BN: remove ic-boundary from image, use ic-gateway API BN discovery

ic-os/boundary-guestos/defs.bzl

@@ -25,7 +25,6 @@ def image_deps(mode):
             "//publish/binaries:canary-proxy": "/opt/ic/bin/canary-proxy:0755",
             "//publish/binaries:certificate-issuer": "/opt/ic/bin/certificate-issuer:0755",
             "//publish/binaries:systemd-journal-gatewayd-shim": "/opt/ic/bin/systemd-journal-gatewayd-shim:0755",
-            "//publish/binaries:ic-boundary": "/opt/ic/bin/ic-boundary:0755",
         },
     }
 

ic-os/boundary-guestos/scripts/build-deployment.sh

@@ -47,8 +47,6 @@ Arguments:
        --cert-issuer-creds              specify a credentials file for certificate-issuer
        --cert-issuer-identity           specify an identity file for certificate-issuer
        --cert-issuer-enc-key            specify an encryption key for certificate-issuer
-       --ic-boundary-config             specify a path to the ic-boundary config file
-       --ic-boundary-ratelimits         specify a path to the ic-boundary ratelimits file
        --pre-isolation-canisters        specify a set of pre-domain-isolation canisters
        --logging-url                    specify an endpoint for our logging backend
        --logging-user                   specify a user for our logging backend
@@ -113,12 +111,6 @@ for argument in "${@}"; do
         --cert-issuer-enc-key=*)
             CERTIFICATE_ISSUER_ENCRYPTION_KEY="${argument#*=}"
             ;;
-        --ic-boundary-config=*)
-            IC_BOUNDARY_CONFIG="${argument#*=}"
-            ;;
-        --ic-boundary-ratelimits=*)
-            IC_BOUNDARY_RATELIMITS="${argument#*=}"
-            ;;
         --pre-isolation-canisters=*)
             PRE_ISOLATION_CANISTERS="${argument#*=}"
             ;;
@@ -499,48 +491,6 @@ EOF
     done
 }
 
-function copy_ic_boundary_config() {
-    if [[ -z "${IC_BOUNDARY_CONFIG:-}" ]]; then
-        err "ic-boundary config file has not been provided, proceeding without copying it"
-        return
-    fi
-
-    for n in $NODES; do
-        declare -n NODE=$n
-        if [[ "${NODE["type"]}" != "boundary" ]]; then
-            continue
-        fi
-
-        local SUBNET_IDX="${NODE["subnet_idx"]}"
-        local NODE_IDX="${NODE["node_idx"]}"
-        local NODE_PREFIX="${DEPLOYMENT}.${SUBNET_IDX}.${NODE_IDX}"
-
-        mkdir -p "${CONFIG_DIR}/${NODE_PREFIX}"
-        cp "${IC_BOUNDARY_CONFIG}" "${CONFIG_DIR}/${NODE_PREFIX}/ic_boundary.conf"
-    done
-}
-
-function copy_ic_boundary_ratelimits() {
-    if [[ -z "${IC_BOUNDARY_RATELIMITS:-}" ]]; then
-        err "ratelimits file has not been provided, proceeding without copying it"
-        return
-    fi
-
-    for n in $NODES; do
-        declare -n NODE=$n
-        if [[ "${NODE["type"]}" != "boundary" ]]; then
-            continue
-        fi
-
-        local SUBNET_IDX="${NODE["subnet_idx"]}"
-        local NODE_IDX="${NODE["node_idx"]}"
-        local NODE_PREFIX="${DEPLOYMENT}.${SUBNET_IDX}.${NODE_IDX}"
-
-        mkdir -p "${CONFIG_DIR}/${NODE_PREFIX}"
-        cp "${IC_BOUNDARY_RATELIMITS}" "${CONFIG_DIR}/${NODE_PREFIX}/canister-ratelimit.yml"
-    done
-}
-
 function copy_pre_isolation_canisters() {
     if [[ -z "${PRE_ISOLATION_CANISTERS:-}" ]]; then
         err "pre-domain-isolation canisters have not been provided, proceeding without copying them"
@@ -654,8 +604,6 @@ function main() {
     copy_certs
     copy_deny_list
     copy_geolite2_dbs
-    copy_ic_boundary_config
-    copy_ic_boundary_ratelimits
     generate_certificate_issuer_config
     copy_pre_isolation_canisters
     copy_logging_credentials

ic-os/components/boundary-guestos.bzl

@@ -39,7 +39,6 @@ component_files = {
     Label("boundary-guestos/etc/systemd/system/generate-network-config.service"): "/etc/systemd/system/generate-network-config.service",
     Label("boundary-guestos/etc/systemd/system-generators/mount-generator"): "/etc/systemd/system-generators/mount-generator",
     Label("boundary-guestos/etc/systemd/system-generators/systemd-gpt-auto-generator"): "/etc/systemd/system-generators/systemd-gpt-auto-generator",
-    Label("boundary-guestos/etc/systemd/system/ic-boundary.service"): "/etc/systemd/system/ic-boundary.service",
     Label("boundary-guestos/etc/systemd/system/ic-gateway.service"): "/etc/systemd/system/ic-gateway.service",
     Label("boundary-guestos/etc/systemd/system/logrotate.timer"): "/etc/systemd/system/logrotate.timer",
     Label("boundary-guestos/etc/systemd/system/nftables.service.d/override.conf"): "/etc/systemd/system/nftables.service.d/override.conf",
@@ -52,7 +51,6 @@ component_files = {
     Label("boundary-guestos/etc/systemd/system/setup-crowdsec.service"): "/etc/systemd/system/setup-crowdsec.service",
     Label("boundary-guestos/etc/systemd/system/setup-encryption.service"): "/etc/systemd/system/setup-encryption.service",
     Label("boundary-guestos/etc/systemd/system/setup-hostname.service"): "/etc/systemd/system/setup-hostname.service",
-    Label("boundary-guestos/etc/systemd/system/setup-ic-boundary.service"): "/etc/systemd/system/setup-ic-boundary.service",
     Label("boundary-guestos/etc/systemd/system/setup-ic-gateway.service"): "/etc/systemd/system/setup-ic-gateway.service",
     Label("boundary-guestos/etc/systemd/system/setup-lvs.service"): "/etc/systemd/system/setup-lvs.service",
     Label("boundary-guestos/etc/systemd/system/setup-nftables.service"): "/etc/systemd/system/setup-nftables.service",
@@ -82,7 +80,6 @@ component_files = {
     Label("boundary-guestos/opt/ic/bin/setup-crowdsec.sh"): "/opt/ic/bin/setup-crowdsec.sh",
     Label("boundary-guestos/opt/ic/bin/setup-encryption.sh"): "/opt/ic/bin/setup-encryption.sh",
     Label("boundary-guestos/opt/ic/bin/setup-hostname.sh"): "/opt/ic/bin/setup-hostname.sh",
-    Label("boundary-guestos/opt/ic/bin/setup-ic-boundary.sh"): "/opt/ic/bin/setup-ic-boundary.sh",
     Label("boundary-guestos/opt/ic/bin/setup-ic-gateway.sh"): "/opt/ic/bin/setup-ic-gateway.sh",
     Label("boundary-guestos/opt/ic/bin/setup-lvs.sh"): "/opt/ic/bin/setup-lvs.sh",
     Label("boundary-guestos/opt/ic/bin/setup-nftables.sh"): "/opt/ic/bin/setup-nftables.sh",

ic-os/components/boundary-guestos/etc/nftables.conf

@@ -27,7 +27,6 @@ define ipv6_monitoring_tcp_ports = {
   9317, # vector
   9321, # certificate-issuer
   9323, # danted (socks proxy)
-  9324, # ic-boundary
 }
 
 # Defines `ipv6_system_replica_ips`

ic-os/components/boundary-guestos/etc/vector/vector.yaml

@@ -9,7 +9,6 @@ sources:
     type: journald
     include_units:
     - certificate-issuer
-    - ic-boundary
     - danted
 
 transforms:
@@ -79,35 +78,6 @@ transforms:
       .service = "certificate-issuer"
       .timestamp = parse_timestamp!(.timestamp, "%+")
 
-  ic_boundary:
-    type: filter
-    inputs:
-    - journal
-
-    condition: ._SYSTEMD_UNIT == "ic-boundary.service"
-
-  ic_boundary_normalized:
-    type: remap
-    inputs:
-    - ic_boundary
-
-    source: |
-      . = parse_json!(.message)
-
-      .service = "ic-boundary"
-      .timestamp = parse_timestamp!(.timestamp, "%+")
-
-  ic_boundary_filtered:
-    type: filter
-    inputs:
-    - ic_boundary_normalized
-
-    condition: |
-      !includes([
-          "check",
-          "http_request_in",
-      ], .action)
-
 sinks:
   vector_exporter:
     type: prometheus_exporter
@@ -132,7 +102,6 @@ sinks:
     type: console
     inputs:
     - certificate_issuer_normalized
-    - ic_boundary_filtered
 
     encoding:
       codec: json

ic-os/components/boundary-guestos/opt/ic/bin/bootstrap-ic-node.sh

@@ -65,8 +65,6 @@ function process_bootstrap() {
         certificate_issuer_identity.pem
         certificate_issuer.conf
         denylist.json
-        ic_boundary.conf
-        canister-ratelimit.yml
         network.conf
         nns_public_key.pem
         nns.conf

ic-os/components/boundary-guestos/opt/ic/bin/setup-ic-gateway.sh

@@ -4,7 +4,6 @@ set -euox pipefail
 source '/opt/ic/bin/helpers.shlib'
 
 readonly BN_CONFIG="${BOOT_DIR}/bn_vars.conf"
-readonly IC_BOUNDARY_CONFIG="${BOOT_DIR}/ic_boundary.conf"
 
 readonly RUN_DIR='/run/ic-node/etc/ic-gateway'
 readonly ENV_FILE="${RUN_DIR}/env"
@@ -62,18 +61,6 @@ function read_variables() {
 
     API_DOMAINS+=("rosetta.dfinity.network")
 
-    # TODO move this later to bn_vars or somewhere else
-    MAX_CONCURRENCY=""
-    SHED_EWMA_PARAM=""
-    if [ -f "${IC_BOUNDARY_CONFIG}" ]; then
-        while IFS="=" read -r key value; do
-            case "${key}" in
-                "max_concurrency") MAX_CONCURRENCY="${value}" ;;
-                "shed_ewma_param") SHED_EWMA_PARAM="${value}" ;;
-            esac
-        done <"${IC_BOUNDARY_CONFIG}"
-    fi
-
     check_nns_pem
 }
 
@@ -134,8 +121,9 @@ POLICY_DENYLIST_ALLOWLIST="${RUN_DIR}/allowlist.txt"
 POLICY_DENYLIST_SEED="${RUN_DIR}/denylist.json"
 DOMAIN_CANISTER_ALIAS="identity:rdmx6-jaaaa-aaaaa-aaadq-cai,nns:qoctq-giaaa-aaaaa-aaaea-cai"
 GEOIP_DB="${RUN_DIR}/GeoLite2-Country.mmdb"
-IC_URL="http://127.0.0.1:9000"
+IC_URL="https://bc1-dll02.blockchaindevlabs.com,https://dll02.sg2.icp.162.technology,https://br1-dll01.aviatelabs.co,https://ic0.app"
 IC_ROOT_KEY="${ROOT_KEY}"
+IC_USE_DISCOVERY="true"
 CERT_PROVIDER_DIR="${RUN_DIR}/certs"
 CERT_PROVIDER_ISSUER_URL="http://127.0.0.1:3000"
 CERT_DEFAULT="icp0.io"
@@ -151,6 +139,7 @@ SHED_SYSTEM_MEMORY="0.95"
 SHED_SHARDED_EWMA="0.6"
 SHED_SHARDED_PASSTHROUGH="20000"
 SHED_SHARDED_LATENCY="query:2s,call:2s,sync_call:13s,read_state:2s,read_state_subnet:2s,status:100ms,health:100ms,registrations:5s,http:5s"
+LOAD_MAX_CONCURRENCY="8192"
 EOF
 
     if [ ! -z "${DENYLIST_URL:-}" ]; then
@@ -162,14 +151,6 @@ EOF
         echo "LOG_VECTOR_USER=\"${LOGGING_USER}\"" >>"${ENV_FILE}"
         echo "LOG_VECTOR_PASS=\"${LOGGING_PASSWORD}\"" >>"${ENV_FILE}"
     fi
-
-    if [ ! -z "${MAX_CONCURRENCY:-}" ]; then
-        echo "LOAD_MAX_CONCURRENCY=\"${MAX_CONCURRENCY}\"" >>"${ENV_FILE}"
-    fi
-
-    if [ ! -z "${SHED_EWMA_PARAM:-}" ]; then
-        echo "LOAD_SHED_EWMA_PARAM=\"${SHED_EWMA_PARAM}\"" >>"${ENV_FILE}"
-    fi
 }
 
 function setup_pre_isolation_canisters() {

ic-os/components/misc/guestos/sysctl.d/privileged-ports.conf

@@ -1,2 +1,2 @@
 # This allows ic-boundary to listen on ports 80/443 while also not running as root
-net.ipv4.ip_unprivileged_port_start = 80
+net.ipv4.ip_unprivileged_port_start = 443