Try #5276:

CHANGELOG.md

@@ -25,7 +25,7 @@ Nodes that do not update before epoch 11 risk their proposals being rejected by
 
 This release is the first step towards separating PoST from the node. Proof generation is now done via a dedicated
 service. This service is started automatically by the node and is shut down when the node shuts down. In most
-setups this should work out of the box, but if you are running into issues please check the REAMDE.md file
+setups this should work out of the box, but if you are running into issues please check the README.md file
 for more information on how to configure the node to work with the PoST service.
 
 ### Highlights
@@ -102,8 +102,10 @@ for more information on how to configure the node to work with the PoST service.
 
 * [#5209](https://github.com/spacemeshos/go-spacemesh/pull/5209) Removed API to update poet servers from SmesherService.
 
-* [#5259](https://github.com/spacemeshos/go-spacemesh/pull/5259) Node now tries to fix a 1.2.x config to be compatible with
-  1.3.x at startup.
+* [#5276](https://github.com/spacemeshos/go-spacemesh/pull/5276) Removed the option to configure API services per endpoint.
+  The public listener exposes the following services: "debug", "global", "mesh", "transaction", "node", "activation"
+  The private listener exposes the following services: "admin", "smesher", "post"
+  The mTLS listener exposes only the "post" service.
 
 ## v1.2.0
 
@@ -150,7 +152,7 @@ In order to enable provide following configuration:
   Ephemeral data are deleted and state compacted at the time of upgrade. In steady-state, data is pruned periodically.
 * [#5021](https://github.com/spacemeshos/go-spacemesh/pull/5021) Drop support for old certificate sync protocol.
 * [#5024](https://github.com/spacemeshos/go-spacemesh/pull/5024) Active set will be saved in state separately from ballots.
-* [#5032](https://github.com/spacemeshos/go-spacemesh/pull/5032) Ativeset data pruned from ballots.
+* [#5032](https://github.com/spacemeshos/go-spacemesh/pull/5032) Activeset data pruned from ballots.
 * [#5035](https://github.com/spacemeshos/go-spacemesh/pull/5035) Fix possible nil pointer panic when node fails to persist
   nipost builder state.
 * [#5079](https://github.com/spacemeshos/go-spacemesh/pull/5079) increase atx cache to 50 000 to reduce disk reads.
@@ -191,7 +193,7 @@ active set will not be gossipped together with proposals. That was the main netw
 * [#4765](https://github.com/spacemeshos/go-spacemesh/pull/4765) hare 3 consensus protocol.
 
 Replacement for original version of hare. Won't be enabled on mainnet for now.
-Otherwise protocol uses significantly less traffic (atlest x20), and will allow
+Otherwise protocol uses significantly less traffic (at least x20), and will allow
 to set lower expected latency in the network, eventually reducing layer time.
 
 ### Improvements

README.md

@@ -262,29 +262,10 @@ on Windows you can use Intel OpenAPI:
 choco install opencl-intel-cpu-runtime
 ```
 
-If your config contains `"grpc-private-services"` make sure this list includes `"post"`:
-
-```json
-"api": {
-    "grpc-private-services": ["admin", "smesher", "post"],
-    "grpc-private-listener": "127.0.0.1:9093"
-}
-```
-
-or use the `--grpc-private-services=admin,smesher,post` flag.
-
-If you are using a `"grpc-private-listener"` other than the default (`"127.0.0.1:9093"`) you need to ensure that the
-post service is configured to connect to the correct address. This can be done via the `--post-opts-node-address`
-flag or the `"post-opts-node-address"` config option:
-
-```json
-"post-service": {
-    "post-opts-node-address": "http://ip:port"
-}
-```
-
 #### Using a remote machine as provider for PoST proofs
 
+**NOTE:** this feature is currently experimental and not fully tested yet.
+
 To disable the internal PoST service and disable smeshing on your node you can use the following config:
 
 ```json
@@ -296,10 +277,8 @@ To disable the internal PoST service and disable smeshing on your node you can u
 or use the `--smeshing-start=false` flag. This will disable smeshing on your node causing it not generate any PoST
 proofs until a remote post service connects.
 
-By default the node listens for the PoST service on `grpc-private-listener` (defaults to 127.0.0.1:9093). This endpoint
-does not require authentication and should only be accessible from the same machine. If you want to allow connections
-from post services on other hosts to your node, you should do so via the `grpc-tls-listener` (defaults to 0.0.0.0:9094)
-and setup TLS for the connection.
+If you want to allow connections from post services on other hosts to your node, you need to set a public endpoint via
+the `grpc-tls-listener` configuration parameter and setup TLS for the connection.
 
 This is useful for example if you want to run a node on a cloud provider with fewer resources and run PoST on a local
 machine with more resources. The post service only needs to be online for the initial proof (i.e. when joining the
@@ -309,32 +288,16 @@ To setup TLS-secured public connections the API config has been extended with th
 
 ```json
 "api": {
-    "grpc-private-services": ["admin", "smesher"], // remove "post" from the list of services only exposed to the local machine
-    "grpc-tls-services": ["post"],                 // add "post" to the list of services that should be exposed via TLS
-    "grpc-tls-listener": "0.0.0.0:9094",           // listen address for TLS connections
-    "grpc-tls-ca-cert": "/path/to/ca.pem",         // CA certificate that signed the node's and the PoST service's certificates
-    "grpc-tls-cert": "/path/to/cert.pem",          // certificate for the node
-    "grpc-tls-key": "/path/to/key.pem",            // private key for the node
+  "grpc-tls-listener": "0.0.0.0:9094",           // listen address for TLS connections
+  "grpc-tls-ca-cert": "/path/to/ca.pem",         // CA certificate that signed the node's and the PoST service's certificates
+  "grpc-tls-cert": "/path/to/cert.pem",          // certificate for the node
+  "grpc-tls-key": "/path/to/key.pem",            // private key for the node
 }
 ```
 
 Ensure that remote PoST services are setup to connect to your node via TLS, that they trust your node's certificate and
 use a certificate that is signed by the same CA as your node's certificate.
 
-The local (supervised) PoST service can also be configured to connect to your node via TLS if needed. The following
-config options are available:
-
-```json
-"post-service": {
-    "post-opts-node-address": "http://domain:port",      // defaults to 127.0.0.1:9093 - the same default value as for "grpc-private-listener"
-
-    // the following settings are required when connecting to the node via TLS - not when connecting via the private listener
-    "post-opts-tls-ca-cert": "/path/to/ca.pem",  // CA certificate that signed the node's and the PoST service's certificates
-    "post-opts-tls-cert": "/path/to/cert.pem",   // certificate for the PoST service
-    "post-opts-tls-key": "/path/to/key.pem",     // private key for the PoST service
-}
-```
-
 ---
 
 ### Testing

activation/post_supervisor.go

@@ -48,12 +48,12 @@ func DefaultTestPostServiceConfig() PostSupervisorConfig {
 }
 
 type PostSupervisorConfig struct {
-	PostServiceCmd string `mapstructure:"post-opts-post-service"`
-	NodeAddress    string `mapstructure:"post-opts-node-address"`
+	PostServiceCmd string
+	NodeAddress    string
 
-	CACert string `mapstructure:"post-opts-ca-cert"`
-	Cert   string `mapstructure:"post-opts-cert"`
-	Key    string `mapstructure:"post-opts-key"`
+	CACert string
+	Cert   string
+	Key    string
 }
 
 // PostSupervisor manages a local post service.

api/grpcserver/config.go

@@ -6,18 +6,18 @@ import (
 )
 
 type Config struct {
-	PublicServices  []Service `mapstructure:"grpc-public-services"`
-	PublicListener  string    `mapstructure:"grpc-public-listener"`
-	PrivateServices []Service `mapstructure:"grpc-private-services"`
-	PrivateListener string    `mapstructure:"grpc-private-listener"`
-	TLSServices     []Service `mapstructure:"grpc-tls-services"`
-	TLSListener     string    `mapstructure:"grpc-tls-listener"`
-	TLSCACert       string    `mapstructure:"gprc-tls-ca-cert"`
-	TLSCert         string    `mapstructure:"grpc-tls-cert"`
-	TLSKey          string    `mapstructure:"grpc-tls-key"`
-	GrpcSendMsgSize int       `mapstructure:"grpc-send-msg-size"`
-	GrpcRecvMsgSize int       `mapstructure:"grpc-recv-msg-size"`
-	JSONListener    string    `mapstructure:"grpc-json-listener"`
+	PublicServices  []Service
+	PublicListener  string `mapstructure:"grpc-public-listener"`
+	PrivateServices []Service
+	PrivateListener string `mapstructure:"grpc-private-listener"`
+	TLSServices     []Service
+	TLSListener     string `mapstructure:"grpc-tls-listener"`
+	TLSCACert       string `mapstructure:"gprc-tls-ca-cert"`
+	TLSCert         string `mapstructure:"grpc-tls-cert"`
+	TLSKey          string `mapstructure:"grpc-tls-key"`
+	GrpcSendMsgSize int    `mapstructure:"grpc-send-msg-size"`
+	GrpcRecvMsgSize int    `mapstructure:"grpc-recv-msg-size"`
+	JSONListener    string `mapstructure:"grpc-json-listener"`
 
 	SmesherStreamInterval time.Duration
 }
@@ -39,12 +39,12 @@ const (
 // DefaultConfig defines the default configuration options for api.
 func DefaultConfig() Config {
 	return Config{
-		PublicServices:        []Service{Debug, GlobalState, Mesh, Transaction, Node, Activation},
+		PublicServices:        []Service{GlobalState, Mesh, Transaction, Node, Activation},
 		PublicListener:        "0.0.0.0:9092",
-		PrivateServices:       []Service{Admin, Smesher, Post},
+		PrivateServices:       []Service{Admin, Smesher, Debug, Post},
 		PrivateListener:       "127.0.0.1:9093",
-		TLSServices:           []Service{},
-		TLSListener:           "0.0.0.0:9094",
+		TLSServices:           []Service{Post},
+		TLSListener:           "",
 		JSONListener:          "",
 		GrpcSendMsgSize:       1024 * 1024 * 10,
 		GrpcRecvMsgSize:       1024 * 1024 * 10,
@@ -57,7 +57,7 @@ func DefaultTestConfig() Config {
 	conf := DefaultConfig()
 	conf.PublicListener = "127.0.0.1:0"
 	conf.PrivateListener = "127.0.0.1:0"
-	conf.JSONListener = "127.0.0.1:0"
-	conf.TLSListener = "127.0.0.1:0"
+	conf.JSONListener = ""
+	conf.TLSListener = ""
 	return conf
 }

api/grpcserver/grpcserver_tls_test.go

@@ -29,6 +29,7 @@ func launchTLSServer(tb testing.TB, services ...ServiceAPI) (Config, func()) {
 	require.FileExists(tb, serverKey)
 
 	cfg := DefaultTestConfig()
+	cfg.TLSListener = "127.0.0.1:0"
 	cfg.TLSCACert = caCert
 	cfg.TLSCert = serverCert
 	cfg.TLSKey = serverKey

cmd/root.go

@@ -140,20 +140,24 @@ func AddCommands(cmd *cobra.Command) {
 
 	/** ======================== API Flags ========================== **/
 
-	cmd.PersistentFlags().StringSliceVar(&cfg.API.PublicServices, "grpc-public-services",
-		cfg.API.PublicServices, "List of services that are safe to open for the network.")
 	cmd.PersistentFlags().StringVar(&cfg.API.PublicListener, "grpc-public-listener",
-		cfg.API.PublicListener, "Socket for the list of services specified in grpc-public-services.")
-	cmd.PersistentFlags().StringSliceVar(&cfg.API.PrivateServices, "grpc-private-services",
-		cfg.API.PrivateServices, "List of services that must be kept private or exposed only in secure environments.")
+		cfg.API.PublicListener, "Socket for grpc services that are save to expose publicly.")
 	cmd.PersistentFlags().StringVar(&cfg.API.PrivateListener, "grpc-private-listener",
-		cfg.API.PrivateListener, "Socket for the list of services specified in grpc-private-services.")
+		cfg.API.PrivateListener, "Socket for grpc services that are not safe to expose publicly.")
+	cmd.PersistentFlags().StringVar(&cfg.API.TLSListener, "grpc-tls-listener",
+		cfg.API.TLSListener, "Socket for the grpc services that need to be accessible via mTLS.")
+	cmd.PersistentFlags().StringVar(&cfg.API.TLSCACert, "gprc-tls-ca-cert",
+		cfg.API.TLSCACert, "Path to the file containing the CA certificate for mTLS.")
+	cmd.PersistentFlags().StringVar(&cfg.API.TLSCert, "grpc-tls-cert",
+		cfg.API.TLSCert, "Path to the file containing the nodes certificate for mTLS.")
+	cmd.PersistentFlags().StringVar(&cfg.API.TLSKey, "grpc-tls-key",
+		cfg.API.TLSKey, "Path to the file containing the nodes private key for mTLS.")
 	cmd.PersistentFlags().IntVar(&cfg.API.GrpcRecvMsgSize, "grpc-recv-msg-size",
 		cfg.API.GrpcRecvMsgSize, "GRPC api recv message size")
 	cmd.PersistentFlags().IntVar(&cfg.API.GrpcSendMsgSize, "grpc-send-msg-size",
 		cfg.API.GrpcSendMsgSize, "GRPC api send message size")
-	cmd.PersistentFlags().StringVar(&cfg.API.JSONListener, "grpc-json-listener", cfg.API.JSONListener,
-		"Endpoint for services in grpc-public-services. If left empty - grpc gateway won't be enabled.")
+	cmd.PersistentFlags().StringVar(&cfg.API.JSONListener, "grpc-json-listener",
+		cfg.API.JSONListener, "(Optional) endpoint to expose public grpc services via HTTP/JSON.")
 
 	/**======================== Hare Eligibility Oracle Flags ========================== **/
 
@@ -264,19 +268,6 @@ func AddCommands(cmd *cobra.Command) {
 		DefValue: cfg.SMESHING.VerifyingOpts.Flags.String(),
 	})
 
-	/**======================== PoST service Flags ========================== **/
-
-	cmd.PersistentFlags().StringVar(&cfg.POSTService.PostServiceCmd, "post-opts-post-service",
-		cfg.POSTService.PostServiceCmd, "")
-	cmd.PersistentFlags().StringVar(&cfg.POSTService.NodeAddress, "post-opts-node-address",
-		cfg.POSTService.NodeAddress, "")
-	cmd.PersistentFlags().StringVar(&cfg.POSTService.CACert, "post-opts-ca-cert",
-		cfg.POSTService.CACert, "")
-	cmd.PersistentFlags().StringVar(&cfg.POSTService.Cert, "post-opts-cert",
-		cfg.POSTService.Cert, "")
-	cmd.PersistentFlags().StringVar(&cfg.POSTService.Key, "post-opts-key",
-		cfg.POSTService.Key, "")
-
 	/**======================== Consensus Flags ========================== **/
 
 	cmd.PersistentFlags().Uint32Var(&cfg.LayersPerEpoch, "layers-per-epoch",

config/config.go

@@ -46,27 +46,27 @@ func init() {
 // Config defines the top level configuration for a spacemesh node.
 type Config struct {
 	BaseConfig      `mapstructure:"main"`
-	Genesis         *GenesisConfig                  `mapstructure:"genesis"`
-	PublicMetrics   PublicMetrics                   `mapstructure:"public-metrics"`
-	Tortoise        tortoise.Config                 `mapstructure:"tortoise"`
-	P2P             p2p.Config                      `mapstructure:"p2p"`
-	API             grpcserver.Config               `mapstructure:"api"`
-	HARE3           hare3.Config                    `mapstructure:"hare3"`
-	HareEligibility eligConfig.Config               `mapstructure:"hare-eligibility"`
-	Certificate     blocks.CertConfig               `mapstructure:"certificate"`
-	Beacon          beacon.Config                   `mapstructure:"beacon"`
-	TIME            timeConfig.TimeConfig           `mapstructure:"time"`
-	VM              vm.Config                       `mapstructure:"vm"`
-	POST            activation.PostConfig           `mapstructure:"post"`
-	POSTService     activation.PostSupervisorConfig `mapstructure:"post-service"`
-	POET            activation.PoetConfig           `mapstructure:"poet"`
-	SMESHING        SmeshingConfig                  `mapstructure:"smeshing"`
-	LOGGING         LoggerConfig                    `mapstructure:"logging"`
-	FETCH           fetch.Config                    `mapstructure:"fetch"`
-	Bootstrap       bootstrap.Config                `mapstructure:"bootstrap"`
-	Sync            syncer.Config                   `mapstructure:"syncer"`
-	Recovery        checkpoint.Config               `mapstructure:"recovery"`
-	Cache           datastore.Config                `mapstructure:"cache"`
+	Genesis         *GenesisConfig        `mapstructure:"genesis"`
+	PublicMetrics   PublicMetrics         `mapstructure:"public-metrics"`
+	Tortoise        tortoise.Config       `mapstructure:"tortoise"`
+	P2P             p2p.Config            `mapstructure:"p2p"`
+	API             grpcserver.Config     `mapstructure:"api"`
+	HARE3           hare3.Config          `mapstructure:"hare3"`
+	HareEligibility eligConfig.Config     `mapstructure:"hare-eligibility"`
+	Certificate     blocks.CertConfig     `mapstructure:"certificate"`
+	Beacon          beacon.Config         `mapstructure:"beacon"`
+	TIME            timeConfig.TimeConfig `mapstructure:"time"`
+	VM              vm.Config             `mapstructure:"vm"`
+	POST            activation.PostConfig `mapstructure:"post"`
+	POSTService     activation.PostSupervisorConfig
+	POET            activation.PoetConfig `mapstructure:"poet"`
+	SMESHING        SmeshingConfig        `mapstructure:"smeshing"`
+	LOGGING         LoggerConfig          `mapstructure:"logging"`
+	FETCH           fetch.Config          `mapstructure:"fetch"`
+	Bootstrap       bootstrap.Config      `mapstructure:"bootstrap"`
+	Sync            syncer.Config         `mapstructure:"syncer"`
+	Recovery        checkpoint.Config     `mapstructure:"recovery"`
+	Cache           datastore.Config      `mapstructure:"cache"`
 }
 
 // DataDir returns the absolute path to use for the node's data. This is the tilde-expanded path given in the config

config/presets/standalone.go

@@ -80,7 +80,5 @@ func standalone() config.Config {
 
 	conf.API.PublicListener = "0.0.0.0:10092"
 	conf.API.PrivateListener = "127.0.0.1:10093"
-
-	conf.POSTService.NodeAddress = "http://127.0.0.1:10093"
 	return conf
 }