forked from eth-educators/eth-docker
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocker-entrypoint.sh
executable file
·138 lines (125 loc) · 5.38 KB
/
docker-entrypoint.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
#!/usr/bin/env bash
if [ "$(id -u)" = '0' ]; then
chown -R teku:teku /var/lib/teku
exec gosu teku docker-entrypoint.sh "$@"
fi
if [ -f /var/lib/teku/teku-keyapi.keystore ]; then
if [ "$(date +%s -r /var/lib/teku/teku-keyapi.keystore)" -lt "$(date +%s --date="300 days ago")" ]; then
rm /var/lib/teku/teku-keyapi.keystore
elif ! openssl x509 -noout -ext subjectAltName -in /var/lib/teku/teku-keyapi.crt | grep -q 'DNS:consensus'; then
rm /var/lib/teku/teku-keyapi.keystore
fi
fi
if [ ! -f /var/lib/teku/teku-keyapi.keystore ]; then
__password=$(head -c 8 /dev/urandom | od -A n -t u8 | tr -d '[:space:]' | sha256sum| head -c 32)
echo "$__password" > /var/lib/teku/teku-keyapi.password
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout /var/lib/teku/teku-keyapi.key -out /var/lib/teku/teku-keyapi.crt -subj '/CN=teku-keyapi-cert' -extensions san -config <( \
echo '[req]'; \
echo 'distinguished_name=req'; \
echo '[san]'; \
echo 'subjectAltName=DNS:localhost,DNS:consensus,DNS:validator,DNS:vc,IP:127.0.0.1')
openssl pkcs12 -export -in /var/lib/teku/teku-keyapi.crt -inkey /var/lib/teku/teku-keyapi.key -out /var/lib/teku/teku-keyapi.keystore -name teku-keyapi -passout pass:"$__password"
fi
if [ -n "${JWT_SECRET}" ]; then
echo -n "${JWT_SECRET}" > /var/lib/teku/ee-secret/jwtsecret
echo "JWT secret was supplied in .env"
fi
if [[ -O "/var/lib/teku/ee-secret" ]]; then
# In case someone specificies JWT_SECRET but it's not a distributed setup
chmod 777 /var/lib/teku/ee-secret
fi
if [[ -O "/var/lib/teku/ee-secret/jwtsecret" ]]; then
chmod 666 /var/lib/teku/ee-secret/jwtsecret
fi
# Check whether we should rapid sync
if [ -n "${RAPID_SYNC_URL:+x}" ]; then
if [ "${ARCHIVE_NODE}" = "true" ]; then
echo "Teku archive node cannot use checkpoint sync: Syncing from genesis."
__rapid_sync=""
else
__rapid_sync="--checkpoint-sync-url=${RAPID_SYNC_URL}"
echo "Checkpoint sync enabled"
fi
else
__rapid_sync=""
fi
if [[ "${NETWORK}" =~ ^https?:// ]]; then
echo "Custom testnet at ${NETWORK}"
repo=$(awk -F'/tree/' '{print $1}' <<< "${NETWORK}")
branch=$(awk -F'/tree/' '{print $2}' <<< "${NETWORK}" | cut -d'/' -f1)
config_dir=$(awk -F'/tree/' '{print $2}' <<< "${NETWORK}" | cut -d'/' -f2-)
echo "This appears to be the ${repo} repo, branch ${branch} and config directory ${config_dir}."
# For want of something more amazing, let's just fail if git fails to pull this
set -e
if [ ! -d "/var/lib/teku/testnet/${config_dir}" ]; then
mkdir -p /var/lib/teku/testnet
cd /var/lib/teku/testnet
git init --initial-branch="${branch}"
git remote add origin "${repo}"
git config core.sparseCheckout true
echo "${config_dir}" > .git/info/sparse-checkout
git pull origin "${branch}"
fi
bootnodes="$(paste -s -d, "/var/lib/teku/testnet/${config_dir}/bootstrap_nodes.txt")"
set +e
if [ -z "${__rapid_sync}" ]; then
__rapid_sync="--initial-state=/var/lib/teku/testnet/${config_dir}/genesis.ssz"
fi
__network="--network=/var/lib/teku/testnet/${config_dir}/config.yaml --p2p-discovery-bootnodes=${bootnodes} \
--data-storage-non-canonical-blocks-enabled=true --Xlog-include-p2p-warnings-enabled \
--metrics-block-timing-tracking-enabled --Xmetrics-blob-sidecars-storage-enabled=true --Xtrusted-setup=/var/lib/teku/testnet/${config_dir}/trusted_setup.txt \
--Xpeer-rate-limit=100000 --Xpeer-request-limit=1000"
else
__network="--network=${NETWORK}"
fi
# Check whether we should use MEV Boost
if [ "${MEV_BOOST}" = "true" ]; then
__mev_boost="--validators-builder-registration-default-enabled --validators-proposer-blinded-blocks-enabled --builder-endpoint=${MEV_NODE:-http://mev-boost:18550}"
echo "MEV Boost enabled"
else
__mev_boost=""
fi
# Check whether we should send stats to beaconcha.in
if [ -n "${BEACON_STATS_API}" ]; then
__beacon_stats="--metrics-publish-endpoint=https://beaconcha.in/api/v1/client/metrics?apikey=${BEACON_STATS_API}&machine=${BEACON_STATS_MACHINE}"
echo "Beacon stats API enabled"
else
__beacon_stats=""
fi
# Check whether we should enable doppelganger protection
if [ "${DOPPELGANGER}" = "true" ]; then
__doppel="--doppelganger-detection-enabled=true"
echo "Doppelganger protection enabled, VC will pause for 2 epochs"
else
__doppel=""
fi
if [ "${ARCHIVE_NODE}" = "true" ]; then
echo "Teku archive node without pruning"
__prune="--data-storage-mode=ARCHIVE"
else
__prune="--data-storage-mode=MINIMAL"
fi
# Web3signer URL
if [[ "${EMBEDDED_VC}" = "true" && "${WEB3SIGNER}" = "true" ]]; then
__w3s_url="--validators-external-signer-url http://web3signer:9000"
# while true; do
# if curl -s -m 5 http://web3signer:9000 &> /dev/null; then
# echo "web3signer is up, starting Teku"
# break
# else
# echo "Waiting for web3signer to be reachable..."
# sleep 5
# fi
# done
else
__w3s_url=""
fi
if [ "${DEFAULT_GRAFFITI}" = "true" ]; then
# Word splitting is desired for the command line parameters
# shellcheck disable=SC2086
exec "$@" ${__network} ${__w3s_url} ${__mev_boost} ${__rapid_sync} ${__prune} ${__beacon_stats} ${__doppel} ${CL_EXTRAS} ${VC_EXTRAS}
else
# Word splitting is desired for the command line parameters
# shellcheck disable=SC2086
exec "$@" ${__network} "--validators-graffiti=${GRAFFITI}" ${__w3s_url} ${__mev_boost} ${__rapid_sync} ${__prune} ${__beacon_stats} ${__doppel} ${CL_EXTRAS} ${VC_EXTRAS}
fi