Add doppelganger protection option

lh-base.yml

@@ -79,6 +79,7 @@ services:
       - MEV_BOOST=${MEV_BOOST}
       - BEACON_STATS_API=${BEACON_STATS_API}
       - BEACON_STATS_MACHINE=${BEACON_STATS_MACHINE}
+      - DOPPELGANGER=${DOPPELGANGER}
     volumes:
       - lhvalidator-data:/var/lib/lighthouse
       - /etc/localtime:/etc/localtime:ro

lh-vc-only.yml

@@ -21,6 +21,9 @@ services:
     environment:
       - OVERRIDE_TTD=${OVERRIDE_TTD}
       - MEV_BOOST=${MEV_BOOST}
+      - BEACON_STATS_API=${BEACON_STATS_API}
+      - BEACON_STATS_MACHINE=${BEACON_STATS_MACHINE}
+      - DOPPELGANGER=${DOPPELGANGER}
     volumes:
       - lhvalidator-data:/var/lib/lighthouse
       - /etc/localtime:/etc/localtime:ro

lighthouse/docker-entrypoint-vc.sh

@@ -23,4 +23,12 @@ else
   __beacon_stats=""
 fi
 
-exec "$@" ${__mev_boost} ${__beacon_stats} ${__override_ttd}
+# Check whether we should enable doppelganger protection
+if [ "${DOPPELGANGER}" = "true" ]; then
+  __doppel="--enable-doppelganger-protection"
+  echo "Doppelganger protection enabled, VC will pause for 2 epochs"
+else
+  __doppel=""
+fi
+
+exec "$@" ${__mev_boost} ${__beacon_stats} ${__override_ttd} ${__doppel}

lodestar-base.yml

@@ -70,6 +70,7 @@ services:
     user: lsvalidator
     environment:
       - MEV_BOOST=${MEV_BOOST}
+      - DOPPELGANGER=${DOPPELGANGER}
     volumes:
       - lsvalidator-data:/var/lib/lodestar/validators
       - /etc/localtime:/etc/localtime:ro

lodestar-vc-only.yml

@@ -14,6 +14,7 @@ services:
     user: lsvalidator
     environment:
       - MEV_BOOST=${MEV_BOOST}
+      - DOPPELGANGER=${DOPPELGANGER}
     volumes:
       - lsvalidator-data:/var/lib/lodestar/validators
       - /etc/localtime:/etc/localtime:ro

lodestar/docker-entrypoint-vc.sh

@@ -9,4 +9,12 @@ else
   __mev_boost=""
 fi
 
-exec "$@" ${__mev_boost}
+# Check whether we should enable doppelganger protection
+if [ "${DOPPELGANGER}" = "true" ]; then
+  __doppel="--doppelgangerProtectionEnabled"
+  echo "Doppelganger protection enabled, VC will pause for 2 epochs"
+else
+  __doppel=""
+fi
+
+exec "$@" ${__mev_boost} ${__doppel}

nimbus-base.yml

@@ -29,6 +29,7 @@ services:
       - JWT_SECRET=${JWT_SECRET}
       - OVERRIDE_TTD=${OVERRIDE_TTD}
       - MEV_BOOST=${MEV_BOOST}
+      - DOPPELGANGER=${DOPPELGANGER}
     ports:
       - ${CL_P2P_PORT:-9000}:${CL_P2P_PORT:-9000}/tcp
       - ${CL_P2P_PORT:-9000}:${CL_P2P_PORT:-9000}/udp
@@ -55,7 +56,6 @@ services:
       - --rest-address=0.0.0.0
       - --rest-port=5052
       - --enr-auto-update=true
-      - --doppelganger-detection=false
       - --metrics
       - --metrics-port=8008
       - --metrics-address=0.0.0.0

nimbus/docker-entrypoint.sh

@@ -31,4 +31,12 @@ else
   __mev_boost=""
 fi
 
-exec "$@" ${__mev_boost} ${__override_ttd}
+# Check whether we should enable doppelganger protection
+if [ "${DOPPELGANGER}" = "true" ]; then
+  __doppel=""
+  echo "Doppelganger protection enabled, VC will pause for 2 epochs"
+else
+  __doppel="--doppelganger-detection=false"
+fi
+
+exec "$@" ${__mev_boost} ${__override_ttd} ${__doppel}

prysm-base.yml

@@ -81,8 +81,12 @@ services:
     volumes:
       - prysmvalidator-data:/var/lib/prysm
       - /etc/localtime:/etc/localtime:ro
+    environment:
+      - MEV_BOOST=${MEV_BOOST}
+      - DOPPELGANGER=${DOPPELGANGER}
     <<: *logging
     entrypoint:
+      - docker-entrypoint-vc.sh
       - validator
       - --datadir
       - /var/lib/prysm
@@ -110,7 +114,6 @@ services:
       - consensus:5052
       - --suggested-fee-recipient
       - ${FEE_RECIPIENT}
-      - --enable-builder
       # If you chose not to store the wallet password during import, comment out the two following lines
       - --wallet-password-file
       - /var/lib/prysm/password.txt

prysm-vc-only.yml

@@ -27,6 +27,7 @@ services:
       - /etc/localtime:/etc/localtime:ro
     <<: *logging
     entrypoint:
+      - docker-entrypoint-vc.sh
       - validator
       - --datadir
       - /var/lib/prysm

prysm/Dockerfile.binary

@@ -65,6 +65,7 @@ RUN mkdir -p /var/lib/prysm && chown ${USER}:${USER} /var/lib/prysm && chmod 700
 COPY --from=vcsource /app/cmd/validator/validator /usr/local/bin/
 COPY ./validator-import.sh /usr/local/bin/
 COPY ./create-wallet.sh /usr/local/bin/
+COPY ./docker-entrypoint-vc.sh /usr/local/bin/
 
 USER ${USER}
 

prysm/Dockerfile.source

@@ -73,6 +73,7 @@ RUN mkdir -p /var/lib/prysm && chown ${USER}:${USER} /var/lib/prysm && chmod 700
 
 COPY ./validator-import.sh /usr/local/bin/
 COPY ./create-wallet.sh /usr/local/bin/
+COPY ./docker-entrypoint-vc.sh /usr/local/bin/
 
 USER ${USER}
 

prysm/docker-entrypoint-vc.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -Eeuo pipefail
+
+# Check whether we should use MEV Boost
+if [ "${MEV_BOOST}" = "true" ]; then
+  __mev_boost="--enable-builder"
+  echo "MEV Boost enabled"
+else
+  __mev_boost=""
+fi
+
+# Check whether we should enable doppelganger protection
+if [ "${DOPPELGANGER}" = "true" ]; then
+  __doppel="--enable-doppelganger"
+  echo "Doppelganger protection enabled, VC will pause for 2 epochs"
+else
+  __doppel=""
+fi
+
+exec "$@" ${__mev_boost} ${__doppel}

prysm/docker-entrypoint.sh

@@ -1,20 +1,6 @@
 #!/bin/bash
 set -Eeuo pipefail
 
-# prysm-web never used the chown, fix this now. To be removed after merge.
-if [ "$(id -u)" = '0' ]; then
-  if [ "$1" = 'validator' ]; then
-    chown -R prysmvalidator:prysmvalidator /var/lib/prysm
-    exec gosu prysmvalidator "$BASH_SOURCE" "$@"
-  else
-    echo "Could not determine that this is the validator client."
-    echo "This is a bug, please report it at https://github.com/eth-educators/eth-docker/,"
-    echo "and thank you."
-    echo "Failed to match on" $1
-    exit
-  fi
-fi
-
 if [ -n "${JWT_SECRET}" ]; then
   echo -n ${JWT_SECRET} > /var/lib/prysm/ee-secret/jwtsecret
   echo "JWT secret was supplied in .env"