Cleaned up NAT behavior for non-standard ports

adrienlacombe · Sep 30, 2020 · ce53047 · ce53047
1 parent ed32616
commit ce53047
Show file tree

Hide file tree

Showing 18 changed files with 165 additions and 75 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# eth2-docker v0.1.3
+# eth2-docker v0.1.4
 Unofficial and experimental docker build instructions for eth2 clients
 
 ## Acknowledgements
@@ -21,12 +21,12 @@ Currently supported clients:
 
 Currently supported optional components:
 - geth, local eth1 node. Use this or a 3rd-party provider of eth1 chain data to "feed"
-  your eth2 beacon node, so you can "propose" blocks.
+  your eth2 beacon node, so you can [propose](https://ethos.dev/beacon-chain/) blocks.
 - Grafana dashboard
 
-**Note**: As of 9/28/2020, Nimbus requires an "archive" source of eth1 chain data.
-This can be a local geth in archive mode, or a 3rd-party provider. Please see [SETUP](SETUP.md)
-for details.
+**Note**: As of 9/30/2020, Nimbus requires an "archive" source of eth1 chain data.
+This can be a local geth in archive mode via ws://, or a 3rd-party provider via wss://. 
+Please see [SETUP](SETUP.md) for details.
 
 # USAGE
 

diff --git a/SETUP.md b/SETUP.md
@@ -82,7 +82,7 @@ geth with `:` between the file names.
 - `teku-base.yml` - Teku
 - `geth.yml` - local geth eth1 chain node
 - `geth-archive.yml` - local geth node in full archive mode, required for Nimbus
-- `grafana.yml` - grafana dashboard for Lighthouse or Prysm
+- `lh-prysm-grafana.yml` - grafana dashboard for Lighthouse or Prysm
 - `nimbus-grafana.yml` - grafana dashboard for Nimbus
 - `teku-grafana.yml` - grafana dashboard for Teku
 
@@ -94,9 +94,13 @@ is in use, their own geth. This is perfect for running a single client, or multi
 clients each in their own directory.
 
 If you want to run multiple isolated clients, just clone this project into a new directory for
-each. This is perfect for running medalla and spadina in parallel, for example.
+each. This is great for running medalla and zinken in parallel, for example.
 
-Note that a "full archive" geth takes ~80GB for goerli testnet and ~2TB for mainnet.
+> Nimbus: Nimbus as of 9/30/2020 requires a "full archive" source of eth1 chain data.
+> It should work with a 3rd party via wss://, though possibly not https://, and a local
+> archive node via ws://, though possibly not http://. Nimbus' capabilities will evolve,
+> check with the Nimbus Discord for its current state.
+> Note that a "full archive" geth takes ~60GB for goerli testnet and ~1.3TB for mainnet.
 
 ### Optional: Advanced setup with multiple beacons, shared geth and Vouch client
 
@@ -120,11 +124,11 @@ Ports that I mention should be "Open to Internet" need to be either forwarded
 to your node if behind a home router, or allowed in via the VPS firewall.
 
 - 30303 tcp/udp - local eth1 node, geth or openethereum. Open to Internet.
-- 19000 tcp/udp - Nimbus beacon node. Open to Internet.
 - 9000 tcp/udp - Lighthouse beacon node. Open to Internet.
 - 13000/tcp - Prysm beacon node. Open to Internet.
 - 12000/udp - Prysm beacon node. Open to Internet.
 - 9000 tcp/udp - Teku beacon node. Open to Internet. Note this is the same as Lighthouse.
+- 9000 tcp/udp - Nimbus beacon node. Open to Internet. Note this is the same as Lighthouse.
 - 3000/tcp - Grafana. **Not** open to Internet, allow locally only. It is insecure http.
 - 22/tcp - SSH. Only open to Internet if this is a remote server (VPS). If open to Internet, configure
   SSH key authentication.
@@ -135,14 +139,14 @@ On Ubuntu, the host firewall `ufw` can be used to only allow specific ports inbo
   * `sudo ufw allow OpenSSH` will allow ssh inbound
   * `sudo ufw allow 30303` will allow traffic for geth to port 30303, both tcp and udp.
   * `sudo ufw allow 3000/tcp` will allow traffic to the Grafana dashboard
-  * Nimbus
-    * `sudo ufw allow 19000` will allow Nimbus beacon traffic, both tcp and udp
   * Lighthouse
     * `sudo ufw allow 9000` will allow Lighthouse beacon traffic, both tcp and udp
   * Prysm
     * `sudo ufw allow 13000/tcp && sudo ufw allow 12000/udp` will allow Prysm beacon traffic
   * Teku
     * `sudo ufw allow 9000` will allow Teku beacon traffic, both tcp and udp
+  * Nimbus
+    * `sudo ufw allow 9000` will allow Nimbus beacon traffic, both tcp and udp
 * Check the rules you created and verify that you are allowing SSH. You can **lock yourself out** if
 you don't allow your SSH port in. `allow OpenSSH` is sufficient for the default SSH port.
   * `sudo ufw show added`

diff --git a/default.env b/default.env
@@ -2,7 +2,7 @@
 # This is vital for key import to work. You can find your UID with "echo $UID".
 LOCAL_UID=1000
 # Client choice: See SETUP.md for available options
-COMPOSE_FILE=lh-base.yml:geth.yml:grafana.yml
+COMPOSE_FILE=lh-base.yml:geth.yml:lh-prysm-grafana.yml
 # ETH1 endpoint / chain source. This default uses the geth container
 # For Nimbus with geth, use ws://geth:8546, and the geth-archive.yml file
 # in COMPOSE_FILE
@@ -11,51 +11,46 @@ ETH1_NODE=http://geth:8545
 GRAFFITI=eth2-docker
 # Number of validators to create with deposit-cli
 NUMVAL=1
-# Chain to use for wallet creation and initial deposit
-DEPOSIT_CHAIN=medalla
-# Network to use for geth.
-ETH_NETWORK=--goerli
-# Testnet to use for eth2.
-TESTNET=medalla
 # If you want debug logs, set this to debug instead of info
 LOG_LEVEL=info
+# Uncomment this if you need to restrict teku to just 4 GiB of RAM
+#TEKU_LOW_MEM=-Xmx4G
 # Leave this as-is to compile nimbus with support for metrics via grafana. 
 # Change to empty (nothing after first =) to disable that functionality
 NIM_METRICS=NIMFLAGS="-d:insecure"
-# Uncomment this if you need to restrict teku to just 4 GiB of RAM
-#TEKU_LOW_MEM=-Xmx4G
+# Testnet to use for eth2.
+TESTNET=medalla
+# Specific to Prysm, testnet that's NOT medalla
+#PRYSM_NONSTD_TESTNET=--zinken
 
 # Ports you will forward to your staking node. Adjust here if you are
 # going to use something other than defaults.
 GETH_PORT=30303
 LH_PORT=9000
 PRYSM_PORT=13000
 PRYSM_UDP_PORT=12000
-NIM_PORT=19000
+NIM_PORT=9000
 TEKU_PORT=9000
 # Local grafana dashboard port. Do not expose to Internet, it is insecure http
 GRAFANA_PORT=3000
+# Geth ports are for advanced config, not functional yet
 # Local geth http port if you are using geth-shared.yml. Do not expose to Internet, it is insecure http
 GETH_HTTP_PORT=8545 
-# Local geth ws port if you are using geth-archived-shared.yml. Do not expose to Internet, it is insecure
+# Local geth ws port if you are using geth-archive-shared.yml. Do not expose to Internet, it is insecure
 GETH_WS_PORT=8546
 
 # These variables are not likely to require adjustment
+# Network to use for geth.
+ETH_NETWORK=goerli
+
 GETH_BUILD_TARGET=release/1.9
 GETH_USER=geth
-GETH_ENTRYPOINT=geth --nousb --http --http.addr 0.0.0.0 --http.vhosts * --http.api eth,net --ipcdisable --datadir /var/lib/goethereum
 
 LH_BUILD_TARGET=master
 LH_USER=lighthouse
-LH_BN_ENTRYPOINT=lighthouse bn --datadir /var/lib/lighthouse --http --http-address 0.0.0.0
-LH_VAL_ENTRYPOINT=lighthouse --datadir /var/lib/lighthouse
 
 PRYSM_BUILD_TARGET=master
 PRYSM_USER=prysm
-#PRYSM_BN_ENTRYPOINT=beacon-chain --datadir /var/lib/prysm/ --rpc-host 0.0.0.0
-PRYSM_BN_ENTRYPOINT=start-prysm-beacon-extip.sh
-PRYSM_VAL_ENTRYPOINT=validator --datadir /var/lib/prysm --wallet-dir /var/lib/prysm/
-PRYSM_VAL_IMPORT_ENTRYPOINT=create-prysm-validator-wallet.sh
 
 NIM_BUILD_TARGET=devel
 NIM_USER=nimbus

diff --git a/geth-archive.yml b/geth-archive.yml
@@ -1,6 +1,6 @@
 # Runs a full archive geth node with http and ws endpoints, local to the container network
 # Included for Nimbus, which requires a full archive geth. In main net, this would require
-# ~2TB storage. For Goerli, it is ~80GB
+# ~1.5TB storage. For Goerli, it is ~80GB
 version: "3"
 services:
   geth:
@@ -16,21 +16,28 @@ services:
     volumes:
       - geth-data:/var/lib/goethereum
     ports:
-      - ${GETH_PORT}:30303/tcp
-      - ${GETH_PORT}:30303/udp
+      - ${GETH_PORT}:${GETH_PORT}/tcp
+      - ${GETH_PORT}:${GETH_PORT}/udp
     expose:
       - 8545
       - 8546
-    entrypoint: ${GETH_ENTRYPOINT}
-    command:
-      - ${ETH_NETWORK}
-      - --gcmode
-      - "archive"
-      - --ws
-      - --ws.api
-      - eth,net
-      - --ws.addr
+    entrypoint:
+      - geth
+      - --nousb
+      - --http
+      - --http.addr
       - 0.0.0.0
+      - --http.vhosts=*
+      - --http.api
+      - eth,net
+      - --ipcdisable
+      - --datadir
+      - /var/lib/goethereum
+      - --${ETH_NETWORK}
+      - --port
+      - ${GETH_PORT}
+      - --gcmode=archive
+      - --syncmode=full
   beacon:
     depends_on:
       - geth

diff --git a/geth.yml b/geth.yml
@@ -13,13 +13,25 @@ services:
     volumes:
       - geth-data:/var/lib/goethereum
     ports:
-      - ${GETH_PORT}:30303/tcp
-      - ${GETH_PORT}:30303/udp
+      - ${GETH_PORT}:${GETH_PORT}/tcp
+      - ${GETH_PORT}:${GETH_PORT}/udp
     expose:
       - 8545
-    entrypoint: ${GETH_ENTRYPOINT}
-    command:
-      - ${ETH_NETWORK}
+    entrypoint:
+      - geth
+      - --nousb
+      - --http
+      - --http.addr
+      - 0.0.0.0
+      - --http.vhosts=*
+      - --http.api
+      - eth,net
+      - --ipcdisable
+      - --datadir
+      - /var/lib/goethereum
+      - --${ETH_NETWORK}
+      - --port
+      - ${GETH_PORT}
   beacon:
     depends_on:
       - geth

diff --git a/lh-base.yml b/lh-base.yml
@@ -13,14 +13,22 @@ services:
     volumes:
       - lhbeacon-data:/var/lib/lighthouse
     ports:
-      - ${LH_PORT}:9000/tcp
-      - ${LH_PORT}:9000/udp
+      - ${LH_PORT}:${LH_PORT}/tcp
+      - ${LH_PORT}:${LH_PORT}/udp
     expose:
       - 5052
-    entrypoint: wait-for-eth1.sh ${ETH1_NODE} ${LH_BN_ENTRYPOINT}
-    command:
+    entrypoint: 
+      - lighthouse
+      - bn
+      - --datadir
+      - /var/lib/lighthouse
+      - --http
+      - --http-address
+      - 0.0.0.0
       - --testnet
       - ${TESTNET}
+      - --port
+      - ${LH_PORT}
       - --eth1-endpoint
       - ${ETH1_NODE}
       - --debug-level
@@ -37,8 +45,19 @@ services:
     image: lighthouse
     volumes:
       - lhvalidator-data:/var/lib/lighthouse
-    entrypoint: ${LH_VAL_ENTRYPOINT}
-    command: ["validator", "--server", "http://beacon:5052", "--graffiti", "${GRAFFITI}", "--testnet", "${TESTNET}", "--debug-level", "${LOG_LEVEL}"]
+    entrypoint:
+      - lighthouse
+      - validator
+      - --datadir
+      - /var/lib/lighthouse
+      - --server
+      - http://beacon:5052
+      - --graffiti
+      - ${GRAFFITI}
+      - --testnet
+      - ${TESTNET}
+      - --debug-level
+      - ${LOG_LEVEL}
     depends_on:
       - beacon
   validator-import:
@@ -54,8 +73,20 @@ services:
     volumes:
       - lhvalidator-data:/var/lib/lighthouse
       - ${DEPCLI_LOCALDIR}/validator_keys:/var/lib/lighthouse/validator_keys
-    entrypoint: ${LH_VAL_ENTRYPOINT}
-    command: ["account", "validator", "import", "--directory", "/var/lib/lighthouse/validator_keys", "--validator-dir", "/var/lib/lighthouse", "--testnet", "${TESTNET}", "--reuse-password"]
+    entrypoint:
+      - query-lh-validator-passwords.sh
+      - lighthouse
+      - account
+      - validator
+      - import
+      - --datadir
+      - /var/lib/lighthouse
+      - --directory
+      - /var/lib/lighthouse/validator_keys
+      - --validator-dir
+      - /var/lib/lighthouse
+      - --testnet
+      - ${TESTNET}
   deposit-cli:
     restart: "no"
     user: ${LOCAL_UID}:${LOCAL_UID}
@@ -73,7 +104,7 @@ services:
       - --num_validators
       - ${NUMVAL}
       - --chain
-      - ${DEPOSIT_CHAIN}
+      - ${TESTNET}
   eth2:
     image: tianon/true
     restart: "no"

diff --git a/grafana.yml → lh-prysm-grafana.yml b/grafana.yml → lh-prysm-grafana.yml
diff --git a/lighthouse/Dockerfile b/lighthouse/Dockerfile
@@ -41,8 +41,8 @@ RUN adduser \
 RUN mkdir -p /var/lib/lighthouse && chown ${USER}:${USER} /var/lib/lighthouse
 # Copy executable
 COPY --from=builder /usr/local/cargo/bin/lighthouse /usr/local/bin/
-# Script to be able to wait for eth1 node to be up
-COPY ./wait-for-eth1.sh /usr/local/bin
+# Script to query whether all validator key passwords are the same
+COPY ./query-lh-validator-passwords.sh /usr/local/bin
 # Use an unprivileged user.
 USER ${USER}:${USER}
 

diff --git a/lighthouse/query-lh-validator-passwords.sh b/lighthouse/query-lh-validator-passwords.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Ask whether all the validator passwords are the same, then call the parameters that had been passed in
+
+while true; do
+  read -p "Do all validator keys have the same password? (y/n) " yn
+  case $yn in
+    [Yy]* ) justone=1; break;;
+    [Nn]* ) justone=0; break;;
+    * ) echo "Please answer yes or no.";;
+  esac
+done
+
+if [ $justone -eq 1 ]; then
+  $@ --reuse-password
+else
+  $@
+fi
diff --git a/nimbus-base.yml b/nimbus-base.yml
@@ -14,13 +14,15 @@ services:
     volumes:
       - nimbus-data:/var/lib/nimbus
     ports:
-      - ${NIM_PORT}:19000/tcp
-      - ${NIM_PORT}:19000/udp
+      - ${NIM_PORT}:${NIM_PORT}/tcp
+      - ${NIM_PORT}:${NIM_PORT}/udp
     entrypoint:
       - /usr/local/bin/beacon_node
       - --data-dir=/var/lib/nimbus
       - --non-interactive
       - --log-file=/var/lib/nimbus/beacon_node.log
+      - --tcp-port=${NIM_PORT}
+      - --udp-port=${NIM_PORT}
       - --network=${TESTNET}
       - --web3-url=${ETH1_NODE}
       - --graffiti=${GRAFFITI}
@@ -57,7 +59,7 @@ services:
       - --num_validators
       - ${NUMVAL}
       - --chain
-      - ${DEPOSIT_CHAIN}
+      - ${TESTNET}
   eth2:
     image: tianon/true
     restart: "no"