packaging updates (#3974)

* packaging updates

* one package per binary (nimbus_beacon_node, nimbus_validator_client)
* use `-` in package name (`_` is separating the version)
* don't include (un)installation scripts in package
* default metrics port 8108 for vc
* fix several upgrade/install errors in scripts
* add JWT option to service files
* don't attempt to remove user on purge

.github/workflows/release.yml

@@ -61,7 +61,9 @@ jobs:
         with:
           ruby-version: '3.1' # Not needed with a .ruby-version file
       - name: Create RPM/DEB
-        run: scripts/make_packages.sh -t dist/*.tar.gz --install-fpm
+        run: |
+          scripts/make_packages.sh -b nimbus_beacon_node -t dist/*.tar.gz --install-fpm
+          scripts/make_packages.sh -b nimbus_validator_client -t dist/*.tar.gz --install-fpm
       - name: Upload DEB
         uses: actions/upload-artifact@v3
         with:
@@ -133,7 +135,9 @@ jobs:
         with:
           ruby-version: '3.1' # Not needed with a .ruby-version file
       - name: Create RPM/DEB
-        run: scripts/make_packages.sh -t dist/*.tar.gz --install-fpm
+        run: |
+          scripts/make_packages.sh -b nimbus_beacon_node -t dist/*.tar.gz --install-fpm
+          scripts/make_packages.sh -b nimbus_validator_client -t dist/*.tar.gz --install-fpm
       - name: Upload DEB
         uses: actions/upload-artifact@v3
         with:
@@ -205,7 +209,9 @@ jobs:
         with:
           ruby-version: '3.1' # Not needed with a .ruby-version file
       - name: Create RPM/DEB
-        run: scripts/make_packages.sh -t dist/*.tar.gz --install-fpm
+        run: |
+          scripts/make_packages.sh -b nimbus_beacon_node -t dist/*.tar.gz --install-fpm
+          scripts/make_packages.sh -b nimbus_validator_client -t dist/*.tar.gz --install-fpm
       - name: Upload DEB
         uses: actions/upload-artifact@v3
         with:

beacon_chain/conf.nim

@@ -841,7 +841,7 @@ type
 
     metricsPort* {.
       desc: "Listening HTTP port of the metrics server"
-      defaultValue: 8008
+      defaultValue: 8108
       name: "metrics-port" .}: Port
 
     graffiti* {.

scripts/.gitignore

@@ -1,3 +1,4 @@
 *.rpm
 *.deb
+package_image
 

scripts/make_packages.sh

@@ -26,10 +26,11 @@ if [ ${PIPESTATUS[0]} != 4 ]; then
   exit 1
 fi
 
-OPTS="ht:"
-LONGOPTS="help,tarball:,install-fpm"
+OPTS="hb:t:"
+LONGOPTS="help,binary:,tarball:,install-fpm"
 
 # default values
+BINARY=""
 TARBALL=""
 PKG_ARCH=""
 
@@ -38,6 +39,7 @@ print_help() {
 Usage: $(basename "$0") --tarball dist/nimbus-eth2_Linux_amd64_1.5.4_382be3fd.tar.gz
 
   -h, --help                  this help message
+  -b, --binary                which binary to package (nimbus_beacon_node, nimbus_validator_client, ...)
   -t, --tarball               tarball produced by "make dist-..."
   --install-fpm               install the appropriate fpm version with "gem'
 EOF
@@ -57,6 +59,10 @@ while true; do
       print_help
       exit
       ;;
+    -b|--binary)
+      BINARY="$2"
+      shift 2
+      ;;
     -t|--tarball)
       TARBALL="$2"
       shift 2
@@ -96,14 +102,16 @@ case "${TARBALL}" in
 esac
 
 SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")"
-PKG_NAME="nimbus_beacon_node"
-PKG_IMG_DIR="${SCRIPT_DIR}/package_image"
-BINARIES="nimbus_beacon_node"
+PKG_NAME="$(echo ${BINARY} | tr '_' '-')"
+PKG_IMG_DIR="${SCRIPT_DIR}/package_image/${BINARY}"
+PKG_SRC_DIR="${SCRIPT_DIR}/package_src/${BINARY}"
 PKG_VERSION="$(echo "${TARBALL}" | sed 's/^.*_\([^_]\+\)_[^_]\+$/\1/')"
 TARBALL_TOP_DIR="$(echo "${TARBALL}" | sed 's#^.*/\([^/]\+\)\.tar\.gz$#\1#')"
 PKG_PATH_DEB="${SCRIPT_DIR}/../dist/${PKG_NAME}_${PKG_VERSION}_${PKG_ARCH_DEB}.deb"
 PKG_PATH_RPM="${SCRIPT_DIR}/../dist/${PKG_NAME}_${PKG_VERSION}_${PKG_ARCH_RPM}.rpm"
 
+[ -d $PKG_SRC_DIR ] || { echo Unsupported binary "${BINARY}"; exit 1; }
+
 FPM_VERSION=1.14.2
 if [[ "$(fpm -v)" != "$FPM_VERSION" ]] ; then
   if [[ "$INSTALL_FPM" == "1" ]] ; then
@@ -118,12 +126,12 @@ EOF
   fi
 fi
 
+rm -rf  "${PKG_IMG_DIR}"
 BIN_DIR="${PKG_IMG_DIR}/usr/bin"
 rm -rf "${BIN_DIR}"
 mkdir -p "${BIN_DIR}"
-for BINARY in ${BINARIES}; do
-  tar -xzf "${TARBALL}" --strip-components 2 -C "${BIN_DIR}" "${TARBALL_TOP_DIR}/build/${BINARY}"
-done
+tar -xzf "${TARBALL}" --strip-components 2 -C "${BIN_DIR}" "${TARBALL_TOP_DIR}/build/${BINARY}"
+cp -ar ${PKG_SRC_DIR}/image/* ${PKG_IMG_DIR}
 
 # delete existing packages
 rm -f "${PKG_PATH_DEB}" "${PKG_PATH_RPM}"
@@ -135,14 +143,14 @@ fpm -s dir -t deb -n "${PKG_NAME}" \
   -p "${PKG_PATH_DEB}" \
   -a "${PKG_ARCH_DEB}" \
   --depends lsb-release \
-  --after-install "${PKG_IMG_DIR}/after_install" \
-  --before-remove "${PKG_IMG_DIR}/before_remove" \
-  --after-remove "${PKG_IMG_DIR}/after_remove" \
-  --after-upgrade "${PKG_IMG_DIR}/after_upgrade" \
-  --deb-after-purge "${PKG_IMG_DIR}/deb_after_purge" \
+  --after-install "${PKG_SRC_DIR}/after_install" \
+  --before-remove "${PKG_SRC_DIR}/before_remove" \
+  --after-remove "${PKG_SRC_DIR}/after_remove" \
+  --after-upgrade "${PKG_SRC_DIR}/after_upgrade" \
+  --deb-after-purge "${PKG_SRC_DIR}/deb_after_purge" \
   --license "Apache 2.0 + MIT" \
   --maintainer "The Nimbus Team" \
-  --description "Nimbus Beacon Chain / Ethereum Consensus client" \
+  --description "$(cat ${PKG_SRC_DIR}/description)" \
   --url "https://nimbus.team/" \
   2>/dev/null
 
@@ -152,13 +160,13 @@ fpm -s dir -t rpm -n "${PKG_NAME}" \
   -p "${PKG_PATH_RPM}" \
   -a "${PKG_ARCH_RPM}" \
   --depends redhat-lsb-core \
-  --after-install "${PKG_IMG_DIR}/after_install" \
-  --before-remove "${PKG_IMG_DIR}/before_remove" \
-  --after-remove "${PKG_IMG_DIR}/after_remove" \
-  --after-upgrade "${PKG_IMG_DIR}/after_upgrade" \
+  --after-install "${PKG_SRC_DIR}/after_install" \
+  --before-remove "${PKG_SRC_DIR}/before_remove" \
+  --after-remove "${PKG_SRC_DIR}/after_remove" \
+  --after-upgrade "${PKG_SRC_DIR}/after_upgrade" \
   --license "Apache 2.0 + MIT" \
   --maintainer "The Nimbus Team" \
-  --description "Nimbus Beacon Chain / Ethereum Consensus client" \
+  --description "$(cat ${PKG_SRC_DIR}/description)" \
   --url "https://nimbus.team/" \
   2>/dev/null
 

scripts/package_image/after_upgrade

@@ -1,6 +0,0 @@
-#!/bin/sh
-
-set -e
-
-systemctl is-active --quiet nimbus_beacon_node.service &&
-  echo "Nimbus has been upgraded, don't forget to restart with 'sudo systemctl restart nimbus_beacon_node.service'!"

scripts/package_image/before_remove

@@ -1,6 +0,0 @@
-#!/bin/sh
-
-set -e
-
-systemctl stop 'nimbus_beacon_node.service'
-systemctl disable 'nimbus_beacon_node.service'

scripts/package_image/deb_after_purge

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-set -e
-
-rm -rf /var/lib/nimbus
-
-if id -u nimbus > /dev/null 2>&1; then
-  userdel nimbus # userdel will also delete the nimbus group
-fi

scripts/package_src/nimbus_beacon_node/after_install

@@ -6,13 +6,12 @@ DISTRO=$(lsb_release -si)
 if ! id -u nimbus > /dev/null 2>&1; then
   case $DISTRO in
     Ubuntu|Debian)
+      # Debian uses `adduser` to create user...
       adduser --system --no-create-home --group nimbus
       ;;
-    Fedora|CentOS*|RedHat*|Scientific|Amazon*|Oracle*)
-      adduser --system --no-create-home --user-group nimbus
-      ;;
-    *) # blind shot... ToDo: add more DISTRO cases here
-      adduser --system --no-create-home --group nimbus
+    *)
+      # ... while `useradd` is more standard
+      useradd --system --no-create-home --user-group nimbus
       ;;
   esac
 fi

scripts/package_src/nimbus_beacon_node/after_upgrade

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+( systemctl is-active --quiet nimbus_beacon_node.service && \
+  echo "Nimbus has been upgraded, don't forget to restart with 'sudo systemctl restart nimbus_beacon_node.service'!" ) || true

scripts/package_src/nimbus_beacon_node/before_remove

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+SERVICE_NAME="nimbus_beacon_node"
+
+if systemctl --all --type service | grep -q "$SERVICE_NAME"; then
+  systemctl stop "$SERVICE_NAME"
+  systemctl disable "$SERVICE_NAME"
+fi
+

scripts/package_src/nimbus_beacon_node/deb_after_purge

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+rm -rf /var/lib/nimbus
+
+# https://wiki.debian.org/AccountHandlingInMaintainerScripts argues "mostly"
+# that users should not be removed, as do several debian bug debates that have
+# been ongoing since forever. Fedora is clear on the topic: don't remove
+# https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Allocation_Strategies
+if id -u `nimbus` > /dev/null 2>&1; then
+  echo User `nimbus` needs to be removed manually
+fi

scripts/package_src/nimbus_beacon_node/description

@@ -0,0 +1 @@
+Nimbus Beacon Node / Ethereum Consensus client

scripts/package_src/nimbus_beacon_node/image/lib/systemd/system/nimbus_beacon_node.service

@@ -4,9 +4,11 @@
 # Environment="WEB3_URL=wss://provider/"
 #
 # To completely override the start command (to add custom parameters such as
-# graffiti), override the `ExecStart` value instead:
+# graffiti), override the `ExecStart` value instead by first emptying it, then
+# specifying a new one:
 #
 # [Service]
+# ExecStart=
 # ExecStart=/usr/bin/nimbus_beacon_node --network=${NETWORK} \
 #  --data-dir="${DATA_DIR_PREFIX}/shared_${NETWORK}_${NODE_ID}" \
 #  --graffiti=123
@@ -27,8 +29,10 @@ Environment=NETWORK=mainnet
 
 # You need to have have access to an execution client - by default, we assume
 # a compatible execution client is running on the same machine on the default
-# websocket port.
+# websocket port. Make sure to supply the right path to the JWT secret.
+
 Environment=WEB3_URL=ws://127.0.0.1:8546
+Environment=JWT_SECRET=/tmp/jwtsecret
 
 # Where to store chain data
 Environment=DATA_DIR_PREFIX=/var/lib/nimbus
@@ -60,4 +64,5 @@ ExecStart=/usr/bin/nimbus_beacon_node \
   --udp-port=${UDP_PORT} \
   --rest=${REST_ENABLED} --rest-port=${REST_PORT} \
   --metrics=${METRICS_ENABLED} --metrics-port=${METRICS_PORT} \
-  --web3-url=${WEB3_URL}
+  --web3-url=${WEB3_URL} \
+  --jwt-secret=${JWT_SECRET}

scripts/package_src/nimbus_validator_client/after_install

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+DISTRO=$(lsb_release -si)
+if ! id -u nimbus > /dev/null 2>&1; then
+  case $DISTRO in
+    Ubuntu|Debian)
+      # Debian uses `adduser` to create user...
+      adduser --system --no-create-home --group nimbus
+      ;;
+    *)
+      # ... while `useradd` is more standard
+      useradd --system --no-create-home --user-group nimbus
+      ;;
+  esac
+fi
+
+mkdir -p /var/lib/nimbus
+chown nimbus:nimbus /var/lib/nimbus
+
+systemctl daemon-reload

scripts/package_src/nimbus_validator_client/after_remove

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+# We don't do anything here since a normal "uninstall" should generally not
+# remove data - debian has "purge" to deal with this, others don't.

scripts/package_src/nimbus_validator_client/after_upgrade

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+( systemctl is-active --quiet nimbus_validator_client.service && \
+  echo "Nimbus has been upgraded, don't forget to restart with 'sudo systemctl restart nimbus_validator_client.service'!" ) || true

scripts/package_src/nimbus_validator_client/before_remove

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+SERVICE_NAME="nimbus_validator_client"
+
+if systemctl --all --type service | grep -q "$SERVICE_NAME";then
+  systemctl stop "$SERVICE_NAME"
+  systemctl disable "$SERVICE_NAME"
+fi
+

scripts/package_src/nimbus_validator_client/deb_after_purge

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+# The data folder will be removed as part of uninstallin the beacon node - this
+# is not ideal, but otoh, the VC data folder is small.
+
+# https://wiki.debian.org/AccountHandlingInMaintainerScripts argues "mostly"
+# that users should not be removed, as do several debian bug debates that have
+# been ongoing since forever. Fedora is clear on the topic: don't remove
+# https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Allocation_Strategies
+if id -u `nimbus` > /dev/null 2>&1; then
+  echo User `nimbus` needs to be removed manually
+fi

scripts/package_src/nimbus_validator_client/description

@@ -0,0 +1 @@
+Nimbus Validator Client

scripts/package_src/nimbus_validator_client/image/lib/systemd/system/nimbus_validator_client.service

@@ -0,0 +1,54 @@
+# To configure the service, use `systemctl edit nimbus_beacon_node.service`
+# and override the environment variables in this file:
+# [Service]
+# Environment="BEACON_NODE=http://backup-beacon:8551"
+#
+# To completely override the start command (to add custom parameters such as
+# graffiti), override the `ExecStart` value instead by first emptying it, then
+# specifying a new one:
+#
+# [Service]
+# ExecStart=
+# ExecStart=/usr/bin/nimbus_validator_client --network=${NETWORK} \
+#  --data-dir="${DATA_DIR_PREFIX}/vc \
+#  --graffiti=123
+#
+# See https://nimbus.guide/ for more information
+
+[Unit]
+Description=Nimbus Validator Client
+Wants=network-online.target
+After=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+# You need to have have access to a beacon node exposing the beacon API - by
+# default, we assume a compatible beacon node is running on the same machine.
+# You can add more beacon nodes by editing `ExecStart` instead.
+Environment=BEACON_NODE=http://127.0.0.1:5052
+
+# Where to store chain data
+Environment=DATA_DIR_PREFIX=/var/lib/nimbus
+
+# Default ports - if you want to run multiple instances of nimbus, for example
+# to run both prater and mainnet, separate ports must be used
+Environment=METRICS_PORT=8108
+
+# Interaction and monitoring
+Environment=METRICS_ENABLED=Yes
+
+# Default group = nimbus
+User=nimbus
+WorkingDirectory=/var/lib/nimbus
+TimeoutSec=1200
+Restart=always
+
+# Don't restart when Doppelganger detection has been activated
+RestartPreventExitStatus=129
+
+ExecStart=/usr/bin/nimbus_validator_client \
+  --data-dir="${DATA_DIR_PREFIX}/vc" \
+  --metrics=${METRICS_ENABLED} --metrics-port=${METRICS_PORT} \
+  --beacon-node=${BEACON_NODE}