From 13843cea539409da9aed819dd8ff710d084338e1 Mon Sep 17 00:00:00 2001
From: "iguerNL@Functori"
Date: Tue, 13 May 2025 16:57:08 +0200
Subject: [PATCH 1/2] KVS: switch from 660 to 644 for KVS files' rights

We probably don't want to grant write rights for group.
---
 src/lib_stdlib_unix/key_value_store.ml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib_stdlib_unix/key_value_store.ml b/src/lib_stdlib_unix/key_value_store.ml
index dfc6e756f0e3..def04f6ff1d5 100644
--- a/src/lib_stdlib_unix/key_value_store.ml
+++ b/src/lib_stdlib_unix/key_value_store.ml
@@ -720,7 +720,7 @@ end = struct
 let load_file files last_actions lru filename =
 let open Lwt_syntax in
 let* lru_node = add_lru files last_actions lru filename in
- let* fd = Lwt_unix.openfile filename [O_RDWR; O_CLOEXEC] 0o660 in
+ let* fd = Lwt_unix.openfile filename [O_RDWR; O_CLOEXEC] 0o644 in
 (* TODO: https://gitlab.com/tezos/tezos/-/issues/6033
 Should we check that the file is at least as big as the bitset? *)
 let bitset =
@@ -748,7 +748,7 @@ end = struct
 Lwt_unix.openfile
 layout.filepath
 [O_RDWR; O_CREAT; O_EXCL; O_CLOEXEC]
- 0o660
+ 0o644
 in
 let total_size =
 bitset_size + (layout.number_of_keys_per_file * layout.value_size)
-- 
GitLab

From cac4098ac0b5ae720d79e3a99df5e8fe851146dc Mon Sep 17 00:00:00 2001
From: "iguerNL@Functori"
Date: Mon, 19 May 2025 18:00:15 +0200
Subject: [PATCH 2/2] DAL/Nginx: add basic server template to serve DAL slot_store as static files

---
 .../http_backup_nginx_server/basic.server | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 src/bin_dal_node/http_backup_nginx_server/basic.server

diff --git a/src/bin_dal_node/http_backup_nginx_server/basic.server b/src/bin_dal_node/http_backup_nginx_server/basic.server
new file mode 100644
index 000000000000..7cc0d3b0f4c1
--- /dev/null
+++ b/src/bin_dal_node/http_backup_nginx_server/basic.server
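Review bot: In the first hunk of key_value_store.ml (`load_file`, PATCH 1/2), the mode passed to `Lwt_unix.openfile` has no effect, because the flags are `[O_RDWR; O_CLOEXEC]` without `O_CREAT` and the mode argument is only used when a file is created. Store files already written with the old `0o660` therefore keep group write after this commit. If existing stores should lose that bit, the mode has to be changed explicitly after opening, for example `let* () = Lwt_unix.fchmod fd 0o644 in`, or by a one-off migration; otherwise a comment such as `(* mode is ignored here: no O_CREAT *)` would keep the value from reading as a guarantee. The body of `load_file` continues past the end of the hunk.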
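Review bot: In the second hunk of key_value_store.ml (the `O_CREAT; O_EXCL` open of `layout.filepath`, PATCH 1/2), `0o644` does more than the commit message states: besides dropping group write it adds read access for others, which `0o660` did not grant. If the only goal is to remove group write, `0o640` does that without making new store files readable by every local account. If world-read is wanted so that a separate web-server user can serve the files, the commit message and a comment next to the mode should say so, e.g. `(* 0o644: readable by the HTTP backup server user *)`. The effective bits still depend on the process umask, and the enclosing function starts and ends outside the hunk.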
@@ -0,0 +1,54 @@
+# What is this?
+
+## This NGINX configuration template allows you to serve the content of the
+## `store/slot_store` directory of a DAL node as static files over HTTP.
+##
+## DAL nodes can be configured to fetch missing slots via fallback HTTP servers
+## using the following URI layout:
+##
+## /v0/slots/by_published_level/__
+##
+## This layout is expected by the `--http-backup` option of the DAL node.
+
+# How to deploy?
+
+## When deploying this server, ensure that the parent directories of the DAL
+## node's data directory have appropriate permissions. In particular, NGINX
+## (often running under a separate user) must have execution rights (`+x`)
+## to traverse the directory tree, and read permissions (`+r`) on the target
+## directory and its contents:
+##
+## chmod o+x /absolute/path
+## chmod o+x /absolute/path/to
+## chmod o+x /absolute/path/to/tezos-dal-node
+## chmod o+x /absolute/path/to/tezos-dal-node/store
+## chmod o+rx /absolute/path/to/tezos-dal-node/store/slot_store
+
+# How to test via command-line?
+
+## Fetch a single slot file:
+# wget /v0/slots/by_published_level/__
+
+## Mirror the remote slot store locally:
+# wget \
+# --mirror \
+# --no-parent \
+# --no-host-directories \
+# --cut-dirs=3 \
+# --directory-prefix=store/slot_store \
+# --accept-regex '[0-9]+_[0-9]+_[0-9]+' \
+# --reject "index.html*" \
+# /v0/slots/by_published_level/
+
+# NGINX configuration
+# Replace "/absolute/path/to/tezos-dal-node" with the actual path to your DAL node's data directory
+
+server {
+ listen 80;
+ server_name _;
+
+ location /v0/slots/by_published_level/ {
+ alias /absolute/path/to/tezos-dal-node/store/slot_store/;
+ autoindex on;
+ }
+}
-- 
GitLab
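Review bot: The deployment comments open the data path to every local account (`chmod o+x` on each parent directory, `o+rx` on `slot_store`), although only the NGINX worker needs access. A group-based variant such as `chgrp <nginx-group> .../store/slot_store` with `chmod g+rx`, or a POSIX ACL for that one user, would keep the tree closed to other users. In the `server` block, `autoindex on` together with `listen 80` and the catch-all `server_name _` lets any client that reaches the port list and download the whole slot store over plain HTTP. The listing appears to be needed only for the `wget --mirror` example, so a comment like `# autoindex is only required for mirroring; remove it if clients fetch single slot files` would help operators turn it off. Whether the DAL node verifies fetched slots is not visible in this patch, so the template should also state that the server is meant to sit behind TLS or on a trusted network.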