Support for Besu eth1 client and eth1 security strengthened

CHANGELOG.md

@@ -9,12 +9,21 @@ directory (`cd ~/eth2-docker` by default):
 * `cp .env .env.bak && cp default.env .env`
 * Adjust contents of new `.env`, use `.env.bak` for guidance (LOCAL_UID
   and COMPOSE_FILE are the most common variables that may need to be adjusted)
-* `sudo docker-compose build --no-cache beacon` (go for a 30 minute walk)
+* `sudo docker-compose build --pull` if you are using binary builds, the default
+* `sudo docker-compose build --pull --no-cache beacon` **only** if you are using source builds, then
+  run `sudo docker-compose build -pull` to update the rest of the "stack"
 * `sudo docker-compose down`
 * !! If coming from Lighthouse v0.2.x, make changes as per notes for [v0.1.6](#v016-2020-10-09)
 * !! If coming from Prysm alpha.29 or earlier, make changes as per notes for [v0.1.7](#v017-2020-10-15)
 * `sudo docker-compose up -d eth2`
 
+## v0.2.1 2020-11-24
+
+* Support for Besu eth1 client
+* Fixed an issue with Nimbus log file
+* Removed CORS settings for eth1, for now
+* Tightened hosts values for Geth and Besu
+
 ## v0.2.0 2020-11-24
 
 * Support for Lighthouse v1.0.0

README.md

@@ -1,4 +1,4 @@
-# eth2-docker v0.2.0
+# eth2-docker v0.2.1
 
 Unofficial docker environment for Ethereum 2.0 clients
 
@@ -59,8 +59,9 @@ Currently supported clients:
 - Nimbus
 
 Currently supported optional components:
-- geth, local eth1 node.
-- nethermind, local eth1 node - testing only, DB corruption observed on goerli and mainnet
+- geth, local eth1 node
+- besu, local eth1 node - support in eth2-docker is new, has not been tested extensively by us. Feedback welcome.
+- nethermind, local eth1 node - support in eth2-docker is new, has not been tested extensively by us. Feedback welcome.
 - openethereum, local eth1 node - testing only, DB corruption observed on mainnet
 > Use one of the local eth1 node options or a 3rd-party provider of eth1 chain data to "feed"
 > your eth2 beacon node, so you can [propose](https://ethos.dev/beacon-chain/) blocks.

SETUP.md

@@ -48,9 +48,9 @@ Please choose:
   * Nimbus
 * Your source of eth1 data
   * geth
-  * nethermind - testing only, DB corruption observed on goerli and mainnet
+  * besu - support in eth2-docker is new, has not been tested extensively by us. Feedback welcome.
+  * nethermind - support in eth2-docker is new, has not been tested extensively by us. Feedback welcome.
   * openethereum - testing only, DB corruption observed on mainnet
-  * besu - testing for now, I have not solved interop issues with Lighthouse
   * 3rd-party
 * Whether to run a slasher (experimental for Prysm)
 * Whether to run a grafana dashboard for monitoring
@@ -100,9 +100,9 @@ geth with `:` between the file names.
 - `teku-base.yml` - Teku
 - `nimbus-base.yml` - Nimbus
 - `geth.yml` - local geth eth1 chain node
-- `nm.yml` - local nethermind eth1 chain node - testing only, DB corruptionb observed on goerli and mainnet
+- `besu.yml` - local besu eth1 chain node - support in eth2-docker is new, has not been tested extensively by us. Feedback welcome.
+- `nm.yml` - local nethermind eth1 chain node - support in eth2-docker is new, has not been tested extensively by us. Feedback welcome.
 - `oe.yml` - local openethereum eth1 chain node - testing only, DB corruption observed on mainnet
-- `besu.yml` - local besu eth1 chain mode - testing for now, I have not solved interop with the Ethereum 2.0 client
 - `eth1-shared.yml` - makes the RPC port of the eth1 node available from the host, for using the eth1 node with other nodes or with Metamask. **Not encrypted**, do not expose to Internet.
 - `eth1-standalone.yml` - like eth1-shared but for running *just* eth1, instead of running it alongside a beacon node in the same "stack". Also not encrypted, not meant for a fully distributed setup quite yet.
 - `prysm-slasher.yml` - Prysm experimental Slasher which helps secure the chain and may result in additional earnings. The experimental slasher can lead to missed attestations do to the additional resource demand.
@@ -124,6 +124,9 @@ clients each in their own directory.
 If you want to run multiple isolated clients, just clone this project into a new directory for
 each. This is great for running testnet and mainnet in parallel, for example.
 
+> Nimbus and Nethermind/Besu have interop issues as of 11/24/2020 when using eth2-docker. Use Geth or OpenEthereum instead for now.
+> Help with tracking root cause down greatly appreciated.
+
 ### Prysm Slasher   
 Running [slasher](https://docs.prylabs.network/docs/prysm-usage/slasher/) is an optional client compose file, but helps secure the chain and may result in additional earnings,
 though the chance of additional earnings is low in phase 0 as whistleblower rewards have not been implemented yet.

besu.yml

@@ -34,14 +34,14 @@ services:
       - 0.0.0.0
       - --rpc-http-port
       - ${ETH1_RPC_PORT}
-      - --rpc-http-cors-origins=*
       - --rpc-ws-enabled
       - --rpc-ws-api
       - "net,eth"
       - --rpc-ws-host
       - 0.0.0.0
       - --rpc-ws-port
       - ${ETH1_WS_PORT}
+      - --host-allowlist=eth1,localhost
       - --logging
       - ${LOG_LEVEL}
       - --network

default.env

@@ -28,10 +28,6 @@ GRAFANA_PORT=3000
 ETH1_RPC_PORT=8545
 # ETH1 WS port, used with Nimbus. Ditto insecure, do not expose to Internet.
 ETH1_WS_PORT=8546
-# ETH1 RPC CORS open to all. Insecure but allows for easy testing. May also be required on v6-native networks.
-ETH1_RPC_CORS=all
-# ETH1 RPC CORS, here for Metamask extension - was not functional in testing
-#ETH1_RPC_CORS="chrome-extension://* moz-extension://* 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.0.0.*"
 
 # Ancient barrier for ETH1, bodies and receipts before this block won't be
 # downloaded. For Nethermind currently. Setting this to mainnet value
@@ -58,9 +54,7 @@ LOG_LEVEL=info
 # use.
 
 LH_SRC_BUILD_TARGET=stable
-#Docker tag to latest once it tracks github `stable`
-LH_DOCKER_TAG=v1.0.0
-#LH_DOCKER_TAG=latest
+LH_DOCKER_TAG=latest
 # Change to Dockerfile.source to build from source
 LH_DOCKERFILE=Dockerfile.binary
 LH_USER=lighthouse

geth.yml

@@ -26,11 +26,9 @@ services:
       - --http
       - --http.addr
       - 0.0.0.0
-      - --http.vhosts=*
-      - --http.corsdomain=*
+      - --http.vhosts=eth1,localhost
       - --http.api
       - eth,net
-      - --ipcdisable
       - --datadir
       - /var/lib/goethereum
       - --port
@@ -44,7 +42,6 @@ services:
       - ${ETH1_WS_PORT}
       - --ws.api
       - eth,net
-      - --ws.origins=*
     command: ${GETH1_NETWORK}
   beacon:
     depends_on:

geth/Dockerfile.binary

@@ -12,9 +12,7 @@ ARG UID
 RUN adduser \
     --disabled-password \
     --gecos "" \
-    --home "/nonexistent" \
     --shell "/sbin/nologin" \
-    --no-create-home \
     --uid "${UID}" \
     "${USER}"
 

geth/Dockerfile.source

@@ -14,9 +14,7 @@ RUN apk update && apk add --no-cache make gcc musl-dev linux-headers git ca-cert
 RUN adduser \
     --disabled-password \
     --gecos "" \
-    --home "/nonexistent" \
     --shell "/sbin/nologin" \
-    --no-create-home \
     --uid "${UID}" \
     "${USER}"
 

maindefault.env

@@ -8,28 +8,14 @@ COMPOSE_FILE=lh-base.yml:geth.yml:lh-grafana.yml
 ETH1_NODE=http://eth1:8545
 # Graffiti to use for validator, in order to receive POAP
 GRAFFITI=eth2-docker
-# Number of validators to create with deposit-cli
-NUMVAL=1
-# Advanced: Start index for recovery of validators or adding validators
-VAL_START_INDEX=0
-# Restart policy: Set to no if you do not want services to automatically restart
-RESTART=unless-stopped
-# If you want debug logs, set this to debug instead of info
-LOG_LEVEL=info
-# Uncomment this if you need to restrict teku to use 6 GiB of heap
-#TEKU_LOW_MEM=-Xmx6G
-# Leave this as-is to compile nimbus with support for metrics via grafana. 
-# Change to empty (nothing after first =) to disable that functionality
-NIM_METRICS=NIMFLAGS="-d:insecure"
 # Network to use for eth2. If using main net, set to mainnet.
 NETWORK=mainnet
 # Network to use for eth1. If using main net, set to mainnet. Not in use for Geth.
 ETH1_NETWORK=mainnet
 # If using Geth as the eth1 node and main net, comment out.
 #GETH1_NETWORK=--goerli
 
-
-# Ports you will forward to your staking node. Adjust here if you are
+# P2P ports you will forward to your staking node. Adjust here if you are
 # going to use something other than defaults.
 ETH1_PORT=30303
 LH_PORT=9000
@@ -39,14 +25,10 @@ NIM_PORT=9000
 TEKU_PORT=9000
 # Local grafana dashboard port. Do not expose to Internet, it is insecure http
 GRAFANA_PORT=3000
-# ETH1 RPC port, important when using shared-eth1.yml
+# ETH1 RPC port, important when using shared-eth1.yml. Also insecure, do not expose to Internet.
 ETH1_RPC_PORT=8545
-# ETH1 WS port, used with Nimbus
+# ETH1 WS port, used with Nimbus. Ditto insecure, do not expose to Internet.
 ETH1_WS_PORT=8546
-# ETH1 RPC CORS open to all. Insecure but allows for easy testing. May also be required on v6-native networks.
-ETH1_RPC_CORS=all
-# ETH1 RPC CORS, here for Metamask extension - was not functional in testing
-#ETH1_RPC_CORS="chrome-extension://* moz-extension://* 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.0.0.*"
 
 # Ancient barrier for ETH1, bodies and receipts before this block won't be
 # downloaded. For Nethermind currently. Setting this to mainnet value
@@ -56,15 +38,24 @@ ETH1_RPC_CORS=all
 # Mainnet value
 ETH1_ANCIENT_BARRIER=11209000
 
+# Uncomment this if you need to restrict teku to use 6 GiB of heap
+#TEKU_LOW_MEM=-Xmx6G
+
+# Leave this as-is to compile nimbus with support for metrics via grafana. 
+# Change to empty (nothing after first =) to disable that functionality
+NIM_METRICS=NIMFLAGS="-d:insecure"
+# Restart policy: Set to no if you do not want services to automatically restart
+RESTART=unless-stopped
+# If you want debug logs, set this to debug instead of info
+LOG_LEVEL=info
+
 # You can set specific version targets and choose
 # binary or source builds below. 
 # Doing so is entirely optional, and arguably advanced
 # use.
 
 LH_SRC_BUILD_TARGET=stable
-#Docker tag latest once it tracks github `stable`
-LH_DOCKER_TAG=v1.0.0
-#LH_DOCKER_TAG=latest
+LH_DOCKER_TAG=latest
 # Change to Dockerfile.source to build from source
 LH_DOCKERFILE=Dockerfile.binary
 LH_USER=lighthouse

nimbus-base.yml

@@ -21,6 +21,7 @@ services:
     entrypoint:
       - /usr/local/bin/nimbus_beacon_node
       - --data-dir=/var/lib/nimbus
+      - --log-file=/var/lib/nimbus/beacon_node.log
       - --non-interactive
       - --tcp-port=${NIM_PORT}
       - --udp-port=${NIM_PORT}
@@ -47,6 +48,7 @@ services:
     entrypoint:
       - /usr/local/bin/nimbus_beacon_node
       - --data-dir=/var/lib/nimbus
+      - --log-file=/var/lib/nimbus/beacon_node.log
       - --network=${NETWORK}
       - deposits
       - import

nimbus/Dockerfile.source

@@ -41,4 +41,4 @@ COPY --from=builder /usr/src/nim-beacon-chain/build/beacon_node /usr/local/bin/n
 # Use an unprivileged user.
 USER ${USER}:${USER}
 
-ENTRYPOINT ["nimbus_beacon_node", "--data-dir=/var/lib/nimbus", "--web3-url=http://geth:8545", "--network=medalla", "--log-file=/var/lib/nimbus/beacon_node.log"]
+ENTRYPOINT ["nimbus_beacon_node", "--data-dir=/var/lib/nimbus", "--log-file=/var/lib/nimbus/beacon_node.log"]

oe.yml

@@ -28,7 +28,6 @@ services:
       - --jsonrpc-interface=all
       - --jsonrpc-apis=net,eth
       - --jsonrpc-hosts=all
-      - --jsonrpc-cors=${ETH1_RPC_CORS}
       - --ws-interface=all
       - --ws-apis=net,eth
       - --ws-hosts=all
@@ -39,6 +38,8 @@ services:
       - ${ETH1_PORT}
       - --jsonrpc-port
       - ${ETH1_RPC_PORT}
+      - --logging
+      - ${LOG_LEVEL}
   beacon:
     depends_on:
       - eth1