@Spich3000 Spich3000 commented Oct 14, 2025

Cronos mainnet image bump v1.4.11
https://github.com/crypto-org-chain/cronos/releases/tag/v1.4.11

[⚠️ 15 Oct – Cronos EVM & Cronos POS Node Stability Patches ⚠️]

Stability patches have been released for both Cronos EVM and Cronos POS networks to enhance node performance and reliability.

‼️ All validators and node hosts are required to upgrade IMMEDIATELY to avoid potential service disruptions.

Affected Networks

Cronos EVM
  • Mainnet (cronosmainnet_25-1)
  • Testnet (cronostestnet_338-3)

Cronos POS
  • Mainnet (crypto-org-chain-mainnet-1)
  • Testnet (testnet-croeseid-4)

👉 Action Required
Please upgrade your nodes to the latest versions:

Note
This is a non-breaking upgrade. Node operators can gracefully shut down their node, replace the binary, and restart it using the new version.

Summary by CodeRabbit

  • Chores

    • Streamlined container build steps to reduce complexity.
    • Updated bundled binary to v1.4.11 and simplified extraction process.
    • Adjusted default runtime user to root.
    • Preserved existing entrypoint behavior to maintain runtime compatibility.
  • Refactor

    • Reorganized user and directory setup during image build for clearer separation of concerns.

Signed-off-by: Dmitrii Spichakov <[email protected]>
@Spich3000 Spich3000 changed the title feat: Cornos mainnet image bump v1.4.11 feat: Cronos mainnet image bump v1.4.11 Oct 14, 2025
coderabbitai bot commented Oct 14, 2025

Walkthrough

Single Dockerfile refactor: reorders user and directory setup, consolidates package installation flags, changes downloaded Cronos tarball from v1.5.0 testnet to v1.4.11 with a different extraction/move flow, removes SHA256 verification, adjusts chown placement, switches runtime user to root, and retains the same ENTRYPOINT.

Changes

Cohort / File(s): Docker image build and runtime flow (Dockerfile)
Summary: Split user vs. directory creation steps; consolidated apt-get flags; replaced testnet v1.5.0 tarball with v1.4.11; changed extraction to single tar -xvf and moved contents to /home/cronos/; removed sha256 check; kept chown but reordered; changed USER from cronos to root; ENTRYPOINT unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Poem

A bunny packed a Docker crate,
Swapped a tar, adjusted fate.
Checked no sums, ran as root,
Hopped to bin for swift reboot.
Cronos hums—container tight,
Carrots cached, ENTRYPOINT right. 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check: Passed. The title clearly indicates a feature change focused on bumping the Cronos mainnet image to version v1.4.11, which matches the central purpose of the pull request. It uses a concise conventional commit style and directly references the relevant version. The phrasing is specific enough to convey the upgrade intent without extraneous details. This aligns well with the changeset's objective of updating the Docker image version.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.
@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4482701 and f0850e8.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
Dockerfile

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: guardrails/scan

Comment on lines +11 to +12
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.4.11/cronos_1.4.11_Linux_x86_64.tar.gz && tar -xvf cronos_1.4.11_Linux_x86_64.tar.gz \
&& rm cronos_1.4.11_Linux_x86_64.tar.gz && mv ./* /home/cronos/
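Review bot: `mv ./* /home/cronos/` after `cd /tmp` relocates everything that happens to be in /tmp at that point, not only the archive's contents, so the image's home directory content depends on what earlier layers left behind. Extract into a dedicated empty directory instead (for example `mkdir -p /tmp/cronos && tar -xf cronos_1.4.11_Linux_x86_64.tar.gz -C /tmp/cronos`) and move from there; and, as the Checkov finding above already flags, drop `--no-check-certificate` so wget validates the release server's certificate.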

⚠️ Potential issue | 🔴 Critical

Reinstate TLS and checksum verification for the Cronos tarball.

wget --no-check-certificate disables TLS validation and the checksum verification step has been dropped, so we now pipe an unauthenticated binary straight into the image. This is a critical supply-chain regression relative to the previous Dockerfile. Please restore CA verification and the SHA256 (or stronger) digest check before we can ship.


🤖 Prompt for AI Agents
In Dockerfile around lines 11-12, restore TLS and checksum verification for the
Cronos tarball: remove the wget --no-check-certificate usage (use curl -fSL or
wget with default TLS), fetch the official release checksum (or
.sha256/.sha256sum file) from the same GitHub release, verify the downloaded
tarball against the expected SHA256 (e.g., using sha256sum --check or echo
"<expected>  file" | sha256sum -c -) and exit/ fail the build if the digest does
not match, then only extract and move the archive; also clean up checksum and
signature files after verification. Ensure commands return non-zero on
verification failure so the image build cannot proceed with an unauthenticated
artifact.

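The verification step this review asks for, written out as an added example; it is not code from the PR or from the Cronos project's Dockerfile. It is a POSIX shell function that pins an expected SHA-256 digest and exits non-zero on mismatch (which is what makes a RUN step abort the image build), plus a download wrapper that keeps wget's default certificate validation. The URL, file name and digest are the caller's inputs; the self-check uses a constructed sample file rather than a real release, and the digest for the real v1.4.11 tarball must be copied from the official release page (a placeholder is shown in the usage comment).

```shell
#!/bin/sh
# Added example (not the PR's or the Cronos project's code): pinned-digest
# verification for a downloaded release archive, usable from a Dockerfile RUN step.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Exit status 0 only when FILE's SHA-256 equals EXPECTED_HEX; sha256sum -c
# exits non-zero on mismatch, which is what makes a RUN step fail the build.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1
}

# fetch_and_verify URL FILE EXPECTED_HEX
# Downloads with wget's default certificate validation (no --no-check-certificate),
# then checks the digest; on mismatch the file is deleted so a later step cannot
# extract it by accident, and the function returns 1.
fetch_and_verify() {
    url=$1; file=$2; expected=$3
    wget -q -O "$file" "$url"
    if ! verify_sha256 "$file" "$expected"; then
        echo "digest mismatch for $file, refusing to use it" >&2
        rm -f "$file"
        return 1
    fi
}

# demo_self_check: constructed sample in place of the real tarball, runs offline.
# Returns 0 when a matching digest is accepted and an altered digest is rejected.
demo_self_check() {
    dir=$(mktemp -d)
    sample="$dir/cronos_sample.tar.gz"
    printf 'constructed payload standing in for the release archive\n' > "$sample"
    good=$(sha256sum "$sample" | cut -d' ' -f1)
    # Shift every hex digit by one so the altered digest differs in all 64 positions.
    bad=$(printf '%s' "$good" | tr '0-9a-f' '1-9a-f0')
    rc=0
    verify_sha256 "$sample" "$good" || rc=1
    if verify_sha256 "$sample" "$bad"; then rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Dockerfile usage (hypothetical file name verify.sh; placeholder digest to be
# replaced with the value published on the official v1.4.11 release page):
# RUN . /tmp/verify.sh && fetch_and_verify \
#     https://github.com/crypto-org-chain/cronos/releases/download/v1.4.11/cronos_1.4.11_Linux_x86_64.tar.gz \
#     /tmp/cronos_1.4.11_Linux_x86_64.tar.gz "<EXPECTED_SHA256_FROM_RELEASE_PAGE>"
```

Pinning the digest in the Dockerfile (rather than downloading a checksum file from the same location as the tarball) is the stronger choice: an attacker who can replace the archive on the download path can usually replace a sidecar checksum file too, whereas a digest committed to the repository has to be changed in a reviewed commit.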

USER cronos
WORKDIR /home/cronos
USER root
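Review bot: the `USER cronos` directive at the top of this hunk is dead, since `USER root` two lines later overrides it and becomes the user the ENTRYPOINT runs as. Keep a single `USER cronos` as the last USER directive in the file, and make sure /home/cronos and the binary moved into it are owned by that user at build time so the daemon does not need root.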

⚠️ Potential issue | 🟠 Major

Revert to the non-root runtime user.

Switching the container back to USER root removes the least-privilege protection we previously had. The cronos daemon does not require root inside the container, so this change reintroduces an avoidable security risk. Please keep running as the dedicated cronos user.

🤖 Prompt for AI Agents
In Dockerfile around line 17, the PR changed the runtime user to "root" which
removes least-privilege protection; revert this to the dedicated non-root user
(e.g., USER cronos) and ensure any files or directories the container needs at
runtime are owned by that user and have the correct permissions (chown/chmod
during image build or COPY --chown) so the cronos daemon can run without root
privileges. Ensure the ENTRYPOINT/CMD and any startup scripts are executable by
the cronos user.
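A build-pipeline check for the point raised in this comment, as an added example that is not part of the PR or the Cronos project: a small POSIX shell lint that reports which user a Dockerfile's final stage runs as (the last USER directive, or root when there is none) and fails when that user is root. The two Dockerfile samples it checks are constructed here; the PR-style one reproduces the USER cronos / WORKDIR / USER root sequence shown above, and the corrected one is an assumed hardened layout using COPY --chown and a final USER cronos.

```shell
#!/bin/sh
# Added example (not the PR's or the Cronos project's code): a lint that reports
# the user a Dockerfile's final stage will run as, so a pipeline can refuse images
# that end up running as root.
set -eu

# effective_user DOCKERFILE
# Prints the argument of the last USER directive (directive names are
# case-insensitive); prints "root" when no USER directive exists, the default.
effective_user() {
    user=$(awk 'toupper($1) == "USER" { u = $2 } END { print (u == "" ? "root" : u) }' "$1")
    # A "name:group" or numeric "uid:gid" spec: keep only the user part.
    printf '%s\n' "${user%%:*}"
}

# check_nonroot DOCKERFILE
# Exit 0 when the image runs as a non-root user, 1 when it runs as root or uid 0.
check_nonroot() {
    u=$(effective_user "$1")
    case "$u" in
        root|0) echo "$1: final USER is $u" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# write_samples DIR: constructed samples, the directive sequence from this PR
# and an assumed corrected form.
write_samples() {
    dir=$1
    cat > "$dir/Dockerfile.pr" <<'EOF'
FROM ubuntu:22.04
RUN useradd -m cronos
USER cronos
WORKDIR /home/cronos
USER root
ENTRYPOINT ["/home/cronos/cronosd"]
EOF
    cat > "$dir/Dockerfile.fixed" <<'EOF'
FROM ubuntu:22.04
RUN useradd -m cronos
# Files the daemon needs are owned by the runtime user at build time, so root is never needed later.
COPY --chown=cronos:cronos cronosd /home/cronos/cronosd
WORKDIR /home/cronos
USER cronos:cronos
ENTRYPOINT ["/home/cronos/cronosd"]
EOF
}

# demo: returns 0 when the PR-style file is flagged and the corrected one passes.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    rc=0
    if check_nonroot "$dir/Dockerfile.pr" 2>/dev/null; then rc=1; fi
    check_nonroot "$dir/Dockerfile.fixed" || rc=1
    rm -rf "$dir"
    return $rc
}
```

Running `check_nonroot Dockerfile` as a CI step turns the reviewer's "please keep running as the dedicated cronos user" into a gate that fails the build, which is more reliable than catching the regression by eye in a diff.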

@Spich3000 Spich3000 merged commit b8abd88 into master Oct 14, 2025
3 checks passed