Closed
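--- a/.changeset/seven-seals-pull.md
+++ b/.changeset/seven-seals-pull.md
@@ -0,0 +1,5 @@
+---
+"@cartesi/cli": patch
+---
+
+validator container will run with cartesi unprivileged user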
2 changes: 1 addition & 1 deletion apps/cli/src/baseCommand.ts
@@ -78,7 +78,7 @@ export abstract class BaseCommand<T extends typeof Command> extends Command {

protected async getApplicationAddress(): Promise<Address> {
// fixed value, as we do deterministic deployment with a zero hash
return getAddress("0xab7528bb862fb57e8a2bcd567a2e929a0be56a5e");
return getAddress("0x60ec77594cdaa4ec2263c0d7436d70e37164c69f");
}

protected async getAddressBook(): Promise<AddressBook> {
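Review bot: The comment on the hard-coded address in getApplicationAddress() says only that deployment is deterministic with a zero hash, not which inputs the address is derived from, and this commit has to change the literal by hand. The value presumably depends on the factory addresses defaulted in apps/cli/src/node/default.env and the `--app-owner` passed in docker-compose-anvil.yaml; nothing visible checks that they still agree, so a later bump can leave the CLI addressing a contract that was never deployed. I would expand the comment to something like `// must match the address produced by dapp_deployer (factories in node/default.env, owner in docker-compose-anvil.yaml, zero hash)`, or derive the value from the deployer's `--print-json` output instead of a literal.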
2 changes: 1 addition & 1 deletion apps/cli/src/commands/doctor.ts
@@ -8,7 +8,7 @@ export default class DoctorCommand extends BaseCommand<typeof DoctorCommand> {
static examples = ["<%= config.bin %> <%= command.id %>"];

private static MINIMUM_DOCKER_VERSION = "23.0.0"; // Replace with our minimum required Docker version
private static MINIMUM_DOCKER_COMPOSE_VERSION = "2.21.0"; // Replace with our minimum required Docker Compose version
private static MINIMUM_DOCKER_COMPOSE_VERSION = "2.30.0"; // Replace with our minimum required Docker Compose version
private static MINIMUM_BUILDX_VERSION = "0.13.0"; // Replace with our minimum required Buildx version

private async checkDocker(): Promise<true | never> {
2 changes: 1 addition & 1 deletion apps/cli/src/config.ts
@@ -74,7 +74,7 @@ export class InvalidStringArrayError extends Error {
const DEFAULT_FORMAT = "ext2";
const DEFAULT_RAM = "128Mi";
const DEFAULT_RAM_IMAGE = "/usr/share/cartesi-machine/images/linux.bin";
export const DEFAULT_SDK = "cartesi/sdk:0.12.0-alpha.3";
export const DEFAULT_SDK = "cartesi/sdk:0.12.0-alpha.5";

type Builder = "directory" | "docker" | "empty" | "none" | "tar";
type DriveFormat = "ext2" | "sqfs";
2 changes: 1 addition & 1 deletion apps/cli/src/node/DockerfileDeploy.txt
@@ -1,4 +1,4 @@
FROM cartesi/rollups-node:1.5.1
FROM cartesi/rollups-node:devel
ENV CARTESI_SNAPSHOT_DIR=/usr/share/rollups-node/snapshot
ENV CARTESI_HTTP_ADDRESS=0.0.0.0
COPY --chown=cartesi:cartesi . ${CARTESI_SNAPSHOT_DIR}
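Review bot: The base image moves from the release tag `1.5.1` to the mutable tag `devel` (the additions-only `migration` service in docker-compose-database.yaml uses the same tag, so `devel` is the new side). Every `docker build` from this template then pulls whatever was last pushed to that tag, so the node binary that ends up in a deployment image is neither reproducible nor reviewable at CLI release time. The same tag is used for `validator` in docker-compose-validator.yaml and for `dapp_deployer` in docker-compose-anvil.yaml. Before release this should go back to a version tag, ideally with a digest: `FROM cartesi/rollups-node:<release-tag>@sha256:<digest>` (placeholders).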
57 changes: 38 additions & 19 deletions apps/cli/src/node/default.env
@@ -1,27 +1,46 @@
# cartesi/rollups-node
CARTESI_LOG_LEVEL="${CARTESI_LOG_LEVEL:-error}"
CARTESI_HTTP_ADDRESS="${CARTESI_HTTP_ADDRESS:-0.0.0.0}"
CARTESI_HTTP_PORT="${CARTESI_HTTP_PORT:-10000}"
CARTESI_FEATURE_HOST_MODE="${CARTESI_FEATURE_HOST_MODE:-false}"
CARTESI_FEATURE_READER_MODE_ENABLED="${CARTESI_FEATURE_READER_MODE_ENABLED:-false}"
CARTESI_FEATURE_DISABLE_CLAIMER="${CARTESI_FEATURE_DISABLE_CLAIMER:-false}"
CARTESI_FEATURE_DISABLE_MACHINE_HASH_CHECK="${CARTESI_FEATURE_DISABLE_MACHINE_HASH_CHECK:-true}"

#logs
CARTESI_LOG_LEVEL="${CARTESI_LOG_LEVEL:-info}"
CARTESI_LOG_PRETTY_ENABLED="${CARTESI_LOG_PRETTY_ENABLED:-false}"

# features
CARTESI_FEATURE_INPUT_READER_ENABLED="${CARTESI_FEATURE_INPUT_READER_ENABLED:-true}"
CARTESI_FEATURE_CLAIM_SUBMISSION_ENABLED="${CARTESI_FEATURE_CLAIM_SUBMISSION_ENABLED:-true}"
CARTESI_FEATURE_MACHINE_HASH_CHECK_ENABLED="${CARTESI_FEATURE_MACHINE_HASH_CHECK_ENABLED:-false}"

# rollups
CARTESI_EPOCH_LENGTH="${CARTESI_EPOCH_LENGTH:-720}"
CARTESI_EVM_READER_RETRY_POLICY_MAX_RETRIES="${CARTESI_EVM_READER_RETRY_POLICY_MAX_RETRIES:-3}"
CARTESI_EVM_READER_RETRY_POLICY_MAX_DELAY="${CARTESI_EVM_READER_RETRY_POLICY_MAX_DELAY:-3}"
CARTESI_ADVANCER_POLLING_INTERVAL="${CARTESI_ADVANCER_POLLING_INTERVAL:-7}"
CARTESI_VALIDATOR_POLLING_INTERVAL="${CARTESI_VALIDATOR_POLLING_INTERVAL:-7}"
CARTESI_CLAIMER_POLLING_INTERVAL="${CARTESI_CLAIMER_POLLING_INTERVAL:-7}"
CARTESI_MAX_STARTUP_TIME="${CARTESI_MAX_STARTUP_TIME:-5}"

# blockchain
CARTESI_BLOCKCHAIN_ID="${CARTESI_BLOCKCHAIN_ID:-31337}"
CARTESI_BLOCKCHAIN_HTTP_ENDPOINT="${CARTESI_BLOCKCHAIN_HTTP_ENDPOINT:-http://anvil:8545}"
CARTESI_BLOCKCHAIN_WS_ENDPOINT="${CARTESI_BLOCKCHAIN_WS_ENDPOINT:-ws://anvil:8545}"
CARTESI_BLOCKCHAIN_IS_LEGACY="${CARTESI_BLOCKCHAIN_IS_LEGACY:-false}"
CARTESI_BLOCKCHAIN_FINALITY_OFFSET="${CARTESI_BLOCKCHAIN_FINALITY_OFFSET:-0}"
CARTESI_LEGACY_BLOCKCHAIN_ENABLED="${CARTESI_LEGACY_BLOCKCHAIN_ENABLED:-false}"
CARTESI_EVM_READER_DEFAULT_BLOCK="${CARTESI_EVM_READER_DEFAULT_BLOCK:-latest}"
CARTESI_BLOCKCHAIN_BLOCK_TIMEOUT="${CARTESI_BLOCKCHAIN_BLOCK_TIMEOUT:-60}"
CARTESI_CONTRACTS_APPLICATION_ADDRESS="${CARTESI_CONTRACTS_APPLICATION_ADDRESS:-0xab7528bb862fb57e8a2bcd567a2e929a0be56a5e}"
CARTESI_CONTRACTS_INPUT_BOX_DEPLOYMENT_BLOCK_NUMBER="${CARTESI_CONTRACTS_INPUT_BOX_DEPLOYMENT_BLOCK_NUMBER:-22}"
CARTESI_CONTRACTS_HISTORY_ADDRESS="${CARTESI_CONTRACTS_HISTORY_ADDRESS:-0x325272217ae6815b494bf38ced004c5eb8a7cda7}"
CARTESI_CONTRACTS_AUTHORITY_ADDRESS="${CARTESI_CONTRACTS_AUTHORITY_ADDRESS:-0x58c93f83fb3304730c95aad2e360cdb88b782010}"
CARTESI_CONTRACTS_INPUT_BOX_ADDRESS="${CARTESI_CONTRACTS_INPUT_BOX_ADDRESS:-0x59b22D57D4f067708AB0c00552767405926dc768}"
CARTESI_SNAPSHOT_DIR="${CARTESI_SNAPSHOT_DIR:-/usr/share/cartesi/snapshot}"

# contracts
CARTESI_CONTRACTS_INPUT_BOX_ADDRESS="${CARTESI_CONTRACTS_INPUT_BOX_ADDRESS:-0x593E5BCf894D6829Dd26D0810DA7F064406aebB6}"
CARTESI_CONTRACTS_INPUT_BOX_DEPLOYMENT_BLOCK_NUMBER="${CARTESI_CONTRACTS_INPUT_BOX_DEPLOYMENT_BLOCK_NUMBER:-7}"
CARTESI_CONTRACTS_APPLICATION_FACTORY_ADDRESS="${CARTESI_CONTRACTS_APPLICATION_FACTORY_ADDRESS:-0xd7d4d184b82b1a4e08f304DDaB0A2A7a301C2620}"
CARTESI_CONTRACTS_AUTHORITY_FACTORY_ADDRESS="${CARTESI_CONTRACTS_AUTHORITY_FACTORY_ADDRESS:-0xB897F7Fe78f220aE34B7FA9493092701a873Ed45}"

# snapshot
CARTESI_SNAPSHOT_DIR="${CARTESI_SNAPSHOT_DIR:-/usr/share/rollups-node/snapshot}"

# auth
CARTESI_AUTH_MNEMONIC="${CARTESI_AUTH_MNEMONIC:-test test test test test test test test test test test junk}"
CARTESI_POSTGRES_ENDPOINT="${CARTESI_POSTGRES_ENDPOINT:-postgres://postgres:password@database:5432/postgres}"
CARTESI_EXPERIMENTAL_SERVER_MANAGER_BYPASS_LOG="${CARTESI_EXPERIMENTAL_SERVER_MANAGER_BYPASS_LOG:-false}"

# server-manager
SM_DEADLINE_MACHINE="${SM_DEADLINE_MACHINE:-30000}"
# postgres
CARTESI_POSTGRES_ENDPOINT="${CARTESI_POSTGRES_ENDPOINT:-postgres://postgres:password@database:5432/postgres?sslmode=disable}"

# http
CARTESI_INSPECT_PORT=${CARTESI_INSPECT_PORT:-10012}
CARTESI_INSPECT_ADDRESS=${CARTESI_INSPECT_ADDRESS:-0.0.0.0:$CARTESI_INSPECT_PORT}
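Review bot: Nothing in this file says its fallbacks are devnet-only, yet they include the public `test test … junk` mnemonic, a Postgres URL with password `password` and (new in this change, as far as the two printed variants show) `sslmode=disable`, and `CARTESI_FEATURE_MACHINE_HASH_CHECK_ENABLED` defaulting to `false`. Because every entry uses `${VAR:-default}`, a forgotten override is silent: the node starts with a key anyone can derive and an unencrypted database connection. A header comment such as `# Local devnet defaults only: public test mnemonic, plaintext Postgres, machine hash check off. Override all of these anywhere else.` would make that explicit. The two `CARTESI_INSPECT_*` lines are also the only unquoted values in the file.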
39 changes: 21 additions & 18 deletions apps/cli/src/node/docker-compose-anvil.yaml
@@ -1,6 +1,6 @@
services:
anvil:
image: cartesi/sdk:0.12.0-alpha.3
image: cartesi/sdk:0.12.0-alpha.5
command:
[
"devnet",
@@ -19,27 +19,30 @@ services:
- 8545:8545

dapp_deployer:
image: cartesi/sdk:0.12.0-alpha.3
image: cartesi/rollups-node:devel
restart: on-failure
depends_on:
anvil:
validator:
condition: service_started
env_file:
- ${CARTESI_BIN_PATH}/node/default.env
command:
[
"cast",
"send",
"--rpc-url",
"http://anvil:8545",
"--private-key",
"0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80",
"0x4C11C7F82D6D56a726f9B53dd99af031AFd86BB6",
"deployContracts(address,address,bytes32,bytes32)",
"0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266",
"720",
"0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266",
"0x0000000000000000000000000000000000000000000000000000000000000000",
"0x0000000000000000000000000000000000000000000000000000000000000000",
]
- /bin/bash
- -c
- -x
- |
cartesi-rollups-cli app deploy \
--print-json \
--postgres-endpoint "$$CARTESI_POSTGRES_ENDPOINT" \
--rpc-url "$$CARTESI_BLOCKCHAIN_HTTP_ENDPOINT" \
--inputbox-block-number "$$CARTESI_CONTRACTS_INPUT_BOX_DEPLOYMENT_BLOCK_NUMBER" \
--mnemonic "$$CARTESI_AUTH_MNEMONIC" \
--epoch-length "$$CARTESI_EPOCH_LENGTH" \
--app-factory "$$CARTESI_CONTRACTS_APPLICATION_FACTORY_ADDRESS" \
--authority-factory "$$CARTESI_CONTRACTS_AUTHORITY_FACTORY_ADDRESS" \
--app-owner "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266" \
--template-path $$CARTESI_SNAPSHOT_DIR \
--name "dapp"

prompt:
image: debian:bookworm-slim
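Review bot: The new `dapp_deployer` command runs bash with `-x`, so the fully expanded `cartesi-rollups-cli app deploy` line, including the values of `--mnemonic` and `--postgres-endpoint` (which embeds the database password), is written to the container log on every attempt, and `restart: on-failure` repeats it. With the defaults these are public test values, but both come from overridable environment variables. Dropping the `- -x` entry removes the trace; the `migration` service in docker-compose-database.yaml has the same flag and prints the Postgres URL the same way. Passing the mnemonic as an argument also exposes it in the process list inside the container, so if the CLI can read `CARTESI_AUTH_MNEMONIC` from the environment directly, that is preferable; I have not checked whether it does. `--template-path $$CARTESI_SNAPSHOT_DIR` is the only unquoted expansion in the script.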
2 changes: 1 addition & 1 deletion apps/cli/src/node/docker-compose-bundler.yaml
@@ -1,6 +1,6 @@
services:
alto:
image: cartesi/sdk:0.12.0-alpha.3
image: cartesi/sdk:0.12.0-alpha.5
command:
- "alto"
- "--entrypoints"
16 changes: 16 additions & 0 deletions apps/cli/src/node/docker-compose-database.yaml
@@ -8,3 +8,19 @@ services:
retries: 5
environment:
- POSTGRES_PASSWORD=password

migration:
image: cartesi/rollups-node:devel
command:
- /bin/bash
- -c
- -x
- |
cartesi-rollups-cli db upgrade -p "$$CARTESI_POSTGRES_ENDPOINT"

depends_on:
database:
condition: service_healthy
restart: "no"
env_file:
- ${CARTESI_BIN_PATH}/node/default.env
2 changes: 1 addition & 1 deletion apps/cli/src/node/docker-compose-paymaster.yaml
@@ -1,6 +1,6 @@
services:
mock-verifying-paymaster:
image: cartesi/sdk:0.12.0-alpha.3
image: cartesi/sdk:0.12.0-alpha.5
command: "mock-verifying-paymaster"
environment:
- ALTO_RPC=http://alto:4337
2 changes: 1 addition & 1 deletion apps/cli/src/node/docker-compose-snapshot-volume.yaml
@@ -1,7 +1,7 @@
services:
dapp_deployer:
volumes:
- ./.cartesi/image:/usr/share/cartesi/snapshot:ro
- ./.cartesi/image:/usr/share/rollups-node/snapshot:ro

validator:
volumes:
23 changes: 17 additions & 6 deletions apps/cli/src/node/docker-compose-validator.yaml
@@ -1,22 +1,33 @@
services:
validator:
image: cartesi/rollups-node:1.5.1
image: cartesi/rollups-node:devel
depends_on:
dapp_deployer:
migration:
condition: service_completed_successfully
anvil:
condition: service_healthy
expose:
- "10000"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:10000/healthz"]
test: ["CMD", "curl", "-f", "http://localhost:10000/livez"]
interval: 10s
timeout: 1s
retries: 5
post_start:
- command:
- /bin/bash
- -c
- |
mkdir -p "$CARTESI_SNAPSHOT_DIR"
cp --recursive /tmp/snapshot/* "$CARTESI_SNAPSHOT_DIR"
user: root
command:
- /bin/bash
- -c
- |
mkdir -p "$CARTESI_SNAPSHOT_DIR"
cp --recursive /tmp/snapshot/* "$CARTESI_SNAPSHOT_DIR"
while ! stat "$CARTESI_SNAPSHOT_DIR" &>/dev/null; do
Member


This busy wait and coordination between the command and post_start is not very elegant.
Does it really need to be this way? What if the post_start fails for whatever reason?

Contributor Author


We could add some timeout to ensure it fails.

Does it really need to be this way?

It's my approach to run the validator with an unprivileged user leveraging compose.

There are other approaches, for sure, would have to test some alternatives.

Member


How about we first see how the start + deploy would work. Because it will be different in that case.

Contributor Author


sure, we can put this on-hold

if the rollups-node container image release already has this in place, this process of preparing a directory should just be unnecessary

sleep 0.5
done
exec cartesi-rollups-node

env_file:
@@ -45,7 +56,7 @@ services:
inspect_server:
loadBalancer:
servers:
- url: "http://validator:10000/inspect"
- url: "http://validator:10012/inspect"
TRAEFIK_CONFIG_GRAPHQL_SERVER: |
http:
routers:
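Review bot: In the first hunk the wait loop in `command` tests only that `$CARTESI_SNAPSHOT_DIR` exists, but the root `post_start` hook creates that directory with `mkdir -p` before `cp --recursive` has copied anything, so `cartesi-rollups-node` can be exec'd against an empty or half-copied snapshot. With `CARTESI_FEATURE_MACHINE_HASH_CHECK_ENABLED` defaulting to `false` in default.env, a truncated snapshot would presumably not be rejected at startup. Having the hook copy into a staging path and rename it as its last step makes the directory appear only when complete: `cp --recursive /tmp/snapshot "$CARTESI_SNAPSHOT_DIR.partial"` followed by `mv "$CARTESI_SNAPSHOT_DIR.partial" "$CARTESI_SNAPSHOT_DIR"`, after a `mkdir -p` of the parent. The copied files also stay owned by root because the hook never runs `chown`; whether the unprivileged node user needs write access there is not visible here. These blocks use a single `$`, which Compose interpolates on the host, whereas the deployer and migration scripts use `$$`, so it is worth confirming the variable is always set where Compose runs.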