certusone
/
wormhole
mirror of https://github.com/certusone/wormhole.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add systemd units to operations.md

This commit is contained in:
Leo 2020-12-06 22:51:35 +01:00
parent 8b10b96362
commit 89afda64bf
1 changed files with 81 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
docs/operations.md
View File

@ -103,10 +103,90 @@ The key file includes a human-readable part that includes the public key and the
## Deploying ## Deploying
⚠ TODO: _systemd service file examples (not entirely trivial)_ We strongly recommend a separate user and systemd services for both services.
Example systemd unit for `guardiand.service`, including the right capabilities and best-practice security mitigations:
```
# /etc/systemd/system/guardiand.service
[Unit]
Description=Wormhole Bridge guardian daemon
Documentation=https://github.com/certusone/wormhole
Requires=network.target
Wants=guardiand-solana-agent.service
After=network.target
[Service]
User=wormhole
Group=wormhole
ExecStart=/usr/local/bin/guardiand bridge \
--bootstrap "<see launch repo>" \
--network "<see launch repo>" \
--ethContract <see launch repo> \
--nodeName "my-node-name" \
--nodeKey /path/to/your/node.key \
--bridgeKey /path/to/your/guardian.key \
--ethRPC ws://your-eth-node:8545 \
--adminSocket /run/guardiand/admin.socket \
--agentRPC /run/guardiand/agent.socket
RuntimeDirectory=guardiand
RuntimeDirectoryMode=700
RuntimeDirectoryPreserve=yes
PermissionsStartOnly=yes
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_IPC_LOCK
NoNewPrivileges=yes
Restart=on-failure
RestartSec=5s
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target
```
And `guardiand-solana-agent.service`:
```
# /etc/systemd/system/guardiand-solana-agent.service
[Unit]
Description=Wormhole Bridge Solana agent
Documentation=https://github.com/certusone/wormhole
Requires=network.target
[Service]
User=solana
Group=solana
ExecStart=/usr/local/bin/guardiand-solana-agent \
--bridge "<see launch repo>" \
--rpc http://solana-host:8899 \
--ws ws://solana-devnet:8900 \
--keypair /path/to/feepayer.key \
--socket /run/guardiand/agent.socket
RuntimeDirectory=guardiand
RuntimeDirectoryMode=700
RuntimeDirectoryPreserve=yes
PermissionsStartOnly=yes
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
Restart=on-failure
RestartSec=5s
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
```
You need to open port 8999/tcp in your firewall for the P2P network. Nothing else has to be exposed externally.
### Kubernetes ### Kubernetes
Kubernetes deployment is fully supported.
Refer to [devnet/](../devnet) for example k8s deployments as a starting point for your own production deployment. You'll Refer to [devnet/](../devnet) for example k8s deployments as a starting point for your own production deployment. You'll
have to build your own containers. Unless you already run Kubernetes in production, we strongly recommend a traditional have to build your own containers. Unless you already run Kubernetes in production, we strongly recommend a traditional
deployment on a dedicated instance - it's easier to understand and troubleshoot. deployment on a dedicated instance - it's easier to understand and troubleshoot.