|
1 | 1 | #!/bin/sh |
2 | 2 | set -e |
3 | 3 |
|
| 4 | +SHARED_DIR="/shared" |
| 5 | +AWS_CONFIG_FILE="$SHARED_DIR/config/aws_config" |
| 6 | +AWS_SHARED_CREDENTIALS_FILE="$SHARED_DIR/config/aws_credentials" |
| 7 | +AWS_PARAMS="AWS_CONFIG_FILE=$AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE=$AWS_SHARED_CREDENTIALS_FILE" |
| 8 | + |
4 | 9 | echo "Starting" |
| 10 | +echo "Some sleep..." |
5 | 11 | sleep 5 |
6 | 12 |
|
7 | 13 | echo "Up loopback interface" |
8 | 14 | ip link set lo up || true |
| 15 | +echo "Some sleep..." |
9 | 16 | sleep 5 |
10 | 17 |
|
11 | 18 | echo "Setup /etc/hosts" |
12 | 19 | echo "127.0.0.2 kms.us-east-1.amazonaws.com kms.us-east-2.amazonaws.com kms.us-west-1.amazonaws.com kms.us-west-2.amazonaws.com kms.ap-south-1.amazonaws.com kms.ap-northeast-1.amazonaws.com kms.ap-northeast-2.amazonaws.com kms.ap-northeast-3.amazonaws.com kms.ap-southeast-1.amazonaws.com kms.ap-southeast-2.amazonaws.com kms.ca-central-1.amazonaws.com kms.eu-central-1.amazonaws.com kms.eu-west-1.amazonaws.com kms.eu-west-2.amazonaws.com kms.eu-west-3.amazonaws.com kms.eu-north-1.amazonaws.com kms.sa-east-1.amazonaws.com" >>/etc/hosts |
13 | 20 | echo "127.0.0.3 sts.us-east-1.amazonaws.com sts.us-east-2.amazonaws.com sts.us-west-1.amazonaws.com sts.us-west-2.amazonaws.com sts.ap-south-1.amazonaws.com sts.ap-northeast-1.amazonaws.com sts.ap-northeast-2.amazonaws.com sts.ap-northeast-3.amazonaws.com sts.ap-southeast-1.amazonaws.com sts.ap-southeast-2.amazonaws.com sts.ca-central-1.amazonaws.com sts.eu-central-1.amazonaws.com sts.eu-west-1.amazonaws.com sts.eu-west-2.amazonaws.com sts.eu-west-3.amazonaws.com sts.eu-north-1.amazonaws.com sts.sa-east-1.amazonaws.com" >>/etc/hosts |
14 | | -echo "127.0.0.4 l1-node" >>/etc/hosts |
15 | | -echo "127.0.0.5 l1-beacon-node" >>/etc/hosts |
16 | 21 |
|
17 | 22 | echo "Ensure loopback addresses exist" |
18 | 23 | # AWS KMS |
@@ -40,25 +45,99 @@ if ! ip addr show dev lo | grep -q "127.0.0.200"; then |
40 | 45 | ip addr add 127.0.0.200/32 dev lo:0 |
41 | 46 | ip link set dev lo:0 up |
42 | 47 | fi |
| 48 | +echo "Some sleep..." |
43 | 49 | sleep 5 |
44 | 50 |
|
45 | | -echo "Start vsock proxies" |
| 51 | +echo "Start AWS KMS egress vsock proxy" |
46 | 52 | socat TCP-LISTEN:443,bind=127.0.0.2,fork,reuseaddr,keepalive VSOCK-CONNECT:3:8002,keepalive & |
| 53 | +echo "Start AWS STS egress vsock proxy" |
47 | 54 | socat TCP-LISTEN:443,bind=127.0.0.3,fork,reuseaddr,keepalive VSOCK-CONNECT:3:8003,keepalive & |
| 55 | +echo "Start L1 node egress vsock proxy" |
48 | 56 | socat TCP-LISTEN:8546,bind=127.0.0.4,fork,reuseaddr,keepalive VSOCK-CONNECT:3:8004,keepalive & |
| 57 | +echo "Start L1 beacon node egress vsock proxy" |
49 | 58 | socat TCP-LISTEN:3500,bind=127.0.0.5,fork,reuseaddr,keepalive VSOCK-CONNECT:3:8005,keepalive & |
50 | 59 | # NFS |
| 60 | +echo "Start NFSv4 egress vsock proxy" |
51 | 61 | socat TCP-LISTEN:2049,bind=127.0.0.200,fork,reuseaddr,keepalive VSOCK-CONNECT:3:20000,keepalive & |
52 | 62 | # Supervisor |
| 63 | +echo "Start supervisor ingress vsock proxy" |
53 | 64 | socat VSOCK-LISTEN:9001,fork,keepalive TCP:127.0.0.1:9001,keepalive & |
| 65 | +echo "Start L2 HTTP ingress vsock proxy" |
54 | 66 | socat VSOCK-LISTEN:10000,fork,keepalive TCP:127.0.0.1:8547,keepalive & |
| 67 | +echo "Start L2 WS ingress vsock proxy" |
55 | 68 | socat VSOCK-LISTEN:10001,fork,keepalive TCP:127.0.0.1:8548,keepalive & |
| 69 | +echo "Some sleep..." |
56 | 70 | sleep 5 |
57 | 71 |
|
58 | | -echo "Mounting persistent volume to /home/user/export" |
59 | | -su user -c 'mkdir -p /home/user/export' |
60 | | -mount -t nfs4 127.0.0.200:/ /home/user/export |
| 72 | +echo "Create $SHARED_DIR dir" |
| 73 | +mkdir -p $SHARED_DIR |
| 74 | +chown -R user:user $SHARED_DIR |
| 75 | +echo "Mounting persistent volume to $SHARED_DIR" |
| 76 | +mount -t nfs4 127.0.0.200:/ $SHARED_DIR |
| 77 | +echo "Some sleep..." |
61 | 78 | sleep 5 |
62 | 79 |
|
| 80 | +echo "Extend /etc/hosts" |
| 81 | +cat $SHARED_DIR/config/hosts >> /etc/hosts |
| 82 | + |
| 83 | +if [ -f $SHARED_DIR/config/storage_kms_key_id.coses1 ]; then |
| 84 | + echo "storage_kms_key_id.coses1 exist, try to read key ID" |
| 85 | + su user -c "nitro-attestation-cli document read --verify-pcr0 --user-data --input $SHARED_DIR/config/storage_kms_key_id.coses1 > /home/user/kms-key-id" |
| 86 | +else |
| 87 | + if [ -f $SHARED_DIR/config/storage_encrypted_data_key.coses1 ]; then |
| 88 | + echo "kms-key-id not exist, but encrypted-data-key exist, can't decrypt data-key" |
| 89 | + exit 1 |
| 90 | + fi |
| 91 | + echo "storage_kms_key_id.coses1 don't exist, try to create key ID" |
| 92 | + su user -c "$AWS_PARAMS nitro-attestation-cli kms create-key --pcr0 > /home/user/kms-key-id" |
| 93 | + echo "Ensure that key created. Some sleep..." |
| 94 | + sleep 1 |
| 95 | + echo "Create attestation document with KMS Key ID in $SHARED_DIR/config/storage_kms_key_id.coses1" |
| 96 | + su user -c "nitro-attestation-cli document create --user-data $(cat /home/user/kms-key-id | xxd -p -c 0) > $SHARED_DIR/config/storage_kms_key_id.coses1" |
| 97 | +fi |
| 98 | + |
| 99 | +if [ -f $SHARED_DIR/config/storage_encrypted_data_key.coses1 ]; then |
| 100 | + echo "storage_encrypted_data_key.coses1 exist, try to read encrypted data key" |
| 101 | + su user -c "nitro-attestation-cli document read --verify-pcr0 --user-data --input $SHARED_DIR/config/storage_encrypted_data_key.coses1 > /home/user/encrypted-data-key" |
| 102 | +else |
| 103 | + echo "storage_encrypted_data_key.coses1 don't exist, try to encrypted data key" |
| 104 | + su user -c "$AWS_PARAMS nitro-attestation-cli kms generate-data-key --key-id $(cat /home/user/kms-key-id) --number-of-bytes 32 > /home/user/encrypted-data-key" |
| 105 | + echo "Create attestation document with encryped data key in $SHARED_DIR/config/storage_encrypted_data_key.coses1" |
| 106 | + su user -c "nitro-attestation-cli document create --user-data $(cat /home/user/encrypted-data-key | xxd -p -c 0) > $SHARED_DIR/config/storage_encrypted_data_key.coses1" |
| 107 | +fi |
| 108 | + |
| 109 | +echo "Decrypte data key" |
| 110 | +su user -c "$AWS_PARAMS nitro-attestation-cli kms decrypt --key-id $(cat /home/user/kms-key-id) --input /home/user/encrypted-data-key > /home/user/data-key" |
| 111 | + |
| 112 | +echo "Create chain directory: /chain" |
| 113 | +mkdir -p /chain |
| 114 | +if [ ! -f $SHARED_DIR/chain.img ]; then |
| 115 | + echo "chain.img don't exist, exit..." |
| 116 | + exit 1 |
| 117 | +fi |
| 118 | + |
| 119 | +if cryptsetup isLuks $SHARED_DIR/chain.img >/dev/null 2>&1; then |
| 120 | + echo "chain.img is LUKS container, open..." |
| 121 | + cryptsetup luksOpen $SHARED_DIR/chain.img chain --key-file=/home/user/data-key |
| 122 | +else |
| 123 | + echo "chain.img is not LUKS container, format..." |
| 124 | + cryptsetup luksFormat $SHARED_DIR/chain.img --key-file=/home/user/data-key --batch-mode |
| 125 | + echo "Open encrypted container" |
| 126 | + cryptsetup luksOpen $SHARED_DIR/chain.img chain --key-file=/home/user/data-key |
| 127 | + echo "Make ext4 filesystem in encrypted container" |
| 128 | + mkfs.ext4 /dev/mapper/chain |
| 129 | +fi |
| 130 | + |
| 131 | +echo "Mount chain to /chain" |
| 132 | +mount /dev/mapper/chain /chain |
| 133 | +chmod 777 /chain |
| 134 | +chown -R user:user /chain |
| 135 | + |
| 136 | +echo "Some sleep..." |
| 137 | +sleep 5 |
| 138 | + |
| 139 | +echo "Create $SHARED_DIR/.arbitrum/local/nitro" |
| 140 | +su user -c "mkdir -p $SHARED_DIR/.arbitrum/local/nitro" |
| 141 | + |
63 | 142 | echo "Start supervisor" |
64 | 143 | supervisord -c /etc/supervisor/supervisord.conf |
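Review bot: The plaintext data key that `kms decrypt ... > /home/user/data-key` produces stays on the enclave filesystem after the `cryptsetup luksOpen`/`luksFormat --key-file=/home/user/data-key` calls have consumed it, so the LUKS key material outlives its only use; remove it once the container is open, e.g. `rm -f /home/user/data-key` right after the `fi` that closes the isLuks branch, or pipe it in on stdin with `--key-file=-` so it never lands on disk. The same hunk makes the mount point world-writable with `chmod 777 /chain` immediately before `chown -R user:user /chain`, which already gives the service account what it needs, so `chmod 750 /chain` (or dropping the chmod) is the safer default. Separately, `cat $SHARED_DIR/config/hosts >> /etc/hosts` appends name-resolution entries read from the NFS volume proxied over vsock without the attestation-document verification that the neighbouring .coses1 files get, so a tampered share can influence where the enclave sends traffic for any name not already pinned by the earlier KMS/STS lines; that file deserves at least a format check or the same wrapping. Throughout, `$SHARED_DIR` and the `$(cat ...)` substitutions embedded in the `su user -c "..."` strings are unquoted; with SHARED_DIR fixed to /shared this is harmless today, but quoting them keeps ShellCheck clean and avoids word-splitting if the paths become configurable.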