feat: add zksync_tee_prover and container to nix (#2403)

``` $ nix build -L .#tee_prover $ nix build -L .#container-tee_prover-dcap $ nix build -L .#container-tee_prover-azure $ export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*') $ docker run -i --env GRAMINE_DIRECT=1 --env TEE_API_URL="http://127.0.0.1:3320" --privileged --init $IMAGE_TAG ``` ## What ❔    ## Why ❔   ## Checklist   - [x] PR title corresponds to the body of PR (we generate changelog entries from PRs). - [ ] Tests for the changes have been added / updated. - [x] Documentation comments have been added / updated. - [x] Code has been formatted via `zk fmt` and `zk lint`. Signed-off-by: Harald Hoyer <[email protected]>
matter-labs · Jul 10, 2024 · e0975db · e0975db
1 parent f4410e3
commit e0975db
Show file tree

Hide file tree

Showing 8 changed files with 899 additions and 218 deletions.
diff --git a/core/bin/zksync_tee_prover/Cargo.toml b/core/bin/zksync_tee_prover/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "zksync_tee_prover"
-version.workspace = true
+version = "0.1.0"
 edition.workspace = true
 authors.workspace = true
 homepage.workspace = true

diff --git a/etc/nix/README.md b/etc/nix/README.md
@@ -0,0 +1,86 @@
+# Declarative and Reproducible builds with Nix
+
+This directory contains the nix build recipes for various components of this project. Most importantly it is used to
+reproducible build `zksync_tee_prover` reproducibly and create a container containing all what is needed to run it on an
+SGX machine.
+
+## Prerequisites
+
+Install [nix](https://zero-to-nix.com/start/install).
+
+In `~/.config/nix/nix.conf`
+
+```ini
+experimental-features = nix-command flakes
+sandbox = true
+```
+
+or on nixos in `/etc/nixos/configuration.nix` add the following lines:
+
+```nix
+{
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+      sandbox = true
+    '';
+  };
+}
+```
+
+## Build
+
+Build various components of this project with `nix`.
+
+### Build as the CI would
+
+```shell
+nix run github:nixos/nixpkgs/nixos-23.11#nixci
+```
+
+### Build individual parts
+
+```shell
+nix build .#zksync_server
+```
+
+or
+
+```shell
+nix build .#zksync_server.contract_verifier
+nix build .#zksync_server.external_node
+nix build .#zksync_server.server
+nix build .#zksync_server.snapshots_creator
+nix build .#zksync_server.block_reverter
+```
+
+or
+
+```shell
+nix build .#tee_prover
+nix build .#container-tee_prover-dcap
+nix build .#container-tee_prover-azure
+```
+
+## Develop
+
+`nix` can provide the build environment for this project.
+
+```shell
+nix develop
+```
+
+optionally create `.envrc` for `direnv` to automatically load the environment when entering the main directory:
+
+```shell
+$ cat <<EOF > .envrc
+use flake .#
+EOF
+$ direnv allow
+```
+
+### Format for commit
+
+```shell
+nix run .#fmt
+```
diff --git a/etc/nix/container-tee-prover.nix b/etc/nix/container-tee-prover.nix
@@ -0,0 +1,48 @@
+{ pkgs
+, nixsgxLib
+, teepot
+, tee_prover
+, container-name
+, isAzure ? true
+, tag ? null
+}:
+let
+  name = container-name;
+  entrypoint = "${teepot.teepot.tee_key_preexec}/bin/tee-key-preexec";
+in
+nixsgxLib.mkSGXContainer {
+  inherit name;
+  inherit tag;
+
+  packages = [ teepot.teepot.tee_key_preexec tee_prover ];
+  inherit entrypoint;
+  inherit isAzure;
+
+  manifest = {
+    loader = {
+      argv = [
+        entrypoint
+        "${tee_prover}/bin/zksync_tee_prover"
+      ];
+
+      log_level = "error";
+
+      env = {
+        TEE_API_URL.passthrough = true;
+        API_PROMETHEUS_LISTENER_PORT.passthrough = true;
+        API_PROMETHEUS_PUSHGATEWAY_URL.passthrough = true;
+        API_PROMETHEUS_PUSH_INTERVAL_MS.passthrough = true;
+
+        ### DEBUG ###
+        RUST_BACKTRACE = "1";
+        RUST_LOG = "warning,zksync_tee_prover=debug";
+      };
+    };
+
+    sgx = {
+      edmm_enable = false;
+      enclave_size = "32G";
+      max_threads = 128;
+    };
+  };
+}
diff --git a/etc/nix/devshell.nix b/etc/nix/devshell.nix
@@ -0,0 +1,37 @@
+{ pkgs
+, zksync_server
+, commonArgs
+}:
+pkgs.mkShell {
+  inputsFrom = [ zksync_server ];
+
+  packages = with pkgs; [
+    docker-compose
+    nodejs
+    yarn
+    axel
+    postgresql
+    python3
+    solc
+    sqlx-cli
+  ];
+
+  inherit (commonArgs) env hardeningEnable;
+
+  shellHook = ''
+    export ZKSYNC_HOME=$PWD
+    export PATH=$ZKSYNC_HOME/bin:$PATH
+
+    if [ "x$NIX_LD" = "x" ]; then
+      export NIX_LD=$(<${pkgs.clangStdenv.cc}/nix-support/dynamic-linker)
+    fi
+    if [ "x$NIX_LD_LIBRARY_PATH" = "x" ]; then
+      export NIX_LD_LIBRARY_PATH="$ZK_NIX_LD_LIBRARY_PATH"
+    else
+      export NIX_LD_LIBRARY_PATH="$NIX_LD_LIBRARY_PATH:$ZK_NIX_LD_LIBRARY_PATH"
+    fi
+  '';
+
+  ZK_NIX_LD_LIBRARY_PATH = pkgs.lib.makeLibraryPath [ ];
+}
+
diff --git a/etc/nix/tee-prover.nix b/etc/nix/tee-prover.nix
@@ -0,0 +1,11 @@
+{ cargoArtifacts
+, craneLib
+, versionSuffix
+, commonArgs
+}:
+craneLib.buildPackage (commonArgs // {
+  pname = "zksync_tee_prover";
+  version = (builtins.fromTOML (builtins.readFile ../../core/bin/zksync_tee_prover/Cargo.toml)).package.version + versionSuffix;
+  cargoExtraArgs = "-p zksync_tee_prover --bin zksync_tee_prover";
+  inherit cargoArtifacts;
+})
diff --git a/etc/nix/zksync-server.nix b/etc/nix/zksync-server.nix
@@ -0,0 +1,41 @@
+{ cargoArtifacts
+, craneLib
+, versionSuffix
+, commonArgs
+}:
+craneLib.buildPackage (commonArgs // {
+  pname = "zksync";
+  version = (builtins.fromTOML (builtins.readFile ../../core/bin/zksync_tee_prover/Cargo.toml)).package.version + versionSuffix;
+  cargoExtraArgs = "--all";
+  inherit cargoArtifacts;
+
+  outputs = [
+    "out"
+    "contract_verifier"
+    "external_node"
+    "server"
+    "snapshots_creator"
+    "block_reverter"
+  ];
+
+  postInstall = ''
+    mkdir -p $out/nix-support
+    for i in $outputs; do
+      [[ $i == "out" ]] && continue
+      mkdir -p "''${!i}/bin"
+      echo "''${!i}" >> $out/nix-support/propagated-user-env-packages
+      if [[ -e "$out/bin/zksync_$i" ]]; then
+        mv "$out/bin/zksync_$i" "''${!i}/bin"
+      else
+        mv "$out/bin/$i" "''${!i}/bin"
+      fi
+    done
+
+    mkdir -p $external_node/nix-support
+    echo "block_reverter" >> $external_node/nix-support/propagated-user-env-packages
+
+    mv $out/bin/merkle_tree_consistency_checker $server/bin
+    mkdir -p $server/nix-support
+    echo "block_reverter" >> $server/nix-support/propagated-user-env-packages
+  '';
+})