Skip to content

deploy_tee: fix the genesis-ceremony path + label disk-provisioning progress#47

Merged
samlaf merged 3 commits into
mainfrom
genesis-ceremony-e2e-fixes
Jul 1, 2026
Merged

deploy_tee: fix the genesis-ceremony path + label disk-provisioning progress#47
samlaf merged 3 commits into
mainfrom
genesis-ceremony-e2e-fixes

Conversation

@samlaf

@samlaf samlaf commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes the operator-side seismic-tee-bootstrap genesis ceremony — which had
never actually run end-to-end against a real node — and labels the first-boot
disk-provisioning progress bar. Surfaced while bringing up the first
single-node TEE network to a live chain; with these changes (plus a companion
summit fix, see below) a node reaches a live chain (reth producing, summit
finalizing).

Changes

1. summit_client speaks JSON-RPC, not REST (fix)

summit's RPC is jsonrpsee (JSON-RPC 2.0, POST-only, camelCase methods — see
summit/rpc/src/api.rs), but summit_client did GET /<path> and
text/plain POSTs with snake_case paths. So getPublicKeys / sendGenesis
never worked against a real node.

Rewrote it as a JSON-RPC client: one _rpc(method, params) that POSTs the
envelope to the /summit base (nginx strips the prefix) and returns result,
using the real method names. Dropped the dead REST helpers and send_share
(no such endpoint, no caller). Added mocked tests for the envelope + error path.

2. Run the genesis binary from PATH with an explicit template (feat!)

genesis.py assumed a dev checkout — it shelled out to
~/summit/target/debug/genesis and ~/summit/example_genesis.toml.

Now it takes the genesis binary from PATH (the pattern summit uses for
reth), with a clear error if it's missing, and the template via
--summit-template. Dropped --code-path (its only job was locating
~/summit). Also logs the built genesis's path and each node it's sent to
before delivery (paths only, not contents), mirroring how configure logs
the config it POSTs.

Breaking: --summit-template is now required; --code-path is removed.

3. Label first-boot disk-provisioning progress (feat)

The progress bar showed bytes / % / eta but never said what it was doing.
Added an encrypting disk label and a one-time line when provisioning starts,
explaining it's the first-boot full-disk LUKS + dm-integrity wipe (one-time,
can take 1h+) so the long phase doesn't read as a hang.

Prereqs

seismic-tee-bootstrap genesis needs the genesis binary on PATH — built
from summit, e.g. cargo install --path node --bin genesis --locked (the
--locked matters; summit pins commonware via its lockfile).

Testing

  • Unit tests (mocked, no network): summit_client request envelope + RPC-error
    path; existing manifest/configure/status suites still pass. ruff clean.
  • Manually drove a single-node TEE network end-to-end to a live chain
    (cast block-number advancing) using these changes.

Follow-ups (not in this PR)

  • eth_genesis_hash still needs a manual -g. summit's genesis template
    carries an eth_genesis_hash that must equal reth's actual genesis hash;
    today the operator passes it via -g. Proposed: have the ceremony
    auto-derive it from the node's own reth (eth_getBlockByNumber 0) and
    cross-check the cohort, removing the manual step.
  • Companion summit fix (separate PR): the genesis binary defined its
    own genesis struct that had drifted from summit_types::Genesis and silently
    dropped required fields (validator_minimum_stake); fixed to use the
    canonical type. That PR also proposes moving genesis assembly into the node
    (sendGenesis taking template + validators) to retire the operator-side
    binary and the version-skew question entirely.
  • genesis reads each node's summit pubkey once (no retry). A node that
    isn't ready yet fails the ceremony; retry-until-ready is a separate change.

samlaf added 3 commits July 1, 2026 15:49
summit's RPC is jsonrpsee (JSON-RPC 2.0, POST-only, camelCase methods; see
summit/rpc/src/api.rs), but summit_client did GET /<path> and text/plain
POSTs with snake_case paths. So getPublicKeys / sendGenesis never actually
worked against a real node — the genesis ceremony had never run e2e.

Rewrite it as a JSON-RPC client: one `_rpc(method, params)` that POSTs the
envelope to the `/summit` base (nginx strips the prefix) and returns
`result`, using the real method names (getPublicKeys, sendGenesis, health).
Drop the dead REST helpers and `send_share` (no such endpoint, no caller).
Add mocked tests for the envelope + error path.
…template

genesis.py assumed a dev checkout: it shelled out to
~/summit/target/debug/genesis and ~/summit/example_genesis.toml. Take the
`genesis` binary from PATH instead (the pattern summit uses for `reth`), with
a clear error if it's missing, and require the template via --summit-template.
Drop --code-path, whose only purpose was locating ~/summit.

Also log the built genesis's path and each node it's sent to before delivery
(paths only, not the contents), mirroring how `configure` logs the config it
POSTs. README prereqs + example updated.
The progress bar showed bytes / % / eta but never said what it was doing.
Prefix the bar with "encrypting disk", and print a one-time line when
provisioning starts explaining it's the first-boot full-disk LUKS +
dm-integrity wipe (one-time, can take 1h+) so a long phase doesn't read as a
hang.
@samlaf samlaf merged commit 608f754 into main Jul 1, 2026
1 check passed
@samlaf samlaf deleted the genesis-ceremony-e2e-fixes branch July 1, 2026 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant