diff --git a/.github/workflows/build-deb-package-and-integration-tests.yml b/.github/workflows/build-deb-package-and-integration-tests.yml
index de5bbae10..803a2ac31 100644
--- a/.github/workflows/build-deb-package-and-integration-tests.yml
+++ b/.github/workflows/build-deb-package-and-integration-tests.yml
@@ -40,7 +40,6 @@ jobs:
 - name: Ensure that the relevant files are present in the package
 run: |
- dpkg --contents packaging/target/${{ matrix.artifact_name }} | grep /opt/kubo/ipfs
 dpkg --contents packaging/target/${{ matrix.artifact_name }} | grep /opt/firecracker/firecracker
 dpkg --contents packaging/target/${{ matrix.artifact_name }} | grep /opt/firecracker/jailer
 dpkg --contents packaging/target/${{ matrix.artifact_name }} | grep /opt/firecracker/vmlinux.bin
diff --git a/packaging/Makefile b/packaging/Makefile
index 24a83f662..661ced5fa 100644
--- a/packaging/Makefile
+++ b/packaging/Makefile
@@ -22,13 +22,14 @@ debian-package-code:
 build_venv/bin/pip install --no-cache-dir --progress-bar off --target ./aleph-vm/opt/aleph-vm/ 'aleph-message~=1.0.1' 'eth-account==0.10' 'sentry-sdk==1.31.0' 'qmp==1.1.0' 'aleph-superfluid~=0.2.1' 'sqlalchemy[asyncio]>=2.0' 'aiosqlite==0.19.0' 'alembic==1.13.1' 'aiohttp_cors==0.7.0' 'pydantic-settings==2.6.1' 'pyroute2==0.7.12' 'python-cpuid==0.1.0' 'solathon==1.0.2' 'protobuf==5.28.3'
 build_venv/bin/python3 -m compileall ./aleph-vm/opt/aleph-vm/
-debian-package-resources: firecracker-bins vmlinux download-ipfs-kubo target/bin/sevctl
+debian-package-resources: firecracker-bins vmlinux target/bin/sevctl
 rm -fr ./aleph-vm/opt/firecracker
 mkdir -p ./aleph-vm/opt/firecracker
 cp -pr ./target/vmlinux.bin ./aleph-vm/opt/firecracker/
 cp -pr ./target/firecracker ./aleph-vm/opt/firecracker/
 cp -pr ./target/jailer ./aleph-vm/opt/firecracker/
- cp -pr ./target/kubo/kubo ./aleph-vm/opt/kubo
+ # Disable Kubo installation for now
+ # cp -pr ./target/kubo/kubo ./aleph-vm/opt/kubo
 cp -pr ./target/bin/sevctl ./aleph-vm/opt/sevctl
 firecracker-bins: target-dir build-dir
diff --git a/packaging/aleph-vm/DEBIAN/postinst b/packaging/aleph-vm/DEBIAN/postinst
index 913e8c411..7eb70dfd2 100755
--- a/packaging/aleph-vm/DEBIAN/postinst
+++ b/packaging/aleph-vm/DEBIAN/postinst
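Review bot: In `debian-package-resources` (packaging/Makefile) the recipe clears only `./aleph-vm/opt/firecracker` before staging, so a `./aleph-vm/opt/kubo` directory left behind by an earlier build would presumably still be packed into the .deb now that the copy is commented out. Adding `rm -fr ./aleph-vm/opt/kubo` next to the existing `rm -fr` line would keep a stale, no-longer-updated IPFS binary out of the package. The workflow check for `/opt/kubo/ipfs` was deleted rather than inverted; a step that fails when `dpkg --contents` still lists `/opt/kubo/` would catch this in CI. The commented-out `cp` would also be clearer with a comment saying under what condition it is expected to come back, or removed outright.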
@@ -9,18 +9,27 @@ rm -fr /srv/jailer # Upgrade from < 0.1.11
 rm -fr /tmp/aleph # Upgrade from < 0.1.11
 mkdir -p /var/lib/aleph/vm/jailer
-# Create the IPFS directory if it does not exist
-if [ ! -d "/var/lib/ipfs" ]; then
- mkdir -p /var/lib/ipfs
- # Set appropriate permissions if needed
- chown ipfs:ipfs /var/lib/ipfs
+# Clean the IPFS directory if it does exist
+if [ -d "/var/lib/ipfs" ]; then
+ if ! [[ -v container ]]; then
+ # Check if service is running to stop it
+ if systemctl is-active --quiet ipfs.service; then
+ systemctl stop ipfs.service
+ fi
+
+ # Check if service is enabled to disable it
+ if systemctl is-enabled --quiet ipfs.service; then
+ systemctl disable ipfs.service
+ fi
+ fi
+
+ # Remove existing IPFS files to free some space
+ rm -rf /var/lib/ipfs
 fi
 # Systemd is absent from containers
 if ! [[ -v container ]]; then
 systemctl daemon-reload
- systemctl enable ipfs.service
- systemctl restart ipfs.service
 systemctl enable aleph-vm-supervisor.service
 systemctl restart aleph-vm-supervisor.service
 fi
diff --git a/packaging/aleph-vm/DEBIAN/preinst b/packaging/aleph-vm/DEBIAN/preinst
index 4fb97a8be..9b74c70c6 100755
--- a/packaging/aleph-vm/DEBIAN/preinst
+++ b/packaging/aleph-vm/DEBIAN/preinst
@@ -12,6 +12,4 @@ fi
 set -e
-# We will not delete this user on uninstall since there may be files owned by that user in /var/lib/ipfs
-addgroup --system ipfs
-adduser --system --ingroup ipfs ipfs
+
diff --git a/packaging/aleph-vm/etc/systemd/system/aleph-vm-supervisor.service b/packaging/aleph-vm/etc/systemd/system/aleph-vm-supervisor.service
index 755d971b1..2207987c6 100644
--- a/packaging/aleph-vm/etc/systemd/system/aleph-vm-supervisor.service
+++ b/packaging/aleph-vm/etc/systemd/system/aleph-vm-supervisor.service
@@ -1,7 +1,6 @@
 [Unit]
 Description=Aleph.im VM execution engine
-After=network.target ipfs.service
-Wants=ipfs.service
+After=network.target
 [Service]
 User=0
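Review bot: In packaging/aleph-vm/DEBIAN/postinst the new block stops and disables `ipfs.service` and runs `rm -rf /var/lib/ipfs` on every configure run where that directory exists, with no check that the service and data came from an earlier aleph-vm package. On a host where the operator runs their own IPFS node under the same unit name and path, each aleph-vm install or upgrade would shut it down and delete its repository. Gating the cleanup on the version being upgraded from would limit it to the migration case, e.g. `if [ "$1" = "configure" ] && dpkg --compare-versions "${2:-}" lt-nl "<FIRST_VERSION_WITHOUT_IPFS>"; then` around the block. The `ipfs` system user and group that the old preinst created stay behind on upgraded hosts; a comment saying whether that is intentional would help. The script's header, including its `set` options, is outside the hunk.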
diff --git a/packaging/aleph-vm/etc/systemd/system/ipfs.service b/packaging/aleph-vm/etc/systemd/system/ipfs.service
deleted file mode 100644
index 2009361e3..000000000
--- a/packaging/aleph-vm/etc/systemd/system/ipfs.service
+++ /dev/null
@@ -1,84 +0,0 @@
-# Source: https://github.com/ipfs/kubo/blob/master/misc/systemd/ipfs-hardened.service
-
-# This file will be overwritten on package upgrades, avoid customizations here.
-#
-# To make persistent changes, create file in
-# "/etc/systemd/system/ipfs.service.d/overwrite.conf" with
-# `systemctl edit ipfs.service`. This file will be parsed after this
-# file has been parsed.
-#
-# To overwrite a variable, like ExecStart you have to specify it once
-# blank and a second time with a new value, like:
-# ExecStart=
-# ExecStart=/usr/bin/ipfs daemon --flag1 --flag2
-#
-# For more info about custom unit files see systemd.unit(5).
-
-# This service file enables systemd-hardening features compatible with IPFS,
-# while breaking compatibility with the fuse-mount function. Use this one only
-# if you don't need the fuse-mount functionality.
-
-[Unit]
-Description=InterPlanetary File System (IPFS) daemon
-Documentation=https://docs.ipfs.tech/
-After=network.target
-
-[Service]
-# hardening
-ReadOnlyPaths="/opt/kubo/" "/etc/ipfs"
-ReadWritePaths="/var/lib/ipfs/"
-NoNewPrivileges=true
-ProtectSystem=strict
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-PrivateDevices=true
-DevicePolicy=closed
-ProtectControlGroups=true
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-ProtectHostname=true
-PrivateTmp=true
-ProtectClock=true
-LockPersonality=true
-RestrictNamespaces=true
-RestrictRealtime=true
-MemoryDenyWriteExecute=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged
-ProtectHome=true
-RemoveIPC=true
-RestrictSUIDSGID=true
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-
-# enable for 1-1024 port listening
-#AmbientCapabilities=CAP_NET_BIND_SERVICE
-# enable to specify a custom path see docs/environment-variables.md for further documentations
-#Environment=IPFS_PATH=/custom/ipfs/path
-# enable to specify a higher limit for open files/connections
-#LimitNOFILE=1000000
-
-# Avoid a permission denier error when running `lstat /home/ipfs/.config/ipfs/denylists`
-# due to checking $XDG_CONFIG_HOME/ipfs/denylists/
-Environment=XDG_CONFIG_HOME=/etc
-
-#don't use swap
-MemorySwapMax=0
-
-# Don't timeout on startup. Opening the IPFS repo can take a long time in some cases (e.g., when
-# badger is recovering) and migrations can delay startup.
-#
-# Ideally, we'd be a bit smarter about this but there's no good way to do that without hooking
-# systemd dependencies deeper into go-ipfs.
-TimeoutStartSec=infinity
-
-Type=notify
-User=ipfs
-Group=ipfs
-Environment=IPFS_PATH="/var/lib/ipfs"
-ExecStart=/opt/kubo/ipfs daemon --init --migrate --init-profile=server --config-file /etc/ipfs/kubo.json
-Restart=on-failure
-KillSignal=SIGINT
-
-[Install]
-WantedBy=default.target