web3labs / ink-verifier-image Goto Github PK
View Code? Open in Web Editor NEWContainer image for Ink! smart contracts source code verification
License: Apache License 2.0
Container image for Ink! smart contracts source code verification
License: Apache License 2.0
Running the tool with build-verifiable-ink -i ghcr.io/web3labs/ink-verifier .
on M1 ARM returns hundreds of errors such as:
<jemalloc>: MADV_DONTNEED does not work (memset will be used instead)
<jemalloc>: (This is the expected behaviour if you are running under QEMU)
The process is very slow as well.
And in the end it fails with
Compiling pallet-contracts-primitives v23.0.0
<jemalloc>: MADV_DONTNEED does not work (memset will be used instead)
<jemalloc>: (This is the expected behaviour if you are running under QEMU)
/usr/local/bin/build-contract: line 41: 62 Killed cargo install --version "${cargo_contract_version}" --force --locked cargo-contract
The verifier image should be portable across different machines, OSes, architectures. Not that the image should necessarily produce deterministic results but the image should be at least usable on different platforms.
It would increase the confidence in the tool greatly if a step like that was part of the CI, before new images are pushed to the docker hub.
I've found that cargo install --version {cargo_contract_version} cargo-contract
can eat up to 16GB of RAM (most likely caused by caching the dependencies in RAM) which is a problem in resource-constraint envs like docker (I'm using colima
on MacOS instead of the default docker context and it gets 8GB of RAM by default). This is a problem since no building/packaging can happen with cargo-contract
installed and the process fails abruptly with no information about the error cause and cryptic Killed
.
The workaround to that problem is to do the following (instead of installing it via cargo install
):
CARGO_NET_GIT_FETCH_WITH_CLI=true
git clone --depth 1 --branch v2.1.0 <git-link>
cargo-contract
.cargo install --path .
For me, the process was peaking at ~700MB instead of 16GB.
Please test yourself first.
Image size after building:
➜ ~ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ink-verifier develop b87247c9e4b2 19 minutes ago 2.17GB
I'd recommend looking for inspiration in the image we've developed: https://github.com/Cardinal-Cryptography/docker-ink-dev . If you remove the ink-wrapper
section (and you can, since it's not needed for building), then it becomes:
➜ docker-ink-dev git:(main) ✗ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
cardinal-cryptography/ink-dev-arm64 1.2.0 172d5cefaf66 3 seconds ago 949MB
2.17GB vs 949MB
Folders created by the docker cannot be deleted without sudo.
CLI should use the currently-running user as the owner of the docker process.
I followed the tutorial provided here for verifying ink smart contracts. However, I'm facing an error:
The script in the ink-verifier-image repo under scripts/verify-contract is failing at line number 26:
..
mkdir -p $TARGET
..
Is there a step missing in the tutorial?
It's possible to specify a custom rust version via rust-toolchain
file in the directory/project. For example in https://github.com/Cardinal-Cryptography/zk-apps, there's a rust-toolchain
file which gest picked up:
~/aleph/zk-apps/shielder/contract$ rustup show
Default host: x86_64-unknown-linux-gnu
rustup home: /home/mateusz/.rustup
installed toolchains
--------------------
stable-x86_64-unknown-linux-gnu (default)
1.68-x86_64-unknown-linux-gnu
1.65.0-x86_64-unknown-linux-gnu
1.66.0-x86_64-unknown-linux-gnu
installed targets for active toolchain
--------------------------------------
wasm32-unknown-unknown
x86_64-unknown-linux-gnu
active toolchain
----------------
nightly-2022-11-28-x86_64-unknown-linux-gnu (overridden by '/home/mateusz/aleph/zk-apps/rust-toolchain')
rustc 1.67.0-nightly (1eb62b123 2022-11-27)
I think it makes sense to detect that and use the active toolchain as the default when running the tool. Unless user specifies otherwise.
In the example above, tool would set RUST_TOOLCHAIN=nightly-2022-11-28-x86_64-unknown-linux-gnu
automatically.
Currently build-verifiable-ink
CLI tool builds and packages the resulting files into package.zip
. Then there's a section in the README about how to extract *.contract
, *.metadata
and *.wasm
files from the zipped file but it's not very UX-friendly approach. I'd suggest adding that functionality to the build-verifiable-ink
tool itself. Or the output of build-verifiable-ink .
could preserve the original files.
Curious to hear your opinions.
I've done the following:
ink-verifier-image
locally from main
branch.cargo contract new flipper
cd flipper
and run build-verifiable-ink -t develop .
The result is that it fails to build the package:
flipper build-verifiable-ink -t develop .
Building package w/ args: ["run", "-i", "-t", "--rm", "--entrypoint", "package-contract", "-v", "/Users/gorskimateusz/projects/aleph/flipper:/build", "ink-verifier:develop"]
mv: failed to preserve ownership for '/build/package/src/Cargo.toml': Permission denied
mv: failed to preserve ownership for '/build/package/src/lib.rs': Permission denied
mv: failed to preserve ownership for '/build/package/src': Permission denied
Build Info
- build_mode: Release
- cargo_contract_version: 2.0.2
- rustc_toolchain: 1.66.1-x86_64-unknown-linux-gnu
- optimization_passes: Z
- keep_debug_symbols: false
In SRC_ROOT
total 20K
drwxr-xr-x 1 501 dialout 128 May 12 08:44 .
drwxr-xr-x 1 501 dialout 96 May 12 08:44 ..
-rwxr-xr-x 1 501 dialout 573 May 12 08:44 Cargo.toml
-rwxr-xr-x 1 501 dialout 5.1K May 12 08:44 lib.rs
error: DEPRECATED: future versions of rustup will require --force-non-host to install a non-host toolchain as the default.
warning: toolchain '1.66.1-x86_64-unknown-linux-gnu' may not be able to run on this system.
warning: If you meant to build software to target that platform, perhaps try `rustup target add x86_64-unknown-linux-gnu` instead?
info: syncing channel updates for '1.66.1-x86_64-unknown-linux-gnu'
warning: Signature verification failed for 'https://static.rust-lang.org/dist/channel-rust-1.66.1.toml'
info: latest update on 2023-01-10, rust version 1.66.1 (90743e729 2023-01-10)
info: downloading component 'cargo'
info: downloading component 'rust-std'
30.0 MiB / 30.0 MiB (100 %) 3.4 MiB/s in 8s ETA: 0s
info: downloading component 'rustc'
67.4 MiB / 67.4 MiB (100 %) 4.7 MiB/s in 18s ETA: 0s
info: installing component 'cargo'
info: installing component 'rust-std'
30.0 MiB / 30.0 MiB (100 %) 20.9 MiB/s in 1s ETA: 0s
info: installing component 'rustc'
67.4 MiB / 67.4 MiB (100 %) 24.5 MiB/s in 2s ETA: 0s
1.66.1-x86_64-unknown-linux-gnu installed - (error reading rustc version)
info: checking for self-updates
info: downloading self-update
info: downloading component 'rust-std' for 'wasm32-unknown-unknown'
info: installing component 'rust-std' for 'wasm32-unknown-unknown'
info: downloading component 'rust-src'
info: installing component 'rust-src'
Updating crates.io index
Downloaded cargo-contract v2.0.2
Downloaded 1 crate (94.8 KB) in 1.47s
Installing cargo-contract v2.0.2
// Omitting lines with downloading and installing dependencies for brevity
Downloaded 420 crates (36.2 MB) in 30.81s (largest was `ring` at 5.1 MB)
error: failed to compile `cargo-contract v2.0.2`, intermediate artifacts can be found at `/tmp/cargo-installbjuGr0`
Caused by:
package `ink_env v4.2.0` cannot be built because it requires rustc 1.68 or newer, while the currently active rustc version is 1.66.1
Try re-running cargo install with `--locked`
Notice the errors at the beginning.
Instruction about how to verify the contract in the README use some very specific paths, like roccoco
etc., but it's not necessary when verifying. The following was enough to verify locally:
build
├── package.zip
└── pristine.wasm
docker run --rm -v ./build:/build ink-verifier:develop
If instructions can be simpler and not roccoco-specific (or any other chain) we should try to simplify it.
These lines disallow any non-stable Rust versions to be used for building process.
Any contract that uses OpenBrush dependencies will fail b/c that code makes use of a min_specialization
feature which is available only in nightly https://github.com/Brushfam/openbrush-contracts/blob/main/contracts/src/lib.rs#L23
No CI steps that verify that the built image can package/build/verify contracts.
Default version of cargo contract
is 2.0.2 but it depends on ink 4.2.0 which is not compatible with the default rustc version used.
Solution would be to either bump the rustc version to a proper one or default to cc @ 2.0.1
On WSL2, running build-verifiable-ink -i ghcr.io/web3labs/ink-verifier .
creates directory that is owned by root
and cannot be removed by a use
$ rm -rf package
rm: cannot remove 'package/src/Cargo.toml': Permission denied
rm: cannot remove 'package/src/lib.rs': Permission denied
$ ls -al
total 24
drwxr-xr-x 3 mateusz mateusz 4096 May 17 16:28 .
drwxr-xr-x 7 mateusz mateusz 4096 Apr 14 10:19 ..
-rw-r--r-- 1 mateusz mateusz 967 Apr 14 10:19 Cargo.toml
-rw-r--r-- 1 mateusz mateusz 7206 Apr 14 10:19 lib.rs
drwxr-xr-x 3 root root 4096 May 17 16:28 package
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.