Barak/update operator guide dstack setup3

docs/node-migration-guide.md

@@ -125,9 +125,11 @@ You should see your account and registered backup_cli  public key listed, someth
 {
   "your-account.testnet": [
     {
-      "public_key": "ed25519:AbC123"
+      "public_key": "ed25519:AbC123..."
     },
-} 
+    null
+  ]
+}
 ```
 
 ## Step 3: Generate and Set Encryption Key
@@ -207,9 +209,9 @@ Set up your new node on the new host with the following:
 1. **Install and configure the MPC node software** on the new host (the new node should use the same NEAR account as the old node)
 2. **Set the encryption key**: on the backup-cli and the new node (note: this can be a different key from the one used in the previous steps, but it's safe to re-use the same key).
 
-For the new node, add this to the .env file.
+For the new node, add this to the .env file (replace `<value>` with the actual key from Step 3):
    ```env
-   MPC_BACKUP_ENCRYPTION_KEY_HEX=$BACKUP_ENCRYPTION_KEY
+   MPC_BACKUP_ENCRYPTION_KEY_HEX=<value>
    ```
 
 
@@ -278,15 +280,15 @@ Call the `start_node_migration` method on the MPC contract to register the new n
 near contract call-function as-transaction \
   $MPC_CONTRACT_ACCOUNT_ID \
   start_node_migration \
-  json-args '{
-    "destination_node_info": {
-      "signer_account_pk": "$near_signer_public_key",
-      "destination_node_info": {
-        "url": "new-node.example.com:80",
-        "sign_pk": "$P2P_KEY"
+  json-args "{
+    \"destination_node_info\": {
+      \"signer_account_pk\": \"$near_signer_public_key\",
+      \"destination_node_info\": {
+        \"url\": \"new-node.example.com:80\",
+        \"sign_pk\": \"$P2P_KEY\"
       }
     }
-  }' \
+  }" \
   prepaid-gas '300.0 Tgas' \
   attached-deposit '0 NEAR' \
   sign-as $SIGNER_ACCOUNT_ID \

docs/running-an-mpc-node-in-tdx-external-guide.md

@@ -11,7 +11,13 @@ We use Dstack (from Phala) to orchestrate the environment and run the MPC contai
 ## Limitations and Restrictions
 
  **Important:**
-You cannot migrate an existing MPC node out of its CVM without data loss (for example: key share, P2P key). In addition, replacing or changing TDX-related hardware or dependencies (e.g., a CPU swap) may render the data unrecoverable.
+
+The CVM filesystem is encrypted with a hardware-bound key derived from SGX sealing, so copying the CVM or disk data to another machine will not work and may result in data loss, including loss of key shares and P2P identity keys.
+
+Platform-bound sealed data may also become unrecoverable if TDX-related hardware changes (for example, a CPU replacement).
+
+To move a node between hosts, follow the supported procedure described in the Node Migration section, which uses the backup-cli tool to securely transfer keyshares.
+
 
 ## Main difference between TEE and non TEE MPC nodes
 
@@ -578,9 +584,9 @@ RUST_LOG=mpc=debug,info
 
 NEAR_BOOT_NODES=$BOOT_NODES
 
+# telemertry,migration,debug,node-node,DSS
+PORTS=8080:8080,8079:8079,3030:3030,80:80,24567:24567
 
-# Port forwarding 
-PORTS=8080:8080,24567:24567,80:80
 
 ```
 
@@ -658,9 +664,10 @@ This creates a limitation when trying to run both **mainnet** and **testnet** no
 | Port   | Purpose                                                                 |
 |--------|-------------------------------------------------------------------------|
 | **80** | Node-to-node communication (port override convention)                   |
-| **24567** | Decentralized state sync                                               |
-| **8080** | Debug and telemetry collection, plus the new `getdata` endpoint         |
+| **24567** | Decentralized state sync                                             |
+| **8080** | Debug and telemetry collection, plus the new `/get_data` endpoint      |
 | **3030** | Debug and telemetry collection                                         |
+| **8079** | Migration port                    |
 
 ### Configuring and starting the MPC binary in a CVM
 

tee_launcher/default.env

@@ -12,7 +12,7 @@ VMM_RPC=http://127.0.0.1:10000
 
 # The type of sealing key to used by the VM (SGX,KMS)
 # KMS should only be used for development and SGX for production.
-SEALING_KEY_TYPE=KMS
+SEALING_KEY_TYPE=SGX
 
 # Port on the host machine to connect to the dstack guest agent
 EXTERNAL_DSTACK_AGENT_PORT=127.0.0.1:9208
@@ -35,10 +35,10 @@ INTERNAL_MPC_MAIN_PORT=80
 # The dstack OS image name use for the CVM
 
 # production OS image
-#OS_IMAGE=dstack-0.5.2
+#OS_IMAGE=dstack-0.5.4
 
 # development OS image
-OS_IMAGE=dstack-dev-0.5.2
+OS_IMAGE=dstack-dev-0.5.4
 
 # Path of the launcher docker_compose_file
 DOCKER_COMPOSE_FILE_PATH=launcher_docker_compose.yaml

tee_launcher/launcher_docker_compose.yaml

@@ -9,7 +9,7 @@ services:
     environment:
       - PLATFORM=TEE
       - DOCKER_CONTENT_TRUST=1
-      - DEFAULT_IMAGE_DIGEST=sha256:07bba7c60565750f6d5fe6800cd73513dd2d0d02e6893184064e209ff37c25a2
+      - DEFAULT_IMAGE_DIGEST=sha256:9143bc98aaae3408c14cf4490d7b0e96a5a32d989ec865a0cf8dde391831a7a9
 
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock

tee_launcher/user-config.conf

@@ -1,18 +1,20 @@
 # Optional override parameters to find fetch the MPC docker image.
 MPC_IMAGE_NAME=nearone/mpc-node
-MPC_IMAGE_TAGS=3.3.2
+MPC_IMAGE_TAGS=3.6.0
 MPC_REGISTRY=registry.hub.docker.com
 
-MPC_ACCOUNT_ID=mpc-3-barak-launch1-b654bfa0a52e.5035bf56abb0.testnet
+MPC_ACCOUNT_ID=n1-multichain.testnet
 MPC_LOCAL_ADDRESS=127.0.0.1
-MPC_SECRET_STORE_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-MPC_CONTRACT_ID=mpc-contract-barak-launch1-4c5e2fe1fb42.5035bf56abb0.testnet
+MPC_SECRET_STORE_KEY=9f3c7a1e5b6d4c20a8f1d2e9b3c7f04a
+MPC_CONTRACT_ID=v1.signer-prod.testnet
 MPC_ENV=testnet
 MPC_HOME_DIR=/data
 RUST_BACKTRACE=full
 RUST_LOG=mpc=debug,info
 
-NEAR_BOOT_NODES=ed25519:9qyu1RaJ5shX6UEb7UooPQYVXCC1tNHCiDPPxJ8Pv1UJ@116.202.220.238:34567,ed25519:8mzYnfuT5zQYqV99CfYAX6XoRmNxVJ1nAZHXXW4GrFD@34.221.144.70:24567,ed25519:B87Qq34LbWadFx2dq5bwUEtB5KBgr8ZhsoEpAiSP2qVX@142.132.203.80:24567,ed25519:EufXMhFVixgFpg2bBaHGL4Zrks1DDrhAZTQYwbjRTAUX@65.109.25.109:24567,ed25519:HJJde5skATXLA4wGk8P9awvfzaW47tCU2EsRXnMoFRA9@129.150.39.19:24567,ed25519:BavpjuYrnXRFQVWjLdx9vx9vAvanit9NhhcPeM6gjAkE@95.217.198.233:24567,ed25519:81zk9MvvoxB1AzTW721o9m2NeYx3pDFDZyRJUQej65uc@195.14.6.172:24567,ed25519:E4gQXBovauvqxx85TdemezhkDDsAsqEL7ZJ4cp5Cdhsb@129.80.119.109:24567,ed25519:6cWtXFAzqpZ8D7EpLGYBmkw95oKYkzN8i99UcRgsyRMy@164.132.247.155:24567,ed25519:CLnWy9xv2GUqfgepzLwpv4bozj3H3kgzjbVREyS6wcqq@47.242.112.172:24567,ed25519:2NmT9Wy9HGBmH8sTWSq2QfaMk4R8ZHBEhk8ZH4g4f1Qk@65.109.88.175:24567,ed25519:9dhPYd1ArZ6mTMP7nnRzm8JBPwKCaBxiYontS5KfXz5h@34.239.1.54:24567,ed25519:8iiQH4vtqsqWgsm4ypCJQQwqJR3AGp9o7F69YRaCHKxA@141.95.204.11:24567,ed25519:4L97JnFFFVbfE8M3tY9bRtgV5376y5dFH8cSaoBDRWnK@5.199.170.103:24567,ed25519:DGJ91V2wJ8NFpkqZvphtSeM4CBeiLsrHGdinTugiRoFF@52.35.74.212:24567,ed25519:B9LSvCTimoEUtuUvpfu1S54an54uTetVabmkT5dELUCN@91.134.22.129:24567,ed25519:cRGmtzkkSZT6wXNjbthSXMD6dHrEgSeDtiEJAcnLLxH@15.204.213.166:24567
-# needed: Port forwarding - telemetry.
-PORTS=8080:8080,3030:3030,80:80,24567:24567
+# telemertry,migration,debug,node-node,DSS
+PORTS=8080:8080,8079:8079,3030:3030,80:80,24567:24567
+
+NEAR_BOOT_NODES=ed25519:2956bsTqWmXcVmXDSovLYS4HRpdyh51euNCiuQjy1h8Y@65.108.141.230:24567,ed25519:2Ej627FDrHUBA1Mp55qw3zyhACSvJHF25sxtZfyFqasc@65.108.133.7:24567,ed25519:2GorYSFQUWB1But3sXLEM6zARfwb9Pj27QhQMsMpK8Dx@150.136.35.62:24567,ed25519:2nGLw9isJYVqCfaYzA6KHBE9YbtjzGQPPtVcRwYvpJj6@23.88.74.249:24567,ed25519:3MftyqGAFWFKAdz7zzRyiE9PCQXLnL4ZvHHywgays1PY@69.61.23.178:24567,ed25519:461PUjEvryeCck5cLDz65m9pZZjxaVdArYsN1UCdtg98@35.236.38.110:24567,ed25519:49F9yZpbQVefzWegVZYTh18WwFPPcfgvkDmhm7zM5MR4@89.58.28.231:24567,ed25519:4Fx8rLhGobUPVie1FXQCAxFaMQ3Dg6PYMDdm5keZcKW6@84.207.214.228:24567,ed25519:4M63uf6ccsjBkFygqx4T45fKSvKsFFMva9g7FRxjwzTH@176.9.105.103:24568,ed25519:4Rj2NR92umGC4xtXeJFkyCUYymdad3zii1zVEMVnVKqH@5.9.40.211:24567,ed25519:4gdz1kjG7ndfbSwgMRtgNYZ7D6reHdnBgZN71U3agwtw@198.244.253.126:24567
+