ops-bedrock: Beacon-chain devnet with Dencun + Ecotone upgrade #9117
Conversation
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
protolambda
force-pushed
the
ecotone-beacon-devnet
branch
from
ac19021
to
b7e6afa
Compare
|
Semgrep found 6 Named return arguments to functions must be appended with an underscore ( |
protolambda
force-pushed
the
ecotone-beacon-devnet
branch
from
28fc937
to
0516e9b
Compare
|
This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
protolambda
force-pushed
the
ecotone-beacon-devnet
branch
from
0516e9b
to
4d96bf0
Compare
|
Squashed and rebased on latest |
protolambda
changed the title
|
Wondering if we plan on moving forward with this as we will be needing a devnet for interop development soon |
|
@tynes yes, moving forward with this. Currently blocked on 2 things:
|
|
|
|
This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
sebastianst
force-pushed
the
ecotone-beacon-devnet
branch
from
4d96bf0
to
269b5dc
Compare
|
Semgrep found 3
Named return arguments to functions must be appended with an underscore ( |
|
This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
How is the progress on this coming along? |
@tynes Blocked by a bunch of other more urgent work unfortunately. Hope to get to it on Friday or Monday. |
|
This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
Semgrep found 9
No Semgrep found 3 Service 'grafana' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this. Ignore this finding from writable-filesystem-service.Semgrep found 3 Service 'grafana' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this. Ignore this finding from no-new-privileges.Semgrep found 3 Service port is exposed on all interfaces Ignore this finding from port-all-interfaces.Semgrep found 1 A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy. View Dataflow Graphflowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>indexer/database/db.go</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/ethereum-optimism/optimism/blob/ab31d2b0485f84a9868d9aa6fffbdace836333bc/indexer/database/db.go#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] " password=%s"</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/ethereum-optimism/optimism/blob/ab31d2b0485f84a9868d9aa6fffbdace836333bc/indexer/database/db.go#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] dsn</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/ethereum-optimism/optimism/blob/ab31d2b0485f84a9868d9aa6fffbdace836333bc/indexer/database/db.go#L64 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 64] gorm.Open(postgres.Open(dsn), &gormConfig)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
Semgrep found 1 The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy. View Dataflow Graphflowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>indexer/database/db.go</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/ethereum-optimism/optimism/blob/ab31d2b0485f84a9868d9aa6fffbdace836333bc/indexer/database/db.go#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] " password=%s"</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/ethereum-optimism/optimism/blob/ab31d2b0485f84a9868d9aa6fffbdace836333bc/indexer/database/db.go#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] dsn</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/ethereum-optimism/optimism/blob/ab31d2b0485f84a9868d9aa6fffbdace836333bc/indexer/database/db.go#L64 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 64] gorm.Open(postgres.Open(dsn), &gormConfig)</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
Semgrep found 2 Detected directly writing or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package and render data using 'template.Execute()'. Ignore this finding from no-direct-write-to-responsewriter.Semgrep found 2 If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner. Ignore this finding from unsafe-reflect-by-name.Semgrep found 2 Detected string concatenation with a non-literal variable in a "database/sql" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls. Ignore this finding from gosql-sqli. |
| run_commands([ | ||
| CommandPreset('erc20-test', | ||
| ['npx', 'hardhat', 'deposit-erc20', '--network', 'devnetL1', | ||
| '--l1-contracts-json-path', paths.addresses_json_path, '--signer-index', '14'], | ||
| cwd=paths.tasks_dir, timeout=8*60), | ||
| # CommandPreset('erc20-test', | ||
| # ['npx', 'hardhat', 'deposit-erc20', '--network', 'devnetL1', | ||
| # '--l1-contracts-json-path', paths.addresses_json_path, '--signer-index', '14'], | ||
| # cwd=paths.tasks_dir, timeout=8*60) |
There was a problem hiding this comment.
Didn't mean to commit this diff. If reviewers are happy with the op-e2e devnet test, I will just remove this altogether. Can then remove the devnet-tasks in a follow up.
There was a problem hiding this comment.
I would like to remove these devnet tasks, perhaps its a better idea to see them pass in CI against the new devnet before removing them
There was a problem hiding this comment.
@tynes They don't pass and I cannot get them to work. I wasted a lot of time on this. This is the reason I switched to Go tests.
| @@ -189,3 +192,14 @@ func (a *Addresses) All() []common.Address { | |||
| a.Mallory, | |||
| } | |||
| } | |||
|
|
|||
| func (s *Secrets) AccountAtIdx(idx int) *ecdsa.PrivateKey { | |||
There was a problem hiding this comment.
perhaps uint because negative values don't make sense here?
There was a problem hiding this comment.
It's common to use ints in Go for indices that don't make sense to be negative. So I just followed that convention. E.g. see stdlib, it uses int indices everywhere. The user of this API is usually an expert who wouldn't put in negative numbers. So I'd just leave it as is.
|
We are moving towards removing the L2OO and being a fault proofs only sort of system, just wanna make sure that we are on the same page and that this takes that into account, ie no deep assumptions about L2OO in this diff |
@tynes yes, this PR just adds lighthouse, the default local devnet is still FP enabled. |
Description
This PR makes the local devnet to use a real lighthouse Beacon node.
It also enables Delta by default on all e2e tests, plus L1 enables Cancun after a few blocks, and Ecotone a shortly after.
In a follow up PR, Ecotone and Cancun will be enabled at genesis.
The PR also improves fork selection in individual tests and fixes from fork tests (e.g. one Ecotone test didn't call its activation function).
The PR introduces a new package
op-e2e/devnetto run e2e tests against the local devnet. It provides a minimalSystemabstraction that works with the withdrawals test, which got extracted and made into a reusable test.ℹ️ For reviewers: the files in
ops-bedrock/dataare auto-generated.Tests
Many fixed.
Additional context
Explicit fork selection in tests is somewhat improved, but is still brittle. We should completely remove fork selection by setting individual
<Fork>TimeOffsetfields in the deploy config and do it by a modular constructor of the configs using theWith...option pattern.Open TODOs are tracked at #10968
Metadata