OpenSats Work-Log 4

Friday, January 31, 2025

This is a copy of the 4th work-log I sent to OpenSats for my LTS grant.

Disclaimer: Some information that is not (or not yet) meant to be published may have been redacted.

What did you work on?

Publications

Bitcoin Core self-hosted CI

Inspired by discussions at the last Bitcoin CoreDev meeting in fall 2024, I started looking into a NixOS-based configuration for the Bitcoin Core self-hosted CI runners. At the time, I discovered that the self-hosted runners were running under a privileged user, which could easily stop, vandalize, or otherwise negatively affect the underlying machine. CI tasks weren’t isolated from the machine or from other tasks. Note that a CI runner is basically one of your servers where you give someone from the internet remote-code-execution access. Additionally, the CI token could easily be leaked, which allowed anyone to spawn new and potentially malicious CI runners for the Bitcoin Core project.

This made it worthwhile to spend a bit of time looking into a potential CI runner setup that is more secure, properly isolates CI tasks, and doesn’t leak the CI token. By choosing NixOS, the CI runners can be configured once as infrastructure-as-code and then easily and deterministically replicated across multiple hosts.

To isolate individual CI jobs from each other, I chose to run an ephemeral QEMU VM for each job. For this, the cirrus-ci runner used by Bitcoin Core needs to stop after it has completed a single job (ephemeral mode). I opened a PR for this, but sadly, there hasn’t been much review activity by the Cirrus-CI folks: https://github.com/cirruslabs/cirrus-cli/pull/813.
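To make the two runner-side requirements concrete (an unprivileged, sandboxed runner process and a CI token that is not leaked), here is an added NixOS module sketch. It is not the author’s published configuration and not part of this work-log; the package attribute `pkgs.cirrus-cli`, the `cirrus worker run --token … --name …` invocation, and the token path `/etc/cirrus/token` are assumptions to check against the cirrus-cli you actually deploy. The security point it shows is that the token is handed to the unit via systemd credentials, so it never lands in the unit file or the world-readable Nix store, and the worker runs as a transient user with a read-only view of the system.

```nix
# Added example (not the author's configuration): run a Cirrus worker as an
# unprivileged, sandboxed systemd service on NixOS, with the registration token
# supplied through systemd credentials rather than the Nix store.
{ config, pkgs, ... }:
{
  systemd.services.cirrus-worker = {
    description = "Cirrus CI worker (unprivileged, sandboxed)";
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];

    # ASSUMED: package name and CLI flags of cirrus-cli. The token is read from
    # the per-unit credentials directory that systemd populates at start-up, so
    # it is not visible in `systemctl cat`, /nix/store or the process argument
    # list of anything but this exec line.
    script = ''
      exec ${pkgs.cirrus-cli}/bin/cirrus worker run \
        --token "$(cat "$CREDENTIALS_DIRECTORY/token")" \
        --name "${config.networking.hostName}"
    '';

    serviceConfig = {
      # Transient unprivileged user: no home, no shell, no sudo, no SUID helpers.
      DynamicUser = true;
      # /etc/cirrus/token is a root-owned 0400 file (ASSUMED path); systemd
      # copies it into $CREDENTIALS_DIRECTORY/token readable only by this unit.
      LoadCredential = "token:/etc/cirrus/token";
      # Writable state lives only under /var/lib/cirrus-worker; the rest of the
      # file system is read-only to the worker.
      StateDirectory = "cirrus-worker";
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      CapabilityBoundingSet = "";
      # If this unit itself launches the per-job QEMU VM it needs /dev/kvm;
      # grant that narrowly, e.g. SupplementaryGroups = [ "kvm" ], instead of
      # running the unit as root.
      # Restart after each exit so a single-job (ephemeral) worker is replaced
      # by a fresh process for the next job.
      Restart = "always";
      RestartSec = 5;
    };
  };
}
```

The isolation of the job itself still comes from the ephemeral VM described above; this module only ensures that the host-side worker process that hands out jobs cannot be used to vandalize the host or to read the token off disk.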

The hardest part is caching CI build inputs in ephemeral runners. The current Bitcoin Core CI runners aren’t ephemeral because caching dependency sources and built dependency artifacts, docker base images and task-specific docker images, previous releases, and ccache artifacts is important for both CI performance and resilience against e.g. network problems or rate-limiting. Managing these across CI jobs can be challenging, especially when a single CI job shouldn’t be able to clear the cache. I’ve written down some notes about this in https://github.com/bitcoin/bitcoin/issues/30852#issuecomment-2558198430.
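One way to keep a shared cache useful across ephemeral jobs without letting any single job clear it, as an added example that is not from the author’s repositories or notes: the job only ever writes into its own staging directory (in the setup assumed here the VM sees the shared cache read-only and the staging directory read-write), and after the job has finished the host promotes new entries into the shared cache. Existing cache entries are never overwritten or deleted, so a job can add to the cache but cannot tamper with or wipe what previous jobs produced. The directory layout is constructed for the example.

```sh
#!/bin/sh
# Added example (not the author's code): host-side, append-only promotion of a
# finished CI job's cache writes into the shared cache.
set -eu

# promote_cache <job-staging-dir> <shared-cache-dir>
# Copies every regular file from the staging directory into the shared cache
# unless an entry with the same relative path already exists there. Existing
# entries are never replaced or removed, so a single job cannot clear or
# poison what earlier jobs cached. Prints the number of newly added entries.
promote_cache() {
  staging=$1
  cache=$2
  added=0
  list=$(mktemp)

  # List regular files relative to the staging root. `find` does not follow
  # symlinks, so a job cannot smuggle in a link pointing outside its staging
  # directory (for example at the shared cache itself).
  ( cd "$staging" && find . -type f ) > "$list"

  # Redirecting into the loop (rather than piping) keeps it in the current
  # shell, so $added survives past `done`.
  while IFS= read -r rel; do
    rel=${rel#./}
    if [ -e "$cache/$rel" ]; then
      echo "skip (already cached): $rel" >&2
      continue
    fi
    mkdir -p "$cache/$(dirname "$rel")"
    cp -- "$staging/$rel" "$cache/$rel"
    added=$((added + 1))
  done < "$list"

  rm -f "$list"
  echo "$added"
}

# Usage: sh promote-cache.sh <job-staging-dir> <shared-cache-dir>
if [ "$#" -eq 2 ]; then
  promote_cache "$1" "$2"
fi
```

Eviction of stale entries then becomes a host-side policy (age- or size-based), run by the operator and not by whatever the job happened to execute.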

The project is about 85% done, but still requires some work to get to a production-ready level. Based on discussions with other Bitcoin Core developers, the current CI situation might have been improved since last fall: CI jobs don’t run as a privileged user anymore and other safeguards have been put into place. The plan is to present my CI setup at the upcoming CoreDev and evaluate if it makes sense to invest more time and energy into this project in the short term.

I’ve published the CI-runner setup in https://github.com/0xB10C/bitcoin-core-cirrus-runner and my infrastructure in https://github.com/0xB10C/bitcoin-core-cirrus-runner-infra.

During development, I noticed that it is time-consuming to manually parse the Bitcoin Core CI logs. To help during my development and to provide stats for the Bitcoin Core project, I’ve built a tool and website that parses the logs and gives an overview of the recent tasks. The repository can be found at https://github.com/0xB10C/bitcoin-core-ci-stats and the website at https://0xb10c.github.io/bitcoin-core-ci-stats/.

On the Bitcoin Core side, I initially proposed https://github.com/bitcoin/bitcoin/pull/31377, which was then superseded by https://github.com/bitcoin/bitcoin/pull/31545. This makes the caching of the Bitcoin Core CI docker images possible.

Bitcoin Core

peer-observer

A tool used to monitor for attacks and anomalies by hooking into the Bitcoin Core tracepoints.

fork-observer

Tool to visualize forks and reorgs on various Bitcoin networks.

miningpool-observer

Transparency for Mining Pool Transaction Selection

my nix packages

Collection of Nix packages and NixOS modules of software I’ve written or software I use. Allows others to easily run my tools too.

Misc

What do you plan to work on next quarter?

  • Evaluate (e.g. at CoreDev) if it makes sense to continue working on the self-hosted Bitcoin Core CI runners or if other projects might have a higher priority for me for now.
  • Continue working on open issues for my current projects like fork-observer, miningpool-observer, peer-observer and others
  • Continue working on the Bitcoin Core tracing interface. See e.g. https://github.com/bitcoin/bitcoin/issues/31274
  • Further analyzing data and research posts on delving (e.g. compact block reconstruction and more)


My open-source work is currently funded by an OpenSats LTS grant. You can learn more about my funding and how to support my work on my funding page.

Text and images on this page are licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
