@naijauser naijauser commented Nov 21, 2025

Closes #8117

Description

Checks that env vars have been cleared on polkadot node startup.

Checklist

  • My PR includes a detailed description as outlined in the "Description" and its two subsections above.
  • My PR follows the labeling requirements of this project (at minimum one label for T required)


cla-bot-2021 bot commented Nov 21, 2025

User @naijauser, please sign the CLA here.

@naijauser
Author

/cmd label T8-polkadot

@naijauser
Author

Hi @bkchr, please take a look.

@github-actions
Contributor

Command "label T8-polkadot" has failed ❌! See logs here

Member

@bkchr bkchr left a comment

Not really fixing the issue right now.

Comment on lines +100 to +102
/// Verify validator on start. Checks that env vars were cleared on node startup.
#[arg(long, requires = "validator")]
pub verify_on_start: bool,
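
Review bot: the doc comment on `verify_on_start` opens with "Verify validator on start" but only describes an environment-variable check, and it does not say what the node does when the check fails. Because the field is a plain `bool` behind `#[arg(long, requires = "validator")]`, the check only runs when the operator passes the flag; consider documenting the failure behaviour and stating explicitly that the check is opt-in.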
Member

This is not what the issue is about.

Comment on lines +103 to +121
if verify_on_start {
let worker_version = polkadot_node_core_pvf::get_worker_version(&prep_worker_path)?;
let mut worker_dir = prep_worker_path.clone();
let _ = worker_dir.pop();

let worker_info = WorkerInfo {
pid: std::process::id(),
kind: WorkerKind::Prepare,
version: Some(worker_version),
worker_dir_path: worker_dir,
};

if !security::check_env_vars_were_cleared(&worker_info) {
let err = "Not all env vars were cleared when spawning the process.";
log::warn!("{}", err);

worker_shutdown(worker_info, err);
}
}
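
Review bot: `WorkerInfo` is filled with `pid: std::process::id()`, the PID of the process executing this block, and `security::check_env_vars_were_cleared(&worker_info)` is called directly here, so the check runs in the calling process while the binary at `prep_worker_path` is only asked for its version. As written it cannot show what environment a spawned worker would see, and only the prepare worker path appears at all. Consider having the worker binary perform the check itself and acting on its exit status. Separately, `let _ = worker_dir.pop();` discards the return value, so a path without a parent component goes unnoticed.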
Member

The issue is about calling into the worker and doing all the extra checks there, ensuring that the worker will work when being executed later on.

Author

Hello @bkchr, thanks for checking this out. I don't quite understand what you mean by calling into the worker to do all the checks there.

Could you clarify that bit?

Author

I think I get it now. @bkchr

Do you mean something like...

let output = Command::new(path)
    .arg("--check-can-enable-landlock")
    .arg("--check-can-enable-seccomp")
    .arg("--check-can-unshare-user-namespace-and-change-root")
    .arg("--check-can-do-secure-clone")
    .stderr(Stdio::piped())
    .stdout(Stdio::piped())
    .output()
    .with_context(|| format!("Failed to spawn worker {:?}", path))?;

if !output.status.success() {
    worker_shutdown(worker_info, err);
}

We do this inside determine_workers_paths.

Development

Successfully merging this pull request may close these issues.

Polkadot: Verify the workers at startup
