chore(ic-boundary): add configuration at deploy

dfinity · Feb 9, 2024 · 245c487 · 245c487
1 parent 201258a
commit 245c487
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 4 deletions.
diff --git a/ic-os/boundary-guestos/rootfs/etc/systemd/system/ic-boundary.service b/ic-os/boundary-guestos/rootfs/etc/systemd/system/ic-boundary.service
@@ -22,6 +22,8 @@ ExecStart=/bin/bash -c ' \
         --log-failed-requests-only \
         --nftables-system-replicas-path /run/ic-node/etc/nftables/system_replicas.ruleset \
         --rate-limit-ledger-transfer 5 \
+        ${MAX_CONCURRENCY:+ --max-concurrency "${MAX_CONCURRENCY}"} \
+        ${SHED_EWMA_PARAM:+ --shed-ewma-param "${SHED_EWMA_PARAM}"} \
         ${RPS_LIMIT_SUBNET:+ --rate-limit-per-second-per-subnet "${RPS_LIMIT_SUBNET}"} \
         ${CACHE_SIZE:+ --cache-size-bytes "${CACHE_SIZE}"} \
         ${CACHE_ITEM_MAX_SIZE:+ --cache-max-item-size-bytes "${CACHE_ITEM_MAX_SIZE}"} \

diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/bootstrap-ic-node.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/bootstrap-ic-node.sh
@@ -66,6 +66,7 @@ function process_bootstrap() {
         certificate_issuer.conf
         certificate_syncer.conf
         denylist.map
+        ic_boundary.conf
         network.conf
         nns_public_key.pem
         nns.conf

diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-ic-boundary.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-ic-boundary.sh
@@ -5,6 +5,8 @@ source '/opt/ic/bin/helpers.shlib'
 
 readonly SERVICE_NAME='ic-boundary'
 
+readonly IC_BOUNDARY_CONFIG="${BOOT_DIR}/ic_boundary.conf"
+
 readonly NNS_CONFIG="${BOOT_DIR}/nns.conf"
 readonly NNS_PEM="${BOOT_DIR}/nns_public_key.pem"
 
@@ -37,6 +39,15 @@ function read_variables() {
         err "missing NNS configuration value(s): $(cat "${NNS_CONFIG}")"
         exit 1
     fi
+
+    if [ -f "${IC_BOUNDARY_CONFIG}" ]; then
+        while IFS="=" read -r key value; do
+            case "${key}" in
+                "max_concurrency") MAX_CONCURRENCY+=("${value}") ;;
+                "shed_ewma_param") SHED_EWMA_PARAM+=("${value}") ;;
+            esac
+        done <"${IC_BOUNDARY_CONFIG}"
+    fi
 }
 
 function generate_config() {
@@ -51,6 +62,8 @@ NNS_URL=${NNS_URL}
 CACHE_SIZE=1073741824
 CACHE_ITEM_MAX_SIZE=131072
 CACHE_TTL=1
+MAX_CONCURRENCY=${MAX_CONCURRENCY:-}
+SHED_EWMA_PARAM=${SHED_EWMA_PARAM:-}
 EOF
 }
 

diff --git a/ic-os/boundary-guestos/scripts/build-deployment.sh b/ic-os/boundary-guestos/scripts/build-deployment.sh
@@ -49,7 +49,7 @@ Arguments:
        --cert-issuer-creds              specify a credentials file for certificate-issuer
        --cert-issuer-identity           specify an identity file for certificate-issuer
        --cert-issuer-enc-key            specify an encryption key for certificate-issuer
-       --cert-syncer-raw-domains-file   specify a path to a file containing a list of custom domains
+       --ic-boundary-config             specify a path to the ic-boundary config file
        --pre-isolation-canisters        specify a set of pre-domain-isolation canisters
        --ip-hash-salt                   specify a salt for hashing ip values
        --logging-url                    specify an endpoint for our logging backend
@@ -121,8 +121,8 @@ for argument in "${@}"; do
         --cert-issuer-enc-key=*)
             CERTIFICATE_ISSUER_ENCRYPTION_KEY="${argument#*=}"
             ;;
-        --cert-syncer-raw-domains-file=*)
-            CERTIFICATE_SYNCER_RAW_DOMAINS_FILE="${argument#*=}"
+        --ic-boundary-config=*)
+            IC_BOUNDARY_CONFIG="${argument#*=}"
             ;;
         --pre-isolation-canisters=*)
             PRE_ISOLATION_CANISTERS="${argument#*=}"
@@ -158,7 +158,6 @@ OUTPUT="${OUTPUT:=${BASE_DIR}/build-out}"
 SSH="${SSH:=${BASE_DIR}/../../testnet/config/ssh_authorized_keys}"
 CERT_DIR="${CERT_DIR:-}"
 CERTIFICATE_ISSUER_CREDENTIALS="${CERTIFICATE_ISSUER_CREDENTIALS:-}"
-CERTIFICATE_SYNCER_RAW_DOMAINS_FILE="${CERTIFICATE_SYNCER_RAW_DOMAINS_FILE:-}"
 if [ -z ${NNS_PUBLIC_KEY+x} ]; then
     err "--nns_public_key not set"
     exit 1
@@ -534,6 +533,27 @@ EOF
     done
 }
 
+function copy_ic_boundary_config() {
+    if [[ -z "${IC_BOUNDARY_CONFIG:-}" ]]; then
+        err "pre-domain-isolation canisters have not been provided, proceeding without copying them"
+        return
+    fi
+
+    for n in $NODES; do
+        declare -n NODE=$n
+        if [[ "${NODE["type"]}" != "boundary" ]]; then
+            continue
+        fi
+
+        local SUBNET_IDX="${NODE["subnet_idx"]}"
+        local NODE_IDX="${NODE["node_idx"]}"
+        local NODE_PREFIX="${DEPLOYMENT}.${SUBNET_IDX}.${NODE_IDX}"
+
+        mkdir -p "${CONFIG_DIR}/${NODE_PREFIX}"
+        cp "${IC_BOUNDARY_CONFIG}" "${CONFIG_DIR}/${NODE_PREFIX}/ic_boundary.conf"
+    done
+}
+
 function copy_pre_isolation_canisters() {
     if [[ -z "${PRE_ISOLATION_CANISTERS:-}" ]]; then
         err "pre-domain-isolation canisters have not been provided, proceeding without copying them"
@@ -668,6 +688,7 @@ function main() {
     copy_certs
     copy_deny_list
     copy_geolite2_dbs
+    copy_ic_boundary_config
     generate_certificate_issuer_config
     copy_pre_isolation_canisters
     copy_ip_hash_salt