Fix some docker CI issues (#5013)

### Changes - Remove leakage by adding --rm to docker run invocations - Remove resource sharing by adding a name to the docker compose invocations - Add `-L` to all `nix build` in the CI ### Issues fix #5011 fix #5001
cardano-foundation · Feb 27, 2025 · 89b0cdc · 89b0cdc
2 parents 394e81d + 78f4b1d
commit 89b0cdc
Show file tree

Hide file tree

Showing 14 changed files with 47 additions and 34 deletions.
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
@@ -64,9 +64,9 @@ steps:
     steps:
     - label: Nix Build (linux)
       commands:
-        - nix build .#cardano-wallet
-        - nix build .#cardano-node
-        - nix build .#cardano-cli
+        - nix build -L .#cardano-wallet
+        - nix build -L .#cardano-node
+        - nix build -L .#cardano-cli
       agents:
         system: ${linux}
 
@@ -298,7 +298,7 @@ steps:
 
     - label: Build Benchmarks (linux)
       command:
-        - nix build .#ci.benchmarks.all
+        - nix build -L .#ci.benchmarks.all
       agents:
         system: ${linux}
 
@@ -311,8 +311,8 @@ steps:
       key: nix-build-benchmarks
       depends_on: trigger-benchmarks
       command:
-        - nix build
-        - nix build .#ci.benchmarks.all
+        - nix build -L
+        - nix build -L .#ci.benchmarks.all
       agents:
         system: ${linux}
         queue: adrestia-bench
@@ -434,15 +434,15 @@ steps:
     - label: Build Package (macOS, x86_64)
       key: macos-intel-package
       depends_on: block-macos
-      command: 'nix build -o result/macos-intel .#packages.x86_64-darwin.ci.artifacts.macos-intel.release'
+      command: 'nix build -L -o result/macos-intel .#packages.x86_64-darwin.ci.artifacts.macos-intel.release'
       artifact_paths: [ "./result/macos-intel/**" ]
       agents:
         system: ${macos}
 
     - label: Build Package (macOS, arm64)
       key: macos-arm64-package
       depends_on: block-macos
-      command: 'nix build -o result/macos-silicon .#packages.aarch64-darwin.ci.artifacts.macos-silicon.release'
+      command: 'nix build -L -o result/macos-silicon .#packages.aarch64-darwin.ci.artifacts.macos-silicon.release'
       artifact_paths: [ "./result/macos-silicon/**" ]
       agents:
         system: ${macos}
@@ -525,7 +525,7 @@ steps:
       key: windows-package
       depends_on:
         - trigger-build-windows-artifacts
-      command: nix build -o result/windows .#ci.artifacts.win64.release
+      command: nix build -L -o result/windows .#ci.artifacts.win64.release
       artifact_paths: [ "./result/windows/**" ]
       agents:
         system: ${linux}
@@ -535,7 +535,7 @@ steps:
       key: windows-testing-bundle
       depends_on:
         - trigger-build-windows-artifacts
-      command: nix build -o result/windows-tests .#ci.artifacts.win64.tests
+      command: nix build -L -o result/windows-tests .#ci.artifacts.win64.tests
       artifact_paths: [ "./result/windows-tests/**" ]
       agents:
         system: ${linux}
@@ -609,6 +609,7 @@ steps:
       - label: Mainnet Boot Sync
         timeout_in_minutes: 30
         command: |
+          export COMPOSE_PROJECT_NAME=$(head /dev/urandom | tr -dc a-z | head -c 8 ; echo '')
           cd run/mainnet/docker
           export WALLET_TAG=$(buildkite-agent meta-data get "docker-image-tag")
           rm -rf databases
@@ -622,6 +623,7 @@ steps:
       - label: Preview Boot Sync
         timeout_in_minutes: 30
         command: |
+          export COMPOSE_PROJECT_NAME=$(head /dev/urandom | tr -dc a-z | head -c 8 ; echo '')
           cd run/preview/docker
           export WALLET_TAG=$(buildkite-agent meta-data get "docker-image-tag")
           rm -rf databases
@@ -641,6 +643,7 @@ steps:
         timeout_in_minutes: 120
         depends_on: mithril-mainnet-full-sync-block
         command: |
+          export COMPOSE_PROJECT_NAME=$(head /dev/urandom | tr -dc a-z | head -c 8 ; echo '')
           cd run/mainnet/docker
           export WALLET_TAG=$(buildkite-agent meta-data get "docker-image-tag")
           rm -rf databases

diff --git a/.buildkite/restoration-benchmarks.yml b/.buildkite/restoration-benchmarks.yml
@@ -32,8 +32,8 @@ steps:
     key: nix-build-benchmarks
     depends_on: restoration-parameters
     command:
-      - nix build
-      - nix build .#ci.benchmarks.all
+      - nix build -L
+      - nix build -L .#ci.benchmarks.all
     agents:
       system: ${linux}
       queue: adrestia-bench

diff --git a/README.md b/README.md
@@ -180,7 +180,7 @@ It would be no different from exposing the keys to your bank account to the inte
 You can connect to the wallet by attaching a container to the network and using the internal port.
 
 ```bash
-docker run -it --network mainnet_default alpine/curl curl http://cardano-wallet:8090/v2/network/information | jq
+docker run --rm -it --network mainnet_default alpine/curl curl http://cardano-wallet:8090/v2/network/information | jq
 ```
 
 Or modify the `docker-compose.yml` to host your client in the `mainnet_default` network.

diff --git a/run/common/docker/docker-compose.yml b/run/common/docker/docker-compose.yml
@@ -48,3 +48,13 @@ services:
         compress: "true"
         max-file: "10"
         max-size: "50m"
+
+  mithril:
+    env_file:
+      - .env
+    image: ghcr.io/input-output-hk/mithril-client:2506.0-2627f17
+    user: ${USER_ID}:${GROUP_ID}
+    volumes:
+      - ${NODE_DB}:/app/db
+    profiles:
+      - mithril
diff --git a/run/common/docker/run.sh b/run/common/docker/run.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Enforce strict script execution modes
-set -euo pipefail
+set -euox pipefail
 
 # Function to display usage information
 usage() {
@@ -81,32 +81,30 @@ LOCAL_NODE_CONFIGS=./configs
 NODE_CONFIGS=${NODE_CONFIGS:=$LOCAL_NODE_CONFIGS}
 export NODE_CONFIGS
 
+COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:=cardano}
 startup() {
     # Pull the latest images
     if [ -z "${USE_LOCAL_IMAGE-}" ]; then
         docker compose pull -q
     fi
     # Start the service in detached mode
-    docker compose up -d
+    docker compose -p "$COMPOSE_PROJECT_NAME" up -d
 }
 
 # Function to clean up the service
 cleanup() {
     echo "Cleaning up..."
-    docker compose down 2>/dev/null
+    docker compose -p "$COMPOSE_PROJECT_NAME" down 2>/dev/null
     sleep  3
-    docker compose kill 2>/dev/null
+    docker compose -p "$COMPOSE_PROJECT_NAME" kill 2>/dev/null
 }
 
 node-db-with-mithril() {
-    if [ "$NETWORK" != "mainnet" ]; then
-        echo "Error: This option is only available for the mainnet network"
-        exit 1
-    fi
+    random_name=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8 ; echo '')
     echo "Starting the mithril service..."
-    digest=$(docker compose -p mithril run --rm mithril cdb  snapshot list --json | jq -r .[0].digest)
+    digest=$(docker compose -p "$random_name" --profile  mithril run --rm mithril cdb  snapshot list --json | jq -r .[0].digest)
     rm -rf "${NODE_DB:?}"/*
-    docker compose -p mithril run --rm mithril cdb download "$digest"
+    docker compose -p "$random_name" --profile mithril run --rm mithril cdb download "$digest"
 }
 
 # Case statement to handle different command-line arguments
@@ -125,7 +123,7 @@ case "$1" in
         start_time=$(date +%s)
 
         # Commands to query service status and node tip time
-        command=$(printf "docker run --network %s_default alpine/curl curl -s --max-time 5 http://cardano-wallet:8090/v2/network/information | jq -r" "$NETWORK" )
+        command=$(printf "docker run --rm --network %s_default alpine/curl curl -s --max-time 5 http://cardano-wallet:8090/v2/network/information | jq -r" "$COMPOSE_PROJECT_NAME")
         query_status="$command  .sync_progress.status"
         query_time="$command .node_tip.time"
         query_progress="$command .sync_progress.progress.quantity"
@@ -178,7 +176,7 @@ case "$1" in
         ;;
     logs)
         echo "Showing logs..."
-        docker compose logs -f  # Follow the service logs
+        docker compose -p "$COMPOSE_PROJECT_NAME" logs -f  # Follow the service logs
         ;;
     node-db-with-mithril)
         node-db-with-mithril

diff --git a/run/preprod/docker/.env b/run/preprod/docker/.env
@@ -1 +1,3 @@
 NETWORK="preprod"
+AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator
+GENESIS_VERIFICATION_KEY=5b3132372c37332c3132342c3136312c362c3133372c3133312c3231332c3230372c3131372c3139382c38352c3137362c3139392c3136322c3234312c36382c3132332c3131392c3134352c31332c3233322c3234332c34392c3232392c322c3234392c3230352c3230352c33392c3233352c34345d 
diff --git a/scripts/buildkite/main/bench-api.sh b/scripts/buildkite/main/bench-api.sh
@@ -19,7 +19,7 @@ results=api.txt
 echo "--- Build"
 nix --version
 
-nix build .#ci.benchmarks.api -o bench-api
+nix build -L .#ci.benchmarks.api -o bench-api
 bench="./bench-api/bin/api lib/benchmarks/data/api-bench"
 
 

diff --git a/scripts/buildkite/main/bench-db.sh b/scripts/buildkite/main/bench-db.sh
@@ -12,7 +12,7 @@ mkdir -p $TMPDIR
 rm -rf $bench_name
 
 echo "--- Build"
-nix build .#ci.benchmarks.db -o $bench_name
+nix build -L .#ci.benchmarks.db -o $bench_name
 
 echo "+++ Run benchmark"
 

diff --git a/scripts/buildkite/main/bench-read-blocks.sh b/scripts/buildkite/main/bench-read-blocks.sh
@@ -20,7 +20,7 @@ log=read-blocks.log
 echo "--- Build"
 nix --version
 
-nix build .#ci.benchmarks.read-blocks -o bench-read-blocks
+nix build -L .#ci.benchmarks.read-blocks -o bench-read-blocks
 bench="./bench-read-blocks/bin/read-blocks"
 
 

diff --git a/scripts/buildkite/main/bench-restore.sh b/scripts/buildkite/main/bench-restore.sh
@@ -20,7 +20,7 @@ export TMPDIR="$TMPDIR/bench/restore"
 mkdir -p "$TMPDIR"
 
 echo "--- Build"
-nix build .#ci.benchmarks.restore -o bench-restore
+nix build -L .#ci.benchmarks.restore -o bench-restore
 
 echo "--- Run benchmarks - $network"
 

diff --git a/scripts/buildkite/main/docker-build.sh b/scripts/buildkite/main/docker-build.sh
@@ -21,9 +21,9 @@ mkdir -p artifacts
 TARGET="artifacts/cardano-wallet-$RELEASE_VERSION-docker-image.tgz"
 
 if [ "$RELEASING" = "testing" ]; then
-    nix build .#dockerTestImage -o "$TARGET"
+    nix build -L .#dockerTestImage -o "$TARGET"
 else
-    nix build .#dockerImage -o "$TARGET"
+    nix build -L .#dockerImage -o "$TARGET"
 fi
 
 output=$(docker load <"$TARGET")

diff --git a/scripts/buildkite/main/linux-package.sh b/scripts/buildkite/main/linux-package.sh
@@ -9,4 +9,4 @@ git fetch --all
 git checkout "$RELEASE_CANDIDATE_COMMIT"
 
 rm -rf ./result/*
-nix build -o result/linux .#ci.artifacts.linux64.release
+nix build -L -o result/linux .#ci.artifacts.linux64.release
diff --git a/scripts/buildkite/main/macos-intel-package.sh b/scripts/buildkite/main/macos-intel-package.sh
@@ -9,4 +9,4 @@ git fetch --all
 git checkout "$RELEASE_CANDIDATE_COMMIT"
 
 rm -rf ./result/*
-nix build -o result/macos-intel .#packages.x86_64-darwin.ci.artifacts.macos-intel.release
+nix build -L -o result/macos-intel .#packages.x86_64-darwin.ci.artifacts.macos-intel.release
diff --git a/scripts/buildkite/main/macos-silicon-package.sh b/scripts/buildkite/main/macos-silicon-package.sh
@@ -9,4 +9,4 @@ git fetch --all
 git checkout "$RELEASE_CANDIDATE_COMMIT"
 
 rm -rf ./result/*
-nix build -o result/macos-silicon .#packages.aarch64-darwin.ci.artifacts.macos-silicon.release
+nix build -L -o result/macos-silicon .#packages.aarch64-darwin.ci.artifacts.macos-silicon.release