Commit 2ffb293e authored by Javier Viola, committed by GitHub

introduce malus + zombienet based integration tests (#4131)

* test/malus: craft the first maliciously disputing actor

* initial draft

* Add Dockerfile and instructions how to use it to build malus image locally

* Forgot one flag for the build cmd

* we are not docker specific, we are happy to use any container runtime

* shuffle things around

* add initial tera based integration test

* chores

* fixins

* simple setup to start

* other samples (WIP)

* add Docker version with cargo-chef

* update substrate and small change of orders in commands in the container file

* metrics one

* fmt

* minor

* fixin

* fix metric names

* -d

* add open gauge

* fmt

* spellcheck

* fix test

* adjust to changed error messages

* refactor, more malus impls

* more malus changes

* foo

* minor cleanup

* suggest garbage candidate

* chore

* fix suggest garbage malus

* malus: back garbage candidate

* cargo lock

* re-introduce metrics

* chore: cargo fmt

* undo 1.54.0 output, CI uses 1.53.0 rustc

* update location of js types

* Fix trybuild

* add tag to image name also; this will be replaced in the prod version

* Tests fixed

* add some fix me

* add dockerfile for ci

* Add docker file for malus for ci

* use variables in .toml file

* add changes for malus test

* some fixes

* some more fixes

* Update .gitlab-ci.yml

* add local build for polkadot and malus

* some fixes

* enable disputes feature in CI

* ok, ok

* rename: MsgFilter -> MessageInterceptor

* remove TODO that would not have worked

* intercept

* refactor

* fix README and containers

* fix

* chore: cargo fmt

* avoid some more malus-$VARIANT references

* fix argument order

* chore: add about

* Update sanity check in relay chain selection

* fix order, add dispute-unavailable-block malus

* fixup: avoid underflow issue

* it's all u32

* fix conditional use

* Revert "it's all u32"

This reverts commit 6b3ae25b.

* Revert "fixup: avoid underflow issue"

This reverts commit 336cbe29.

* Revert "Update sanity check in relay chain selection"

This reverts commit 970647f3.

* update the malus bin

* Update node/malus/integrationtests/0003-dispute-unavailable-block.feature
Co-authored-by: Andronik Ordian <write@reusable.software>

* add some FIXME reminders

* update path to index.js

* Update .gitlab-ci.yml

* Update node/malus/integrationtests/0001-dispute-valid-block.toml

* try 1: make malus test run

* chore: cargo fmt

* temporary fix

* use subcommand syntax from latest gurke

* cargo +nightly fmt

* add collator to a test

* docs: add env vars to README

* update ci to run dispute-valid-block test

* needs the polkadot image

* Fix path for nodejs container

* post merge fix

* download proper dir containing configs for malus test

* update the malus ci job

* rm a whitespace

* temp build for malus

* use correct build command for temp malus

* remove subcommands for now

* set max validators per core in the default HostConfig

* tabs

* update beefy

* fixup

* fixup II

* make one variant compile

* make other variants compile

* revert changes to chain_spec

* fmt

* build malus image from polkadot-test-malus again

* revert unrelated changes

* try fixing build-malus job

* Revert "remove subcommands for now"

This reverts commit 5d8292bc.

* try fixing build-malus job II

* MVP working dispute-ancestor

* renames

* fix PVF execution on malus

* fix test

* fix typo

* fmt

* checkmate

* try something

* make it actually work

* some tweaks to 01 feature test

* fmt

* sleep a bit more

* complete wococoization

* some tweaks to 01 feature test

* typo fix

* use correct metric names

* fix

* ffs

* .

* try some rearrangement

* Attempt to wait till initial node bootstrap in test

* Fix test syntax

* Run malus tests with v2 script

* Proper symlink created

* simnet v14

* add zombienet tests

* add zombie net test - draft

* add more tests to dispute suite

* add within to fix tests

* replace test directory and start test migration

* migrate all the tests

* add timeout to tests

* reduce debug

* make easy to test in dev

* set appropriated debug

* use image from ci

* fix config for test

* set images from ci

* fix config

* add COLIMAGE env

* tweak tests

* reduce debug

* typo

* wip, migrate old test to zombie-net

* adjust test config for zombie-net

* run malus 0001 test only

* clean and setup smoke-test in zombie-net

* add extra time to assertions

* clean code to merge and improve README

* add info to access logs

* improved readme

* merge master and resolve conflicts

* Update zombienet_tests/README.md
Co-authored-by: Bernhard Schuster <bernhard@ahoi.io>

* clean and consolidate zombienet name

* change runner in gitlab

* add comment explain why we use wococo

* change tag for runner

* remove unused tests

* remove dup Dockerfile and update description

* fmt

* fix compilation post-merge

* fmt

* cut me Some slack
Co-authored-by: Bernhard Schuster <bernhard@ahoi.io>
Co-authored-by: radupopa2010 <radupopa2010@yahoo.com>
Co-authored-by: Bastian Köcher <info@kchr.de>
Co-authored-by: Anton Gavrilov <AntonE.Gavrilov@gmail.com>
Co-authored-by: Andronik Ordian <write@reusable.software>
Co-authored-by: Lldenaurois <Ljdenaurois@gmail.com>
parent cd9929fb
Pipeline #167167 passed with stages in 37 minutes and 17 seconds
......@@ -27,10 +27,10 @@ variables:
CI_IMAGE: "paritytech/ci-linux:production"
DOCKER_OS: "debian:stretch"
ARCH: "x86_64"
ZOMBIENET_IMAGE: "docker.io/paritypr/zombienet"
VAULT_SERVER_URL: "https://vault.parity-mgmt-vault.parity.io"
VAULT_AUTH_PATH: "gitlab-parity-io-jwt"
VAULT_AUTH_ROLE: "cicd_gitlab_parity_${CI_PROJECT_NAME}"
SIMNET_IMAGE: "europe-west3-docker.pkg.dev/parity-simnet/simnet-images/simnet:v14"
PIPELINE_SCRIPTS_TAG: "v0.1"
default:
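Review bot: `ZOMBIENET_IMAGE: "docker.io/paritypr/zombienet"` in the `variables:` block carries no tag or digest, so the runner pulls whatever the default tag resolves to at job time, while the `SIMNET_IMAGE` line in the same hunk is pinned to `:v14`. Pin the zombienet image to a version tag or a `@sha256:` digest so a test result can be reproduced and a changed upstream image cannot silently alter what the deploy-stage jobs execute.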
......@@ -191,6 +191,7 @@ test-build-linux-stable:
script:
- ./scripts/gitlab/test_linux_stable.sh
# we're using the bin built here, instead of having a parallel `build-linux-release`
# disputes feature is needed for zombie-net parachains malus test
- time cargo build --release --verbose --bin polkadot --features "disputes"
- sccache -s
# pack artifacts
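Review bot: adding `--features "disputes"` to the `cargo build --release --verbose --bin polkadot` line changes the binary that, per the comment two lines above it, stands in for a separate `build-linux-release`, so every consumer of this job's artifacts now receives a disputes-enabled build. The malus `Cargo.toml` in this same commit keeps `default = []` with the remark "to avoid feature leak"; either build the disputes-enabled polkadot in a dedicated job for the zombienet tests, or extend the comment to state that the packed artifact is meant to carry the feature.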
......@@ -259,6 +260,26 @@ build-adder-collator:
- echo "adder-collator version = $(cat ./artifacts/VERSION) (EXTRATAG = $(cat ./artifacts/EXTRATAG))"
- cp -r scripts/* ./artifacts
build-malus:
stage: test
<<: *collect-artifacts
<<: *docker-env
<<: *compiler-info
rules:
- if: $CI_PIPELINE_SOURCE == "schedule"
- if: $CI_COMMIT_REF_NAME == "master"
- if: $CI_COMMIT_REF_NAME =~ /^[0-9]+$/ # PRs
script:
- time cargo build --release --verbose -p polkadot-test-malus --features disputes
- sccache -s
# pack artifacts
- mkdir -p ./artifacts
- mv ./target/release/malus ./artifacts/.
- echo -n "${CI_COMMIT_REF_NAME}" > ./artifacts/VERSION
- echo -n "${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHORT_SHA}" > ./artifacts/EXTRATAG
- echo "polkadot-test-malus = $(cat ./artifacts/VERSION) (EXTRATAG = $(cat ./artifacts/EXTRATAG))"
- cp -r scripts/* ./artifacts
#### stage: build
.check-dependent-project: &check-dependent-project
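Review bot: the three-entry `rules:` list in `build-malus` (schedule, `master`, `/^[0-9]+$/`) is written out inline and is repeated verbatim in `publish-malus-image` later in this commit, so the build and publish jobs can drift apart on which refs they run for, leaving `needs: build-malus` unsatisfied. Put the list behind a YAML anchor, as the job already does with `*collect-artifacts`, `*docker-env` and `*compiler-info`, and reference it from both jobs.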
......@@ -393,13 +414,13 @@ publish-polkadot-image:
- job: test-build-linux-stable
artifacts: true
after_script:
# pass artifacts to the simnet-tests job
# pass artifacts to the zombienet-tests job
# https://docs.gitlab.com/ee/ci/multi_project_pipelines.html#with-variable-inheritance
- echo "PARACHAINS_IMAGE_NAME=${IMAGE_NAME}" > ./artifacts/parachains.env
- echo "PARACHAINS_IMAGE_TAG=$(cat ./artifacts/EXTRATAG)" >> ./artifacts/parachains.env
artifacts:
reports:
# this artifact is used in simnet-tests job
# this artifact is used in zombienet-tests job
dotenv: ./artifacts/parachains.env
publish-adder-collator-image:
......@@ -417,14 +438,40 @@ publish-adder-collator-image:
artifacts: true
after_script:
- buildah logout --all
# pass artifacts to the simnet-tests job
# pass artifacts to the zombienet-tests job
- echo "COLLATOR_IMAGE_NAME=${IMAGE_NAME}" > ./artifacts/collator.env
- echo "COLLATOR_IMAGE_TAG=$(cat ./artifacts/EXTRATAG)" >> ./artifacts/collator.env
artifacts:
reports:
# this artifact is used in simnet-tests job
# this artifact is used in zombienet-tests job
dotenv: ./artifacts/collator.env
publish-malus-image:
# service image for Simnet
stage: build
<<: *build-push-image
variables:
<<: *image-variables
# scripts/dockerfiles/malus.Dockerfile
DOCKERFILE: dockerfiles/malus.Dockerfile
IMAGE_NAME: docker.io/paritypr/malus
rules:
- if: $CI_PIPELINE_SOURCE == "schedule"
- if: $CI_COMMIT_REF_NAME == "master"
- if: $CI_COMMIT_REF_NAME =~ /^[0-9]+$/ # PRs
needs:
- job: build-malus
artifacts: true
after_script:
- buildah logout "$IMAGE_NAME"
# pass artifacts to the zombienet-tests job
- echo "MALUS_IMAGE_NAME=${IMAGE_NAME}" > ./artifacts/malus.env
- echo "MALUS_IMAGE_TAG=$(cat ./artifacts/EXTRATAG)" >> ./artifacts/malus.env
artifacts:
reports:
# this artifact is used in zombienet-tests job
dotenv: ./artifacts/malus.env
update_polkadot_weights: &update-weights
stage: build
when: manual
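Review bot: `publish-malus-image` runs `buildah logout "$IMAGE_NAME"` in `after_script`, where `IMAGE_NAME` is the repository path `docker.io/paritypr/malus`, while `publish-adder-collator-image` just above uses `buildah logout --all`. Use `--all` here as well so the registry credentials are dropped from the runner regardless of the key they were stored under. The `# service image for Simnet` comment at the top of the job is also stale, since the `malus.env` dotenv is described further down as being for the zombienet-tests job.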
......@@ -550,38 +597,80 @@ deploy-polkasync-kusama:
allow_failure: true
trigger: "parity/infrastructure/parity-testnet"
simnet-tests:
zombienet-tests-parachains-smoke-test:
stage: deploy
image: "${SIMNET_IMAGE}"
image: "${ZOMBIENET_IMAGE}"
<<: *kubernetes-env
<<: *rules-test-and-rococo
rules:
- if: $CI_PIPELINE_SOURCE == "schedule"
- if: $CI_COMMIT_REF_NAME == "master"
- if: $CI_COMMIT_REF_NAME =~ /^[0-9]+$/ # PRs
- if: $CI_COMMIT_REF_NAME == "rococo-v1"
needs:
- job: publish-polkadot-image
- job: publish-malus-image
- job: publish-adder-collator-image
variables:
GH_DIR: "https://github.com/paritytech/polkadot/tree/master/simnet_tests"
GH_DIR: 'https://github.com/paritytech/polkadot/tree/bernhard-malus-fx-zombienet/zombienet_tests/parachains'
# FIXME: use the master after the merge of the malus pr
# GH_DIR: 'https://github.com/paritytech/polkadot/tree/master/zombienet_tests/parachains'
before_script:
- echo "Zombie-net Tests Config"
- echo "${ZOMBIENET_IMAGE_NAME}"
- echo "${PARACHAINS_IMAGE_NAME} ${PARACHAINS_IMAGE_TAG}"
- echo "${MALUS_IMAGE_NAME} ${MALUS_IMAGE_TAG}"
- echo "${GH_DIR}"
- export DEBUG=zombie,zombie::network-node
- export ZOMBIENET_INTEGRATION_TEST_IMAGE=${PARACHAINS_IMAGE_NAME}:${PARACHAINS_IMAGE_TAG}
- export MALUS_IMAGE=${MALUS_IMAGE_NAME}:${MALUS_IMAGE_TAG}
- export COL_IMAGE=${COLLATOR_IMAGE_NAME}:${COLLATOR_IMAGE_TAG}
script:
- /home/nonroot/zombie-net/scripts/run-test-env-manager.sh
--github-remote-dir="${GH_DIR}"
--test="0001-parachains-smoke-test.feature"
allow_failure: true
retry: 2
tags:
- zombienet-polkadot-integration-test
zombienet-tests-malus-dispute-valid:
stage: deploy
image: "${ZOMBIENET_IMAGE}"
<<: *kubernetes-env
rules:
- if: $CI_PIPELINE_SOURCE == "schedule"
- if: $CI_COMMIT_REF_NAME == "master"
- if: $CI_COMMIT_REF_NAME =~ /^[0-9]+$/ # PRs
- if: $CI_COMMIT_REF_NAME == "rococo-v1"
needs:
- job: publish-polkadot-image
- job: publish-malus-image
- job: publish-adder-collator-image
# `parachains.env` brings here `$PARACHAINS_IMAGE_NAME` and `$PARACHAINS_IMAGE_TAG`
# (`$EXTRATAG` here, # i.e. `2643-0.8.29-5f689e0a-6b24dc54`).
# `collator.env` brings here `$COLLATOR_IMAGE_NAME` and `$COLLATOR_IMAGE_TAG`
# For local tests with docker `$PARACHAINS_IMAGE_TAG` and `$COLLATOR_IMAGE_TAG`
# can be replaced with `master` tag.
# SIMNET_REF is a gitlab variable
variables:
GH_DIR: 'https://github.com/paritytech/polkadot/tree/bernhard-malus-fx-zombienet/node/malus/integrationtests'
# FIXME: use the master after the merge of the malus pr
# GH_DIR: 'https://github.com/paritytech/polkadot/tree/master/node/malus/integrationtests'
before_script:
- echo "Simnet Tests Config"
- echo "${SIMNET_IMAGE}"
- echo "Zombie-net Tests Config"
- echo "${ZOMBIENET_IMAGE_NAME}"
- echo "${PARACHAINS_IMAGE_NAME} ${PARACHAINS_IMAGE_TAG}"
- echo "${COLLATOR_IMAGE_NAME} ${COLLATOR_IMAGE_TAG}"
- echo "${MALUS_IMAGE_NAME} ${MALUS_IMAGE_TAG}"
- echo "${GH_DIR}"
- export DEBUG=zombie,zombie::network-node
- export ZOMBIENET_INTEGRATION_TEST_IMAGE=${PARACHAINS_IMAGE_NAME}:${PARACHAINS_IMAGE_TAG}
- export MALUS_IMAGE=${MALUS_IMAGE_NAME}:${MALUS_IMAGE_TAG}
- export COL_IMAGE=${COLLATOR_IMAGE_NAME}:${COLLATOR_IMAGE_TAG}
script:
- /home/nonroot/simnet/scripts/run-test-environment-manager-v2.sh
- /home/nonroot/zombie-net/scripts/run-test-env-manager.sh
--github-remote-dir="${GH_DIR}"
--tag=smoketest
--image="PARACHAINSIMAGE=${PARACHAINS_IMAGE_NAME}:${PARACHAINS_IMAGE_TAG}"
--image="SYNTHIMAGE=${PARACHAINS_IMAGE_NAME}:${PARACHAINS_IMAGE_TAG}"
--image="COLIMAGE=${COLLATOR_IMAGE_NAME}:${COLLATOR_IMAGE_TAG}"
--image="SCRIPTSIMAGE=${SIMNET_IMAGE}"
--test="0001-dispute-valid-block.feature"
allow_failure: true
retry: 2
tags:
- polkadot-simnet
- zombienet-polkadot-integration-test
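Review bot: both new jobs set `GH_DIR` to a URL under `tree/bernhard-malus-fx-zombienet/`, so the `.feature` and `.toml` definitions are fetched from a mutable feature branch rather than from the ref whose images are under test, and the jobs stop working once that branch is deleted; the `FIXME` notes this but nothing enforces it. Point the URL at the ref being built, or switch to the commented-out `master` URL in the same change that merges the PR. Two smaller points in the same hunk: `before_script` echoes `${ZOMBIENET_IMAGE_NAME}`, which is not defined anywhere in the visible lines (the variable added at the top of the file is `ZOMBIENET_IMAGE`), and `allow_failure: true` combined with `retry: 2` means a failing dispute test never turns the pipeline red.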
......@@ -7127,15 +7127,23 @@ dependencies = [
"async-trait",
"color-eyre",
"futures 0.3.17",
"futures-timer 3.0.2",
"parity-util-mem",
"polkadot-cli",
"polkadot-node-core-backing",
"polkadot-node-core-candidate-validation",
"polkadot-node-core-dispute-coordinator",
"polkadot-node-core-pvf",
"polkadot-node-primitives",
"polkadot-node-subsystem",
"polkadot-node-subsystem-test-helpers",
"polkadot-node-subsystem-types",
"polkadot-node-subsystem-util",
"polkadot-primitives",
"sp-core",
"sp-keystore",
"structopt",
"tracing",
]
[[package]]
......
......@@ -219,8 +219,8 @@ fn ensure_dev(spec: &Box<dyn service::ChainSpec>) -> std::result::Result<(), Str
/// accepts an alternative overseer generator, to adjust behavior
/// for integration tests as needed.
#[cfg(feature = "malus")]
pub fn run_node(cli: Cli, overseer_gen: impl service::OverseerGen) -> Result<()> {
run_node_inner(cli, overseer_gen)
pub fn run_node(run: Cli, overseer_gen: impl service::OverseerGen) -> Result<()> {
run_node_inner(run, overseer_gen)
}
fn run_node_inner(cli: Cli, overseer_gen: impl service::OverseerGen) -> Result<()> {
......
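Review bot: in `run_node` the parameter is renamed from `cli` to `run`, but `run_node_inner(cli: Cli, ...)` directly below keeps `cli` and the type is still `Cli`, so the two signatures now name the same value differently. Keep `cli` in both, or rename both and say why in the doc comment above `run_node`.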
[lib]
name = "malus"
path = "src/lib.rs"
[[bin]]
name = "malus-variant-a"
path = "src/variant-a.rs"
[package]
name = "polkadot-test-malus"
description = "Misbehaving nodes for local testnets, system and Simnet tests."
......@@ -16,17 +8,34 @@ edition = "2018"
readme = "README.md"
publish = false
[[bin]]
name = "malus"
path = "src/malus.rs"
[dependencies]
polkadot-cli = { path = "../../cli", default-features = false, features = [ "cli", "malus" ] }
polkadot-node-subsystem = { path = "../subsystem" }
polkadot-node-subsystem-util = { path = "../subsystem-util" }
polkadot-node-subsystem-types = { path = "../subsystem-types" }
polkadot-node-core-dispute-coordinator = { path = "../core/dispute-coordinator" }
polkadot-node-core-candidate-validation = { path = "../core/candidate-validation" }
polkadot-node-core-backing = { path = "../core/backing" }
polkadot-node-primitives = { path = "../primitives" }
polkadot-primitives = { path = "../../primitives" }
polkadot-node-core-pvf = { path = "../core/pvf" }
parity-util-mem = { version = "0.10.0", default-features = false, features = ["jemalloc-global"] }
color-eyre = { version = "0.5.11", default-features = false }
assert_matches = "1.5"
structopt = "0.3.25"
async-trait = "0.1.51"
sp-keystore = { git = "https://github.com/paritytech/substrate", branch = "master" }
futures = "0.3.16"
futures-timer = "3.0.2"
tracing = "0.1.26"
[features]
default = [] # we do not enable disputes by default to avoid feature leak
disputes = ["polkadot-cli/disputes"]
[dev-dependencies]
polkadot-node-subsystem-test-helpers = { path = "../subsystem-test-helpers" }
......
# malus
Create nemesis nodes with alternate, at best fault, at worst intentionally destructive behavior traits.
\ No newline at end of file
Create nemesis nodes with alternate, at best faulty, at worst intentionally destructive behavior traits.
The first argument determines the behavior strain. The currently supported are:
* `suggest-garbage-candidate`
* `back-garbage-candidate`
* `dispute-ancestor`
## Integration test cases
To define integration tests create file
in the toml format as used with [zombienet][zombienet]
under `./integrationtests` describing the network to spawn and
also the `feature` file (with `.feature` extension ) using the format
defined in the [DSL doc](https://github.com/paritytech/zombienet/blob/main/docs/testing-dsl-definition.md).
## Usage
> Assumes you already gained permissiones, ping in element @javier:matrix.parity.io to get access.
> and you have cloned the [zombienet][zombienet] repo.
To launch a test case in the development cluster use (e.g. for the ./node/malus/integrationtests/0001-dispute-valid-block.toml):
```sh
# declare the containers pulled in by zombie-net test definitions
export MALUS_IMAGE=docker.io/paritypr/malus:4131-ccd09bbf
export ZOMBIENET_INTEGRATION_TEST_IMAGE=docker.io/paritypr/synth-wave:4131-0.9.12-ccd09bbf-29a1ac18
export COL_IMAGE=docker.io/paritypr/colander:4131-ccd09bbf
# login chore, once, with the values as provided in the above guide
gcloud auth login
gcloud config set project "parity-zombienet"
gcloud container clusters get-credentials "parity-zombienet" --zone "europe-west3-b" --project parity-zombienet
# launching the actual test
cd zombienet
npm run build
node dist/cli.js test <path to polkadot repo>/node/malus/integrationtests/0001-dispute-valid-block.feature
# Access logs (in google cloud storage)
gsutil ls gs://zombienet-logs/zombie-<namespace uniqueId>/logs/
```
This will also teardown the namespace after completion.
## Container Image Building Note
In order to build the container image you need to have the latest changes from
polkadot and substrate master branches.
```sh
pwd # run this from the current dir
podman build -t paritypr/malus:v1 -f Containerfile ../../..
```
[zombienet]: https://github.com/paritytech/zombienet
[gke]: (https://github.com/paritytech/gurke/blob/main/docs/How-to-setup-access-to-gke-k8s-cluster.md)
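Review bot: the link definition `[gke]: (https://github.com/paritytech/gurke/...)` at the end of the README wraps the URL in parentheses and `[gke]` is never referenced in the text, so the access guide that the Usage section relies on ("with the values as provided in the above guide") is not linked anywhere. Drop the parentheses and reference `[gke]` from the "Assumes you already gained permissiones" note, fixing the spelling of "permissions" there. The `export MALUS_IMAGE=...:4131-ccd09bbf` lines hardcode tags from this PR; mark them as examples or say where current tags can be found.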
#
### Builder stage
#
FROM rust as builder
WORKDIR /usr/src/polkadot-malus
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y \
ca-certificates \
clang \
curl \
cmake \
libssl1.1 \
libssl-dev \
pkg-config
RUN export PATH="$PATH:$HOME/.cargo/bin" && \
rustup toolchain install nightly && \
rustup target add wasm32-unknown-unknown --toolchain nightly && \
rustup default stable
COPY polkadot/ /usr/src/polkadot-malus/polkadot/
COPY substrate/ /usr/src/polkadot-malus/substrate/
WORKDIR /usr/src/polkadot-malus/polkadot
RUN cargo build -p polkadot-test-malus --release
RUN cp -v /usr/src/polkadot-malus/polkadot/target/release/malus /usr/local/bin
# check if executable works in this container
RUN /usr/local/bin/malus $VARIANT --version
#
### Runtime
#
FROM debian:buster-slim as runtime
RUN apt-get update && \
apt-get install -y curl tini
COPY --from=builder /usr/src/polkadot-malus/polkadot/target/release/malus /usr/local/bin
# Non-root user for security purposes.
#
# UIDs below 10,000 are a security risk, as a container breakout could result
# in the container being ran as a more privileged user on the host kernel with
# the same UID.
#
# Static GID/UID is also useful for chown'ing files outside the container where
# such a user does not exist.
RUN groupadd --gid 10001 nonroot && \
useradd --home-dir /home/nonroot \
--create-home \
--shell /bin/bash \
--gid nonroot \
--groups nonroot \
--uid 10000 nonroot
WORKDIR /home/nonroot/polkadot-malus
RUN chown -R nonroot. /home/nonroot
# Use the non-root user to run our application
# Tell run test script that it runs in container
USER nonroot
# check if executable works in this container
RUN /usr/local/bin/malus --version
# Tini allows us to avoid several Docker edge cases, see https://github.com/krallin/tini.
ENTRYPOINT ["tini", "--", "/usr/local/bin/malus"]
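Review bot: the builder stage runs `RUN /usr/local/bin/malus $VARIANT --version`, but no `ARG VARIANT` or `ENV VARIANT` is declared in this file, so the variable expands to nothing and the reference is a leftover from the per-variant binaries; the runtime stage already uses plain `malus --version`. Remove `$VARIANT` from the builder check. `FROM rust as builder` is also unpinned while the cargo-chef variant in this commit uses `rust:1.54.0`; pin both to the same toolchain image so the two build paths produce comparable binaries.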
FROM rust:1.54.0 as planner
WORKDIR /usr/src/polkadot-malus
# We only pay the installation cost once,
# it will be cached from the second build onwards
RUN cargo install cargo-chef
COPY polkadot/ /usr/src/polkadot-malus/polkadot/
COPY substrate/ /usr/src/polkadot-malus/substrate/
WORKDIR /usr/src/polkadot-malus/polkadot
RUN cargo chef prepare --recipe-path recipe.json
FROM rust:1.54.0 as cacher
WORKDIR /usr/src/polkadot-malus/polkadot
RUN cargo install cargo-chef
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y \
ca-certificates \
clang \
curl \
cmake \
libssl1.1 \
libssl-dev \
pkg-config
RUN export PATH="$PATH:$HOME/.cargo/bin" && \
rustup toolchain install nightly && \
rustup target add wasm32-unknown-unknown --toolchain nightly && \
rustup default stable
COPY --from=planner /usr/src/polkadot-malus/polkadot/recipe.json recipe.json
RUN cargo chef cook --release --recipe-path recipe.json
FROM rust:1.54.0 as builder
WORKDIR /usr/src/polkadot-malus
COPY polkadot/ /usr/src/polkadot-malus/polkadot/
COPY substrate/ /usr/src/polkadot-malus/substrate/
# Copy over the cached dependencies
WORKDIR /usr/src/polkadot-malus/polkadot
COPY --from=cacher /usr/src/polkadot-malus/polkadot/target target
COPY --from=cacher $CARGO_HOME $CARGO_HOME
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y \
ca-certificates \
clang \
curl \
cmake \
libssl1.1 \
libssl-dev \
pkg-config
RUN export PATH="$PATH:$HOME/.cargo/bin" && \
rustup toolchain install nightly && \
rustup target add wasm32-unknown-unknown --toolchain nightly && \
rustup default stable
RUN cargo build -p polkadot-test-malus --release
FROM debian:buster-slim as runtime
RUN apt-get update && \
apt-get install -y curl tini
COPY --from=builder /usr/src/polkadot-malus/polkadot/target/release/malus /usr/local/bin
# Non-root user for security purposes.
#
# UIDs below 10,000 are a security risk, as a container breakout could result
# in the container being ran as a more privileged user on the host kernel with
# the same UID.
#
# Static GID/UID is also useful for chown'ing files outside the container where
# such a user does not exist.
RUN groupadd --gid 10001 nonroot && \
useradd --home-dir /home/nonroot \
--create-home \
--shell /bin/bash \
--gid nonroot \
--groups nonroot \
--uid 10000 nonroot
WORKDIR /home/nonroot/polkadot-malus
RUN chown -R nonroot. /home/nonroot
# Use the non-root user to run our application
# Tell run test script that it runs in container
USER nonroot
# check if executable works in this container
RUN /usr/local/bin/malus --version
# Tini allows us to avoid several Docker edge cases, see https://github.com/krallin/tini.
ENTRYPOINT ["/usr/local/bin/malus"]
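Review bot: the runtime stage ends with `ENTRYPOINT ["/usr/local/bin/malus"]` even though the comment on the line above explains tini and the stage installs it with `apt-get install -y curl tini`; the other malus container files in this commit use `["tini", "--", "/usr/local/bin/malus"]`. Use the tini form here too so malus does not run as PID 1 without signal forwarding and zombie reaping. The apt and rustup `RUN` blocks are also duplicated in the `cacher` and `builder` stages; a shared base stage would remove the repetition.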
podman build -t paritypr/malus:v1 -f Containerfile ../../../..
#
### Builder stage
#
FROM rust as builder
WORKDIR /usr/src/polkadot-malus
COPY polkadot/ /usr/src/polkadot-malus/polkadot/
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y \
ca-certificates \
clang \
curl \
cmake \
libssl1.1 \
libssl-dev \
pkg-config
RUN export PATH="$PATH:$HOME/.cargo/bin" && \
rustup toolchain install nightly && \
rustup target add wasm32-unknown-unknown --toolchain nightly && \
rustup default stable
WORKDIR /usr/src/polkadot-malus/polkadot
RUN cargo build -p polkadot-test-malus --release --verbose
RUN cp -v /usr/src/polkadot-malus/polkadot/target/release/malus /usr/local/bin
# check if executable works in this container
RUN /usr/local/bin/malus --version
#
### Runtime
#
FROM debian:buster-slim as runtime
RUN apt-get update && \
apt-get install -y curl tini
COPY --from=builder /usr/src/polkadot-malus/polkadot/target/release/malus /usr/local/bin
# Non-root user for security purposes.
#
# UIDs below 10,000 are a security risk, as a container breakout could result
# in the container being ran as a more privileged user on the host kernel with
# the same UID.
#
# Static GID/UID is also useful for chown'ing files outside the container where
# such a user does not exist.
RUN groupadd --gid 10001 nonroot && \
useradd --home-dir /home/nonroot \
--create-home \
--shell /bin/bash \
--gid nonroot \
--groups nonroot \
--uid 10000 nonroot
WORKDIR /home/nonroot/polkadot-malus
RUN chown -R nonroot. /home/nonroot
# Use the non-root user to run our application
USER nonroot
# check if executable works in this container
RUN /usr/local/bin/malus --version
# Tini allows us to avoid several Docker edge cases, see https://github.com/krallin/tini.
ENTRYPOINT ["tini", "--", "/usr/local/bin/malus"]
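Review bot: `COPY polkadot/ /usr/src/polkadot-malus/polkadot/` sits before the `apt-get install` and `rustup` layers in the builder stage, so every source change invalidates the package and toolchain layers and they are rebuilt each time. Move the `COPY` to just before the `cargo build -p polkadot-test-malus` step, which is where the first Containerfile in this commit places it. In the runtime stage, `apt-get install -y curl tini` leaves the apt lists in the image; adding `--no-install-recommends` and removing `/var/lib/apt/lists/*` in the same `RUN` keeps the test image smaller.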
#
### Builder stage
#
FROM rust as builder
WORKDIR /usr/src/polkadot
COPY polkadot/ /usr/src/polkadot
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y \
ca-certificates \
clang \
curl \
cmake \
libssl1.1 \
libssl-dev \
pkg-config
RUN export PATH="$PATH:$HOME/.cargo/bin" && \
rustup toolchain install nightly && \
rustup target add wasm32-unknown-unknown --toolchain nightly && \
rustup default stable
WORKDIR /usr/src/polkadot
RUN cargo build --release --bin polkadot --features disputes --verbose
RUN cp -v /usr/src/polkadot/target/release/polkadot /usr/local/bin
# check if executable works in this container
RUN /usr/local/bin/polkadot --version
#
### Runtime
#
FROM debian:buster-slim as runtime
RUN apt-get update && \
apt-get install -y curl tini
COPY --from=builder /usr/src/polkadot/target/release/polkadot /usr/local/bin
# Non-root user for security purposes.
#
# UIDs below 10,000 are a security risk, as a container breakout could result
# in the container being ran as a more privileged user on the host kernel with
# the same UID.