Fix arm64 QEMU build failure: replace apt-get curl with Alpine multi-stage build

[Copilot]

apt-get install curl in both Dockerfiles causes libc-bin's post-install ldconfig to segfault under QEMU user-mode emulation for linux/arm64, breaking cross-platform CI builds.

Changes

• beacon-chain/Dockerfile / validator/Dockerfile: Added an Alpine first stage to install curl via apk (which does not trigger ldconfig), then copy the binary into the final image — eliminating dpkg execution under QEMU entirely.

FROM --platform=$TARGETPLATFORM alpine:3.20 AS curl-stage
RUN apk add --no-cache curl

ARG UPSTREAM_VERSION
FROM sigp/lighthouse:${UPSTREAM_VERSION}
# ...
COPY --from=curl-stage /usr/bin/curl /usr/bin/curl
RUN chmod +rx /usr/local/bin/entrypoint.sh /etc/profile.d/consensus_tools.sh

--platform=$TARGETPLATFORM ensures the correct architecture binary is fetched. Alpine's apk does not invoke ldconfig, sidestepping the QEMU segfault entirely.

Original prompt

Problem

The CI build at https://github.com/dappnode/DAppNodePackage-lighthouse-generic/actions/runs/24131958805/job/70414654417 is failing when building the Docker image for linux/arm64 with QEMU emulation. The error occurs in both beacon-chain/Dockerfile and validator/Dockerfile at the RUN step that does apt-get update && apt-get --yes install curl.

The root cause is a well-known QEMU bug where ldconfig (triggered by libc-bin post-install scripts during dpkg) segfaults under QEMU user-mode emulation for arm64:

#18 39.99 qemu: uncaught target signal 11 (Segmentation fault) - core dumped
#18 40.28 dpkg: error processing package libc-bin (--configure):
#18 40.28  installed libc-bin package post-installation script subprocess returned error exit status 139

Fix

Replace the apt-get install curl approach with downloading a statically-compiled curl binary. This completely avoids running apt-get/dpkg under QEMU emulation, sidestepping the segfault entirely.

Files to change:

beacon-chain/Dockerfile — Replace lines 19-21:

RUN rm -rf /var/lib/apt/lists/* && \
    apt-get update && apt-get --yes install curl && apt-get clean && \
    chmod +rx /usr/local/bin/entrypoint.sh /etc/profile.d/consensus_tools.sh

With a solution that installs curl without apt-get. The recommended approach is to use a multi-stage build: add a first stage that downloads a static curl binary for the target architecture, then COPY it into the final image. For example:

FROM --platform=$TARGETPLATFORM alpine:3.20 AS curl-stage
RUN apk add --no-cache curl

ARG UPSTREAM_VERSION
FROM sigp/lighthouse:${UPSTREAM_VERSION}
# ... rest of Dockerfile ...
COPY --from=curl-stage /usr/bin/curl /usr/bin/curl
RUN chmod +rx /usr/local/bin/entrypoint.sh /etc/profile.d/consensus_tools.sh

Alpine's apk package manager does NOT trigger ldconfig and does NOT have the same QEMU segfault issue — it works reliably under QEMU emulation. The --platform=$TARGETPLATFORM ensures we get the correct architecture binary.

validator/Dockerfile — Apply the exact same fix. Lines 18-20 have the identical pattern:

RUN rm -rf /var/lib/apt/lists/* && \
    apt-get update && apt-get --yes install curl && apt-get clean && \
    chmod +rx /usr/local/bin/entrypoint.sh /etc/profile.d/consensus_tools.sh

Important notes:

• Both Dockerfiles need the same fix
• Make sure the COPY --from=curl-stage line copies curl to a location that's on the PATH (e.g., /usr/bin/curl or /usr/local/bin/curl)
• curl also needs its shared libraries (libcurl, libssl, etc.) — using Alpine as the source stage handles this because Alpine's curl links against musl libc statically. Alternatively, if dependencies are needed, you can copy the necessary libs too. The simplest approach is to install curl in the Alpine stage and copy the binary, since Alpine curl is statically linked.
• Ensure the chmod +rx for entrypoint.sh and consensus_tools.sh is preserved
• The base image sigp/lighthouse is Ubuntu-based, so the static/musl-linked curl binary from Alpine will work fine as a standalone binary
• Do NOT remove security_opt: - seccomp:unconfined from docker-compose.yml — that's unrelated

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: make a pr with your preferred fix

Assistant:

Let me start by looking at the failing job logs to understand what's going wrong.

Assistant: Now let me look at how the build is invoked to understand the full context better.

Assistant: Now I have a clear picture of the issue and the codebase. Let me also check if there's a validator Dockerfile:

Assistant: Now I have a clear picture of the issue and the fix needed. The build fails because of QEMU segfaults when running apt-get install during cross-compilation for linux/arm64. The libc-bin package's post-install script (ldconfig) crashes under QEMU emulation. The well-known workaround is to install curl using a multi-stage build approach that avoids running dpkg triggers under emulation, or more practically, to use curl's static binary, or to download curl from the upstream image's native architecture. However, the most robust Dockerfile-level fix is to use --no-install-recommends and set DEBIAN_FRONTEND=noninteractive, combined with retries — but ultimately the real fix for a QEMU ldconfig segfault is to either avoid apt-get entirely (use a static curl binary) or to use a multi-stage approach where curl is copied from a native build stage.

Let me create the PR.

Assistant: I'm waiting for your confirmation to proceed with creating the pull request to fix the arm64 Docker build failure.

This pull request was created from Copilot chat.