For Internal Use Only

Ukrainian language is used for safety reasons.

...

Replace **** in http://*****:*****@10.116.0.3:8332 with the username and password of the RPC user defined in the Bitcoin node configuration file (usually bitcoin.conf).

...

After rendering global/config.yaml, restarting the BITCOIN-PI daemon is mandatory. The restart is done via the CI/CD pipeline configured in gitlab.tunex.io for Configurator, or manually:

Code Block
languagebash
$ docker-compose restart BITCOIN-PI

>>>>>>>>TO APPROVE<<<<<<<<

...

Task Description:

For security reasons, access to the Bitcoin node located on dev.marionette.dev should be restricted to only two servers: dev.marionette.dev and demo.marionette.dev.

Implementation Involves:

  1. Configuring the Network Firewall:
    Set up the network firewall on Digital Ocean, where the droplets dev.marionette.dev and demo.marionette.dev are located.

  2. Configuring the Docker-Compose File:
    Modify the Docker-Compose file for the Bitcoin node on dev.marionette.dev.

Note:
Additionally (not related to the Bitcoin node), for interactions with the demo environment (specifically the BITCOIN-PI service on this deployment), the internal IP address of dev.marionette.dev should be configured in the VPC network.

Implementation Details:

  • Internal IP Address of dev.marionette.dev in VPC: 10.116.0.3

  • Internal IP Address of demo.marionette.dev in VPC: 10.116.0.9

Firewall Configuration:

The following firewall inbound rules have been created, allowing port 8332 only for IP 10.116.0.9:

...

These rules have been applied to the dev.marionette.dev droplet:

...

For the Bitcoin node deployment on dev.marionette.dev, port 8332 of the bitcoind Docker container is mapped to port 8332 on the host. To achieve this, the cryptonodes.yaml.t template from which Configurator renders docker-compose.yaml has been modified by adding a port mapping section:

Code Block
languageyaml
ports:
  - "{{rpcport}}:{{rpcport}}"

After rendering on dev.marionette.dev, the resulting file is cryptonodes.yaml:

Code Block
languageyaml
version: "3.7"
services:
  blockchainRegistry:
    image: gitlab.tunex.io:5050/marionette-develop/backend:latest
    restart: always
    command: ./node_modules/.bin/moleculer-runner
    hostname: "blockchainRegistry"
    env_file:
      - ../config/database.env
    environment:
      SERVICES: services/blockchainRegistry
      LOGLEVEL: info
  bitcoind:
    image: gitlab.tunex.io:5050/marionette-stack/public/bitcoind24v
    restart: always
    user: root
    command: bitcoind
    ports:
      - "8332:8332"
    environment:
      HOSTNAME: bitcoind
    volumes:
      - ../data/bitcoin/.bitcoin:/bitcoin/.bitcoin
      - ../config/bitcointest.conf:/bitcoin/.bitcoin/bitcoin.conf
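
Added example (not part of this page or of Configurator): a small Python lint over the rendered compose file. A short-syntax mapping with no host IP, such as "8332:8332", makes Docker publish the port on 0.0.0.0, so the firewall above is the only thing keeping RPC off the public interface; the check flags such mappings and shows the defence-in-depth rewrite that binds the host side to the VPC address 10.116.0.3 instead.

```python
# Constructed sample: the bitcoind service from this page's rendered
# cryptonodes.yaml, trimmed to the lines the lint needs.
SAMPLE_COMPOSE = """\
services:
  bitcoind:
    image: gitlab.tunex.io:5050/marionette-stack/public/bitcoind24v
    ports:
      - "8332:8332"
    environment:
      HOSTNAME: bitcoind
"""
VPC_IP = "10.116.0.3"  # internal VPC address of dev.marionette.dev (from the page)

def parse_port_mapping(spec):
    """Docker short syntax [HOST_IP:]HOST_PORT[:CONTAINER_PORT] (IPv4 host IPs only);
    host_ip is None when Docker binds the published port on every interface."""
    parts = spec.split("/")[0].split(":")  # ignore an optional /tcp or /udp suffix
    host_ip = parts[0] if len(parts) == 3 else None
    return host_ip, parts[-2] if len(parts) > 1 else parts[0], parts[-1]

def published_ports(compose_text):
    """Line-based scan (no PyYAML needed) of the '- "..."' entries under each
    service's ports: key. Returns a list of (service, spec)."""
    found, service, in_ports, ports_indent = [], None, False, 0
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2 and stripped.endswith(":"):   # a service name
            service, in_ports = stripped[:-1], False
        elif stripped == "ports:":
            in_ports, ports_indent = True, indent
        elif in_ports and indent > ports_indent and stripped.startswith("- "):
            found.append((service, stripped[2:].strip("\"'")))
        elif in_ports and indent <= ports_indent:    # left the ports: list
            in_ports = False
    return found

def all_interface_bindings(compose_text):
    """Mappings with no host IP: only the cloud firewall keeps them off the public NIC."""
    return [(s, p) for s, p in published_ports(compose_text)
            if parse_port_mapping(p)[0] is None]

def harden_mapping(spec, host_ip):
    """Rewrite a mapping so the host side listens only on host_ip (the VPC address)."""
    _, host_port, container_port = parse_port_mapping(spec)
    return f"{host_ip}:{host_port}:{container_port}"
```

Docker inserts its own iptables rules for published ports, which bypass host-level ufw rules; the DigitalOcean cloud firewall sits outside the droplet and is unaffected, but binding to 10.116.0.3 keeps the port closed on the public interface even if a firewall rule is later removed.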

After rendering cryptonodes.yaml, restarting the Bitcoin daemon is mandatory. This restart can be done via the CI/CD pipeline configured in gitlab.tunex.io for Configurator or manually:

Code Block
languagebash
$ docker-compose restart bitcoind

Verification:

To ensure the Bitcoin node daemon is accessible only from the two droplets, use bitcoin-cli, curl, and the RPC API for the Bitcoin node (RPC API Reference — Bitcoin).

For dev.marionette.dev, use bitcoin-cli. For example, check the highest block in the node:

Code Block
languagebash
$ docker-compose exec bitcoind bitcoin-cli getblockcount
2470217

For demo.marionette.dev, use curl. For example, check the wallet balance in the node:

Code Block
languagebash
$ curl --data-binary '{"jsonrpc":"1.0","method":"getbalance","params":[]}' -H 'content-type: text/plain;' http://*****:*****@10.116.0.3:8332
{"result":0.21380328,"error":null,"id":null}

Replace **** in http://*****:*****@10.116.0.3:8332 with the RPC username and password defined in the Bitcoin node configuration file (usually bitcoin.conf).

To verify that access to the Bitcoin node is restricted to the VPC network, use curl to check the wallet balance by specifying the external IP address of dev.marionette.dev:

Code Block
languagebash
$ curl --data-binary '{"jsonrpc":"1.0","method":"getbalance","params":[]}' -H 'content-type: text/plain;' http://*****:*****@157.230.93.53:8332
curl: (28) Failed to connect to 157.230.93.53 port 8332: Connection timed out

For any other case, use your own laptop or another server and send a request to get the highest block in the node:

Code Block
languagebash
$ curl --data-binary '{"jsonrpc":"1.0","method":"getblockcount","params":[]}' -H 'content-type: text/plain;' http://*****:*****@dev.marionette.dev:8332
curl: (28) Failed to connect to 157.230.93.53 port 8332: Connection timed out

If the response is "Failed to connect to 157.230.93.53 port 8332: Connection timed out", the restriction is working: the firewall is dropping RPC traffic that does not originate from the two droplets.

Additional: Ensuring BITCOIN-PI Communication on demo.marionette.dev with Bitcoin Node

Because the Bitcoin node on dev.marionette.dev now accepts RPC connections on port 8332 only from the internal VPC network, update the Configurator variable in the global/config.yaml file under the BITCOIN-PI section so that BITCOIN-PI on demo.marionette.dev reaches the node by its VPC address:

Code Block
languageyaml
rpchost: 10.116.0.3

After rendering global/config.yaml, restarting the BITCOIN-PI daemon is mandatory. This restart can be done via the CI/CD pipeline configured in gitlab.tunex.io for Configurator or manually:

Code Block
languagebash
$ docker-compose restart BITCOIN-PI

...