Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revise Siren documentation #6553

Open
wants to merge 9 commits into
base: unstable
Choose a base branch
from
Open

Revise Siren documentation #6553

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
ce0581e
revise Siren doc
chong-he Oct 31, 2024
647b11e
Fix broken links
chong-he Oct 31, 2024
2e5d9ab
Fix broken links
chong-he Oct 31, 2024
58dbf22
broken links
chong-he Oct 31, 2024
a4ad26c
mdlint
chong-he Oct 31, 2024
3d83d06
mdlint
chong-he Oct 31, 2024
d085315
mdlint again
chong-he Oct 31, 2024
c54a557
Merge branch 'unstable' into book-siren
chong-he Oct 31, 2024
bc52513
test whether I have the required privs :-)
antondlr Oct 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions book/src/SUMMARY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,8 @@
* [Signature Header](./api-vc-sig-header.md)
* [Prometheus Metrics](./advanced_metrics.md)
* [Lighthouse UI (Siren)](./lighthouse-ui.md)
* [Installation](./ui-installation.md)
* [Authentication](./ui-authentication.md)
* [Configuration](./ui-configuration.md)
* [Authentication](./ui-authentication.md)
* [Usage](./ui-usage.md)
* [FAQs](./ui-faqs.md)
* [Advanced Usage](./advanced.md)
Expand Down
4 changes: 2 additions & 2 deletions book/src/api-vc-auth-header.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,11 +19,11 @@ Authorization: Bearer hGut6B8uEujufDXSmZsT0thnxvdvKFBvh

The API token is stored as a file in the `validators` directory. For most users
this is `~/.lighthouse/{network}/validators/api-token.txt`. Here's an
example using the `cat` command to print the token to the terminal, but any
example using the `cat` command to print the token for mainnet to the terminal, but any
text editor will suffice:

```bash
cat api-token.txt
cat ~/.lighthouse/mainnet/validators/api-token.txt
hGut6B8uEujufDXSmZsT0thnxvdvKFBvh
```

Expand Down
1 change: 0 additions & 1 deletion book/src/lighthouse-ui.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ The UI is currently in active development. It resides in the
See the following Siren specific topics for more context-specific
information:

- [Installation Guide](./ui-installation.md) - Information to install and run the Lighthouse UI.
- [Configuration Guide](./ui-configuration.md) - Explanation of how to setup
and configure Siren.
- [Authentication Guide](./ui-authentication.md) - Explanation of how Siren authentication works and protects validator actions.
Expand Down
4 changes: 2 additions & 2 deletions book/src/ui-authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,12 @@

## Siren Session

For enhanced security, Siren will require users to authenticate with their session password to access the dashboard. This is crucial because Siren now includes features that can permanently alter the status of user validators. The session password must be set during the [installation](./ui-installation.md) process before running the Docker or local build, either in an `.env` file or via Docker flags.
For enhanced security, Siren will require users to authenticate with their session password to access the dashboard. This is crucial because Siren now includes features that can permanently alter the status of the user's validators. The session password must be set during the [configuration](./ui-configuration.md) process before running the Docker or local build, either in an `.env` file or via Docker flags.

![exit](imgs/ui-session.png)

## Protected Actions

Prior to executing any sensitive validator action, Siren will request authentication of the session password. If you wish to update your password please refer to the Siren [installation process](./ui-installation.md).
Prior to executing any sensitive validator action, Siren will request authentication of the session password. If you wish to update your password please refer to the Siren [configuration process](./ui-configuration.md).

![exit](imgs/ui-auth.png)
122 changes: 101 additions & 21 deletions book/src/ui-configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,37 +1,117 @@
# Configuration
# 📦 Installation

Siren requires a connection to both a Lighthouse Validator Client and a Lighthouse Beacon Node.
To enable connection, you must generate .env file based on the provided .env.example
Siren supports any operating system that supports container runtimes and/or NodeJS 18, this includes Linux, MacOS, and Windows. The recommended way of running Siren is by launching the [docker container](https://hub.docker.com/r/sigp/siren).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Siren supports any operating system that supports container runtimes and/or NodeJS 18, this includes Linux, MacOS, and Windows. The recommended way of running Siren is by launching the [docker container](https://hub.docker.com/r/sigp/siren).
Siren supports any operating system that supports container runtimes and/or NodeJS 18, this includes Linux, MacOS, and Windows. The recommended way of running Siren is by launching the [docker container](https://hub.docker.com/r/sigp/siren).
Ubuntu users: Please note that Docker installed as a snap is not ideal; the preferred way to install Docker on Ubuntu is outlined [here.](https://docs.docker.com/engine/install/ubuntu/)

## Version Requirement

To ensure proper functionality, the Siren app requires Lighthouse v4.3.0 or higher. You can find these versions on the [releases](https://github.com/sigp/lighthouse/releases) page of the Lighthouse repository.

## Connecting to the Clients
## Configuration

Siren requires a connection to both a Lighthouse Validator Client and a Lighthouse Beacon Node.

Both the Beacon node and the Validator client need to have their HTTP APIs enabled.
These ports should be accessible from Siren.
These ports should be accessible from Siren. This means adding the flag `--http` on both beacon node and validator client.

To enable the HTTP API for the beacon node, utilize the `--gui` CLI flag. This action ensures that the HTTP API can be accessed by other software on the same machine.

> The Beacon Node must be run with the `--gui` flag set.

If you require accessibility from another machine within the network, configure the `--http-address` to match the local LAN IP of the system running the Beacon Node and Validator Client.
## Running the Docker container (Recommended)

The common usage is to run Siren at a client computer connecting to a server running the node. The following guide is to setup Siren at a client computer and connect it to the server via SSH, so that Siren can be accessed and viewed from the client computer's browser.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is 100% not the case anymore with the "new" dockerised setup.
the preferred way to run it nowadays is to have the docker container as close to the BN and VC as possible, running all the time, with its https port exposed to local LAN.
(this was the whole reason of the architectural overahaul)

1. Create a directory to run Siren:

```bash
cd ~
mkdir Siren
cd Siren
```

1. Create a configuration file in the `Siren` directory: `nano .env` and insert the following fields to the `.env` file. The field values are given here as an example, modify the fields as necessary. For example, the `API_TOKEN` can be obtained from [`Validator Authorization`](./api-vc-auth-header.md):

```
BEACON_URL=http://localhost:5052
VALIDATOR_URL=http://localhost:5062
API_TOKEN=R6YhbDO6gKjNMydtZHcaCovFbQ0izq5Hk
SESSION_PASSWORD=your_password
```

1. You can now start Siren with:

```bash
docker run --rm -ti --name siren -p 4443:443 --env-file $PWD/.env --net host sigp/siren
```
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still don't get the port 4443:443. Removing the flag -p 4443:443 still works, though with a warning:
metadata.metadataBase is not set for resolving social open graph or twitter images, using "http://localhost:3000". See https://nextjs.org/docs/app/api-reference/functions/generate-metadata#metadatabase

Should we keep this? I am not sure if we keep this, but we haven't used it anywhere else later. Please feel free to correct me.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--net host is the culprit here: it automatically exposes all ports to the host (including port 80)
it is really bad to advise it as default as it is hugely unsafe.
for some reason it it necessary for people who installed docker though a snap though.


If it fails to start, an error message will be shown. For example, the error

```
http://localhost:5062 unreachable, check settings and connection
```

means that the validator client is not running, or the `--http` flag is not provided. Another common error is:

```
validator api issue, server response: 403
```

which means that the API token is incorrect. Check that you have provided the correct token in the field `API_TOKEN` in `.env`.

When Siren is successfully run, you should see the log `LOG [NestApplication] Nest application successfully started +118ms`, indicating that Siren has started.

1. On the client computer, SSH to the server:

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment as before; no ssh should be necessary.
expose the https port on the node, access over https.

```bash
ssh -L 3000:127.0.0.1:3000 username@server_IP
```

You can now access siren by entering `localhost:3000` in a browser on the client computer.

Advanced users can mount their own certificates, see the `SSL Certificates` section below

## Building From Source

### Docker

The docker image can be built with the following command:
`docker build -f Dockerfile -t siren .`

### Building locally

To build from source, ensure that your system has `Node v18.18` and `yarn` installed.

#### Build and run the backend

Navigate to the backend directory `cd backend`. Install all required Node packages by running `yarn`. Once the installation is complete, compile the backend with `yarn build`. Deploy the backend in a production environment, `yarn start:production`. This ensures optimal performance.

#### Build and run the frontend

After initializing the backend, return to the root directory. Install all frontend dependencies by executing `yarn`. Build the frontend using `yarn build`. Start the frontend production server with `yarn start`.

This will allow you to access siren at `http://localhost:3000` by default.

## Advanced configuration

### About self-signed SSL certificates

By default, Siren will generate and use a self-signed certificate on startup.
This will generate a security warning when you try to access the interface.
We recommend to only disable SSL if you would access Siren over a local LAN or otherwise highly trusted or encrypted network (i.e. VPN).

#### Generating persistent SSL certificates and installing them to your system

> To access from another machine on the same network (192.168.0.200) set the Beacon Node and Validator Client `--http-address` as `192.168.0.200`. When this is set, the validator client requires the flag `--beacon-nodes http://192.168.0.200:5052` to connect to the beacon node.
[mkcert](https://github.com/FiloSottile/mkcert) is a tool that makes it super easy to generate a self-signed certificate that is trusted by your browser.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure about this part. I think this is not necessary if we can connect Siren via SSH. Proposing to remove this to make things simpler.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The aim for Siren is to be as easily accessible as possible, asking them to expose a port over a reverse ssh tunnel is way more complicated. Just exposing the port and accessing the webapp directly that way fits better in the end-user application


In a similar manner, the validator client requires activation of the `--http` flag, along with the optional consideration of configuring the `--http-address` flag. If `--http-address` flag is set on the Validator Client, then the `--unencrypted-http-transport` flag is required as well. These settings will ensure compatibility with Siren's connectivity requirements.
To use it for `siren`, install it following the instructions. Then, run `mkdir certs; mkcert -cert-file certs/cert.pem -key-file certs/key.pem 127.0.0.1 localhost` (add or replace any IP or hostname that you would use to access it at the end of this command)

If you run the Docker container, it will fail to startup if your BN/VC are not accessible, or if you provided a wrong API token.
The nginx SSL config inside Siren's container expects 3 files: `/certs/cert.pem` `/certs/key.pem` `/certs/key.pass`. If `/certs/cert.pem` does not exist, it will generate a self-signed certificate as mentioned above. If `/certs/cert.pem` does exist, it will attempt to use your provided or persisted certificates.

## API Token
### Configuration through environment variables

The API Token is a secret key that allows you to connect to the validator
client. The validator client's HTTP API is guarded by this key because it
contains sensitive validator information and the ability to modify
validators. Please see [`Validator Authorization`](./api-vc-auth-header.md)
for further details.
For those who prefer to use environment variables to configure Siren instead of using an `.env` file, this is fully supported. In some cases this may even be preferred.

Siren requires this token in order to connect to the Validator client.
The token is located in the default data directory of the validator
client. The default path is
`~/.lighthouse/<network>/validators/api-token.txt`.
#### Docker installed through `snap`

The contents of this file for the desired validator client needs to be
entered.
If you installed Docker through a snap (i.e. on Ubuntu), Docker will have trouble accessing the `.env` file. In this case it is highly recommended to pass the config to the container with environment variables.
Note that the defaults in `.env.example` will be used as fallback, if no other value is provided.
4 changes: 2 additions & 2 deletions book/src/ui-faqs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,15 +10,15 @@ The required Api token may be found in the default data directory of the validat

## 3. How do I fix the Node Network Errors?

If you receive a red notification with a BEACON or VALIDATOR NODE NETWORK ERROR you can refer to the lighthouse ui configuration and [`connecting to clients section`](./ui-configuration.md#connecting-to-the-clients).
If you receive a red notification with a BEACON or VALIDATOR NODE NETWORK ERROR you can refer to the lighthouse ui [`configuration`](./ui-configuration.md#configuration).

## 4. How do I connect Siren to Lighthouse from a different computer on the same network?

Siren is a webapp, you can access it like any other website. We don't recommend exposing it to the internet; if you require remote access a VPN or (authenticated) reverse proxy is highly recommended.

## 5. How can I use Siren to monitor my validators remotely when I am not at home?

Most contemporary home routers provide options for VPN access in various ways. A VPN permits a remote computer to establish a connection with internal computers within a home network. With a VPN configuration in place, connecting to the VPN enables you to treat your computer as if it is part of your local home network. The connection process involves following the setup steps for connecting via another machine on the same network on the Siren configuration page and [`connecting to clients section`](./ui-configuration.md#connecting-to-the-clients).
Most contemporary home routers provide options for VPN access in various ways. A VPN permits a remote computer to establish a connection with internal computers within a home network. With a VPN configuration in place, connecting to the VPN enables you to treat your computer as if it is part of your local home network. The connection process involves following the setup steps for connecting via another machine on the same network on the Siren configuration page and [`configuration`](./ui-configuration.md#configuration).

## 6. Does Siren support reverse proxy or DNS named addresses?

Expand Down
73 changes: 0 additions & 73 deletions book/src/ui-installation.md
View file
Open in desktop

This file was deleted.

Loading