Sample AWS Blockchain Node Runner app for Scroll Nodes
| Contributed by |
|---|
| @alickmail |
Scroll is a "Layer 2" scaling solution for Ethereum leveraging zero knowledge proofs. This blueprint helps to deploy Scroll nodes (L2Geth) on AWS as RPC nodes and use Amazon Managed Blockchain Access Ethereum node for "Layer 1". It is meant to be used for development, testing or Proof of Concept purposes.
Overview of Deployment Architectures for Single Node setups
Single node setup
- A Scroll node deployed in the Default VPC continuously synchronizes with the rest of nodes on Scroll Clusters through Internet Gateway.
- The Scroll node is used by dApps or development tools internally from within the Default VPC. JSON RPC API is not exposed to the Internet directly to protect nodes from unauthorized access.
- You will need access to a fully-synced Ethereum Mainnet RPC endpoint before running l2geth.
- The Scroll node sends various monitoring metrics for both EC2 and Scroll nodes to Amazon CloudWatch.
Additional materials
Review the for pros and cons of this solution.
Well-Architected Checklist
This is the Well-Architected checklist for Ethereum nodes implementation of the AWS Blockchain Node Runner app. This checklist takes into account questions from the AWS Well-Architected Framework which are relevant to this workload. Please feel free to add more checks from the framework if required for your workload.
| Pillar | Control | Question/Check | Remarks |
|---|---|---|---|
| Security | Network protection | Are there unnecessary open ports in security groups? | Please note that ports 30303 (TCP/UDP) for Scroll are open to public to support P2P protocols. We have to rely on the protection mechanisms built into the Scroll software to protect those ports. |
| Traffic inspection | AWS WAF could be implemented for traffic inspection. Additional charges will apply. | ||
| Compute protection | Reduce attack surface | This solution uses Ubuntu 20.04 LTS AMI. You may choose to run hardening scripts on it. | |
| Enable people to perform actions at a distance | This solution uses AWS Systems Manager for terminal session, not ssh ports. | ||
| Data protection at rest | Use encrypted Amazon Elastic Block Store (Amazon EBS) volumes | This solution uses encrypted Amazon EBS volumes. | |
| Data protection in transit | Use TLS | By design TLS is not used in Scroll RPC and P2P protocols because the data is considered public. To protect RPC traffic we expose the port only for internal use. | |
| Authorization and access control | Use instance profile with Amazon Elastic Compute Cloud (Amazon EC2) instances | This solution uses AWS Identity and Access Management (AWS IAM) role instead of IAM user. | |
| Following principle of least privilege access | In the node, root user is not used (using special user "ubuntu" instead). | ||
| Application security | Security focused development practices | cdk-nag is being used with documented suppressions. | |
| Cost optimization | Service selection | Use cost effective resources | Scroll nodes currently doesn't provide binaries for ARM architecture, so AMD-powered EC2 instance type for better cost effectiveness. |
| Cost awareness | Estimate costs | One Scroll node on m6a.2xlarge and 1T EBS gp3 volume will cost around US$367.21 per month in the US East (N. Virginia) region. Additionally the AMB Access Ethereum on bc.m5.xlarge will cost additional ~US$202 per month in the US East (N. Virginia) region. Approximately the total cost will be US$367.21 + US$202 = US$569.21 per month. | |
| Reliability | Resiliency implementation | Withstand component failures | This solution currently does not have high availability and is deployed to a single availability zone. |
| Data backup | How is data backed up? | The data is not specially backed up. The node will have to re-sync its state from other nodes in the Scroll network to recover. | |
| Resource monitoring | How are workload resources monitored? | Resources are being monitored using Amazon CloudWatch dashboards. Amazon CloudWatch custom metrics are being pushed via CloudWatch Agent. | |
| Performance efficiency | Compute selection | How is compute solution selected? | Compute solution is selected based on the recommendations the from Scroll community to provide stable and cost-effective operations. |
| Storage selection | How is storage solution selected? | Storage solution is selected based on the recommendations the from Scroll community to provide stable and cost-effective operations. | |
| Architecture selection | How is the best performance architecture selected? | In this solution we try to balance price and performance to achieve better cost efficiency, but not necessarily the best performance. | |
| Operational excellence | Workload health | How is health of workload determined? | We rely on the standard EC2 instance monitoring tool to detect stalled instances. |
| Sustainability | Hardware & services | Select most efficient hardware for your workload | Scroll nodes currently doesn't provide binaries for ARM architecture, so AMD-powered EC2 instance type for better cost effectiveness. |
Recommended Infrastructure
Hardware Requirements
Minimum for Scroll node
- Instance type m6a.large.
- 500GB EBS gp3 storage with at least 3000 IOPS.
Recommended for Scroll node
- Instance type m6a.2xlarge.
- 500GB EBS gp3 storage with at least 3000 IOPS.`
Amazon Managed Blockchain Ethereum L1
- Minimum instance type: bc.m5.xlarge
- Recommended instance type: bc.m5.2xlarge
Setup Instructions
Open AWS CloudShell
To begin, ensure you login to your AWS account with permissions to create and modify resources in IAM, EC2, EBS, VPC, S3, KMS, and Secrets Manager.
From the AWS Management Console, open the AWS CloudShell, a web-based shell environment. If unfamiliar, review the 2-minute YouTube video for an overview and check out CloudShell with VPC environment that we'll use to test nodes API from internal IP address space.
Once ready, you can run the commands to deploy and test blueprints in the CloudShell.
Clone this repository and install dependencies
git clone https://github.com/alickwong/aws-blockchain-node-runners
cd aws-blockchain-node-runners
npm install
Deploy Single Node
-
Make sure you are in the root directory of the cloned repository
-
If you have deleted or don't have the default VPC, create default VPC
aws ec2 create-default-vpc
NOTE: You may see the following error if the default VPC already exists:
An error occurred (DefaultVpcAlreadyExists) when calling the CreateDefaultVpc operation: A Default VPC already exists for this account in this region.. That means you can just continue with the following steps.
-
Configure your setup
Create your own copy of
.envfile and edit it to update with your AWS Account ID and Region:
# Make sure you are in aws-blockchain-node-runners/lib/scroll
cd lib/scroll
npm install
pwd
cp ./sample-configs/.env-sample-full .env
nano .env
NOTE: Example configuration parameters are set in the local
.env-samplefile. You can find more examples insidesample-configsdirectory.
- Deploy common components such as IAM role
pwd
# Make sure you are in aws-blockchain-node-runners/lib/scroll
npx cdk deploy scroll-common
IMPORTANT: All AWS CDK v2 deployments use dedicated AWS resources to hold data during deployment. Therefore, your AWS account and Region must be bootstrapped to create these resources before you can deploy. If you haven't already bootstrapped, issue the following command:
cdk bootstrap aws://ACCOUNT-NUMBER/REGION
- Deploy Amazon Managed Blockchain (AMB) Access Ethereum node and wait about 35-70 minutes for the node to sync
pwd
# Make sure you are in aws-blockchain-node-runners/lib/scroll
npx cdk deploy scroll-ethereum-l1-node --json --outputs-file scroll-ethereum-l1-node.json
To watch the progress, open the AMB Web UI, click the name of your target network from the list (Mainnet, Goerly, etc.) and watch the status of the node to change from Creating to Available.
- Deploy Scroll Full Node and wait for another 10-20 minutes for it to sync
pwd
# Make sure you are in aws-blockchain-node-runners/lib/scroll
npx cdk deploy scroll-single-node --json --outputs-file single-node-deploy.json
After starting the node you will need to wait for the initial synchronization process to finish.To see the progress, you may use SSM to connect into EC2 first and watch the log like this:
export INSTANCE_ID=$(cat single-node-deploy.json | jq -r '..|.node-instance-id? | select(. != null)')
echo "INSTANCE_ID=" $INSTANCE_ID
export AWS_REGION=us-east-1
aws ssm start-session --target $INSTANCE_ID --region $AWS_REGION
tail -f /var/log/scroll/error.log
When the process complete, you will see L1 message initial sync completed in the log:
INFO [12-13|08:25:46.095] Syncing L1 messages processed=18,683,700 confirmed=18,775,938 collected=77348 progress(%)=99.509
INFO [12-13|08:25:56.165] Syncing L1 messages processed=18,699,700 confirmed=18,775,938 collected=78100 progress(%)=99.594
INFO [12-13|08:26:06.122] Syncing L1 messages processed=18,709,300 confirmed=18,775,938 collected=79042 progress(%)=99.645
INFO [12-13|08:26:16.107] Syncing L1 messages processed=18,729,400 confirmed=18,775,938 collected=79585 progress(%)=99.752
INFO [12-13|08:26:26.127] Syncing L1 messages processed=18,741,900 confirmed=18,775,938 collected=80688 progress(%)=99.819
INFO [12-13|08:26:36.208] Syncing L1 messages processed=18,750,200 confirmed=18,775,938 collected=82535 progress(%)=99.863
INFO [12-13|08:26:46.124] Syncing L1 messages processed=18,755,400 confirmed=18,775,938 collected=84176 progress(%)=99.891
INFO [12-13|08:26:56.120] Syncing L1 messages processed=18,768,200 confirmed=18,775,938 collected=85240 progress(%)=99.959
INFO [12-13|08:27:00.524] L1 message initial sync completed latestProcessedBlock=18,775,938
- Test Scroll RPC API Use curl to query from within the node instance:
export INSTANCE_ID=$(cat single-node-deploy.json | jq -r '..|.node-instance-id? | select(. != null)')
echo "INSTANCE_ID=" $INSTANCE_ID
export AWS_REGION=us-east-1
aws ssm start-session --target $INSTANCE_ID --region $AWS_REGION
curl -s -X POST -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}' http://localhost:8545
Monitoring
A script on the Scroll node publishes current block and blocks behind metrics to CloudWatch metrics every 5 minutes. When the node is fully synced the blocks behind metric should get to 0, which might take about 1.5 days. To see the metrics:
- Navigate to CloudWatch service (make sure you are in the region you have specified for AWS_REGION)
- Open Dashboards and select
scroll-single-nodefrom the list of dashboards.
Clear up and undeploy everything
Destroy all Nodes and Common stacks
# Setting the AWS account id and region in case local .env file is lost
export AWS_ACCOUNT_ID=<your_target_AWS_account_id>
export AWS_REGION=<your_target_AWS_region>
pwd
# Make sure you are in aws-blockchain-node-runners/lib/scroll
# Destroy Single Node
npx cdk destroy scroll-single-node
# Destroy AMB Etheruem node
npx cdk destroy scroll-ethereum-l1-node
# Delete all common components like IAM role and Security Group
npx cdk destroy scroll-common
FAQ
- How to check the logs of the clients running on my Scroll node?
NOTE: In this tutorial we chose not to use SSH and use Session Manager instead. That allows you to log all sessions in AWS CloudTrail to see who logged into the server and when. If you receive an error similar to
SessionManagerPlugin is not found, install Session Manager plugin for AWS CLI
pwd
# Make sure you are in aws-blockchain-node-runners/lib/scroll
export INSTANCE_ID=$(cat single-node-deploy.json | jq -r '..|.node-instance-id? | select(. != null)')
echo "INSTANCE_ID=" $INSTANCE_ID
export AWS_REGION=us-east-1
aws ssm start-session --target $INSTANCE_ID --region $AWS_REGION
sudo journalctl -o cat -fu scroll
- How to check the logs from the EC2 user-data script?
pwd
# Make sure you are in aws-blockchain-node-runners/lib/scroll
export INSTANCE_ID=$(cat single-node-deploy.json | jq -r '..|.node-instance-id? | select(. != null)')
echo "INSTANCE_ID=" $INSTANCE_ID
export AWS_REGION=us-east-1
aws ssm start-session --target $INSTANCE_ID --region $AWS_REGION
sudo cat /var/log/cloud-init-output.log
- How can I restart the Scroll service?
export INSTANCE_ID=$(cat single-node-deploy.json | jq -r '..|.node-instance-id? | select(. != null)')
echo "INSTANCE_ID=" $INSTANCE_ID
export AWS_REGION=us-east-1
aws ssm start-session --target $INSTANCE_ID --region $AWS_REGION
sudo systemctl status scroll.service
sudo systemctl restart scroll.service
-
Where to find the key l2geth directories?
- The directory with binaries is
/home/ubuntu/l2geth-source. - The data directory of l2geth agent is
/home/ubuntu/l2geth-source/l2geth-datadir
- The directory with binaries is
-
You can now attach to l2geth?
sudo - ubuntu
cd /home/ubuntu/l2geth-source/
alias l2geth=./build/bin/geth
l2geth attach "./l2geth-datadir/geth.ipc"
> admin.peers.length
14
> eth.blockNumber
10000