@@ -5,10 +5,17 @@ NAME=searcher-container
55
66# PORT FORWARDS
77SEARCHER_SSH_PORT=10022
8- ENGINE_API_PORT=8551
98EL_P2P_PORT=30303
109SEARCHER_INPUT_CHANNEL=27017
1110
11+ # Run extra commands which are customized per image,
12+ # see bob*/mkosi.extra/etc/bob/searcher-container-before-init
13+ #
14+ # `source` is not supported in dash
15+ . /etc/bob/searcher-container-before-init
16+
17+ # BOB_SEARCHER_EXTRA_PODMAN_FLAGS is unescaped, it's sourced from trusted hardcoded file
18+
1219echo " Starting $NAME ..."
1320su -s /bin/sh searcher -c " cd ~ && podman run -d \
1421 --name $NAME --replace \
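Review bot: The file sourced at new line 15 executes with this script's privileges (apparently root, given the `su` calls below) and can silently override any variable defined above it, including `NAME` and the port constants; the new comment only says it is customized per image. I would extend it: `# Runs with this script's privileges and may override variables defined above; keep it root-owned and not writable by the searcher user`. Under dash, `.` on a missing or unreadable file aborts the script with a terse error, so a guard such as `[ -r /etc/bob/searcher-container-before-init ] || { echo "missing before-init file" >&2; exit 1; }` gives a clearer failure. The same applies to the after-init file sourced at the end of the last hunk.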
@@ -24,6 +31,7 @@ su -s /bin/sh searcher -c "cd ~ && podman run -d \
2431 -v /persistent/lighthouse_logs:/var/log/lighthouse:ro \
2532 -v /tmp/jwt.hex:/secrets/jwt.hex:ro \
2633 -v /etc/searcher-logrotate.conf:/tmp/searcher.conf:ro \
34+ $BOB_SEARCHER_EXTRA_PODMAN_FLAGS \
2735 docker.io/library/ubuntu:24.04 \
2836 /bin/sh -c ' \
2937 DEBIAN_FRONTEND=noninteractive apt-get update && \
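Review bot: `$BOB_SEARCHER_EXTRA_PODMAN_FLAGS` at new line 34 is expanded by the outer shell inside the double-quoted `su -c` string and then parsed a second time by the inner `/bin/sh`, so its value undergoes word splitting, globbing and quote/`$` interpretation there; the trust note in the first hunk says who may write the value but not how it must be written. A comment at the variable's definition site would close that gap: `# Re-parsed by the inner sh: quote each flag for sh; an empty value is fine`. If the script runs under `set -u` (its header is outside this view), an unset variable here aborts the whole `podman run`, so the before-init file should always assign it, even to an empty string. The `su -c` command string starts before this hunk and ends after it.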
@@ -41,7 +49,7 @@ su -s /bin/sh searcher -c "cd ~ && podman run -d \
4149 while true; do /usr/sbin/sshd -D -e; sleep 5; done'"
4250
4351# Attempt a quick check that the container is running
44- for i in 1 2 3 4 5 ; do
52+ for i in $( seq 1 5 ) ; do
4553 status=$( su -s /bin/sh - searcher -c " podman inspect --format '{{.State.Status}}' $NAME 2>/dev/null || true" )
4654 if [ " $status " = " running" ]; then
4755 break
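Review bot: Replacing the literal list with `$( seq 1 5 )` at new line 52 adds a fork to an external, non-POSIX command for no functional gain, and the literal `for i in 1 2 3 4 5 ; do` was already the portable form under dash. If the intent is to make the retry count configurable, name it: `retries=5` above the loop and `for i in $( seq 1 "$retries" ) ; do`, or a POSIX `while` counter that avoids `seq` entirely. The loop body continues past the end of this hunk.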
@@ -63,24 +71,25 @@ if [ -z "$pid" ] || [ "$pid" = "0" ]; then
6371fi
6472
6573echo " Applying iptables rules in $NAME (PID: $pid ) network namespace..."
74+ ns_iptables () {
75+ nsenter --target " $pid " --net iptables " $@ "
76+ }
77+
78+ ns_iptables -A OUTPUT -d 169.254.169.254 -j DROP
6679
67- # Enter network namespace and apply DROP rules on port 9000 TCP/UDP
68- nsenter --target " $pid " --net iptables -A OUTPUT -p tcp --dport 9000 -j DROP
69- nsenter --target " $pid " --net iptables -A OUTPUT -p udp --dport 9000 -j DROP
80+ ns_iptables -A OUTPUT -p tcp --dport 9000 -j DROP
81+ ns_iptables -A OUTPUT -p udp --dport 9000 -j DROP
7082
71- # Enter network namespace and apply DROP rule on port 123 UDP
72- nsenter --target " $pid " --net iptables -A OUTPUT -p udp --dport 123 -j DROP
83+ ns_iptables -A OUTPUT -p udp --dport 123 -j DROP
7384
74- # Drop outbound traffic from SEARCHER_INPUT_CHANNEL
75- nsenter --target " $pid " --net iptables -A OUTPUT -p udp --sport $SEARCHER_INPUT_CHANNEL -j DROP
76- nsenter --target " $pid " --net iptables -A OUTPUT -p tcp --sport $SEARCHER_INPUT_CHANNEL -j DROP
85+ ns_iptables -A OUTPUT -p udp --sport $SEARCHER_INPUT_CHANNEL -j DROP
86+ ns_iptables -A OUTPUT -p tcp --sport $SEARCHER_INPUT_CHANNEL -j DROP
7787
78- echo " Injecting static hosts into $NAME ..."
88+ # Helper, only used in sourced script below
89+ exec_in_container () {
90+ su -s /bin/sh searcher -c " podman exec $NAME /bin/sh -c '$1 '"
91+ }
7992
80- su -s /bin/sh searcher -c " podman exec $NAME /bin/sh -c '
81- echo \" 3.149.14.12 tx.tee-searcher.flashbots.net\" >> /etc/hosts &&
82- echo \" 3.136.107.142 tx.tee-searcher.flashbots.net\" >> /etc/hosts &&
83- echo \" 18.221.59.61 backruns.tee-searcher.flashbots.net\" >> /etc/hosts &&
84- echo \" 3.15.88.156 backruns.tee-searcher.flashbots.net\" >> /etc/hosts &&
85- echo \" 52.207.17.217 fbtee.titanbuilder.xyz\" >> /etc/hosts
86- '"
93+ # Run extra commands which are customized per image,
94+ # see bob*/mkosi.extra/etc/bob/searcher-container-after-init
95+ . /etc/bob/searcher-container-after-init
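Review bot: `ns_iptables` at new lines 74–76 does not check nsenter's exit status, so unless the script runs under `set -e` (its header is outside this view) a failed rule — including the new metadata-endpoint DROP at line 78 — is silently skipped and the container keeps the access the rule was meant to remove; failing closed is a one-line change: `nsenter --target "$pid" --net iptables "$@" || { echo "iptables rule failed: $*" >&2; exit 1; }`. The rules are appended with `-A`; if the namespace's OUTPUT chain already holds an ACCEPT ahead of them they never match, so `-I OUTPUT` (or verifying with `iptables -S OUTPUT` after applying) is worth considering, and none of these rules cover IPv6 if the container has it. `exec_in_container` at lines 89–91 splices `$1` inside the inner single quotes, so a `'` in the argument terminates the command; since the comment restricts the helper to the sourced after-init file, I would state that constraint explicitly: `# Argument is re-parsed by the inner sh and must not contain a single quote`.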