wip

Author: 0x416e746f6e

Makefile

@@ -42,11 +42,11 @@ preflight:
 
 # Build module
 build: check-perms setup ## Build the specified module
-	$(WRAPPER) mkosi --force -I $(IMAGE).conf
+	time $(WRAPPER) mkosi --force -I $(IMAGE).conf
 
 # Build module with devtools profile
 build-dev: check-perms setup ## Build module with development tools
-	$(WRAPPER) mkosi --force --profile=devtools -I $(IMAGE).conf
+	time $(WRAPPER) mkosi --force --profile=devtools -I $(IMAGE).conf
 
 ##@ Utilities
 
@@ -60,31 +60,28 @@ check-repro: ## Build same module twice and compare resulting images
 	@sleep 15
 
 	@echo "Building image #1..."
-	$(WRAPPER) mkosi --force -I $(IMAGE).conf
-	@cp -r build build.1
+	time $(WRAPPER) mkosi --force -I $(IMAGE).conf
+	@mkdir -p build/cache
+	@mv mkosi.builddir/* build/cache/
+	@mv build build.1
 
 	@rm -rf build/* mkosi.builddir/* mkosi.cache/* mkosi.packages/*
 #	hack:  there's some race condition under lima that causes apt to fail while trying to
 #	       create a temp dir under apt cache
 	@sleep 15
 
 	@echo "Building image #2..."
-	$(WRAPPER) mkosi --force -I $(IMAGE).conf
-	@cp -r build build.2
+	time $(WRAPPER) mkosi --force -I $(IMAGE).conf
+	@mkdir -p build/cache
+	@mv mkosi.builddir/* build/cache/
+	@mv build build.2
 
 	@echo "Comparing..."
-
-	@echo ""
-	@sha256sum build.1/tdx-debian.vmlinuz
-	@sha256sum build.2/tdx-debian.vmlinuz
-
-	@echo ""
-	@sha256sum build.1/tdx-debian.initrd
-	@sha256sum build.2/tdx-debian.initrd
-
-	@echo ""
-	@sha256sum build.1/tdx-debian.efi
-	@sha256sum build.2/tdx-debian.efi
+	@for file in $$( find build.1 -type f ); do \
+		sha256sum $$file; \
+		sha256sum $${file/build1/build.2}; \
+		echo ""; \
+	done
 
 measure: ## Export TDX measurements for the built EFI file
 	@if [ ! -f build/tdx-debian.efi ]; then \

README.md

@@ -26,7 +26,10 @@ For more information about this repository, see
 
 ### Prerequisites
 
-In order to build images, you'll need to install [Lima](https://lima-vm.io/) for your operating system. Building images without Lima is possible, but due to inconsistencies between distributions, it is not supported for generating official reproducible images.
+In order to build images, you'll need to install [Lima](https://lima-vm.io/) for
+your operating system. Building images without Lima is possible, but due to
+inconsistencies between distributions, it is not supported for generating
+official reproducible images.
 
 ### Building Images
 
@@ -94,7 +97,7 @@ This generates measurement files in the `build/` directory for attestation and v
   ```
 
 > [!NOTE]
-> 
+>
 > Depending on your Linux distro, these commands may require changing the
 > supplied OVMF paths or installing your distro's OVMF package.
 

l2-builder.conf

@@ -0,0 +1,6 @@
+[Include]
+Include=base/mkosi.conf
+Include=l2/l2-builder.conf
+
+[Config]
+Profiles=gcp

l2/_op_rbuilder/mkosi.build

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+ENV_YAML="$SRCDIR/l2/_op_rbuilder/mkosi.extra/etc/flashbots/op-rbuilder.yaml"
+
+RUST_VERSION=$(mkosi-chroot yq -r .rust.version < "$ENV_YAML")
+
+OP_RBUILDER_REF=$(mkosi-chroot yq -r .op_rbuilder.git_reference < "$ENV_YAML")
+TDX_QUOTE_PROVIDER_REF=$(mkosi-chroot yq -r .tdx_quote_provider.git_reference < "$ENV_YAML")
+RPROXY_REF=$(mkosi-chroot yq -r .rproxy.git_reference < "$ENV_YAML")
+NODE_HEALTHCHECKER_REF=$(mkosi-chroot yq -r .node_healthchecker.git_reference < "$ENV_YAML")
+
+export RUSTUP_HOME="/rustup"
+export CARGO_HOME="/cargo"
+mkosi-chroot rustup toolchain install $RUST_VERSION
+mkosi-chroot rustup default $RUST_VERSION
+export PATH="$CARGO_HOME/bin:$PATH"
+
+source scripts/make_git_package.sh
+source scripts/build_rust_package.sh
+
+# build op-rbuilder
+
+if [ -f "l2/_op_rbuilder/mkosi.extra/usr/bin/op-rbuilder" ]; then
+    echo "Using pre-built op-rbuilder binary"
+else
+    build_rust_package \
+        "op-rbuilder" \
+        "${OP_RBUILDER_REF}" \
+        "https://github.com/flashbots/op-rbuilder.git" \
+        "" "" "-g"
+fi
+
+# build tdx-quote-provider
+
+if [ -f "l2/_op_rbuilder/mkosi.extra/usr/bin/tdx-quote-provider" ]; then
+    echo "Using pre-built tdx-quote-provider binary"
+else
+    build_rust_package \
+        "tdx-quote-provider" \
+        "${TDX_QUOTE_PROVIDER_REF}" \
+        "https://github.com/flashbots/op-rbuilder.git" \
+        "" "" "-g"
+fi
+
+# build rproxy
+
+if [ -f "l2/_op_rbuilder/mkosi.extra/usr/bin/rproxy" ]; then
+    echo "Using pre-built rproxy binary"
+else
+    make_git_package \
+        "rproxy" \
+        "${RPROXY_REF}" \
+        "https://github.com/flashbots/rproxy.git" \
+        'TARGET=x86_64-unknown-linux-gnu ./build.sh' \
+        "target/x86_64-unknown-linux-gnu/release/rproxy:/usr/bin/rproxy"
+    chmod +x $DESTDIR/usr/bin/rproxy
+fi
+
+# build node-healthchecker
+
+if [ -f "l2/mkosi.extra/usr/bin/node-healthchecker" ]; then
+    echo "Using pre-built node-healthchecker binary"
+else
+    make_git_package \
+        "node-healthchecker" \
+        "${NODE_HEALTHCHECKER_REF}" \
+        "https://github.com/flashbots/node-healthchecker.git" \
+        'go build -trimpath -ldflags "-s -w -X main.version=${NODE_HEALTHCHECKER_REF} -buildid=" -o ./bin/node-healthchecker github.com/flashbots/node-healthchecker/cmd' \
+        "bin/node-healthchecker:/usr/bin/node-healthchecker"
+    chmod +x $DESTDIR/usr/bin/node-healthchecker
+fi

l2/_op_rbuilder/mkosi.conf

@@ -0,0 +1,17 @@
+[Build]
+WithNetwork=true
+
+[Content]
+BuildScripts=l2/_op_rbuilder/mkosi.build
+ExtraTrees=l2/_op_rbuilder/mkosi.extra
+PostInstallationScripts=l2/_op_rbuilder/mkosi.postinst
+
+Packages=libtss2-dev
+         sudo
+         unzip
+
+BuildPackages=golang
+              libssl-dev
+              rustup
+              unzip
+              yq

l2/_op_rbuilder/mkosi.extra/etc/default/prometheus-node-exporter

@@ -0,0 +1,7 @@
+# Set the command-line arguments to pass to the server.
+ARGS="\
+--collector.systemd \
+--collector.systemd.unit-include=\".*(node-healthchecker|op-rbuilder|prometheus-node-exporter|prometheus-process-exporter|rproxy|vault-agent).*\" \
+--log.format=json \
+--web.listen-address=0.0.0.0:9100 \
+"

l2/_op_rbuilder/mkosi.extra/etc/flashbots/op-rbuilder.yaml

@@ -0,0 +1,14 @@
+rust:
+  version: 1.91.1
+
+node_healthchecker:
+  git_reference: v0.1.11
+
+op_rbuilder:
+  git_reference: op-rbuilder/v0.2.9
+
+rproxy:
+  git_reference: v0.0.6
+
+tdx_quote_provider:
+  git_reference: tdx-quote-provider/v0.1.0

l2/_op_rbuilder/mkosi.extra/etc/prometheus-process-exporter/config.yaml

@@ -0,0 +1,13 @@
+process_names:
+  - name: node-healthchecker
+    cmdline:
+      - '^\/([-.0-9a-zA-Z]+\/)*node-healthchecker[-.0-9a-zA-Z]* '
+  - name: op-rbuilder
+    cmdline:
+      - '^\/([-.0-9a-zA-Z]+\/)*op-rbuilder[-.0-9a-zA-Z]* '
+  - name: rproxy
+    cmdline:
+      - '^\/([-.0-9a-zA-Z]+\/)*rproxy[-.0-9a-zA-Z]* '
+  - name: vault-agent
+    cmdline:
+      - '^\/([-.0-9a-zA-Z]+\/)*vault[-.0-9a-zA-Z]* '

l2/_op_rbuilder/mkosi.extra/etc/sysconfig/automount-data.env

@@ -0,0 +1 @@
+AUTOMOUNT_PATH_DATA=/var/opt/optimism

l2/_op_rbuilder/mkosi.extra/etc/systemd/system/node-healthchecker.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Blockchain node healthchecker
+After=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+SyslogIdentifier=node-healthchecker
+User=op-rbuilder
+Group=optimism
+
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+
+ExecStart=/usr/bin/node-healthchecker serve \
+    --healthcheck-block-age-threshold 10s \
+    --healthcheck-timeout 500ms \
+    --healthcheck-reth-base-url http://127.0.0.1:18645 \
+    --healthcheck-unconditional-fail-duration 1m \
+    --http-status-warning 200 \
+    --server-listen-address 0.0.0.0:8080
+
+[Install]
+WantedBy=default.target