The attestor service can be deployed using two methods:

- From a local device. To run from a local device, make sure the AWS CLI tool and AWS access credentials have been correctly configured. Follow the steps below.
- Using AWS CloudShell from the AWS Management Console UI (recommended).

Before deploying, have the following ready:

- MTLS certificate/key and CA certificate. For testnet/staging/demo deployment, Venture23 will provide the MTLS CA certificate, attestor certificate and attestor key. Reference: https://docs.google.com/document/d/1K8-PXsaJHolj4TuOVRPLqLTRoD2-PHnh0lSE3vfpsQc/edit
  For Mainnet, use the openssl tool or any other method to generate the key and a CSR, and submit the CSR to Venture23. The signed certificate will be provided back. Example openssl steps can be found at the end of this page.
- Ethereum and Aleo wallet addresses and private keys.

If using AWS CloudShell, there is no need to install the dependencies to run the installer script.
- Install the AWS CLI tool.
- Add IAM permissions to the user (needed for both local and CloudShell). The user running the installer script should have the following IAM permissions. Reference: Creating and Attaching IAM Policy to user.

IAM Policy JSON:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2Permissions",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateIamInstanceProfile",
        "ec2:CreateKeyPair",
        "ec2:DescribeImages",
        "ec2:CreateTags",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeInstances",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey",
        "iam:GetAccessKeyLastUsed",
        "iam:DeleteSSHPublicKey",
        "iam:GetSSHPublicKey",
        "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey",
        "iam:CreateInstanceProfile",
        "iam:UpdateAssumeRolePolicy",
        "iam:PutUserPermissionsBoundary",
        "iam:AttachUserPolicy",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateAccessKey",
        "iam:CreatePolicy",
        "iam:DetachRolePolicy",
        "iam:AttachGroupPolicy",
        "iam:PutUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:CreatePolicyVersion",
        "iam:DetachUserPolicy",
        "iam:PutGroupPolicy",
        "iam:SetDefaultPolicyVersion",
        "iam:TagRole",
        "iam:GetRole",
        "iam:GetInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KMSAndSecretsManagerPermissions",
      "Effect": "Allow",
      "Action": [
        "kms:*",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:ListSecrets",
        "secretsmanager:UpdateSecret"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3Permissions",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "CloudShellPermissions",
      "Effect": "Allow",
      "Action": "cloudshell:*",
      "Resource": "*"
    }
  ]
}
```
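As an added example (not code from the Verulink project), the following Python script reviews the policy above from a least-privilege angle: it lists the service-wide wildcards (kms:*, cloudshell:*) and shows how the Secrets Manager actions that support resource-level permissions can be bound to the attestor's secret-name prefix instead of Resource "*". The POLICY excerpt, the function names and the region/account values are constructed for illustration.

```python
"""Least-privilege review of the installer IAM policy (added example, not Verulink code)."""
from __future__ import annotations
import copy

# Constructed excerpt of the policy from this page: only the statements that carry
# a service-wide wildcard action or act on Resource "*" are reproduced.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Permissions", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "KMSAndSecretsManagerPermissions", "Effect": "Allow",
         "Action": ["kms:*", "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
                    "secretsmanager:CreateSecret", "secretsmanager:ListSecrets",
                    "secretsmanager:UpdateSecret"],
         "Resource": "*"},
        {"Sid": "CloudShellPermissions", "Effect": "Allow",
         "Action": "cloudshell:*", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def wildcard_actions(policy: dict) -> list[tuple[str, str]]:
    """(Sid, action) pairs that grant every action of a service, e.g. kms:*."""
    return [(stmt.get("Sid", "<no Sid>"), action)
            for stmt in policy["Statement"]
            for action in _as_list(stmt["Action"]) if action.endswith("*")]

def scope_secrets(policy: dict, region: str, account: str, prefix: str) -> dict:
    """Move the Secrets Manager actions that support resource-level permissions into
    a new statement bound to secrets whose name starts with `prefix` (e.g. the
    mainnet/verulink/attestor/ prefix of the installer defaults). ListSecrets stays
    on Resource "*" because it has no resource-level permissions."""
    scoped = copy.deepcopy(policy)
    added = []
    for stmt in scoped["Statement"]:
        actions = _as_list(stmt["Action"])
        sm = [a for a in actions
              if a.startswith("secretsmanager:") and a != "secretsmanager:ListSecrets"]
        if sm and "*" in _as_list(stmt["Resource"]):
            stmt["Action"] = [a for a in actions if a not in sm]
            added.append({"Sid": stmt.get("Sid", "") + "Scoped", "Effect": "Allow",
                          "Action": sm,
                          "Resource": f"arn:aws:secretsmanager:{region}:{account}:secret:{prefix}*"})
    scoped["Statement"].extend(added)
    return scoped
```

kms:* and cloudshell:* are only reported, not rewritten, because the page does not state which KMS operations the installer performs; review those against the installer before narrowing them.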
- Create an AWS access key. Reference: To create AWS Access key.
- Configure AWS credentials using environment variables. Set the AWS credentials and region as environment variables:

  ```sh
  export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
  export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  export AWS_DEFAULT_REGION=us-east-1
  ```

  Reference: Refer to this AWS documentation for other environment variables.
- Clone the GitHub project repository:

  ```sh
  git clone https://github.com/venture23-aleo/verulink.git
  ```

- cd into the project directory:

  ```sh
  cd verulink
  ```

- Checkout the main branch:

  ```sh
  git checkout main
  ```

- Set up the Python virtual environment:

  ```sh
  make python-venv
  ```

- Activate the Python virtual environment:

  ```sh
  source venv/bin/activate
  ```

- Run the script. Note: to work around the issue described in the Troubleshooting section, it is recommended to export the environment variable OBJC_DISABLE_INITIALIZE_FORK_SAFETY first:

  ```sh
  export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
  ```

  Deployment runs in a Docker container:

  ```sh
  make deploy-to-aws
  ```
- Provide all the inputs as the script asks:
  - AWS Region (default: us-east-1)
  - AMI ID
  - AWS Instance Type (default: t3.medium)
  - Attestor node name (`<env>_attestor_verulink_<yourcompanyname>`, e.g. mainnet_attestor_verulink_v23)
  - AWS Secrets Manager secret name for signing keys (default: mainnet/verulink/attestor/signingservice)
  - Ethereum private key
  - Ethereum wallet address
  - Aleo private key
  - Aleo wallet address
  - AWS Secrets Manager secret name for the MTLS secret (default: mainnet/verulink/attestor/mtls)
  - MTLS CA certificate file
  - Attestor certificate file
  - Attestor key file
- Once successfully deployed, secure and back up the SSH key file of the machine, which is located in your home directory. Note: if using CloudShell, download the key by going to Actions and selecting Download file. Input the correct full path of the key file.
- Access the remote attestor machine via SSH and verify the services (from your deployment machine). The IP address is in the inventory.txt file (in the current directory) and the SSH private key is also available in the same project directory:

  ```sh
  ssh -i <private_key_file.pem> ubuntu@IP_ADDRESS
  ```

- Verify that the services chainService and signingService are running:

  ```sh
  docker ps
  ```

  Verify the logs of the services:

  ```sh
  docker exec -it <attestor-chainservice-id> sh
  cd ../logs
  cat verulink.log
  ```
Troubleshooting

At times, keys may not be retrievable during installation. In such cases, we can manually attempt to fetch the keys by executing the following command. If you haven't made any changes, the default SSH key name remains "mainnet_attestor_verulink_<attestor_name>-ssh-key.pem". This command checks with AWS Secrets Manager whether the keys can be retrieved:

```sh
ansible-playbook scripts/aws/deploy.yml -i inventory.txt -u ubuntu --private-key=<ssh_key_name> --tags debug,retrieve_secret
```

If the attestor deployment phase encounters an installation failure, proceed by running the Ansible playbook only for the remaining deployment tasks:

```sh
ansible-playbook scripts/aws/deploy.yml -i inventory.txt -u ubuntu --private-key=<ssh_key_name>
```

Alternatively, we can directly provide the public IP of the AWS EC2 instance instead of the inventory.txt file (the trailing comma is required; it tells Ansible to treat the argument as an inline host list rather than an inventory file):

```sh
ansible-playbook scripts/aws/deploy.yml -i 54.198.147.67, -u ubuntu --private-key attestor-ssh-key.pem
```

If no Docker containers are running, check the existing containers and view their logs.

- Show existing containers:

  ```sh
  docker ps -a
  ```

- View the logs of an existing container:

  ```sh
  docker logs <container_id>
  ```
In case of failure while deploying the attestor:

- Re-run the deployment script:

  ```sh
  make deploy-to-aws
  ```

- You will be asked whether you want to continue or reconfigure:

  ```
  Do you want to continue (C) deployment or reconfigure (R)?
  ```

- If you are using the same configuration (MTLS certificates, Ethereum and Aleo keys), type "C" to continue the deployment. If you are changing any of them, type "R" to reconfigure with new values.
If the following error occurs, follow the steps provided below:

```
objc[844]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
objc[844]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state
2024-09-08 09:44:45 INFO: An error occurred while executing the playbook.
```

Export the following environment variable and re-run the script:

```sh
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
```
Example openssl steps for generating the Mainnet MTLS key and CSR:

- Generate the private key:

  ```sh
  openssl genpkey -algorithm RSA -out attestor.key -pkeyopt rsa_keygen_bits:4096
  ```

- Create the CSR:

  ```sh
  openssl req -new -key attestor.key -out attestor.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=example.com"
  ```
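For the MTLS prerequisite above and the key/CSR steps just shown, here is an added Python check (not part of the Verulink project) that confirms the CA certificate, attestor certificate and attestor key belong together before they are entered into the installer and stored in Secrets Manager. It assumes the openssl CLI is on PATH; check_mtls_material and self_test are hypothetical names, and the certificates self_test creates are a constructed fixture.

```python
"""Pre-flight check of the MTLS files before they are given to the installer
(added example, not Verulink code; needs the openssl CLI on PATH)."""
from __future__ import annotations
import subprocess
import tempfile
from pathlib import Path

def _openssl(*args, check: bool = False) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *map(str, args)], capture_output=True, text=True, check=check)

def check_mtls_material(ca_cert: Path, cert: Path, key: Path) -> list[str]:
    """Return the problems found; an empty list means the three files belong together."""
    problems = []
    # The public key inside the certificate must equal the one derived from the private key.
    cert_pub = _openssl("x509", "-in", cert, "-noout", "-pubkey").stdout
    key_pub = _openssl("pkey", "-in", key, "-pubout").stdout
    if not cert_pub or cert_pub != key_pub:
        problems.append("attestor certificate does not match attestor key")
    # The certificate must chain to the CA the peer side of the MTLS connection trusts.
    verify = _openssl("verify", "-CAfile", ca_cert, cert)
    if verify.returncode != 0:
        problems.append("attestor certificate is not signed by the given CA: " + verify.stderr.strip())
    return problems

def self_test(swap_key: bool = False) -> list[str]:
    """Build a throwaway CA and attestor certificate in a temp dir (constructed fixture,
    2048-bit RSA for speed) and run the check. With swap_key=True the CA key is passed
    as the attestor key, which the check must report as a mismatch."""
    d = Path(tempfile.mkdtemp())
    ca_key, ca_crt = d / "ca.key", d / "ca.crt"
    att_key, att_csr, att_crt = d / "attestor.key", d / "attestor.csr", d / "attestor.crt"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-keyout", ca_key, "-out", ca_crt, "-subj", "/CN=Test MTLS CA", check=True)
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-keyout", att_key, "-out", att_csr, "-subj", "/CN=attestor", check=True)
    _openssl("x509", "-req", "-days", "1", "-in", att_csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-out", att_crt, check=True)
    return check_mtls_material(ca_crt, att_crt, ca_key if swap_key else att_key)

if __name__ == "__main__":
    print(self_test() or "MTLS material is consistent")
```

Run check_mtls_material on the real files Venture23 returns (or issues for testnet) before starting make deploy-to-aws; a mismatch caught here avoids a half-deployed attestor whose services fail the MTLS handshake later.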