
eth-docker's People

Contributors

adrienlacombe, aliask, allen-pattern, blankey1337, casualjim, cristiantroy, danbryan, darrenma, floatingupstream, fmoledina, gathecageorge, haurog, jimmygchen, joeytwiddle, nflaig, nu404040, pablocastellano, realsnick, richlander, romans-re, rubo, scttl, technickai, thorsteneb, tjcim, tmke8, valefar-on-discord, victorelec14, ymittal, yorickdowne


eth-docker's Issues

Add openethereum client

Add the option to choose openethereum instead of geth. Due to openethereum 2.5.13 being slow, 3.01 not stable, and 3.1 not yet out, on the back burner until openethereum 3.1.x is out and well tested.

Auto-update notices

Inform user when an update is available, handle client updates for them.

Here's @tjcim's idea that we may want to pull from:

#!/bin/bash
set -e

RED='\033[0;31m'
GREEN='\033[0;32m'
ORANGE='\033[0;33m'
NC='\033[0m'

# Change this
REGISTRY=registry_host:port

populate_build_list () {
  builds=()
  for entry in ./Dockerfile.*
  do
    IFS='.' read -ra docker_files <<< "$entry"
    builds+=("${docker_files[-1]}")
  done
}

get_desired_build () {
  echo "${builds[@]}"
  echo -e "$GREEN[*] Available build options:$NC"
  for ((i=1; i<="${#builds[@]}"; i++));
  do
    echo "$i: ${builds[$i-1]}"
  done
  echo -ne "$ORANGE[+] Enter the number that you want to build:$NC "
  read build_num
  BUILD="${builds[$build_num -1]}"
}

print_urls () {
  case $BUILD in
    deposit_cli)
      echo -e "$GREEN[*] Check available tags here: https://github.com/ethereum/eth2.0-deposit-cli/tags$NC";;
    go_ethereum)
      echo -e "$GREEN[*] Check available tags here: https://github.com/ethereum/go-ethereum/tags$NC";;
    lighthouse)
      echo -e "$GREEN[*] Check available tags here: https://github.com/sigp/lighthouse/tags$NC";;
    prysm)
      echo -e "$GREEN[*] Check available tags here: https://github.com/prysmaticlabs/prysm/tags$NC";;
    teku)
      echo -e "$GREEN[*] Check available tags here: https://github.com/PegaSysEng/teku/tags$NC";;
  esac

  DOCKER_FILE="./Dockerfile.$BUILD"
}

check_latest () {
  # If utility then don't ask about the release or the latest. Just mark latest as true.
  if [ "$BUILD" != "utility" ]; then
    echo -ne "$ORANGE[+] Enter the version release you want to build:$NC "
    read RELEASE
    while true
    do
      echo -ne "$ORANGE[+] Do you want me to tag this release as the latest? [Y]:$NC "
      read LATEST
      LATEST=${LATEST:-Y}
      case $LATEST in
        [yY]* ) LATEST=true
                break;;
        [nN]* ) LATEST=false
                break;;
        * ) echo "Enter Y or N";;
      esac
    done
  else
    LATEST=true
  fi
}

echo_summary () {
  echo -e "$GREEN[*] ***** Summary *****"
  echo -e "[*] Build: $BUILD"
  echo -e "[*] Release: $RELEASE"
  echo -e "[*] Tag as Latest: $LATEST"
  if [ -z "$RELEASE" ] ; then
    echo -e "[*] Push to Registry: $REGISTRY/ethereum/$BUILD:latest$NC"
  else
    echo -e "[*] Push to Registry: $REGISTRY/ethereum/$BUILD:$RELEASE$NC"
  fi
  while true
  do
    echo -ne "$ORANGE[+] Is the summary correct? [Y]:$NC "
    read CORRECT
    CORRECT=${CORRECT:-Y}
    case $CORRECT in
      [yY]* ) break;;
      [nN]* ) exit 1;;
      * ) echo "Enter Y or N";;
    esac
  done
}

build_image () {
  # Variables are quoted so that user-entered values cannot be word-split into extra docker arguments.
  if [ "$LATEST" = true ] ; then
    # If release is not set build as latest.
    if [ -z "$RELEASE" ]; then
      docker build -t "$REGISTRY/ethereum/$BUILD:latest" -f "$DOCKER_FILE" .
    else
      docker build --build-arg RELEASE="$RELEASE" -t "$REGISTRY/ethereum/$BUILD:$RELEASE" -t "$REGISTRY/ethereum/$BUILD:latest" -f "$DOCKER_FILE" .
    fi
  else
    docker build --build-arg RELEASE="$RELEASE" -t "$REGISTRY/ethereum/$BUILD:$RELEASE" -f "$DOCKER_FILE" .
  fi
}

push_image () {
  if [ "$LATEST" = true ] ; then
    echo -e "$GREEN[*] Pushing the image to the registry with the latest tag$NC"
    docker push "$REGISTRY/ethereum/$BUILD:latest"
  fi

  # If release is set, tag it with that release
  if [ -n "$RELEASE" ]; then
    echo -e "$GREEN[*] Pushing the $BUILD image to the registry with a tag of: $RELEASE$NC"
    docker push "$REGISTRY/ethereum/$BUILD:$RELEASE"
  fi
}

prune_images () {
  while true
  do
    echo -ne "$ORANGE[+] Do you want me to run 'docker image prune -f'? [Y]:$NC "
    read PRUNE
    PRUNE=${PRUNE:-Y}
    case $PRUNE in
      [yY]* ) PRUNE=true
              break;;
      [nN]* ) PRUNE=false
              break;;
      * ) echo "Enter Y or N";;
    esac
  done

  if [ "$PRUNE" = true ] ; then
    echo -e "$GREEN[*] Pruning docker images$NC"
    docker image prune -f
  fi
}

read_args () {
  # If no argument was passed
  if [ -z "$1" ]; then
    populate_build_list
    get_desired_build
    print_urls
    check_latest
    echo_summary
    build_image
    push_image
    prune_images
  # If an argument was passed
  else
    populate_build_list
    # Check if argument is part of builds
    if [[ " ${builds[*]} " =~ " ${1} " ]]; then
      BUILD=$1
      print_urls
      check_latest
      echo_summary
      build_image
      push_image
      prune_images
    else
      # Fail loudly instead of silently doing nothing for an unknown build name
      echo -e "$RED[!] Unknown build: $1$NC"
      exit 1
    fi
  fi
}

read_args "$1"

Better README

Still confusing as-is. Suggested change:

"
It should start with a description and then prerequisites with a link to docker (or another page) for installation instructions. Then the eth2 wallet creation section. Split the Choose a client section into two parts, one under lighthouse and one under prysm. Lighthouse and Prysm should be their own sections and contain all the instructions for getting that client up and running. Then the monitoring stuff.
"

And thanks to tjc_ for his valuable comments.

AppArmor for containers

Test and create AppArmor profiles for beacon, validator, eth1. Look into same for grafana, prometheus, node_exporter, at lower priority.

It'd need to be done individually for each client and be quite a bit of work, trial-and-error to a degree.

It'd also enhance security dramatically.

Better Grafana dashboards

Definitely outside of this project, and relevant to it. Grafana dashboards that include notification for low memory, high CPU, low disk space, validator offline, time sync off. I saw a Prysm dashboard that has some of that.

Track available dashboards here and add them to docs; maybe contribute to dashboard projects.

Completion Criteria:

  • Ensure latest and greatest pre-existing community developed dashboards are integrated into Dockerfile.
  • Modify each community Dashboard to ensure it displays node metrics of CPU, Memory, and Disk usage.
  • Modify each community Dashboard to alert on CPU 90% more than 10 minutes.
  • Modify each community Dashboard to alert on MEM 90% more than 10 minutes.
  • Modify each community Dashboard to alert on DISK 90% more than 10 minutes.

Current Status:

Lighthouse:

Better from-source containers

Look into how to create alpine containers for Lighthouse, Prysm, possibly Nimbus and Teku, when compiling from source. The current debian option is a little heavy.

Openethereum user issue

I'm experiencing an issue with using Dockerfile.source of openethereum in my docker-compose definition. I've configured OE_USER along with other parameters in .env. Looks like a leftover default.

Step 18/19 : COPY --chown=openethereum:openethereum --from=builder /openethereum/target/x86_64-alpine-linux-musl/release/openethereum /usr/local/bin
ERROR: Service 'eth1' failed to build: unable to convert uid/gid chown string to host mapping: can't find uid for user openethereum: no such user: openethereum

spadina support

Document steps to use this project to participate in spadina. May require ethdo unless eth2.0-deposit-cli gets updated to understand spadina.

existing-mnemonic option isn't available

After building per docs at https://eth2-docker.net/docs/ the "Configure Wallet" step https://eth2-docker.net/docs/Usage/ConfigureWallet instructs to test the keys generated offline with sudo docker-compose run --rm deposit-cli existing-mnemonic but the option isn't available:

user@host:~/eth2-docker$ sudo docker-compose run --rm deposit-cli existing-mnemonic
[sudo] password for user: 
Please choose your mnemonic language (spanish, italian, czech, english, chinese_traditional, chinese_simplified, korean) [english]: 
Please choose how many validators you wish to run: 1
Type the password that secures your validator keystore(s): 
Repeat for confirmation: 
Usage: deposit.py new-mnemonic [OPTIONS]
Try 'deposit.py new-mnemonic --help' for help.

Error: Got unexpected extra argument (existing-mnemonic)
user@host:~/eth2-docker$ sudo docker-compose run --rm deposit-cli existing-mnemonic --help
Usage: deposit.py new-mnemonic [OPTIONS]

  Generate a new mnemonic and keys

Options:
  --mnemonic_language [spanish|italian|czech|english|chinese_traditional|chinese_simplified|korean]
                                  The language that your mnemonic is in.
  --num_validators INTEGER RANGE  The number of validators keys you want to
                                  generate (you can always generate more
                                  later)  [required]

  --folder DIRECTORY              The folder to place the generated keystores
                                  and deposit_data.json in

  --chain [mainnet|witti|altona|medalla|spadina|zinken|pyrmont]
                                  The version of eth2 you are targeting. use
                                  "mainnet" if you are depositing ETH

  --keystore_password TEXT        The password that will secure your
                                  keystores. You will need to re-enter this to
                                  decrypt them when you setup your eth2
                                  validators. (It is reccomened not to use
                                  this argument, and wait for the CLI to ask
                                  you for your mnemonic as otherwise it will
                                  appear in your shell history.)

  --help                          Show this message and exit.

The option does work when I download the binary manually using instructions here: https://github.com/ethereum/eth2.0-deposit-cli#for-linux-or-macos-users

Better secrets management

Both LH and Prysm keep the wallet password inside their volume, in plain text. To read it would require breaching the container or breaching the host as root.

Better secrets management via Ansible or S3 is desirable.

ERROR: Service 'validator-import' failed to build: invalid reference format

I'm trying to get eth2-docker setup for pyrmont... I decided to start from scratch... I did a system update, wiped all the containers, images and volumes from Docker, created a new eth2-docker directory, did a new clone, and started the build, but got a
ERROR: Service 'validator-import' failed to build: invalid reference format
... I see some red lines in the build log that say
file eth2deposit.py (for module eth2deposit) not found
The last output of the build is:

Building beacon
Step 1/11 : ARG DOCKER_TAG
Step 2/11 : FROM sigp/lighthouse:${DOCKER_TAG}
ERROR: Service 'beacon' failed to build: invalid reference format

Any thoughts?

Auto configure Grafana with popular prysm dashboards

  • Auto configure Grafana with prometheus datasource.
  • Auto Add Metanull's Prysm Dashboard JSON to Grafana
  • Auto Add Prysm Dashboard JSON to Grafana
  • Auto Add Prysm Dashboard JSON for more than 10 validators to Grafana

Add reverse proxy

Either traefik or nginx to expose the grafana dashboard, for cloud-hosted. Requires DNS and let's encrypt.
Same thing for UI.
This work would likely immediately solve #10

Test external eth1 providers like infura

This may already work through .env. Likely just needs testing, and a minimal change to docker-compose.yml to support client "stacks" that don't have geth in them.

prysm-web claims wrong wallet password

Followed the guide but when bringing docker-compose up and importing my wallet through the Prysm web interface I first notice a bunch of errors popping up saying Head block of chain was nil.

When restarting docker-compose and checking the validator container logs, I get the following:

"validator_1                 | time="2021-05-03 19:11:21" level=warning msg="Running on the Prater Testnet" prefix=flags
validator_1                 | time="2021-05-03 19:11:21" level=info msg="Enabling web portal to manage the validator client" prefix=node
validator_1                 | time="2021-05-03 19:11:21" level=info msg="Opened validator wallet" keymanager-kind=direct prefix=node wallet="/var/lib/prysm/direct"
validator_1                 | time="2021-05-03 19:11:21" level=error msg="could not read keymanager for wallet: could not initialize imported keymanager: failed to initialize account store: wrong password for wallet entered: invalid checksum" prefix=main

I have verified that the password stored in password.txt in /var/lib/prysm/password.txt is the exact same one I submitted through the web interface. I've scrapped the containers and volumes and run docker-compose run --rm validator-import again to repeat the process multiple times with no results.

What am I missing here?

Document host security

Exactly like /u/SomerEsat's guides. Questionable whether it should be in here or external, but it's part of the setup of a host.

Persistent docker bridge interface name

I'd like to monitor traffic going in/out of the eth2-docker network. However, each time I restart serviced / docker-compose down && up, I get newly generated interface names.

Example of autogenerated bridge interface name:

ifconfig
br-a7c4259c4b4c: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.21.0.1 netmask 255.255.0.0 broadcast 172.21.255.255

br-fca541589d20: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.19.0.1 netmask 255.255.0.0 broadcast 172.19.255.255
br-8e9669b47913: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255

Add shell script frontend

To make it even easier to bring the client up. Questionable whether and how desirable this is.

It could make .env shenanigans easier and also handle options better than it does now, by copying in the "right" docker-compose.yml rather than having everything in one.

Add dynamic DNS support for Prysm

ddclient and --p2p-host-dns instead of running --p2p-host-ip. This would be more friendly to clients on dynamic IP, but require a dynamic DNS provider.

Binary client option

Instead of compiled from source. What's the value prop compared to the client teams' own efforts, though?

This plus "with or without slasher" and "various geth/openethereum options" gets unwieldy in docker-compose.yml if the intent is still to have a one-command "up" option. That'd speak towards wanting #17 , shell script frontend, to be addressed, so it's a matter of configuring and then just docker-compose up -d eth2-client and it'll do The Thing, whatever combination of things The Thing ends up being.

Compose files need an explicit network definition to avoid IP address issue with VPNs

When a VPN is enabled and you run "sudo docker-compose up -d eth2", you'll see the following error:

ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network

This seems to be a common problem as documented here: docker/for-linux#599

I found a workaround by defining a custom network as part of the compose files, in my case I'm using lh-base.yml, geth.yml, and lh-grafana.yml. I added an entry like the following to those files:

networks:
  eth2-net:
    ipam:
      config:
        - subnet: 172.20.0.0/16

And then for each of the services in those files, adding the following:

    networks:
      - eth2-net

Now all the services and containers start up fine. Not sure why this works, but sharing this in case you want to incorporate something like this into the code base. With this change, and setting custom ports that map to my VPN's port forwarding options, I've been able to get the services running successfully under VPN.
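A diagnostic for the workaround above, added here as an example and not part of the original issue or the eth-docker project: it parses `ip -4 route` output and tests both Docker's default address pools and the pinned 172.20.0.0/16 subnet for overlap with host routes. The route table is constructed sample data, and the list of default pools, along with the idea that only automatically chosen pools are rejected for overlapping a host route, are assumptions about Docker's behaviour.

```python
import ipaddress

# Constructed sample of `ip -4 route` output on a host with a VPN up.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""


def default_pools():
    """Assumed Docker defaults: 172.17-172.31 as /16s, 192.168.0.0/16 cut into /20s."""
    pools = [ipaddress.ip_network(f"172.{n}.0.0/16") for n in range(17, 32)]
    pools += list(ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=20))
    return pools


def parse_routes(text):
    """Return [(network, device)] from `ip -4 route`; the default route is skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # route types such as "unreachable ..." carry no leading prefix
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        routes.append((net, dev))
    return routes


def free_pools(routes):
    """Default pools that overlap no host route (empty list mirrors the error above)."""
    return [p for p in default_pools() if not any(p.overlaps(n) for n, _ in routes)]


def check_subnet(cidr, routes):
    """Split overlaps into broader routes (the bridge's more specific route wins)
    and collisions (an equal or more specific route already claims the range)."""
    subnet = ipaddress.ip_network(cidr)
    broader, collisions = [], []
    for net, dev in routes:
        if not subnet.overlaps(net):
            continue
        target = broader if net.prefixlen < subnet.prefixlen else collisions
        target.append((str(net), dev))
    return broader, collisions


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("free default pools:", [str(p) for p in free_pools(routes)])
    print("172.20.0.0/16:", check_subnet("172.20.0.0/16", routes))
    print("172.17.0.0/16:", check_subnet("172.17.0.0/16", routes))
```

Feed it the real output of `ip -4 route` before pinning a subnet: an entry under collisions means the chosen range is already in use on the host and a different subnet should be picked.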

Allow ETH1 to run standalone

When trying to run an ETH1 client in standalone mode, I get

ERROR: The Compose file is invalid because:
Service beacon has neither an image nor a build context specified. At least one must be provided.

Look into options

ERROR: Cannot locate specified Dockerfile: Dockerfile

docker-compose build
Building validator-import
ERROR: Cannot locate specified Dockerfile: Dockerfile

Ubuntu 18.04

$ docker-compose --version
docker-compose version 1.24.0, build 0aa59064

$ docker --version
Docker version 19.03.6, build 369ce74a3c

.env:

# Please adjust the below variable to your local user ID if you are on Linux.
# This is vital for key import to work. You can find your UID with "echo $UID".
LOCAL_UID=1000
# Client choice: See SETUP.md for available options
COMPOSE_FILE=lh-base.yml:oe.yml:lh-grafana.yml
# ETH1 endpoint / chain source. This default uses the eth1 node container
ETH1_NODE=http://eth1:8545
# Graffiti to use for validator, in order to receive POAP
GRAFFITI=eth2-docker
# Number of validators to create with deposit-cli
NUMVAL=1
# Advanced: Start index for recovery of validators or adding validators
VAL_START_INDEX=0
# Restart policy: Set to no if you do not want services to automatically restart
RESTART=unless-stopped
# If you want debug logs, set this to debug instead of info
LOG_LEVEL=info
# Uncomment this if you need to restrict teku to use 6 GiB of heap
#TEKU_LOW_MEM=-Xmx6G
# Leave this as-is to compile nimbus with support for metrics via grafana. 
# Change to empty (nothing after first =) to disable that functionality
NIM_METRICS=NIMFLAGS="-d:insecure"
# Network to use for eth2. If using main net, set to mainnet.
NETWORK=mainnet
# Network to use for eth1. If using OpenEthereum and main net, set to ethereum. For Nethermind and main net, set to mainnet. Not in use for Geth.
ETH1_NETWORK=ethereum
# If using Geth as the eth1 node and main net, comment out.
# GETH1_NETWORK=--goerli

Setup CI/CD

Consider using something like travis or github actions to perform CI/CD:

  • linting
  • shellcheck
  • formatting
  • Changelog maybe

Lighthouse compose bug: error: 'mainnet' isn't a valid value for '--testnet <testnet>'

When building lighthouse with

COMPOSE_FILE=lh-base.yml:oe.yml:lh-grafana.yml:shared-eth1.yml

I got the error of

error: 'mainnet' isn't a valid value for '--testnet <testnet>'
[possible values: altona, medalla, spadina, zinken]

The current yaml has --testnet hard coded.

- --testnet
- ${NETWORK}

I don't think we want to remove it, because we want backwards compatibility with Pyrmont. Maybe we could just do.

- ${USETESTNET}

where, if set, it would have a value like
USETESTNET=--"testnet Pyrmont"

Docker and Timezone

Can we add a timezone setting in the .env so as to have the time of the docker logs in sync with the local time? Or should it be configured in another way?
