Files

GitHub Actions ca477c48d4 chore: Enhance documentation for E2E testing:

- Added clarity and structure to README files, including recent updates and getting started sections.
- Improved manual verification documentation for CrowdSec authentication, emphasizing expected outputs and success criteria.
- Updated debugging guide with detailed output examples and automatic trace capture information.
- Refined best practices for E2E tests, focusing on efficient polling, locator strategies, and state management.
- Documented triage report for DNS Provider feature tests, highlighting issues fixed and test results before and after improvements.
- Revised E2E test writing guide to include when to use specific helper functions and patterns for better test reliability.
- Enhanced troubleshooting documentation with clear resolutions for common issues, including timeout and token configuration problems.
- Updated tests README to provide quick links and best practices for writing robust tests.

2026-03-24 01:47:22 +00:00

9.2 KiB

Raw Blame History

GeoLite2 Database Checksum Update Guide

Overview

Charon uses the MaxMind GeoLite2-Country database for geographic IP information. When the upstream database is updated, the checksum in the Dockerfile must be updated to match the new file.

Automated Updates: Charon includes a GitHub Actions workflow that checks for upstream changes weekly and creates pull requests automatically.

Manual Updates: Follow this guide if the automated workflow fails or you need to update immediately.

When to Update

Update the checksum when:

Docker build fails with the following error:

sha256sum: /app/data/geoip/GeoLite2-Country.mmdb: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match

Automated workflow creates a PR (happens weekly on Mondays at 2 AM UTC)
GitHub Actions build fails with checksum mismatch

Automated Workflow (Recommended)

Charon includes a GitHub Actions workflow that automatically:

Checks for upstream GeoLite2 database changes weekly
Calculates the new checksum
Creates a pull request with the update
Validates Dockerfile syntax

Workflow File: .github/workflows/update-geolite2.yml

Schedule: Mondays at 2 AM UTC (weekly)

Manual Trigger:

gh workflow run update-geolite2.yml

Reviewing Automated PRs

When the workflow creates a PR:

Review the checksum change in the PR description
Verify the checksums match the upstream file (see verification below)
Wait for CI checks to pass (build, tests, security scans)
Merge the PR if all checks pass

Manual Update (5 Minutes)

Step 1: Download and Calculate Checksum

# Download the database file
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
  -o /tmp/geolite2-test.mmdb

# Calculate SHA256 checksum
sha256sum /tmp/geolite2-test.mmdb

# Example output:
# 436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d  /tmp/geolite2-test.mmdb

Step 2: Update Dockerfile

File: Dockerfile (line ~352)

Find this line:

ARG GEOLITE2_COUNTRY_SHA256=<old-checksum>

Replace with the new checksum:

ARG GEOLITE2_COUNTRY_SHA256=436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d

Using sed (automated):

NEW_CHECKSUM=$(curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum | cut -d' ' -f1)

sed -i "s/ARG GEOLITE2_COUNTRY_SHA256=.*/ARG GEOLITE2_COUNTRY_SHA256=${NEW_CHECKSUM}/" Dockerfile

Step 3: Verify the Change

# Verify the checksum was updated
grep "GEOLITE2_COUNTRY_SHA256" Dockerfile

# Expected output:
# ARG GEOLITE2_COUNTRY_SHA256=436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d

Step 4: Test Build

# Clean build environment (recommended)
docker builder prune -af

# Build without cache to ensure checksum is verified
docker build --no-cache --pull \
  --platform linux/amd64 \
  --build-arg VERSION=test-checksum \
  -t charon:test-checksum \
  .

# Verify build succeeded and container starts
docker run --rm charon:test-checksum /app/charon --version

Expected output:

✅ GeoLite2-Country.mmdb: OK
✅ Successfully tagged charon:test-checksum

Step 5: Commit and Push

git add Dockerfile
git commit -m "fix(docker): update GeoLite2-Country.mmdb checksum

The upstream GeoLite2 database file was updated, requiring a checksum update.

Old: <old-checksum>
New: <new-checksum>

Fixes: #<issue-number>
Resolves: Docker build checksum mismatch"

git push origin <branch-name>

Verification Script

Use this script to check if the Dockerfile checksum matches the upstream file:

#!/bin/bash
# verify-geolite2-checksum.sh

set -euo pipefail

DOCKERFILE_CHECKSUM=$(grep "ARG GEOLITE2_COUNTRY_SHA256=" Dockerfile | cut -d'=' -f2)
UPSTREAM_CHECKSUM=$(curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum | cut -d' ' -f1)

echo "Dockerfile: $DOCKERFILE_CHECKSUM"
echo "Upstream:   $UPSTREAM_CHECKSUM"

if [ "$DOCKERFILE_CHECKSUM" = "$UPSTREAM_CHECKSUM" ]; then
  echo "✅ Checksum matches"
  exit 0
else
  echo "❌ Checksum mismatch - update required"
  echo ""
  echo "Run: sed -i 's/ARG GEOLITE2_COUNTRY_SHA256=.*/ARG GEOLITE2_COUNTRY_SHA256=$UPSTREAM_CHECKSUM/' Dockerfile"
  exit 1
fi

Make executable:

chmod +x scripts/verify-geolite2-checksum.sh

Run verification:

./scripts/verify-geolite2-checksum.sh

Troubleshooting

Issue: Build Still Fails After Update

Symptoms:

Checksum verification fails
"FAILED" error persists

Solutions:

Clear Docker build cache:
```
docker builder prune -af
```

Verify the checksum was committed:

git show HEAD:Dockerfile | grep "GEOLITE2_COUNTRY_SHA256"

Re-download and verify upstream file:

curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" -o /tmp/test.mmdb
sha256sum /tmp/test.mmdb
diff <(echo "$EXPECTED_CHECKSUM") <(sha256sum /tmp/test.mmdb | cut -d' ' -f1)

Issue: Upstream File Unavailable (404)

Symptoms:

curl returns 404 Not Found
Automated workflow fails with download_failed error

Investigation Steps:

Check upstream repository:
- Visit: https://github.com/P3TERX/GeoLite.mmdb
- Verify the file still exists at the raw URL
- Check for repository status or announcements
Check MaxMind status:
- Visit: https://status.maxmind.com/
- Check for service outages or maintenance

Temporary Solutions:

Use cached Docker layer (if available):

docker build --cache-from ghcr.io/wikid82/charon:latest -t charon:latest .

Use local copy (temporary):

# Download from a working container
docker run --rm ghcr.io/wikid82/charon:latest cat /app/data/geoip/GeoLite2-Country.mmdb > /tmp/GeoLite2-Country.mmdb

# Calculate checksum
sha256sum /tmp/GeoLite2-Country.mmdb

Alternative source (if P3TERX mirror is down):
- Official MaxMind downloads require a license key
- Consider MaxMind GeoLite2 signup (free)

Issue: Checksum Mismatch on Re-download

Symptoms:

Checksum calculated locally differs from what's in the Dockerfile
Checksum changes between downloads

Investigation Steps:

Verify file integrity:

# Download multiple times and compare
for i in {1..3}; do
  curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum
done

Check for CDN caching issues:
- Wait 5 minutes and retry
- Try from different network locations

Verify no MITM proxy:

# Download via HTTPS and verify certificate
curl -v -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" -o /tmp/test.mmdb 2>&1 | grep "CN="

If confirmed as supply chain attack:

STOP and do not proceed
Report to security team
See Security Incident Response

Issue: Multi-Platform Build Fails (arm64)

Symptoms:

linux/amd64 build succeeds
linux/arm64 build fails with checksum error

Investigation:

Verify upstream file is architecture-agnostic:
- GeoLite2 .mmdb files are data files, not binaries
- Should be identical across all platforms
Check buildx platform emulation:
```
docker buildx ls
docker buildx inspect
```

Test arm64 build explicitly:

docker buildx build --platform linux/arm64 --load -t test-arm64 .

Additional Resources

Automated Workflow: .github/workflows/update-geolite2.yml
Implementation Plan: docs/plans/current_spec.md
QA Report: docs/reports/qa_report.md
Dockerfile: Dockerfile (line ~352)
MaxMind GeoLite2: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
P3TERX Mirror: https://github.com/P3TERX/GeoLite.mmdb

Historical Context

Issue: Docker build failures due to checksum mismatch (February 2, 2026)

Root Cause: The upstream GeoLite2 database file was updated by MaxMind, but the Dockerfile still referenced the old SHA256 checksum. When Docker's multi-stage build tried to verify the checksum, it failed and aborted the build, causing cascade failures in subsequent COPY commands that referenced earlier build stages.

Solution: Updated one line in Dockerfile (line 352) with the correct checksum and implemented an automated workflow to prevent future occurrences.

Build Failure URL: https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617

Related PRs:

Fix implementation: (link to PR)
Automated workflow addition: (link to PR)

Last Updated: February 2, 2026 Maintainer: Charon Development Team Status: Active

9.2 KiB Raw Blame History

GeoLite2 Database Checksum Update Guide

Overview

When to Update

Automated Workflow (Recommended)

Reviewing Automated PRs

Manual Update (5 Minutes)

Step 1: Download and Calculate Checksum

Step 2: Update Dockerfile

Step 3: Verify the Change

Step 4: Test Build

Step 5: Commit and Push

Verification Script

Troubleshooting

Issue: Build Still Fails After Update

Issue: Upstream File Unavailable (404)

Issue: Checksum Mismatch on Re-download

Issue: Multi-Platform Build Fails (arm64)

Additional Resources

Historical Context

9.2 KiB

Raw Blame History