Remove -d:insecure compile option (#2468)

With metrics running on top of chronos, the metrics server no longer
needs to be compiled in conditionally - it remains disabled by default.

README.md

@@ -138,8 +138,7 @@ Specific steps:
 ```bash
 # This will generate the Prometheus config on the fly, based on the number of
 # nodes (which you can control by passing something like NODES=6 to `make`).
-# The `-d:insecure` flag starts an HTTP server from which the Prometheus daemon will pull the metrics.
+make VALIDATORS=192 NODES=6 USER_NODES=0 eth2_network_simulation
-make VALIDATORS=192 NODES=6 USER_NODES=0 NIMFLAGS="-d:insecure" eth2_network_simulation
 
 # In another terminal tab, after the sim started:
 cd tests/simulation/prometheus

beacon_chain/nimbus_beacon_node.nim

@@ -1661,16 +1661,13 @@ proc doRunBeaconNode(config: var BeaconNodeConf, rng: ref BrHmacDrbgContext) {.r
   config.createDumpDirs()
 
   if config.metricsEnabled:
-    when useInsecureFeatures:
+    let metricsAddress = config.metricsAddress
-      let metricsAddress = config.metricsAddress
+    notice "Starting metrics HTTP server",
-      notice "Starting metrics HTTP server",
+      url = "http://" & $metricsAddress & ":" & $config.metricsPort & "/metrics"
-        url = "http://" & $metricsAddress & ":" & $config.metricsPort & "/metrics"
+    try:
-      try:
+      startMetricsHttpServer($metricsAddress, config.metricsPort)
-        startMetricsHttpServer($metricsAddress, config.metricsPort)
+    except CatchableError as exc: raise exc
-      except CatchableError as exc: raise exc
+    except Exception as exc: raiseAssert exc.msg # TODO fix metrics
-      except Exception as exc: raiseAssert exc.msg # TODO fix metrics
-    else:
-      warn "Metrics support disabled, see https://status-im.github.io/nimbus-eth2/metrics-pretty-pictures.html#simple-metrics"
 
   # There are no managed event loops in here, to do a graceful shutdown, but
   # letting the default Ctrl+C handler exit is safe, since we only read from

beacon_chain/version.nim

@@ -20,8 +20,6 @@ const
 
   versionBlob* = "stateofus" # Single word - ends up in the default graffitti
 
-  useInsecureFeatures* = defined(insecure)
-
   gitRevision* = strip(staticExec("git rev-parse --short HEAD"))[0..5]
 
   nimBanner* = staticExec("nim --version | grep -v Compiled")

docs/the_nimbus_book/src/beacon-node-systemd.md

@@ -8,9 +8,9 @@ Systemd is used in order to have a command or program run when your device boots
 
 ### 1. Create a systemd service
 
-> ⚠️  The HTTP server used for obtaining metrics is considered insecure. If you wish to run the service with metrics enabled, you'll need to compile the beacon node with the insecure flag enabled — `make NIMFLAGS="-d:insecure" nimbus_beacon_node` — and replace `--metrics:off` with `--metrics:on` in the service file below. See [here](./metrics-pretty-pictures.md) for more on metrics.
+> ⚠️  If you wish to run the service with metrics enabled, you'll need to replace `--metrics:off` with `--metrics:on` in the service file below. See [here](./metrics-pretty-pictures.md) for more on metrics.
 
-Create a `systemd` service unit file -- `nbc.service` -- and save it in `/etc/systemd/system/`.
+Create a `systemd` service unit file -- `nimbus-eth2-pyrmont.service` -- and save it in `/etc/systemd/system/`.
 
 ```txt
 [Unit]
@@ -51,6 +51,5 @@ sudo systemctl daemon-reload
 ### 3. Start the service
 
 ```console
-sudo systemctl enable nbc --now
+sudo systemctl enable nimbus-eth2-pyrmont --now
 ```
-

docs/the_nimbus_book/src/eth2-stats.md

@@ -52,7 +52,7 @@ Click on `Compile from source` and copy the command at the bottom.
 
 From your `nimbus-eth2` repository, run:
 ```
-make NIMFLAGS="-d:insecure" nimbus_beacon_node
+make nimbus_beacon_node
 ```
 
 Followed by:
@@ -75,8 +75,3 @@ From your `eth2stats-client` repository, **run the command you copied in step 4.
 ```
 
 Your node should now be displayed on [https://pyrmont.eth2.wtf/](https://pyrmont.eth2.wtf/) :)
-
-
-
-
-

docs/the_nimbus_book/src/faq.md

@@ -4,10 +4,10 @@
 
 ### Why are metrics not working?
 
-Metrics are currently implemented using a HTTP server that hasn't been hardened sufficiently (which means it can't be exposed as a public endpoint). It must therefore be enabled specifically during build:
+The metrics server is disabled by default, enable it by passing `--metrics` to the run command:
 
 ```
-make NIMFLAGS="-d:insecure" nimbus_beacon_node --metrics ...
+./run-mainnet-beacon-node.sh --metrics ...
 ```
 
 ## Validating

docs/the_nimbus_book/src/metrics-pretty-pictures.md

@@ -8,21 +8,12 @@ Grafana is a tool for beautiful dashboard monitoring that works well with Promet
 
 ## Simple metrics
 
-The easiest way to see metrics concerning your validator / node is to build the beacon node with the `NIMFLAGS="-d:insecure"`:
-
-```
-make NIMFLAGS="-d:insecure" nimbus_beacon_node
-```
-
-> **Note:** Metrics are not included in the binary by default. The `NIMFLAGS="-d:insecure"` is needed because we consider the HTTP server that needs to start to serve the metrics to be insecure (without this flag it won't launch properly). As such, we recommend you make sure port 8008 is protected.
-
 Run the beacon node  with the `--metrics` flag:
 
 ```
 ./run-pyrmont-beacon-node.sh --metrics
 ```
 
-
 And visit [http://127.0.0.1:8008/metrics](http://127.0.0.1:8008/metrics) to see the raw metrics. You should see a plaintext page that looks something like this:
 
 ```
@@ -44,6 +35,8 @@ nim_gc_heap_instance_occupied_bytes{type_name="seq[TrustedAttestation]"} 29728.0
 ...
 ```
 
+> **Note:** Metrics are by default only accessible from the same machine as the beacon node is running on - to fetch metrics from a remote machine, an SSH tunnel is recommended.
+
 Unfortunately, this simple method only offers one snapshot in time (you'll need to keep refreshing to see the data update) which means it's impossible to see a useful history of the metrics. In short, it's far from optimal from an information design point of view.
 
 In order to settle on a better solution, we'll need the help of two external projects -- Prometheus and Grafana.

docs/the_nimbus_book/src/pyrmont.md

@@ -143,10 +143,10 @@ The `validators` folder contains your keystores (encrypted keys). Keystores are
 
 ## Metrics
 
-Metrics are not included in the binary by default - to enable them, use the following options when building the client:
+Metrics are not enabled by default - to enable, run with the `--metrics` flag
 
 ```
-make NIMFLAGS="-d:insecure" nimbus_beacon_node
+./run-pyrmont-beacon-node.sh --metrics
 ```
 
 You can then browse the metrics by connecting to:

scripts/launch_local_testnet.sh

@@ -204,7 +204,7 @@ if [[ "$ENABLE_LOGTRACE" == "1" ]]; then
   BINARIES="${BINARIES} logtrace"
 fi
 NETWORK_NIM_FLAGS=$(scripts/load-testnet-nim-flags.sh "${NETWORK}")
-$MAKE -j ${NPROC} LOG_LEVEL="${LOG_LEVEL}" NIMFLAGS="${NIMFLAGS} -d:insecure -d:testnet_servers_image -d:local_testnet ${NETWORK_NIM_FLAGS}" ${BINARIES}
+$MAKE -j ${NPROC} LOG_LEVEL="${LOG_LEVEL}" NIMFLAGS="${NIMFLAGS} -d:testnet_servers_image -d:local_testnet ${NETWORK_NIM_FLAGS}" ${BINARIES}
 
 PIDS=""
 WEB3_ARG=""

scripts/reset_testnet.sh

@@ -66,7 +66,7 @@ if [ "$ETH1_PRIVATE_KEY" != "" ]; then
 fi
 
 echo "Building a local nimbus_beacon_node instance for 'deposits create' and 'createTestnet'"
-make -j2 NIMFLAGS="-d:insecure -d:testnet_servers_image ${NETWORK_NIM_FLAGS}" nimbus_beacon_node nimbus_signing_process process_dashboard
+make -j2 NIMFLAGS="-d:testnet_servers_image ${NETWORK_NIM_FLAGS}" nimbus_beacon_node nimbus_signing_process process_dashboard
 
 echo "Generating Grafana dashboards for remote testnet servers"
 for testnet in 0 1; do

tests/simulation/start.sh

@@ -49,7 +49,7 @@ mkdir -p "$SECRETS_DIR"
 
 cd "$GIT_ROOT"
 
-CUSTOM_NIMFLAGS="${NIMFLAGS} -d:useSysAsserts -d:chronicles_sinks:textlines,json[file] -d:const_preset=mainnet -d:insecure -d:local_testnet"
+CUSTOM_NIMFLAGS="${NIMFLAGS} -d:useSysAsserts -d:chronicles_sinks:textlines,json[file] -d:const_preset=mainnet -d:local_testnet"
 GANACHE_BLOCK_TIME=5
 
 # Run with "SLOTS_PER_EPOCH=8 ./start.sh" to change these