feat: updated the docker examples to generate consensus keys and use …

…gossipnet (#2476) Tested on a hetzner instance. --------- Co-authored-by: Bruno França <[email protected]>
matter-labs · Sep 16, 2024 · beca173 · beca173
1 parent 413856f
commit beca173
Show file tree

Hide file tree

Showing 6 changed files with 95 additions and 98 deletions.
diff --git a/docs/guides/external-node/09_decentralization.md b/docs/guides/external-node/09_decentralization.md
@@ -7,85 +7,7 @@ will eventually be used instead of ZKsync API for synchronizing data.
 On the gossipnet, the data integrity will be protected by the BFT (byzantine fault-tolerant) consensus algorithm
 (currently data is signed just by the main node though).
 
-## Enabling gossipnet on your node
-
-> [!NOTE]
->
-> Because the data transmitted over the gossipnet is signed by the main node (and eventually by the consensus quorum),
-> the signatures need to be backfilled to the node's local storage the first time you switch from centralized (ZKsync
-> API based) synchronization to the decentralized (gossipnet based) synchronization (this is a one-time thing). With the
-> current implementation it may take a couple of hours and gets faster the more nodes you add to the
-> `gossip_static_outbound` list (see below). We are working to remove this inconvenience.
-
-> [!NOTE]
->
-> The minimal supported server version for this is
-> [24.11.0](https://github.com/matter-labs/zksync-era/releases/tag/core-v24.11.0)
-
-### Generating secrets
-
-Each participant node of the gossipnet has to have an identity (a public/secret key pair). When running your node for
-the first time, generate the secrets by running:
-
-```
-docker run --entrypoint /usr/bin/zksync_external_node "matterlabs/external-node:2.0-v24.12.0" generate-secrets > consensus_secrets.yaml
-chmod 600 consensus_secrets.yaml
-```
-
-> [!NOTE]
->
-> NEVER reveal the secret keys used by your node. Otherwise, someone can impersonate your node on the gossipnet. If you
-> suspect that your secret key has been leaked, you can generate fresh keys using the same tool.
->
-> If you want someone else to connect to your node, give them your PUBLIC key instead. Both public and secret keys are
-> present in the `consensus_secrets.yaml` (public keys are in comments).
-
-### Preparing configuration file
-
-Copy the template of the consensus configuration file (for
-[mainnet](https://github.com/matter-labs/zksync-era/blob/main/docs/guides/external-node/prepared_configs/mainnet_consensus_config.yaml)
-or
-[testnet](https://github.com/matter-labs/zksync-era/blob/main/docs/guides/external-node/prepared_configs/testnet_consensus_config.yaml)
-).
-
-> [!NOTE]
->
-> You need to fill in the `public_addr` field. This is the address that will (not implemented yet) be advertised over
-> gossipnet to other nodes, so that they can establish connections to your node. If you don't want to expose your node
-> to the public internet, you can use IP in your local network.
-
-Currently the config contains the following fields (refer to config
-[schema](https://github.com/matter-labs/zksync-era/blob/990676c5f84afd2ff8cd337f495c82e8d1f305a4/core/lib/protobuf_config/src/proto/core/consensus.proto#L66)
-for more details):
-
-- `server_addr` - local TCP socket address that the node should listen on for incoming connections. Note that this is an
-  additional TCP port that will be opened by the node.
-- `public_addr` - the public address of your node that will be advertised over the gossipnet.
-- `max_payload_size` - limit (in bytes) on the sized of the ZKsync ERA block received from the gossipnet. This protects
-  your node from getting DoS`ed by too large network messages. Use the value from the template.
-- `gossip_dynamic_inbound_limit` - maximal number of unauthenticated concurrent inbound connections that can be
-  established to your node. This is a DDoS protection measure.
-- `gossip_static_outbound` - list of trusted peers that your node should always try to connect to. The template contains
-  the nodes maintained by Matterlabs, but you can add more if you know any. Note that the list contains both the network
-  address AND the public key of the node - this prevents spoofing attacks.
-
-### Setting environment variables
-
-Uncomment (or add) the following lines in your `.env` config:
-
-```
-EN_CONSENSUS_CONFIG_PATH=...
-EN_CONSENSUS_SECRETS_PATH=...
-```
-
-These variables should point to your consensus config and secrets files that we have just created. Tweak the paths to
-the files if you have placed them differently.
-
 ### Add `--enable-consensus` flag to your entry point command
 
-For the consensus configuration to take effect you have to add `--enable-consensus` flag to the command line when
-running the node, for example:
-
-```
-docker run "matterlabs/external-node:2.0-v24.12.0" <all the other flags> --enable-consensus
-```
+For the consensus configuration to take effect you have to add `--enable-consensus` flag when
+running the node. You can do that by editing the docker compose files (mainnet-external-node-docker-compose.yml or testnet-external-node-docker-compose.yml) and uncommenting the line with `--enable-consensus`.
diff --git a/docs/guides/external-node/docker-compose-examples/configs/generate_secrets.sh b/docs/guides/external-node/docker-compose-examples/configs/generate_secrets.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ ! -s $1 ]; then
+  /usr/bin/zksync_external_node generate-secrets > $1
+fi
diff --git a/docs/guides/external-node/docker-compose-examples/configs/mainnet_consensus_config.yaml b/docs/guides/external-node/docker-compose-examples/configs/mainnet_consensus_config.yaml
@@ -0,0 +1,10 @@
+server_addr: '0.0.0.0:3054'
+public_addr: '127.0.0.1:3054'
+max_payload_size: 5000000
+gossip_dynamic_inbound_limit: 100
+gossip_static_outbound:
+  # preconfigured ENs owned by Matterlabs that you can connect to
+  - key: 'node:public:ed25519:68d29127ab03408bf5c838553b19c32bdb3aaaae9bf293e5e078c3a0d265822a'
+    addr: 'external-node-consensus-mainnet.zksync.dev:3054'
+  - key: 'node:public:ed25519:b521e1bb173d04bc83d46b859d1296378e94a40427a6beb9e7fdd17cbd934c11'
+    addr: 'external-node-moby-consensus-mainnet.zksync.dev:3054'
diff --git a/docs/guides/external-node/docker-compose-examples/configs/testnet_consensus_config.yaml b/docs/guides/external-node/docker-compose-examples/configs/testnet_consensus_config.yaml
@@ -0,0 +1,10 @@
+server_addr: '0.0.0.0:3054'
+public_addr: '127.0.0.1:3054'
+max_payload_size: 5000000
+gossip_dynamic_inbound_limit: 100
+gossip_static_outbound:
+  # preconfigured ENs owned by Matterlabs that you can connect to
+  - key: 'node:public:ed25519:4a94067664e7b8d0927ab1443491dab71a1d0c63f861099e1852f2b6d0831c3e'
+    addr: 'external-node-consensus-sepolia.zksync.dev:3054'
+  - key: 'node:public:ed25519:cfbbebc74127099680584f07a051a2573e2dd7463abdd000d31aaa44a7985045'
+    addr: 'external-node-moby-consensus-sepolia.zksync.dev:3054'
diff --git a/docs/guides/external-node/docker-compose-examples/mainnet-external-node-docker-compose.yml b/docs/guides/external-node/docker-compose-examples/mainnet-external-node-docker-compose.yml
@@ -1,16 +1,16 @@
-version: "3.2"
+name: "mainnet-node"
 services:
   prometheus:
     image: prom/prometheus:v2.35.0
     volumes:
-      - mainnet-prometheus-data:/prometheus
+      - prometheus-data:/prometheus
       - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
     expose:
       - 9090
   grafana:
     image: grafana/grafana:9.3.6
     volumes:
-      - mainnet-grafana-data:/var/lib/grafana
+      - grafana-data:/var/lib/grafana
       - ./grafana/provisioning:/etc/grafana/provisioning
     environment:
       GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin"
@@ -37,7 +37,7 @@ services:
     expose:
       - 5430
     volumes:
-      - mainnet-postgres:/var/lib/postgresql/data
+      - postgres:/var/lib/postgresql/data
     healthcheck:
       interval: 1s
       timeout: 3s
@@ -49,17 +49,39 @@ services:
     environment:
       - POSTGRES_PASSWORD=notsecurepassword
       - PGPORT=5430
+  # Generation of consensus secrets.
+  # The secrets are generated iff the secrets file doesn't already exist.
+  generate-secrets:
+    image: "matterlabs/external-node:2.0-v24.16.0"
+    entrypoint:
+      [
+      "/configs/generate_secrets.sh",
+      "/configs/mainnet_consensus_secrets.yaml",
+      ]
+    volumes:
+      - ./configs:/configs
   external-node:
     image: "matterlabs/external-node:2.0-v24.16.0"
+    entrypoint:
+      [
+      "/usr/bin/entrypoint.sh",
+      # Uncomment the following line to enable consensus
+      # "--enable-consensus",
+      ]
+    restart: always
     depends_on:
       postgres:
         condition: service_healthy
+      generate-secrets:
+        condition: service_completed_successfully
     ports:
+      - "0.0.0.0:3054:3054" # consensus public port
       - "127.0.0.1:3060:3060"
       - "127.0.0.1:3061:3061"
       - "127.0.0.1:3081:3081"
     volumes:
-      - mainnet-rocksdb:/db
+      - rocksdb:/db
+      - ./configs:/configs
     expose:
       - 3322
     environment:
@@ -83,8 +105,11 @@ services:
       EN_SNAPSHOTS_OBJECT_STORE_MODE: "GCSAnonymousReadOnly"
       RUST_LOG: "warn,zksync=info,zksync_core::metadata_calculator=debug,zksync_state=debug,zksync_utils=debug,zksync_web3_decl::client=error"
 
+      EN_CONSENSUS_CONFIG_PATH: "/configs/mainnet_consensus_config.yaml"
+      EN_CONSENSUS_SECRETS_PATH: "/configs/mainnet_consensus_secrets.yaml"
+
 volumes:
-  mainnet-postgres: {}
-  mainnet-rocksdb: {}
-  mainnet-prometheus-data: {}
-  mainnet-grafana-data: {}
+  postgres: {}
+  rocksdb: {}
+  prometheus-data: {}
+  grafana-data: {}
diff --git a/docs/guides/external-node/docker-compose-examples/testnet-external-node-docker-compose.yml b/docs/guides/external-node/docker-compose-examples/testnet-external-node-docker-compose.yml
@@ -1,16 +1,16 @@
-version: "3.2"
+name: "testnet-node"
 services:
   prometheus:
     image: prom/prometheus:v2.35.0
     volumes:
-      - testnet-prometheus-data:/prometheus
+      - prometheus-data:/prometheus
       - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
     expose:
       - 9090
   grafana:
     image: grafana/grafana:9.3.6
     volumes:
-      - testnet-grafana-data:/var/lib/grafana
+      - grafana-data:/var/lib/grafana
       - ./grafana/provisioning:/etc/grafana/provisioning
     environment:
       GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin"
@@ -37,7 +37,7 @@ services:
     expose:
       - 5430
     volumes:
-      - testnet-postgres:/var/lib/postgresql/data
+      - postgres:/var/lib/postgresql/data
     healthcheck:
       interval: 1s
       timeout: 3s
@@ -49,17 +49,39 @@ services:
     environment:
       - POSTGRES_PASSWORD=notsecurepassword
       - PGPORT=5430
+  # Generation of consensus secrets.
+  # The secrets are generated iff the secrets file doesn't already exist.
+  generate-secrets:
+    image: "matterlabs/external-node:2.0-v24.16.0"
+    entrypoint:
+      [
+      "/configs/generate_secrets.sh",
+      "/configs/testnet_consensus_secrets.yaml",
+      ]
+    volumes:
+      - ./configs:/configs
   external-node:
     image: "matterlabs/external-node:2.0-v24.16.0"
+    entrypoint:
+      [
+      "/usr/bin/entrypoint.sh",
+      # Uncomment the following line to enable consensus
+      # "--enable-consensus",
+      ]
+    restart: always
     depends_on:
       postgres:
         condition: service_healthy
+      generate-secrets:
+        condition: service_completed_successfully
     ports:
+      - "0.0.0.0:3054:3054" # consensus public port
       - "127.0.0.1:3060:3060"
       - "127.0.0.1:3061:3061"
       - "127.0.0.1:3081:3081"
     volumes:
-      - testnet-rocksdb:/db
+      - rocksdb:/db
+      - ./configs:/configs
     expose:
       - 3322
     environment:
@@ -83,8 +105,11 @@ services:
       EN_SNAPSHOTS_OBJECT_STORE_MODE: "GCSAnonymousReadOnly"
       RUST_LOG: "warn,zksync=info,zksync_core::metadata_calculator=debug,zksync_state=debug,zksync_utils=debug,zksync_web3_decl::client=error"
 
+      EN_CONSENSUS_CONFIG_PATH: "/configs/testnet_consensus_config.yaml"
+      EN_CONSENSUS_SECRETS_PATH: "/configs/testnet_consensus_secrets.yaml"
+
 volumes:
-  testnet-postgres: {}
-  testnet-rocksdb: {}
-  testnet-prometheus-data: {}
-  testnet-grafana-data: {}
+  postgres: {}
+  rocksdb: {}
+  prometheus-data: {}
+  grafana-data: {}