web3labs / ink-verifier-image Goto Github PK

View Code? Open in Web Editor NEW

3.0 3.0 2.0 78 KB

Container image for Ink! smart contracts source code verification

License: Apache License 2.0

Dockerfile 14.43% Shell 55.87% Rust 21.41% Just 8.29%

ink-verifier-image's People

Contributors

Stargazers

Watchers

Forkers

w3f-grants-archive deuszx

ink-verifier-image's Issues

[Apple ARM] Building with the default image on slow and with lots of suspicious logs.

Running the tool with build-verifiable-ink -i ghcr.io/web3labs/ink-verifier . on M1 ARM returns hundreds of errors such as:

<jemalloc>: MADV_DONTNEED does not work (memset will be used instead)
<jemalloc>: (This is the expected behaviour if you are running under QEMU)

The process is very slow as well.

And in the end it fails with

Compiling pallet-contracts-primitives v23.0.0
<jemalloc>: MADV_DONTNEED does not work (memset will be used instead)
<jemalloc>: (This is the expected behaviour if you are running under QEMU)
/usr/local/bin/build-contract: line 41:    62 Killed                  cargo install --version "${cargo_contract_version}" --force --locked cargo-contract

No cross-platform tests in the CI.

The verifier image should be portable across different machines, OSes, architectures. Not that the image should necessarily produce deterministic results but the image should be at least usable on different platforms.

It would increase the confidence in the tool greatly if a step like that was part of the CI, before new images are pushed to the docker hub.

Installing cargo contract on memory-constrained envs crashes

I've found that cargo install --version {cargo_contract_version} cargo-contract can eat up to 16GB of RAM (most likely caused by caching the dependencies in RAM) which is a problem in resource-constraint envs like docker (I'm using colima on MacOS instead of the default docker context and it gets 8GB of RAM by default). This is a problem since no building/packaging can happen with cargo-contract installed and the process fails abruptly with no information about the error cause and cryptic Killed.

The workaround to that problem is to do the following (instead of installing it via cargo install):

In docker cotainer, export https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli CARGO_NET_GIT_FETCH_WITH_CLI=true
Run git clone --depth 1 --branch v2.1.0 <git-link>
cd into cargo-contract.
cargo install --path .

For me, the process was peaking at ~700MB instead of 16GB.

Please test yourself first.

Big image size

Image size after building:

➜  ~ docker images
REPOSITORY                  TAG       IMAGE ID       CREATED          SIZE
ink-verifier                develop   b87247c9e4b2   19 minutes ago   2.17GB

I'd recommend looking for inspiration in the image we've developed: https://github.com/Cardinal-Cryptography/docker-ink-dev . If you remove the ink-wrapper section (and you can, since it's not needed for building), then it becomes:

➜  docker-ink-dev git:(main) ✗ docker images
REPOSITORY                            TAG       IMAGE ID       CREATED          SIZE
cardinal-cryptography/ink-dev-arm64   1.2.0     172d5cefaf66   3 seconds ago    949MB

2.17GB vs 949MB

CLI builds `/target` with owner as docker.

Folders created by the docker cannot be deleted without sudo.

CLI should use the currently-running user as the owner of the docker process.

Failed to verify ink contracts

I followed the tutorial provided here for verifying ink smart contracts. However, I'm facing an error:

The script in the ink-verifier-image repo under scripts/verify-contract is failing at line number 26:

..
mkdir -p $TARGET
..

Is there a step missing in the tutorial?

Detect custom rust version in the dir

It's possible to specify a custom rust version via rust-toolchain file in the directory/project. For example in https://github.com/Cardinal-Cryptography/zk-apps, there's a rust-toolchain file which gest picked up:

~/aleph/zk-apps/shielder/contract$ rustup show
Default host: x86_64-unknown-linux-gnu
rustup home:  /home/mateusz/.rustup

installed toolchains
--------------------

stable-x86_64-unknown-linux-gnu (default)
1.68-x86_64-unknown-linux-gnu
1.65.0-x86_64-unknown-linux-gnu
1.66.0-x86_64-unknown-linux-gnu

installed targets for active toolchain
--------------------------------------

wasm32-unknown-unknown
x86_64-unknown-linux-gnu

active toolchain
----------------

nightly-2022-11-28-x86_64-unknown-linux-gnu (overridden by '/home/mateusz/aleph/zk-apps/rust-toolchain')
rustc 1.67.0-nightly (1eb62b123 2022-11-27)

I think it makes sense to detect that and use the active toolchain as the default when running the tool. Unless user specifies otherwise.

In the example above, tool would set RUST_TOOLCHAIN=nightly-2022-11-28-x86_64-unknown-linux-gnu automatically.

CLI tool could include an option to build contracts

Currently build-verifiable-ink CLI tool builds and packages the resulting files into package.zip. Then there's a section in the README about how to extract *.contract, *.metadata and *.wasm files from the zipped file but it's not very UX-friendly approach. I'd suggest adding that functionality to the build-verifiable-ink tool itself. Or the output of build-verifiable-ink . could preserve the original files.

Curious to hear your opinions.

Fail to verify basic flipper contract

I've done the following:

Build the ink-verifier-image locally from main branch.
Create a basic flipper contract cargo contract new flipper
cd flipper and run build-verifiable-ink -t develop .

The result is that it fails to build the package:

  flipper build-verifiable-ink -t develop .
Building package w/ args: ["run", "-i", "-t", "--rm", "--entrypoint", "package-contract", "-v", "/Users/gorskimateusz/projects/aleph/flipper:/build", "ink-verifier:develop"]
mv: failed to preserve ownership for '/build/package/src/Cargo.toml': Permission denied
mv: failed to preserve ownership for '/build/package/src/lib.rs': Permission denied
mv: failed to preserve ownership for '/build/package/src': Permission denied
Build Info

- build_mode: Release
- cargo_contract_version: 2.0.2
- rustc_toolchain: 1.66.1-x86_64-unknown-linux-gnu
- optimization_passes: Z
- keep_debug_symbols: false

In SRC_ROOT
total 20K
drwxr-xr-x 1 501 dialout  128 May 12 08:44 .
drwxr-xr-x 1 501 dialout   96 May 12 08:44 ..
-rwxr-xr-x 1 501 dialout  573 May 12 08:44 Cargo.toml
-rwxr-xr-x 1 501 dialout 5.1K May 12 08:44 lib.rs
error: DEPRECATED: future versions of rustup will require --force-non-host to install a non-host toolchain as the default.
warning: toolchain '1.66.1-x86_64-unknown-linux-gnu' may not be able to run on this system.
warning: If you meant to build software to target that platform, perhaps try `rustup target add x86_64-unknown-linux-gnu` instead?
info: syncing channel updates for '1.66.1-x86_64-unknown-linux-gnu'
warning: Signature verification failed for 'https://static.rust-lang.org/dist/channel-rust-1.66.1.toml'
info: latest update on 2023-01-10, rust version 1.66.1 (90743e729 2023-01-10)
info: downloading component 'cargo'
info: downloading component 'rust-std'
 30.0 MiB /  30.0 MiB (100 %)   3.4 MiB/s in  8s ETA:  0s
info: downloading component 'rustc'
 67.4 MiB /  67.4 MiB (100 %)   4.7 MiB/s in 18s ETA:  0s
info: installing component 'cargo'
info: installing component 'rust-std'
 30.0 MiB /  30.0 MiB (100 %)  20.9 MiB/s in  1s ETA:  0s
info: installing component 'rustc'
 67.4 MiB /  67.4 MiB (100 %)  24.5 MiB/s in  2s ETA:  0s

  1.66.1-x86_64-unknown-linux-gnu installed - (error reading rustc version)

info: checking for self-updates
info: downloading self-update
info: downloading component 'rust-std' for 'wasm32-unknown-unknown'
info: installing component 'rust-std' for 'wasm32-unknown-unknown'
info: downloading component 'rust-src'
info: installing component 'rust-src'
    Updating crates.io index
  Downloaded cargo-contract v2.0.2
  Downloaded 1 crate (94.8 KB) in 1.47s
  Installing cargo-contract v2.0.2

// Omitting lines with downloading and installing dependencies for brevity

Downloaded 420 crates (36.2 MB) in 30.81s (largest was `ring` at 5.1 MB)
error: failed to compile `cargo-contract v2.0.2`, intermediate artifacts can be found at `/tmp/cargo-installbjuGr0`

Caused by:
  package `ink_env v4.2.0` cannot be built because it requires rustc 1.68 or newer, while the currently active rustc version is 1.66.1
  Try re-running cargo install with `--locked`

Notice the errors at the beginning.

Update instructions about verifying contracts

Instruction about how to verify the contract in the README use some very specific paths, like roccoco etc., but it's not necessary when verifying. The following was enough to verify locally:

Correct structure of the contracts/package locally:

build
├── package.zip
└── pristine.wasm

Running the following command:

docker run --rm -v ./build:/build ink-verifier:develop

If instructions can be simpler and not roccoco-specific (or any other chain) we should try to simplify it.

$ rm -rf package
rm: cannot remove 'package/src/Cargo.toml': Permission denied
rm: cannot remove 'package/src/lib.rs': Permission denied

$ ls -al
total 24
drwxr-xr-x 3 mateusz mateusz 4096 May 17 16:28 .
drwxr-xr-x 7 mateusz mateusz 4096 Apr 14 10:19 ..
-rw-r--r-- 1 mateusz mateusz  967 Apr 14 10:19 Cargo.toml
-rw-r--r-- 1 mateusz mateusz 7206 Apr 14 10:19 lib.rs
drwxr-xr-x 3 root    root    4096 May 17 16:28 package