How I almost created a constellation of Bitcoin nodes

Tuesday, 14 March, Year 9 d.Tr. | Author: Mircea Popescu

Originally I intended to bring up a half dozen boxes or so using alf's well advertised ssh tunneling scheme, and I started this article as a reference for that. Meanwhile we ran into various minor bugs ; and the major wtf whereby my box sits with a bunch of connections in TIME_WAIT state and nothing useful happens past that -- the tunnel evidently dun work.

The process was slower than it needs to be, certainly, but what actually put the kibosh on the idea was the twin discovery that a) nodes can still be blackholed with this arrangement, and if they are they will happily drop their ssh pipes and b) even when this doesn't happen there is no advantage whatever [i] to the piped node, it is still treated exactly like an all-comers node in all respects. These two factors combined make it both unfeasible and unappealing to eat the significant materiel and management costs of maintaining the proposed constellation, at least from my point of view.

Evidently, a solution to both a) and b) is expected to emerge from the eventual implementation of the TRB.N / TRB.B wallet split. The TRB.N could be run as servlets, one dedicated for tunneling peers, another dedicated to all-comers, which would make the peered one both immune to blackholing and passible of being privileged in whatever other manner.

That said, I will be preserving the recipe I was preparing while doing all this so I can just pick up from here in half a year or so when I try again.

~ * ~

We will be broadly relying on the Bitcoin Foundation's most recent release : The item is curated by mod6, who is doing an absolutely fabulous job of it. To watch the whole process unravel, safely and correctly, is one of those extremely rare pleasures in the *nix world, notwithstanding their promise was why we even got into nixen in the first place.

We will be however making some adjustments to it, so as to serve our own purposes (the introduction of an experimental patch [ii] in the press). For convenience the whole thing is reproduced below :

  1. Log into a box, such as for instance via ssh root@wherever
  2. Install autossh. [iii]
  3. Create fuckoff.c, to contain :

    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>

    int main() {
        /* Sleep forever: a login shell that never hands out a prompt. */
        while(1) { sleep(1); }
    }

  4. gcc fuckoff.c -o fuckoff
  5. cp fuckoff /sbin/fuckoff
  6. useradd -d /home/tbnode -s /sbin/fuckoff [iv]
  7. su tbnode [v]
  8. mkdir trb-ssh [vi]
  9. cd trb-ssh
  10. curl -s -o V-20160220.tar.gz [vii]
  11. curl -s -o V-20160220.tar.gz.mod6.sig
  12. mkdir .wot [viii]
  13. curl -o ben_vulpes.asc
  14. curl -o trinque.asc
  15. curl -o asciilifeform.asc
  16. curl -o mircea_popescu.asc
  17. curl -o mod6.asc
  18. gpg --verify V-20160220.tar.gz.mod6.sig V-20160220.tar.gz [ix]
  19. tar -xf V-20160220.tar.gz [x]
  20. ./ i http://thebitcoin.foundation [xi]
  21. curl -o ~/trb-ssh/patches/asciilifeform_wires_rev1.vpatch [xii]
  22. curl -o ~/trb-ssh/.seals/asciilifeform_wires_rev1.vpatch.asciilifeform.sig
  23. ./ p v trb54 asciilifeform_wires_rev1.vpatch [xiii]
  24. cd trb54/bitcoin
  25. make ONLINE=1 [xiv]
  26. Create a ssh key [xv]
  27. cat ~/.ssh/id_rsa.pub [xvi]
  28. echo "autossh -f -M 0 -L 9000: name@master" > do_tunnel.sh [xvii]
  29. chmod +x do_tunnel.sh [xviii]
  30. ./do_tunnel.sh [xix]
  31. LC_ALL="C" nohup ./bitcoind -myip= -addwire= -wirerefresh=3600 -verifyall 2>&1 & [xx]

  1. This is disputed ; there exists the to my eyes entirely negligible advantage that the node won't forget about the piped node. Leaving aside this theory hasn't been tested at all, this forgetting (which does happen, glory be to the genius of the original author) nevertheless isn't a major problem in the field for operational reasons.
  2. Consequently significant portions borrowed from asciilifeform's own instructions.
  3. On the system we used (2.6.32-573.12.1.el6.x86_64) this works as

    yum install autossh

    but your system might use apt or whatever it uses.

  4. Create a user (here "tbnode") that will be doing the node work, with fuckoff shell.
  5. We're done with root stuff.
  6. Simply creates a new directory.
  7. These two steps acquire the current pressing mechanism as well as its signature. It will be verified later.
  8. These six steps procure the public keys that you need in order to verify the patches as well as the V version you obtained in steps 3 and 4.
  9. We are now in a position to verify the Vtron we're about to use.
  10. Assuming the above step yielded

    gpg: Signature made Sat 20 Feb 2016 06:26:52 PM UTC using RSA key ID B71EADAF
    gpg: Good signature from "mod6 (mod6) "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 027A 8D7C 0FB8 A166 4372 0F40 7217 05A8 B71E ADAF

    If it didn't, please report.

  11. The i flag inits, in this case on the basis of the mirror kept by the foundation. This will populate your /.seals and /patches directories with the standard TRB tree as of the date of issuance (22 February 2017, in this case).

    See the description of the Vtron's functioning via ./ --help by the way.

  12. This step and the next add the relevant portions of the experimental patch we wish to use (asciilifeform_wires_rev1) to the patches and seals directories respectively.

    If adding other patches, repeat the process for all of them.

  13. Press a TRB tree.
  14. Compile the press, loading the dependencies from deedbot's central repository.
  15. If your user already has a ssh key, simply use its pubkey (it may be a good idea to create a separate user for this entire process).

    It is a horrendously bad idea to use ssh-keygen for this process, as you won't really obtain a key.

  16. You will give this to people you connect via ssh tunnel to.
  17. If you are connecting to master hurr @ the "name@master" part will read hurr@ Do not mess with the 9000: part, that's good as it is.
  18. We do want to run it.
  19. Might also put it in cron for good measure, @boot or something.
  20. We are done, our node at will create a resilient ssh tunnel to the master specified, and accept incoming tunnels from whichever slaves you allowed via authorized_keys. Should you wish to tunnel towards more than one master, make sure you increment the port, 9001 etc.

    Mind that the original patch has the complaint timeout set at one second, which results in four lines per second per dead connection being spit into your debug.log. This is excessive, for which reason we have the above switch. It however doesn't actually work in the original, to quote

    mircea_popescu one a second. why does it ignore the setting ?
    asciilifeform this, i figured out last night. tardoshi did the disconnect routine in a very 'special' way, where it slowly sits and drools and 'waits for any references to expire'

    mircea_popescu ahahaha
    asciilifeform i oughta have throttled the eggog, it gets printed continuously during this idiocy

    mircea_popescu because if he did it like he thinks he should it crashes right
    asciilifeform aha.

    but I understand it will be fixed in a future development.
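
The check in step 18 and footnote 10, made mechanical. This is an added example, not part of the original recipe: it accepts the tarball only when gpg's machine-readable status names the primary key fingerprint quoted in footnote 10, because a "Good signature" from an uncertified key says nothing about whose key made it. The helper names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Fingerprint as printed in footnote 10, spaces removed.
MOD6_FPR=027A8D7C0FB8A16643720F40721705A8B71EADAF

# pinned_validsig EXPECTED_FPR  (hypothetical helper name)
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only when a
# VALIDSIG line carries EXPECTED_FPR as its last field (the primary key
# fingerprint) and gpg reported no bad, unverifiable, expired or revoked
# signature alongside it.
pinned_validsig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIG FILE  (hypothetical helper name)
# Status lines go to stdout (fd 1); the human-readable text on stderr is dropped.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | pinned_validsig "$MOD6_FPR"
}

# Constructed status output, shaped like gpg's for a signature by the pinned key.
SAMPLE_GOOD='[GNUPG:] GOODSIG 721705A8B71EADAF mod6 (mod6)
[GNUPG:] VALIDSIG 027A8D7C0FB8A16643720F40721705A8B71EADAF 2016-02-20 1455992812 0 4 0 1 8 00 027A8D7C0FB8A16643720F40721705A8B71EADAF'

# Constructed: a cryptographically good signature from some other key
# (all-zero placeholder fingerprint). Plain "Good signature" would look the same.
SAMPLE_OTHER='[GNUPG:] GOODSIG 0000000000000000 somebody else
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2016-02-20 1455992812 0 4 0 1 8 00 0000000000000000000000000000000000000000'

for sample in "$SAMPLE_GOOD" "$SAMPLE_OTHER"; do
    if printf '%s\n' "$sample" | pinned_validsig "$MOD6_FPR"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```

On a real box, `verify_release V-20160220.tar.gz.mod6.sig V-20160220.tar.gz && tar -xf V-20160220.tar.gz` ties step 19 to the outcome of step 18.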


5 Responses

  1. Mircea Popescu
    Tuesday, 14 March 2017

    Wikilix bonux :

    mircea_popescu in conclusion.
    asciilifeform didja mention the actual cause ?
    * asciilifeform reads

    mircea_popescu well i dunno teh actual cause beyond "ssh tunnels suck".
    asciilifeform btw does ssh work on that box at all ?
    asciilifeform ( can ssh to localhost ? )

    mircea_popescu im in neh ?
    asciilifeform nope, that's sshd
    asciilifeform i mean ssh.
    asciilifeform client.

    mircea_popescu ah
    mircea_popescu i have nfi.
    asciilifeform try?

    mircea_popescu Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
    mircea_popescu i dun have a key.
    asciilifeform that's farther than it gets here.

    mircea_popescu yea.
    asciilifeform btw if you addwire dulap straight, it'll run plaintext.

    mircea_popescu bout same as -addnode neh
    asciilifeform again, no
    asciilifeform trb FORGETS NODES
    asciilifeform deliberately.

    mircea_popescu yes yes.
    mircea_popescu anyway, nevermind this, it's a total timesink and out of line anyway.
    mircea_popescu pick rsatron or wallet split, do that.
    mircea_popescu evidently new ssh is needed altogether.
    asciilifeform funnily enough that's what the wire thing was originally intended to run with
    asciilifeform but 'g' not ready for prime time yet.
    asciilifeform i'ma knee deep in rsatron.

    mircea_popescu well... when it is.
    asciilifeform anyway you can switch wire off (just omit the flag, dun have to rebuild the binary) if you're happy to let the thing occasionally forget that dulap or any of the other known boxes exist
    asciilifeform i'd still like to know wtf is the deal with your ssh client, but 0 clue and yes potentially infinite tarpit.

    mircea_popescu the sad fact of the matter is that "dulap" or any specified boxes don't, actually, exist. not as of yet.
    asciilifeform aha.
    asciilifeform this also.
    asciilifeform sorta why i did not recommend straight tcp wire.
    asciilifeform i'ma let folx back in nao.

    mircea_popescu and i'm not too eager to spend resources to convince the machine to not forget my own cherished hallucinations. might as well call things thinking(); for that money
    mircea_popescu and yes, do.
    asciilifeform (the ones whose ssh worx..)

    mircea_popescu i am not sure a situation where you can't say why it "works" and why it doesn't work can be called working, but let's go with it.
    asciilifeform whole machine is made of this, can laugh or cry. sorta why i want to make a new one.
    asciilifeform thx for grunting through this experiment. consider updating article with the find..

    mircea_popescu which find ?
    asciilifeform that ssh breaks

  2. For step #23, don't you want to press the tree to "asciilifeform_wires_rev1.vpatch" ?

  3. Mircea Popescu
    Tuesday, 14 March 2017

    Right you are, revisions conflict failure! Fixed.

  4. Step 23 again : leading "." in front of "/" required. My guide also had this error and I just caught it. Cheers!

  5. Mircea Popescu
    Friday, 17 March 2017

    Ah there we go.
