diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml index 0a9b5a9c343..eee433b3225 100644 --- a/.github/workflows/book.yml +++ b/.github/workflows/book.yml @@ -8,7 +8,6 @@ on: jobs: build-and-upload-to-s3: runs-on: ubuntu-18.04 - environment: protected steps: - uses: actions/checkout@master diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 5a7fc39b1af..bc57238cfe8 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -22,7 +22,6 @@ jobs: BRANCH_NAME: ${{ steps.extract_branch.outputs.BRANCH_NAME }} build-docker-arm64: runs-on: ubuntu-18.04 - environment: protected needs: [extract-branch-name] # We need to enable experimental docker features in order to use `docker buildx` env: @@ -61,7 +60,6 @@ jobs: --push build-docker-amd64: runs-on: ubuntu-18.04 - environment: protected needs: [extract-branch-name] steps: - uses: actions/checkout@v2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4c424c38afe..99c93be3468 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -43,7 +43,6 @@ jobs: platform: macos-latest runs-on: ${{ matrix.platform }} - environment: protected needs: extract-version steps: - name: Checkout sources diff --git a/Makefile b/Makefile index b5df59798f9..225dff2ec4b 100644 --- a/Makefile +++ b/Makefile 
@@ -50,6 +50,15 @@ build-aarch64: build-aarch64-portable: cross build --release --manifest-path lighthouse/Cargo.toml --target aarch64-unknown-linux-gnu --features portable +# The following commands use `cargo-deb` to create a Debian package for lighthouse. +# +# `cargo-deb` can be installed with `cargo install cargo-deb` +build-deb: + cargo deb --manifest-path lighthouse/Cargo.toml -- --locked --features portable +build-deb-aarch64: + cross build --release --manifest-path lighthouse/Cargo.toml --target aarch64-unknown-linux-gnu --features portable + cargo deb --target aarch64-unknown-linux-gnu --no-build --manifest-path lighthouse/Cargo.toml + # Create a `.tar.gz` containing a binary for a specific target. define tarball_release_binary cp $(1)/lighthouse $(BIN_DIR)/lighthouse diff --git a/lighthouse/Cargo.toml b/lighthouse/Cargo.toml index ff3e89e687f..89e20e19e98 100644 --- a/lighthouse/Cargo.toml +++ b/lighthouse/Cargo.toml @@ -3,6 +3,27 @@ name = "lighthouse" version = "1.0.6" authors = ["Sigma Prime "] edition = "2018" +description = "Implementation of https://github.com/ethereum/eth2.0-specs in Rust." +license = "Apache-2.0" + +# Configuration for building a .deb package - for use with `cargo-deb` +[package.metadata.deb] +name = "lighthouse" +extended-description = "Implementation of https://github.com/ethereum/eth2.0-specs in Rust." +section = "misc" +maintainer = "sean@sigmaprime.io" +license-file = ["../LICENSE", "0"] +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html +maintainer-scripts = "scripts/packaging/deb-maintainer-scripts" +assets = [ + ["../target/release/lighthouse", "/usr/bin/", "755"], + ["../scripts/packaging/lighthousebeacon.service", "/lib/systemd/system/", "644"], + ["../scripts/packaging/lighthousevalidator.service", "/lib/systemd/system/", "644"] +] +conf-files = [ + "/etc/default/lighthousebeacon", + "/etc/default/lighthousevalidator" +] [features] # Writes debugging .ssz files to /tmp during block processing. 
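Review bot: `build-deb-aarch64` compiles with `cross build --release ... --features portable` and no `--locked`, while `build-deb` passes `-- --locked` through to cargo, so the two packages are not held to the same dependency set. Without `--locked`, cargo may re-resolve and rewrite `Cargo.lock` when it is out of date instead of failing, which means the aarch64 `.deb` can ship crate versions that differ from the committed lockfile. Adding the flag, `cross build --release --locked --manifest-path lighthouse/Cargo.toml --target aarch64-unknown-linux-gnu --features portable`, makes both targets fail closed on lockfile drift.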
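Review bot: `conf-files` lists `/etc/default/lighthousebeacon` and `/etc/default/lighthousevalidator`, but neither path appears in `assets`; both files are only created at install time by the `postinst` script added in this commit. dpkg's conffile handling applies to files shipped inside the package, so depending on the dpkg version these entries are likely either rejected or simply without effect, which is worth confirming by building and installing the package. Either ship default files through `assets` and drop the `echo` from `postinst`, or remove the `conf-files` entries and treat the files as postinst-managed configuration that a `postrm` removes on purge.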
diff --git a/scripts/packaging/deb-maintainer-scripts/postinst b/scripts/packaging/deb-maintainer-scripts/postinst
new file mode 100644
index 00000000000..d3990dded9d
--- /dev/null
+++ b/scripts/packaging/deb-maintainer-scripts/postinst
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -e
+
+action="$1"
+config_file_beacon="/etc/default/lighthousebeacon"
+config_file_validator="/etc/default/lighthousevalidator"
+data_dir_beacon="/var/lib/lighthouse/beacon"
+data_dir_validator="/var/lib/lighthouse/validators"
+
+if [ "$action" = "configure" ]; then
+
+ # make the data dir
+ mkdir -p /var/lib/lighthouse
+
+ # Make user and group
+ getent group lighthousebeacon >/dev/null 2>&1 || addgroup --system lighthousebeacon
+ getent passwd lighthousebeacon >/dev/null 2>&1 ||
+ adduser --system --no-create-home --disabled-password \
+ --ingroup lighthousebeacon lighthousebeacon
+
+ # make the data dir and change ownership
+ mkdir -p /var/lib/lighthouse/beacon
+ chown -R lighthousebeacon:lighthousebeacon /var/lib/lighthouse/beacon
+
+ if [ ! -e "$config_file_beacon" ]; then
+ echo "LIGHTHOUSE_BEACON_CLI_ARGS=\"--datadir $data_dir_beacon\"" > /etc/default/lighthousebeacon
+ fi
+
+ # Make user and group
+ getent group lighthousevalidator >/dev/null 2>&1 || addgroup --system lighthousevalidator
+ getent passwd lighthousevalidator >/dev/null 2>&1 ||
+ adduser --system --no-create-home --disabled-password \
+ --ingroup lighthousevalidator lighthousevalidator
+
+ # make the data dir and change ownership
+ mkdir -p /var/lib/lighthouse/validators
+ chown -R lighthousevalidator:lighthousevalidator /var/lib/lighthouse/validators
+ if [ ! -e "$config_file_validator" ]; then
+ echo "LIGHTHOUSE_VALIDATOR_CLI_ARGS=\"--datadir $data_dir_validator\"" > /etc/default/lighthousevalidator
+ fi
+fi
diff --git a/scripts/packaging/lighthousebeacon.service b/scripts/packaging/lighthousebeacon.service
new file mode 100644
index 00000000000..6c91c4c7ec9
--- /dev/null
+++ b/scripts/packaging/lighthousebeacon.service
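Review bot: In `postinst`, the data directories are created with `mkdir -p` under root's umask and then handed over with `chown -R`, so `/var/lib/lighthouse/validators` will normally end up mode 0755, and root re-walks a tree owned by the unprivileged service account on every `configure`, which includes upgrades. The validator directory presumably holds signing keystores, so the directory itself should not be listable by other local users, and a recursive root-run chown over service-writable content is best avoided. Creating each directory non-recursively with an explicit owner and mode covers both: `install -d -m 0700 -o lighthousevalidator -g lighthousevalidator "$data_dir_validator"` and `install -d -m 0750 -o lighthousebeacon -g lighthousebeacon "$data_dir_beacon"`. The two `echo` redirections could also write to `"$config_file_beacon"` and `"$config_file_validator"` instead of repeating the literal paths the `-e` tests already use.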
@@ -0,0 +1,42 @@
+[Unit]
+Description=Ethereum 2.0 Lighthouse Beacon Node
+After=syslog.target network.target
+Documentation=https://lighthouse-book.sigmaprime.io/
+
+[Service]
+EnvironmentFile=-/etc/default/lighthousebeacon
+ExecStart=/usr/bin/lighthouse bn $LIGHTHOUSE_BEACON_CLI_ARGS
+User=lighthousebeacon
+Group=lighthousebeacon
+Restart=always
+RestartSec=10
+KillMode=process
+KillSignal=SIGINT
+TimeoutStopSec=90
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=lighthousebeacon
+CapabilityBoundingSet=
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @module @mount @reboot @swap @privileged
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/packaging/lighthousevalidator.service b/scripts/packaging/lighthousevalidator.service
new file mode 100644
index 00000000000..1b5c4bb719a
--- /dev/null
+++ b/scripts/packaging/lighthousevalidator.service
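Review bot: `ProtectSystem=full` in `lighthousebeacon.service` leaves `/var`, `/home` and `/root` reachable subject only to file permissions, and no `ProtectHome=` is set, so the sandbox is wider than a node that only needs its data directory requires. Consider `ProtectSystem=strict` with `ReadWritePaths=/var/lib/lighthouse/beacon` and `ProtectHome=true`; the same applies to `lighthousevalidator.service` with `/var/lib/lighthouse/validators`. `ReadWritePaths=` has to follow any `--datadir` an operator sets in `/etc/default/lighthousebeacon`, so a comment above the directive saying so would help. `StandardOutput=syslog` and `StandardError=syslog` are deprecated in newer systemd releases, where `journal` is the current equivalent.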
@@ -0,0 +1,42 @@
+[Unit]
+Description=Ethereum 2.0 Lighthouse Validator Client
+After=syslog.target network.target
+Documentation=https://lighthouse-book.sigmaprime.io/
+
+[Service]
+EnvironmentFile=-/etc/default/lighthousevalidator
+ExecStart=/usr/bin/lighthouse vc $LIGHTHOUSE_BEACON_CLI_ARGS
+User=lighthousevalidator
+Group=lighthousevalidator
+Restart=always
+RestartSec=10
+KillMode=process
+KillSignal=SIGINT
+TimeoutStopSec=90
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=lighthousevalidator
+CapabilityBoundingSet=
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @module @mount @reboot @swap @privileged
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target
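Review bot: `ExecStart=/usr/bin/lighthouse vc $LIGHTHOUSE_BEACON_CLI_ARGS` expands a variable that `/etc/default/lighthousevalidator` never defines, because `postinst` writes `LIGHTHOUSE_VALIDATOR_CLI_ARGS` there. The validator client therefore starts with no arguments and the packaged `--datadir /var/lib/lighthouse/validators` is ignored. The process would then presumably fall back to the binary's default data directory for an account created with `--no-create-home`, outside the directory whose ownership the package sets up. The line should read `ExecStart=/usr/bin/lighthouse vc $LIGHTHOUSE_VALIDATOR_CLI_ARGS`.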