ElementsProject · ShahanaFarooqui · Nov 20, 2025 · Nov 22, 2025 · Nov 20, 2025
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -1,4 +1,4 @@
-name: Build and push multi-platform docker images
+name: Publish multi-platform docker images
 
 on:
   push:
@@ -30,6 +30,9 @@ on:
 jobs:
   build:
     runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        flavor: ['lightningd', 'lightningd-vls-signer']
 
     steps:
     - name: Checkout repository
@@ -50,7 +53,7 @@ jobs:
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}
 
-    - name: Set up values
+    - name: Set up values for ${{ matrix.flavor }}
       id: set-values
       run: |
         if [[ "${{ github.event.inputs.version }}" != "" ]]; then
@@ -89,9 +92,9 @@ jobs:
         fi
         echo "PUSHLATEST=$PUSHLATEST" >> $GITHUB_ENV
 
-        TAGS="$REPONAME/lightningd:$VERSION"
+        TAGS="$REPONAME/${{ matrix.flavor }}:$VERSION"
         if [[ "$PUSHLATEST" == "true" ]]; then
-          TAGS="$TAGS,$REPONAME/lightningd:latest"
+          TAGS="$TAGS,$REPONAME/${{ matrix.flavor }}:latest"
         fi
         echo "TAGS=$TAGS" >> $GITHUB_ENV
 
@@ -109,13 +112,16 @@ jobs:
         echo "ENV PUSH LATEST: ${{ env.PUSHLATEST }}"
         echo "ENV TAGS: ${{ env.TAGS }}"
 
-    - name: Build and push Docker image
+    - name: Build and push Docker image - ${{ matrix.flavor }}
       uses: docker/build-push-action@v5
       with:
         context: .
         file: ./Dockerfile
+        target: ${{ matrix.flavor }}
         push: true
         platforms: ${{ env.PLATFORMS }}
         tags: ${{ env.TAGS }}
         build-args: |
-          VERSION=${{ env.VERSION }}
+          VERSION=${{ env.VERSION }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
@@ -163,7 +163,70 @@ RUN find /tmp/lightning_install -type f -executable -exec \
     awk -F: '/ELF/ {print $1}' | \
     xargs -r ${STRIP} --strip-unneeded
 
-FROM base-target AS final
+# VLS builder stage (only used by lightningd-vls-signer)
+FROM base-builder-${TARGETOS}-${TARGETARCH} AS vls-builder
+
+ARG AR=${target_arch}-ar
+ARG AS=${target_arch}-as
+ARG CC=${target_arch}-gcc
+ARG CXX=${target_arch}-g++
+ARG LD=${target_arch}-ld
+ARG STRIP=${target_arch}-strip
+ARG TARGET=${target_arch_rust}
+ARG RUST_PROFILE=release
+ARG VERSION
+ENV VERSION=${VERSION}
+ARG VLS_VERSION=v0.14.0
+
+RUN dpkg --add-architecture ${target_arch_dpkg}
+
+# Install architecture-independent libraries
+RUN apt-get update && \
+    apt-get install -qq -y --no-install-recommends \
+        python3-dev \
+        lowdown
+
+# Install target-arch libraries
+RUN apt-get install -qq -y --no-install-recommends \
+    pkg-config:${target_arch_dpkg} \
+    libffi-dev:${target_arch_dpkg} \
+    libicu-dev:${target_arch_dpkg} \
+    zlib1g-dev:${target_arch_dpkg} \
+    libsqlite3-dev:${target_arch_dpkg} \
+    libpq-dev:${target_arch_dpkg} \
+    libsodium-dev:${target_arch_dpkg} \
+    crossbuild-essential-${target_arch_dpkg}
+
+WORKDIR /opt
+
+RUN ./install-uv.sh -q
+RUN ./install-rust.sh -y -q --profile minimal --component rustfmt --target ${target_arch_rust}
+ENV PATH="/root/.cargo/bin:/root/.local/bin:${PATH}"
+
+RUN git clone --depth 1 --branch ${VLS_VERSION} https://gitlab.com/lightning-signer/validating-lightning-signer.git
+WORKDIR /opt/validating-lightning-signer
+
+RUN mkdir -p .cargo && tee .cargo/config.toml <<EOF
+
+[build]
+target = "${target_arch_rust}"
+rustflags = ["-C", "target-cpu=generic"]
+
+[target.${target_arch_rust}]
+linker = "${CC}"
+
+EOF
+
+RUN cargo build --release
+
+RUN cp -r ./target/${target_arch_rust}/release/ /tmp/vls_install/ \
+    && find /tmp/vls_install -type f -executable -exec \
+    file {} + | \
+    awk -F: '/ELF/ {print $1}' | \
+    xargs -r ${STRIP} --strip-unneeded
+
+# Standard Lightning image (without VLS)
+FROM base-target AS lightningd
 
 RUN apt-get update && \
     apt-get install -qq -y --no-install-recommends \
@@ -176,8 +239,8 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-COPY --from=downloader    /opt/bitcoin/bin/bitcoin-cli      /usr/bin/
-COPY --from=builder       /tmp/lightning_install/           /usr/local/
+COPY --from=downloader    /opt/bitcoin/bin/bitcoin-cli          /usr/bin/
+COPY --from=builder       /tmp/lightning_install/               /usr/local/
 
 COPY tools/docker-entrypoint.sh    /entrypoint.sh
 
@@ -189,3 +252,36 @@ ENV LIGHTNINGD_NETWORK=bitcoin
 EXPOSE 9735 9835
 VOLUME ["/root/.lightning"]
 ENTRYPOINT ["/entrypoint.sh"]
+
+# Lightning with VLS Signer
+FROM base-target AS lightningd-vls-signer
+
+RUN apt-get update && \
+    apt-get install -qq -y --no-install-recommends \
+        inotify-tools \
+        socat \
+        jq \
+        libpq5 \
+        libsqlite3-0 \
+        libsodium23 && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=downloader    /opt/bitcoin/bin/bitcoin-cli          /usr/bin/
+COPY --from=builder       /tmp/lightning_install/               /usr/local/
+COPY --from=vls-builder   /tmp/vls_install/remote_hsmd_socket   /var/lib/vls/bin/
+
+COPY tools/docker-entrypoint.sh    /entrypoint.sh
+
+ENV LIGHTNINGD_DATA=/root/.lightning
+ENV LIGHTNINGD_RPC_PORT=9835
+ENV LIGHTNINGD_PORT=9735
+ENV LIGHTNINGD_NETWORK=bitcoin
+ENV VLS_ENABLED=true
+
+EXPOSE 9735 9835
+VOLUME ["/root/.lightning"]
+ENTRYPOINT ["/entrypoint.sh"]
+
+# Default target (for backward compatibility)
+FROM lightningd AS final
diff --git a/doc/contribute-to-core-lightning/docker-images.md b/doc/contribute-to-core-lightning/docker-images.md
@@ -131,3 +131,96 @@ docker exec -it <container-id-from-step2> bash
 docker run -it --rm --platform=linux/amd64 --network=host -v '/root/.lightning:/root/.lightning' -v '/root/.bitcoin:/root/.bitcoin' -e LIGHTNINGD_DATA=/root/.lightning elementsproject/lightningd:latest --network=regtest
 
 ```
+
+## Replace the `hsmd` subdaemon with VLS `remote_hsmd_socket`:
+
+1. This setup assumes that both `bitcoind` and `vlsd` will be running on your host system.
+
+2. Start your `bitcoind` node on the local machine.
+
+3. Start `vlsd` locally with your prefered configuration. For example:
+
+```shell
+export LIGHTNING_VLS_DIR=/root/.lightning
+export GREENLIGHT_VERSION="v25.12"
+export VLS_CLN_VERSION="v25.12"
+export VLS_NETWORK="regtest"
+export BITCOIND_RPC_URL="http://user:password@127.0.0.1:18443"
+export RUST_LOG=info
+export RUST_BACKTRACE=1
+
+/home/validating-lightning-signer/target/release/vlsd \
+  --datadir "$LIGHTNING_VLS_DIR"/.lightning-signer \
+  --network regtest \
+  --connect http://127.0.0.1:7701 \
+  --rpc-server-address 127.0.0.1 \
+  --rpc-server-port 8000 \
+  --rpc-user vlsuser \
+  --rpc-pass vlspassword \
+  --log-level info
+```
+
+4. Finally, run the Core Lightning node:
+
+4.1 Either by utilizing our docker image flavor `elementsproject/lightningd-vls-signer` which comes with pre-built `remote_hsmd_socket` binaries.
+
+```shell
+docker run -it --rm -d \
+  --platform=linux/amd64 \
+  --network=host \
+  -v '/root/.lightning:/root/.lightning' \
+  -v '/root/.bitcoin:/root/.bitcoin' \
+  -e GREENLIGHT_VERSION="v25.12" \
+  -e VLS_CLN_VERSION="v25.12" \
+  -e VLS_NETWORK="regtest" \
+  -e BITCOIND_RPC_URL="http://user:password@127.0.0.1:18443" \
+  -e LIGHTNINGD_NETWORK=regtest \
+  elementsproject/lightningd-vls-signer:v25.12 \
+  --bitcoin-rpcconnect=0.0.0.0 \
+  --bitcoin-rpcuser=user \
+  --bitcoin-rpcpassword=password \
+  --network=regtest \
+  --database-upgrade=true \
+  --bitcoin-datadir=/root/.bitcoin \
+  --log-level=debug \
+  --announce-addr=127.0.0.1:19750 \
+  --bind-addr=localhost:8989 \
+  --bind-addr=ws:127.0.0.1:5020 \
+  --bind-addr=0.0.0.0:19750 \
+  --bitcoin-rpcport=18443 \
+  --clnrest-port=3020 \
+  --grpc-port=9740 \
+  --subdaemon=hsmd:/var/lib/vls/bin/remote_hsmd_socket
+```
+
+4.2 Or, by replacing subdaemon `hsmd` with your mounted `remote_hsmd_socket`:
+
+```shell
+docker run -it --rm -d \
+  --platform=linux/amd64 \
+  --network=host \
+  -v '/root/.lightning:/root/.lightning' \
+  -v '/root/.bitcoin:/root/.bitcoin' \
+  -v '/root/vls/target/release/remote_hsmd_socket:/var/lib/vls/bin/remote_hsmd_socket'
+  -e GREENLIGHT_VERSION="v25.12" \
+  -e VLS_CLN_VERSION="v25.12" \
+  -e VLS_NETWORK="regtest" \
+  -e BITCOIND_RPC_URL="http://user:password@127.0.0.1:18443" \
+  -e LIGHTNINGD_NETWORK=regtest \
+  elementsproject/lightningd:v25.12 \
+  --bitcoin-rpcconnect=0.0.0.0 \
+  --bitcoin-rpcuser=user \
+  --bitcoin-rpcpassword=password \
+  --network=regtest \
+  --database-upgrade=true \
+  --bitcoin-datadir=/root/.bitcoin \
+  --log-level=debug \
+  --announce-addr=127.0.0.1:19750 \
+  --bind-addr=localhost:8989 \
+  --bind-addr=ws:127.0.0.1:5020 \
+  --bind-addr=0.0.0.0:19750 \
+  --bitcoin-rpcport=18443 \
+  --clnrest-port=3020 \
+  --grpc-port=9740 \
+  --subdaemon=hsmd:/var/lib/vls/bin/remote_hsmd_socket
+```