Merge branch 'main' into build-version

hyperledger · Jun 21, 2024 · 392e346 · 392e346
2 parents 730201b + 8c04d0a
commit 392e346
Show file tree

Hide file tree

Showing 185 changed files with 7,626 additions and 2,842 deletions.
diff --git a/.github/ISSUE_TEMPLATE/release-checklist.md b/.github/ISSUE_TEMPLATE/release-checklist.md
@@ -0,0 +1,35 @@
+---
+name: Release Checklist
+about: items to be completed for each release
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+- [ ] Confirm anything outstanding for release with other maintainers on #besu-release in Discord
+  - [ ] Notify maintainers about updating changelog for in-flight PRs 
+  - [ ] Update changelog if necessary, and merge a PR for it to main
+- [ ] Optional: for hotfixes, create a release branch and cherry-pick, e.g. `release-<version>-hotfix`
+- [ ] Optional: create a PR into main from the hotfix branch to see the CI checks pass
+- [ ] On the appropriate branch/commit, create a calver tag for the release candidate, format example: `24.4.0-RC2`
+- [ ] Sign-off with team; confirm tag is correct in #besu-release in Discord
+- [ ] Consensys staff start burn-in using the proposed release <version-RCX> tag
+- [ ] Sign off burn-in; convey burn-in results in #besu-release in Discord
+- [ ] Using the same git sha, create a calver tag for the FULL RELEASE, example format `24.4.0`
+- [ ] Using the FULL RELEASE tag, create a release in github to trigger the workflows. Once published:
+    - makes the release "latest" in github
+    - this is now public and notifies subscribed users
+    - publishes artefacts and version-specific docker tags
+    - publishes the docker `latest` tag variants
+- [ ] Draft homebrew PR
+- [ ] Draft documentation release
+- [ ] Ensure binary SHAs are correct on the release page
+- [ ] Docker release startup test:
+    - `docker run hyperledger/besu:<version>`
+    - `docker run hyperledger/besu:<version>-arm64`
+    - `docker run --platform linux/amd64 hyperledger/besu:<version>-amd64`
+    - `docker run --pull=always hyperledger/besu:latest` (check version is <version>)
+- [ ] Merge homebrew PR
+- [ ] Publish Docs Release
+- [ ] Social announcements
diff --git a/.github/workflows/BesuContainerVerify.sh b/.github/workflows/BesuContainerVerify.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+##
+## Copyright contributors to Hyperledger Besu.
+##
+## Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+## an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+## specific language governing permissions and limitations under the License.
+##
+## SPDX-License-Identifier: Apache-2.0
+##
+
+CONTAINER_NAME=${CONTAINER_NAME:-besu}
+VERSION=${VERSION}
+TAG=${TAG}
+CHECK_LATEST=${CHECK_LATEST}
+RETRY=${RETRY:-10}
+SLEEP=${SLEEP:-5}
+
+# Helper function to throw error
+log_error() {
+  echo "::error $1"
+  exit 1
+}
+
+# Check container is in running state
+_RUN_STATE=$(docker inspect --type=container -f={{.State.Status}} ${CONTAINER_NAME})
+if [[ "${_RUN_STATE}" != "running" ]]
+then
+  log_error "container is not running"
+fi
+
+# Check for specific log message in container logs to verify besu started
+_SUCCESS=false
+while [[ ${_SUCCESS} != "true" && $RETRY -gt 0 ]]
+do
+  docker logs ${CONTAINER_NAME} | grep -q "Ethereum main loop is up" && {
+    _SUCCESS=true
+    continue
+  }
+  echo "Waiting for the besu to start. Remaining retries $RETRY ..."
+  RETRY=$(expr $RETRY - 1)
+  sleep $SLEEP
+done
+
+# Log entry does not present after all retries, fail the script with a message
+if [[ ${_SUCCESS} != "true" ]]
+then
+  docker logs --tail=100 ${CONTAINER_NAME}
+  log_error "could not find the log message 'Ethereum main loop is up'"
+else
+  echo "Besu container started and entered main loop"
+fi
+
+# For the latest tag check the version match
+if [[ ${TAG} == "latest" && ${CHECK_LATEST} == "true" ]]
+then
+  _VERSION_IN_LOG=$(docker logs ${CONTAINER_NAME} | grep "#" | grep "Besu version" | cut -d " " -f 4 | sed 's/\s//g')
+  echo "Extracted version from logs [$_VERSION_IN_LOG]"
+  if [[ "$_VERSION_IN_LOG" != "${VERSION}" ]]
+  then
+    log_error "version [$_VERSION_IN_LOG] extracted from container logs does not match the expected version [${VERSION}]"
+  else
+    echo "Latest Besu container version matches"
+  fi
+fi
diff --git a/.github/workflows/container-security-scan.yml b/.github/workflows/container-security-scan.yml
@@ -0,0 +1,47 @@
+name: container security scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Container image tag'
+        required: false
+        default: 'develop'      
+  schedule:
+    # Start of the hour is the busy time. Scheule it to run 8:17am UTC
+    - cron:  '17 8 * * *'
+
+jobs:
+  scan-sarif:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      # Shell parameter expansion does not support directly on a step
+      # Adding a separate step to set the image tag. This allows running
+      # this workflow with a schedule as well as manual
+      - name: Set image tag
+        id: tag
+        run: |
+          echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT"
+        env:
+          INPUT_TAG: ${{ inputs.tag }} 
+
+      - name: Vulnerability scanner
+        id: trivy
+        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d
+        with:
+          image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }}
+          format: sarif
+          output: 'trivy-results.sarif'
+
+      # Check the vulnerabilities via GitHub security tab
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/container-verify.yml b/.github/workflows/container-verify.yml
@@ -0,0 +1,57 @@
+name: container verify
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Besu version'
+        required: true
+      verify-latest-version:
+        description: 'Check latest container version'
+        required: false
+        type: choice
+        default: "true"
+        options:
+          - "true"
+          - "false"
+
+jobs:
+  verify:
+    timeout-minutes: 4
+    strategy:
+      matrix:
+        combination:
+          - tag: ${{ inputs.version }}
+            platform: ''
+            runner: ubuntu-latest
+          - tag: ${{ inputs.version }}-amd64
+            platform: 'linux/amd64'
+            runner: ubuntu-latest
+          - tag: latest
+            platform: ''
+            runner: ubuntu-latest
+          - tag: ${{ inputs.version }}-arm64
+            platform: ''
+            runner: besu-arm64
+    runs-on: ${{ matrix.combination.runner }}
+    env:
+      CONTAINER_NAME: besu-check
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Start container
+        run: |
+          PLATFORM_OPT=""
+          [[ x${{ matrix.combination.platform }} != 'x' ]] && PLATFORM_OPT="--platform ${{ matrix.combination.platform }}"
+          docker run -d $PLATFORM_OPT --name ${{ env.CONTAINER_NAME }} hyperledger/besu:${{ matrix.combination.tag }}
+
+      - name: Verify besu container
+        run: bash .github/workflows/BesuContainerVerify.sh
+        env:
+          TAG: ${{ matrix.combination.tag }}
+          VERSION: ${{ inputs.version }}
+          CHECK_LATEST: ${{ inputs.verify-latest-version }}
+
+      - name: Stop container
+        run: docker stop ${{ env.CONTAINER_NAME }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -79,7 +79,7 @@ jobs:
 
   publish:
     runs-on: ubuntu-22.04
-    needs: [testWindows]
+    needs: [testWindows, artifacts]
     permissions:
       contents: write
     steps:
@@ -265,3 +265,17 @@ jobs:
         run: ./gradlew "-Prelease.releaseVersion=${{ github.event.release.name }}" "-PdockerOrgName=${{ env.registry }}/${{ secrets.DOCKER_ORG }}" dockerUploadRelease
       - name: Docker manifest
         run: ./gradlew "-Prelease.releaseVersion=${{ github.event.release.name }}" "-PdockerOrgName=${{ env.registry }}/${{ secrets.DOCKER_ORG }}" manifestDockerRelease
+
+  verifyContainer:
+    needs: dockerPromoteX64
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      actions: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - name: Trigger container verify
+        run: echo '{"version":"${{ github.event.release.name }}","verify-latest-version":"true"}' | gh workflow run container-verify.yml --json
+        env:
+          GH_TOKEN: ${{ github.token }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,24 @@
 # Changelog
 
+## Next Release
+
+### Breaking Changes
+- `Xp2p-peer-lower-bound` has been removed. [#7247](https://github.com/hyperledger/besu/pull/7247)
+
+### Additions and Improvements
+- Support for eth_maxPriorityFeePerGas [#5658](https://github.com/hyperledger/besu/issues/5658)
+- Improve genesis state performance at startup [#6977](https://github.com/hyperledger/besu/pull/6977)
+- Enable continuous profiling with default setting [#7006](https://github.com/hyperledger/besu/pull/7006)
+- A full and up to date implementation of EOF for Prague [#7169](https://github.com/hyperledger/besu/pull/7169)
+- Add Subnet-Based Peer Permissions.  [#7168](https://github.com/hyperledger/besu/pull/7168)
+- Reduce lock contention on transaction pool when building a block [#7180](https://github.com/hyperledger/besu/pull/7180)
+
+### Bug fixes
+- Validation errors ignored in accounts-allowlist and empty list [#7138](https://github.com/hyperledger/besu/issues/7138)
+- Fix "Invalid block detected" for BFT chains using Bonsai DB [#7204](https://github.com/hyperledger/besu/pull/7204)
+- Fix "Could not confirm best peer had pivot block" [#7109](https://github.com/hyperledger/besu/issues/7109)
+- Fix "Chain Download Halt" [#6884](https://github.com/hyperledger/besu/issues/6884)
+
 ## 24.6.0
 
 ### Breaking Changes
@@ -13,22 +32,23 @@
 - PKI-backed QBFT will be removed in a future version of Besu. Other forms of QBFT will remain unchanged.
 - --Xbonsai-limit-trie-logs-enabled is deprecated, use --bonsai-limit-trie-logs-enabled instead
 - --Xbonsai-trie-logs-pruning-window-size is deprecated, use --bonsai-trie-logs-pruning-window-size instead
-- Receipt compaction will be enabled by default in a future version of Besu. After this change it will not be possible to downgrade to the previous Besu version.
 
 ### Additions and Improvements
 - Add two counters to DefaultBlockchain in order to be able to calculate TPS and Mgas/s [#7105](https://github.com/hyperledger/besu/pull/7105)
-- Improve genesis state performance at startup [#6977](https://github.com/hyperledger/besu/pull/6977)
 - Enable --Xbonsai-limit-trie-logs-enabled by default, unless sync-mode=FULL [#7181](https://github.com/hyperledger/besu/pull/7181)
 - Promote experimental --Xbonsai-limit-trie-logs-enabled to production-ready, --bonsai-limit-trie-logs-enabled [#7192](https://github.com/hyperledger/besu/pull/7192)
 - Promote experimental --Xbonsai-trie-logs-pruning-window-size to production-ready, --bonsai-trie-logs-pruning-window-size [#7192](https://github.com/hyperledger/besu/pull/7192)
 - `admin_nodeInfo` JSON/RPC call returns the currently active EVM version [#7127](https://github.com/hyperledger/besu/pull/7127)
 - Improve the selection of the most profitable built block [#7174](https://github.com/hyperledger/besu/pull/7174)
-- Support for eth_maxPriorityFeePerGas [#5658](https://github.com/hyperledger/besu/issues/5658)
-- Enable continuous profiling with default setting [#7006](https://github.com/hyperledger/besu/pull/7006)
 
 ### Bug fixes
 - Make `eth_gasPrice` aware of the base fee market [#7102](https://github.com/hyperledger/besu/pull/7102)
-- Validation errors ignored in accounts-allowlist and empty list [#7138](https://github.com/hyperledger/besu/issues/7138)
+
+### Download Links
+https://github.com/hyperledger/besu/releases/tag/24.6.0
+https://github.com/hyperledger/besu/releases/download/24.6.0/besu-24.6.0.tar.gz / sha256 fa86e5c6873718cd568e3326151ce06957a5e7546b52df79a831ea9e39b857ab
+https://github.com/hyperledger/besu/releases/download/24.6.0/besu-24.6.0.zip / sha256 8b2d3a674cd7ead68b9ca68fea21e46d5ec9b278bbadc73f8c13c6a1e1bc0e4d
+
 ## 24.5.2
 
 ### Upcoming Breaking Changes

diff --git a/...tests/acceptance/permissioning/NodeSmartContractPermissioningOutOfSyncAcceptanceTest.java b/...tests/acceptance/permissioning/NodeSmartContractPermissioningOutOfSyncAcceptanceTest.java
@@ -17,6 +17,7 @@
 import org.hyperledger.besu.tests.acceptance.dsl.node.Node;
 
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 public class NodeSmartContractPermissioningOutOfSyncAcceptanceTest
@@ -42,6 +43,7 @@ public void setUp() throws InterruptedException {
   }
 
   @Test
+  @Disabled("test is flaky #7108")
   public void addNodeToClusterAndVerifyNonBootNodePeerConnectionWorksAfterSync() {
     final long blockchainHeight = 25L;
     waitForBlockHeight(permissionedNodeA, blockchainHeight);

diff --git a/...ts/acceptance/permissioning/NodesSmartContractPermissioningStaticNodesAcceptanceTest.java b/...ts/acceptance/permissioning/NodesSmartContractPermissioningStaticNodesAcceptanceTest.java
@@ -25,8 +25,10 @@
 import javax.annotation.Nonnull;
 
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
+@Disabled("flaky test #7155")
 public class NodesSmartContractPermissioningStaticNodesAcceptanceTest
     extends NodeSmartContractPermissioningAcceptanceTestBase {
 

diff --git a/besu/build.gradle b/besu/build.gradle
@@ -80,6 +80,7 @@ dependencies {
   implementation 'org.xerial.snappy:snappy-java'
   implementation 'tech.pegasys:jc-kzg-4844'
   implementation 'org.rocksdb:rocksdbjni'
+  implementation 'commons-net:commons-net'
 
   runtimeOnly 'org.apache.logging.log4j:log4j-jul'
   runtimeOnly 'com.splunk.logging:splunk-library-javalogging'

diff --git a/besu/src/main/java/org/hyperledger/besu/RunnerBuilder.java b/besu/src/main/java/org/hyperledger/besu/RunnerBuilder.java
@@ -88,6 +88,7 @@
 import org.hyperledger.besu.ethereum.p2p.network.ProtocolManager;
 import org.hyperledger.besu.ethereum.p2p.peers.DefaultPeer;
 import org.hyperledger.besu.ethereum.p2p.peers.EnodeDnsConfiguration;
+import org.hyperledger.besu.ethereum.p2p.permissions.PeerPermissionSubnet;
 import org.hyperledger.besu.ethereum.p2p.permissions.PeerPermissions;
 import org.hyperledger.besu.ethereum.p2p.permissions.PeerPermissionsDenylist;
 import org.hyperledger.besu.ethereum.p2p.rlpx.connections.netty.TLSConfiguration;
@@ -146,6 +147,7 @@
 import graphql.GraphQL;
 import io.vertx.core.Vertx;
 import io.vertx.core.VertxOptions;
+import org.apache.commons.net.util.SubnetUtils.SubnetInfo;
 import org.apache.tuweni.bytes.Bytes;
 import org.apache.tuweni.units.bigints.UInt256;
 import org.slf4j.Logger;
@@ -192,6 +194,7 @@ public class RunnerBuilder {
   private JsonRpcIpcConfiguration jsonRpcIpcConfiguration;
   private boolean legacyForkIdEnabled;
   private Optional<EnodeDnsConfiguration> enodeDnsConfiguration;
+  private List<SubnetInfo> allowedSubnets = new ArrayList<>();
 
   /** Instantiates a new Runner builder. */
   public RunnerBuilder() {}
@@ -589,6 +592,17 @@ public RunnerBuilder enodeDnsConfiguration(final EnodeDnsConfiguration enodeDnsC
     return this;
   }
 
+  /**
+   * Add subnet configuration
+   *
+   * @param allowedSubnets the allowedSubnets
+   * @return the runner builder
+   */
+  public RunnerBuilder allowedSubnets(final List<SubnetInfo> allowedSubnets) {
+    this.allowedSubnets = allowedSubnets;
+    return this;
+  }
+
   /**
    * Build Runner instance.
    *
@@ -648,6 +662,10 @@ public Runner build() {
     final PeerPermissionsDenylist bannedNodes = PeerPermissionsDenylist.create();
     bannedNodeIds.forEach(bannedNodes::add);
 
+    PeerPermissionSubnet peerPermissionSubnet = new PeerPermissionSubnet(allowedSubnets);
+    final PeerPermissions defaultPeerPermissions =
+        PeerPermissions.combine(peerPermissionSubnet, bannedNodes);
+
     final List<EnodeURL> bootnodes = discoveryConfiguration.getBootnodes();
 
     final Synchronizer synchronizer = besuController.getSynchronizer();
@@ -667,8 +685,8 @@ public Runner build() {
     final PeerPermissions peerPermissions =
         nodePermissioningController
             .map(nodePC -> new PeerPermissionsAdapter(nodePC, bootnodes, context.getBlockchain()))
-            .map(nodePerms -> PeerPermissions.combine(nodePerms, bannedNodes))
-            .orElse(bannedNodes);
+            .map(nodePerms -> PeerPermissions.combine(nodePerms, defaultPeerPermissions))
+            .orElse(defaultPeerPermissions);
 
     LOG.info("Detecting NAT service.");
     final boolean fallbackEnabled = natMethod == NatMethod.AUTO || natMethodFallbackEnabled;