Implement netcat listener for open port scanning on Render

[djstrong]

Lite PR

Summary

• Added netcat listener during container initialization to keep port open while database downloads/validates
• Added netcat-openbsd package to Dockerfile dependencies
• Netcat listener is automatically cleaned up before the actual server starts

---

Why

During container initialization, ENSRainbow can take a long time to download and validate the database (up to 20 minutes). Without a listener on the port during this phase, Render health checks fail and orchestration systems may mark the container as unhealthy or restart it prematurely. The netcat listener keeps the port open and accepts connections during initialization, then is cleanly terminated when the actual server is ready to start.

---

Testing

• Tested on Render

---

Notes for Reviewer (Optional)

• It is a quick workaround for Render.

---

Pre-Review Checklist (Blocking)

• This PR does not introduce significant changes and is low-risk to review quickly.
• Relevant changesets are included (or are not required)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
admin.ensnode.io	Skipped		Feb 6, 2026 10:25am
ensnode.io	Skipped		Feb 6, 2026 10:25am
ensrainbow.io	Skipped		Feb 6, 2026 10:25am

[changeset-bot]

⚠️ No Changeset found

Latest commit: ea2401e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a netcat-based background listener to container init: the Dockerfile installs netcat-openbsd, and entrypoint.sh starts a listener during database download/validation, then cleans it up before the application server binds the service port.

Changes

Cohort / File(s)	Summary
Dockerfile Runtime Dependencies apps/ensrainbow/Dockerfile	Adds netcat-openbsd to the runtime stage and includes comments explaining the listener's purpose and caveats (listener does not serve HTTP).
Entrypoint Initialization Logic apps/ensrainbow/scripts/entrypoint.sh	Starts a background netcat listener, adds cleanup_nc() and trap cleanup_nc EXIT, ensures listener is terminated and trap removed before server startup, and inserts a short delay to allow port release.

Sequence Diagram

sequenceDiagram
    participant Container as Container Init
    participant Netcat as Netcat Listener
    participant DB as Database Operations
    participant Server as Application Server

    Container->>Netcat: Start background listener on service port
    Note over Netcat: Holds port while DB download/validation run\n(no HTTP responses)
    Container->>DB: Download and validate database
    DB-->>Container: Database ready
    Container->>Netcat: Call cleanup_nc() (via EXIT trap or explicit)
    Netcat->>Netcat: Terminate process (release port)
    Netcat-->>Container: Port released
    Container->>Container: Short delay to ensure port free
    Container->>Server: Start application server
    Server->>Server: Bind to service port

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I held the port while the data came in,
A quiet listener, patient and thin,
When downloads finished and checks were done,
I hopped away so the server could run,
Little paws tidy — the job's neatly spun.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: implementing a netcat listener for Render deployment.
Description check	✅ Passed	The description follows the template structure with all required sections completed: Summary, Why, Testing, Pre-Review Checklist, and includes optional Notes for Reviewer.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch opdd

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR attempts to address healthcheck issues during the long startup period of the ENSRainbow service by adding a netcat listener that occupies the application port while the database is being downloaded and validated. The ensrainbow service has a 20-minute start period because it downloads and validates a large database before starting the actual server.

Changes:

• Added netcat-openbsd package to the Docker image
• Started a netcat listener on the application port during startup to respond to health checks
• Added cleanup logic to kill the netcat listener before starting the actual ENSRainbow server

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File	Description
apps/ensrainbow/Dockerfile	Added netcat-openbsd package installation to support the netcat listener
apps/ensrainbow/scripts/entrypoint.sh	Added netcat listener startup, cleanup function, and pre-server cleanup logic

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

🚀 Preview Packages - opdd

NPM Packages:

# Install latest preview for this branch
pnpm add @ensnode/datasources@preview-opdd
pnpm add @ensnode/ensnode-react@preview-opdd
pnpm add @ensnode/ensrainbow-sdk@preview-opdd
pnpm add @ensnode/ensnode-schema@preview-opdd
pnpm add @ensnode/ensnode-sdk@preview-opdd
pnpm add @ensnode/ponder-metadata@preview-opdd
pnpm add @ensnode/ponder-sdk@preview-opdd
pnpm add @ensnode/ponder-subgraph@preview-opdd
pnpm add @ensnode/ens-referrals@preview-opdd
pnpm add @ensnode/namehash-ui@preview-opdd

# Or install specific version
pnpm add @ensnode/ensnode-sdk@0.0.0-preview-opdd-20260205153739

Docker Images:

docker pull ghcr.io/namehash/ensnode/ensindexer:preview-opdd-aa06b11d
docker pull ghcr.io/namehash/ensnode/ensadmin:preview-opdd-aa06b11d
docker pull ghcr.io/namehash/ensnode/ensapi:preview-opdd-aa06b11d
docker pull ghcr.io/namehash/ensnode/ensrainbow:preview-opdd-aa06b11d

Build Info:

• 🎯 Target: 📦 NPM packages + 🐳 Docker images
• 📦 Version: 0.0.0-preview-opdd-20260205153739
• 📝 Commit: aa06b11d
• 🌿 Branch: opdd
• ⏰ Built: 2026-02-05 15:41:39 UTC
• 🔗 Workflow Run

---

🤖 This comment will be updated on subsequent publishing of release previews from the branch associated with this PR

Note: Preview packages are managed by changesets. NPM dist-tags can be cleaned up manually using npm dist-tag rm @ensnode/ensnode-sdk preview-opdd

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@apps/ensrainbow/Dockerfile`:
- Line 5: The RUN instruction installing packages in the Dockerfile ("RUN
apt-get update && apt-get install -y wget tar netcat-openbsd && rm -rf
/var/lib/apt/lists/*") should add --no-install-recommends to apt-get install to
avoid pulling recommended packages and reduce image size; update that command to
use apt-get install -y --no-install-recommends and, if deterministic builds are
required, pin package versions (e.g., package=version) or add an APT sources
snapshot so the RUN line (the installation step) produces reproducible, smaller
images.

In `@apps/ensrainbow/scripts/entrypoint.sh`:
- Around line 144-149: After calling cleanup_nc, immediately verify that the
netcat process was actually terminated (e.g., check NC_PID/process existence
with kill -0 or ps) before clearing NC_PID and removing the EXIT trap; if the
process still exists or the PID was reused, log an error and exit non-zero to
fail fast rather than proceeding to start the server. Ensure the check
references cleanup_nc, NC_PID and the trap - EXIT sequence so the script only
clears NC_PID and removes the trap after confirming netcat is no longer running.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR keeps Render health checks from failing during ENSRainbow’s long initialization by starting a background nc listener on $PORT in apps/ensrainbow/scripts/entrypoint.sh, and adds netcat-openbsd to the runtime image (apps/ensrainbow/Dockerfile). Before launching the actual server (pnpm run serve), the entrypoint attempts to kill the netcat process and removes the EXIT trap so the real server can bind the port.

Key integration point: the listener runs only during the DB download/validate phase and is intended to be torn down immediately before exec pnpm run serve --port $PORT.

Confidence Score: 3/5

• Moderately safe to merge, but there is a real risk of startup failures due to port-binding behavior in the init listener.
• Changes are small and localized, but the current netcat startup/cleanup does not validate that nc successfully bound the port or that the port is definitely freed before starting pnpm serve, which can produce deterministic boot failures in some environments/nc behaviors.
• apps/ensrainbow/scripts/entrypoint.sh

Important Files Changed

Filename	Overview
apps/ensrainbow/Dockerfile	Adds netcat-openbsd to runtime apt dependencies so entrypoint can run nc during init.
apps/ensrainbow/scripts/entrypoint.sh	Starts a background nc listener during init and kills it before starting the server; cleanup works but listener can fail to start silently and can bind the port in a way that prevents the server from starting.

Sequence Diagram

sequenceDiagram
    participant Orchestrator as Render/Orchestrator
    participant Entrypoint as entrypoint.sh
    participant NC as nc listener
    participant Downloader as download/validate
    participant Server as pnpm serve

    Orchestrator->>Entrypoint: Start container (PORT set)
    Entrypoint->>NC: nc -lk -p $PORT (background)
    Orchestrator->>NC: Health checks / connections
    Entrypoint->>Downloader: Download + extract DB (if needed)
    Entrypoint->>Downloader: pnpm validate:lite
    Entrypoint->>NC: cleanup_nc() / kill $NC_PID
    Entrypoint->>Server: exec pnpm run serve --port $PORT
    Orchestrator->>Server: Health checks / traffic

Loading

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

terraform/modules/ensadmin/main.tf (1)

1-52: ⚠️ Potential issue | 🟡 Minor

Run terraform fmt to fix CI failure.

The CI pipeline reports formatting differences in this file; please reformat and re-run the check.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@terraform/modules/ensadmin/main.tf`:
- Around line 42-45: The joined FQDN list built for
NEXT_PUBLIC_SERVER_CONNECTION_LIBRARY uses values(local.api_fqdns) which is
unordered; change the iteration to use a deterministic ordering such as sorting
keys(local.api_fqdns) and then mapping those keys to their FQDN values so the
join(...) produces a stable, repeatable string (update the expression that
constructs NEXT_PUBLIC_SERVER_CONNECTION_LIBRARY to iterate over sorted keys and
build "https://${fqdn}" from the corresponding values).

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[lightwalker-eth]

@djstrong Shared a few small comments. There's also a number of comments from AI agents that look to have good feedback. Appreciate if you can review all AI agent feedback and resolve as you think is best. Thanks

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@apps/ensrainbow/scripts/entrypoint.sh`:
- Around line 152-157: The fixed 2-second sleep in the entrypoint is unnecessary
and adds startup latency; remove or shorten it and instead ensure the port is
free after cleanup_nc returns (which already does kill + wait). Update the block
around the exec pnpm run serve line to either remove sleep entirely or replace
sleep 2 with sleep 0.5, or better implement a short fail-fast guard that polls
the port (loop checking that nc/netstat/lsof shows no listener) and only
proceeds when the port is confirmed free; refer to the existing cleanup_nc
helper to verify it has completed before starting the server and use that helper
as the trigger to start exec pnpm run serve --port "${PORT}" --data-dir
"${DB_SUBDIR_PATH}".
- Around line 39-55: Move the cleanup function definition (cleanup_nc) and the
trap registration (trap cleanup_nc EXIT) to before the nc invocation so the
listener cannot be orphaned if the script exits; start nc using the portable
positional form nc -lk "${PORT}" and background it into NC_PID, then immediately
verify the listener started (e.g., short sleep then ensure NC_PID is alive with
kill -0 "$NC_PID" and/or confirm the port is bound) and fail early if
verification fails so set -e surfaces bind errors.

[lightwalker-eth]

@djstrong Really appreciate your updates here. Looks good 👍