diff --git a/docs/node-migration-guide.md b/docs/node-migration-guide.md index b04278d35..c0811c2c3 100644 --- a/docs/node-migration-guide.md +++ b/docs/node-migration-guide.md @@ -125,9 +125,11 @@ You should see your account and registered backup_cli public key listed, someth { "your-account.testnet": [ { - "public_key": "ed25519:AbC123" + "public_key": "ed25519:AbC123..." }, -} + null + ] +} ``` ## Step 3: Generate and Set Encryption Key @@ -207,9 +209,9 @@ Set up your new node on the new host with the following: 1. **Install and configure the MPC node software** on the new host (the new node should use the same NEAR account as the old node) 2. **Set the encryption key**: on the backup-cli and the new node (note: this can be a different key from the one used in the previous steps, but it's safe to re-use the same key). -For the new node, add this to the .env file. +For the new node, add this to the .env file (replace `` with the actual key from Step 3): ```env - MPC_BACKUP_ENCRYPTION_KEY_HEX=$BACKUP_ENCRYPTION_KEY + MPC_BACKUP_ENCRYPTION_KEY_HEX= ``` @@ -278,15 +280,15 @@ Call the `start_node_migration` method on the MPC contract to register the new n near contract call-function as-transaction \ $MPC_CONTRACT_ACCOUNT_ID \ start_node_migration \ - json-args '{ - "destination_node_info": { - "signer_account_pk": "$near_signer_public_key", - "destination_node_info": { - "url": "new-node.example.com:80", - "sign_pk": "$P2P_KEY" + json-args "{ + \"destination_node_info\": { + \"signer_account_pk\": \"$near_signer_public_key\", + \"destination_node_info\": { + \"url\": \"new-node.example.com:80\", + \"sign_pk\": \"$P2P_KEY\" } } - }' \ + }" \ prepaid-gas '300.0 Tgas' \ attached-deposit '0 NEAR' \ sign-as $SIGNER_ACCOUNT_ID \ diff --git a/docs/running-an-mpc-node-in-tdx-external-guide.md b/docs/running-an-mpc-node-in-tdx-external-guide.md index 9a3b6fbec..a3aff4551 100644 --- a/docs/running-an-mpc-node-in-tdx-external-guide.md 
+++ b/docs/running-an-mpc-node-in-tdx-external-guide.md @@ -11,7 +11,13 @@ We use Dstack (from Phala) to orchestrate the environment and run the MPC contai ## Limitations and Restrictions **Important:** -You cannot migrate an existing MPC node out of its CVM without data loss (for example: key share, P2P key). In addition, replacing or changing TDX-related hardware or dependencies (e.g., a CPU swap) may render the data unrecoverable. + +The CVM filesystem is encrypted with a hardware-bound key derived from SGX sealing, so copying the CVM or disk data to another machine will not work and may result in data loss, including loss of key shares and P2P identity keys. + +Platform-bound sealed data may also become unrecoverable if TDX-related hardware changes (for example, a CPU replacement). + +To move a node between hosts, follow the supported procedure described in the Node Migration section, which uses the backup-cli tool to securely transfer keyshares. + ## Main difference between TEE and non TEE MPC nodes @@ -578,9 +584,9 @@ RUST_LOG=mpc=debug,info NEAR_BOOT_NODES=$BOOT_NODES +# telemertry,migration,debug,node-node,DSS +PORTS=8080:8080,8079:8079,3030:3030,80:80,24567:24567 -# Port forwarding -PORTS=8080:8080,24567:24567,80:80 ``` @@ -658,9 +664,10 @@ This creates a limitation when trying to run both **mainnet** and **testnet** no | Port | Purpose | |--------|-------------------------------------------------------------------------| | **80** | Node-to-node communication (port override convention) | -| **24567** | Decentralized state sync | -| **8080** | Debug and telemetry collection, plus the new `getdata` endpoint | +| **24567** | Decentralized state sync | +| **8080** | Debug and telemetry collection, plus the new `/get_data` endpoint | | **3030** | Debug and telemetry collection | +| **8079** | Migration port | ### Configuring and starting the MPC binary in a CVM diff --git a/tee_launcher/default.env b/tee_launcher/default.env index 9eb15569c..553008d3a 100644 
--- a/tee_launcher/default.env +++ b/tee_launcher/default.env @@ -12,7 +12,7 @@ VMM_RPC=http://127.0.0.1:10000 # The type of sealing key to used by the VM (SGX,KMS) # KMS should only be used for development and SGX for production. -SEALING_KEY_TYPE=KMS +SEALING_KEY_TYPE=SGX # Port on the host machine to connect to the dstack guest agent EXTERNAL_DSTACK_AGENT_PORT=127.0.0.1:9208 @@ -35,10 +35,10 @@ INTERNAL_MPC_MAIN_PORT=80 # The dstack OS image name use for the CVM # production OS image -#OS_IMAGE=dstack-0.5.2 +#OS_IMAGE=dstack-0.5.4 # development OS image -OS_IMAGE=dstack-dev-0.5.2 +OS_IMAGE=dstack-dev-0.5.4 # Path of the launcher docker_compose_file DOCKER_COMPOSE_FILE_PATH=launcher_docker_compose.yaml diff --git a/tee_launcher/launcher_docker_compose.yaml b/tee_launcher/launcher_docker_compose.yaml index aa1b1922a..b51c067ac 100644 --- a/tee_launcher/launcher_docker_compose.yaml +++ b/tee_launcher/launcher_docker_compose.yaml @@ -9,7 +9,7 @@ services: environment: - PLATFORM=TEE - DOCKER_CONTENT_TRUST=1 - - DEFAULT_IMAGE_DIGEST=sha256:07bba7c60565750f6d5fe6800cd73513dd2d0d02e6893184064e209ff37c25a2 + - DEFAULT_IMAGE_DIGEST=sha256:9143bc98aaae3408c14cf4490d7b0e96a5a32d989ec865a0cf8dde391831a7a9 volumes: - /var/run/docker.sock:/var/run/docker.sock diff --git a/tee_launcher/user-config.conf b/tee_launcher/user-config.conf index 711b67c41..2df3effaa 100644 --- a/tee_launcher/user-config.conf +++ b/tee_launcher/user-config.conf 
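Review bot: With `SEALING_KEY_TYPE=SGX` now the default in the first hunk of `tee_launcher/default.env`, the active image in the second hunk is still the development one, `OS_IMAGE=dstack-dev-0.5.4`, so the shipped defaults pair the production sealing mode with a development OS image. The file's own comment says KMS is for development and SGX for production, so an operator who deploys the defaults unchanged gets a mix that probably matches neither profile. Either make `OS_IMAGE=dstack-0.5.4` the uncommented default, or add a comment above the line such as `# Production: use OS_IMAGE=dstack-0.5.4 together with SEALING_KEY_TYPE=SGX; the dev image is for testing only`. The context comment `to used by the VM` could be corrected to `used by the VM` in the same change.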
@@ -1,18 +1,20 @@ # Optional override parameters to find fetch the MPC docker image. MPC_IMAGE_NAME=nearone/mpc-node -MPC_IMAGE_TAGS=3.3.2 +MPC_IMAGE_TAGS=3.6.0 MPC_REGISTRY=registry.hub.docker.com -MPC_ACCOUNT_ID=mpc-3-barak-launch1-b654bfa0a52e.5035bf56abb0.testnet +MPC_ACCOUNT_ID=n1-multichain.testnet MPC_LOCAL_ADDRESS=127.0.0.1 -MPC_SECRET_STORE_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -MPC_CONTRACT_ID=mpc-contract-barak-launch1-4c5e2fe1fb42.5035bf56abb0.testnet +MPC_SECRET_STORE_KEY=9f3c7a1e5b6d4c20a8f1d2e9b3c7f04a +MPC_CONTRACT_ID=v1.signer-prod.testnet MPC_ENV=testnet MPC_HOME_DIR=/data RUST_BACKTRACE=full RUST_LOG=mpc=debug,info -NEAR_BOOT_NODES=ed25519:9qyu1RaJ5shX6UEb7UooPQYVXCC1tNHCiDPPxJ8Pv1UJ@116.202.220.238:34567,ed25519:8mzYnfuT5zQYqV99CfYAX6XoRmNxVJ1nAZHXXW4GrFD@34.221.144.70:24567,ed25519:B87Qq34LbWadFx2dq5bwUEtB5KBgr8ZhsoEpAiSP2qVX@142.132.203.80:24567,ed25519:EufXMhFVixgFpg2bBaHGL4Zrks1DDrhAZTQYwbjRTAUX@65.109.25.109:24567,ed25519:HJJde5skATXLA4wGk8P9awvfzaW47tCU2EsRXnMoFRA9@129.150.39.19:24567,ed25519:BavpjuYrnXRFQVWjLdx9vx9vAvanit9NhhcPeM6gjAkE@95.217.198.233:24567,ed25519:81zk9MvvoxB1AzTW721o9m2NeYx3pDFDZyRJUQej65uc@195.14.6.172:24567,ed25519:E4gQXBovauvqxx85TdemezhkDDsAsqEL7ZJ4cp5Cdhsb@129.80.119.109:24567,ed25519:6cWtXFAzqpZ8D7EpLGYBmkw95oKYkzN8i99UcRgsyRMy@164.132.247.155:24567,ed25519:CLnWy9xv2GUqfgepzLwpv4bozj3H3kgzjbVREyS6wcqq@47.242.112.172:24567,ed25519:2NmT9Wy9HGBmH8sTWSq2QfaMk4R8ZHBEhk8ZH4g4f1Qk@65.109.88.175:24567,ed25519:9dhPYd1ArZ6mTMP7nnRzm8JBPwKCaBxiYontS5KfXz5h@34.239.1.54:24567,ed25519:8iiQH4vtqsqWgsm4ypCJQQwqJR3AGp9o7F69YRaCHKxA@141.95.204.11:24567,ed25519:4L97JnFFFVbfE8M3tY9bRtgV5376y5dFH8cSaoBDRWnK@5.199.170.103:24567,ed25519:DGJ91V2wJ8NFpkqZvphtSeM4CBeiLsrHGdinTugiRoFF@52.35.74.212:24567,ed25519:B9LSvCTimoEUtuUvpfu1S54an54uTetVabmkT5dELUCN@91.134.22.129:24567,ed25519:cRGmtzkkSZT6wXNjbthSXMD6dHrEgSeDtiEJAcnLLxH@15.204.213.166:24567 -# needed: Port forwarding - telemetry. 
-PORTS=8080:8080,3030:3030,80:80,24567:24567 +# telemertry,migration,debug,node-node,DSS +PORTS=8080:8080,8079:8079,3030:3030,80:80,24567:24567 + +NEAR_BOOT_NODES=ed25519:2956bsTqWmXcVmXDSovLYS4HRpdyh51euNCiuQjy1h8Y@65.108.141.230:24567,ed25519:2Ej627FDrHUBA1Mp55qw3zyhACSvJHF25sxtZfyFqasc@65.108.133.7:24567,ed25519:2GorYSFQUWB1But3sXLEM6zARfwb9Pj27QhQMsMpK8Dx@150.136.35.62:24567,ed25519:2nGLw9isJYVqCfaYzA6KHBE9YbtjzGQPPtVcRwYvpJj6@23.88.74.249:24567,ed25519:3MftyqGAFWFKAdz7zzRyiE9PCQXLnL4ZvHHywgays1PY@69.61.23.178:24567,ed25519:461PUjEvryeCck5cLDz65m9pZZjxaVdArYsN1UCdtg98@35.236.38.110:24567,ed25519:49F9yZpbQVefzWegVZYTh18WwFPPcfgvkDmhm7zM5MR4@89.58.28.231:24567,ed25519:4Fx8rLhGobUPVie1FXQCAxFaMQ3Dg6PYMDdm5keZcKW6@84.207.214.228:24567,ed25519:4M63uf6ccsjBkFygqx4T45fKSvKsFFMva9g7FRxjwzTH@176.9.105.103:24568,ed25519:4Rj2NR92umGC4xtXeJFkyCUYymdad3zii1zVEMVnVKqH@5.9.40.211:24567,ed25519:4gdz1kjG7ndfbSwgMRtgNYZ7D6reHdnBgZN71U3agwtw@198.244.253.126:24567 +
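Review bot: `MPC_SECRET_STORE_KEY=9f3c7a1e5b6d4c20a8f1d2e9b3c7f04a` replaces an obviously fake all-`A` placeholder with a value that looks like a real key, and anything committed to this file is public, so a node started from it unchanged would protect its secret store with a known key. If that value is in use anywhere it should be rotated; in the sample, keep a recognisable placeholder and add a comment above the line such as `# Generate a fresh random key per node; never deploy the sample value`. `MPC_ACCOUNT_ID` and `MPC_CONTRACT_ID` now name what look like real testnet accounts, which may deserve the same replace-before-use comment. The new `PORTS` line publishes the migration port 8079 alongside the debug and telemetry ports by default, and its comment has a typo (`telemertry`, repeated in the TDX guide hunk); a comment in mapping order, `# telemetry/debug 8080, migration 8079, debug 3030, node-to-node 80, state sync 24567`, would be clearer.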