Upgrades: max map + sync-proxy + wss/https by astarinmymind · Pull Request #30 · flashbots/meta-searcher

astarinmymind · 2025-03-19T18:39:25Z

package increase-map-count increases the vm.max_map_count from 65530 to 2097152 by default
switches from baked in lighthouse to syncing with sync-proxy
adds new firewall rules that allows titan's new wss/https ports

MoeMahhouk · 2025-03-20T18:09:26Z

recipes-core/searcher-container/files/99-searcher

@@ -1 +1,2 @@
-searcher ALL=(root) NOPASSWD: /usr/bin/toggle 
+searcher ALL=(root) NOPASSWD: /usr/bin/toggle 
+searcher ALL=(root) NOPASSWD: /sbin/sysctl -w vm.max_map_count=2097152


why is needed if you expose it as a SSH action below to trigger from the searcher user?

sysctl commands requires sudo privileges (similar to iptables, which is why toggle is also here)

I see, then I agree with what @ilyaluk / @Ruteri suggest to have it natively there instead of an exposed functionality for the searcher to trigger.

ilyaluk · 2025-03-20T18:09:34Z

recipes-core/searcher-container/files/searcher-network-init

+    # Sync proxy outbound on port 8552 (TCP only) - IP whitelisted
+    $IPTABLES -A $CHAIN_ALWAYS_ON_OUT -p tcp -d $FLASHBOTS_NGINX_IP_1 --dport $SYNC_PROXY_PORT \
        -m conntrack --ctstate NEW -j ACCEPT
-    $IPTABLES -A $CHAIN_ALWAYS_ON_OUT -p udp --dport $CL_P2P_PORT \
+    $IPTABLES -A $CHAIN_ALWAYS_ON_OUT -p tcp -d $FLASHBOTS_NGINX_IP_2 --dport $SYNC_PROXY_PORT \
        -m conntrack --ctstate NEW -j ACCEPT


Ah, I see that above we have

$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

In that case, these outbound rules are not required and can safely be removed

ilyaluk · 2025-03-20T18:14:20Z

recipes-core/searcher-container/files/searchersh.c


+    // If command == "increase-map-count", set vm.max_map_count to 2097152
+    else if (strcmp(command, "increase-map-count") == 0) {
+        execl("/usr/bin/sudo", "sudo", "/sbin/sysctl", "-w", "vm.max_map_count=2097152", NULL);


Can this be made default? E.g. in /etc/sysctl.conf or container init script

this should be on the host directly and not the container because the container is running in rootless mode and would inherit the hosts configuration. (I tested it manually in a dev instance).
So this could be offloaded as part of the guest OS configuration instead

Ruteri · 2025-03-21T16:30:59Z

recipes-core/searcher-container/files/searcher-network-init

 FLASHBOTS_BUILDER_IP="131.153.11.211"
 TITAN_BUILDER_IP="52.207.17.217"
 RBUILDER_02_IP="3.16.169.173"
+FLASHBOTS_NGINX_IP_1="18.220.237.111"


Probably better to name those FLASHBOTS_CL_ENGINE_EVENTS_1

This reverts commit c818a78.

This reverts commit 5efe355.

astarinmymind added 7 commits March 19, 2025 17:56

increase vm.max_map_count

c818a78

remove L1 lighthouse

1df895b

port forward 30303 udp

f891c61

port-forward sync-proxy 8552

a04b169

sync proxy firewall ruleset

7f2b7fb

restrict engine event input to only FB

6e84b5e

add wss/https port whitelist

0177a24

astarinmymind requested review from MoeMahhouk and Ruteri March 19, 2025 18:39

MoeMahhouk reviewed Mar 20, 2025

View reviewed changes

ilyaluk reviewed Mar 20, 2025

View reviewed changes

astarinmymind added 2 commits March 20, 2025 18:59

remove unnecessary outbound rules

a51168a

remove old titan ports

21cff8d

astarinmymind requested a review from MoeMahhouk March 21, 2025 13:13

fix bug: make sure to kill 42203 on mode switch

e522835

Ruteri reviewed Mar 21, 2025

View reviewed changes

astarinmymind added 3 commits March 21, 2025 16:41

name change: nginx -> CL

acf8c13

increase vm max map by default

5efe355

Revert "increase vm.max_map_count"

740a660

This reverts commit c818a78.

astarinmymind requested review from Ruteri and ilyaluk March 21, 2025 20:39

astarinmymind added 2 commits March 21, 2025 20:59

Revert "increase vm max map by default"

4fc3154

This reverts commit 5efe355.

vm max map package approach

32a3723

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrades: max map + sync-proxy + wss/https#30

Upgrades: max map + sync-proxy + wss/https#30
astarinmymind wants to merge 15 commits intomasterfrom
v2.1

astarinmymind commented Mar 19, 2025 •

edited

Loading

Uh oh!

MoeMahhouk Mar 20, 2025

Uh oh!

astarinmymind Mar 20, 2025

Uh oh!

MoeMahhouk Mar 21, 2025 •

edited

Loading

Uh oh!

ilyaluk Mar 20, 2025

Uh oh!

ilyaluk Mar 20, 2025 •

edited

Loading

Uh oh!

MoeMahhouk Mar 21, 2025

Uh oh!

Ruteri Mar 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

astarinmymind commented Mar 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

MoeMahhouk Mar 20, 2025

Choose a reason for hiding this comment

Uh oh!

astarinmymind Mar 20, 2025

Choose a reason for hiding this comment

Uh oh!

MoeMahhouk Mar 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ilyaluk Mar 20, 2025

Choose a reason for hiding this comment

Uh oh!

ilyaluk Mar 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

MoeMahhouk Mar 21, 2025

Choose a reason for hiding this comment

Uh oh!

Ruteri Mar 21, 2025

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

astarinmymind commented Mar 19, 2025 •

edited

Loading

MoeMahhouk Mar 21, 2025 •

edited

Loading

ilyaluk Mar 20, 2025 •

edited

Loading