Document history expiry

website/docs/Support/HelpfulWebsites.md

@@ -1,6 +1,6 @@
 ---
 title: Helpful Websites
-sidebar_position: 13
+sidebar_position: 12
 sidebar_label: Helpful Websites
 ---
 

website/docs/Support/Windows.md

@@ -1,6 +1,6 @@
 ---
 title:  Windows
-sidebar_position: 12
+sidebar_position: 11
 sidebar_label: Windows
 ---
 

website/docs/Support/ipv6.md

@@ -1,6 +1,6 @@
 ---
 title: IPv6
-sidebar_position: 11
+sidebar_position: 10
 sidebar_label: IPv6 support
 ---
 

website/docs/Usage/Dashboards.md

@@ -1,6 +1,6 @@
 ---
 title: "Choose a Grafana dashboard (optional)"
-sidebar_position: 7
+sidebar_position: 8
 sidebar_label: Dashboards
 ---
 

website/docs/Usage/Hardware.md

@@ -1,6 +1,6 @@
 ---
 title: Resources, hardware
-sidebar_position: 3
+sidebar_position: 4
 sidebar_label: Hardware
 ---
 

website/docs/Usage/ImportKeys.md

@@ -1,6 +1,6 @@
 ---
 title: "Create and import validator keys to the client"
-sidebar_position: 2
+sidebar_position: 3
 sidebar_label: Import Validator Keys
 ---
 

website/docs/Usage/LinuxSecurity.md

@@ -1,6 +1,6 @@
 ---
 title: Linux security and setup recommendations
-sidebar_position: 5
+sidebar_position: 6
 sidebar_label: Linux Security
 ---
 

website/docs/Usage/Networking.md

@@ -1,6 +1,6 @@
 ---
 title: Networking and port forwarding
-sidebar_position: 4
+sidebar_position: 5
 sidebar_label: Network configuration
 ---
 

website/docs/Usage/NodeTypes.md

@@ -0,0 +1,53 @@
+---
+title: Archive, Full or Expired node
+sidebar_position: 2
+sidebar_label: History and Pruning
+---
+
+## Types of nodes
+
+You can run an Archive node, with all history and full lookup for all historical transactions. This may take large amounts of space, depending on the execution layer client.
+
+You can run a Full node, with all history and limited lookup for historical transactions. This fits into a 4TB drive and is often the choice for RPC nodes.
+
+You can run an Expired node, with pre-merge history and receipts gone. This fits into a 2TB drive and is foten the choice for validator nodes.
+
+This is controlled by variables in `.env`, which can be set with `nano .env`. Switching from one type to another often requires a full resync.
+
+`CL_ARCHIVE_NODE` - run the consensus layer node as an archive, including blobs where supported  
+`CL_MINIMAL_NODE` - run the consensus layer node with minimal storage
+
+`EL_ARCHIVE_NODE` - run the execution layer node as an archive. The required space can vary widely depending on the client: From right around 2 TB to well over 50TB  
+`EL_MINIMAL_NODE` - run the execution layer node with history expiry. `true` is pre-merge history expiry; `rolling` is 1-year rolling if the client supports it;
+`aggressive` expires all but the last few blocks, if the client supoorts it
+
+## Switch from Full to Expired node
+
+You can use `./ethd prune-history` to switch the client to history expiry, in some cases without resync. Note that Besu requires 200 GiB free for this, and
+it will take less space if instead it is resynced with `./ethd resync-execution` while `EL_MINIMAL_NODE=true`
+
+## State pruning
+
+In addition to history, execution layer clients also carry state. Historically, the size of the state DB has been growing and can be pruned periodically.
+Today, only Nethermind still requires a state prune. Note this is entirely separate from history expiry. It applies to Full and Expired nodes. Archive
+nodes should never have their state pruned.
+
+### Automatic Nethermind prune
+
+By default, Nethermind will prune when free disk space falls below 350 GiB on mainnet, or 50 GiB on testnet. If you
+want to disable that, `nano .env` and change `AUTOPRUNE_NM` to `false`.
+
+If you have disabled automatic prune, you can run `./ethd prune-nethermind`. It will check prerequisites, online prune Nethermind, and restart it.
+
+### Continuous Besu prune
+
+Besu continuously prunes with BONSAI, and from 24.1.0 on also prunes its trie-logs. A long-running Besu may benefit
+from a manual trie-log prune, once.
+
+If you have a large amount of trie logs, run `./ethd prune-besu` on a  long-running Besu. It will check prerequisites, offline prune Besu trie-logs, and
+restart it.
+
+### Continuous Geth prune
+
+Geth continuously prunes if synced with PBSS. If you are using an old hash-synced Geth, run `./ethd resync-execution`
+to use PBSS. This will cause downtime while Geth syncs, which can take 6-12 hours.

website/docs/Usage/Prerequisites.md

@@ -1,6 +1,6 @@
 ---
 title: "Install Prerequisites."
-sidebar_position: 11
+sidebar_position: 12
 sidebar_label: Prerequisites
 ---
 

website/docs/Usage/ResourceUsage.md

@@ -1,6 +1,6 @@
 ---
 title: Client Resource Usage
-sidebar_position: 10
+sidebar_position: 11
 sidebar_label: Client Resource Usage
 ---
 
@@ -42,7 +42,7 @@ DB Size is shown with two values like "1.2 TiB / 830 GiB", for a full node and a
 
 Notes on disk usage
 - Reth, Besu, Geth, Erigon and Nimbus continously prune
-- Nethermind - DB size can be reduced when it grew too large, by [online prune](../Support/Prune.md). Keep an eye
+- Nethermind - DB size can be reduced when it grew too large, by [online prune](NodeTypes.md). Keep an eye
 on [Paprika](https://github.com/NethermindEth/nethermind/pull/7157) and
 [Path](https://github.com/NethermindEth/nethermind/pull/6499) work
 

website/docs/Usage/ReverseProxy.md

@@ -1,6 +1,6 @@
 ---
 title: "Additional security: Secure Web Proxy"
-sidebar_position: 9
+sidebar_position: 10
 sidebar_label: Secure Web Proxy
 ---
 

website/docs/Usage/WebUI.md

@@ -1,6 +1,6 @@
 ---
 title: Web UI
-sidebar_position: 8
+sidebar_position: 9
 sidebar_label: Web UI
 ---
 

website/i18n/de/docusaurus-plugin-content-docs/current/About/Changelog.md

@@ -13,9 +13,103 @@ modifications. If you want to reset the source or binary build targets in `.env`
 instead.
 * `./ethd up` - use the new client version(s)
 
-> On 1/27/2022, Eth Docker's repository name changed. Everything should work as it did.
-> If you do wish to manually update your local reference, run `git remote set-url origin https://github.com/eth-educators/eth-docker.git`
+> On 6/21/2025, Eth Docker's repository name changed. Everything should work as it did.
+> If you do wish to manually update your local reference, run `git remote set-url origin https://github.com/ethstaker/eth-docker.git`
 
+## v2.16.0.0 2025-07-04
+
+*This release is recommended*
+
+The headline feature is execution layer history expiry, so an Ethereum node fits into roughly 1 TiB.
+
+**Breaking changes**
+- Require Besu `25.7.0`, use promoted Besu pruning parameters without `-X`
+
+Changes
+- Support pre-merge history expiry for all execution layer clients: `./ethd prune-history`
+- Geth archive node fresh sync uses path-based state scheme
+- Enable Vero keymanager API
+- `./ethd install` can apply host-level optimizations
+- `ext-network.yml` now is controlled by the `DOCKER_EXT_NETWORK` variable and no longer
+needs to be edited directly
+- Remove deprecated VC parameter from Teku
+- Improve Grafana dashboards
+- The size of `ANCIENT_DIR` is shown during `./ethd space`, if it is set
+- `./ethd resync-execution` also removes contents of `ANCIENT_DIR`, if it is set
+- Add `--trace` option to `./ethd update` and `./ethd keys`. Please be careful, the output may include secrets.
+- Update Lido exit oracles on Hoodi and Mainnet
+- Remove pre-Pectra migration logic
+- Update Siren and Prysm repo locations
+- Update Eth Docker repo location to `ethstaker` organization, from `eth-educators`
+
+Bug fixes
+- Remove an extra `https://` in default Hoodi relays
+- Fix `./ethd prune-reth` command
+- Fix detection logic for Erigon Caplin
+
+## v2.15.3.0 2025-05-13
+
+*This release is optional, yet recommended*
+
+Changes
+
+- Support pre-merge history expiry with Geth, Nethermind and Nimbus-EL: `./ethd prune-history`
+- Offer Nimbus EL alpha during `./ethd config` if on Hoodi or Sepolia
+- Support Era1/Era file import for Nimbus EL
+- Support Fluffy Portal client for use with Nimbus EL
+- Offer Teku when configuring Ephemery testnet during `./ethd config`
+- Nag users about old Docker Compose and about hosts that haven't been updated in 300+ days
+- Erigon's current expiry changed to `EL_MINIMAL_NODE=aggressive`, to support coming pre-merge expiry
+- Switch users to new Offchainlabs Prysm repos
+- Switch users to new Besu tags
+- Update Lido default oracles on Hoodi
+- Bump `cadvisor` to `0.52.1`
+- Enable `cadvisor` to detect OOM events
+- Interactive `./ethd update` writes a log into `/tmp`
+- Support doppelganger protection in SSV `2.3.1` and later
+- Create `.env.bak` earlier when migrating `.env`, improve the error handler: Better chance a backup exists
+and user is not left with a broken `.env` if `./ethd update` fails
+- Increase Web3signer heap to 6g. There is a memory issue here somewhere - a remote signer *should* work
+just fine with 2g, and mine does. If yours takes >2g on startup, recommend discussing with Consensys so
+this can be fixed.
+
+Bug fixes
+- Fix Lighthouse IPv6 ENR
+- Nimbus EL Compose labels cleaned up
+- Resolve an incompatibility with Docker Compose 2.17.2 and earlier
+- Exact match for `--help` - can now run `./ethd cmd run --rm execution --help` for example and get the help
+screen for the execution layer client, not the help screen for `./ethd`
+- Fix Nimbus slottime source build
+- `ethereum-metrics-exporter` will query the `consensus` service when used in a Lido x Obol setup
+
+## v2.15.2.0 2025-04-20
+
+*This release is optional, yet recommended*
+
+Changes
+
+- Support Vero "in a box" with multiple Ethereum nodes, by introducing additional aliases
+- Better support for Caplin
+- Split EL and CL archive nodes
+- Better PostgreSQL update
+- `./ethd update` runs in `screen` by default: Use `./ethd update --non-interactive` to override that
+- Default to PostgreSQL 17
+- Source build with Go 1.24
+- New SSV Grafana dashboard
+- Dependency upgrades, such as ethereum-metrics-exporter and pre-commit-hooks
+- Web3signer heap is configurable
+- `./ethd update` refactor to eliminate "did not migrate an .env variable" style bugs
+- Hoodi network support in `./ethd config`
+- Caplin support in `./ethd config`
+- Besu no longer defaults to "high spec" on 64 GiB RAM - I don't know that Besu may use the RAM. If you want it
+to, use `EL_EXTRAS`
+- Query history expiry when using Erigon: Expect this to change again as history expiry gets fleshed out
+post-Pectra
+- A small zoo of messaging improvements to make things (hopefully) clearer
+
+Bug fixes
+- Custom `NETWORK` as a github repo adjusted to work again, this had been broken for a while. Thanks early Hoodi!
+- Lido Obol works with Lodestar
 
 ## v2.15.1.0 2025-02-04
 

website/i18n/de/docusaurus-plugin-content-docs/current/About/SecurityAudit.md

@@ -4,7 +4,28 @@ sidebar_position: 6
 sidebar_label: Security Audit
 ---
 
-# Findings
+## Reaudit Findings October 2024
+
+Sigma Prime conducted a security audit of the changes to Eth Docker v2.12.3.0 since v2.3, with findings presented in October 2024.
+
+A huge thank-you to both Sigma Prime for the audit, and Ethstaker for funding it.
+
+[Findings as PDF](../../static/pdf/Sigma_Prime_Eth_Docker_Update_2_v2_0.pdf)
+
+There is one informational finding.
+
+### Response
+
+Sigma Prime point out that "Sensitive Data Can Be Handled By Secrets", such as the JWT Secret, which secures the Engine API connection.
+
+Their testing team concurs with the response:
+> [Docker secrets] are of marginal utility, [since] if the host is breached on the user running Eth Docker, then by virtue of needing to be
+able to run Docker, that user can access the JWT secret no matter how it is stored. In addition, the engine port is
+kept within the Docker bridge network by default, not mapped to host.
+
+More to the point, though, Docker does not support secrets unless run in Docker swarm mode.
+
+## Initial Audit Findings May 2023
 
 Sigma Prime conducted a security audit of Eth Docker 2.2.8.4 during March and April 2023, with findings presented on April 30th 2023.
 
@@ -15,7 +36,7 @@ A huge thank-you to both Sigma Prime for the audit, and Ethereum Foundation for
 There are one medium severity and four informational findings. The medium-severity finding is about the entropy used for JWT secret,
 API manager token in Nimbus and Lodestar, Prysm wallet password, and Teku cert password: Entropy comes from `$RANDOM` and is therefore only 16 bits.
 
-# Response
+### Response
 
 Eth Docker v2.3 addresses these findings. It now uses 64 bits of entropy and SHA-256 hash.
 

website/i18n/de/docusaurus-plugin-content-docs/current/Support/Cloud.md

@@ -116,13 +116,15 @@ It can be useful to have a single execution client service multiple consensus cl
 To allow Docker traffic to the execution client while dropping all other traffic:
 - `sudo ufw allow from 172.16.0.0/12 to any port 8545`
 - `sudo ufw allow from 192.168.0.0/16 to any port 8545`
-- `sudo ufw allow from 10.0.0.0/8 to any port 8545`
 - `sudo ufw deny 8545`
 - `sudo ufw allow from 172.16.0.0/12 to any port 8546`
 - `sudo ufw allow from 192.168.0.0/16 to any port 8546`
-- `sudo ufw allow from 10.0.0.0/8 to any port 8546`
 - `sudo ufw deny 8546`
 
+The rules above are a little overly broad for simplicity, to cover all default Docker subnets. You can restrict this
+to the actual defaults by adding more specific rules. For the Docker default subnets, see the section about
+`after.rules`.
+
 > With ISP traffic caps, it could be quite attractive to run the execution client in a small VPS, and reference it from a consensus client somewhere
 > else. This requires a [secure proxy](../Usage/ReverseProxy.md).
 

website/i18n/de/docusaurus-plugin-content-docs/current/Support/HelpfulWebsites.md

@@ -1,6 +1,6 @@
 ---
 title: Helpful Websites
-sidebar_position: 13
+sidebar_position: 12
 sidebar_label: Helpful Websites
 ---