From 50853fc086b92416d6dee79931dd03ef66220902 Mon Sep 17 00:00:00 2001
From: realbigsean
Date: Thu, 31 Dec 2020 16:22:03 -0500
Subject: [PATCH 1/6] remove protected environment
---
 .github/workflows/book.yml | 1 -
 .github/workflows/docker.yml | 2 --
 .github/workflows/release.yml | 1 -
 3 files changed, 4 deletions(-)
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 0a9b5a9c343..eee433b3225 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -8,7 +8,6 @@ on:
 jobs:
 build-and-upload-to-s3:
 runs-on: ubuntu-18.04
- environment: protected
 steps:
 - uses: actions/checkout@master
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 5a7fc39b1af..bc57238cfe8 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -22,7 +22,6 @@ jobs:
 BRANCH_NAME: ${{ steps.extract_branch.outputs.BRANCH_NAME }}
 build-docker-arm64:
 runs-on: ubuntu-18.04
- environment: protected
 needs: [extract-branch-name]
 # We need to enable experimental docker features in order to use `docker buildx`
 env:
@@ -61,7 +60,6 @@ jobs:
 --push
 build-docker-amd64:
 runs-on: ubuntu-18.04
- environment: protected
 needs: [extract-branch-name]
 steps:
 - uses: actions/checkout@v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6c43466fea7..eaa32f494a3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,7 +43,6 @@ jobs:
 platform: macos-latest
 runs-on: ${{ matrix.platform }}
- environment: protected
 needs: extract-version
 steps:
 - name: Checkout sources
From 2219cac97ef380df30bc2aef6467fab5ecde0d8b Mon Sep 17 00:00:00 2001
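Review bot: Dropping `environment: protected` from the jobs that push Docker images, publish release binaries and upload the book to S3 removes the only gate visible here between a workflow run and the credentials those jobs use, and the commit message gives no replacement. If the secrets were moved from the `protected` environment to repository scope they lose the environment's protection rules (required reviewers, deployment-branch restriction) and become readable by any job in any workflow running in this repository's context, so the PR should state where the secrets now live and why the gate is no longer needed. Separately, `uses: actions/checkout@master` in the book.yml hunk is a floating ref; pinning it (`uses: actions/checkout@v2`, as docker.yml already does, or better a commit SHA) keeps a publishing job from pulling an unreviewed action version.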
From: realbigsean Date: Tue, 12 Jan 2021 16:21:30 -0500 Subject: [PATCH 2/6] add tools to build deb package and the postinst scripts --- Makefile | 6 +++ lighthouse/Cargo.toml | 21 ++++++++++ .../packaging/deb-maintainer-scripts/postinst | 42 +++++++++++++++++++ scripts/packaging/lighthousebeacon.service | 42 +++++++++++++++++++ scripts/packaging/lighthousevalidator.service | 42 +++++++++++++++++++ 5 files changed, 153 insertions(+) create mode 100644 scripts/packaging/deb-maintainer-scripts/postinst create mode 100644 scripts/packaging/lighthousebeacon.service create mode 100644 scripts/packaging/lighthousevalidator.service diff --git a/Makefile b/Makefile index b5df59798f9..80537921dac 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,12 @@ else cargo install --path lcli --force --locked endif +# The following commands use `cargo-deb` to create a Debian package for lighthouse. +# +# `cargo-deb` can be installed with `cargo install cargo-deb` +build-deb: + cargo deb --manifest-path lighthouse/Cargo.toml -- --force --locked --features portable + # The following commands use `cross` to build a cross-compile. # # These commands require that: diff --git a/lighthouse/Cargo.toml b/lighthouse/Cargo.toml index ff3e89e687f..ce76298c15c 100644 --- a/lighthouse/Cargo.toml +++ b/lighthouse/Cargo.toml 
@@ -3,6 +3,27 @@ name = "lighthouse"
 version = "1.0.6"
 authors = ["Sigma Prime "]
 edition = "2018"
+description = "Implementation of https://github.com/ethereum/eth2.0-specs in Rust."
+license = "Apache-2.0"
+
+# Configuration for building a .deb package - for use with `cargo-deb`
+[package.metadata.deb]
+name = "lighthouse"
+extended-description = "Implementation of https://github.com/ethereum/eth2.0-specs in Rust."
+section = "misc"
+maintainer = "sean@sigmaprime.io"
+license-file = ["LICENSE", "0"]
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html
+maintainer-scripts = "scripts/packaging/deb-maintainer-scripts"
+assets = [
+ ["target/release/lighthouse", "/usr/bin/", "755"],
+ ["scripts/packaging/lighthousebeacon.service", "/lib/systemd/system/", "644"],
+ ["scripts/packaging/lighthousevalidator.service", "/lib/systemd/system/", "644"]
+]
+conf-files = [
+ "/etc/default/lighthousebeacon",
+ "/etc/default/lighthousevalidator"
+]
 [features]
 # Writes debugging .ssz files to /tmp during block processing.
diff --git a/scripts/packaging/deb-maintainer-scripts/postinst b/scripts/packaging/deb-maintainer-scripts/postinst
new file mode 100644
index 00000000000..9579ca24195
--- /dev/null
+++ b/scripts/packaging/deb-maintainer-scripts/postinst
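Review bot: `maintainer = "sean@sigmaprime.io"` is a bare address, whereas the Debian Maintainer field is `Name <email>`; `maintainer = "Sigma Prime <sean@sigmaprime.io>"` (or a team address rather than one person's) matches policy and tells whoever installs the package whom to contact. `conf-files` declares `/etc/default/lighthousebeacon` and `/etc/default/lighthousevalidator`, but neither file appears in `assets`, so dpkg has no shipped copy to do conffile prompting or md5 tracking against and it is the `[ ! -e ... ]` guard in postinst that actually preserves local edits; it is worth confirming that cargo-deb and dpkg accept a conffiles entry that is not in the archive before this ships, or shipping default files as assets instead. A one-line comment above `conf-files` saying which of the two mechanisms owns these files would stop the next person from adding a third.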
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -e
+
+action="$1"
+config_file_beacon="/etc/default/lighthousebeacon"
+config_file_validator="/etc/default/lighthousevalidator"
+data_dir_beacon="/var/lib/lighthouse/beacon"
+data_dir_validator="/var/lib/lighthouse/validators"
+
+if [ "$action" = "configure" ]; then
+
+ # make the data dir
+ mkdir -p /var/lib/lighthouse
+
+ # Make user and group
+ getent group lighthousebeacon >/dev/null 2>&1 || addgroup --system lighthousebeacon
+ getent passwd lighthousebeacon >/dev/null 2>&1 ||
+ adduser --system --home /home/lighthousebeacon --disabled-password \
+ --ingroup lighthousebeacon lighthousebeacon
+
+ # make the data dir and change ownership
+ mkdir -p /var/lib/lighthouse/beacon
+ chown -R lighthousebeacon:lighthousebeacon /var/lib/lighthouse/beacon
+
+ if [ ! -e "$config_file_beacon" ]; then
+ echo "LIGHTHOUSE_BEACON_CLI_ARGS=\"--datadir $data_dir_beacon\"" > /etc/default/lighthousebeacon
+ fi
+
+ # Make user and group
+ getent group lighthousevalidator >/dev/null 2>&1 || addgroup --system lighthousevalidator
+ getent passwd lighthousevalidator >/dev/null 2>&1 ||
+ adduser --system --home /home/lighthousevalidator --disabled-password \
+ --ingroup lighthousevalidator lighthousevalidator
+
+ # make the data dir and change ownership
+ mkdir -p /var/lib/lighthouse/validators
+ chown -R lighthousevalidator:lighthousevalidator /var/lib/lighthouse/validators
+ if [ ! -e "$config_file_validator" ]; then
+ echo "LIGHTHOUSE_VALIDATOR_CLI_ARGS=\"--datadir $data_dir_validator\"" > /etc/default/lighthousevalidator
+ fi
+fi
\ No newline at end of file
diff --git a/scripts/packaging/lighthousebeacon.service b/scripts/packaging/lighthousebeacon.service
new file mode 100644
index 00000000000..c6c2cccefd1
--- /dev/null
+++ b/scripts/packaging/lighthousebeacon.service
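Review bot: `chown -R lighthousebeacon:lighthousebeacon /var/lib/lighthouse/beacon` and the matching `chown -R` on `/var/lib/lighthouse/validators` run as root on every `configure`, including upgrades, over a tree the unprivileged service user owns and fully controls by then; lintian warns about recursive chown in maintainer scripts precisely because a user-populated tree can redirect root's ownership change (hard links where `fs.protected_hardlinks` is off, or a race against the traversal). Creating each directory with its owner and a restrictive mode in one non-recursive step avoids this: `install -d -o lighthousebeacon -g lighthousebeacon -m 0750 /var/lib/lighthouse/beacon` and `install -d -o lighthousevalidator -g lighthousevalidator -m 0750 /var/lib/lighthouse/validators`. That also closes a second gap: the validators directory will hold keystores and their secrets, yet `mkdir -p` creates it with whatever umask dpkg runs under, typically leaving it world-readable. Minor, the two `echo ... >` lines write to literal paths while the guard just above tests `$config_file_beacon` / `$config_file_validator`; using the variables in both places keeps check and write in step.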
@@ -0,0 +1,42 @@
+[Unit]
+Description=Ethereum 2.0 Lighthouse Beacon Node
+After=syslog.target network.target
+Documentation=https://lighthouse-book.sigmaprime.io/
+
+[Service]
+EnvironmentFile=-/etc/default/lighthousebeacon
+ExecStart=/usr/bin/lighthouse bn $LIGHTHOUSE_BEACON_CLI_ARGS
+User=lighthousebeacon
+Group=lighthousebeacon
+Restart=always
+RestartSec=10
+KillMode=process
+KillSignal=SIGINT
+TimeoutStopSec=90
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=lighthousebeacon
+CapabilityBoundingSet=
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @module @mount @reboot @swap @privileged
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/packaging/lighthousevalidator.service b/scripts/packaging/lighthousevalidator.service
new file mode 100644
index 00000000000..51fe0483ba5
--- /dev/null
+++ b/scripts/packaging/lighthousevalidator.service
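Review bot: `ProtectSystem=strict` mounts the entire file system read-only for the service apart from the API file systems, and nothing in this unit carves out `/var/lib/lighthouse/beacon`, so the datadir that the packaged `/etc/default/lighthousebeacon` points `--datadir` at is unwritable and the node will most likely fail at startup and loop under `Restart=always`. The narrow fix keeps `strict` and adds `ReadWritePaths=/var/lib/lighthouse/beacon` (or `StateDirectory=lighthouse/beacon`, which also creates the directory with the right owner and would let postinst drop its chown). `ProtectHome=true` is absent from an otherwise thorough hardening set, and `KillMode=process` leaves any child processes running on stop; the default `control-group` is the safer choice unless there is a reason for it worth a comment. `StandardOutput=syslog`/`StandardError=syslog` and `After=syslog.target` are deprecated in current systemd in favour of the journal defaults and `network-online.target`.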
@@ -0,0 +1,42 @@
+[Unit]
+Description=Ethereum 2.0 Lighthouse Validator Client
+After=syslog.target network.target
+Documentation=https://lighthouse-book.sigmaprime.io/
+
+[Service]
+EnvironmentFile=-/etc/default/lighthousevalidator
+ExecStart=/usr/bin/lighthouse vc $LIGHTHOUSE_BEACON_CLI_ARGS
+User=lighthousevalidator
+Group=lighthousevalidator
+Restart=always
+RestartSec=10
+KillMode=process
+KillSignal=SIGINT
+TimeoutStopSec=90
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=lighthousevalidator
+CapabilityBoundingSet=
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @module @mount @reboot @swap @privileged
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target
From f68c46f0627a68489fdd2627c56a5dd9eae8b744 Mon Sep 17 00:00:00 2001
From: realbigsean
Date: Tue, 12 Jan 2021 16:40:47 -0500
Subject: [PATCH 3/6] newline
---
 scripts/packaging/deb-maintainer-scripts/postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/packaging/deb-maintainer-scripts/postinst b/scripts/packaging/deb-maintainer-scripts/postinst
index 9579ca24195..4ac557d4647 100644
--- a/scripts/packaging/deb-maintainer-scripts/postinst
+++ b/scripts/packaging/deb-maintainer-scripts/postinst
@@ -39,4 +39,4 @@ if [ "$action" = "configure" ]; then
 if [ ! -e "$config_file_validator" ]; then
 echo "LIGHTHOUSE_VALIDATOR_CLI_ARGS=\"--datadir $data_dir_validator\"" > /etc/default/lighthousevalidator
 fi
-fi
\ No newline at end of file
+fi
From 07b4edafb366ea1f861b25ace8cf21ec4d5fbf41 Mon Sep 17 00:00:00 2001
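Review bot: `ExecStart=/usr/bin/lighthouse vc $LIGHTHOUSE_BEACON_CLI_ARGS` reads the beacon variable, but the postinst in this series writes `LIGHTHOUSE_VALIDATOR_CLI_ARGS` into `/etc/default/lighthousevalidator`; because `EnvironmentFile=-` is optional and an unset variable expands to nothing, the validator client starts with no `--datadir` at all and presumably falls back to its default location under the service user's home rather than `/var/lib/lighthouse/validators`. The line should read `ExecStart=/usr/bin/lighthouse vc $LIGHTHOUSE_VALIDATOR_CLI_ARGS`. As with the beacon unit, `ProtectSystem=strict` with no `ReadWritePaths=/var/lib/lighthouse/validators` leaves the datadir read-only, and for the process that holds signing keys `ProtectHome=true` belongs in the hardening list as well.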
From: realbigsean
Date: Wed, 13 Jan 2021 00:04:53 +0000
Subject: [PATCH 4/6] Fix paths for cargo-deb
---
 Makefile | 2 +-
 lighthouse/Cargo.toml | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index 80537921dac..36e71d42462 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ endif
 #
 # `cargo-deb` can be installed with `cargo install cargo-deb`
 build-deb:
- cargo deb --manifest-path lighthouse/Cargo.toml -- --force --locked --features portable
+ cargo deb --manifest-path lighthouse/Cargo.toml -- --locked --features portable
 # The following commands use `cross` to build a cross-compile.
 #
diff --git a/lighthouse/Cargo.toml b/lighthouse/Cargo.toml
index ce76298c15c..085c48f0288 100644
--- a/lighthouse/Cargo.toml
+++ b/lighthouse/Cargo.toml
@@ -12,13 +12,13 @@ name = "lighthouse"
 extended-description = "Implementation of https://github.com/ethereum/eth2.0-specs in Rust."
 section = "misc"
 maintainer = "sean@sigmaprime.io"
-license-file = ["LICENSE", "0"]
+license-file = ["../LICENSE", "0"]
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html
-maintainer-scripts = "scripts/packaging/deb-maintainer-scripts"
+maintainer-scripts = "../scripts/packaging/deb-maintainer-scripts"
 assets = [
- ["target/release/lighthouse", "/usr/bin/", "755"],
- ["scripts/packaging/lighthousebeacon.service", "/lib/systemd/system/", "644"],
- ["scripts/packaging/lighthousevalidator.service", "/lib/systemd/system/", "644"]
+ ["../target/release/lighthouse", "/usr/bin/", "755"],
+ ["../scripts/packaging/lighthousebeacon.service", "/lib/systemd/system/", "644"],
+ ["../scripts/packaging/lighthousevalidator.service", "/lib/systemd/system/", "644"]
 ]
 conf-files = [
 "/etc/default/lighthousebeacon",
From 05f0af62b099bfbe6f1bd625e2147d6ecde1d1c0 Mon Sep 17 00:00:00 2001
From: realbigsean
Date: Tue, 12 Jan 2021 21:27:54 -0500
Subject: [PATCH 5/6] fix system protect value, fix scripts location
---
 lighthouse/Cargo.toml | 2 +-
 scripts/packaging/lighthousebeacon.service | 2 +-
 scripts/packaging/lighthousevalidator.service | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lighthouse/Cargo.toml b/lighthouse/Cargo.toml
index 085c48f0288..89e20e19e98 100644
--- a/lighthouse/Cargo.toml
+++ b/lighthouse/Cargo.toml
@@ -14,7 +14,7 @@ section = "misc"
 maintainer = "sean@sigmaprime.io"
 license-file = ["../LICENSE", "0"]
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html
-maintainer-scripts = "../scripts/packaging/deb-maintainer-scripts"
+maintainer-scripts = "scripts/packaging/deb-maintainer-scripts"
 assets = [
 ["../target/release/lighthouse", "/usr/bin/", "755"],
 ["../scripts/packaging/lighthousebeacon.service", "/lib/systemd/system/", "644"],
diff --git a/scripts/packaging/lighthousebeacon.service b/scripts/packaging/lighthousebeacon.service
index c6c2cccefd1..6c91c4c7ec9 100644
--- a/scripts/packaging/lighthousebeacon.service
+++ b/scripts/packaging/lighthousebeacon.service
@@ -28,7 +28,7 @@ ProtectControlGroups=true
 ProtectHostname=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectSystem=strict
+ProtectSystem=full
 RemoveIPC=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictNamespaces=true
diff --git a/scripts/packaging/lighthousevalidator.service b/scripts/packaging/lighthousevalidator.service
index 51fe0483ba5..1b5c4bb719a 100644
--- a/scripts/packaging/lighthousevalidator.service
+++ b/scripts/packaging/lighthousevalidator.service
@@ -28,7 +28,7 @@ ProtectControlGroups=true
 ProtectHostname=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectSystem=strict
+ProtectSystem=full
 RemoveIPC=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictNamespaces=true
From d9be0a5e321f65a8ae09ea9723806cc44474f9bb Mon Sep 17 00:00:00 2001
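Review bot: Changing `ProtectSystem=strict` to `ProtectSystem=full` cures the unwritable datadir by dropping the read-only mount of everything outside `/usr`, `/boot`, `/efi` and `/etc`, which leaves all of `/var`, `/home`, `/opt` and the rest of the tree writable (subject only to ordinary permissions) when the service needs exactly one directory. Keeping `ProtectSystem=strict` and adding `ReadWritePaths=/var/lib/lighthouse/beacon` here, with `ReadWritePaths=/var/lib/lighthouse/validators` in the validator unit, grants precisely the required path; `StateDirectory=lighthouse/beacon` achieves the same and also creates the directory with the right owner, so the postinst chown could go. If `full` is kept deliberately, a one-line comment above it saying why would stop the next reader from tightening it back and breaking the node again.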
From: realbigsean
Date: Thu, 14 Jan 2021 12:48:11 -0500
Subject: [PATCH 6/6] add aarch64 deb build, remove home directories from service users
---
 Makefile | 15 +++++++++------
 scripts/packaging/deb-maintainer-scripts/postinst | 4 ++--
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 36e71d42462..225dff2ec4b 100644
--- a/Makefile
+++ b/Makefile
@@ -28,12 +28,6 @@ else
 cargo install --path lcli --force --locked
 endif
-# The following commands use `cargo-deb` to create a Debian package for lighthouse.
-#
-# `cargo-deb` can be installed with `cargo install cargo-deb`
-build-deb:
- cargo deb --manifest-path lighthouse/Cargo.toml -- --locked --features portable
-
 # The following commands use `cross` to build a cross-compile.
 #
 # These commands require that:
@@ -56,6 +50,15 @@ build-aarch64:
 build-aarch64-portable:
 cross build --release --manifest-path lighthouse/Cargo.toml --target aarch64-unknown-linux-gnu --features portable
+# The following commands use `cargo-deb` to create a Debian package for lighthouse.
+#
+# `cargo-deb` can be installed with `cargo install cargo-deb`
+build-deb:
+ cargo deb --manifest-path lighthouse/Cargo.toml -- --locked --features portable
+build-deb-aarch64:
+ cross build --release --manifest-path lighthouse/Cargo.toml --target aarch64-unknown-linux-gnu --features portable
+ cargo deb --target aarch64-unknown-linux-gnu --no-build --manifest-path lighthouse/Cargo.toml
+
 # Create a `.tar.gz` containing a binary for a specific target.
 define tarball_release_binary
 cp $(1)/lighthouse $(BIN_DIR)/lighthouse
diff --git a/scripts/packaging/deb-maintainer-scripts/postinst b/scripts/packaging/deb-maintainer-scripts/postinst
index 4ac557d4647..d3990dded9d 100644
--- a/scripts/packaging/deb-maintainer-scripts/postinst
+++ b/scripts/packaging/deb-maintainer-scripts/postinst
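Review bot: `build-deb-aarch64` builds with `cross build --release ... --features portable` but without `--locked`, whereas `build-deb` passes `--locked` through cargo-deb; an aarch64 release package can therefore resolve dependencies differently from `Cargo.lock` whenever the lockfile is stale, which is exactly the drift a signed release artifact should not have. Add `--locked` to that `cross build` line so both package targets are pinned the same way, mirroring the `build-aarch64-portable` target above it. The following `cargo deb --no-build` does not repeat `--features portable`, which is harmless since the binary already exists, but a short comment saying the two lines must agree on target and features would keep them in step when either is edited.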
@@ -16,7 +16,7 @@ if [ "$action" = "configure" ]; then
 # Make user and group
 getent group lighthousebeacon >/dev/null 2>&1 || addgroup --system lighthousebeacon
 getent passwd lighthousebeacon >/dev/null 2>&1 ||
- adduser --system --home /home/lighthousebeacon --disabled-password \
+ adduser --system --no-create-home --disabled-password \
 --ingroup lighthousebeacon lighthousebeacon
 # make the data dir and change ownership
@@ -30,7 +30,7 @@ if [ "$action" = "configure" ]; then
 # Make user and group
 getent group lighthousevalidator >/dev/null 2>&1 || addgroup --system lighthousevalidator
 getent passwd lighthousevalidator >/dev/null 2>&1 ||
- adduser --system --home /home/lighthousevalidator --disabled-password \
+ adduser --system --no-create-home --disabled-password \
 --ingroup lighthousevalidator lighthousevalidator
 # make the data dir and change ownership
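Review bot: `adduser --system --no-create-home` stops the directory being created but still records adduser's default home (normally `/home/<name>`) in the passwd entry, so anything that consults `$HOME`, including lighthouse's own default datadir whenever `--datadir` is not supplied, now points at a path that never exists. Stating the intent explicitly avoids that: `adduser --system --no-create-home --home /var/lib/lighthouse/beacon --disabled-password --ingroup lighthousebeacon lighthousebeacon` (and `/var/lib/lighthouse/validators` for the validator user), or `--home /nonexistent` if the services should have no usable home at all, which also pairs naturally with `ProtectHome=true` in the units. The `if [ "$action" = "configure" ]` block enclosing both hunks starts and ends outside them.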