From 76af32e427de6501bb3bbdb3d298ae15ea9f5ff9 Mon Sep 17 00:00:00 2001 From: Igor Novgorodov Date: Wed, 2 Oct 2024 16:12:21 +0200 Subject: [PATCH 1/2] feat(BOUN-1250): BN Ubuntu upgrade to 24.04 (#1796) * Upgrade Ubuntu to 24.04 * Upgrade Vector & node_exporter * Remove redundant packages, make image build faster * Simplify the dockerfile * Remove `prober` & `balance-exporter` from BN images & published binaries --- ic-os/boundary-guestos/context/Dockerfile | 11 +- .../boundary-guestos/context/Dockerfile.base | 107 ++++++------------ ic-os/boundary-guestos/defs.bzl | 2 - ic-os/boundary-guestos/docs/Components.adoc | 4 - .../scripts/build-bootstrap-config-image.sh | 12 -- .../scripts/build-deployment.sh | 33 +----- ic-os/components/boundary-guestos.bzl | 7 -- .../boundary-guestos/etc/nftables.conf | 2 - .../etc/prober-wallets-exporter/wallets.json | 25 ---- .../etc/prober/ic_public_key.pem | 5 - .../boundary-guestos/etc/prober/wallets.json | 25 ---- .../system/prober-wallets-exporter.service | 20 ---- .../etc/systemd/system/prober.service | 22 ---- .../etc/systemd/system/setup-prober.service | 11 -- .../opt/ic/bin/bootstrap-ic-node.sh | 1 - .../opt/ic/bin/setup-prober.sh | 43 ------- publish/binaries/BUILD.bazel | 2 - 17 files changed, 36 insertions(+), 296 deletions(-) delete mode 100644 ic-os/components/boundary-guestos/etc/prober-wallets-exporter/wallets.json delete mode 100644 ic-os/components/boundary-guestos/etc/prober/ic_public_key.pem delete mode 100644 ic-os/components/boundary-guestos/etc/prober/wallets.json delete mode 100644 ic-os/components/boundary-guestos/etc/systemd/system/prober-wallets-exporter.service delete mode 100644 ic-os/components/boundary-guestos/etc/systemd/system/prober.service delete mode 100644 ic-os/components/boundary-guestos/etc/systemd/system/setup-prober.service delete mode 100644 ic-os/components/boundary-guestos/opt/ic/bin/setup-prober.sh 
diff --git a/ic-os/boundary-guestos/context/Dockerfile b/ic-os/boundary-guestos/context/Dockerfile index d2a5975fba6..2cbf960cda9 100644 --- a/ic-os/boundary-guestos/context/Dockerfile +++ b/ic-os/boundary-guestos/context/Dockerfile @@ -26,7 +26,7 @@ WORKDIR /tmp # Download and verify ic-gateway RUN \ curl -L -O https://github.com/dfinity/ic-gateway/releases/download/v0.1.55/ic-gateway_0.1.55_amd64.deb && \ - echo "57ef6ed420bca99cc2e5857a862d630d6c1f5ab3 ic-gateway_0.1.55_amd64.deb" | shasum -c + echo "b360fa670fef8d097fc814b718ea5333a7de5c52d654c8f850a55bb014b006e1 ic-gateway_0.1.55_amd64.deb" | sha256sum -c # # Second build stage: @@ -177,15 +177,6 @@ RUN addgroup node_exporter && \ adduser --system --disabled-password --shell /usr/sbin/nologin --no-create-home socks && \ adduser socks socks && chmod +s /usr/sbin/danted -# Setup prober -RUN \ - addgroup prober && \ - adduser --system --disabled-password --shell /usr/sbin/nologin --no-create-home prober && \ - adduser prober prober && \ - mkdir -p /var/log/prober && \ - chown prober:prober /var/log/prober && \ - chmod 755 /var/log/prober - # Install node_exporter RUN chown root:root /etc/node_exporter \ /usr/local/bin/node_exporter && \ diff --git a/ic-os/boundary-guestos/context/Dockerfile.base b/ic-os/boundary-guestos/context/Dockerfile.base index fbbdb6ad960..3ef8a9df64f 100644 --- a/ic-os/boundary-guestos/context/Dockerfile.base +++ b/ic-os/boundary-guestos/context/Dockerfile.base 
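Review bot: The ic-gateway version and its digest are still written out inside the `RUN` line, with `0.1.55` repeated in the URL and the file name next to a hash that has to change with it, whereas Dockerfile.base in this same patch keeps each version/SHA pair in `ARG`s. Moving them to `ARG IC_GATEWAY_VERSION=0.1.55` and `ARG IC_GATEWAY_SHA=<the SHA-256 from this hunk>` would make a bump a two-line change that is harder to get half-right. Adding `-f` to `curl -L -O` would also make an HTTP error fail at the download step instead of surfacing later as a checksum mismatch. The stage this `RUN` belongs to starts outside the hunk.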
@@ -16,42 +16,18 @@ ARG CROWDSEC_BOUNCER_VERSION=1.0.14 ARG CROWDSEC_BOUNCER_SHA=c99919c6ecc69904249ff71b32ea791ce2eec32e5a9e8d4c9c6554131a4fb331 # Vector version to install -ARG VECTOR_VERSION=0.36.0 -ARG VECTOR_SHA=1e7c8d47768a8286c0de517aeb6d7b12e85d91d11c2d282583827c92b83083cf +ARG VECTOR_VERSION=0.41.1 +ARG VECTOR_SHA=a4fe30ec0e9ef959bac8b6de013a28e22890f6e5a5afd00d42ef7affaf432442 # Node exporter version to install -ARG NODE_EXPORTER_VERSION=1.8.1 -ARG NODE_EXPORTER_SHA=fbadb376afa7c883f87f70795700a8a200f7fd45412532cc1938a24d41078011 +ARG NODE_EXPORTER_VERSION=1.8.2 +ARG NODE_EXPORTER_SHA=6809dd0b3ec45fd6e992c19071d6b5253aed3ead7bf0686885a51d85c6643c66 # -# First build stage: download software, build and verify it (such that it -# does not change under our noses). +# - Download and cache minimal Ubuntu Server 24.04 LTS Docker image +# - Install and cache upstream packages from built-in Ubuntu repositories # -FROM ubuntu:20.04 AS download - -USER root:root - -ENV TZ=UTC -RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone -RUN apt-get -y update && apt-get -y upgrade && apt-get -y --no-install-recommends install \ - ca-certificates \ - curl \ - pkg-config \ - libffi-dev \ - libssl-dev \ - ssl-cert \ - rustc \ - cargo \ - perl \ - git \ - autoconf \ - make \ - automake \ - g++ \ - gcc \ - uuid-dev - -WORKDIR /tmp +FROM ubuntu:24.04 ARG CROWDSEC_BOUNCER_VERSION ARG CROWDSEC_BOUNCER_SHA 
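Review bot: `FROM ubuntu:24.04` resolves a mutable tag at build time, so the base under this image can change between builds even though the Vector, node_exporter and bouncer downloads are pinned by SHA-256 a few lines above. The stage comment this hunk removes ("such that it does not change under our noses") described that same concern for the downloads. Pinning the digest, `FROM ubuntu:24.04@sha256:<digest-of-the-reviewed-image>`, would extend the guarantee to the base; if the digest is enforced somewhere else in the build that is not visible here, a one-line comment above `FROM` saying where would be enough.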
@@ -60,29 +36,6 @@ ARG VECTOR_SHA ARG NODE_EXPORTER_VERSION ARG NODE_EXPORTER_SHA -# Download and verify vector -RUN \ - curl -L -O https://packages.timber.io/vector/${VECTOR_VERSION}/vector_${VECTOR_VERSION}-1_amd64.deb && \ - echo "${VECTOR_SHA} vector_${VECTOR_VERSION}-1_amd64.deb" | shasum -c - -# Download and verify node_exporter -RUN \ - curl -L -O https://github.com/prometheus/node_exporter/releases/download/v${NODE_EXPORTER_VERSION}/node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz && \ - echo "${NODE_EXPORTER_SHA} node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz" | shasum -c - -# Download and verify crowdsec bouncer -RUN \ - curl -L -O https://github.com/blind-oracle/cs-firewall-bouncer/releases/download/v${CROWDSEC_BOUNCER_VERSION}/crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb && \ - echo "${CROWDSEC_BOUNCER_SHA} crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb" | shasum -c - -# -# Second build stage: -# - Download and cache minimal Ubuntu Server 20.04 LTS Docker image -# - Install and cache upstream packages from built-in Ubuntu repositories -# - Copy downloaded archives from first build stage into the target image -# -FROM ubuntu:20.04 - USER root:root ENV TZ=UTC 
@@ -106,54 +59,60 @@ RUN \ gettext-base \ haveged \ initramfs-tools \ - inotify-tools \ iproute2 \ iputils-ping \ - isc-dhcp-client \ less \ - libffi-dev \ - liblmdb0 \ - libssl-dev \ - linux-image-virtual-hwe-20.04 \ logrotate \ lshw \ lvm2 \ + nano \ net-tools \ netbase \ nftables \ - opensc \ - openssh-client openssh-server \ + openssh-client \ + openssh-server \ parted \ - pciutils \ - pcsc-tools pcscd \ - policycoreutils \ - python \ - python3-dev \ rsync \ ssl-cert \ sudo \ - systemd systemd-sysv systemd-journal-remote \ + systemd \ + systemd-sysv \ + systemd-journal-remote \ + tcpdump \ + traceroute \ + mtr-tiny \ udev \ usbutils \ vim \ zstd +WORKDIR /tmp + +# Download and verify vector +RUN \ + curl -L -O https://packages.timber.io/vector/${VECTOR_VERSION}/vector_${VECTOR_VERSION}-1_amd64.deb && \ + echo "${VECTOR_SHA} vector_${VECTOR_VERSION}-1_amd64.deb" | sha256sum -c + +# Download and verify node_exporter +RUN \ + curl -L -O https://github.com/prometheus/node_exporter/releases/download/v${NODE_EXPORTER_VERSION}/node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz && \ + echo "${NODE_EXPORTER_SHA} node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz" | sha256sum -c + +# Download and verify crowdsec bouncer +RUN \ + curl -L -O https://github.com/blind-oracle/cs-firewall-bouncer/releases/download/v${CROWDSEC_BOUNCER_VERSION}/crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb && \ + echo "${CROWDSEC_BOUNCER_SHA} crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb" | sha256sum -c + # Install vector -ARG VECTOR_VERSION -COPY --from=download /tmp/vector_${VECTOR_VERSION}-1_amd64.deb /tmp/vector_${VECTOR_VERSION}-1_amd64.deb RUN dpkg -i --force-confold /tmp/vector_${VECTOR_VERSION}-1_amd64.deb && \ rm /tmp/vector_${VECTOR_VERSION}-1_amd64.deb # Install node_exporter -ARG NODE_EXPORTER_VERSION -COPY --from=download /tmp/node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz 
/tmp/node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz RUN cd /tmp/ && \ mkdir -p /etc/node_exporter && \ tar --strip-components=1 -C /usr/local/bin/ -zvxf node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64/node_exporter && \ rm /tmp/node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz # Install crowdsec bouncer -ARG CROWDSEC_BOUNCER_VERSION -COPY --from=download /tmp/crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb /tmp/crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb RUN dpkg -i --force-confold /tmp/crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb && \ rm /tmp/crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb diff --git a/ic-os/boundary-guestos/defs.bzl b/ic-os/boundary-guestos/defs.bzl index 8b89f8d5fd8..0f6c4a66acd 100644 --- a/ic-os/boundary-guestos/defs.bzl +++ b/ic-os/boundary-guestos/defs.bzl @@ -23,9 +23,7 @@ def image_deps(mode): "bootfs": {}, "rootfs": { "//publish/binaries:canary-proxy": "/opt/ic/bin/canary-proxy:0755", - "//publish/binaries:boundary-node-prober": "/opt/ic/bin/boundary-node-prober:0755", "//publish/binaries:certificate-issuer": "/opt/ic/bin/certificate-issuer:0755", - "//publish/binaries:ic-balance-exporter": "/opt/ic/bin/ic-balance-exporter:0755", "//publish/binaries:systemd-journal-gatewayd-shim": "/opt/ic/bin/systemd-journal-gatewayd-shim:0755", "//publish/binaries:ic-boundary": "/opt/ic/bin/ic-boundary:0755", }, diff --git a/ic-os/boundary-guestos/docs/Components.adoc b/ic-os/boundary-guestos/docs/Components.adoc index 276d24f9ec0..b4c08656bc0 100644 --- a/ic-os/boundary-guestos/docs/Components.adoc +++ b/ic-os/boundary-guestos/docs/Components.adoc 
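Review bot: The three "Download and verify" steps and the later "Install" steps are separate `RUN` instructions in what is now the only stage, so each archive is committed to a layer before the `rm` in its install step runs, and the checksum check is not tied to the `dpkg -i`/`tar` that consumes the file. Folding download, `sha256sum -c`, install and cleanup into one `RUN` per package keeps the verified file and the installed file the same by construction and leaves nothing behind in `/tmp`; `curl -f` additionally makes an HTTP error fail at the download. Separately, `nano`, `tcpdump`, `traceroute` and `mtr-tiny` are new in a list the commit message describes as trimmed, so a comment stating they are intended on production boundary nodes would help the next reviewer.

```dockerfile
# Download, verify and install vector in a single layer
RUN \
    curl -fL -O https://packages.timber.io/vector/${VECTOR_VERSION}/vector_${VECTOR_VERSION}-1_amd64.deb && \
    echo "${VECTOR_SHA} vector_${VECTOR_VERSION}-1_amd64.deb" | sha256sum -c && \
    dpkg -i --force-confold vector_${VECTOR_VERSION}-1_amd64.deb && \
    rm vector_${VECTOR_VERSION}-1_amd64.deb

# … same shape for node_exporter (tar extraction) and the crowdsec bouncer (dpkg -i) …
```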
@@ -5,10 +5,6 @@ The Boundary Node has a number of specific components: - `ic-gateway` is used to proxy HTTP calls to `ic-boundary` using IC protocol - `ic-boundary` forwards the IC requests to replicas -== Prober -- Creates canisters that are probed -- Performs dynamic probes and export the results to Prometheus - == Socks proxy - A SOCKS proxy will be running on port 1443 and 1080 on the boundary nodes, only accessible from IPv6 netblock addresses. diff --git a/ic-os/boundary-guestos/scripts/build-bootstrap-config-image.sh b/ic-os/boundary-guestos/scripts/build-bootstrap-config-image.sh index c90f891184a..8e1538a7839 100755 --- a/ic-os/boundary-guestos/scripts/build-bootstrap-config-image.sh +++ b/ic-os/boundary-guestos/scripts/build-bootstrap-config-image.sh @@ -77,9 +77,6 @@ options may be specified: --denylist_url url Specify the url where to download denylist - --prober-identity path - specify an identity file for the prober - --system-domains comma-delimited list of domains serving system canisters (e.g., ic0.dev or ic0.app) @@ -292,9 +289,6 @@ function build_ic_bootstrap_tar() { --denylist_url) local DENYLIST_URL="$2" ;; - --prober-identity) - local PROBER_IDENTITY="$2" - ;; --system-domains) local SYSTEM_DOMAINS="$2" ;; @@ -519,12 +513,6 @@ logging_user=${LOGGING_USER:-"undefined"} logging_password=${LOGGING_PASSWORD:-"undefined"} EOF - # setup the prober identity - if [[ -n "${PROBER_IDENTITY:-}" ]]; then - echo "Using prober identity ${PROBER_IDENTITY}" - cp "${PROBER_IDENTITY}" "${BOOTSTRAP_TMPDIR}/prober_identity.pem" - fi - # setup the certificates if [[ -n "${CERT_DIR:-}" && -f "${CERT_DIR}/fullchain.pem" && -f "${CERT_DIR}/privkey.pem" && -f "${CERT_DIR}/chain.pem" ]]; then echo "Using certificates ${CERT_DIR}/fullchain.pem ${CERT_DIR}/privkey.pem ${CERT_DIR}/chain.pem" diff --git a/ic-os/boundary-guestos/scripts/build-deployment.sh b/ic-os/boundary-guestos/scripts/build-deployment.sh index 7c30d66b3de..541ea307861 100755 
--- a/ic-os/boundary-guestos/scripts/build-deployment.sh +++ b/ic-os/boundary-guestos/scripts/build-deployment.sh @@ -43,7 +43,6 @@ Arguments: --nns_urls= specify a file that lists on each line a nns url of the form `http://[ip]:port` this file will override nns urls derived from input json file --replicas-ipv6= specify a file that lists on each line an ipv6 firewall rule to allow replicas of the form `ipv6-addr/prefix-length` (# comments and trailing whitespace will be stripped) --denylist= a deny list of canisters - --prober-identity= specify an identity file for the prober --geolite2-country-db= specify path to GeoLite2 Country Database --cert-issuer-creds specify a credentials file for certificate-issuer --cert-issuer-identity specify an identity file for certificate-issuer @@ -102,9 +101,6 @@ for argument in "${@}"; do --denylist=*) DENY_LIST="${argument#*=}" ;; - --prober-identity=*) - PROBER_IDENTITY="${argument#*=}" - ;; --geolite2-country-db=*) GEOLITE2_COUNTRY_DB="${argument#*=}" ;; @@ -206,20 +202,18 @@ VALUES=$(echo ${CONFIG} \ .ipv6_gateway, .ipv4_gateway, .ipv4_address, - .prober, .hostname, .subnet_type, .subnet_idx, .node_idx, .type ] | join("\u0001")') -while IFS=$'\1' read -r ipv6_address ipv6_gateway ipv4_gateway ipv4_address prober hostname subnet_type subnet_idx node_idx type; do +while IFS=$'\1' read -r ipv6_address ipv6_gateway ipv4_gateway ipv4_address hostname subnet_type subnet_idx node_idx type; do eval "declare -A __RAW_NODE_$NODES=( ['ipv6_address']=$ipv6_address ['ipv6_gateway']=$ipv6_gateway - ['ipv4_gateway']=$ipv4_gateway + ['ipv4_gateway']=$ipv4_gateway ['ipv4_address']=$ipv4_address - ['prober']=$prober ['hostname']=$hostname ['subnet_type']=$subnet_type ['subnet_idx']=$subnet_idx 
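Review bot: The `eval "declare -A __RAW_NODE_$NODES=( … )"` block edited in the third hunk still expands every field read from the deployment JSON (`$hostname`, `$ipv6_address`, and the rest) unquoted into a string the shell then evaluates, so a value containing whitespace or shell syntax is interpreted rather than stored. If that JSON can come from anywhere less trusted than the operator running the script, the fields should be assigned without `eval`, for example `declare -A "__RAW_NODE_$NODES"` followed by `declare -n node="__RAW_NODE_$NODES"; node[hostname]=$hostname` for each field. The `while … read` loop starts and ends outside the hunk, so whether the array has to survive a subshell cannot be checked from here.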
@@ -374,28 +368,6 @@ function generate_network_config() { done } -function generate_prober_config() { - for n in $NODES; do - declare -n NODE=$n - if [[ "${NODE["type"]}" == "boundary" ]]; then - local hostname=${NODE["hostname"]} - local subnet_idx=${NODE["subnet_idx"]} - local node_idx=${NODE["node_idx"]} - local prober=${NODE["prober"]} - - NODE_PREFIX=${DEPLOYMENT}.$subnet_idx.$node_idx - - mkdir -p "${CONFIG_DIR}/${NODE_PREFIX}" - - # copy prober identity if enabled - if [[ -f "${PROBER_IDENTITY:-}" && "${prober:-}" == "true" ]]; then - echo "Using prober identity ${PROBER_IDENTITY}" - cp "${PROBER_IDENTITY}" "${CONFIG_DIR}/${NODE_PREFIX}/prober_identity.pem" - fi - fi - done -} - function copy_ssh_keys() { for n in $NODES; do declare -n NODE=$n @@ -678,7 +650,6 @@ function main() { create_tarball_structure generate_boundary_node_config generate_network_config - generate_prober_config copy_ssh_keys copy_certs copy_deny_list diff --git a/ic-os/components/boundary-guestos.bzl b/ic-os/components/boundary-guestos.bzl index b6f50b50f01..535edf797ca 100644 --- a/ic-os/components/boundary-guestos.bzl +++ b/ic-os/components/boundary-guestos.bzl 
@@ -20,9 +20,6 @@ component_files = { Label("boundary-guestos/etc/initramfs-tools/scripts/init-bottom/set-machine-id"): "/etc/initramfs-tools/scripts/init-bottom/set-machine-id", Label("boundary-guestos/etc/initramfs-tools/scripts/init-premount/verity-root"): "/etc/initramfs-tools/scripts/init-premount/verity-root", Label("boundary-guestos/etc/nftables.conf"): "/etc/nftables.conf", - Label("boundary-guestos/etc/prober/ic_public_key.pem"): "/etc/prober/ic_public_key.pem", - Label("boundary-guestos/etc/prober-wallets-exporter/wallets.json"): "/etc/prober-wallets-exporter/wallets.json", - Label("boundary-guestos/etc/prober/wallets.json"): "/etc/prober/wallets.json", Label("boundary-guestos/etc/resolv.conf"): "/etc/resolv.conf", Label("boundary-guestos/etc/security/limits.conf"): "/etc/security/limits.conf", Label("boundary-guestos/etc/stunnel/stunnel.conf"): "/etc/stunnel/stunnel.conf", @@ -47,8 +44,6 @@ component_files = { Label("boundary-guestos/etc/systemd/system/logrotate.timer"): "/etc/systemd/system/logrotate.timer", Label("boundary-guestos/etc/systemd/system/nftables.service.d/override.conf"): "/etc/systemd/system/nftables.service.d/override.conf", Label("boundary-guestos/etc/systemd/system/node_exporter.service"): "/etc/systemd/system/node_exporter.service", - Label("boundary-guestos/etc/systemd/system/prober.service"): "/etc/systemd/system/prober.service", - Label("boundary-guestos/etc/systemd/system/prober-wallets-exporter.service"): "/etc/systemd/system/prober-wallets-exporter.service", Label("boundary-guestos/etc/systemd/system/relabel-machine-id.service"): "/etc/systemd/system/relabel-machine-id.service", Label("boundary-guestos/etc/systemd/system/retry-ipv6-config.service"): "/etc/systemd/system/retry-ipv6-config.service", Label("boundary-guestos/etc/systemd/system/save-machine-id.service"): "/etc/systemd/system/save-machine-id.service", 
@@ -62,7 +57,6 @@ component_files = { Label("boundary-guestos/etc/systemd/system/setup-ic-gateway.service"): "/etc/systemd/system/setup-ic-gateway.service", Label("boundary-guestos/etc/systemd/system/setup-lvs.service"): "/etc/systemd/system/setup-lvs.service", Label("boundary-guestos/etc/systemd/system/setup-nftables.service"): "/etc/systemd/system/setup-nftables.service", - Label("boundary-guestos/etc/systemd/system/setup-prober.service"): "/etc/systemd/system/setup-prober.service", Label("boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service"): "/etc/systemd/system/setup-ssh-account-keys.service", Label("boundary-guestos/etc/systemd/system/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service", Label("boundary-guestos/etc/systemd/system/setup-var-log.service"): "/etc/systemd/system/setup-var-log.service", @@ -94,7 +88,6 @@ component_files = { Label("boundary-guestos/opt/ic/bin/setup-ic-gateway.sh"): "/opt/ic/bin/setup-ic-gateway.sh", Label("boundary-guestos/opt/ic/bin/setup-lvs.sh"): "/opt/ic/bin/setup-lvs.sh", Label("boundary-guestos/opt/ic/bin/setup-nftables.sh"): "/opt/ic/bin/setup-nftables.sh", - Label("boundary-guestos/opt/ic/bin/setup-prober.sh"): "/opt/ic/bin/setup-prober.sh", Label("boundary-guestos/opt/ic/bin/setup-ssh-account-keys.sh"): "/opt/ic/bin/setup-ssh-account-keys.sh", Label("boundary-guestos/opt/ic/bin/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh", Label("boundary-guestos/opt/ic/bin/setup-var-encryption.sh"): "/opt/ic/bin/setup-var-encryption.sh", diff --git a/ic-os/components/boundary-guestos/etc/nftables.conf b/ic-os/components/boundary-guestos/etc/nftables.conf index 6bf7813027a..79d37f80f07 100644 --- a/ic-os/components/boundary-guestos/etc/nftables.conf +++ b/ic-os/components/boundary-guestos/etc/nftables.conf 
@@ -23,9 +23,7 @@ define icmp_v6_types_accept = { define ipv6_monitoring_tcp_ports = { 9100, # node-exporter - 9313, # prober 9314, # ic-gateway - 9315, # prober-wallets-exporter 9317, # vector 9321, # certificate-issuer 9323, # danted (socks proxy) diff --git a/ic-os/components/boundary-guestos/etc/prober-wallets-exporter/wallets.json b/ic-os/components/boundary-guestos/etc/prober-wallets-exporter/wallets.json deleted file mode 100644 index 9a3bb823799..00000000000 --- a/ic-os/components/boundary-guestos/etc/prober-wallets-exporter/wallets.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "wallets": [ - "2dk3q-zqaaa-aaaah-aavxa-cai", - "n4shp-zaaaa-aaaaj-aacga-cai", - "a2dw6-kqaaa-aaaai-aavca-cai", - "ajjwl-maaaa-aaaaj-qacda-cai", - "n56qd-taaaa-aaaai-qavea-cai", - "4bxpk-jqaaa-aaaah-qcbdq-cai", - "mgjb5-vaaaa-aaaae-qaatq-cai", - "msbyc-6qaaa-aaaag-aaaaa-cai", - "aiojb-fqaaa-aaaad-aaapa-cai", - "arrrn-6aaaa-aaaag-qaaaa-cai", - "yhbhp-yyaaa-aaaad-qaxmq-cai", - "2vstd-2aaaa-aaaac-aaaaa-cai", - "p3mxl-tyaaa-aaaak-qaaaa-cai", - "mdsda-zqaaa-aaaab-aaa6q-cai", - "242h5-wqaaa-aaaae-aaf2a-cai", - "d7tp4-2iaaa-aaaaf-qaerq-cai", - "ym3xe-paaaa-aaaaf-aaasq-cai", - "2b2k4-rqaaa-aaaaa-qaatq-cai", - "rrh7r-yyaaa-aaaab-qadwa-cai", - "wwc2m-2qaaa-aaaac-qaaaa-cai", - "dy46e-tiaaa-aaaak-aaaaa-cai" - ] -} diff --git a/ic-os/components/boundary-guestos/etc/prober/ic_public_key.pem b/ic-os/components/boundary-guestos/etc/prober/ic_public_key.pem deleted file mode 100644 index 21ccf24074f..00000000000 --- a/ic-os/components/boundary-guestos/etc/prober/ic_public_key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIGCMB0GDSsGAQQBgtx8BQMBAgEGDCsGAQQBgtx8BQMCAQNhAIFMDm7HH6tYOwi9 -gTc8JVw8NxsuhIY8mKTx4It0I10U+12cDNVG2WhfkToMCyzFNBWDv0tDkuRn25bW -W5u0y3FxEvhHLg1aTRRQX/10hLASkQkcX4e5iINGP5gJGguqrg== ------END PUBLIC KEY----- 
diff --git a/ic-os/components/boundary-guestos/etc/prober/wallets.json b/ic-os/components/boundary-guestos/etc/prober/wallets.json deleted file mode 100644 index 5215c2cf353..00000000000 --- a/ic-os/components/boundary-guestos/etc/prober/wallets.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "subnet": { - "gmq5v-hbozq-uui6y-o55wc-ihop3-562wb-3qspg-nnijg-npqp5-he3cj-3ae": "2dk3q-zqaaa-aaaah-aavxa-cai", - "qdvhd-os4o2-zzrdw-xrcv4-gljou-eztdp-bj326-e6jgr-tkhuc-ql6v2-yqe": "n4shp-zaaaa-aaaaj-aacga-cai", - "brlsh-zidhj-3yy3e-6vqbz-7xnih-xeq2l-as5oc-g32c4-i5pdn-2wwof-oae": "a2dw6-kqaaa-aaaai-aavca-cai", - "jtdsg-3h6gi-hs7o5-z2soi-43w3z-soyl3-ajnp3-ekni5-sw553-5kw67-nqe": "ajjwl-maaaa-aaaaj-qacda-cai", - "mpubz-g52jc-grhjo-5oze5-qcj74-sex34-omprz-ivnsm-qvvhr-rfzpv-vae": "n56qd-taaaa-aaaai-qavea-cai", - "pjljw-kztyl-46ud4-ofrj6-nzkhm-3n4nt-wi3jt-ypmav-ijqkt-gjf66-uae": "4bxpk-jqaaa-aaaah-qcbdq-cai", - "ejbmu-grnam-gk6ol-6irwa-htwoj-7ihfl-goimw-hlnvh-abms4-47v2e-zqe": "mgjb5-vaaaa-aaaae-qaatq-cai", - "lspz2-jx4pu-k3e7p-znm7j-q4yum-ork6e-6w4q6-pijwq-znehu-4jabe-kqe": "msbyc-6qaaa-aaaag-aaaaa-cai", - "io67a-2jmkw-zup3h-snbwi-g6a5n-rm5dn-b6png-lvdpl-nqnto-yih6l-gqe": "aiojb-fqaaa-aaaad-aaapa-cai", - "lhg73-sax6z-2zank-6oer2-575lz-zgbxx-ptudx-5korm-fy7we-kh4hl-pqe": "arrrn-6aaaa-aaaag-qaaaa-cai", - "5kdm2-62fc6-fwnja-hutkz-ycsnm-4z33i-woh43-4cenu-ev7mi-gii6t-4ae": "yhbhp-yyaaa-aaaad-qaxmq-cai", - "4zbus-z2bmt-ilreg-xakz4-6tyre-hsqj4-slb4g-zjwqo-snjcc-iqphi-3qe": "2vstd-2aaaa-aaaac-aaaaa-cai", - "opn46-zyspe-hhmyp-4zu6u-7sbrh-dok77-m7dch-im62f-vyimr-a3n2c-4ae": "p3mxl-tyaaa-aaaak-qaaaa-cai", - "qxesv-zoxpm-vc64m-zxguk-5sj74-35vrb-tbgwg-pcird-5gr26-62oxl-cae": "mdsda-zqaaa-aaaab-aaa6q-cai", - "shefu-t3kr5-t5q3w-mqmdq-jabyv-vyvtf-cyyey-3kmo4-toyln-emubw-4qe": "242h5-wqaaa-aaaae-aaf2a-cai", - "csyj4-zmann-ys6ge-3kzi6-onexi-obayx-2fvak-zersm-euci4-6pslt-lae": "d7tp4-2iaaa-aaaaf-qaerq-cai", - "eq6en-6jqla-fbu5s-daskr-h6hx2-376n5-iqabl-qgrng-gfqmv-n3yjr-mqe": "ym3xe-paaaa-aaaaf-aaasq-cai", - "snjp4-xlbw4-mnbog-ddwy6-6ckfd-2w5a2-eipqo-7l436-pxqkh-l6fuv-vae": "2b2k4-rqaaa-aaaaa-qaatq-cai", - "pae4o-o6dxf-xki7q-ezclx-znyd6-fnk6w-vkv5z-5lfwh-xym2i-otrrw-fqe": "rrh7r-yyaaa-aaaab-qadwa-cai", - 
"w4asl-4nmyj-qnr7c-6cqq4-tkwmt-o26di-iupkq-vx4kt-asbrx-jzuxh-4ae": "wwc2m-2qaaa-aaaac-qaaaa-cai", - "k44fs-gm4pv-afozh-rs7zw-cg32n-u7xov-xqyx3-2pw5q-eucnu-cosd4-uqe": "dy46e-tiaaa-aaaak-aaaaa-cai" - } -} diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/prober-wallets-exporter.service b/ic-os/components/boundary-guestos/etc/systemd/system/prober-wallets-exporter.service deleted file mode 100644 index 7c38e182ede..00000000000 --- a/ic-os/components/boundary-guestos/etc/systemd/system/prober-wallets-exporter.service +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -Description=Boundary Node Prober Wallets Exporter -After=network-online.target -Wants=network-online.target -After=setup-prober.service -BindsTo=setup-prober.service - -[Service] -User=prober -Group=prober -Restart=always -ExecStart=/opt/ic/bin/ic-balance-exporter \ - --wallets-path "/etc/prober-wallets-exporter/wallets.json" \ - --identity-path "/run/ic-node/etc/prober/identity.pem" \ - --root-key-path "/run/ic-node/etc/prober/root_key.der" \ - --scrape-interval "1m" \ - --metrics-addr "[::]:9315" - -[Install] -WantedBy=multi-user.target diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/prober.service b/ic-os/components/boundary-guestos/etc/systemd/system/prober.service deleted file mode 100644 index 99c8d697aa1..00000000000 --- a/ic-os/components/boundary-guestos/etc/systemd/system/prober.service +++ /dev/null 
@@ -1,22 +0,0 @@ -[Unit] -Description=Boundary Node Prober -After=network-online.target -Wants=network-online.target -After=setup-prober.service -BindsTo=setup-prober.service - -[Service] -User=prober -Group=prober -Restart=always -ExecStart=/opt/ic/bin/boundary-node-prober \ - --routes-dir "/var/cache/ic_routes" \ - --wallets-path "/etc/prober/wallets.json" \ - --identity-path "/run/ic-node/etc/prober/identity.pem" \ - --root-key-path "/run/ic-node/etc/prober/root_key.der" \ - --canister-ttl "24h" \ - --probe-interval "1m" \ - --metrics-addr "[::]:9313" - -[Install] -WantedBy=multi-user.target diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/setup-prober.service b/ic-os/components/boundary-guestos/etc/systemd/system/setup-prober.service deleted file mode 100644 index 1acb7016ca6..00000000000 --- a/ic-os/components/boundary-guestos/etc/systemd/system/setup-prober.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Setup Prober -DefaultDependencies=no -After=bootstrap-ic-node.service -Requires=bootstrap-ic-node.service - -[Service] -Type=oneshot -RemainAfterExit=true -ExecCondition=/opt/ic/bin/setup-prober.sh -ExecStart=/usr/bin/true diff --git a/ic-os/components/boundary-guestos/opt/ic/bin/bootstrap-ic-node.sh b/ic-os/components/boundary-guestos/opt/ic/bin/bootstrap-ic-node.sh index 6e742e8dffb..deabab10808 100755 --- a/ic-os/components/boundary-guestos/opt/ic/bin/bootstrap-ic-node.sh +++ b/ic-os/components/boundary-guestos/opt/ic/bin/bootstrap-ic-node.sh @@ -71,7 +71,6 @@ function process_bootstrap() { nns_public_key.pem nns.conf pre_isolation_canisters.txt - prober_identity.pem ) for FILE in ${FILES[@]}; do diff --git a/ic-os/components/boundary-guestos/opt/ic/bin/setup-prober.sh b/ic-os/components/boundary-guestos/opt/ic/bin/setup-prober.sh deleted file mode 100644 index a8b2bcc9ef2..00000000000 --- a/ic-os/components/boundary-guestos/opt/ic/bin/setup-prober.sh +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/bash - -set -euox pipefail -source '/opt/ic/bin/helpers.shlib' -source '/opt/ic/bin/exec_condition.shlib' - -readonly IDENTITY_PEM="${BOOT_DIR}/prober_identity.pem" - -readonly RUN_DIR='/run/ic-node/etc/prober' -readonly ROOT_KEY="${RUN_DIR}/root_key.der" - -function read_variables() { - if [[ ! -d "${BOOT_DIR}" ]]; then - err "missing prober configuration directory: ${BOOT_DIR}" - exit 1 - fi - - check_nns_pem -} - -function generate_prober_config() { - if [ ! -f "${IDENTITY_PEM}" ]; then - echo "missing prober identity: ${IDENTITY_PEM}, disabling prober" - disable - return - fi - - # Create config dir - mkdir -p "${RUN_DIR}" - - # Setup prober identity - cp "${IDENTITY_PEM}" "${RUN_DIR}/identity.pem" - - # Setup network key - get_nns_der >"${ROOT_KEY}" -} - -function main() { - read_variables - generate_prober_config -} - -main "$@" diff --git a/publish/binaries/BUILD.bazel b/publish/binaries/BUILD.bazel index 0837ad93175..1f4b2cbddf9 100644 --- a/publish/binaries/BUILD.bazel +++ b/publish/binaries/BUILD.bazel @@ -10,11 +10,9 @@ ALL_BINARIES = { "compiler_sandbox": "//rs/canister_sandbox:compiler_sandbox", "ic-btc-adapter": "//rs/bitcoin/adapter:ic-btc-adapter", "replica": "//rs/replica:replica", - "boundary-node-prober": "//rs/boundary_node/prober:boundary-node-prober", "certificate-issuer": "//rs/boundary_node/certificate_issuance/certificate_issuer:certificate-issuer", "ic-admin": "//rs/registry/admin:ic-admin", "ic-backup": "//rs/backup:ic-backup", - "ic-balance-exporter": "//rs/boundary_node/ic_balance_exporter:ic-balance-exporter", "ic-boundary": "//rs/boundary_node/ic_boundary:ic-boundary", "ic-boundary-tls": "//rs/boundary_node/ic_boundary:ic-boundary-tls", "ic-starter": "//rs/starter:ic-starter", From 184d25b1f9b43c83903c00ebca1461165c7aaf8e Mon Sep 17 00:00:00 2001 
From: Carly Gundy <47304080+cgundy@users.noreply.github.com> Date: Wed, 2 Oct 2024 16:49:20 +0200 Subject: [PATCH 2/2] fix(IDX): fix run-build-ic (#1804) Co-authored-by: IDX GitHub Automation --- .github/workflows-source/ci-main.yml | 2 +- .github/workflows/ci-main.yml | 2 +- ci/scripts/run-build-ic.sh | 7 +++++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows-source/ci-main.yml b/.github/workflows-source/ci-main.yml index b404f48b696..92b1d540d7f 100644 --- a/.github/workflows-source/ci-main.yml +++ b/.github/workflows-source/ci-main.yml @@ -259,7 +259,7 @@ jobs: rm -rf "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}" env: BAZEL_COMMAND: "build" - RUN_ON_DIFF_ONLY: ${{ !contains(github.event.pull_request.labels.*.name, 'CI_ALL_BAZEL_TARGETS') }} + RUN_ON_DIFF_ONLY: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'CI_ALL_BAZEL_TARGETS') }} MERGE_BASE_SHA: ${{ github.event.pull_request.base.sha }} - name: Upload build-ic.tar uses: actions/upload-artifact@v4 diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml index 2cffbb5498b..089f234b7ce 100644 --- a/.github/workflows/ci-main.yml +++ b/.github/workflows/ci-main.yml @@ -345,7 +345,7 @@ jobs: rm -rf "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}" env: BAZEL_COMMAND: "build" - RUN_ON_DIFF_ONLY: ${{ !contains(github.event.pull_request.labels.*.name, 'CI_ALL_BAZEL_TARGETS') }} + RUN_ON_DIFF_ONLY: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'CI_ALL_BAZEL_TARGETS') }} MERGE_BASE_SHA: ${{ github.event.pull_request.base.sha }} - name: Upload build-ic.tar uses: actions/upload-artifact@v4 diff --git a/ci/scripts/run-build-ic.sh b/ci/scripts/run-build-ic.sh index e90dc207147..ae970e7bd16 100755 --- a/ci/scripts/run-build-ic.sh +++ b/ci/scripts/run-build-ic.sh 
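Review bot: The new `github.event_name == 'pull_request' &&` guard on `RUN_ON_DIFF_ONLY` carries no comment saying why it is there, and the identical expression is changed in both `.github/workflows-source/ci-main.yml` and `.github/workflows/ci-main.yml`. On events other than pull_request the old expression evaluated to true while `MERGE_BASE_SHA` on the following line is empty, so a comment such as `# diff-only builds need a PR merge base; every other event does a full build` above the line would record the reason. If `.github/workflows/ci-main.yml` is generated from the workflows-source copy, saying so at the top of the generated file would keep the two from drifting apart.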
@@ -18,9 +18,8 @@ done # run build with release on protected branches or if a pull_request is targeting an rc branch if [ "${IS_PROTECTED_BRANCH:-}" == "true" ] || [[ "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:-}" == "rc--"* ]]; then ci/container/build-ic.sh -i -c -b -fi # check if the job requested running only on diff, otherwise run full build with no release -if [[ "${RUN_ON_DIFF_ONLY:-}" == "true" ]]; then +elif [[ "${RUN_ON_DIFF_ONLY:-}" == "true" ]]; then TARGETS=$(ci/bazel-scripts/diff.sh) ARGS=(--no-release) @@ -39,6 +38,10 @@ if [[ "${RUN_ON_DIFF_ONLY:-}" == "true" ]]; then fi if [ ${#ARGS[@]} -eq 1 ]; then + if [ "${IS_PROTECTED_BRANCH:-}" == "true" ]; then + echo "Error: No changes to build on protected branch. Aborting." + exit 1 + fi echo "No changes that require building IC-OS, binaries or canisters." touch build-ic.tar exit 0
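Review bot: The added `IS_PROTECTED_BRANCH` check in the second hunk looks unreachable. The first hunk turns the diff-only block into an `elif` of `if [ "${IS_PROTECTED_BRANCH:-}" == "true" ] || …`, so if `if [ ${#ARGS[@]} -eq 1 ]` sits inside that `elif` branch (the indentation is not visible here, but `ARGS` is set in that branch), `IS_PROTECTED_BRANCH` can never be `true` when the new test runs. Either drop the check or move the guard to a place where a protected-branch build can actually end up with nothing to build. If it stays, the message belongs on stderr: `echo "Error: No changes to build on protected branch. Aborting." >&2`. Both `if` blocks close outside the hunk.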