"
deploy: - name: Login to Google Artifact Registry
name: Deploy mainnet nodes uses: docker/login-action@v1.12.0
with:
registry: us-docker.pkg.dev
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Login to Google Container Registry
uses: docker/login-action@v1.12.0
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
# Build and push image to Google Artifact Registry
- name: Build & push
id: docker_build
uses: docker/build-push-action@v2.8.0
with:
target: runtime
context: .
file: ./docker/Dockerfile.build
tags: |
${{ env.GAR_BASE }}/${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}:latest
${{ env.GAR_BASE }}/${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}:${{ env.GITHUB_SHA_SHORT }}
${{ env.GCR_BASE }}/${{ env.GITHUB_REPOSITORY_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_SLUG_URL }}/${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}:latest
${{ env.GCR_BASE }}/${{ env.GITHUB_REPOSITORY_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_SLUG_URL }}/${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}:${{ env.GITHUB_SHA_SHORT }}
build-args: |
NETWORK=${{ github.event.inputs.network || env.NETWORK }}
SHORT_SHA=${{ env.GITHUB_SHA_SHORT }}
RUST_BACKTRACE=1
ZEBRA_SKIP_IPV6_TESTS="1"
CHECKPOINT_SYNC=${{ github.event.inputs.checkpoint_sync || true }}
SENTRY_DSN=${{ secrets.SENTRY_ENDPOINT }}
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
deploy-nodes:
name: Deploy Mainnet nodes
needs: build needs: build
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 30 timeout-minutes: 30
if: github.event_name == 'push' && github.ref == 'ref/head/main'
steps: steps:
- uses: actions/checkout@v2.4.0 - uses: actions/checkout@v2.4.0
with: with:
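Review bot: the `deploy-nodes` condition `github.ref == 'ref/head/main'` can never be true, because branch refs have the form `refs/heads/main`, so the production deploy is skipped on every push; correct the string. In `build-args`, `SENTRY_DSN=${{ secrets.SENTRY_ENDPOINT }}` hands a secret to the build as a plain build argument, and build arguments are recoverable from the image metadata, so supply it with a BuildKit secret mount or at instance start instead. The two `GCR_BASE` tags repeat `${{ env.GITHUB_REPOSITORY_SLUG_URL }}` twice in the path, which looks unintended, and `GOOGLE_CREDENTIALS` is a long-lived JSON key reused as the registry password for both logins, so its roles should be limited to pushing images.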
@ -55,23 +100,27 @@ jobs:
uses: rlespinasse/github-slug-action@v4 uses: rlespinasse/github-slug-action@v4
# Setup gcloud CLI # Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.5.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up gcloud SDK environment - name: Set up gcloud SDK environment
uses: google-github-actions/setup-gcloud@v0.5.0 uses: google-github-actions/setup-gcloud@v0.5.0
with: with:
project_id: ${{ env.PROJECT_ID }} project_id: ${{ env.PROJECT_ID }}
service_account_key: ${{ secrets.GCLOUD_AUTH }}
# Create instance template from container image
- name: Create instance template - name: Create instance template
run: | run: |
gcloud compute instance-templates create-with-container "zebrad-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ env.GITHUB_SHA_SHORT }}" \ gcloud compute instance-templates create-with-container zebrad-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ env.GITHUB_SHA_SHORT }} \
--container-image "gcr.io/${{ env.PROJECT_ID}}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG }}/${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}:${{ env.GITHUB_SHA_SHORT }}" \ --boot-disk-type=pd-ssd \
--create-disk name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }},auto-delete=yes,size=100GB,type=pd-balanced \ --container-image ${{ env.GAR_BASE }}/${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}:${{ env.GITHUB_SHA_SHORT }} \
--create-disk name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }},auto-delete=yes,size=100GB,type=pd-ssd \
--container-mount-disk mount-path="/zebrad-cache",name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }} \ --container-mount-disk mount-path="/zebrad-cache",name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }} \
--machine-type ${{ env.MACHINE_TYPE }} \ --machine-type ${{ env.MACHINE_TYPE }} \
--service-account ${{ env.DEPLOY_SA }} \
--scopes cloud-platform \ --scopes cloud-platform \
--tags zebrad \ --tags zebrad
# Check if our destination instance group exists already # Check if our destination instance group exists already
- name: Check if instance group exists - name: Check if instance group exists
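Review bot: `--service-account ${{ env.DEPLOY_SA }}` is removed from the instance template while `--scopes cloud-platform` stays, so the nodes run as the project's default Compute Engine service account with every Cloud API that account's IAM roles allow; keep a dedicated, narrowly-roled service account on the template. The quotes around the template name and the `--container-image` value were dropped as well; restore them so an unexpected slug value cannot split into extra `gcloud` arguments.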
@ -100,3 +149,45 @@ jobs:
"zebrad-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}" \ "zebrad-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}" \
--version template="zebrad-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ env.GITHUB_SHA_SHORT }}" \ --version template="zebrad-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ env.GITHUB_SHA_SHORT }}" \
--region "${{ env.REGION }}" --region "${{ env.REGION }}"
deploy-instance:
name: Deploy single instance
needs: build
runs-on: ubuntu-latest
timeout-minutes: 30
if: github.event_name == 'workflow_dispatch'
steps:
- uses: actions/checkout@v2.4.0
with:
persist-credentials: false
- name: Inject slug/short variables
uses: rlespinasse/github-slug-action@v4
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.5.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up gcloud SDK environment
uses: google-github-actions/setup-gcloud@v0.5.0
with:
project_id: ${{ env.PROJECT_ID }}
# Create instance template from container image
- name: Manual deploy of a single instance running zebrad
run: |
gcloud compute instances create-with-container "zebrad-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ env.GITHUB_SHA_SHORT }}" \
--boot-disk-size 100GB \
--boot-disk-type=pd-ssd \
--container-stdin \
--container-tty \
--container-image ${{ env.GAR_BASE }}/${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}:${{ env.GITHUB_SHA_SHORT }} \
--create-disk name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }},auto-delete=yes,size=100GB,type=pd-ssd \
--container-mount-disk mount-path='/zebrad-cache',name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }} \
--machine-type ${{ env.MACHINE_TYPE }} \
--zone ${{ env.ZONE }} \
--tags zebrad
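Review bot: the `gcloud compute instances create-with-container` call in `deploy-instance` passes neither `--service-account` nor `--scopes`, while the template in `deploy-nodes` passes `--scopes cloud-platform`, so manual and automatic deployments end up with different identities and scopes; set the same explicit service account and scopes in both. The instance and disk names are built only from the branch slug and short SHA, so a second manual run for the same commit with a different `network` input fails on the name collision; include the network in the name or delete the previous instance first.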


@ -1,53 +0,0 @@
name: Manual Deploy
on:
workflow_dispatch:
inputs:
network:
default: 'Mainnet'
checkpoint_sync:
default: true
env:
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
ZONE: us-central1-a
MACHINE_TYPE: n2-standard-4
DEPLOY_SA: cos-vm@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com
jobs:
deploy:
name: Deploy one zebrad node
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2.4.0
with:
persist-credentials: false
- name: Inject slug/short variables
uses: rlespinasse/github-slug-action@v4
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v0.5.0
with:
project_id: ${{ env.PROJECT_ID }}
service_account_key: ${{ secrets.GCLOUD_AUTH }}
# Build and push image to Google Container Registry
- name: Build
# Tagging w/ the commit SHA blocks the :latest tag on GCR
run: |
gcloud builds submit \
--config cloudbuild.yaml \
--substitutions SHORT_SHA="${{ env.GITHUB_SHA_SHORT }}",BRANCH_NAME="${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}",_CHECKPOINT_SYNC="${{ github.event.inputs.checkpoint_sync }}",_NETWORK="${{ github.event.inputs.network }}"
# Creates Compute Engine virtual machine instance w/ zebrad container and disks
- name: Create instance running zebrad container image
run: |
gcloud compute instances create-with-container "zebrad-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ env.GITHUB_SHA_SHORT }}" \
--container-image "gcr.io/${{ env.PROJECT_ID }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG }}/${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}:${{ env.GITHUB_SHA_SHORT }}" \
--container-mount-disk mount-path='/zebrad-cache',name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }} \
--create-disk name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }},auto-delete=yes,size=100GB,type=pd-balanced \
--machine-type ${{ env.MACHINE_TYPE }} \
--service-account ${{ env.DEPLOY_SA }} \
--tags zebrad \
--zone ${{ env.ZONE }}

.github/workflows/zcash-params.yml vendored Normal file

@ -0,0 +1,68 @@
name: zcash-params
on:
workflow_dispatch:
pull_request:
path:
- 'zebra-consensus/src/primitives/groth16/params.rs'
- 'zebra-consensus/src/chain.rs'
- 'zebrad/src/commands/start.rs'
- '.github/workflows/zcash-params.yml'
env:
CARGO_INCREMENTAL: '1'
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
IMAGE_NAME: zcash-params
jobs:
build:
name: Build images
timeout-minutes: 60
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2.4.0
with:
persist-credentials: false
- name: Inject slug/short variables
uses: rlespinasse/github-slug-action@v4
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.5.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
# Setup Docker Buildx to allow use of docker cache layers from GH
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Login to Google Artifact Registry
uses: docker/login-action@v1.12.0
with:
registry: us-docker.pkg.dev
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
# Build and push image to Google Artifact Registry
- name: Build & push
id: docker_build
uses: docker/build-push-action@v2.8.0
with:
target: builder
context: .
file: ./docker/Dockerfile.params
tags: |
${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:latest
${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:${{ env.GITHUB_SHA_SHORT }}
build-args: |
SHORT_SHA=${{ env.GITHUB_SHA_SHORT }}
ZEBRA_SKIP_IPV6_TESTS="1"
SENTRY_DSN=${{ secrets.SENTRY_ENDPOINT }}
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
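Review bot: the `pull_request` trigger together with `push: true` and the `${{ env.IMAGE_NAME }}:latest` tag lets a build of unmerged pull request code replace `zcash-params:latest`, the image that `docker/Dockerfile.build` copies into the runtime stage without a tag; push `latest` only from `main` (tag pull request builds with the SHA alone) and have consumers pin a digest. The filter key is written `path:`, but the workflow syntax key is `paths:`, so the file filter will not apply as written. `SENTRY_DSN` is passed in `build-args` although `Dockerfile.params` declares no `ARG SENTRY_DSN`; drop it from this workflow.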


@ -71,4 +71,4 @@ jobs:
gcloud compute instance-groups managed rolling-action start-update \ gcloud compute instance-groups managed rolling-action start-update \
"zcashd-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ github.event.inputs.network }}" \ "zcashd-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ github.event.inputs.network }}" \
--version template="zcashd-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ env.GITHUB_SHA_SHORT }}" \ --version template="zcashd-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}-${{ env.GITHUB_SHA_SHORT }}" \
--region "${{ env.REGION }}" --region "${{ env.REGION }}"


@ -1,25 +0,0 @@
steps:
- name: 'gcr.io/cloud-builders/docker'
args: ['build',
'--build-arg',
'SHORT_SHA=$SHORT_SHA',
'--build-arg',
'checkpoint_sync=${_CHECKPOINT_SYNC}',
'--build-arg',
'network=${_NETWORK}',
'--target',
'zebrad-release',
'-t',
'gcr.io/$PROJECT_ID/zcashfoundation/zebra/$BRANCH_NAME:$SHORT_SHA',
'-f',
'docker/Dockerfile.build',
'.']
images:
- 'gcr.io/$PROJECT_ID/zcashfoundation/zebra/$BRANCH_NAME:$SHORT_SHA'
options:
machineType: 'N1_HIGHCPU_32'
substitution_option: 'ALLOW_LOOSE'
timeout: 3600s # 60 mins


@ -1,56 +1,102 @@
# Builder image # This steps implement cargo-chef for docker layer caching
FROM rust:buster as builder # We are using four stages:
# - chef: installs cargo-chef
# - planner: computes the recipe file
# - builder: caches our dependencies and builds the binary
# - tester: builds and run tests
# - runtime: is our runtime environment
FROM rust:bullseye as chef
RUN cargo install cargo-chef --locked
WORKDIR /app
RUN apt-get update && \ FROM chef AS planner
apt-get install -y --no-install-recommends \ COPY . .
make cmake g++ gcc llvm libclang-dev clang ca-certificates RUN cargo chef prepare --recipe-path recipe.json
RUN mkdir /zebra FROM chef AS builder
WORKDIR /zebra COPY --from=planner /app/recipe.json recipe.json
ARG SHORT_SHA # Install zebra build deps
ENV SHORT_SHA $SHORT_SHA RUN apt-get -qq update && \
apt-get -qq install -y --no-install-recommends \
llvm \
libclang-dev \
clang \
ca-certificates \
; \
rm -rf /var/lib/apt/lists/* /tmp/*
ENV RUST_BACKTRACE full # Install google OS Config agent
ENV CARGO_HOME /zebra/.cargo/ RUN apt-get -qq update && \
apt-get -qq install -y --no-install-recommends \
curl \
lsb-release \
; \
echo "deb http://packages.cloud.google.com/apt google-compute-engine-$(lsb_release -cs)-stable main" > /etc/apt/sources.list.d/google-compute-engine.list && \
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - && \
apt-get -qq update && \
apt-get -qq install -y --no-install-recommends google-osconfig-agent && \
rm -rf /var/lib/apt/lists/* /tmp/*
RUN rustc -V; cargo -V; rustup -V # Optimize builds. In particular, regenerate-stateful-test-disks.yml was reaching the
# GitHub Actions time limit (6 hours), so we needed to make it faster.
ENV RUSTFLAGS -O
ENV CARGO_HOME /app/.cargo/
# Build dependencies - this is the caching Docker layer!
RUN cargo chef cook --release --features enable-sentry --recipe-path recipe.json
ARG RUST_BACKTRACE=1
ENV RUST_BACKTRACE ${RUST_BACKTRACE}
COPY . . COPY . .
# Build zebra
RUN cargo build --locked --release --features enable-sentry --bin zebrad
RUN cd zebrad/; cargo build --release --features enable-sentry FROM builder AS tester
# Pre-download Zcash Sprout and Sapling parameters
# TODO: do not hardcode the user /root/ even though is a safe assumption
COPY --from=us-docker.pkg.dev/zealous-zebra/zebra/zcash-params /root/.zcash-params /root/.zcash-params
# Skip IPv6 tests by default, as some CI environment don't have IPv6 available
ARG ZEBRA_SKIP_IPV6_TESTS=1
ENV ZEBRA_SKIP_IPV6_TESTS ${ZEBRA_SKIP_IPV6_TESTS}
RUN cargo test --locked --release --features enable-sentry --workspace --no-run
CMD ["cargo" "test" "--locked" "--release" "--features" "enable-sentry" "--workspace"]
# Runner image # Runner image
FROM debian:buster-slim AS zebrad-release FROM debian:bullseye-slim AS runtime
COPY --from=builder /app/target/release/zebrad /usr/local/bin
COPY --from=us-docker.pkg.dev/zealous-zebra/zebra/zcash-params /root/.zcash-params /root/.zcash-params
RUN apt-get update && \ RUN apt-get update && \
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
ca-certificates ca-certificates
COPY --from=builder /zebra/target/release/zebrad /
ARG CHECKPOINT_SYNC=true ARG CHECKPOINT_SYNC=true
ARG NETWORK=Mainnet ARG NETWORK=Mainnet
RUN printf "[consensus]\n" >> /zebrad.toml RUN set -ex; \
RUN printf "checkpoint_sync = ${CHECKPOINT_SYNC}\n" >> /zebrad.toml { \
RUN printf "[metrics]\n" >> /zebrad.toml echo "[consensus]"; \
RUN printf "endpoint_addr = '0.0.0.0:9999'\n" >> /zebrad.toml echo "checkpoint_sync = ${CHECKPOINT_SYNC}"; \
RUN printf "[network]\n" >> /zebrad.toml echo "[metrics]"; \
RUN printf "network = '${NETWORK}'\n" >> /zebrad.toml echo "endpoint_addr = '0.0.0.0:9999'"; \
RUN printf "[state]\n" >> /zebrad.toml echo "[network]"; \
RUN printf "cache_dir = '/zebrad-cache'\n" >> /zebrad.toml echo "network = '${NETWORK}'"; \
RUN printf "[tracing]\n" >> /zebrad.toml echo "[state]"; \
RUN printf "endpoint_addr = '0.0.0.0:3000'\n" >> /zebrad.toml echo "cache_dir = '/zebrad-cache'"; \
RUN cat /zebrad.toml echo "[tracing]"; \
echo "endpoint_addr = '0.0.0.0:3000'"; \
# Pre-download Zcash Sprout and Sapling parameters } > "zebrad.toml"
RUN /zebrad download
EXPOSE 3000 8233 18233 EXPOSE 3000 8233 18233
ENV RUST_LOG debug ARG SHORT_SHA
ENV RUST_BACKTRACE full ENV SHORT_SHA $SHORT_SHA
ENV SENTRY_DSN https://94059ee72a44420286310990b7c614b5@o485484.ingest.sentry.io/5540918
CMD [ "/zebrad", "-c", "/zebrad.toml", "start" ] ARG SENTRY_DSN
ENV SENTRY_DSN ${SENTRY_DSN}
CMD [ "zebrad", "-c", "zebrad.toml", "start" ]
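Review bot: both `COPY --from=us-docker.pkg.dev/zealous-zebra/zebra/zcash-params` lines (tester and runtime stages) pull an untagged image from a hard-coded project, so each build takes whatever `latest` currently is; pin the image by digest and take the registry path from a build argument. `ENV SENTRY_DSN ${SENTRY_DSN}` in the runtime stage writes the value that was just moved to secrets into the image config, readable by anyone who can pull the image; pass it when the container is created instead (for example with `--container-env`). The tester `CMD ["cargo" "test" ...]` has no commas between elements, so it is not valid exec-form JSON and will be run through a shell. The OS Config agent is installed in the `builder` stage, but `runtime` starts from `debian:bullseye-slim` and copies only `zebrad` and the params, so the agent is absent from the deployed image; it is also added with `curl ... | apt-key add -` and a `deb http://` source, which should become a `signed-by` keyring and an `https` source. The header comment says four stages and lists five.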

docker/Dockerfile.params Normal file

@ -0,0 +1,36 @@
# This steps implement cargo-chef for docker layer caching
# This image is for caching Zcash Sprout and Sapling parameters
FROM rust:bullseye as chef
RUN cargo install cargo-chef --locked
WORKDIR /app
FROM chef AS planner
COPY . .
RUN cargo chef prepare --recipe-path recipe.json
FROM chef AS builder
COPY --from=planner /app/recipe.json recipe.json
# Install zebra build deps
RUN apt-get -qq update && \
apt-get -qq install -y --no-install-recommends \
llvm \
libclang-dev \
clang \
ca-certificates \
; \
rm -rf /var/lib/apt/lists/* /tmp/*
# Optimize builds. In particular, regenerate-stateful-test-disks.yml was reaching the
# GitHub Actions time limit (6 hours), so we needed to make it faster.
ENV RUSTFLAGS -O
ENV CARGO_HOME /app/.cargo/
# Build dependencies - this is the caching Docker layer!
RUN cargo chef cook --release --features enable-sentry --recipe-path recipe.json
ARG RUST_BACKTRACE=1
ENV RUST_BACKTRACE ${RUST_BACKTRACE}
COPY . .
# Pre-download Zcash Sprout and Sapling parameters
RUN cargo run --locked --release --features enable-sentry --bin zebrad download
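Review bot: the file ends inside the `builder` stage, so the pushed `zcash-params` image carries the full source tree from `COPY . .`, the cargo home and `target/`, although consumers copy only `/root/.zcash-params`; add a final minimal stage that copies just that directory and point the workflow's `target` at it. The chef, planner and builder stages duplicate those in `Dockerfile.build` line for line, so a shared base image or a comment tying the two together would stop them drifting apart. The opening comment should also say where the downloaded parameters land, since other Dockerfiles depend on that path.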