Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: module allowlist #166

Closed
wants to merge 16 commits into from
Closed

feat: module allowlist #166

wants to merge 16 commits into from

Conversation

noryev
Copy link
Contributor

@noryev noryev commented Jun 17, 2024
edited
Loading

Review Type Requested (choose one):

  • Logic - thorough check (from everybody doing review)

Summary

Limit the containers that can be executed on the jobcreator. Updates consist of a module allowlist fetch and allowlist check before deal agreement.

Task/Issue reference

Closes: #63

Details

Location of Module Allowlist: https://github.com/Lilypad-Tech/module-allowlist/blob/main/allowlist.txt

Implemented into the jobcreator/controller.go due to controller managing job offers and doing the interaction with the solver on deal agreements. This includes the allowlist fetch using a simple http fetch to the lilypad-tech Github as well as the allowlist check function before a deal is agreed on.

How to test this code? (optional)

I am still having issues with my lilypad on-chain jobs in my local dev environment- please test as well!

Anything else? (optional)

I did a alias to the http package as to not step on the "github.com/lilypad-tech/lilypad/pkg/http" package

@noryev noryev mentioned this pull request Jun 17, 2024
Closed
1 task
@noryev noryev self-assigned this Jun 17, 2024
@richardbremner
Copy link
Contributor

richardbremner commented Jun 18, 2024
edited
Loading

So we are checking this https://raw.githubusercontent.com/lilypad-tech/module-allowlist/main/allowlist.txt list every 5 seconds?

Maybe I misunderstood, but that seems odd to me, I assume there's something I don't understand?

@noryev
Copy link
Contributor Author

noryev commented Jun 18, 2024

@richardbremner The code initializes a one-time fetch of the module allowlist when the controller starts and then sets up a periodic update via a time.Ticker that triggers once every hour

AquiGorka
AquiGorka reviewed Jun 24, 2024
View reviewed changes
pkg/http/utils.go Outdated Show resolved Hide resolved
AquiGorka
AquiGorka reviewed Jun 24, 2024
View reviewed changes
pkg/http/utils.go Outdated Show resolved Hide resolved
AquiGorka
AquiGorka reviewed Jun 24, 2024
View reviewed changes
pkg/http/utils.go Outdated Show resolved Hide resolved
@noryev noryev changed the title Noryev/feat module allowlist Noryev:feat module allowlist Jun 26, 2024
@noryev noryev changed the title Noryev:feat module allowlist Feat: module allowlist Jul 1, 2024
@noryev noryev changed the title Feat: module allowlist feat: module allowlist Jul 1, 2024
10d9e
10d9e approved these changes Jul 5, 2024
View reviewed changes
Copy link

@10d9e 10d9e left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

AquiGorka
AquiGorka reviewed Jul 12, 2024
View reviewed changes
LOCAL_DEVELOPMENT.md
@@ -79,3 +79,5 @@ There are two commands that can be used to run existing tests: `./stack unit-tes
## Notes on tooling

Things should work right out-of-the-box, no extra configuration should be needed as Doppler provides the environment variables that are required with the current setup.

ß
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems off, let's remove this.

AquiGorka
AquiGorka reviewed Jul 12, 2024
View reviewed changes
pkg/data/types.go
@@ -140,7 +145,8 @@ type ResourceOffer struct {
Spec MachineSpec `json:"spec"`
// the module ID's that this resource provider can run
// an empty list means ALL modules
Modules []string `json:"modules"`
Modules []EnabledModules `json:"modules"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you rename this to EnabledModules? Modules feels too generic and the intention may get lost in other places where this is used.

AquiGorka
AquiGorka reviewed Jul 12, 2024
View reviewed changes
pkg/jobcreator/controller.go
@@ -141,6 +148,7 @@ func (controller *JobCreatorController) subscribeToWeb3() error {
controller.web3Events.Storage.SubscribeDealStateChange(func(ev storage.StorageDealStateChange) {
deal, err := controller.solverClient.GetDeal(ev.DealId)
if err != nil {
err = fmt.Errorf("module allowlist error: %s", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks off, if that's the error then it should bubble up from where it happened no? The way this code reads it says any error during the GetDeal process is a module allowlist err

AquiGorka
AquiGorka reviewed Jul 12, 2024
View reviewed changes
pkg/resourceprovider/resourceprovider.go
Offers ResourceProviderOfferOptions
Web3 web3.Web3Options
Pow ResourceProviderPowOptions
Allowlist ResourceProviderAllowlistOptions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, let's deprecate allowList and bring forth enabledModules

AquiGorka
AquiGorka reviewed Jul 12, 2024
View reviewed changes
pkg/solver/matcher.go
}

// strip out https- keep the org and module in place
// https://lilypad.tech/cowsay -> lilypad.tech/cowsay
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is more like https://github.com/Lilypad-Tech/lilypad-module-cowsay -> lilypad-tech/lilypad-module-cowsay (take notice how they are all lower case)

AquiGorka
AquiGorka reviewed Jul 12, 2024
View reviewed changes
pkg/solver/matcher.go
return moduleID == allowlistModuleID
}

func versionMatch(version, allowlistVersion string) bool {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

an we get unit tests for different pattern matching? Here's two references that we can rely on:

AquiGorka
AquiGorka reviewed Jul 12, 2024
View reviewed changes
pkg/solver/matcher.go
if resourceOffer.Spec.CPU < jobOffer.Spec.CPU {
) bool */
func doOffersMatch(resourceOffer data.ResourceOffer, jobOffer data.JobOffer, allowlist []AllowlistItem, allowlistEnabled bool) bool {
if !allowlistEnabled {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean: "if the allow list feature is not enabled" then all offers match?

@AquiGorka
Copy link
Contributor

Hey @noryev it looks like these changes still include comments on TODOs, can you double check you've pushed all the changes and let us know?

@noryev noryev closed this Aug 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AquiGorka AquiGorka AquiGorka left review comments

@10d9e 10d9e 10d9e approved these changes

@walkah walkah Awaiting requested review from walkah

@arsen3d arsen3d Awaiting requested review from arsen3d

@richardbremner richardbremner Awaiting requested review from richardbremner

@bgins bgins Awaiting requested review from bgins

@taoshengshi taoshengshi Awaiting requested review from taoshengshi

Assignees

@noryev noryev

Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[core] Limit containers that can be executed
4 participants
@noryev @richardbremner @AquiGorka @10d9e