@Spich3000 Spich3000 commented Sep 16, 2025

INFRA-5557 Cronos v1.5.0 Upgrades across clusters

Summary by CodeRabbit

  • New Features

    • None.
  • Chores

    • Upgraded the container’s bundled Cronos runtime to v1.5.0 for improved stability and compatibility.
  • Impact

    • Users running the container benefit from upstream fixes and improvements included in Cronos 1.5.0 without changing usage or configuration.

Signed-off-by: Dmitrii Spichakov <[email protected]>

coderabbitai bot commented Sep 16, 2025

Walkthrough

Bumps the Cronos binary version used in the Docker image from 1.4.10 to 1.5.0 by updating the download URL, tarball filename, and related extraction/cleanup commands. All subsequent Dockerfile steps and runtime directives remain unchanged.

Changes

Cohort / File(s): Cronos version bump in Dockerfile (Dockerfile)
Summary: Updated download URL and tarball from cronos_1.4.10_Linux_x86_64.tar.gz to cronos_1.5.0_Linux_x86_64.tar.gz; adjusted extraction and cleanup commands accordingly. Post-install steps (move to /home/cronos, chown, permissions, ENTRYPOINT, USER) unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I nudge the tag, a tiny hop,
From 1.4.10 to 1.5.0—no stop.
Tarballs roll, I flick an ear,
Extract, clean up—carrots near.
In Docker’s burrow, neat and tight,
New bits nibble through the night. 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check: Passed. The title "Cronos mainnet image bump v1.5.0" succinctly and accurately summarizes the primary change in the PR (upgrading the Cronos image to v1.5.0 as shown in the Dockerfile), includes the component and exact version, and is brief and free of noise.
Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

11-13: Do not run the node as root.

Image currently ends as root; prefer the dedicated user created earlier.

Apply this diff:

-USER root
+USER cronos
+
+# Optional but recommended:
+# WORKDIR /home/cronos
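Review bot: the `WORKDIR /home/cronos` on the last two `+` lines is left commented out, which leaves the suggestion half-applied; either add `WORKDIR /home/cronos` as a real directive or drop the comment, so the node starts in a directory the `cronos` user owns and can write to. Also make sure `USER cronos` stays the final `USER` directive in the file, since any later `USER root` would undo the change and the image would end as root again.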

Ensure /home/cronos/bin/cronosd remains executable for user cronos (the chown already helps).

🧹 Nitpick comments (3)
Dockerfile (3)

6-6: Install CA roots and use lean apt options; clean up apt cache.

Without ca-certificates, TLS can fail and tempt disabling verification. Also reduce image size with --no-install-recommends and clean apt lists.

Apply this diff:

-RUN apt-get update -y && apt-get install wget curl procps net-tools jq lz4 -y
+RUN apt-get update -y \
+ && apt-get install -y --no-install-recommends ca-certificates curl procps net-tools jq lz4 \
+ && rm -rf /var/lib/apt/lists/*
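Review bot: the `+` line drops `wget` from the package list, but the `RUN` on lines 7-8 of this Dockerfile still downloads the tarball with `wget --no-check-certificate`, so applying this hunk on its own breaks the build; it only works together with the curl-based fetch proposed for those lines, or with `wget` kept in the list. `ca-certificates` is the important addition here: once the roots are installed there is no reason left to keep `--no-check-certificate` on the download.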

You can also drop wget entirely since curl is used above.


1-1: Pin base image by digest for reproducibility.

Consider pinning debian:bullseye-slim@sha256:<digest> to avoid silent base changes.


7-8: Parameterize the Cronos version once.

Using an ARG avoids touching multiple lines on future bumps.

Apply outside-range addition near the top (before downloads):

ARG CRONOS_VERSION=1.5.0

Then adjust the fetch lines (already changed) to:

- curl -fsSLO https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0_Linux_x86_64.tar.gz; \
- curl -fsSLO https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0_Linux_x86_64.tar.gz.sha256; \
- sha256sum -c cronos_1.5.0_Linux_x86_64.tar.gz.sha256; \
- tar -xzf cronos_1.5.0_Linux_x86_64.tar.gz -C /home/cronos --strip-components=1; \
+ curl -fsSLO https://github.com/crypto-org-chain/cronos/releases/download/v${CRONOS_VERSION}/cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz; \
+ curl -fsSLO https://github.com/crypto-org-chain/cronos/releases/download/v${CRONOS_VERSION}/cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz.sha256; \
+ sha256sum -c cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz.sha256; \
+ tar -xzf cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz -C /home/cronos --strip-components=1; \
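Review bot: the `-` lines in this hunk show the curl and `sha256sum -c` version of lines 7-8, not what the Dockerfile contains at this commit (the `wget --no-check-certificate ... mv ./*` step), so it cannot be applied until the other suggestion for lines 7-8 has landed; order the two suggestions accordingly. The `ARG CRONOS_VERSION=1.5.0` also has to be declared before the `RUN` that expands `${CRONOS_VERSION}`, otherwise it expands to an empty string, and it is worth pairing with a pinned `ARG CRONOS_SHA256=<expected digest>` checked by `sha256sum -c`: a `.sha256` file fetched from the same URL as the tarball only catches transfer corruption, not a swapped release asset.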
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3bc8405 and 02c52b3.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
Dockerfile

[high] 7-8: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: guardrails/scan

Comment on lines +7 to +8
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0_Linux_x86_64.tar.gz \
&& rm cronos_1.5.0_Linux_x86_64.tar.gz && mv ./* /home/cronos/
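Review bot: `--no-check-certificate` turns off TLS verification for the very download that becomes the node binary, and nothing else in the step (no checksum, no signature) ties what was fetched to the v1.5.0 release; the URL is the only record, so a rebuild months later silently picks up whatever that asset contains then. `mv ./* /home/cronos/` run from `/tmp` also sweeps up anything else present in `/tmp` and skips dotfiles. The checksum-verified curl fetch proposed in the review comment on these lines addresses both points.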

⚠️ Potential issue

❓ Verification inconclusive

Remove insecure TLS bypass; verify downloads and extract directly into target.

wget --no-check-certificate disables TLS verification (flagged by Checkov CKV2_DOCKER_3). Also, mv ./* /home/cronos/ from /tmp is brittle—extract straight into the destination and avoid moving unrelated files.

Apply this diff to harden the fetch and extraction:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0_Linux_x86_64.tar.gz \
-     && rm cronos_1.5.0_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+RUN set -eux; \
+  cd /tmp; \
+  curl -fsSLO https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0_Linux_x86_64.tar.gz; \
+  curl -fsSLO https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0_Linux_x86_64.tar.gz.sha256; \
+  sha256sum -c cronos_1.5.0_Linux_x86_64.tar.gz.sha256; \
+  mkdir -p /home/cronos; \
+  tar -xzf cronos_1.5.0_Linux_x86_64.tar.gz -C /home/cronos --strip-components=1; \
+  rm -rf /tmp/*
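Review bot: `sha256sum -c cronos_1.5.0_Linux_x86_64.tar.gz.sha256` on the fifth `+` line verifies against a file downloaded from the same origin a moment earlier, so it catches a corrupted or truncated transfer but not a replaced release asset; pin the expected digest in the Dockerfile instead (`echo "<expected digest>  cronos_1.5.0_Linux_x86_64.tar.gz" | sha256sum -c -`) or verify the release signature. The step also assumes the release publishes a `.sha256` asset in `sha256sum` format next to the tarball (the review itself marks verification inconclusive), so confirm that before merging or `curl -f` will fail the build. `set -eux` is the right choice for a `RUN` that uses `;` separators, since without it a failed `curl` or checksum would not stop the build.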

Follow-up: if the tarball layout differs, adjust --strip-components accordingly.



🤖 Prompt for AI Agents
Dockerfile lines 7-8: the RUN uses wget --no-check-certificate and moves
everything from /tmp into /home/cronos; replace this with a secure download
flow: fetch the tarball with a TLS-valid tool (curl -fSL or wget without
--no-check-certificate) into a temp file, fetch the corresponding checksum (or
signature) and verify it (sha256sum --check or gpg --verify) before extraction,
then extract the tarball directly into /home/cronos using tar with an
appropriate --strip-components value to avoid unwanted directory nesting, set
correct ownership/permissions, and remove temp files; ensure the step fails on
verification errors so builds stop on tampered downloads.
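The fetch, verify, extract flow described in the prompt above, as an added example that is not part of the PR or of CodeRabbit's suggestions: the expected digest is pinned by the caller (in a Dockerfile it would come from an ARG such as a hypothetical CRONOS_SHA256) rather than read from a .sha256 file fetched from the same origin as the tarball. It assumes sh, curl, sha256sum, tar and mktemp are available; the sample tarball is constructed locally so nothing is downloaded.

```shell
#!/bin/sh
# Added example (not from the PR or CodeRabbit): fetch-verify-extract with a pinned
# digest. The digest comes from the caller (a Dockerfile ARG, hypothetically
# CRONOS_SHA256), not from a .sha256 file served next to the tarball.
set -u

# verify_and_extract TARBALL EXPECTED_SHA256 DEST
# Extracts into DEST only when the digest matches; on mismatch DEST is left
# untouched and the function returns 1, so a RUN step under `set -e` fails the build.
verify_and_extract() {
    tarball=$1; expected=$2; dest=$3
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$dest"
    # --strip-components=1 drops the release's top-level directory, as in the suggested diff
    tar -xzf "$tarball" -C "$dest" --strip-components=1
}

# fetch_verify_extract URL EXPECTED_SHA256 DEST
# Dockerfile-shaped wrapper: TLS verification stays on, -f fails on HTTP errors,
# -L follows GitHub's release redirects; the temp dir is removed on either outcome.
fetch_verify_extract() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp -d)
    if curl -fsSL -o "$tmp/pkg.tar.gz" "$url" &&
       verify_and_extract "$tmp/pkg.tar.gz" "$expected" "$dest"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Constructed sample release (no network): a tarball shaped like the real one, with a
# top-level versioned directory and bin/cronosd inside. Prints the tarball path.
make_sample_tarball() {
    work=$(mktemp -d)
    mkdir -p "$work/cronos_1.5.0_Linux_x86_64/bin"
    printf '#!/bin/sh\necho sample\n' > "$work/cronos_1.5.0_Linux_x86_64/bin/cronosd"
    tar -czf "$work/sample.tar.gz" -C "$work" cronos_1.5.0_Linux_x86_64
    echo "$work/sample.tar.gz"
}
```

Inside a Dockerfile the same function body would sit in a single `RUN set -eux; ...` step with the digest supplied via a build ARG, so a mismatch aborts the build instead of producing an image with an unverified binary.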

@Spich3000 Spich3000 merged commit b4f2d47 into master Sep 16, 2025
3 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Sep 26, 2025