chore: update enclave image document

ldclabs · Jul 19, 2024 · 2f7bda0 · 2f7bda0
1 parent ad65665
commit 2f7bda0
Show file tree

Hide file tree

Showing 2 changed files with 107 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -60,23 +60,25 @@ Go to the [idempotent-proxy-canister](./src/idempotent-proxy-canister) directory
 
 Run proxy:
 ```bash
-docker run --name redis -d -p 6379:6379 redis:latest
 cargo run -p idempotent-proxy-server
 ```
 
-### Building enclave image for Marlin Oyster
-
-The following steps should be run in AWS Nitro-based instances.
-
-#### Use Nitro Enclaves CLI on AWS Nitro-based instances:
-
-https://docs.aws.amazon.com/enclaves/latest/user/getting-started.html
-
+Make a request:
 ```bash
-sudo nitro-cli build-enclave --docker-uri ghcr.io/ldclabs/idempotent-proxy_enclave_amd64:latest --output-file idempotent-proxy_enclave_amd64.eif
+curl -v -X POST \
+  --url http://YOUR_HOST/eth \
+  --header 'content-type: application/json' \
+  --header 'x-forwarded-host: rpc.ankr.com' \
+  --header 'idempotency-key: key_001' \
+  --data '{
+	  "id": 1,
+    "jsonrpc": "2.0",
+    "method": "eth_getBlockByNumber",
+    "params": ["latest", false]
+}'
 ```
 
-#### Or spin up a new Docker container based on nitro-cli image:
+### Building enclave image for Marlin Oyster
 
 https://docs.marlin.org/user-guides/oyster/instances/quickstart/build
 
@@ -88,11 +90,16 @@ In a new terminal, run:
 ```bash
 cd /mnt/my-server
 sudo docker exec -it nitro-cli sh
-docker build -f enclave/amd64.Dockerfile -t enclave_amd64:latest .
-nitro-cli build-enclave --docker-uri enclave_amd64:latest --output-file enclave_amd64.eif
-# Or: nitro-cli build-enclave --docker-uri ghcr.io/ldclabs/idempotent-proxy_enclave_amd64:latest --output-file idempotent-proxy_enclave_amd64.eif
+nitro-cli build-enclave --docker-uri ghcr.io/ldclabs/idempotent-proxy_enclave_amd64:latest --output-file idempotent-proxy_enclave_amd64.eif
 ```
 
+The image URL to deploy on Marlin Oyster:
+```text
+https://pub-eea759c16b114748bd3b170eadbb2c30.r2.dev/idempotent-proxy_enclave_amd64.eif
+```
+
+Go to the [idempotent-proxy-server](./src/idempotent-proxy-server) directory for more information.
+
 ### Running as Cloudflare Worker
 
 Idempotent Proxy can be running as a Cloudflare Worker. In order to use Durable Objects, you must switch to a paid plan.

diff --git a/src/idempotent-proxy-server/README.md b/src/idempotent-proxy-server/README.md
@@ -26,10 +26,95 @@ This service can be used to proxy [HTTPS outcalls](https://internetcomputer.org/
 
 Run proxy:
 ```bash
-docker run --name redis -d -p 6379:6379 redis:latest
+# docker run --name redis -d -p 6379:6379 redis:latest # optional redis
 cargo run -p idempotent-proxy-server
 ```
 
+### Building and running AWS Nitro Enclave image
+
+#### Setup host machine
+
+https://docs.marlin.org/learn/oyster/core-concepts/networking/outgoing
+
+```bash
+wget -O vsock-to-ip-transparent http://public.artifacts.marlin.pro/projects/enclaves/vsock-to-ip-transparent_v1.0.0_linux_amd64
+chmod +x vsock-to-ip-transparent
+./vsock-to-ip-transparent --vsock-addr 3:1200
+```
+
+https://docs.marlin.org/learn/oyster/core-concepts/networking/incoming
+
+iptables rules:
+```bash
+# route incoming packets on port 80 to the transparent proxy
+iptables -A PREROUTING -t nat -p tcp --dport 80 -i ens5 -j REDIRECT --to-port 1200
+# route incoming packets on port 443 to the transparent proxy
+iptables -A PREROUTING -t nat -p tcp --dport 443 -i ens5 -j REDIRECT --to-port 1200
+# route incoming packets on port 1025:65535 to the transparent proxy
+iptables -A PREROUTING -t nat -p tcp --dport 1025:65535 -i ens5 -j REDIRECT --to-port 1200
+```
+
+```bash
+wget -O port-to-vsock-transparent http://public.artifacts.marlin.pro/projects/enclaves/port-to-vsock-transparent_v1.0.0_linux_amd64
+chmod +x port-to-vsock-transparent
+./port-to-vsock-transparent --vsock 88 --ip-addr 0.0.0.0:1200
+```
+
+#### Build and run enclave
+
+The following steps should be run in AWS Nitro-based instances.
+
+https://docs.aws.amazon.com/enclaves/latest/user/getting-started.html
+
+```bash
+sudo nitro-cli build-enclave --docker-uri ghcr.io/ldclabs/idempotent-proxy_enclave_amd64:latest --output-file idempotent-proxy_enclave_amd64.eif
+# Start building the Enclave Image...
+# Using the locally available Docker image...
+# Enclave Image successfully created.
+# {
+#   "Measurements": {
+#     "HashAlgorithm": "Sha384 { ... }",
+#     "PCR0": "bbfe317cdaba604e1364fbd254150ce25516d83e31a87f8b3d8acb163286f57f51d8b3f6b2a482ac209b758334d996d9",
+#     "PCR1": "4b4d5b3661b3efc12920900c80e126e4ce783c522de6c02a2a5bf7af3a2b9327b86776f188e4be1c1c404a129dbda493",
+#     "PCR2": "9ea2080d6e6bd61f03a62357a1cbbae278b070db5df6b1fe5c57821ff249b77add0f95dab0a5beec7aa6ef6735f27b14"
+#   }
+# }
+sudo nitro-cli run-enclave --cpu-count 2 --memory 512 --enclave-cid 88 --eif-path idempotent-proxy_enclave_amd64.eif --debug-mode
+# Started enclave with enclave-cid: 88, memory: 512 MiB, cpu-ids: [1, 3]
+# {
+#   "EnclaveName": "idempotent-proxy_enclave_amd64",
+#   "EnclaveID": "i-056e1ab9a31cd77a0-enc190ca7263013fd3",
+#   "ProcessID": 21493,
+#   "EnclaveCID": 88,
+#   "NumberOfCPUs": 2,
+#   "CPUIDs": [
+#     1,
+#     3
+#   ],
+#   "MemoryMiB": 512
+# }
+sudo nitro-cli describe-enclaves
+sudo nitro-cli console --enclave-id i-056e1ab9a31cd77a0-enc190ca7263013fd3
+sudo nitro-cli terminate-enclave --enclave-id i-056e1ab9a31cd77a0-enc190ca7263013fd3
+```
+
+
+#### Make a request
+
+```bash
+curl -v -X POST \
+  --url http://YOUR_HOST/ \
+  --header 'content-type: application/json' \
+  --header 'x-forwarded-host: cloudflare-eth.com' \
+  --header 'idempotency-key: key_001' \
+  --data '{
+	  "id": 1,
+    "jsonrpc": "2.0",
+    "method": "eth_getBlockByNumber",
+    "params": ["latest", false]
+}'
+```
+
 ## License
 Copyright © 2024 [LDC Labs](https://github.com/ldclabs).