flashbots · astarinmymind · Feb 5, 2025
diff --git a/recipes-core/images/cvm-initramfs.bbappend b/recipes-core/images/cvm-initramfs.bbappend
@@ -1 +1 @@
-PACKAGE_INSTALL:append = " dropbear ssh-pubkey-server disk-encryption searcher-container searcher-container-network fluentbit-container lighthouse conntrack-tools logrotate curl"
+PACKAGE_INSTALL:append = " dropbear ssh-pubkey-server disk-encryption searcher-container searcher-container-network fluentbit-container conntrack-tools logrotate curl"
diff --git a/recipes-core/lighthouse/init b/recipes-core/lighthouse/init
diff --git a/recipes-core/lighthouse/lighthouse.inc b/recipes-core/lighthouse/lighthouse.inc
diff --git a/recipes-core/lighthouse/lighthouse_v5.3.0.bb b/recipes-core/lighthouse/lighthouse_v5.3.0.bb
diff --git a/recipes-core/searcher-container/files/searcher-network-init b/recipes-core/searcher-container/files/searcher-network-init
@@ -29,7 +29,7 @@ TITAN_BUILDER_IP="52.207.17.217"
 SSH_CONTROL_PORT=22        # Inbound: SSH control plane (always on)
 SSH_DATA_PORT=10022        # Inbound: SSH data plane (maintenance mode only)
 
-CL_P2P_PORT=9000           # TCP/UDP inbound/outbound: Consensus client P2P (always on)
+SYNC_PROXY_PORT=25590      # TCP inbound: Sync Proxy (always on)
 EL_P2P_PORT=30303          # TCP/UDP outbound: Execution client P2P (maintenance mode only)
 
 DNS_PORT=53                # Outbound: DNS (maintenance mode only)
@@ -121,10 +121,8 @@ start_firewall() {
     $IPTABLES -A $CHAIN_ALWAYS_ON_IN -p udp --dport $SEARCHER_INPUT_CHANNEL \
         -m conntrack --ctstate NEW -j ACCEPT
 
-    # Consensus (CL) P2P inbound on port 9000 (TCP + UDP)
-    $IPTABLES -A $CHAIN_ALWAYS_ON_IN -p tcp --dport $CL_P2P_PORT \
-        -m conntrack --ctstate NEW -j ACCEPT
-    $IPTABLES -A $CHAIN_ALWAYS_ON_IN -p udp --dport $CL_P2P_PORT \
+    # Sync proxy inbound on port 25590 (TCP)
+    $IPTABLES -A $CHAIN_ALWAYS_ON_IN -p tcp --dport $SYNC_PROXY_PORT \
         -m conntrack --ctstate NEW -j ACCEPT
 
     # CVM reverse-proxy inbound on port 8745 (TCP)
@@ -137,12 +135,6 @@ start_firewall() {
     ###########################################################################
     # (7) ALWAYS_ON_OUT: Outbound rules that never turn off
     ###########################################################################
-    # CL P2P outbound on port 9000 (TCP + UDP)
-    $IPTABLES -A $CHAIN_ALWAYS_ON_OUT -p tcp --dport $CL_P2P_PORT \
-        -m conntrack --ctstate NEW -j ACCEPT
-    $IPTABLES -A $CHAIN_ALWAYS_ON_OUT -p udp --dport $CL_P2P_PORT \
-        -m conntrack --ctstate NEW -j ACCEPT
-
     # Flashbots & Titan builder bundle endpoints (always on)
     $IPTABLES -A $CHAIN_ALWAYS_ON_OUT -p tcp -d $FLASHBOTS_BUILDER_IP --dport $FLASHBOTS_BUNDLE_ENDPOINT \
         -m conntrack --ctstate NEW -j ACCEPT

diff --git a/recipes-core/searcher-container/files/searcher-pod-init b/recipes-core/searcher-container/files/searcher-pod-init
@@ -15,7 +15,7 @@ NAME=searcher-container
 
 # PORT FORWARDS
 SEARCHER_SSH_PORT=10022
-ENGINE_API_PORT=8551
+SYNC_PROXY_PORT=25590
 EL_P2P_PORT=30303
 SEARCHER_INPUT_CHANNEL=27017
 
@@ -32,14 +32,13 @@ start_searcher_container() {
     su -s /bin/sh $USER -c "cd ~ && $DAEMON run -d \
         --name $NAME \
         -p ${SEARCHER_SSH_PORT}:22 \
-        -p ${ENGINE_API_PORT}:${ENGINE_API_PORT} \
+        -p ${SYNC_PROXY_PORT}:${SYNC_PROXY_PORT} \
         -p ${EL_P2P_PORT}:${EL_P2P_PORT} \
         -p ${SEARCHER_INPUT_CHANNEL}:${SEARCHER_INPUT_CHANNEL} \
         -v /etc/searcher_key:/container_auth_keys:ro \
         -v /persistent/searcher:/persistent:rw \
         -v /etc/searcher/ssh_hostkey:/etc/searcher/ssh_hostkey:rw \
         -v /searcher_logs:/var/log/searcher:rw \
-        -v /var/volatile/jwt.hex:/secrets/jwt.hex:ro \
         docker.io/library/ubuntu:24.04 \
         /bin/sh -c ' \
             DEBIAN_FRONTEND=noninteractive apt-get update && \
@@ -53,40 +52,9 @@ start_searcher_container() {
             /usr/sbin/sshd -D -e'"
 }
 
-apply_firewall_rules() {
-    # Attempt a quick check that the container is running
-    for i in 1 2 3 4 5; do
-        status=$(su -s /bin/sh - $USER -c "$DAEMON inspect --format '{{.State.Status}}' $NAME 2>/dev/null || true")
-        if [ "$status" = "running" ]; then
-            break
-        fi
-        echo "Waiting for $NAME container to reach 'running' state..."
-        sleep 1
-    done
-
-    if [ "$status" != "running" ]; then
-        echo "ERROR: $NAME container is not running (status: $status)"
-        return 1
-    fi
-
-    # Retrieve the PID
-    pid=$(su -s /bin/sh - $USER -c "$DAEMON inspect --format '{{.State.Pid}}' $NAME")
-    if [ -z "$pid" ] || [ "$pid" = "0" ]; then
-        echo "ERROR: Could not retrieve PID for container $NAME."
-        return 1
-    fi
-
-    echo "Applying iptables rules in $NAME (PID: $pid) network namespace..."
-
-    # Enter network namespace and apply DROP rules on port 9000 TCP/UDP
-    nsenter --target "$pid" --net iptables -A OUTPUT -p tcp --dport 9000 -j DROP
-    nsenter --target "$pid" --net iptables -A OUTPUT -p udp --dport 9000 -j DROP
-}
-
 case "$1" in
     start)
         start_searcher_container
-        apply_firewall_rules
         ;;
     stop)
         echo "Stopping $NAME..."
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		PACKAGE_INSTALL:append = " dropbear ssh-pubkey-server disk-encryption searcher-container searcher-container-network fluentbit-container lighthouse conntrack-tools logrotate curl"
		PACKAGE_INSTALL:append = " dropbear ssh-pubkey-server disk-encryption searcher-container searcher-container-network fluentbit-container conntrack-tools logrotate curl"