Add docker-compose.yml and fix shutdow script

.github/workflows/build-eif.yml

@@ -22,6 +22,8 @@ on:
     branches:
       - main
 
+run-name: Build Enclaver Docker Image - ${{ github.event.inputs.enclaver_image_name || github.ref_name }}
+
 jobs:
   build:
     runs-on: ubuntu-latest

docker/aws-nitro-entrypoint.sh

@@ -5,12 +5,12 @@ set -e
 echo "Using config hash: $EXPECTED_CONFIG_SHA256"
 
 ENCLAVE_CONFIG_SOURCE_DIR=/mnt/config # temporary mounted directory in enclave to read config from parent instance
-PARENT_SOURCE_CONFIG_DIR=/home/ec2-user/config # config path on parent directory
+PARENT_SOURCE_CONFIG_DIR=/opt/nitro/config # config path on parent directory
 ENCLAVE_CONFIG_TARGET_DIR=/config # directory to copy config contents to inside enclave
-PARENT_SOURCE_DB_DIR=/home/ec2-user/.arbitrum # database path on parent directory
+PARENT_SOURCE_DB_DIR=/opt/nitro/arbitrum # database path on parent directory
 
 echo "Start vsock proxy"
-socat TCP-LISTEN:2049,bind=127.0.0.1,fork,reuseaddr,keepalive VSOCK-CONNECT:3:8004,keepalive &
+socat TCP-LISTEN:2049,bind=127.0.0.1,fork,reuseaddr,keepalive VSOCK-CONNECT:3:8004,keepalive >/dev/null 2>&1 &
 sleep 2
 
 echo "Mount config from ${PARENT_SOURCE_CONFIG_DIR} to ${ENCLAVE_CONFIG_SOURCE_DIR}"
@@ -70,7 +70,6 @@ start_vsock_termination_server() {
             if [ "$message" = "TERMINATE" ]; then
                 echo "Received TERMINATE signal"
                 pkill -INT -f "/usr/local/bin/nitro"
-                break
             else
                 echo "Ignoring message: $message"
             fi
@@ -80,6 +79,8 @@ start_vsock_termination_server() {
 
 start_vsock_termination_server &
 
+sleep 5
+
 exec /usr/local/bin/nitro \
   --validation.wasm.enable-wasmroots-check=false \
   --conf.file "${ENCLAVE_CONFIG_TARGET_DIR}/poster_config.json"

docker/docker-compose.yml

@@ -0,0 +1,9 @@
+services:
+  enclave-batch-poster:
+    image: # ghcr.io/espressosystems/aws-nitro-poster:<docker-tag>
+    devices:
+      - "/dev/nitro_enclaves:/dev/nitro_enclaves:rwm"
+    ports:
+      - "8547:8547"
+      - "8548:8548"
+    privileged: true

enclaver/enclaver.yaml

@@ -5,11 +5,9 @@ sources:
   app: "nitro-image:latest"
 defaults:
   memory_mb: 8192
-  cpu_count: 4
+  cpu_count: 2
 egress:
   allow:
     - "*"
     - "**"
-    - 0.0.0.0/0
-ingress:
-  - listen_port: 8547
+    - 0.0.0.0/0

scripts/installation-tools.sh

@@ -14,6 +14,12 @@ sudo systemctl enable docker || { echo "ERROR: Failed to enable docker"; exit 1;
 sudo systemctl start docker || { echo "ERROR: Failed to start docker"; exit 1; }
 sudo usermod -aG docker ec2-user || echo "WARNING: Failed to add user to docker group"
 
+# Download docker compose to bin
+sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+
+# Give execute permission
+sudo chmod +x /usr/local/bin/docker-compose
+
 # Install enclaver
 echo "Downloading and installing Enclaver..."
 ARCH=$(uname -m)

scripts/setup-ec2-instance.sh

@@ -5,21 +5,38 @@ set -e
 
 # Setup Arbitrum directory
 echo "Setting up Arbitrum db directory..."
-mkdir -p /home/ec2-user/.arbitrum || { echo "Failed to create .arbitrum directory"; exit 1; }
-sudo chown -R ec2-user:ec2-user /home/ec2-user/.arbitrum || { echo "Failed to set permissions for .arbitrum"; exit 1; }
+mkdir -p /opt/nitro/arbitrum || { echo "Failed to create .arbitrum directory"; exit 1; }
+sudo chown -R ec2-user:ec2-user /opt/nitro/arbitrum || { echo "Failed to set permissions for .arbitrum"; exit 1; }
 
 # Setup config directory
 echo "Setting up config directory..."
-mkdir -p /home/ec2-user/config || { echo "Failed to create config directory"; exit 1; }
-sudo chown -R ec2-user:ec2-user /home/ec2-user/config || { echo "Failed to set permissions for config"; exit 1; }
-
-# Start socat proxy in background with logging
+mkdir -p /opt/nitro/config || { echo "Failed to create config directory"; exit 1; }
+sudo chown -R ec2-user:ec2-user /opt/nitro/config || { echo "Failed to set permissions for config"; exit 1; }
+
+# Create systemd service for socat
+echo "Creating systemd service for socat..."
+sudo bash -c 'cat << EOF > /etc/systemd/system/socat-vsock.service
+[Unit]
+Description=socat VSOCK to TCP proxy
+After=network.target nfs-server.service
+
+[Service]
+ExecStart=/usr/bin/socat -d -d VSOCK-LISTEN:8004,fork,keepalive TCP:127.0.0.1:2049,keepalive,retry=5,interval=10
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+EOF' || { echo "Failed to create socat systemd service file"; exit 1; }
+
+# Enable and start socat service
 echo "Starting socat proxy..."
-sudo socat VSOCK-LISTEN:8004,fork,keepalive TCP:127.0.0.1:2049,keepalive &
+sudo systemctl enable socat-vsock.service || { echo "Failed to enable socat service"; exit 1; }
+sudo systemctl start socat-vsock.service || { echo "Failed to start socat service"; exit 1; }
 
 # Configure NFS exports
-echo "/home/ec2-user/.arbitrum 127.0.0.1/32(rw,insecure,crossmnt,no_subtree_check,sync,all_squash,anonuid=1000,anongid=1000)" | sudo tee -a /etc/exports || { echo "Failed to configure NFS exports"; exit 1; }
-echo "/home/ec2-user/config 127.0.0.1/32(ro,insecure,crossmnt,no_subtree_check,sync,all_squash,anonuid=1000,anongid=1000)" | sudo tee -a /etc/exports || { echo "Failed to configure NFS exports"; exit 1; }
+echo "/opt/nitro/arbitrum 127.0.0.1/32(rw,insecure,crossmnt,no_subtree_check,sync,all_squash,anonuid=1000,anongid=1000)" | sudo tee -a /etc/exports || { echo "Failed to configure NFS exports"; exit 1; }
+echo "/opt/nitro/config 127.0.0.1/32(ro,insecure,crossmnt,no_subtree_check,sync,all_squash,anonuid=1000,anongid=1000)" | sudo tee -a /etc/exports || { echo "Failed to configure NFS exports"; exit 1; }
 sudo exportfs -ra || { echo "Failed to reload NFS exports"; exit 1; }
 
 # Enable and start NFS server

scripts/shutdown-batch-poster.sh

@@ -1,40 +1,35 @@
+#!/bin/bash
+
 MESSAGE="TERMINATE"
 PORT=8005
-echo "Starting VSOCK connection attempts at CID $CID, port $PORT..."
-CID=16
-MAX_CID=100
-# When running inside the enclaver it is not possible to get enclave context id
-# Which is why we have to have this script incrementing the $CID
-# See issue: https://github.com/enclaver-io/enclaver/issues/215
-while [ $CID -le $MAX_CID ]; do
-    echo "Trying CID $CID..."
-
-    # Run socat and capture output and exit status
-    OUTPUT=$(echo "$MESSAGE" | socat - VSOCK-CONNECT:$CID:$PORT 2>&1)
-    EXIT_STATUS=$?
-
-    # Check if the output contains "Connection timed out"
-    if echo "$OUTPUT" | grep -q "Connection timed out"; then
-        echo "Connection timed out for CID $CID: $OUTPUT"
-        # Increment CID and continue
-        CID=$((CID + 1))
-    else
-        # Success or different error
-        echo "Connection attempt for CID $CID completed with exit status $EXIT_STATUS"
-        echo "Output: $OUTPUT"
-        if [ $EXIT_STATUS -eq 0 ]; then
-            echo "Success: Connected to CID $CID, port $PORT"
-            break
-        else
-            echo "Non-timeout error occurred for CID $CID. Stopping."
-            break
-        fi
-    fi
-done
 
-if [ $CID -gt $MAX_CID ]; then
-    echo "Reached maximum CID ($MAX_CID) without success."
+# Get the latest CID from journal logs
+CID=$(sudo journalctl -u socat.service -n 50 --no-pager | \
+      grep -oP 'accepting connection from AF=40 cid:\K\d+' | \
+      tail -n 1 | \
+      tr -d '[:space:]')
+
+# Validate CID
+if [[ ! "$CID" =~ ^[0-9]+$ ]]; then
+    echo "Error: No valid CID found in socat.service logs"
     exit 1
 fi
 
-exit 0
+echo "Attempting VSOCK connection to CID $CID, port $PORT..."
+
+# Run socat and capture output and exit status
+OUTPUT=$(echo "$MESSAGE" | socat - VSOCK-CONNECT:$CID:$PORT 2>&1)
+EXIT_STATUS=$?
+
+# Handle connection results
+if echo "$OUTPUT" | grep -q "Connection timed out"; then
+    echo "Connection timed out for CID $CID: $OUTPUT"
+    exit 1
+elif [ $EXIT_STATUS -eq 0 ]; then
+    echo "Success: Connected to CID $CID, port $PORT"
+    exit 0
+else
+    echo "Error: Connection failed for CID $CID (Exit Status: $EXIT_STATUS)"
+    echo "Output: $OUTPUT"
+    exit 1
+fi