Handle the case when vault metadata is not present #101

Open
pablin-10 wants to merge 18 commits into main from fix_boot_in_gcp_without_vault

Contributor

@pablin-10 pablin-10 commented Feb 26, 2026

  • Handle missing Vault metadata in fetch-config.sh by writing empty defaults instead of failing
  • Guard CONFIG_EL_PEERS_IPS and CONFIG_SIMULATOR_IP iptables rules with -n checks to prevent host/network '' not found errors
  • Soften dropbear's dependency on searcher-firewall from Requires to Wants so SSH stays accessible if the firewall fails

Member

@alexhulbert alexhulbert left a comment

I'm worried about the implications of allowing ssh to run if firewall fails. What's the purpose of that change?

@pablin-10 pablin-10 changed the base branch from moe/flashbox-observability to main March 10, 2026 20:25
Comment on lines +101 to +104
if [ -n "$CONFIG_SIMULATOR_IP" ]; then
accept_dst_ip_port $CHAIN_PRODUCTION_OUT tcp "$CONFIG_SIMULATOR_IP" $SIMULATOR_RPC_PORT "Simulator RPC (sendBackrun)"
accept_dst_ip_port $CHAIN_PRODUCTION_OUT tcp "$CONFIG_SIMULATOR_IP" $SIMULATOR_WS_PORT "Simulator WebSocket (tx stream)"
fi
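Review bot: The `[ -n "$CONFIG_SIMULATOR_IP" ]` guard has no else branch, so an empty value skips both simulator accept rules without any trace. Add an else that logs that the Simulator RPC and WebSocket rules were not installed (or exits non-zero where the value is mandatory), so a boot with missing configuration is distinguishable from a healthy one. Style: `$CHAIN_PRODUCTION_OUT`, `$SIMULATOR_RPC_PORT` and `$SIMULATOR_WS_PORT` are unquoted while `"$CONFIG_SIMULATOR_IP"` is quoted; quote them as well.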
Member

I recall I didn't add this check explicitly because the image startup should fail critically if those endpoints were not configured/served correctly during the boot-up process.
My only concern here is that, in this case, the image will boot and suppress the issue in case those endpoints weren't fetched and set correctly. Hence, the image won't function correctly after a searcher has set up everything and is trying to connect to those endpoints in production mode.

Comment on lines -3 to +4
Requires=wait-for-key.service searcher-firewall.service
Requires=wait-for-key.service
Wants=searcher-firewall.service
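Review bot: Moving searcher-firewall.service from `Requires=` to `Wants=` means this unit still starts when the firewall unit fails, and neither directive orders the two units; no `After=` is visible in these lines. If SSH must never be reachable before the firewall rules are in place, keep the `Requires=` dependency or confirm the unit has `After=searcher-firewall.service`, and add a comment in the unit file stating which failure case the `Wants=` is meant to cover.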
Member

Can you explain the rationale behind this change? What is the scenario causing this to be locked out?
To my knowledge, this is the execution flow:

  • Image boots (in maintenance mode) and fetches the configuration that includes secrets and firewall configs.
  • searcher-firewall service triggers and sets up the correct firewall rules with the correctly configured IPtables
  • Simultaneously, the wait-for-key service is expecting the operator to serve the user's (searcher) ssh pubkey through curl command to be set and allow the ssh command control panel to be ready for the searcher only.
  • dropbear service starts and searcher can execute ssh commands like initialize, toggle, log, etc...
