@@ -5,25 +5,30 @@ NAME=searcher-container
55
66# PORT FORWARDS
77SEARCHER_SSH_PORT=10022
8- ENGINE_API_PORT=8551
98EL_P2P_PORT=30303
109SEARCHER_INPUT_CHANNEL=27017
1110
11+ # Run extra commands which are customized per image,
12+ # see bob*/mkosi.extra/etc/bob/searcher-container-before-init
13+ #
14+ # `source` is not supported in dash
15+ . /etc/bob/searcher-container-before-init
16+
17+ # BOB_SEARCHER_EXTRA_PODMAN_FLAGS is unescaped, it's sourced from trusted hardcoded file
18+
1219echo " Starting $NAME ..."
1320su -s /bin/sh searcher -c " cd ~ && podman run -d \
1421 --name $NAME --replace \
1522 --init \
1623 -p ${SEARCHER_SSH_PORT} :22 \
17- -p ${ENGINE_API_PORT} :${ENGINE_API_PORT} \
1824 -p ${EL_P2P_PORT} :${EL_P2P_PORT} \
1925 -p ${EL_P2P_PORT} :${EL_P2P_PORT} /udp \
2026 -p ${SEARCHER_INPUT_CHANNEL} :${SEARCHER_INPUT_CHANNEL} /udp \
2127 -v /persistent/searcher:/persistent:rw \
2228 -v /etc/searcher/ssh_hostkey:/etc/searcher/ssh_hostkey:rw \
2329 -v /persistent/searcher_logs:/var/log/searcher:rw \
24- -v /persistent/lighthouse_logs:/var/log/lighthouse:ro \
25- -v /tmp/jwt.hex:/secrets/jwt.hex:ro \
2630 -v /etc/searcher-logrotate.conf:/tmp/searcher.conf:ro \
31+ $BOB_SEARCHER_EXTRA_PODMAN_FLAGS \
2732 docker.io/library/ubuntu:24.04 \
2833 /bin/sh -c ' \
2934 DEBIAN_FRONTEND=noninteractive apt-get update && \
@@ -41,7 +46,7 @@ su -s /bin/sh searcher -c "cd ~ && podman run -d \
4146 while true; do /usr/sbin/sshd -D -e; sleep 5; done'"
4247
4348# Attempt a quick check that the container is running
44- for i in 1 2 3 4 5 ; do
49+ for i in $( seq 1 5 ) ; do
4550 status=$( su -s /bin/sh - searcher -c " podman inspect --format '{{.State.Status}}' $NAME 2>/dev/null || true" )
4651 if [ " $status " = " running" ; then
4752 break
@@ -63,24 +68,25 @@ if [ -z "$pid" ] || [ "$pid" = "0" ]; then
6368fi
6469
6570echo " Applying iptables rules in $NAME (PID: $pid ) network namespace..."
71+ ns_iptables () {
72+ nsenter --target " $pid " " $@ "
73+ }
74+
75+ ns_iptables -A OUTPUT -d 169.254.169.254 -j DROP
6676
67- # Enter network namespace and apply DROP rules on port 9000 TCP/UDP
68- nsenter --target " $pid "
69- nsenter --target " $pid "
77+ ns_iptables -A OUTPUT -p tcp --dport 9000 -j DROP
78+ ns_iptables -A OUTPUT -p udp --dport 9000 -j DROP
7079
71- # Enter network namespace and apply DROP rule on port 123 UDP
72- nsenter --target " $pid "
80+ ns_iptables -A OUTPUT -p udp --dport 123 -j DROP
7381
74- # Drop outbound traffic from SEARCHER_INPUT_CHANNEL
75- nsenter --target " $pid " $SEARCHER_INPUT_CHANNEL -j DROP
76- nsenter --target " $pid " $SEARCHER_INPUT_CHANNEL -j DROP
82+ ns_iptables -A OUTPUT -p udp --sport $SEARCHER_INPUT_CHANNEL -j DROP
83+ ns_iptables -A OUTPUT -p tcp --sport $SEARCHER_INPUT_CHANNEL -j DROP
7784
78- echo " Injecting static hosts into $NAME ..."
85+ # Helper, only used in sourced script below
86+ exec_in_container () {
87+ su -s /bin/sh searcher -c " podman exec $NAME /bin/sh -c '$1 '"
88+ }
7989
80- su -s /bin/sh searcher -c " podman exec $NAME /bin/sh -c '
81- echo \" 3.149.14.12 tx.tee-searcher.flashbots.net\" >> /etc/hosts &&
82- echo \" 3.136.107.142 tx.tee-searcher.flashbots.net\" >> /etc/hosts &&
83- echo \" 18.221.59.61 backruns.tee-searcher.flashbots.net\" >> /etc/hosts &&
84- echo \" 3.15.88.156 backruns.tee-searcher.flashbots.net\" >> /etc/hosts &&
85- echo \" 52.207.17.217 fbtee.titanbuilder.xyz\" >> /etc/hosts
86- '"
90+ # Run extra commands which are customized per image,
91+ # see bob*/mkosi.extra/etc/bob/searcher-container-after-init
92+ . /etc/bob/searcher-container-after-init
0 commit comments