Feature/debian packages (#8872)

* Basic build targets for debian packages * Add comments to config files * Harden beacon-chain systemd service * Add install scripts to set users and folders up * Rename bazel target, fix service files * Extra service hardening, cleanup install scripts * Fix linting issues * //shared:version_file run local only * gazelle Co-authored-by: Nishant Das <nishdas93@gmail.com> Co-authored-by: Raul Jordan <raul@prysmaticlabs.com> Co-authored-by: Preston Van Loon <preston@prysmaticlabs.com>
2024-12-22 03:30:35 +00:00 · 2021-06-02 01:44:24 +10:00 · 2021-06-02 01:44:24 +10:00 · eb1d122aec
commit eb1d122aec
parent 638e76cbd7
11 changed files with 267 additions and 0 deletions
--- a/beacon-chain/package/BUILD.bazel
+++ b/beacon-chain/package/BUILD.bazel
@ -0,0 +1,51 @@
+load("@rules_pkg//:pkg.bzl", "pkg_deb", "pkg_tar")
+
+pkg_tar(
+    name = "beacon-chain-bin",
+    srcs = [
+        "//cmd/beacon-chain",
+    ],
+    mode = "0755",
+    package_dir = "/usr/bin",
+)
+
+pkg_tar(
+    name = "beacon-chain-config",
+    srcs = glob(["beacon-chain.yaml"]),
+    mode = "0640",
+    package_dir = "/etc/prysm",
+)
+
+pkg_tar(
+    name = "beacon-chain-service",
+    srcs = glob(["prysm-beacon-chain.service"]),
+    mode = "0640",
+    package_dir = "/usr/lib/systemd/system",
+)
+
+pkg_tar(
+    name = "debian-data",
+    extension = "tar.gz",
+    deps = [
+        ":beacon-chain-bin",
+        ":beacon-chain-config",
+        ":beacon-chain-service",
+    ],
+)
+
+pkg_deb(
+    name = "deb",
+    architecture = "amd64",
+    conffiles = [
+        "etc/prysm/beacon-chain.yaml",
+    ],
+    data = ":debian-data",
+    description = "Prysm Beacon Chain - Ethereum 2.0 network communications",
+    homepage = "https://prysmaticlabs.com/",
+    maintainer = "Prysmatic Labs <contact@prysmaticlabs.com>",
+    package = "prysm-beacon-chain",
+    postinst = "postinst.sh",
+    preinst = "preinst.sh",
+    version_file = "//shared:version_file",
+    visibility = ["//beacon-chain:__pkg__"],
+)
--- a/beacon-chain/package/beacon-chain.yaml
+++ b/beacon-chain/package/beacon-chain.yaml
@ -0,0 +1,23 @@
+# Configuration file for Prysm beacon-chain
+
+# datadir: Location of blockchain data
+datadir: /var/lib/prysm/beacon
+
+# http-web3provider: ETH1 API endpoint, eg. http://localhost:8545 for a local geth service on the default port
+http-web3provider: http://localhost:8545
+
+# fallback-web3provider: List of backup ETH1 API endpoints, used if above is not working
+# For example:
+# fallback-web3provider:
+#   - https://mainnet.infura.io/v3/YOUR-PROJECT-ID
+#   - https://eth-mainnet.alchemyapi.io/v2/YOUR-PROJECT-ID
+
+
+# Optional tuning parameters
+# For full list, see https://docs.prylabs.network/docs/prysm-usage/parameters
+
+# p2p-max-peers: The max number of p2p peers to maintain. Default: 45
+# block-batch-limit: The amount of blocks the local peer is bounded to request and respond to in a batch. Default: 64
+# block-batch-limit-burst-factor: The factor by which block batch limit may increase on burst. Default: 10
+# p2p-udp-port: The port used by discv5. Default: 12000
+# p2p-tcp-port: The port used by libP2P. Default: 13000
--- a/beacon-chain/package/postinst.sh
+++ b/beacon-chain/package/postinst.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e
+
+chown prysm-beacon:prysm-beacon /etc/prysm/beacon-chain.yaml
--- a/beacon-chain/package/preinst.sh
+++ b/beacon-chain/package/preinst.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+SERVICE_USER=prysm-beacon
+
+# Create the service account, if needed
+getent passwd $SERVICE_USER > /dev/null || useradd -s /bin/false --no-create-home --system --user-group $SERVICE_USER
+
+# Create directories
+mkdir -p /etc/prysm
+mkdir -p /var/lib/prysm
+install -d -m 0700 -o $SERVICE_USER -g $SERVICE_USER /var/lib/prysm/beacon-chain
--- a/beacon-chain/package/prysm-beacon-chain.service
+++ b/beacon-chain/package/prysm-beacon-chain.service
@ -0,0 +1,37 @@
+[Unit]
+Description=Prysm Eth2 Beacon Chain
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=prysm-beacon
+Group=prysm-beacon
+Type=simple
+ExecStart=/usr/bin/beacon-chain --config-file /etc/prysm/beacon-chain.yaml --accept-terms-of-use
+
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectSystem=strict
+ReadWritePaths=/var/lib/prysm/beacon-chain
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+[Install]
+WantedBy=multi-user.target
--- a/shared/BUILD.bazel
+++ b/shared/BUILD.bazel
@ -19,3 +19,13 @@ go_test(
        "//shared/testutil/require:go_default_library",
    ],
 )
+
+genrule(
+    name = "version_file",
+    srcs = [],
+    outs = ["version.txt"],
+    cmd = "cat bazel-out/stable-status.txt | grep STABLE_GIT_TAG | cut -d' ' -f2 | tr -d v > $@",
+    stamp = True,
+    tags = ["local"],
+    visibility = ["//visibility:public"],
+)
--- a/validator/package/BUILD.bazel
+++ b/validator/package/BUILD.bazel
@ -0,0 +1,51 @@
+load("@rules_pkg//:pkg.bzl", "pkg_deb", "pkg_tar")
+
+pkg_tar(
+    name = "validator-bin",
+    srcs = [
+        "//cmd/validator",
+    ],
+    mode = "0755",
+    package_dir = "/usr/bin",
+)
+
+pkg_tar(
+    name = "validator-config",
+    srcs = glob(["validator.yaml"]),
+    mode = "0640",
+    package_dir = "/etc/prysm",
+)
+
+pkg_tar(
+    name = "validator-service",
+    srcs = glob(["prysm-validator.service"]),
+    mode = "0640",
+    package_dir = "/usr/lib/systemd/system",
+)
+
+pkg_tar(
+    name = "debian-data",
+    extension = "tar.gz",
+    deps = [
+        ":validator-bin",
+        ":validator-config",
+        ":validator-service",
+    ],
+)
+
+pkg_deb(
+    name = "deb",
+    architecture = "amd64",
+    conffiles = [
+        "etc/prysm/validator.yaml",
+    ],
+    data = ":debian-data",
+    description = "Prysm Validator Client - Ethereum 2.0 block consensus",
+    homepage = "https://prysmaticlabs.com/",
+    maintainer = "Prysmatic Labs <contact@prysmaticlabs.com>",
+    package = "prysm-validator",
+    postinst = "postinst.sh",
+    preinst = "preinst.sh",
+    version_file = "//shared:version_file",
+    visibility = ["//validator:__pkg__"],
+)
--- a/validator/package/postinst.sh
+++ b/validator/package/postinst.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e
+
+chown prysm-validator:prysm-validator /etc/prysm/validator.yaml
--- a/validator/package/preinst.sh
+++ b/validator/package/preinst.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+SERVICE_USER=prysm-validator
+
+# Create the service account, if needed
+getent passwd $SERVICE_USER > /dev/null || useradd -s /bin/false --no-create-home --system --user-group $SERVICE_USER
+
+# Create directories
+mkdir -p /etc/prysm
+mkdir -p /var/lib/prysm
+install -d -m 0700 -o $SERVICE_USER -g $SERVICE_USER /var/lib/prysm/validator
--- a/validator/package/prysm-validator.service
+++ b/validator/package/prysm-validator.service
@ -0,0 +1,38 @@
+[Unit]
+Description=Prysm Eth2 Validator Client
+Wants=network-online.target
+After=network-online.target
+Requires=prysm-beacon-chain.service
+
+[Service]
+User=prysm-validator
+Group=prysm-validator
+Type=simple
+ExecStart=/usr/bin/validator --config-file /etc/prysm/validator.yaml --accept-terms-of-use
+
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectSystem=strict
+ReadWritePaths=/var/lib/prysm/validator
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+
+[Install]
+WantedBy=multi-user.target
--- a/validator/package/validator.yaml
+++ b/validator/package/validator.yaml
@ -0,0 +1,21 @@
+# Configuration file for Prysm validator
+
+# datadir: Location of slashing protection DB
+datadir: /var/lib/prysm/validator
+
+# wallet-dir: Path to a wallet directory on-disk for Prysm validator accounts.
+wallet-dir: /var/lib/prysm/validator
+
+# wallet-password-file: Path to a plain-text, .txt file containing your wallet password.
+# wallet-password-file: /var/lib/prysm/validator/password.txt
+
+# Optional tuning parameters
+# For full list, see https://docs.prylabs.network/docs/prysm-usage/parameters
+
+# beacon-rpc-provider: Beacon node RPC provider endpoint. Default: localhost:4000
+# rpc-host: Specify the RPC host exposed by the validator. Default: localhost
+# rpc-port: Specify the RPC port exposed by the validator. Default: 7000
+# grpc-gateway-host: Specify the gRPC gateway port exposed by the validator. Default: localhost
+# grpc-gateway-port: Specify the gRPC gateway port exposed by the validator. Default: 7500
+# graffiti: A string to include in proposed block.
+# graffiti-file: Path to Yaml file containing advanced graffiti settings. See https://docs.prylabs.network/docs/prysm-usage/graffiti-file