From 166257f6ddc45b5d78f98333723a566d6e7c5bb6 Mon Sep 17 00:00:00 2001 From: MoeMahhouk Date: Wed, 9 Apr 2025 13:09:36 +0000 Subject: [PATCH 1/6] fix: workaround for builder-hub-proxy --- internal/components.go | 28 +++++++++++++++++++++------- internal/recipe_buildernet.go | 10 ++++------ 2 files changed, 25 insertions(+), 13 deletions(-) diff --git a/internal/components.go b/internal/components.go index 470e69d..71b26fb 100644 --- a/internal/components.go +++ b/internal/components.go @@ -467,6 +467,7 @@ func (b *BuilderHub) Run(service *service, ctx *ExContext) { WithEnv("ADMIN_ADDR", "0.0.0.0:"+`{{Port "admin" 8081}}`). WithEnv("INTERNAL_ADDR", "0.0.0.0:"+`{{Port "internal" 8082}}`). WithEnv("METRICS_ADDR", "0.0.0.0:"+`{{Port "metrics" 8090}}`). + WithEnv("MOCK_SECRETS", "true"). DependsOnHealthy(b.postgres) } @@ -480,13 +481,26 @@ type BuilderHubMockProxy struct { func (b *BuilderHubMockProxy) Run(service *service, ctx *ExContext) { service. - WithImage("docker.io/flashbots/builder-hub-mock-proxy"). - WithTag("latest"). - WithPort("http", 8888) - - if b.TargetService != "" { - service.DependsOnHealthy(b.TargetService) - } + WithImage("nginx"). + WithTag("1.27"). + WithPort("http", 8888). + DependsOnRunning(b.TargetService). + WithEntrypoint("/bin/sh"). + WithArgs("-c", fmt.Sprintf(`cat > /etc/nginx/conf.d/default.conf << 'EOF' +server { + listen 80; + listen 8888; + + location / { + proxy_pass http://%s:8080; + proxy_set_header X-Flashbots-Attestation-Type 'test'; + proxy_set_header X-Flashbots-Measurement '{}'; + proxy_set_header X-Forwarded-For '1.2.3.4'; + } +} +EOF +nginx -g 'daemon off;' +`, b.TargetService)) } func (b *BuilderHubMockProxy) Name() string { diff --git a/internal/recipe_buildernet.go b/internal/recipe_buildernet.go index aca4b4f..79c5145 100644 --- a/internal/recipe_buildernet.go +++ b/internal/recipe_buildernet.go @@ -52,12 +52,10 @@ func (b *BuilderNetRecipe) Apply(ctx *ExContext, artifacts *Artifacts) *Manifest postgres: "builder-hub-postgres", }) - // Optionally add mock proxy for testing - if b.includeMockProxy { - svcManager.AddService("builder-hub-proxy", &BuilderHubMockProxy{ - TargetService: "builder-hub", - }) - } + // Add mock proxy for testing + svcManager.AddService("builder-hub-proxy", &BuilderHubMockProxy{ + TargetService: "builder-hub", + }) return svcManager } From 51009a52bd943360e8d6e04006c79bb6f86f0270 Mon Sep 17 00:00:00 2001 From: MoeMahhouk Date: Thu, 10 Apr 2025 17:53:02 +0000 Subject: [PATCH 2/6] use the correct address for the local devnet --- internal/components.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/components.go b/internal/components.go index 71b26fb..5d7bc12 100644 --- a/internal/components.go +++ b/internal/components.go @@ -251,7 +251,7 @@ func (r *RethEL) Run(svc *service, ctx *ExContext) { "--datadir", "{{.Dir}}/data_reth", "--color", "never", "--ipcpath", "{{.Dir}}/reth.ipc", - "--addr", "127.0.0.1", + "--addr", "0.0.0.0", "--port", `{{Port "rpc" 30303}}`, // "--disable-discovery", // http config @@ -301,7 +301,7 @@ func (l *LighthouseBeaconNode) Run(svc *service, ctx *ExContext) { "--enable-private-discovery", "--disable-peer-scoring", "--staking", - "--enr-address", "127.0.0.1", + "--enr-address", "10.0.2.2", "--enr-udp-port", `{{Port "p2p" 9000}}`, "--enr-tcp-port", `{{Port "p2p" 9000}}`, "--enr-quic-port", `{{Port "quic-p2p" 9100}}`, From e631d6604dea7ad87b03a5c0a06bc6267a82e8ed Mon Sep 17 00:00:00 2001 From: MoeMahhouk Date: Fri, 11 Apr 2025 12:11:31 +0000 Subject: [PATCH 3/6] Add local port binding support --- internal/components.go | 8 ++++---- internal/local_runner.go | 8 +++++++- internal/manifest.go | 21 +++++++++++++++++---- main.go | 11 +++++++++++ 4 files changed, 39 insertions(+), 9 deletions(-) diff --git a/internal/components.go b/internal/components.go index 5d7bc12..f70b135 100644 --- a/internal/components.go +++ b/internal/components.go @@ -435,8 +435,8 @@ type BuilderHubPostgres struct { func (b *BuilderHubPostgres) Run(service *service, ctx *ExContext) { service. WithImage("docker.io/flashbots/builder-hub-db"). - WithTag("latest"). - WithPort("postgres", 5432). + WithTag("0.2.1"). + WithLocalPort("postgres", 5432). WithEnv("POSTGRES_USER", "postgres"). WithEnv("POSTGRES_PASSWORD", "postgres"). WithEnv("POSTGRES_DB", "postgres"). @@ -460,7 +460,7 @@ type BuilderHub struct { func (b *BuilderHub) Run(service *service, ctx *ExContext) { service. WithImage("docker.io/flashbots/builder-hub"). - WithTag("latest"). + WithTag("0.2.1"). WithEntrypoint("/app/builder-hub"). WithEnv("POSTGRES_DSN", "postgres://postgres:postgres@"+ConnectRaw(b.postgres, "postgres", "")+"/postgres?sslmode=disable"). WithEnv("LISTEN_ADDR", "0.0.0.0:"+`{{Port "http" 8080}}`). @@ -483,7 +483,7 @@ func (b *BuilderHubMockProxy) Run(service *service, ctx *ExContext) { service. WithImage("nginx"). WithTag("1.27"). - WithPort("http", 8888). + WithLocalPort("http", 8888). DependsOnRunning(b.TargetService). WithEntrypoint("/bin/sh"). WithArgs("-c", fmt.Sprintf(`cat > /etc/nginx/conf.d/default.conf << 'EOF' diff --git a/internal/local_runner.go b/internal/local_runner.go index bb4debf..fcbe662 100644 --- a/internal/local_runner.go +++ b/internal/local_runner.go @@ -583,7 +583,13 @@ func (d *LocalRunner) toDockerComposeService(s *service) (map[string]interface{} if len(s.ports) > 0 { ports := []string{} for _, p := range s.ports { - ports = append(ports, fmt.Sprintf("%d:%d", p.HostPort, p.Port)) + if p.Local { + // Bind only to localhost (127.0.0.1) + ports = append(ports, fmt.Sprintf("127.0.0.1:%d:%d", p.HostPort, p.Port)) + } else { + // Bind to all interfaces (default) + ports = append(ports, fmt.Sprintf("%d:%d", p.HostPort, p.Port)) + } } service["ports"] = ports } diff --git a/internal/manifest.go b/internal/manifest.go index abba73a..9f63030 100644 --- a/internal/manifest.go +++ b/internal/manifest.go @@ -222,6 +222,9 @@ type Port struct { // container port. It is populated by the local runner // TODO: We might want to move this to the runner itself. HostPort int + + // Local indicates if this port should only be bound to localhost (127.0.0.1) + Local bool } // NodeRef describes a reference from one service to another @@ -356,7 +359,7 @@ func (s *service) WithTag(tag string) *service { return s } -func (s *service) WithPort(name string, portNumber int) *service { +func (s *service) WithPort(name string, portNumber int, local bool) *service { // add the port if not already present with the same name. // if preset with the same name, they must have same port number for _, p := range s.ports { @@ -367,16 +370,26 @@ func (s *service) WithPort(name string, portNumber int) *service { return s } } - s.ports = append(s.ports, &Port{Name: name, Port: portNumber}) + s.ports = append(s.ports, &Port{Name: name, Port: portNumber, Local: local}) return s } +// WithLocalPort is a convenience method to add a port that should only be bound to localhost +func (s *service) WithLocalPort(name string, portNumber int) *service { + return s.WithPort(name, portNumber, true) +} + +// WithPublicPort is a convenience method to add a port that should be bound to all interfaces (default behavior) +func (s *service) WithPublicPort(name string, portNumber int) *service { + return s.WithPort(name, portNumber, false) +} + func (s *service) applyTemplate(arg string) { var port []Port var nodeRef []NodeRef _, port, nodeRef = applyTemplate(arg) for _, p := range port { - s.WithPort(p.Name, p.Port) + s.WithPort(p.Name, p.Port, false) // Default to non-local ports for backward compatibility } for _, n := range nodeRef { s.nodeRefs = append(s.nodeRefs, &n) @@ -445,7 +458,7 @@ func applyTemplate(templateStr string) (string, []Port, []NodeRef) { return fmt.Sprintf(`{{Service "%s" "%s"}}`, name, portLabel) }, "Port": func(name string, defaultPort int) string { - portRef = append(portRef, Port{Name: name, Port: defaultPort}) + portRef = append(portRef, Port{Name: name, Port: defaultPort, Local: false}) return fmt.Sprintf(`{{Port "%s" %d}}`, name, defaultPort) }, } diff --git a/main.go b/main.go index 7c3f31c..a253242 100644 --- a/main.go +++ b/main.go @@ -24,6 +24,7 @@ var dryRun bool var interactive bool var timeout time.Duration var logLevelFlag string +var localPortsFlag bool var rootCmd = &cobra.Command{ Use: "playground", @@ -167,6 +168,7 @@ func main() { recipeCmd.Flags().BoolVar(&interactive, "interactive", false, "interactive mode") recipeCmd.Flags().DurationVar(&timeout, "timeout", 0, "") // Used for CI recipeCmd.Flags().StringVar(&logLevelFlag, "log-level", "info", "log level") + recipeCmd.Flags().BoolVar(&localPortsFlag, "local-ports", false, "bind all ports to localhost only (127.0.0.1) for enhanced security") cookCmd.AddCommand(recipeCmd) } @@ -217,6 +219,15 @@ func runIt(recipe internal.Recipe) error { return fmt.Errorf("failed to validate manifest: %w", err) } + // set the local ports flag + if localPortsFlag { + for _, svc := range svcManager.Services() { + for _, port := range svc.Ports() { + port.Local = true + } + } + } + // generate the dot graph dotGraph := svcManager.GenerateDotGraph() if err := artifacts.Out.WriteFile("graph.dot", dotGraph); err != nil { From 6a4d269cdca07b944278cee979ea420f41a9f2cb Mon Sep 17 00:00:00 2001 From: MoeMahhouk Date: Wed, 16 Apr 2025 18:10:55 +0000 Subject: [PATCH 4/6] added tcp/udp docker firewall support --- internal/components.go | 6 +++++- internal/local_runner.go | 6 ++++-- internal/recipe_l1.go | 18 +++++++++--------- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/internal/components.go b/internal/components.go index f70b135..eb41fa4 100644 --- a/internal/components.go +++ b/internal/components.go @@ -252,6 +252,7 @@ func (r *RethEL) Run(svc *service, ctx *ExContext) { "--color", "never", "--ipcpath", "{{.Dir}}/reth.ipc", "--addr", "0.0.0.0", + "--nat", "extip:172.17.0.1", "--port", `{{Port "rpc" 30303}}`, // "--disable-discovery", // http config @@ -312,12 +313,15 @@ func (l *LighthouseBeaconNode) Run(svc *service, ctx *ExContext) { "--http-address", "0.0.0.0", "--http-allow-origin", "*", "--disable-packet-filter", - "--target-peers", "0", + "--target-peers", "5", "--execution-endpoint", Connect(l.ExecutionNode, "authrpc"), "--execution-jwt", "{{.Dir}}/jwtsecret", "--always-prepare-payload", "--prepare-payload-lookahead", "8000", "--suggested-fee-recipient", "0x690B9A9E9aa1C9dB991C7721a92d351Db4FaC990", + "--subscribe-all-subnets", + "--import-all-attestations", + "--debug-level", "trace", ). WithReady(ReadyCheck{ QueryURL: "http://localhost:3500/eth/v1/node/syncing", diff --git a/internal/local_runner.go b/internal/local_runner.go index fcbe662..bf19a60 100644 --- a/internal/local_runner.go +++ b/internal/local_runner.go @@ -585,10 +585,12 @@ func (d *LocalRunner) toDockerComposeService(s *service) (map[string]interface{} for _, p := range s.ports { if p.Local { // Bind only to localhost (127.0.0.1) - ports = append(ports, fmt.Sprintf("127.0.0.1:%d:%d", p.HostPort, p.Port)) + ports = append(ports, fmt.Sprintf("127.0.0.1:%d:%d/tcp", p.HostPort, p.Port)) + ports = append(ports, fmt.Sprintf("127.0.0.1:%d:%d/udp", p.HostPort, p.Port)) } else { // Bind to all interfaces (default) - ports = append(ports, fmt.Sprintf("%d:%d", p.HostPort, p.Port)) + ports = append(ports, fmt.Sprintf("%d:%d/tcp", p.HostPort, p.Port)) + ports = append(ports, fmt.Sprintf("%d:%d/udp", p.HostPort, p.Port)) } } service["ports"] = ports diff --git a/internal/recipe_l1.go b/internal/recipe_l1.go index ee267af..59271bc 100644 --- a/internal/recipe_l1.go +++ b/internal/recipe_l1.go @@ -72,20 +72,20 @@ func (l *L1Recipe) Apply(ctx *ExContext, artifacts *Artifacts) *Manifest { svcManager.AddService("beacon", &LighthouseBeaconNode{ ExecutionNode: elService, - MevBoostNode: "mev-boost", + // MevBoostNode: "mev-boost", }) svcManager.AddService("validator", &LighthouseValidator{ BeaconNode: "beacon", }) - mevBoostValidationServer := "" - if l.useRethForValidation { - mevBoostValidationServer = "el" - } - svcManager.AddService("mev-boost", &MevBoostRelay{ - BeaconClient: "beacon", - ValidationServer: mevBoostValidationServer, - }) + // mevBoostValidationServer := "" + // if l.useRethForValidation { + // mevBoostValidationServer = "el" + // } + // svcManager.AddService("mev-boost", &MevBoostRelay{ + // BeaconClient: "beacon", + // ValidationServer: mevBoostValidationServer, + // }) return svcManager } From 04951ab1cb85e572b434c35b23427d678ca9f27c Mon Sep 17 00:00:00 2001 From: MoeMahhouk Date: Tue, 22 Apr 2025 18:25:51 +0000 Subject: [PATCH 5/6] remove unnecessary new property --- internal/manifest.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/internal/manifest.go b/internal/manifest.go index a668ed3..3144369 100644 --- a/internal/manifest.go +++ b/internal/manifest.go @@ -230,9 +230,6 @@ type Port struct { // container port. It is populated by the local runner // TODO: We might want to move this to the runner itself. HostPort int - - // Local indicates if this port should only be bound to localhost (127.0.0.1) - Local bool } // NodeRef describes a reference from one service to another From b4194fc877293cd5a39059ce9942f18096b99bd0 Mon Sep 17 00:00:00 2001 From: MoeMahhouk Date: Thu, 24 Apr 2025 08:32:24 +0000 Subject: [PATCH 6/6] merge the mev-boost fix --- internal/recipe_l1.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/internal/recipe_l1.go b/internal/recipe_l1.go index 59271bc..ee267af 100644 --- a/internal/recipe_l1.go +++ b/internal/recipe_l1.go @@ -72,20 +72,20 @@ func (l *L1Recipe) Apply(ctx *ExContext, artifacts *Artifacts) *Manifest { svcManager.AddService("beacon", &LighthouseBeaconNode{ ExecutionNode: elService, - // MevBoostNode: "mev-boost", + MevBoostNode: "mev-boost", }) svcManager.AddService("validator", &LighthouseValidator{ BeaconNode: "beacon", }) - // mevBoostValidationServer := "" - // if l.useRethForValidation { - // mevBoostValidationServer = "el" - // } - // svcManager.AddService("mev-boost", &MevBoostRelay{ - // BeaconClient: "beacon", - // ValidationServer: mevBoostValidationServer, - // }) + mevBoostValidationServer := "" + if l.useRethForValidation { + mevBoostValidationServer = "el" + } + svcManager.AddService("mev-boost", &MevBoostRelay{ + BeaconClient: "beacon", + ValidationServer: mevBoostValidationServer, + }) return svcManager }