# build node
on host, not docker, if host is ubuntu 22.04: `cargo build --release`

# docker setup for worker build
https://github.com/integritee-network/integritee-dev/tree/main/worker
```
docker run --name integritee-dev-worker-and-node -it -p 9944-9999:9944-9999 -v $(pwd):/home/ubuntu/worker -v $(pwd)/../integritee-node:/home/ubuntu/integritee-node -e MYUID=$(id -u) -e MYGUID=$(id -g) integritee/integritee-dev:0.2.2 /bin/bash
cd integritee-node
./target/release/integritee-node --dev --unsafe-rpc-external --rpc-cors all
```
note: `--unsafe-rpc-external --rpc-cors all` lets any host and any browser origin call the node's RPC, unsafe methods included, and `-p 9944-9999:9944-9999` publishes those ports on every host interface. this is meant for a local dev box; on a shared network publish on loopback only (`-p 127.0.0.1:9944-9999:9944-9999`).

to re-enter docker later: `docker start -ai integritee-dev-worker-and-node`

or if you NEED root access `docker exec -it integritee-dev-worker /bin/bash`

# teeracle
## console 1: node
```
cd integritee-node
./target/release/integritee-node --dev --unsafe-rpc-external --rpc-cors all
```
## console 2: worker
build and run teeracle:
```
SGX_MODE=SW WORKER_MODE=teeracle WORKER_FEATURES=dcap make
cd bin
./integritee-service -c run --skip-ra --dev --teeracle-interval 10s
```
note: `SGX_MODE=SW` builds the enclave for simulation and `--skip-ra` skips remote attestation, so these runs are for development and give no SGX guarantees.

## console 3: demo
```
cd cli
./demo_teeracle_whitelist.sh -d 7 -i 10
```
# sidechain
## console 1: node
same as above
## console 2: worker1
build and run validateer:
```
SGX_MODE=SW WORKER_MODE=sidechain WORKER_FEATURES=dcap make
cd bin
export RUST_LOG=info,substrate_api_client=warn,ws=warn,mio=warn,its_consensus_common=info,sidechain=info,integritee_service=trace,enclave_runtime=trace,ac_node_api=warn,sp_io=warn,itc_parentchain_indirect_calls_executor=trace,itp_stf_executor=trace,itc_parentchain_light_client=trace,itc_parentchain_block_importer=trace,itp_stf_state_handler=trace,ita_stf=trace,itp-attestation-handler=debug,itc_parentchain_indirect_calls_executor=trace,itp_top_pool=debug,itc_offchain_worker_executor=debug,ita_parentchain_interface=trace,its_rpc_handler=debug
./integritee-service -c run 11111111111111111111111111111111 --skip-ra --dev
```
## console 3: worker2
```
RUST_LOG=info,substrate_api_client=warn,its_consensus_common=info,sidechain=info ./integritee-service
-c -d ./worker2 -P 3000 -w 3001 -r 3444 -h 4546 run 11111111111111111111111111111111 --skip-ra --dev &> worker2.log
```

# only worker in docker, rest on host
`docker run --name integritee-dev-worker -it --expose 9944-9999 -p 2000:2000 -v $(pwd):/home/ubuntu/worker -e MYUID=$(id -u) -e MYGUID=$(id -g) integritee/integritee-dev:0.2.2 /bin/bash`

find out host ip: `ip addr show docker0 | grep -Po 'inet \K[\d.]+'`
use this IP address when calling the worker
```
export RUST_LOG=info,substrate_api_client=warn,ws=warn,mio=warn,its_consensus_common=info,sidechain=info,integritee_service=trace,enclave_runtime=trace,ac_node_api=warn,sp_io=warn,itc_parentchain_indirect_calls_executor=trace,itp_stf_executor=trace,itc_parentchain_light_client=trace,itc_parentchain_block_importer=trace,itp_stf_state_handler=trace,ita_stf=trace,itp-attestation-handler=debug,itc_parentchain_indirect_calls_executor=trace,itp_top_pool=debug,itc_offchain_worker_executor=debug,ita_parentchain_interface=trace,its_rpc_handler=debug
./integritee-service -u ws://172.17.0.1 --ws-external -c run --skip-ra --dev &> worker.log
```
replace MRENCLAVE with yours (the value printed by `./integritee-cli -u ws://172.17.0.1 list-workers`)
```
export MRENCLAVE=3APJaot1twApyYjYK1SrFHQQmySdadohkkdfKatYiWhn
./integritee-cli -u ws://172.17.0.1 shield-funds //Alice //Alice 20000000000000 $MRENCLAVE
./integritee-cli -u ws://172.17.0.1 trusted --mrenclave $MRENCLAVE --direct unshield-funds //Alice //Alice 1000000000000
```
second worker requests provisioning in same container:
```
./integritee-service -u ws://172.17.0.1 -r 3444 -P 2100 -h 2110 -w 2101 -i 8788 -c -d /tmp/worker2 request-state --skip-ra &> worker2.log
```
or, alternatively, just starts running and obtains provisioning on the fly:
```
./integritee-service -u ws://172.17.0.1 -r 3444 -P 2100 -h 2110 -w 2101 -i 8788 -c -d /tmp/worker2 run --skip-ra --dev &> worker2.log
```

# multi-parentchain testing
in integritee/parachain: spawn rococo-local with asset hub and integritee
`zombienet-linux-x64 spawn --provider native
zombienet/rococo-local-with-integritee-and-asset-hub.toml`

start worker with target-b AssetHub setup
```
export RUST_LOG=info,substrate_api_client=warn,ws=warn,mio=warn,its_consensus_common=info,sidechain=info,integritee_service=trace,enclave_runtime=trace,ac_node_api=warn,sp_io=warn,itc_parentchain_indirect_calls_executor=trace,itp_stf_executor=trace,itc_parentchain_light_client=trace,itc_parentchain_block_importer=trace,itp_stf_state_handler=trace,ita_stf=trace,itp-attestation-handler=debug,itc_parentchain_indirect_calls_executor=trace,itp_top_pool=debug,itc_offchain_worker_executor=debug,ita_parentchain_interface=trace,its_rpc_handler=debug,itp_extrinsics_factory=trace
./integritee-service -c -u ws://172.17.0.1 --target-b-parentchain-rpc-url ws://172.17.0.1 --target-b-parentchain-rpc-port 9954 run --skip-ra --dev --shielding-target target-b &> worker.log
```
the client now needs to connect to either integritee or target_a depending on the activity
```
export FLAVOR_ID=sidechain
./demo_shielding_unshielding_using_shard_vault_on_target_a.sh -u ws://172.17.0.1 -A ws://172.17.0.1 -a 9954 -t first
```

# privacy sidechain demo stuff
## cli
```
#run validateer worker
./integritee-service -c -u ws://172.17.0.1 --target-a-parentchain-rpc-url ws://172.17.0.1 --target-a-parentchain-rpc-port 9954 run --skip-ra --dev --shielding-target target_a | tee
# setup
alias integritee="../target/release/integritee-cli -u ws://172.17.0.1"
alias assethub="../target/release/integritee-cli -u ws://172.17.0.1 -p 9954"
read MRENCLAVE <<< $(integritee list-workers | awk '/ MRENCLAVE: / { print $2; exit }')
alias incognitee="../target/release/integritee-cli -u ws://172.17.0.1 trusted --mrenclave $MRENCLAVE"
assethub transfer //Alice //Laura 100000000000000
incognitee get-shard-vault
read VAULT <<< $(incognitee get-shard-vault)
# story
assethub balance //Laura
incognitee balance //Laura
incognitee get-shard-vault
assethub transfer //Laura $VAULT 50000000000000
assethub balance //Laura
incognitee balance //Laura
incognitee balance //Julian
incognitee --direct transfer //Laura //Julian 10000000000000
incognitee balance //Laura
incognitee balance //Julian
assethub balance //Edward
incognitee --direct unshield-funds //Julian //Edward 9000000000000
assethub balance //Edward
incognitee balance //Julian
```
screencast hints:

new terminal:
```
docker start -a -i integritee-dev-worker
tmux -u # for unicode
#Ctrl-B-: set -g mouse on
#Ctrl-B-"
cd worker/bin # both
PS1="wallet> "
PS1="validateer> "
```
then, start validateer and wait until ProxyAdded appears on AssetHub

reasonable logging level for worker and cli:
```
export RUST_LOG=info,substrate_api_client=warn,ws=warn,mio=warn,ac_node_api=warn,sp_io=warn,sp_io::storage=error,tungstenite=warn
export RUST_LOG=trace,substrate_api_client=warn,ws=warn,mio=warn,ac_node_api=warn,sp_io=warn,sp_io::storage=error,tungstenite=warn,rustls=info,soketto=info,itc_tls_websocket_server=info,itc_rpc_client=info
```

# browser UIs
browsers are very restrictive, even for localhost.
We need to use https for localhost or the browser will refuse to connect to the enclave with wss

## setup https://localhost

**THIS WORKS BUT DOES NOT SOLVE THE PROBLEM**
the browser can connect to https://localhost, but the ws won't open anyway
```
sudo apt install openssl nginx
sudo mkdir /etc/ssl/localcerts
cd /etc/ssl/localcerts
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt
# enter 'localhost' for common name when prompted
sudo nano /etc/nginx/sites-available/default
```
```
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/ssl/localcerts/localhost.crt;
ssl_certificate_key /etc/ssl/localcerts/localhost.key;
# Proxy requests to the application running on localhost:3000
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
then
```
sudo systemctl restart nginx
```

## integration tests for encointer-js/worker-api
manually change these lines and run `yarn test` with the worker running in docker:2000 and the node running on host:9944
caveat: each new build of the worker needs a change of MRENCLAVE
```diff=
diff --git a/packages/worker-api/src/integriteeWorker.spec.ts b/packages/worker-api/src/integriteeWorker.spec.ts
index 2a62d8c..60281cc 100644
--- a/packages/worker-api/src/integriteeWorker.spec.ts
+++ b/packages/worker-api/src/integriteeWorker.spec.ts
@@ -1,6 +1,6 @@
 import { Keyring } from '@polkadot/api';
 import { cryptoWaitReady } from '@polkadot/util-crypto';
-import { paseoNetwork} from './testUtils/networks.js';
+import { localDockerNetwork} from './testUtils/networks.js';
 import { IntegriteeWorker } from './integriteeWorker.js';
 import WS from 'websocket';
 import {type KeyringPair} from "@polkadot/keyring/types";
@@ -8,7 +8,7 @@ import {type KeyringPair} from "@polkadot/keyring/types";
 const {w3cwebsocket: WebSocket} = WS;
 describe('worker', () => {
- const network = paseoNetwork();
+ const network = localDockerNetwork();
 let keyring: Keyring;
 let worker: IntegriteeWorker;
 let alice: KeyringPair;
@@ -39,7 +39,7 @@ describe('worker', () => {
 // skip it, as this requires a worker (and hence a node) to be running
 // To my knowledge jest does not have an option to run skipped tests specifically, does it?
 // Todo: add proper CI to test this too.
- describe.skip('needs worker and node running', () => {
+ describe('needs worker and node running', () => {
 describe('getWorkerPubKey', () => {
 it('should return value', async () => {
 const result = await worker.getShieldingKey();
diff --git a/packages/worker-api/src/testUtils/networks.ts b/packages/worker-api/src/testUtils/networks.ts
index a18308d..4e4d4d2 100644
--- a/packages/worker-api/src/testUtils/networks.ts
+++ b/packages/worker-api/src/testUtils/networks.ts
@@ -39,8 +39,8 @@ export const localDockerNetwork = () => {
 chain: 'ws://127.0.0.1:9944',
 worker: 'wss://127.0.0.1:2000',
 genesisHash: '0x388c446a804e24e77ae89f5bb099edb60cacc2ac7c898ce175bdaa08629c1439',
- mrenclave: '9jm9Wm4DwGxsUUPA1cvcWWxyTuynpJ2YeEcNGnm8nztk',
- chosenCid: '9jm9Wm4DwGxsUUPA1cvcWWxyTuynpJ2YeEcNGnm8nztk',
+ mrenclave: '6MEV9VrEpXaatzmohdVNS1rqFjE4EGQ8TzD3PtAypzLb',
+ chosenCid: '6MEV9VrEpXaatzmohdVNS1rqFjE4EGQ8TzD3PtAypzLb',
 customTypes: {},
 palletOverrides: {}
 };
```
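Review bot: Dropping `.skip` from `describe('needs worker and node running', ...)` makes the live suite run on every `yarn test`, so it fails wherever no worker and node are up, and the edit has to be reverted by hand before each commit. Keep the default skipped and opt in through the environment, e.g. `const describeLive = process.env.RUN_WORKER_TESTS ? describe : describe.skip;` followed by `describeLive('needs worker and node running', () => {` (the variable name is illustrative). The same switch could choose between `paseoNetwork()` and `localDockerNetwork()` in the `const network = ...` hunk, so that line needs no manual edit either. The `describe` body continues past the end of the hunk.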
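Review bot: The replaced `mrenclave` and `chosenCid` literals pin the measurement of one particular local worker build, so the fixture goes stale on every rebuild and a value that matches nobody else's enclave is easy to commit. Take the value from the environment and keep a literal only as a fallback, e.g. `mrenclave: process.env.MRENCLAVE ?? '<mrenclave-of-your-build>',` with `chosenCid` set from the same expression so the two cannot drift apart. Because the local worker in this setup is started with `--skip-ra`, the value identifies the build but is not backed by remote attestation; a comment such as `// dev fixture: worker runs with --skip-ra, this MRENCLAVE is unattested` would say so. The opening of `localDockerNetwork` is outside the hunk.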