Merge pull request #32 from aws-samples/pr-28

This PR contains improvements in Solana blueprint based on the feedback from #28

Author: frbrkoala

lib/solana/README.md

@@ -145,6 +145,16 @@ Create your own copy of `.env` file and edit it to update with your AWS Account
     - Navigate to [CloudWatch service](https://console.aws.amazon.com/cloudwatch/) (make sure you are in the region you have specified for `AWS_REGION`)
     - Open `Dashboards` and select `solana-single-node` from the list of dashboards.
 
+7. Connect with the RPC API exposed by the node:
+
+```bash
+   INSTANCE_ID=$(cat single-node-deploy.json | jq -r '..|.node-instance-id? | select(. != null)')
+   NODE_INTERNAL_IP=$(aws ec2 describe-instances --instance-ids $INSTANCE_ID --query 'Reservations[*].Instances[*].PublicIpAddress' --output text)
+    # We query token balance this account: https://solanabeach.io/address/9WzDXwBbmkg8ZTbNMqUxvQRAyrZzDsGYdLVL9zYtAWWM
+    curl http://$NODE_INTERNAL_IP:8899 -X POST -H "Content-Type: application/json" \
+    --data '{ "jsonrpc": "2.0", "id": 1, "method": "getBalance", "params": ["9WzDXwBbmkg8ZTbNMqUxvQRAyrZzDsGYdLVL9zYtAWWM"]}'
+```
+
 ### Deploy the HA Nodes
 
 1. Configure and deploy multiple HA Nodes

lib/solana/lib/assets/solana/node-consensus-template.sh

@@ -4,9 +4,13 @@ set -o nounset
 set -o pipefail
 # Remove empty snapshots
 find "/var/solana/data/ledger" -name "snapshot-*" -size 0 -print -exec rm {} \; || true
-export RUST_LOG=warning
+export RUST_LOG=error
 export RUST_BACKTRACE=full
 export SOLANA_METRICS_CONFIG=__SOLANA_METRICS_CONFIG__
+
+TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+export EC2_INTERNAL_IP=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/local-ipv4)
+
 /home/solana/bin/solana-validator \
 --ledger /var/solana/data/ledger \
 --identity /home/solana/config/validator-keypair.json \
@@ -15,12 +19,10 @@ __KNOWN_VALIDATORS__ \
 --expected-genesis-hash __EXPECTED_GENESIS_HASH__ \
 __ENTRY_POINTS__ \
 --rpc-port 8899 \
---no-port-check \
+--private-rpc \
+--rpc-bind-address $EC2_INTERNAL_IP \
 --wal-recovery-mode skip_any_corrupted_record \
 --init-complete-file /var/solana/data/init-completed \
---limit-ledger-size 50000000 \
+--limit-ledger-size \
 --accounts /var/solana/accounts \
---no-os-cpu-stats-reporting \
---no-os-memory-stats-reporting \
---no-os-network-stats-reporting \
 --log -

lib/solana/lib/assets/solana/node-heavy-rpc-template.sh

@@ -4,35 +4,34 @@ set -o nounset
 set -o pipefail
 # Remove empty snapshots
 find "/var/solana/data/ledger" -name "snapshot-*" -size 0 -print -exec rm {} \; || true
-export RUST_LOG=warning
+export RUST_LOG=error
 export RUST_BACKTRACE=full
 export SOLANA_METRICS_CONFIG=__SOLANA_METRICS_CONFIG__
+
+TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+export EC2_INTERNAL_IP=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/local-ipv4)
+
 /home/solana/bin/solana-validator \
 --ledger /var/solana/data/ledger \
 --identity /home/solana/config/validator-keypair.json \
 __KNOWN_VALIDATORS__ \
 --expected-genesis-hash __EXPECTED_GENESIS_HASH__ \
 __ENTRY_POINTS__ \
 --no-voting \
---snapshot-interval-slots 500 \
---maximum-local-snapshot-age 500 \
 --full-rpc-api \
 --rpc-port 8899 \
---gossip-port 8801 \
---dynamic-port-range 8800-8813 \
---no-port-check \
+--gossip-port 8800 \
+--dynamic-port-range 8800-8814 \
+--private-rpc \
+--rpc-bind-address $EC2_INTERNAL_IP \
 --wal-recovery-mode skip_any_corrupted_record \
 --enable-rpc-transaction-history \
 --enable-cpi-and-log-storage \
 --init-complete-file /var/solana/data/init-completed \
---snapshot-compression none \
 --require-tower \
 --no-wait-for-vote-to-start-leader \
---limit-ledger-size 50000000 \
+--limit-ledger-size \
 --accounts /var/solana/accounts \
---no-os-cpu-stats-reporting \
---no-os-memory-stats-reporting \
---no-os-network-stats-reporting \
 --account-index spl-token-owner \
 --account-index program-id \
 --account-index spl-token-mint \

lib/solana/lib/assets/solana/node-light-rpc-template.sh

@@ -4,33 +4,37 @@ set -o nounset
 set -o pipefail
 # Remove empty snapshots
 find "/var/solana/data/ledger" -name "snapshot-*" -size 0 -print -exec rm {} \; || true
-export RUST_LOG=warning
+export RUST_LOG=error
 export RUST_BACKTRACE=full
 export SOLANA_METRICS_CONFIG=__SOLANA_METRICS_CONFIG__
+
+TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+export EC2_INTERNAL_IP=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/local-ipv4)
+
+# TODO: Delete below
+# --gossip-port 8800 \
+# --dynamic-port-range 8801-8814 \ SG ports 8802-8814
+# --no-port-check \
+
 /home/solana/bin/solana-validator \
 --ledger /var/solana/data/ledger \
 --identity /home/solana/config/validator-keypair.json \
 __KNOWN_VALIDATORS__ \
 --expected-genesis-hash __EXPECTED_GENESIS_HASH__ \
 __ENTRY_POINTS__ \
 --no-voting \
---snapshot-interval-slots 500 \
---maximum-local-snapshot-age 500 \
 --full-rpc-api \
 --rpc-port 8899 \
---gossip-port 8801 \
---dynamic-port-range 8800-8813 \
---no-port-check \
+--gossip-port 8800 \
+--dynamic-port-range 8800-8814 \
+--private-rpc \
+--rpc-bind-address $EC2_INTERNAL_IP \
 --wal-recovery-mode skip_any_corrupted_record \
 --enable-rpc-transaction-history \
 --enable-cpi-and-log-storage \
 --init-complete-file /var/solana/data/init-completed \
---snapshot-compression none \
 --require-tower \
 --no-wait-for-vote-to-start-leader \
---limit-ledger-size 50000000 \
+--limit-ledger-size \
 --accounts /var/solana/accounts \
---no-os-cpu-stats-reporting \
---no-os-memory-stats-reporting \
---no-os-network-stats-reporting \
 --log -

lib/solana/lib/assets/sync-checker/syncchecker-solana.sh

@@ -1,13 +1,16 @@
 #!/bin/bash
 
 INIT_COMPLETED_FILE=/var/solana/data/init-completed
-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
-REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq .region -r)
+
+TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/instance-id)
+REGION=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq .region -r)
+EC2_INTERNAL_IP=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/local-ipv4)
 TIMESTAMP=$(date +"%Y-%m-%dT%H:%M:%S%:z")
 
 if [ -f "$INIT_COMPLETED_FILE" ]; then
-    SOLANA_BLOCK_HEIGHT=$(curl -s -X POST -H "Content-Type: application/json" -d ' {"jsonrpc":"2.0","id":1,"method":"getBlockHeight"}' http://localhost:8899 | jq .result)
-    SOLANA_SLOTS_BEHIND_DATA=$(curl -s -X POST -H "Content-Type: application/json" -d ' {"jsonrpc":"2.0","id":1, "method":"getHealth"}' http://localhost:8899 | jq .error.data)
+    SOLANA_BLOCK_HEIGHT=$(curl -s -X POST -H "Content-Type: application/json" -d ' {"jsonrpc":"2.0","id":1,"method":"getBlockHeight"}' http://$EC2_INTERNAL_IP:8899 | jq .result)
+    SOLANA_SLOTS_BEHIND_DATA=$(curl -s -X POST -H "Content-Type: application/json" -d ' {"jsonrpc":"2.0","id":1, "method":"getHealth"}' http://$EC2_INTERNAL_IP:8899 | jq .error.data)
     SOLANA_SLOTS_BEHIND=$(echo $SOLANA_SLOTS_BEHIND_DATA | jq .numSlotsBehind -r)
 
     if [ $SOLANA_SLOTS_BEHIND == "null" ]

lib/solana/lib/assets/user-data/node.sh

@@ -213,7 +213,6 @@ sudo usermod -aG sudo solana
 cd /home/solana
 sudo mkdir ./bin
 
-echo "Download and unpack Solana"
 echo "Downloading x86 binaries for version v$SOLANA_VERSION"
 
 sudo wget -q https://github.com/solana-labs/solana/releases/download/v$SOLANA_VERSION/solana-release-x86_64-unknown-linux-gnu.tar.bz2
@@ -227,38 +226,39 @@ cd /home/solana/bin
 if [[ $NODE_IDENTITY_SECRET_ARN == "none" ]]; then
     echo "Create node identity"
     sudo ./solana-keygen new --no-passphrase -o /home/solana/config/validator-keypair.json
-    NODE_IDENTITY=$(sudo ./solana-keygen pubkey /home/solana/config/validator-keypair.json)
-    echo "Backing up node identity to AWS Secrets Manager"
-    sudo aws secretsmanager create-secret --name "solana-node/"$NODE_IDENTITY --description "Solana Node Identity Secret created for stack $CF_STACK_NAME" --secret-string file:///home/solana/config/validator-keypair.json --region $AWS_REGION
 else
-    echo "Retrieving node identity from AWS Secrets Manager"
+    echo "Get node identity from AWS Secrets Manager"
     sudo aws secretsmanager get-secret-value --secret-id $NODE_IDENTITY_SECRET_ARN --query SecretString --output text --region $AWS_REGION > ~/validator-keypair.json
     sudo mv ~/validator-keypair.json /home/solana/config/validator-keypair.json
 fi
-
 if [[ "$SOLANA_NODE_TYPE" == "consensus" ]]; then
+    if [[ $NODE_IDENTITY_SECRET_ARN == "none" ]]; then
+        echo "Storing generated node identity to AWS Secrets Manager"
+        NODE_IDENTITY=$(sudo ./solana-keygen pubkey /home/solana/config/vote-account-keypair.json)
+        sudo aws secretsmanager create-secret --name "solana-node/"$NODE_IDENTITY --description "Solana Node Identity Secret created for stack $CF_STACK_NAME" --secret-string file:///home/solana/config/validator-keypair.json --region $AWS_REGION
+    fi
     if [[ $VOTE_ACCOUNT_SECRET_ARN == "none" ]]; then
         echo "Create Vote Account Secret"
         sudo ./solana-keygen new --no-passphrase -o /home/solana/config/vote-account-keypair.json
         NODE_IDENTITY=$(sudo ./solana-keygen pubkey /home/solana/config/vote-account-keypair.json)
-        echo "Backing up Vote Account Secret to AWS Secrets Manager"
+        echo "Storing Vote Account Secret to AWS Secrets Manager"
         sudo aws secretsmanager create-secret --name "solana-node/"$NODE_IDENTITY --description "Solana Vote Account Secret created for stack $CF_STACK_NAME" --secret-string file:///home/solana/config/vote-account-keypair.json --region $AWS_REGION
 
         if [[ $AUTHORIZED_WITHDRAWER_ACCOUNT_SECRET_ARN == "none" ]]; then
             echo "Create Authorized Withdrawer Account Secret"
             sudo ./solana-keygen new --no-passphrase -o /home/solana/config/authorized-withdrawer-keypair.json
             NODE_IDENTITY=$(sudo ./solana-keygen pubkey /home/solana/config/authorized-withdrawer-keypair.json)
-            echo "Backing up Authorized Withdrawer Account  to AWS Secrets Manager"
+            echo "Storing Authorized Withdrawer Account  to AWS Secrets Manager"
             sudo aws secretsmanager create-secret --name "solana-node/"$NODE_IDENTITY --description "Authorized Withdrawer Account Secret created for stack $CF_STACK_NAME" --secret-string file:///home/solana/config/authorized-withdrawer-keypair.json --region $AWS_REGION
 
         else
-            echo "Retrieving Authorized Withdrawer Account Secret from AWS Secrets Manager"
+            echo "Get Authorized Withdrawer Account Secret from AWS Secrets Manager"
             sudo aws secretsmanager get-secret-value --secret-id $AUTHORIZED_WITHDRAWER_ACCOUNT_SECRET_ARN --query SecretString --output text --region $AWS_REGION > ~/authorized-withdrawer-keypair.json
             sudo mv ~/authorized-withdrawer-keypair.json /home/solana/config/authorized-withdrawer-keypair.json
         fi
 
         if [[ $REGISTRATION_TRANSACTION_FUNDING_ACCOUNT_SECRET_ARN != "none" ]]; then
-          echo "Retrieving Registration Transaction Funding Account Secret from AWS Secrets Manager"
+          echo "Get Registration Transaction Funding Account Secret from AWS Secrets Manager"
           sudo aws secretsmanager get-secret-value --secret-id $REGISTRATION_TRANSACTION_FUNDING_ACCOUNT_SECRET_ARN --query SecretString --output text --region $AWS_REGION > ~/id.json
           sudo mkdir -p /root/.config/solana
           sudo mv ~/id.json /root/.config/solana/id.json
@@ -274,7 +274,7 @@ if [[ "$SOLANA_NODE_TYPE" == "consensus" ]]; then
         echo "Deleting Authorized Withdrawer Account from the local disc"
         sudo rm /home/solana/config/authorized-withdrawer-keypair.json
     else
-        echo "Retrieving Vote Account Secret from AWS Secrets Manager"
+        echo "Get Vote Account Secret from AWS Secrets Manager"
         sudo aws secretsmanager get-secret-value --secret-id $VOTE_ACCOUNT_SECRET_ARN --query SecretString --output text --region $AWS_REGION > ~/vote-account-keypair.json
         sudo mv ~/vote-account-keypair.json /home/solana/config/vote-account-keypair.json
     fi
@@ -296,7 +296,6 @@ sed -i "s/__KNOWN_VALIDATORS__/$KNOWN_VALIDATORS/g" /home/solana/bin/validator.s
 sed -i "s/__ENTRY_POINTS__/$ENTRY_POINTS/g" /home/solana/bin/validator.sh
 sudo chmod +x /home/solana/bin/validator.sh
 
-echo "Making sure the solana user has access to everything needed"
 sudo chown -R solana:solana /var/solana
 sudo chown -R solana:solana /home/solana
 

lib/solana/lib/constructs/solana-node-security-group.ts

@@ -24,8 +24,8 @@ export interface SolanaNodeSecurityGroupConstructProps {
       });
 
       // Public ports
-      sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcpRange(8801, 8812), "P2P protocols (gossip, turbine, repair, etc)");
-      sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.udpRange(8801, 8812), "P2P protocols (gossip, turbine, repair, etc)");
+      sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcpRange(8800, 8814), "P2P protocols (gossip, turbine, repair, etc)");
+      sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.udpRange(8800, 8814), "P2P protocols (gossip, turbine, repair, etc)");
 
       // Private ports restricted only to the VPC IP range
       sg.addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(8899), "RPC port HTTP (user access needs to be restricted. Allowed access only from internal IPs)");