Open cortze opened 1 week ago
What do you mean by advertise the localhost IP?
When hermes adds itself as a trusted node at the control Prysm node, it has to set a multi-address that Prysm can also ping to.
Prysm generally rejects the first connection from hermes -> prysm, but it tries to open the connection back to the given multi-address.
If we want to open an SSH tunnel between the local hermes and the remote prysm to test changes (with a reverse port forwarding for the hermes p2p port), the current private address that hermes advertises won't be reachable by Prysm, as both are in different private networks.
Thus, establishing the connection requires hermes to share the 127.0.0.1 IP inside the trusted multi-address.
OK I see. Would it be a security issue to have Hermes advertise both addresses? It seems to be the easiest solution.
Alternatively the --local-prysm=true/false flag also seems a good option.
On the security side, I would say that there is nothing to worry about, as this is just how Hermes lets Prysm know how to reach it back.
It could indeed advertise both addresses, the private and localhost ones, but it means that Prysm will constantly try to connect to both addresses while one of them is always unreachable 🤷🏽
Alright, then maybe the flag is best in this case
Nice, I'll set it to the private one as default, and change it to the localhost one if the flag --local-trusted-address is given
Description
Hermes currently advertises only the private address when connecting to the local Prysm node. This makes local testing harder, as the Prysm node might not always be on the same local network (target for the production deployment at AWS or similar).
Creating an SSH tunnel with the Hermes port reverse-tunneled is convenient. However, this requires the Hermes instance to advertise the localhost IP, which opens a few questions: --local-prysm=true/false?