Adapt docker to antithesis

saratomaz · saratomaz · commit 7f992ede62c3 · 2026-04-09T11:03:48.000+01:00
diff --git a/.github/regression.sh b/.github/regression.sh
@@ -115,16 +115,25 @@ case "${CARDANO_CLI_REV:-}" in
 esac
 
 # setup cardano-node binaries
-case "${NODE_REV:-}" in
-  "" | "none" )
-    NODE_REV=master
-    ;;
-esac
-# shellcheck disable=SC1091
-. .github/source_cardano_node.sh
-cardano_bins_build_all "$NODE_REV" "${CARDANO_CLI_REV:-}"
-PATH_PREPEND="$(cardano_bins_print_path_prepend "${CARDANO_CLI_REV:-}")${PATH_PREPEND}"
-export PATH_PREPEND
+if [ -n "${CARDANO_PREBUILT_DIR:-}" ]; then
+  # Pre-built binaries were baked into the image (e.g. for Antithesis).
+  # Skip all nix builds and point PATH_PREPEND at the pre-built directories.
+  _d="${CARDANO_PREBUILT_DIR}"
+  PATH_PREPEND="${_d}/cardano-node/bin:${_d}/cardano-submit-api/bin:${_d}/cardano-cli/bin:${_d}/bech32/bin:${PATH_PREPEND}"
+  export PATH_PREPEND
+  unset _d
+else
+  case "${NODE_REV:-}" in
+    "" | "none" )
+      NODE_REV=master
+      ;;
+  esac
+  # shellcheck disable=SC1091
+  . .github/source_cardano_node.sh
+  cardano_bins_build_all "$NODE_REV" "${CARDANO_CLI_REV:-}"
+  PATH_PREPEND="$(cardano_bins_print_path_prepend "${CARDANO_CLI_REV:-}")${PATH_PREPEND}"
+  export PATH_PREPEND
+fi
 
 # optimize nix store if running in GitHub Actions
 if [ -n "${GITHUB_ACTIONS:-}" ]; then
@@ -254,7 +263,14 @@ nix develop --accept-flake-config .#testenv --command bash -c '
 
   echo "::group::Python venv setup"
   printf "start: %(%H:%M:%S)T\n" -1
-  . .github/setup_venv.sh clean
+  # When _VENV_DIR points to a pre-built venv (e.g. baked into the image for
+  # Antithesis), skip the `clean` flag so the existing venv is reused as-is
+  # without re-downloading packages.
+  if [ -n "${_VENV_DIR:-}" ] && [ -e "${_VENV_DIR}" ]; then
+    . .github/setup_venv.sh
+  else
+    . .github/setup_venv.sh clean
+  fi
   echo "::endgroup::"  # end group for "Python venv setup"
 
   echo "::group::🧪 Testrun"
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,23 +1,75 @@
-# Dockerfile for cardano-node-tests (Antithesis/Moog driver image)
+# Dockerfile for cardano-node-tests (Antithesis-compatible driver image)
 #
-# Minimal image: nix is configured and the repo is copied in.
-# All heavy setup (cardano binaries, Python venv) happens at runtime
-# via regression.sh, which manages its own nix environment through its shebang.
+# All heavy dependencies are baked in at image build time so the container
+# runs without any network access (required by Antithesis environments).
 #
-# Build and push to GHCR before submitting to Moog:
-#   docker build -f docker/Dockerfile -t ghcr.io/intersectmbo/cardano-node-tests-antithesis:latest .
+# Build args:
+#   GIT_REVISION  — git commit hash stored as $GIT_REVISION in the image
+#   NODE_REV      — cardano-node git ref to pre-build (default: master)
+#
+# Build and push to GHCR before submitting to Antithesis:
+#   docker build -f docker/Dockerfile \
+#     --build-arg GIT_REVISION=$(git rev-parse HEAD) \
+#     --build-arg NODE_REV=master \
+#     -t ghcr.io/intersectmbo/cardano-node-tests-antithesis:latest .
 #   docker push ghcr.io/intersectmbo/cardano-node-tests-antithesis:latest
 
 FROM nixos/nix:2.25.5
 
 ARG GIT_REVISION
+ARG NODE_REV=master
+
 ENV GIT_REVISION=${GIT_REVISION}
+# Store the baked-in node revision for reference at runtime.
+ENV BAKED_NODE_REV=${NODE_REV}
 
+# Configure Nix with IOG binary cache and required experimental features.
 RUN mkdir -p /etc/nix && \
-    echo "extra-substituters = https://cache.iog.io" >> /etc/nix/nix.conf && \
-    echo "extra-trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" >> /etc/nix/nix.conf && \
-    echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf && \
-    echo "accept-flake-config = true" >> /etc/nix/nix.conf
+    printf 'extra-substituters = https://cache.iog.io\n\
+extra-trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=\n\
+experimental-features = nix-command flakes\n\
+accept-flake-config = true\n' >> /etc/nix/nix.conf
 
 WORKDIR /work
 COPY . /work/
+
+# Pre-build cardano-node, cardano-submit-api, cardano-cli, and bech32 into /opt/cardano/.
+# NODE_REV is fixed at image build time — no network access is needed at runtime.
+RUN mkdir -p /opt/cardano && \
+    nix build \
+      --accept-flake-config --no-write-lock-file \
+      "github://github.com/IntersectMBO/cardano-node?ref=${NODE_REV}#cardano-node" \
+      -o /opt/cardano/cardano-node && \
+    nix build \
+      --accept-flake-config --no-write-lock-file \
+      "github://github.com/IntersectMBO/cardano-node?ref=${NODE_REV}#cardano-submit-api" \
+      -o /opt/cardano/cardano-submit-api && \
+    nix build \
+      --accept-flake-config --no-write-lock-file \
+      "github://github.com/IntersectMBO/cardano-node?ref=${NODE_REV}#cardano-cli" \
+      -o /opt/cardano/cardano-cli && \
+    nix build \
+      --accept-flake-config --no-write-lock-file \
+      "github://github.com/IntersectMBO/cardano-node?ref=${NODE_REV}#bech32" \
+      -o /opt/cardano/bech32
+
+# Pre-warm the testenv dev shell (pulls nixpkgs, postgres, uv, python313 into the
+# nix store) and create the Python venv at /opt/tests-venv with all project
+# dependencies installed.  This is the same step regression.sh does at runtime
+# but done here so no pip/uv network calls are needed in the Antithesis env.
+RUN nix develop --accept-flake-config .#testenv --command \
+    bash -c 'python3 -m venv /opt/tests-venv --prompt tests-venv && \
+             . /opt/tests-venv/bin/activate && \
+             cd /work && \
+             uv sync --active --no-dev'
+
+# Pre-warm the base dev shell (bash, coreutils, git, jq, …) so its store
+# paths are cached and the regression.sh shebang resolves offline.
+RUN nix develop --accept-flake-config .#base --command true
+
+# Create the Antithesis test driver directory and install the entry-point.
+# singleton_driver_* files are run once per test run by Antithesis.
+RUN mkdir -p /opt/antithesis/test/v1/quickstart && \
+    cp /work/docker/antithesis_run.sh \
+       /opt/antithesis/test/v1/quickstart/singleton_driver_regression.sh && \
+    chmod +x /opt/antithesis/test/v1/quickstart/singleton_driver_regression.sh
diff --git a/docker/Dockerfile.config b/docker/Dockerfile.config
@@ -0,0 +1,13 @@
+# Config image for Antithesis.
+#
+# Contains only the docker-compose.yaml that tells Antithesis how to run
+# the services.  Must be pushed to the Antithesis registry alongside the
+# driver image.
+#
+# Build:
+#   docker build -f docker/Dockerfile.config \
+#     -t us-central1-docker.pkg.dev/<tenant>/antithesis/config:latest .
+#   docker push us-central1-docker.pkg.dev/<tenant>/antithesis/config:latest
+
+FROM scratch
+COPY docker/docker-compose.yaml /docker-compose.yaml
diff --git a/docker/README.md b/docker/README.md
@@ -1,54 +1,81 @@
-# Docker setup for cardano-node-tests (Antithesis/Moog)
+# Docker setup for cardano-node-tests (Antithesis)
 
-This directory contains the driver image and compose file for submitting
-`cardano-node-tests` to Antithesis via the Moog platform.
+This directory contains the driver image and compose files for submitting
+`cardano-node-tests` to Antithesis.
 
 ## How it works
 
-- `Dockerfile` — minimal image: configures Nix and copies the repo into
-  `/work/`. No binaries are pre-built; `regression.sh` handles all setup at
-  runtime via its own Nix shebang. Requires `GIT_REVISION` build arg (the
-  current commit hash) so pytest can identify the revision without a `.git`
-  directory inside the image.
-- `docker-compose.yaml` — single `driver` service for Moog submission.
+Antithesis environments have **no internet access** at runtime, so all
+dependencies are baked into the image at build time:
+
+- `Dockerfile` — builds the driver image.  At build time it:
+  1. Pre-builds `cardano-node`, `cardano-submit-api`, `cardano-cli`, and
+     `bech32` from `NODE_REV` into `/opt/cardano/` via `nix build`.
+  2. Pre-warms the `testenv` dev shell and creates the Python venv at
+     `/opt/tests-venv/` with all project dependencies installed.
+  3. Pre-warms the `base` dev shell so the `regression.sh` shebang resolves
+     from the local nix store without network access.
+  4. Installs `antithesis_run.sh` as the Antithesis test driver at
+     `/opt/antithesis/test/v1/quickstart/singleton_driver_regression.sh`.
+
+- `antithesis_run.sh` — container entrypoint that:
+  1. Forces nix into offline mode (`offline = true`).
+  2. Exports `CARDANO_PREBUILT_DIR=/opt/cardano` and `_VENV_DIR=/opt/tests-venv`
+     so `regression.sh` skips all downloads and uses the pre-built artefacts.
+  3. Emits the Antithesis `setup_complete` lifecycle signal.
+  4. Hands off to `.github/regression.sh`.
+
+- `Dockerfile.config` — builds the Antithesis config image (`FROM scratch`)
+  containing only `docker-compose.yaml`.
+
+- `docker-compose.yaml` — single `driver` service.
 
 ## Workflow
 
-### 1. Build and push the image
+### 1. Build and push the driver image
 
 ```bash
 docker build -f docker/Dockerfile \
   --build-arg GIT_REVISION=$(git rev-parse HEAD) \
+  --build-arg NODE_REV=master \
   -t ghcr.io/intersectmbo/cardano-node-tests-antithesis:latest .
 
 docker push ghcr.io/intersectmbo/cardano-node-tests-antithesis:latest
 ```
 
-### 2. Validate the compose locally
+`NODE_REV` is locked at build time — the same binaries are used every run
+regardless of what is on the `master` branch when the container starts.
+
+### 2. Build and push the config image
+
+```bash
+docker build -f docker/Dockerfile.config \
+  -t us-central1-docker.pkg.dev/<tenant>/antithesis/config:latest .
+
+docker push us-central1-docker.pkg.dev/<tenant>/antithesis/config:latest
+```
+
+### 3. Validate locally (internet-connected build, isolated network at runtime)
 
 ```bash
 docker compose -f docker/docker-compose.yaml config
 docker compose -f docker/docker-compose.yaml up --build
 ```
 
-### 3. Submit to Moog
+To fully simulate the Antithesis no-internet constraint, run inside an
+isolated network namespace on Linux:
 
 ```bash
-moog requester create-test \
-  --platform github \
-  --username saratomaz \
-  --repository IntersectMBO/cardano-node-tests \
-  --directory ./docker \
-  --commit $(git rev-parse HEAD) \
-  --try 1 \
-  --duration 2
+unshare -n docker compose -f docker/docker-compose.yaml up
 ```
 
 ## Environment variables
 
+`NODE_REV` is baked into the image at build time and must **not** be set at
+runtime.  All other variables are passed through docker-compose as before.
+
 | Variable          | Default    | Description                              |
 |-------------------|------------|------------------------------------------|
-| `NODE_REV`        | `master`   | cardano-node git revision                |
 | `CARDANO_CLI_REV` | (built-in) | cardano-cli revision, empty = use node's |
 | `DBSYNC_REV`      | (disabled) | db-sync revision, empty = disabled       |
 | `RUN_TARGET`      | `tests`    | `tests`, `testpr`, or `testnets`         |
diff --git a/docker/antithesis_run.sh b/docker/antithesis_run.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+# Antithesis entrypoint for cardano-node-tests.
+#
+# Runs the full test suite without any network access by:
+#   1. Forcing nix into offline mode (all store paths were pre-built into
+#      the image by docker/Dockerfile).
+#   2. Pointing regression.sh at the pre-built cardano binaries and Python
+#      venv so it skips all download / build steps.
+#   3. Emitting the Antithesis `setup_complete` lifecycle signal before
+#      starting pytest.
+#
+# This file is installed at:
+#   /opt/antithesis/test/v1/quickstart/singleton_driver_regression.sh
+# and is also usable directly as the docker-compose `command`.
+
+set -Eeuo pipefail
+
+# ---------------------------------------------------------------------------
+# 1. Force nix offline — all required store paths were pre-built into the
+#    image.  This prevents nix from attempting any network calls at runtime,
+#    which would fail inside the Antithesis environment.
+# ---------------------------------------------------------------------------
+echo "offline = true" >> /etc/nix/nix.conf
+
+# ---------------------------------------------------------------------------
+# 2. Tell regression.sh to use the pre-built binaries and Python venv that
+#    were baked into the image at docker build time.
+# ---------------------------------------------------------------------------
+export CARDANO_PREBUILT_DIR=/opt/cardano
+export _VENV_DIR=/opt/tests-venv
+
+# ---------------------------------------------------------------------------
+# 3. Emit the Antithesis setup_complete signal.
+#    Written as JSONL to $ANTITHESIS_OUTPUT_DIR/sdk.jsonl.
+#    Antithesis begins fault injection / test orchestration after receiving
+#    this message.
+# ---------------------------------------------------------------------------
+_output_dir="${ANTITHESIS_OUTPUT_DIR:-/tmp/antithesis}"
+mkdir -p "$_output_dir"
+printf '{"antithesis_setup": {"status": "complete", "details": {"info": ["cardano-node-tests driver ready, node_rev=%s"]}}}\n' \
+    "${BAKED_NODE_REV:-unknown}" >> "$_output_dir/sdk.jsonl"
+unset _output_dir
+
+# ---------------------------------------------------------------------------
+# 4. Hand off to regression.sh.  The shebang in that script will invoke
+#    `nix develop .#base` which now resolves entirely from the local nix
+#    store (offline = true).
+# ---------------------------------------------------------------------------
+exec /work/.github/regression.sh
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
@@ -1,13 +1,15 @@
-# Docker Compose for Antithesis/Moog test submission.
+# Docker Compose for Antithesis test submission.
 #
-# Submit to Moog:
-#   moog requester create-test \
-#     --platform github --username <you> \
-#     --repository IntersectMBO/cardano-node-tests \
-#     --directory ./docker \
-#     --commit <hash> --try 1 --duration 2
+# The driver image must be pre-built with all cardano binaries and the Python
+# venv baked in (see docker/Dockerfile).  No internet access is available at
+# runtime inside the Antithesis environment.
 #
-# Validate locally before submitting:
+# Push images to the Antithesis registry before submitting:
+#   docker push us-central1-docker.pkg.dev/<tenant>/antithesis/cardano-node-tests:latest
+#   docker push us-central1-docker.pkg.dev/<tenant>/antithesis/config:latest
+#
+# Validate locally (requires internet — use an isolated netns to simulate
+# the Antithesis environment):
 #   docker compose -f docker/docker-compose.yaml config
 #   docker compose -f docker/docker-compose.yaml up --build
 
@@ -17,9 +19,11 @@ services:
     build:
       context: ..
       dockerfile: docker/Dockerfile
-    command: ["/work/.github/regression.sh"]
+    # antithesis_run.sh sets nix offline, exports pre-built paths, emits
+    # setup_complete, then hands off to regression.sh.
+    command: ["/work/docker/antithesis_run.sh"]
     environment:
-      - NODE_REV=${NODE_REV:-master}
+      # NODE_REV is baked into the image at build time; do not override here.
       - CARDANO_CLI_REV=${CARDANO_CLI_REV:-}
       - DBSYNC_REV=${DBSYNC_REV:-}
       - RUN_TARGET=${RUN_TARGET:-tests}
