chore(docker): Add back cannon reproducible build

[clabby]

Overview

Adds the reproducible build recipe for cannon back in.

[claude]

Claude finished @clabby's task —— View job

---

PR Review: Add back cannon reproducible build

Reviewing this PR to provide feedback on code quality, best practices, potential issues, performance, security, and test coverage.

Todo List:

• Read and analyze the modified Dockerfile
• Review Dockerfile best practices and security
• Check reproducibility implementation
• Assess integration with existing project structure
• Provide comprehensive feedback

Review Feedback

This PR adds a multi-stage Dockerfile for creating reproducible builds of the cannon fault proof VM with kona-client. Overall, the implementation follows good Docker practices, but there are several areas for improvement:

✅ Strengths

1. Multi-stage build design: Well-structured with clear separation of concerns across 4 stages
2. Reproducible builds: Uses specific tags and locked dependencies (--locked flag)
3. Minimal final image: Uses scratch base for the export stage, reducing attack surface
4. Clear documentation: Good section headers and comments explaining each stage

⚠️ Security Concerns

1. Unverified downloads (docker/fpvm-prestates/cannon-repro.dockerfile:17):

   RUN curl -sL https://go.dev/dl/go$GO_VERSION.linux-$TARGETARCH.tar.gz -o go$GO_VERSION.linux-$TARGETARCH.tar.gz && \
     tar -C /usr/local/ -xzf go$GO_VERSION.linux-$TARGETARCH.tar.gz

   Recommendation: Add checksum verification for the Go download to prevent supply chain attacks.

2. Git clones without verification (docker/fpvm-prestates/cannon-repro.dockerfile:23, docker/fpvm-prestates/cannon-repro.dockerfile:43):

   RUN git clone https://github.com/ethereum-optimism/optimism
   RUN git clone https://github.com/op-rs/kona

   Recommendation: Consider using git clone --depth 1 for performance, and verify commit signatures if security is critical.

🔧 Best Practices & Optimization

1. Package manager cache cleanup: Missing cleanup after apt installations

   # Current:
   RUN apt-get update && apt-get install -y --no-install-recommends git curl ca-certificates make
   
   # Recommended:
   RUN apt-get update && apt-get install -y --no-install-recommends git curl ca-certificates make && \
       apt-get clean && rm -rf /var/lib/apt/lists/*

2. Build argument validation: No validation for required build args
   Recommendation: Add validation to ensure CANNON_TAG, CLIENT_TAG, and CLIENT_BIN are provided.

3. Go version pinning: Good practice using specific version 1.22.7

📝 Documentation & Clarity

1. TODO comment (docker/fpvm-prestates/cannon-repro.dockerfile:71): There's a TODO about updating --type once cannon supports DCLO/DCLZ. Consider tracking this in an issue.

2. Missing build arg documentation: The Dockerfile uses several build args but doesn't document expected values or formats.

🏗️ Architecture Integration

1. Consistent with project structure: Follows the existing Docker organization under docker/fpvm-prestates/
2. Aligns with kona architecture: Properly builds the kona-client binary for the MIPS target
3. Uses project's build profile: Correctly uses release-client-lto profile

🧪 Test Coverage

Missing: No tests or validation that the generated prestate artifacts are correct. Consider adding:

• Validation that the prestate loads successfully
• Smoke test that the proof generation works
• Integration with existing CI/test infrastructure

📊 Performance Considerations

1. Build caching: The current structure doesn't optimize for Docker layer caching
2. Parallel builds: Could potentially parallelize the cannon and kona-client builds
3. Resource usage: Large intermediate images (Ubuntu + Go toolchain) - acceptable for reproducible builds

Summary

This is a solid implementation of a reproducible build system. The main concerns are around supply chain security (unverified downloads) and missing cleanup. The architecture and approach are sound for the stated goal of reproducible cannon prestates.

Priority Recommendations:

1. Add checksum verification for Go download
2. Clean up package manager caches
3. Add build argument validation
4. Consider adding basic validation tests for the generated artifacts

---

[Copilot]

Pull Request Overview

This PR restores the reproducible build recipe for cannon by adding back the complete Dockerfile that was previously removed. The change adds multi-stage build process for cannon and kona-client components with prestate generation.

• Adds complete multi-stage Dockerfile for cannon reproducible builds
• Implements build stages for cannon binary, kona-client, and prestate generation
• Includes artifact export stage for distributing build outputs

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.}

[codecov]

Codecov Report

❌ Patch coverage is 0% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.0%. Comparing base (aabf5b1) to head (e362645).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
crates/proof/std-fpvm/src/tracing.rs	0.0%	19 Missing ⚠️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Claude finished @clabby's task —— View job

---

PR Review: Add back cannon reproducible build

Reviewing this PR to provide feedback on code quality, best practices, potential issues, performance, security, and test coverage.

Todo List:

• Read and analyze the modified Dockerfile
• Review the justfile changes
• Check Docker best practices and security
• Assess reproducibility implementation
• Review integration with existing project structure
• Provide comprehensive feedback

Review Feedback

This PR adds a multi-stage Dockerfile for creating reproducible builds of the cannon fault proof VM with kona-client. The changes align well with the project's architecture and goals. Here's my detailed analysis:

✅ Strengths

1. Well-structured multi-stage build: The 4-stage design clearly separates concerns:

   • cannon-build: Builds the cannon binary from optimism repo
   • client-build: Builds kona-client for MIPS target
   • prestate-build: Generates prestate artifacts
   • export-stage: Minimal scratch-based export layer

2. Reproducible build practices:

   • Uses specific Go version (1.22.7)
   • Employs --locked flag for Cargo builds
   • Uses tagged versions via build args
   • Proper build profile (release-client-lto)

3. Consistent justfile updates: The cannon type parameter update from multithreaded64-4 to multithreaded64-5 is consistent between the Dockerfile and justfile.

⚠️ Security Concerns

1. Unverified Go download (docker/fpvm-prestates/cannon-repro.dockerfile:17-18):

   RUN curl -sL https://go.dev/dl/go$GO_VERSION.linux-$TARGETARCH.tar.gz -o go$GO_VERSION.linux-$TARGETARCH.tar.gz && \
     tar -C /usr/local/ -xzf go$GO_VERSION.linux-$TARGETARCH.tar.gz

   Risk: Supply chain attack via compromised download
   Recommendation: Add SHA256 checksum verification

2. Unverified Git clones (docker/fpvm-prestates/cannon-repro.dockerfile:23, 43):

   RUN git clone https://github.com/ethereum-optimism/optimism
   RUN git clone https://github.com/op-rs/kona

   Recommendation: Consider shallow clones (--depth 1) for performance

🔧 Best Practices & Optimization

1. Missing package cleanup:

   # Current (lines 12, 40):
   RUN apt-get update && apt-get install -y --no-install-recommends git curl ca-certificates make
   
   # Recommended:
   RUN apt-get update && apt-get install -y --no-install-recommends git curl ca-certificates make && \
       apt-get clean && rm -rf /var/lib/apt/lists/*

2. Build argument validation: No validation that required args (CANNON_TAG, CLIENT_TAG, CLIENT_BIN) are provided.

3. Inconsistent source path in final stage (docker/fpvm-prestates/cannon-repro.dockerfile:92):

   COPY --from=prestate-build /cannon .  # Should be /cannon-bin

   The cannon binary is at /cannon-bin per line 65, but copied from /cannon in the export stage.

📝 Documentation & Integration

1. Architecture alignment: Properly integrates with kona's cross-compilation setup for MIPS64 target and uses the correct release profile.

2. Missing build documentation: The Dockerfile lacks inline documentation for build arguments and their expected formats.

3. Type parameter update: The justfile changes updating multithreaded64-4 to multithreaded64-5 maintain consistency, though the reasoning isn't documented.

🧪 Test Coverage

Missing validation: No tests verify that:

• Generated prestate artifacts are valid
• The build process produces reproducible outputs
• Integration with the broader kona ecosystem works correctly

Recommendation: Add smoke tests or validation steps for generated artifacts.

🏗️ Performance Considerations

1. Build caching: Current structure doesn't optimize Docker layer caching - dependencies are installed in each stage separately.

2. Resource usage: Large intermediate images (Ubuntu + Go toolchain) are acceptable for reproducible builds but could be optimized.

Summary

This is a solid implementation that properly restores cannon reproducible build capability. The main issues are around supply chain security (unverified downloads) and a path inconsistency in the final export stage.

Critical Issues:

1. Path mismatch: Fix export stage to copy from /cannon-bin not /cannon
2. Security: Add checksum verification for Go download

Recommended Improvements:

1. Clean up package manager caches
2. Add build argument validation
3. Consider adding basic artifact validation

The architecture aligns well with kona's cross-compilation needs and the justfile changes maintain consistency across the codebase.

---

[claude]

Claude finished @clabby's task —— View job

---

PR Review: Add back cannon reproducible build

Reviewing this PR to provide feedback on code quality, best practices, potential issues, performance, security, and test coverage.

Todo List:

• Read and analyze the modified Dockerfile
• Review the justfile changes
• Check Docker best practices and security
• Assess reproducibility implementation
• Review integration with existing project structure
• Provide comprehensive feedback

Review Summary

This PR adds a comprehensive multi-stage Dockerfile for creating reproducible builds of the cannon fault proof VM with kona-client, plus updates the cannon type parameter from multithreaded64-4 to multithreaded64-5 in the justfile.

✅ Strengths

1. Well-structured multi-stage build: Clear separation across 4 stages (cannon-build, client-build, prestate-build, export-stage)
2. Reproducible build approach: Uses specific tags via build args and --locked flag for dependencies
3. Minimal final image: Uses scratch base for export stage, reducing attack surface
4. Consistent parameter update: The justfile changes align the type parameter with what's used in the Dockerfile

⚠️ Security Concerns

1. Unverified Go download (docker/fpvm-prestates/cannon-repro.dockerfile:17-18):

   RUN curl -sL https://go.dev/dl/go$GO_VERSION.linux-$TARGETARCH.tar.gz -o go$GO_VERSION.linux-$TARGETARCH.tar.gz && \
     tar -C /usr/local/ -xzf go$GO_VERSION.linux-$TARGETARCH.tar.gz

   Critical: No checksum verification. This could allow supply chain attacks.

2. Unverified Git clones (docker/fpvm-prestates/cannon-repro.dockerfile:23, 43):

   RUN git clone https://github.com/ethereum-optimism/optimism
   RUN git clone https://github.com/op-rs/kona

   Recommendation: While git checkout with specific tags provides some protection, consider shallow clones for performance.

🔧 Best Practices Issues

1. Missing package cleanup (docker/fpvm-prestates/cannon-repro.dockerfile:12, 40):

   RUN apt-get update && apt-get install -y --no-install-recommends git curl ca-certificates make

   Should include: && apt-get clean && rm -rf /var/lib/apt/lists/*

2. Go version inconsistency: Dockerfile uses Go 1.23.8, but no validation of this version choice against project requirements.

3. Build arg validation missing: No validation that required CANNON_TAG, CLIENT_TAG, and CLIENT_BIN are provided.

🐛 Potential Issues

1. Path inconsistency (docker/fpvm-prestates/cannon-repro.dockerfile:92):

   COPY --from=prestate-build /cannon .

   This copies from /cannon but the cannon binary was copied to /cannon-bin in cannon-build stage. The environment variable CANNON_BIN_PATH="/cannon" is set correctly in prestate-build, so this should work, but it's confusing.

2. Missing error handling: No validation that the prestate generation steps completed successfully.

📈 Performance Considerations

1. Build caching: Structure doesn't optimize for Docker layer caching between builds
2. Large intermediate images: Acceptable for reproducible builds but could be optimized
3. Sequential builds: Cannon and kona-client builds could potentially be parallelized

🧪 Test Coverage

Missing: No validation that generated artifacts are correct. Consider adding:

• Smoke test that prestate loads successfully
• Validation of generated proof format
• Integration with CI to verify reproducibility

📝 Minor Issues

1. Incomplete TODO comment (docker/fpvm-prestates/cannon-repro.dockerfile:74): Lacks context about when/how to update the type parameter
2. Inconsistent Go version: Uses 1.23.8 vs project's apparent preference for 1.22.7 based on existing reviews

Priority Recommendations

1. Critical: Add checksum verification for Go download
2. High: Clean up package manager caches to reduce image size
3. Medium: Add build argument validation
4. Low: Consider adding artifact validation tests

The overall approach is sound for reproducible builds, but the security concerns around unverified downloads should be addressed before merging.

---

[theochap]

Looks good, should we add a CI task to test that this doesn't break in the future?