Added teku client support

.gitignore

@@ -1,2 +1,5 @@
 .env
 docker-compose.yml
+.eth2/*
+!.eth2/README.md
+!.eth2/validator_keys/.empty

README.md

@@ -17,6 +17,7 @@ Currently supported clients:
 - Nimbus
 - Lighthouse
 - Prysm
+- Teku
 
 Currently supported optional components:
 - geth, local eth1 node. Use this or a 3rd-party provider of eth1 chain data to "feed"
@@ -102,7 +103,7 @@ To start the client:
 ```
 sudo docker-compose up -d eth2
 ```
-> **Nimbus**: Beacon and validator run in the same process, there is only one container for both
+> **Nimbus and Teku**: Beacon and validator run in the same process, there is only one container for both
 
 If, however, you chose not to store the wallet password with the validator, you will need
 to bring the beacon and, if in use, geth, up individually instead, then "run"
@@ -138,7 +139,7 @@ the link gets you to, use Ctrl-a to select all and Ctrl-C to copy), click "Load"
 - [Prysm Dashboard JSON](https://raw.githubusercontent.com/GuillaumeMiralles/prysm-grafana-dashboard/master/less_10_validators.json)
 - [Prysm Dashboard JSON for more than 10 validators](https://raw.githubusercontent.com/GuillaumeMiralles/prysm-grafana-dashboard/master/more_10_validators.json)
 - [Nimbus Dashboard JSON](https://raw.githubusercontent.com/SomerEsat/ethereum-staking-guide/master/NimbusGrafana.json)
-- [Teku Dashboard JSON](https://grafana.com/grafana/dashboards/12199)
+- [Teku Dashboard](https://grafana.com/grafana/dashboards/12199)
 
 ## Step 9: Autostart the client on boot
 
@@ -148,10 +149,10 @@ For Linux systems that use systemd, e.g. Ubuntu, you'd create a systemd
 service. 
 
 - Copy the file: `sudo cp sample-systemd /etc/systemd/system/eth2.service`
-- Edit the file `/etc/systemd/system/eth2.service`
+- Edit the file: `sudo nano /etc/systemd/system/eth2.service`
 - Adjust the `WorkingDirectory` to the directory you stored the project in.
 - Adjust the path to `docker-compose` to be right for your system, see `which docker-compose`
-- Test the service: `sudo systemctl daemon-reload`, `sudo systemctl start eth2`, check `docker ps` to
+- Test the service: `sudo systemctl daemon-reload`, `sudo systemctl start eth2`, check `sudo docker ps` to
 see all expected containers are up
 - Enable the service: `sudo systemctl enable eth2`
 
@@ -240,6 +241,9 @@ If a service is not starting and you want to bring up its container manually, so
 `sudo docker-compose down`, tear down everything first.<br />
 `sudo docker ps`, make sure everything is down.<br />
 
+If you need to see the files that are being stored by services such as beacon, validator, eth1 node, grafana, &c, in Ubuntu Linux you can find
+those in /var/lib/docker/volumes. `sudo bash` to invoke a shell that has access.
+
 **HERE BE DRAGONS** You can totally run N copies of an image manually and then successfully start a validator in each and get yourself slashed.
 Take extreme care.
 
@@ -251,9 +255,9 @@ the client images currently supplied are `lighthouse` and `prysm`.<br />
 
 # Guiding principles:
 
-- Reduce the attack surface of the client where this is feasible. Not
-  all clients lend themselves to be statically compiled and running
-  in "scratch"
+- Reduce the attack surface of the client as much as feasible.
+  None of the eth2 clients lend themselves to be statically compiled and running
+  in "scratch" containers, alas.
 - Guide users to good key management as much as possible
 - Create something that makes for a good user experience and guides people new to docker and Linux as much as feasible
 

RECOMMENDATIONS.md

@@ -115,7 +115,7 @@ was unable to report ECC errors via IPMI, only OS-level reporting worked.
 * mITX: 
   * SuperMicro X11SCL-IF(-O)
 * uATX:
-  * SuperMicro X11SCL-F(-O)
+  * SuperMicro X11SCL-F(-O) or X11SCH-F(-O)
 * Common components:
   * Intel i3-9100F or Intel Xeon E-2xxx (i5/7 do not support ECC)
   * 16 GiB of Micron or Samsung DDR4 UDIMM ECC RAM (unbuffered, **not** registered)
@@ -142,8 +142,8 @@ growing. The eth2 db is expected to be far smaller, though exact figures
 won't be seen until Phase 1.5 and 2.
 
 You'll want decent write endurance. The two models mentioned here have 600TB
-write endurance each. Intel is also well-liked, their data center SSDs
-are quite reliable, if a bit pricey.
+write endurance each.<br />
+Intel SSDs are also well-liked, their data center SSDs are quite reliable, if a bit pricey.
 
 You may also consider getting two SSDs and running them in a software mirror
 (RAID-1) setup, in the OS. That way, data loss becomes less likely for the

SETUP.md

@@ -21,13 +21,9 @@ usermod -aG sudo USERNAME
 ```
 
 Optional: If you used SSH keys to connect to your Ubuntu instance via the root user you
-will need to associate the new user with the root user’s SSH key data.
+will need to [associate the new user with your public key(s)](#ssh-key-authentication-with-linux).
 
-`rsync --archive --chown=USERNAME:USERNAME ~/.ssh /home/USERNAME`
-
-Finally, log out of `root` and log in as your `USERNAME`.
-
-## "Pull" the project
+## "Clone" the project
 
 From a terminal - Powershell if you are installing the node on Windows - and logged in as the user
 you'll be using from now on, and assuming you'll be storing the project in your `$HOME`, run:
@@ -41,15 +37,19 @@ cd eth2-docker
 ## Client choice
 
 Please choose:
-- The eth2 client you wish to run
-  - Nimbus
-  - Lighthouse
-  - Prysm
-- Your source of eth1 data
-  - geth
-  - 3rd-party
-- Whether to run a slasher (not yet implemented)
-- Whether to run a grafana dashboard for monitoring
+* The eth2 client you wish to run
+  * Nimbus
+  * Lighthouse
+  * Prysm
+  * Teku
+* Your source of eth1 data
+  * geth
+  * 3rd-party
+* Whether to run a slasher (not yet implemented)
+* Whether to run a grafana dashboard for monitoring
+
+> Note: Teku is written in Java, which makes it memory-hungry. In its default configuration, you may
+> want a machine with 16 GiB of RAM. See .env for a parameter to restrict Teku to 4 GiB of RAM.
 
 First, copy the environment file.<br />
 `cp default.env .env`
@@ -79,9 +79,11 @@ geth with `:` between the file names.
 - `nimbus-base.yml` - Nimbus
 - `lh-base.yml` - Lighthouse
 - `prysm-base.yml` - Prysm
+- `teku-base.yml` - Teku
 - `geth.yml` - local geth eth1 chain node
 - `grafana.yml` - grafana dashboard for Lighthouse or Prysm
 - `nimbus-grafana.yml` - grafana dashboard for Nimbus
+- `teku-grafana.yml` - grafana dashboard for Teku
 
 For example, Lighthouse with local geth and grafana:
 `COMPOSE_FILE=lh-base.yml:geth.yml:grafana.yml`
@@ -98,6 +100,7 @@ to your node if behind a home router, or allowed in via the VPS firewall.
 - 9000 tcp/udp - Lighthouse beacon node. Open to Internet.
 - 13000/tcp - Prysm beacon node. Open to Internet.
 - 12000/udp - Prysm beacon node. Open to Internet.
+- 9000 tcp/udp - Teku beacon node. Open to Internet. Note this is the same as Lighthouse.
 - 3000/tcp - Grafana. **Not** open to Internet, allow locally only. It is insecure http.
 - 22/tcp - SSH. Only open to Internet if this is a remote server (VPS). If open to Internet, configure
   SSH key authentication.
@@ -109,12 +112,17 @@ On Ubuntu, the host firewall `ufw` can be used to only allow specific ports inbo
   * `sudo ufw allow 30303` will allow traffic for geth to port 30303, both tcp and udp.
   * `sudo ufw allow 3000/tcp` will allow traffic to the Grafana dashboard
   * Nimbus
-    * `sudo ufw allow 19000` will allow Nimbus beacon traffic, both tcp and udp.
+    * `sudo ufw allow 19000` will allow Nimbus beacon traffic, both tcp and udp
   * Lighthouse
     * `sudo ufw allow 9000` will allow Lighthouse beacon traffic, both tcp and udp
   * Prysm
     * `sudo ufw allow 13000/tcp && sudo ufw allow 12000/udp` will allow Prysm beacon traffic
-* Enable the firewall and check the rules you created
+  * Teku
+    * `sudo ufw allow 9000` will allow Teku beacon traffic, both tcp and udp
+* Check the rules you created and verify that you are allowing SSH. You can **lock yourself out** if
+you don't allow your SSH port in. `allow OpenSSH` is sufficient for the default SSH port.
+  * `sudo ufw show added`
+* Enable the firewall and see numbered rules once more
   * `sudo ufw enable`
   * `sudo ufw status numbered`
 
@@ -148,21 +156,35 @@ to already be installed. If it isn't, follow that link and install it.
 From your MacOS/Linux Terminal or Windows Powershell, check whether you have an ssh key. You expect an id_TYPE.pub
 file when running `ls ~/.ssh`.
 
+### Create an SSH key pair
+
 Create a key if you need to, or if you don't have `id_ed25519.pub` but prefer that cipher:<br />
 `ssh-keygen -t ed25519`
+> Bonus: On Linux, you can also include a timestamp with your key, like so:<br />
+> `ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/id_ed25519`
+
+### MacOS/Linux, copy public key
+
+ If you are on MacOS or Linux, you can then copy this new public key to the Linux server:<br />
+`ssh-copy-id USERNAME@HOST`
 
-Output the contents of your public key file to terminal and copy, here for `id_ed25519.pub`:<br />
-`cat ~/.ssh/id_ed25519.pub`
+### Windows 10, copy public key
 
+On Windows 10, or if that command is not available, output the contents of your public key file
+to terminal and copy, here for `id_ed25519.pub`:<br />
+`cat ~/.ssh/id_ed25519.pub`<br
 On your Linux server, logged in as your non-root user, add this public key to your account:<br />
 ```
 mkdir ~/.ssh
 nano ~/.ssh/authorized_keys
 ```
 And paste in the public key.
 
+### Test login and turn off password authentication
+
 Test your login. `ssh user@serverIP` from your client's MacOS/Linux Terminal or Windows Powershell should log you in
-directly without prompting for a password.<br />
+directly without prompting for a password.
+
 If you are still prompted for a password, resolve that first. Your ssh client should show you errors in that case.
 On Windows 10 in particular, if the ssh client complains about the "wrong permissions" on the `.ssh` directory or
 `.ssh/config` file, go into Explorer, find the `C:\Users\USERNAME\.ssh` directory, edit its Properties->Security, click

default.env

@@ -20,15 +20,19 @@ LOG_LEVEL=info
 # Leave this as-is to compile nimbus with support for metrics via grafana. 
 # Change to empty (nothing after first =) to disable that functionality
 NIM_METRICS=NIMFLAGS="-d:insecure"
+# Uncomment this if you need to restrict teku to just 4 GiB of RAM
+#TEKU_LOW_MEM=-Xmx4G
 
 # Ports you will forward to your staking node. Adjust here if you are
 # going to use something other than defaults.
 GETH_PORT=30303
 LH_PORT=9000
 PRYSM_PORT=13000
 PRYSM_UDP_PORT=12000
-GRAFANA_PORT=3000
 NIM_PORT=19000
+TEKU_PORT=9000
+# Local grafana dashboard port. Do not expose to Internet, it is insecure http
+GRAFANA_PORT=3000
 
 # These variables are not likely to require adjustment
 GETH_BUILD_TARGET=release/1.9
@@ -49,8 +53,9 @@ PRYSM_VAL_IMPORT_ENTRYPOINT=create-prysm-validator-wallet.sh
 
 NIM_BUILD_TARGET=devel
 NIM_USER=nimbus
-NIM_ENTRYPOINT=["/usr/local/bin/beacon_node", "--data-dir=/var/lib/nimbus", "--non-interactive", "--log-file=/var/lib/nimbus/beacon_node.log"]
-NIM_IMPORT_ENTRYPOINT=["/usr/local/bin/beacon_node", "deposits", "import", "--data-dir=/var/lib/nimbus", "--log-file=/var/lib/nimbus/beacon_node.log", "/var/lib/nimbus/validator_keys"]
+
+TEKU_BUILD_TARGET=master
+TEKU_USER=teku
 
 DEPCLI_BUILD_TARGET=master
 DEPCLI_USER=depcli

prometheus/Dockerfile

@@ -3,6 +3,7 @@ FROM prom/prometheus
 COPY ./lh-prom.yml /etc/prometheus
 COPY ./prysm-prom.yml /etc/prometheus
 COPY ./nimbus-prom.yml /etc/prometheus
+COPY ./teku-prom.yml /etc/prometheus
 COPY ./prometheus.yml /etc/prometheus
 COPY ./choose-config.sh /usr/local/bin/choose-config.sh
 

prometheus/choose-config.sh

@@ -7,6 +7,7 @@ case "$CLIENT" in
   *lh-base* ) conffile=lh-prom.yml ;;
   *prysm-base* ) conffile=prysm-prom.yml ;;
   *nimbus-base* ) conffile=nimbus-prom.yml ;;
+  *teku-base* ) conffile=teku-prom.yml ;;
   * ) conffile=prometheus.yml ;;
 esac
 

prometheus/teku-prom.yml

@@ -0,0 +1,12 @@
+global:
+  scrape_interval: 15s
+scrape_configs:
+  - job_name: 'node_exporter'
+    static_configs:
+      - targets: ['node-exporter:9100']
+  - job_name: "teku-dev"
+    scrape_timeout: 10s
+    metrics_path: /metrics
+    scheme: http
+    static_configs:
+    - targets: ["beacon:8008"] 

prysm/create-prysm-validator-wallet.sh

@@ -5,21 +5,22 @@
 if [ $? -ne 0 ]; then
   exit 1;
 fi
-
+echo
 echo Storing the wallet password in plain text will allow the validator to start automatically without user input.
+echo
 while true; do
   read -p "Do you wish to store the wallet password inside this container? (y/n) " yn
   case $yn in
     [Yy]* ) break;;
-    [Nn]* ) echo "Not storing plaintext wallet password."; echo; echo "Please adjust docker-compose.yml and see instructions in README.md on how to start the client"; exit;;
+    [Nn]* ) echo "Not storing plaintext wallet password."; echo; echo "Please adjust prysm-base.yml and see instructions in README.md on how to start the client"; exit;;
     * ) echo "Please answer yes or no.";;
   esac
 done
+echo
 while true; do
   read -sp "Please enter the 'New wallet password' you chose above: " password1
   echo
   read -sp "Please re-enter the 'New wallet password': " password2
-  echo
   if [ $password1 == $password2 ]; then
     break
   else
@@ -28,4 +29,6 @@ while true; do
   fi
 done
 
+echo
 echo $password1 >/var/lib/prysm/password.txt
+echo "Wallet password has been stored."

teku-base.yml

@@ -0,0 +1,68 @@
+version: "3"
+services:
+  beacon:
+    restart: "no"
+    user: ${LOCAL_UID}:${LOCAL_UID}
+    build:
+      context: ./teku
+      args:
+        - BUILD_TARGET=${TEKU_BUILD_TARGET}
+        - USER=${TEKU_USER}
+        - UID=${LOCAL_UID}
+    image: teku
+    volumes:
+      - teku-data:/var/lib/teku
+    environment:
+      - JAVA_OPTS=${TEKU_LOW_MEM}
+    ports:
+      - ${TEKU_PORT}:9000/tcp
+      - ${TEKU_PORT}:9000/udp
+    entrypoint:
+      - /usr/local/teku/bin/teku
+      - --data-path=/var/lib/teku
+      - --log-destination=CONSOLE
+      - --network=${TESTNET}
+      - --eth1-endpoint=${ETH1_NODE}
+      - --validators-keystore-locking-enabled=true
+      - --validator-keys=/var/lib/teku/validator-keys:/var/lib/teku/validator-passwords
+      - --validators-graffiti=${GRAFFITI}
+      - --logging=${LOG_LEVEL}
+  validator-import:
+    restart: "no"
+    user: ${LOCAL_UID}:${LOCAL_UID}
+    image: teku
+    build:
+      context: ./teku
+      args:
+        - BUILD_TARGET=${TEKU_BUILD_TARGET}
+        - USER=${TEKU_USER}
+        - UID=${LOCAL_UID}
+    volumes:
+      - teku-data:/var/lib/teku
+      - ${DEPCLI_LOCALDIR}/validator_keys:/var/lib/teku/validator_keys
+    entrypoint: copy-teku-validator-keys.sh
+  deposit-cli:
+    restart: "no"
+    user: ${LOCAL_UID}:${LOCAL_UID}
+    build:
+      context: ./eth2.0-deposit-cli
+      args:
+        - BUILD_TARGET=${DEPCLI_BUILD_TARGET}
+        - USER=${DEPCLI_USER}
+        - UID=${LOCAL_UID}
+    image: eth2.0-deposit-cli
+    volumes:
+      - ${DEPCLI_LOCALDIR}:/var/lib/depcli-data
+    entrypoint: ${DEPCLI_ENTRYPOINT}
+    command:
+      - --num_validators
+      - ${NUMVAL}
+      - --chain
+      - ${DEPOSIT_CHAIN}
+  eth2:
+    image: tianon/true
+    restart: "no"
+    depends_on:
+      - beacon
+volumes:
+  teku-data: