IA1.6.1 Add batcher service running in TEE (#205)

* a working script without args

* a working script without args

* everything works in the scripts despite the args

* fix socat proxy script

* working op-batcher inside docker-compose

* rename the script to build batcher enclave image

* cleanup and profile the op-batcher-non-tee

* use port number from env and shorten nc listener timeout as it will not be used in most cases

* fix dasel format

* remove uneeded ESPRESSO_RUN_ENCLAVE_TESTS

* fix scripts

* Add op-batcher-tee image in CI (#210)

* push op-batcher-tee image init

* fix tag and push

* test image creation without enclaver

* try to use env

* fix enclaver download

* use env in docker images yml

* restore other task

* remove unneeded steps

* special case to common case

* use default for op-batcher and tee for op-batcher-tee

* fix double ports mapping

* fix batcher restart test

* add a script to use enclave tool

* works to some extend

* also works for passing in arguments from cmd

* try to upload the image

* add my branch patter

* fix dockerfile

* a simplified version

* adding packages/contracts-bedrock/forge-artifacts to op-batcher-enclave-target

* PCR0 registered in op-batcher-tee docker compose and add monitor for enclave logs

* copy deployment/ to op-batcher-enclave-target

* fix docker-images

* Remove unneeded script

* remove unneeded script and cleanup readme

* fix overlapping ports and move long cmd of op-batcher-tee to script

* update readme

Author: dailinsubjam

.github/workflows/docker-images.yml

@@ -348,3 +348,58 @@ jobs:
             TARGET_BASE_IMAGE=alpine:3.22
             TARGETOS=linux
             TARGETARCH=amd64
+
+  build-op-batcher-tee:
+    needs: prepare-deployment
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download deployment artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: deployment-artifacts
+
+      - name: Copy config for op-batcher
+        run: |
+          mkdir -p packages/contracts-bedrock/lib/superchain-registry/ops/testdata/monorepo
+          # Copy any required config files here, or create placeholder
+          echo "Config prepared for op-batcher"
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_PREFIX }}/op-batcher-tee
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha,prefix={{branch}}-,enable={{is_default_branch}}
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=pr-${{ github.event.number }},enable=${{ github.event_name == 'pull_request' }}
+
+      - name: Build and push OP Batcher TEE
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: espresso/docker/op-stack/Dockerfile
+          target: op-batcher-enclave-target
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            TARGET_BASE_IMAGE=alpine:3.22
+            TARGETOS=linux
+            TARGETARCH=amd64

README_ESPRESSO.md

@@ -303,6 +303,10 @@ docker compose down -v --remove-orphans
 ```console
 docker compose up --build -d
 ```
+If you're on a machine with [AWS Nitro Enclaves enabled](#guide-setting-up-an-enclave-enabled-nitro-ec2-instance), use the `tee` profile instead to start the enclave batcher.
+```console
+COMPOSE_PROFILES=tee docker compose up --build -d
+```
 
 * Run the services and check the log.
 ```console

espresso/.env

@@ -36,3 +36,5 @@ OPERATOR_ADDRESS=0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266
 
 L1_CHAIN_ID=11155111
 L2_CHAIN_ID=22266222
+
+COMPOSE_PROFILES=default

espresso/docker-compose-op-geth.yml

@@ -20,6 +20,3 @@ services:
       L1_RPC: http://l1-geth:${L1_HTTP_PORT:?err}
       OP_HTTP_PORT: ${OP_HTTP_PORT:?err}
       OP_ENGINE_PORT: ${OP_ENGINE_PORT:?err}
-    ports:
-      - "${OP_HTTP_PORT}"
-      - "${OP_ENGINE_PORT}"

espresso/docker-compose.yml

@@ -142,20 +142,29 @@ services:
       service: op-geth
     volumes:
       - op-data-seq:/data
+    ports:
+      - "${OP_HTTP_PORT}:${OP_HTTP_PORT}"
+      - "${OP_ENGINE_PORT}:${OP_ENGINE_PORT}"
 
   op-geth-verifier:
     extends:
       file: docker-compose-op-geth.yml
       service: op-geth
     volumes:
       - op-data-verifier:/data
+    ports:
+      - "8547:${OP_HTTP_PORT}"
+      - "8553:${OP_ENGINE_PORT}"
 
   op-geth-caff-node:
     extends:
       file: docker-compose-op-geth.yml
       service: op-geth
     volumes:
       - op-data-caff-node:/data
+    ports:
+      - "8548:${OP_HTTP_PORT}"
+      - "8554:${OP_ENGINE_PORT}"
 
   op-node-sequencer:
     build:
@@ -269,6 +278,7 @@ services:
     restart: "no"
 
   op-batcher:
+    profiles: ["default"]
     build:
       context: ../
       dockerfile: espresso/docker/op-stack/Dockerfile
@@ -304,7 +314,82 @@ services:
       - --max-channel-duration=1
       - --target-num-frames=1
 
+  # HTTP proxy for enclave Odyn proxy requirement
+  http-proxy:
+    image: alpine:latest
+    command: >
+      sh -c "
+      apk add --no-cache tinyproxy &&
+      echo 'Allow 127.0.0.1' >> /etc/tinyproxy/tinyproxy.conf &&
+      echo 'Allow 0.0.0.0/0' >> /etc/tinyproxy/tinyproxy.conf &&
+      echo 'DisableViaHeader Yes' >> /etc/tinyproxy/tinyproxy.conf &&
+      tinyproxy -d
+      "
+    ports:
+      - "3128:8888"
+    networks:
+      default:
+        aliases:
+          - proxy
+
+  op-batcher-tee:
+    profiles: ["tee"]
+    build:
+      context: ../
+      dockerfile: espresso/docker/op-stack/Dockerfile
+      target: op-batcher-enclave-target
+    image: op-batcher-tee:espresso
+    healthcheck:
+      test: ["CMD-SHELL", "test -f /tmp/enclave-tools.pid && kill -0 $(cat /tmp/enclave-tools.pid) 2>/dev/null || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    depends_on:
+      l1-geth:
+        condition: service_healthy
+      op-geth-sequencer:
+        condition: service_started
+      op-node-sequencer:
+        condition: service_started
+      espresso-dev-node:
+        condition: service_started
+      l2-genesis:
+        condition: service_completed_successfully
+      http-proxy:
+        condition: service_started
+    network_mode: "host"
+    environment:
+      http_proxy: http://127.0.0.1:3128
+      HTTP_PROXY: http://127.0.0.1:3128
+      OPERATOR_PRIVATE_KEY: ${OPERATOR_PRIVATE_KEY}
+      ENCLAVE_DEBUG: ${ENCLAVE_DEBUG:-false}
+      CONTAINER_MONITOR_INTERVAL: ${CONTAINER_MONITOR_INTERVAL:-1}
+      ENCLAVE_MEMORY_MB: ${ENCLAVE_MEMORY_MB:-4096}
+      ENCLAVE_CPU_COUNT: ${ENCLAVE_CPU_COUNT:-2}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ..:/source:ro
+      - ./scripts/batcher-enclave-tool-image.sh:/app/espresso/scripts/batcher-enclave-tool-image.sh:ro
+      - /tmp:/tmp
+    privileged: true
+    devices:
+      - /dev/nitro_enclaves:/dev/nitro_enclaves
+    restart: "no"
+    command:
+    - sh
+    - -c
+    - |
+      export DEPLOYMENT_MODE=local
+      export L1_RPC_URL="http://127.0.0.1:${L1_HTTP_PORT}"
+      export L2_RPC_URL="http://127.0.0.1:${OP_HTTP_PORT}"
+      export ROLLUP_RPC_URL="http://127.0.0.1:${ROLLUP_PORT}"
+      export ESPRESSO_URL1="http://127.0.0.1:${ESPRESSO_SEQUENCER_API_PORT}"
+      /source/espresso/docker/op-batcher-tee/run-enclave.sh 
+
+
   op-proposer:
+    profiles: ["default"]
     build:
       context: ../
       dockerfile: espresso/docker/op-stack/Dockerfile