├── README.md
├── kiln.md
├── kintsugi.md
├── nut-multi-system.md
├── prune_geth.md
├── prysm-medalla.md
├── v1
    ├── README.md
    ├── merge_updates.md
    ├── mev-boost.md
    └── setup.md
└── v2
    ├── README.md
    ├── mev-boost.md
    └── setup.md


/README.md:
--------------------------------------------------------------------------------
# Setup an Ethereum Mainnet Staking System with Prysm/Geth on Ubuntu

These pages contain instructions for setting up an Ethereum mainnet staking system on Ubuntu. These instructions have been tested on Intel NUC systems with 2TB SSD and 32GB RAM, but the instructions should apply equally to most AMD64 architecture systems running Ubuntu.

If you are setting up a new system for staking, I recommend you begin with my [v2 instructions](v2/). If you set up your system on or before July 19, 2022, you may be looking for information about my [v1 instructions](v1/).

## Current Setup and Maintenance Instructions

- [Setup an Ethereum Mainnet Staking System on Ubuntu](v2/setup.md) - v2 of my setup instructions to install and configure an Ethereum mainnet staking system using Prysm and Geth.
- [Prune Geth](prune_geth.md) - How to prune Geth to reduce disk usage.
- [MEV-Boost: Mainnet](v2/mev-boost.md) - How to set up MEV-Boost for mainnet for v2 installations.

## Setup and Maintenance for Prior Versions

### v1 Installations

- [Setup an Ethereum Mainnet Staking System on Ubuntu](v1/setup.md) - v1 of my setup instructions to install and configure an Ethereum mainnet staking system using Prysm and Geth.
- [Merge Updates for v1 Installations](v1/merge_updates.md) - Prepare your v1 Prysm/Geth installation for the merge.
- [Prune Geth](prune_geth.md) - How to prune Geth to reduce disk usage.
- [MEV-Boost: Mainnet](v1/mev-boost.md) - How to set up MEV-Boost for mainnet for v1 installations.

## Which Version Do You Have?

The easiest way to tell which version of my instructions you used is to look at the systemd service files for Prysm.

```console
ls -l /etc/systemd/system/*beacon*.service
```

If this command returns a file named `beacon-chain.service`, then you installed with [v1](v1/) of my instructions. If this command returns a file named `prysm-beacon.service`, then you installed with [v2](v2/) of my instructions.

--------------------------------------------------------------------------------
/kiln.md:
--------------------------------------------------------------------------------
# Setup a Merge Kiln Testnet Validator System on Ubuntu

This document contains instructions for setting up an Ethereum Kiln merge testnet staking system using Prysm and geth.

These instructions have been adapted from the instructions available at https://hackmd.io/dFzKxB3ISWO8juUqPpJFfw for the Kintsugi testnet, and have been updated based on Kiln-specific configurations. I have added enough details so that I can start from a base Ubuntu Server installation and get all the way through setting up monitoring. The monitoring portion is optional, is not fully functional under Kiln and does not presently include details for monitoring geth. These instructions are also not intended for a production system. I have kept the folder structure in line with the instructions in the link above, which may provide an easier upgrade to future merge testnets. In a final production version, the executables and data would not be in my user directories.

These instructions were developed to configure an Ethereum Kiln merge testnet staking system using Ubuntu 20.04 LTS Server on an Intel NUC 10i5FNK with 2TB SSD and 32GB RAM. I have added a few additional packages that I believe should cover Ubuntu Desktop as well.

Setup includes installation and configuration of the following services, including setting up systemd to automatically run services, where applicable:

- Prysm Beacon Chain
- Prysm Validator
- geth
- Prometheus
- Grafana
- node_exporter
- blackbox_exporter
- json_exporter

Steps to install and configure all software have been copied from or inspired by a number of additional sources, which are cited at the end of this file.

These instructions assume you are starting from first login on a clean Ubuntu 20.04 LTS installation, and were last tested on March 12, 2022.

## Prerequisites

### BIOS Update

If you have not updated the BIOS on your system, find and follow the manufacturer instructions for updating the BIOS. An updated BIOS may improve system performance or repair issues with your system. Instructions will vary depending on the hardware you are using, but the following links should direct Intel NUC users to appropriate instructions.

- [2018 and earlier NUC BIOS Update Instructions](https://www.intel.com/content/www/us/en/support/articles/000005636/intel-nuc.html)
- [2019 and later NUC BIOS Update Instructions](https://www.intel.com/content/www/us/en/support/articles/000033291/intel-nuc.html)

### Configure Behavior After Power Failure

After a power failure, you may want your staking system to automatically restart and resume staking. Unfortunately, this is not the default behavior of many systems. Please check your system documentation to determine how to change this behavior in the system BIOS. For an Intel NUC, please check the following instructions.

- [Can Intel NUC Mini PCs turn on automatically as soon as a power source is connected?](https://www.intel.com/content/www/us/en/support/articles/000054773/intel-nuc.html)

### Software Update

After an initial install, it is a good idea to update everything to the latest versions.

```console
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo apt-get autoremove
sudo reboot
```

### Set Time Zone

Run the following command to see the list of time zones, then copy the appropriate time zone to your clipboard.

```console
timedatectl list-timezones
```

Run the following command, replacing `<timezone>` with the time zone you have copied onto your clipboard.

```console
sudo timedatectl set-timezone <timezone>
```

### Install Prerequisites

- net-tools - Used to determine the network device for bandwidth reporting.
- make - Used to build geth
- gcc - Compiling software
- g++ - Compiling software
- curl - Ubuntu Desktop may not include this by default
- git - Ubuntu Desktop may not include this by default
- jq - Used for JSON parsing in deposit script

```console
sudo apt-get install net-tools make gcc g++ curl git jq
```

### Install golang

Install golang v1.17 and create a link to the executable at /usr/bin/go.

```console
cd
wget https://go.dev/dl/go1.17.8.linux-amd64.tar.gz
cd /usr/local/bin
sudo tar xzvf ~/go1.17.8.linux-amd64.tar.gz
# The tarball unpacks to /usr/local/bin/go; its executables are in go/bin.
echo "export PATH=\$PATH:/usr/local/bin/go/bin" >> ~/.profile
source ~/.profile
sudo ln -s /usr/local/bin/go/bin/go /usr/bin/go
```

### Install bazelisk

```
cd
go install github.com/bazelbuild/bazelisk@latest
echo "export PATH=\$PATH:\$(go env GOPATH)/bin" >> ~/.profile
source ~/.profile
```

### Download Kiln Package

```
cd
git clone https://github.com/eth-clients/merge-testnets.git
```

## geth

A geth full node is required to provide access to deposits made to the deposit contract. It could take some time for geth to sync, so start this process immediately.

### Install geth

```console
cd ~/merge-testnets/kiln/
git clone -b merge-kiln-v2 https://github.com/MariusVanDerWijden/go-ethereum.git
cd go-ethereum
make geth
```

### Set Up systemd Service File

This sets up geth to automatically run on start.

```console
sudo nano /etc/systemd/system/geth.service
```

Copy and paste the following text into the geth.service file.

**Replace `<username>` with your system username/login.**

```
[Unit]
Description=Go Ethereum Client
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=5
User=<username>
WorkingDirectory=/home/<username>/merge-testnets/kiln/
ExecStart=/home/<username>/merge-testnets/kiln/go-ethereum/build/bin/geth --datadir /home/<username>/merge-testnets/kiln/datadir-prysm --networkid=1337802 --http --http.api engine,net,eth --ws --ws.api net,eth,engine --bootnodes enode://c354db99124f0faf677ff0e75c3cbbd568b2febc186af664e0c51ac435609badedc67a18a63adb64dacc1780a28dcefebfc29b83fd1a3f4aa3c0eb161364cf94@164.92.130.5:30303

[Install]
WantedBy=multi-user.target
```

### Initialize Genesis State

```
~/merge-testnets/kiln/go-ethereum/build/bin/geth --datadir ~/merge-testnets/kiln/datadir-prysm init ~/merge-testnets/kiln/genesis.json
```

### Start geth

Start and enable the geth service.

```console
sudo systemctl daemon-reload
sudo systemctl start geth
sudo systemctl enable geth
```

You can check the geth logs with the following command.

```console
sudo journalctl -u geth -f
```

## Prysm

### Build Prysm

```console
cd ~/merge-testnets/kiln
git clone -b kiln https://github.com/prysmaticlabs/prysm.git
cd prysm
git checkout 293b9761efe6edf4a57369e38aabb4f3dddca469
bazelisk build //beacon-chain:beacon-chain
bazelisk build //validator:validator
```

### Set Up systemd Service File

This sets up prysm.sh to automatically run on start. This file is slightly different than the version under the Building Prysm section.

#### Beacon Chain

```console
sudo nano /etc/systemd/system/beacon-chain.service
```

Copy and paste the following text into the beacon-chain.service file.

**Replace `<username>` with your system username/login.**

```
[Unit]
Description=Prysm Ethereum Beacon Chain
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=5
User=<username>
WorkingDirectory=/home/<username>/merge-testnets/kiln/prysm
ExecStart=/home/<username>/go/bin/bazelisk run //beacon-chain -- --genesis-state /home/<username>/merge-testnets/kiln/genesis.ssz --datadir /home/<username>/merge-testnets/kiln/datadir-prysm --http-web3provider=http://127.0.0.1:8545 --execution-provider=http://127.0.0.1:8545 --chain-config-file=/home/<username>/merge-testnets/kiln/config.yaml --accept-terms-of-use

[Install]
WantedBy=multi-user.target
Alias=beacon
```

#### Validator

```console
sudo nano /etc/systemd/system/validator.service
```

Copy and paste the following text into the validator.service file.

**Replace `<username>` with your system username/login.**

```
[Unit]
Description=Prysm Ethereum Validator
Wants=beacon-chain.service
After=beacon-chain.service
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=5
User=<username>
WorkingDirectory=/home/<username>/merge-testnets/kiln/prysm
ExecStart=/home/<username>/go/bin/bazelisk run validator -- --accept-terms-of-use --wallet-password-file /home/<username>/merge-testnets/kiln/datadir-prysm/password.txt --wallet-dir /home/<username>/merge-testnets/kiln/datadir-prysm/prysm-wallet-v2

[Install]
WantedBy=multi-user.target
```

### Setup MetaMask

Connect MetaMask to the Kiln network by going to https://kiln.themerge.dev/ and clicking on the "Add to MetaMask" button.
If necessary, create a new account in MetaMask in which the deposit funds will be stored. Request Kiln ETH from the [Kiln faucet](https://faucet.kiln.themerge.dev/).

### Make Validator Deposits and Install Keys

#### Install eth2-val-tools

```
cd
git clone https://github.com/protolambda/eth2-val-tools
cd eth2-val-tools
go install .
```

#### Install ethereal

```console
cd
go install github.com/wealdtech/ethereal/v2@latest
```

#### Generate Mnemonics

Create the secrets.env file.

```
touch ~/merge-testnets/kiln/secrets.env
chmod 600 ~/merge-testnets/kiln/secrets.env
nano ~/merge-testnets/kiln/secrets.env
```

Copy and paste the following text into the secrets.env file.

```
# sets the deposit amount to use
DEPOSIT_AMOUNT=32000000000
# sets the genesis fork version of the testnet
FORK_VERSION="0x60000069"
# sets the mnemonic to derive the keys from
VALIDATORS_MNEMONIC=""
# sets the mnemonic for withdrawal credentials
WITHDRAWALS_MNEMONIC=""
# temporary location to store the deposit data
DEPOSIT_DATAS_FILE_LOCATION="/tmp/deposit_data.txt"
# sets the deposit contract address
DEPOSIT_CONTRACT_ADDRESS="0x4242424242424242424242424242424242424242"
# sets the eth1 address from which the transaction will be made
ETH1_FROM_ADDR=""
# sets the eth1 private key used to sign the transaction
ETH1_FROM_PRIV=""
# forces the deposit since the deposit contract will not be recognized by the tool
FORCE_DEPOSIT=true
# sets an RPC endpoint to submit the transaction to
ETH1_RPC=https://rpc.kiln.themerge.dev
```

Generate pass phrases to secure your validator keys and your withdrawal keys.
The command to generate a pass phrase will be run once for the validator keys and once for the withdrawal keys. Save both pass phrases in the secrets.env file, and save copies in a secure offline location as well.

```console
eth2-val-tools mnemonic
```

Insert the generated validator pass phrase in between the quotes on the VALIDATORS_MNEMONIC line. Insert the generated withdrawal pass phrase in between the quotes on the WITHDRAWALS_MNEMONIC line. Save and close the file.

#### Create Prysm Wallet Password

Create a unique password and store it in the password.txt file. Have this password available when generating the Prysm keys.

```console
touch ~/merge-testnets/kiln/datadir-prysm/password.txt
chmod 600 ~/merge-testnets/kiln/datadir-prysm/password.txt
nano ~/merge-testnets/kiln/datadir-prysm/password.txt
```

#### Add MetaMask Account Details

Add MetaMask account details to the secrets.env file so that the deposit script can transfer funds.

In MetaMask, go to the account with the Kiln ETH and copy the account address into the ETH1_FROM_ADDR line in the secrets.env file. The address must begin with "0x".

Copy the private key for this account into the ETH1_FROM_PRIV line in the secrets.env file. The private key can be found in MetaMask by going to the account, clicking on the three dots button, clicking on Account Details, and then clicking on Export Private Key. The private key must begin with "0x". If the private key does not begin with "0x", simply add "0x" to the beginning of the private key.

#### Deposit Kiln ETH

```
cd ~/merge-testnets/kiln
nano devnet_deposits.sh
```

Insert the following text into the devnet_deposits.sh file. Then save and close the file.

```bash
#!/bin/bash

echo "USE AT YOUR OWN RISK"
read -p "Are you sure you've double checked the values and want to make this deposit? " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
    [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
fi

# Load the mnemonics, addresses and endpoints defined in secrets.env
source secrets.env

if [[ -z "${ETH1_FROM_ADDR}" ]]; then
  echo "need ETH1_FROM_ADDR environment var"
  exit 1 || return 1
fi
if [[ -z "${ETH1_FROM_PRIV}" ]]; then
  echo "need ETH1_FROM_PRIV environment var"
  exit 1 || return 1
fi
# --value below reads DEPOSIT_ACTUAL_VALUE, so stop if secrets.env does not set it
if [[ -z "${DEPOSIT_ACTUAL_VALUE}" ]]; then
  echo "need DEPOSIT_ACTUAL_VALUE environment var"
  exit 1 || return 1
fi


# Derive the deposit data for validator index 0 from the two mnemonics
eth2-val-tools deposit-data \
  --source-min=0 \
  --source-max=1 \
  --amount=$DEPOSIT_AMOUNT \
  --fork-version=$FORK_VERSION \
  --withdrawals-mnemonic="$WITHDRAWALS_MNEMONIC" \
  --validators-mnemonic="$VALIDATORS_MNEMONIC" > "$DEPOSIT_DATAS_FILE_LOCATION"


# Iterate through lines, each is a json of the deposit data and some metadata
while read -r x; do
   account_name="$(echo "$x" | jq '.account')"
   pubkey="$(echo "$x" | jq '.pubkey')"
   echo "Sending deposit for validator $account_name $pubkey"
   ethereal beacon deposit \
      --allow-unknown-contract=$FORCE_DEPOSIT \
      --address="$DEPOSIT_CONTRACT_ADDRESS" \
      --connection=$ETH1_RPC \
      --data="$x" \
      --value="$DEPOSIT_ACTUAL_VALUE" \
      --from="$ETH1_FROM_ADDR" \
      --privatekey="$ETH1_FROM_PRIV"
   echo "Sent deposit for validator $account_name $pubkey"
   sleep 3
done < "$DEPOSIT_DATAS_FILE_LOCATION"
```

Reset permissions on the script so that it is executable.

```console
chmod +x devnet_deposits.sh
```

Assuming you have sufficient Kiln ETH in your MetaMask account, run the deposit script.

```console
./devnet_deposits.sh
```

### Generate Prysm Keys

Use the validator mnemonic/pass phrase to generate Prysm keys.

- When asked for your pass phrase, enter the validator pass phrase generated earlier and entered into the secrets.env file.
- When asked for the directory into which the keys should be stored, enter `~/merge-testnets/kiln/datadir-prysm/prysm-wallet-v2`.
- When asked for the wallet password, enter the same password you added to the file at `~/merge-testnets/kiln/datadir-prysm/password.txt`.

```console
cd ~/merge-testnets/kiln/prysm/
bazelisk run validator wallet recover
```

### Start Beacon Chain and Validator

Start and enable the beacon chain and validator services.

```console
sudo systemctl daemon-reload
sudo systemctl start beacon-chain validator
sudo systemctl enable beacon-chain validator
```

You can check the beacon chain and validator logs with the following commands.

```console
sudo journalctl -u beacon-chain -f
sudo journalctl -u validator -f
```

## Monitoring

The following will set up prometheus for collecting data, grafana for displaying dashboards, node_exporter for providing system data to prometheus, and blackbox_exporter for providing ping data to prometheus.

node_exporter and blackbox_exporter are optional, though some charts on the dashboard provided may need to be removed if those tools are not used. The prometheus configuration file may also need to be updated.

### Prometheus

#### Create User Account

```console
sudo adduser --system prometheus --group --no-create-home
```

#### Install Prometheus

Find the URL to the latest amd64 version of Prometheus at https://prometheus.io/download/. In the commands below, replace any references to the version 2.23.0 with the latest version available.

```console
cd
wget https://github.com/prometheus/prometheus/releases/download/v2.32.1/prometheus-2.32.1.linux-amd64.tar.gz
tar xzvf prometheus-2.32.1.linux-amd64.tar.gz
cd prometheus-2.32.1.linux-amd64
sudo cp promtool /usr/local/bin/
sudo cp prometheus /usr/local/bin/
sudo chown root:root /usr/local/bin/promtool /usr/local/bin/prometheus
sudo chmod 755 /usr/local/bin/promtool /usr/local/bin/prometheus
cd
rm prometheus-2.32.1.linux-amd64.tar.gz
```

#### Configure Prometheus

```console
sudo mkdir -p /etc/prometheus/console_libraries /etc/prometheus/consoles /etc/prometheus/files_sd /etc/prometheus/rules /etc/prometheus/rules.d
```

Copy and paste the following text into the prometheus.yml configuration file:

```console
sudo nano /etc/prometheus/prometheus.yml
```

```
global:
  scrape_interval: 15s

scrape_configs:
  - job_name: 'prometheus'
    scrape_interval: 5s
    static_configs:
      - targets: ['127.0.0.1:9090']
  - job_name: 'beacon node'
    scrape_interval: 5s
    static_configs:
      - targets: ['127.0.0.1:8080']
  - job_name: 'node_exporter'
    scrape_interval: 5s
    static_configs:
      - targets: ['127.0.0.1:9100']
  - job_name: 'validator'
    scrape_interval: 5s
    static_configs:
      - targets: ['127.0.0.1:8081']
  - job_name: 'ping_google'
    metrics_path: /probe
    params:
      module: [icmp]
    static_configs:
      - targets:
        - 8.8.8.8
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9115  # The blackbox exporter's real hostname:port.
  - job_name: 'ping_cloudflare'
    metrics_path: /probe
    params:
      module: [icmp]
    static_configs:
      - targets:
        - 1.1.1.1
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9115  # The blackbox exporter's real hostname:port.
  - job_name: json_exporter
    static_configs:
      - targets:
        - 127.0.0.1:7979
  - job_name: json
    metrics_path: /probe
    static_configs:
      - targets:
        - https://api.coingecko.com/api/v3/simple/price?ids=ethereum&vs_currencies=usd
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:7979
```

Change the ownership of the prometheus directory.

```console
sudo chown -R prometheus:prometheus /etc/prometheus
```

#### Data Directory

```console
sudo mkdir /var/lib/prometheus
sudo chown prometheus:prometheus /var/lib/prometheus
sudo chmod 755 /var/lib/prometheus
```

#### Set Up systemd Service

```console
sudo nano /etc/systemd/system/prometheus.service
```

Copy and paste the following text into the prometheus.service file.

```
[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

[Service]
User=prometheus
Group=prometheus
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/prometheus \
    --config.file /etc/prometheus/prometheus.yml \
    --storage.tsdb.path /var/lib/prometheus/ \
    --storage.tsdb.retention.time=31d \
    --web.console.templates=/etc/prometheus/consoles \
    --web.console.libraries=/etc/prometheus/console_libraries

[Install]
WantedBy=multi-user.target
```

```console
sudo systemctl daemon-reload
sudo systemctl start prometheus.service
sudo systemctl enable prometheus.service
```

### Grafana

```console
cd
sudo apt-get install -y apt-transport-https
sudo apt-get install -y software-properties-common wget
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main"
sudo apt-get update
sudo apt-get install grafana
```

#### Setup systemd

**Optional:** Edit the `grafana-server.service` file to add "grafana" as an alias to grafana server. I generally forget that the default name for this service is `grafana-server`.

```
sudo nano /lib/systemd/system/grafana-server.service
```

At the end of this file, in the `[Install]` section, add the following line:

```
Alias=grafana.service
```

Start the service.

```console
sudo systemctl daemon-reload
sudo systemctl start grafana-server
sudo systemctl enable grafana-server
```

Log in to Grafana at http://XXX.XXX.XXX.XXX:3000/, replacing `XXX.XXX.XXX.XXX` with the IP address of your server. If you do not know the IP address, run `ifconfig`.

The default username is `admin` and the default password is `admin`. Grafana will ask you to set a new password.

#### Setup Prometheus Data Source

1. On the left-hand menu, hover over the gear menu and click on Data Sources.
2. Then click on the Add Data Source button.
3. Hover over the Prometheus card on screen, then click on the Select button.
4. Enter `http://127.0.0.1:9090/` into the URL field, then click Save & Test.

#### Install Grafana Dashboard

1. Hover over the plus symbol icon in the left-hand menu, then click on Import.
2. Copy and paste the dashboard at [https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source-beacon_node.json](https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source-beacon_node.json) into the "Import via panel json" text box on the screen. If you used an older version of these instructions, where the Prometheus configuration file uses the beacon node job name of "beacon" instead of "beacon node", please [use this dashboard](https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source.json) instead for backwards compatibility.
3. Then click the Load button.
4. Then click the Import button.

Note: At this point in the process, any widgets showing details from the validator will show "N/A", because the validator still has no keys configured. As soon as keys are configured for the validator, the validator details should begin to show up.

#### Final Grafana Dashboard Configuration

A few of the queries driving the Grafana dashboard may need different settings, depending on your hardware.

##### Network Traffic Configuration

To ensure that network traffic is correctly reflected on your Grafana dashboard, update the network interface in the Network Traffic widget. Run the following command to find your Linux network device.

```console
ifconfig
```

Output of the command should look like the following:

```
eno1: flags=4163 mtu 1500
        inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 fe80::1e69:7aff:fe63:14b0 prefixlen 64 scopeid 0x20
        ether 1c:69:7a:63:14:b0 txqueuelen 1000 (Ethernet)
        RX packets 238936 bytes 78487335 (78.4 MB)
        RX errors 0 dropped 1819 overruns 0 frame 0
        TX packets 257824 bytes 112513038 (112.5 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 16 memory 0x96300000-96320000

lo: flags=73 mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10
        loop txqueuelen 1000 (Local Loopback)
        RX packets 39805 bytes 29126770 (29.1 MB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 39805 bytes 29126770 (29.1 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

Of the two entries shown above, the first lists my IP address on the second line, network interface `eno1`. Find the entry that represents the network connection you want to monitor and copy the device name, which is the part before the colon on the first line of each entry. In my case the value is `eno1`.

1. Go to the Grafana dashboard previously installed.
2. Find the Network Traffic widget, and open the drop down that can be found by the Network Traffic title.
3. Click Edit.
4. There will be four references to `eno1` in the queries that appear. Replace all four with the name of the network interface you found in the `ifconfig` command.

### node_exporter

#### Create User Account

```console
sudo adduser --system node_exporter --group --no-create-home
```

#### Install node_exporter

```console
cd
wget https://github.com/prometheus/node_exporter/releases/download/v1.3.1/node_exporter-1.3.1.linux-amd64.tar.gz
tar xzvf node_exporter-1.3.1.linux-amd64.tar.gz
sudo cp node_exporter-1.3.1.linux-amd64/node_exporter /usr/local/bin/
sudo chown node_exporter:node_exporter /usr/local/bin/node_exporter
rm node_exporter-1.3.1.linux-amd64.tar.gz
```

#### Set Up System Service

```console
sudo nano /etc/systemd/system/node_exporter.service
```

Copy and paste the following text into the node_exporter.service file.

```
[Unit]
Description=Node Exporter

[Service]
Type=simple
Restart=always
RestartSec=5
User=node_exporter
ExecStart=/usr/local/bin/node_exporter

[Install]
WantedBy=multi-user.target
```

```console
sudo systemctl daemon-reload
sudo systemctl start node_exporter.service
sudo systemctl enable node_exporter.service
```

### json_exporter

#### Create User Account

```console
sudo adduser --system json_exporter --group --no-create-home
```

#### Install json_exporter

```console
cd
git clone https://github.com/prometheus-community/json_exporter.git
cd json_exporter
make build
sudo cp json_exporter /usr/local/bin/
sudo chown json_exporter:json_exporter /usr/local/bin/json_exporter
```

#### Configure json_exporter

```console
sudo mkdir /etc/json_exporter
sudo chown json_exporter:json_exporter /etc/json_exporter
```

```console
sudo nano /etc/json_exporter/json_exporter.yml
```

Copy and paste the following text into the json_exporter.yml file.

```
metrics:
- name: ethusd
  path: "{.ethereum.usd}"
  help: Ethereum (ETH) price in USD
```

Change ownership of the configuration file to the json_exporter account.

```console
sudo chown json_exporter:json_exporter /etc/json_exporter/json_exporter.yml
```

#### Set Up System Service

```console
sudo nano /etc/systemd/system/json_exporter.service
```

Copy and paste the following text into the json_exporter.service file.

```
[Unit]
Description=JSON Exporter

[Service]
Type=simple
Restart=always
RestartSec=5
User=json_exporter
ExecStart=/usr/local/bin/json_exporter --config.file /etc/json_exporter/json_exporter.yml

[Install]
WantedBy=multi-user.target
```

```console
sudo systemctl daemon-reload
sudo systemctl start json_exporter.service
sudo systemctl enable json_exporter.service
```


## Optional

### Install ntpd

For now, I prefer to use ntpd over the default systemd-timesyncd for syncing my system clock to an official time source.

From [this](https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04) tutorial on setting up time syncing on Ubuntu.

> Though timesyncd is fine for most purposes, some applications that
> are very sensitive to even the slightest perturbations in time may be
> better served by ntpd, as it uses more sophisticated techniques to
> constantly and gradually keep the system time on track.

```console
sudo apt-get install ntp
```

Update the NTP pool time server configuration to those that are geographically close to you.
See [http://support.ntp.org/bin/view/Servers/NTPPoolServers](http://support.ntp.org/bin/view/Servers/NTPPoolServers) to find servers near you. 831 | 832 | ```console 833 | sudo nano /etc/ntp.conf 834 | ``` 835 | 836 | Look for lines that begin with `server` and replace the current values with the values you identified from ntp.org. 837 | 838 | Restart ntp. This will automatically shut down systemd-timesyncd, the default Ubuntu time syncing solution. 839 | 840 | ```console 841 | sudo systemctl restart ntp 842 | ``` 843 | 844 | ### blackbox_exporter 845 | 846 | I have used blackbox_exporter to provide [ping](https://en.wikipedia.org/wiki/Ping_(networking_utility)) time data between my staking system and two DNS providers. Data is sent to Prometheus and on to Grafana. I have not found a practical use for this yet, though I have seen some interesting short-term shifts in ping times to Google. Therefore, blackbox_exporter is optional. 847 | 848 | The Grafana dashboard in these instructions includes a panel with a ping time graph. If you choose not to install blackbox_exporter, simply remove that panel from your Grafana dashboard. It will not show data. 849 | 850 | #### Create User Account 851 | 852 | ```console 853 | sudo adduser --system blackbox_exporter --group --no-create-home 854 | ``` 855 | 856 | #### Install blackbox_exporter 857 | 858 | ```console 859 | cd 860 | wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.19.0/blackbox_exporter-0.19.0.linux-amd64.tar.gz 861 | tar xvzf blackbox_exporter-0.19.0.linux-amd64.tar.gz 862 | sudo cp blackbox_exporter-0.19.0.linux-amd64/blackbox_exporter /usr/local/bin/ 863 | sudo chown blackbox_exporter:blackbox_exporter /usr/local/bin/blackbox_exporter 864 | sudo chmod 755 /usr/local/bin/blackbox_exporter 865 | ``` 866 | 867 | Allow blackbox_exporter to ping servers. 
868 | 869 | ```console 870 | sudo setcap cap_net_raw+ep /usr/local/bin/blackbox_exporter 871 | ``` 872 | 873 | ```console 874 | rm blackbox_exporter-0.19.0.linux-amd64.tar.gz 875 | ``` 876 | 877 | #### Configure blackbox_exporter 878 | 879 | ```console 880 | sudo mkdir /etc/blackbox_exporter 881 | sudo chown blackbox_exporter:blackbox_exporter /etc/blackbox_exporter 882 | ``` 883 | 884 | ```console 885 | sudo nano /etc/blackbox_exporter/blackbox.yml 886 | ``` 887 | 888 | Copy and paste the following text into the blackbox.yml file. 889 | 890 | ``` 891 | modules: 892 | icmp: 893 | prober: icmp 894 | timeout: 10s 895 | icmp: 896 | preferred_ip_protocol: ipv4 897 | ``` 898 | 899 | Change ownership of the configuration file to the blackbox_exporter account. 900 | 901 | ```console 902 | sudo chown blackbox_exporter:blackbox_exporter /etc/blackbox_exporter/blackbox.yml 903 | ``` 904 | 905 | #### Set Up System Service 906 | 907 | `sudo nano /etc/systemd/system/blackbox_exporter.service` 908 | 909 | Copy and paste the following text into the blackbox_exporter.service file. 910 | 911 | ``` 912 | [Unit] 913 | Description=Blackbox Exporter 914 | 915 | [Service] 916 | Type=simple 917 | Restart=always 918 | RestartSec=5 919 | User=blackbox_exporter 920 | ExecStart=/usr/local/bin/blackbox_exporter --config.file /etc/blackbox_exporter/blackbox.yml 921 | 922 | [Install] 923 | WantedBy=multi-user.target 924 | ``` 925 | 926 | ```console 927 | sudo systemctl daemon-reload 928 | sudo systemctl start blackbox_exporter.service 929 | sudo systemctl enable blackbox_exporter.service 930 | ``` 931 | 932 | ## Router Configuration 933 | 934 | You may need to configure your router to forward the following ports to your staking system. See your router documentation for details. 
935 | 936 | Prysm Beacon Chain: 12000/udp 937 | Prysm Beacon Chain: 13000/tcp 938 | geth: 30303/udp 939 | geth: 30303/tcp 940 | 941 | 942 | ## Security 943 | 944 | ### SSH 945 | 946 | The following changes can be made to increase the security of SSH, but are not required. 947 | 948 | ```console 949 | sudo nano /etc/ssh/sshd_config 950 | ``` 951 | 952 | Add the following lines, but replacing with your login. You are not logging in to ssh with root, right? If you are, you probably don't want to add the `AllowUsers` and `PermitRootLogin` lines below. 953 | 954 | ``` 955 | AllowUsers 956 | PermitEmptyPasswords no 957 | PermitRootLogin no 958 | Protocol 2 959 | ``` 960 | 961 | **Optional:** I prefer to change the default SSH port to a non-standard port. Do not forget what you change this to. Find the following line, uncomment it by removing the "#", and replace "22" with your preferred port. 962 | 963 | ``` 964 | #Port 22 965 | ``` 966 | 967 | ```console 968 | sudo reboot 969 | ``` 970 | 971 | ### Firewall 972 | 973 | If your staking system is behind a router with a firewall, you may not want to add another level of firewall to your network security. This section may be skipped. 974 | 975 | The following commands set up the minimal firewall rules necessary to run the Prysm beacon-chain and geth. 976 | 977 | ```console 978 | # beacon chain 979 | sudo ufw allow 12000/udp 980 | sudo ufw allow 13000/tcp 981 | 982 | # geth 983 | sudo ufw allow 30303/tcp 984 | sudo ufw allow 30303/udp 985 | 986 | # grafana 987 | sudo ufw allow 3000/tcp 988 | ``` 989 | 990 | Run the following command to set up firewall rules for SSH. If you changed your default SSH port above, change the `22` in this command to the port you are using. 991 | 992 | ```console 993 | # ssh 994 | sudo ufw allow 22/tcp 995 | ``` 996 | 997 | Set up default firewall rules and enable the firewall.
998 | 999 | ```console 1000 | # Defaults 1001 | sudo ufw default deny incoming 1002 | sudo ufw default allow outgoing 1003 | sudo ufw enable 1004 | ``` 1005 | 1006 | The following commands open up the remaining ports that are used by the software in this set of instructions. These ports are typically used only by other software internal to the staking system, and do not need to be opened on the firewall unless you would like direct access to some of the administrative/metrics pages, or if systems external to your staking system will be accessing services on your staking system. 1007 | 1008 | ```console 1009 | # beacon chain 1010 | # - This only needs to be enabled if external validators will be accessing this beacon chain. 1011 | sudo ufw allow 4000/tcp 1012 | 1013 | # node_exporter 1014 | # - This only needs to be enabled if you want to access node_exporter stats directly. 1015 | sudo ufw allow 9100/tcp 1016 | 1017 | # geth 1018 | # - This only needs to be enabled if external beacon chains will be accessing this geth full node. 1019 | sudo ufw allow 8545/tcp 1020 | 1021 | # beacon-chain metrics 1022 | # - This only needs to be enabled if you want to access beacon-chain stats directly. 1023 | sudo ufw allow 8080/tcp 1024 | 1025 | # blackbox_exporter 1026 | # - This only needs to be enabled if you want to access blackbox_exporter stats directly. 1027 | sudo ufw allow 9115/tcp 1028 | 1029 | # prometheus 1030 | # - This only needs to be enabled if you want to access prometheus directly. 1031 | sudo ufw allow 9090/tcp 1032 | 1033 | # json_exporter 1034 | # - This only needs to be enabled if you want to access json_exporter stats directly. 1035 | sudo ufw allow 7979/tcp 1036 | ``` 1037 | 1038 | ## Common Commands 1039 | 1040 | The following are some common commands you may want to use while running this setup.
1041 | 1042 | ### Service Statuses 1043 | 1044 | To see the status of system services: 1045 | 1046 | ```console 1047 | sudo systemctl status beacon-chain 1048 | sudo systemctl status validator 1049 | sudo systemctl status geth 1050 | sudo systemctl status prometheus 1051 | sudo systemctl status grafana-server 1052 | sudo systemctl status node_exporter 1053 | sudo systemctl status blackbox_exporter 1054 | sudo systemctl status json_exporter 1055 | ``` 1056 | 1057 | Or, to see the status of all at once: 1058 | 1059 | ```console 1060 | sudo systemctl status beacon-chain validator geth prometheus grafana-server node_exporter blackbox_exporter json_exporter 1061 | ``` 1062 | 1063 | ### Service Logs 1064 | 1065 | To watch the logs in real time: 1066 | 1067 | ```console 1068 | sudo journalctl -u beacon-chain -f 1069 | sudo journalctl -u validator -f 1070 | sudo journalctl -u geth -f 1071 | sudo journalctl -u prometheus -f 1072 | sudo journalctl -u grafana-server -f 1073 | sudo journalctl -u node_exporter -f 1074 | sudo journalctl -u blackbox_exporter -f 1075 | sudo journalctl -u json_exporter -f 1076 | ``` 1077 | 1078 | ### Restarting Services 1079 | 1080 | To restart a service: 1081 | 1082 | ```console 1083 | sudo systemctl restart beacon-chain 1084 | sudo systemctl restart validator 1085 | sudo systemctl restart geth 1086 | sudo systemctl restart prometheus 1087 | sudo systemctl restart grafana-server 1088 | sudo systemctl restart node_exporter 1089 | sudo systemctl restart blackbox_exporter 1090 | sudo systemctl restart json_exporter 1091 | ``` 1092 | 1093 | ### Stopping Services 1094 | 1095 | Stopping a service is separate from disabling a service. Stopping a service stops the current execution of the server, but does not prohibit the service from starting again after a system reboot. If you intend for the service to stop running and to not restart after a reboot, you will want to stop and disable a service. 
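The paragraph above separates stopping a unit from disabling it. The script below, an added example that is not part of the original guide, turns that into a check to run before moving validator keys to another machine: a unit passes only when it is both inactive and disabled (or masked). Function names are hypothetical; the unit names are the ones this guide uses, and the states are those printed by `systemctl is-active` and `systemctl is-enabled`.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Checks that staking units are both stopped AND disabled, so a reboot cannot
# bring the validator back after its keys have moved to another machine.

# unit_verdict ACTIVE ENABLED
# ACTIVE is the output of `systemctl is-active`, ENABLED of `systemctl is-enabled`.
# Prints SAFE, NOT_STOPPED or NOT_DISABLED; returns 0 only for SAFE.
unit_verdict() {
    # Only "inactive" means stopped. "activating" includes the wait between
    # restarts of a Restart=always unit, so it counts as still running.
    if [ "$1" != "inactive" ]; then
        echo "NOT_STOPPED"
        return 1
    fi
    case "$2" in
        disabled|masked)
            echo "SAFE"
            return 0
            ;;
        *)
            # enabled, enabled-runtime, static, indirect, alias, unknown, and
            # masked-runtime (a runtime mask is gone after the next reboot).
            echo "NOT_DISABLED"
            return 1
            ;;
    esac
}

# host_verdict: reads "unit active enabled" lines on stdin, prints
# "unit verdict" per line, and returns 0 only if every unit is SAFE.
# A disabled unit can still be started by an enabled unit that names it in
# Wants=, so one unsafe unit makes the whole host unsafe.
host_verdict() {
    hv_rc=0
    while read -r hv_unit hv_active hv_enabled; do
        [ -n "$hv_unit" ] || continue
        hv_out=$(unit_verdict "$hv_active" "$hv_enabled") || hv_rc=1
        printf '%s %s\n' "$hv_unit" "$hv_out"
    done
    return "$hv_rc"
}

# collect_states UNIT...: ask systemd for the two states of each unit.
collect_states() {
    for cs_unit in "$@"; do
        cs_active=$(systemctl is-active "$cs_unit" 2>/dev/null) || true
        cs_enabled=$(systemctl is-enabled "$cs_unit" 2>/dev/null) || true
        printf '%s %s %s\n' "$cs_unit" "${cs_active:-unknown}" "${cs_enabled:-unknown}"
    done
}

# Usage on the staking host (unit names as created in this guide):
#   collect_states beacon-chain validator | host_verdict && echo "safe to migrate"
```
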
1096 | 1097 | To stop a service: 1098 | 1099 | ```console 1100 | sudo systemctl stop beacon-chain 1101 | sudo systemctl stop validator 1102 | sudo systemctl stop geth 1103 | sudo systemctl stop prometheus 1104 | sudo systemctl stop grafana-server 1105 | sudo systemctl stop node_exporter 1106 | sudo systemctl stop blackbox_exporter 1107 | sudo systemctl stop json_exporter 1108 | ``` 1109 | 1110 | **Important:** If you intend to stop the beacon chain and validator in order to run these services on a different system, stop the services using the instructions in this section, and disable these services following the instructions in the next section. You will be at risk of losing funds through slashing if you accidentally validate the same keys on two different systems, and failing to disable the services may result in your beacon chain and validator running again after a system reboot. 1111 | 1112 | ### Disabling Services 1113 | 1114 | To disable a service so that it no longer starts automatically after a reboot: 1115 | 1116 | ```console 1117 | sudo systemctl disable beacon-chain 1118 | sudo systemctl disable validator 1119 | sudo systemctl disable geth 1120 | sudo systemctl disable prometheus 1121 | sudo systemctl disable grafana-server 1122 | sudo systemctl disable node_exporter 1123 | sudo systemctl disable blackbox_exporter 1124 | sudo systemctl disable json_exporter 1125 | ``` 1126 | 1127 | ### Enabling Services 1128 | 1129 | To re-enable a service that has been disabled: 1130 | 1131 | ```console 1132 | sudo systemctl enable beacon-chain 1133 | sudo systemctl enable validator 1134 | sudo systemctl enable geth 1135 | sudo systemctl enable prometheus 1136 | sudo systemctl enable grafana-server 1137 | sudo systemctl enable node_exporter 1138 | sudo systemctl enable blackbox_exporter 1139 | sudo systemctl enable json_exporter 1140 | ``` 1141 | 1142 | ### Starting Services 1143 | 1144 | Re-enabling a service will not necessarily start the service as well. 
To start a service that is stopped: 1145 | 1146 | ```console 1147 | sudo systemctl start beacon-chain 1148 | sudo systemctl start validator 1149 | sudo systemctl start geth 1150 | sudo systemctl start prometheus 1151 | sudo systemctl start grafana-server 1152 | sudo systemctl start node_exporter 1153 | sudo systemctl start blackbox_exporter 1154 | sudo systemctl start json_exporter 1155 | ``` 1156 | 1157 | ### Upgrading Prysm 1158 | 1159 | Upgrading the Prysm beacon chain and validator clients is as easy as restarting the service when running the prysm.sh script as we are in these instructions. To upgrade to the latest release, simply restart the services. Use the commands above to check the log files of both the beacon chain and validator. If any important command line flags have changed, a notice should appear in the logs. Even better, read the release notes in advance of an upgrade. 1160 | 1161 | ```console 1162 | sudo systemctl restart beacon-chain 1163 | sudo systemctl restart validator 1164 | ``` 1165 | 1166 | ### Changing systemd Service Files 1167 | 1168 | If you edit any of the systemd service files in `/etc/systemd/system` or another location, run the following command prior to restarting the affected service: 1169 | 1170 | ```console 1171 | sudo systemctl daemon-reload 1172 | ``` 1173 | 1174 | Then restart the affected service: 1175 | 1176 | ```console 1177 | sudo systemctl restart SERVICE_NAME 1178 | ``` 1179 | 1180 | - Replace SERVICE_NAME with the name of the service for which the service file was updated. For example, `sudo systemctl restart beacon-chain`. 1181 | 1182 | ### Updating Prysm Options 1183 | 1184 | To update the configuration options of the beacon chain or validator, edit the Prysm configuration file located in the home directories for the services.
1185 | 1186 | ```console 1187 | sudo nano /home/validator/prysm-validator.yaml 1188 | sudo nano /home/beacon/prysm-beacon.yaml 1189 | ``` 1190 | 1191 | Then restart the services: 1192 | 1193 | ```console 1194 | sudo systemctl restart validator 1195 | sudo systemctl restart beacon-chain 1196 | ``` 1197 | 1198 | ## Future Updates 1199 | 1200 | There is at least one area where I may expand on my system configuration or instructions, but I have not pursued it yet. 1201 | 1202 | - SSH Key-Based Login 1203 | - This seems to be a good security move, but it also seems to be the perfect way to get me locked out of my own system. I have never set this up before, but may look into it. 1204 | 1205 | 1206 | ## Sources/Inspiration 1207 | 1208 | Prysm: [https://docs.prylabs.network/docs/getting-started/](https://docs.prylabs.network/docs/getting-started/) 1209 | 1210 | Go: [https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/golang-1.14-go_1.14.2-1ubuntu1_arm64.deb.html](https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/golang-1.14-go_1.14.2-1ubuntu1_arm64.deb.html) 1211 | 1212 | Timezone: [https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/](https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/) 1213 | 1214 | Account creation and systemd setup: [https://github.com/attestantio/ubuntu-server](https://github.com/attestantio/ubuntu-server) 1215 | 1216 | blackbox_exporter: [https://github.com/prometheus/blackbox_exporter](https://github.com/prometheus/blackbox_exporter) 1217 | 1218 | node_exporter: [https://github.com/prometheus/node_exporter](https://github.com/prometheus/node_exporter) 1219 | 1220 | Prometheus: [https://prometheus.io/docs/prometheus/latest/getting_started/](https://prometheus.io/docs/prometheus/latest/getting_started/) 1221 | 1222 | Grafana: [https://grafana.com/docs/grafana/latest/installation/debian/](https://grafana.com/docs/grafana/latest/installation/debian/) 1223 | 1224 | Dashboard:
[https://github.com/metanull-operator/eth2-grafana](https://github.com/metanull-operator/eth2-grafana) 1225 | 1226 | systemd: [https://www.freedesktop.org/software/systemd/man/systemd.unit.html](https://www.freedesktop.org/software/systemd/man/systemd.unit.html) 1227 | 1228 | geth: [https://geth.ethereum.org/docs/install-and-build/installing-geth](https://geth.ethereum.org/docs/install-and-build/installing-geth) 1229 | 1230 | sshd: [https://blog.devolutions.net/2017/04/10-steps-to-secure-open-ssh](https://blog.devolutions.net/2017/04/10-steps-to-secure-open-ssh) 1231 | 1232 | ufw: [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04) 1233 | 1234 | ufw: [https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands) 1235 | 1236 | ntpd: [https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04) 1237 | 1238 | Connecting to the Kintsugi Testnet: https://hackmd.io/dFzKxB3ISWO8juUqPpJFfw 1239 | 1240 | eth2-val-tools: https://github.com/protolambda/eth2-val-tools 1241 | 1242 | ethereal: https://github.com/wealdtech/ethereal/ 1243 | 1244 | Prysm Setup Instructions for Kiln: https://hackmd.io/@prysmaticlabs/B1Q2SluWq 1245 | -------------------------------------------------------------------------------- /kintsugi.md: -------------------------------------------------------------------------------- 1 | # Setup an Eth2 Mainnet Validator System on Ubuntu 2 | 3 | This document contains instructions for setting up an Ethereum Kintsugi merge testnet staking system using Prysm and geth. 
4 | 5 | These instructions have been adapted from the instructions available at https://hackmd.io/dFzKxB3ISWO8juUqPpJFfw. I have added enough details so that I can start from a base Ubuntu installation and get all the way through setting up monitoring. The monitoring portion is optional, is not fully functional under kintsugi and does not presently include details for monitoring geth. These instructions are also not intended for a production system. I have kept the folder structure in line with the instructions in the link above, which may provide an easier upgrade to future merge testnets. In a final production version, the executables and data would not be in my user directories. 6 | 7 | These instructions were developed to configure an Ethereum Kintsugi merge testnet staking system using Ubuntu 20.04 LTS on an Intel NUC 10i5FNK with 2TB SSD and 32GB RAM. 8 | 9 | Setup includes installation and configuration of the following services, including setting up systemd to automatically run services, where applicable: 10 | 11 | - Prysm Beacon Chain 12 | - Prysm Validator 13 | - geth 14 | - Prometheus 15 | - Grafana 16 | - node_exporter 17 | - blackbox_exporter 18 | - json_exporter 19 | 20 | Steps to install and configure all software have been copied from or inspired by a number of additional sources, which are cited at the end of this file. 21 | 22 | This process assumes starting from first login on a clean Ubuntu 20.04 LTS installation, and was last tested on January 21, 2022. 23 | 24 | ## Prerequisites 25 | 26 | ### BIOS Update 27 | 28 | If you have not updated the BIOS on your system, find and follow the manufacturer instructions for updating the BIOS. An updated BIOS may improve system performance or repair issues with your system. Instructions will vary depending on the hardware you are using, but the following links should direct Intel NUC users to appropriate instructions.
29 | 30 | - [2018 and earlier NUC BIOS Update Instructions](https://www.intel.com/content/www/us/en/support/articles/000005636/intel-nuc.html) 31 | - [2019 and later NUC BIOS Update Instructions](https://www.intel.com/content/www/us/en/support/articles/000033291/intel-nuc.html) 32 | 33 | ### Configure Behavior After Power Failure 34 | 35 | After a power failure, you may want your staking system to automatically restart and resume staking. Unfortunately, this is not the default behavior of many systems. Please check your system documentation to determine how to change this behavior in the system BIOS. For an Intel NUC, please check the following instructions. 36 | 37 | - [Can Intel NUC Mini PCs turn on automatically as soon as a power source is connected?](https://www.intel.com/content/www/us/en/support/articles/000054773/intel-nuc.html) 38 | 39 | ### Software Update 40 | 41 | After an initial install, it is a good idea to update everything to the latest versions. 42 | 43 | ```console 44 | sudo apt-get update 45 | sudo apt-get upgrade 46 | sudo apt-get dist-upgrade 47 | sudo apt-get autoremove 48 | sudo reboot 49 | ``` 50 | 51 | ### Set Time Zone 52 | 53 | Run the following command to see the list of time zones, then copy the appropriate time zone to your clipboard. 54 | 55 | ```console 56 | timedatectl list-timezones 57 | ``` 58 | 59 | Run the following command, replacing `` with the time zone you have copied onto your clipboard. 60 | 61 | ```console 62 | sudo timedatectl set-timezone 63 | ``` 64 | 65 | ### Install Prerequisites 66 | 67 | - net-tools - Used to determine the network device for bandwidth reporting. 68 | - make - Used to build geth 69 | 70 | ```console 71 | sudo apt-get install net-tools make gcc g++ 72 | ``` 73 | 74 | ### Install golang 75 | 76 | Install golang v1.17 and create a link to the executable at /usr/bin/go. 
77 | 78 | ```console 79 | cd 80 | wget https://go.dev/dl/go1.17.6.linux-amd64.tar.gz 81 | cd /usr/local/bin 82 | sudo tar xzvf ~/go1.17.6.linux-amd64.tar.gz 83 | echo "export PATH=\$PATH:/usr/local/bin/go" >> ~/.profile 84 | source ~/.profile 85 | sudo ln -s /usr/local/bin/go/bin/go /usr/bin/go 86 | ``` 87 | 88 | ### Install bazelisk 89 | 90 | ``` 91 | cd 92 | go install github.com/bazelbuild/bazelisk@latest 93 | echo "export PATH=\$PATH:\$(go env GOPATH)/bin" >> ~/.profile 94 | source ~/.profile 95 | ``` 96 | 97 | ### Download kintsugi Package 98 | 99 | ``` 100 | cd 101 | git clone https://github.com/eth-clients/merge-testnets.git 102 | ``` 103 | 104 | ## geth 105 | 106 | A geth full node is required to provide access to deposits made to the deposit contract. It could take some time for geth to sync, so start this process immediately. 107 | 108 | ### Install geth 109 | 110 | ```console 111 | cd ~/merge-testnets/kintsugi/ 112 | git clone -b merge-kintsugi https://github.com/MariusVanDerWijden/go-ethereum.git 113 | cd go-ethereum 114 | make geth 115 | ``` 116 | 117 | ### Set Up systemd Service File 118 | 119 | This sets up geth to automatically run on start. 120 | 121 | ```console 122 | sudo nano /etc/systemd/system/geth.service 123 | ``` 124 | 125 | Copy and paste the following text into the geth.service file. 
126 | 127 | **Replace with your system username/login.** 128 | 129 | ``` 130 | [Unit] 131 | Description=Go Ethereum Client 132 | StartLimitIntervalSec=0 133 | 134 | [Service] 135 | Type=simple 136 | Restart=always 137 | RestartSec=5 138 | User= 139 | WorkingDirectory=/home//merge-testnets/kintsugi/ 140 | ExecStart=/home//merge-testnets/kintsugi/go-ethereum/build/bin/geth --catalyst --datadir /home//merge-testnets/kintsugi/datadir-prysm --port 30188 --networkid=1337702 --http --http.api engine,net,eth --ws --ws.api net,eth,engine --bootnodes enode://57745805245c441b71a9f3b3e7d78f75dd576d36b236b9f64cf9a9cccdcb574ec1f64d69c05add598ef26e3d7f646534b4c9976ca53551f71ad579a472635086@165.232.185.207:30303 141 | 142 | [Install] 143 | WantedBy=multi-user.target 144 | ``` 145 | 146 | ### Initialize Genesis State 147 | 148 | ``` 149 | ~/merge-testnets/kintsugi/go-ethereum/build/bin/geth --datadir ~/merge-testnets/kintsugi/datadir-prysm --catalyst init ~/merge-testnets/kintsugi/genesis.json 150 | ``` 151 | 152 | ### Start geth 153 | 154 | Start and enable the geth service. 155 | 156 | ```console 157 | sudo systemctl daemon-reload 158 | sudo systemctl start geth 159 | sudo systemctl enable geth 160 | ``` 161 | 162 | ## Prysm 163 | 164 | ### Build Prysm 165 | 166 | ```console 167 | cd ~/merge-testnets/kintsugi 168 | git clone -b kintsugi https://github.com/prysmaticlabs/prysm.git 169 | cd prysm 170 | bazelisk build //beacon-chain:beacon-chain 171 | bazelisk build //validator:validator 172 | ``` 173 | 174 | ### Set Up systemd Service File 175 | 176 | This sets up prysm.sh to automatically run on start. This file is slightly different than the version under the Building Prysm section. 177 | 178 | #### Beacon Chain 179 | 180 | ```console 181 | sudo nano /etc/systemd/system/beacon-chain.service 182 | ``` 183 | 184 | Copy and paste the following text into the beacon-chain.service file.
185 | 186 | **Replace with your system username/login.** 187 | 188 | ``` 189 | [Unit] 190 | Description=Prysm Ethereum Beacon Chain 191 | After=network.target 192 | StartLimitIntervalSec=0 193 | 194 | [Service] 195 | Type=simple 196 | Restart=always 197 | RestartSec=5 198 | User= 199 | WorkingDirectory=/home//merge-testnets/kintsugi/prysm 200 | ExecStart=/home//go/bin/bazelisk run //beacon-chain -- --p2p-tcp-port 13188 --p2p-udp-port 12188 --genesis-state /home//merge-testnets/kintsugi/genesis.ssz --datadir /home//merge-testnets/kintsugi/datadir-prysm --http-web3provider=http://127.0.0.1:8545 --min-sync-peers=1 --kintsugi-testnet --accept-terms-of-use 201 | 202 | [Install] 203 | WantedBy=multi-user.target 204 | Alias=beacon 205 | ``` 206 | 207 | #### Validator 208 | 209 | ```console 210 | sudo nano /etc/systemd/system/validator.service 211 | ``` 212 | 213 | Copy and paste the following text into the validator.service file. 214 | 215 | **Replace with your system username/login.** 216 | 217 | ``` 218 | [Unit] 219 | Description=Prysm Ethereum Validator 220 | Wants=beacon-chain.service 221 | After=beacon-chain.service 222 | StartLimitIntervalSec=0 223 | 224 | [Service] 225 | Type=simple 226 | Restart=always 227 | RestartSec=5 228 | User= 229 | WorkingDirectory=/home//merge-testnets/kintsugi/prysm 230 | ExecStart=/home//go/bin/bazelisk run validator -- --kintsugi-testnet --accept-terms-of-use --wallet-password-file /home//merge-testnets/kintsugi/datadir-prysm/password.txt --wallet-dir /home//merge-testnets/kintsugi/datadir-prysm/prysm-wallet-v2 231 | 232 | [Install] 233 | WantedBy=multi-user.target 234 | ``` 235 | 236 | ### Setup MetaMask 237 | 238 | Connect MetaMask to the Kintsugi network by going to https://kintsugi.themerge.dev/ and clicking on the "Add to MetaMask" button. If necessary, create a new account in MetaMask into which the deposit funds will be stored. Request Kintsugi ETH from the [Kintsugi faucet](https://faucet.kintsugi.themerge.dev/). 
You may need to make multiple requests to accumulate enough Kintsugi ETH for a deposit (32 ETH). 239 | 240 | ### Make Validator Deposits and Install Keys 241 | 242 | #### Install eth2-val-tools 243 | 244 | ``` 245 | cd 246 | git clone https://github.com/protolambda/eth2-val-tools 247 | cd eth2-val-tools 248 | go install . 249 | ``` 250 | 251 | #### Install ethereal 252 | 253 | ```console 254 | cd 255 | GO111MODULE=on go get github.com/wealdtech/ethereal 256 | ``` 257 | 258 | #### Generate Mnemonics 259 | 260 | Create the secrets.env file. 261 | 262 | ``` 263 | touch ~/merge-testnets/kintsugi/secrets.env 264 | chmod 600 ~/merge-testnets/kintsugi/secrets.env 265 | nano ~/merge-testnets/kintsugi/secrets.env 266 | ``` 267 | 268 | Copy and paste the following text into the secrets.env file. 269 | 270 | ``` 271 | # sets the deposit amount to use 272 | DEPOSIT_AMOUNT=32000000000 273 | # sets the genesis fork version of the testnet 274 | FORK_VERSION="0x60000069" 275 | # sets the mnemonic to derive the keys from 276 | VALIDATORS_MNEMONIC="" 277 | # sets the mnemonic for withdrawal credentials 278 | WITHDRAWALS_MNEMONIC="" 279 | # temporary location to store the deposit data 280 | DEPOSIT_DATAS_FILE_LOCATION="/tmp/deposit_data.txt" 281 | # sets the deposit contract address 282 | DEPOSIT_CONTRACT_ADDRESS="0x4242424242424242424242424242424242424242" 283 | # sets the eth1 address from which the transaction will be made 284 | ETH1_FROM_ADDR="" 285 | # sets the eth1 private key used to sign the transaction 286 | ETH1_FROM_PRIV="" 287 | # forces the deposit since the deposit contract will not be recognized by the tool 288 | FORCE_DEPOSIT=true 289 | # sets an RPC endpoint to submit the transaction to 290 | ETH1_RPC=https://rpc.kintsugi.themerge.dev 291 | ``` 292 | 293 | Generate passphrases to secure your validator keys and your withdrawal keys. The command to generate a pass phrase will be run once for the validator keys and once for the withdrawal keys. 
Save both sets of keys in the secrets.env file, and save copies in a secure offline location as well. 294 | 295 | ```console 296 | eth2-val-tools mnemonic 297 | ``` 298 | 299 | Insert the generated validator pass phrase in between the quotes on the VALIDATORS_MNEMONIC line. Insert the generated withdrawal pass phrase in between the quotes on the WITHDRAWALS_MNEMONIC line. Save and close the file. 300 | 301 | #### Create Prysm Wallet Password 302 | 303 | Create a unique password and store it in the password.txt file. Have this password available when generating the Prysm keys. 304 | 305 | ```console 306 | vi ~/merge-testnets/kintsugi/datadir-prysm/password.txt 307 | ``` 308 | 309 | #### Add MetaMask Account Details 310 | 311 | Add MetaMask account details to the secrets.env file so that the deposit script can transfer funds. 312 | 313 | In MetaMask, go to the account with the Kintsugi ETH and copy the account address into the ETH1_FROM_ADDR line in the secrets.env file. The address must begin with "0x". 314 | 315 | Copy the private key for this account into the ETH1_FROM_PRIV line in the secrets.env file. The private key can be found in MetaMask by going to the account, clicking on the three dots button, clicking on Account Details, and then clicking on Export Private Key. The private key must begin with "0x". If the private key does not begin with "0x", simply add "0x" to the beginning of the private key. 316 | 317 | #### Deposit Kintsugi ETH 318 | 319 | ``` 320 | cd ~/merge-testnets/kintsugi 321 | nano devnet_deposits.sh 322 | ``` 323 | 324 | Insert the following text into the devnet_deposits.sh file. Then save and close the file. 325 | 326 | ```bash 327 | #!/bin/bash 328 | 329 | echo "USE AT YOUR OWN RISK" 330 | read -p "Are you sure you've double checked the values and want to make this deposit? " -n 1 -r 331 | echo 332 | if [[ !
$REPLY =~ ^[Yy]$ ]] 333 | then 334 | [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 335 | fi 336 | 337 | source secrets.env 338 | 339 | if [[ -z "${ETH1_FROM_ADDR}" ]]; then 340 | echo "need ETH1_FROM_ADDR environment var" 341 | exit 1 || return 1 342 | fi 343 | if [[ -z "${ETH1_FROM_PRIV}" ]]; then 344 | echo "need ETH1_FROM_PRIV environment var" 345 | exit 1 || return 1 346 | fi 347 | 348 | 349 | eth2-val-tools deposit-data \ 350 | --source-min=0 \ 351 | --source-max=1 \ 352 | --amount=$DEPOSIT_AMOUNT \ 353 | --fork-version=$FORK_VERSION \ 354 | --withdrawals-mnemonic="$WITHDRAWALS_MNEMONIC" \ 355 | --validators-mnemonic="$VALIDATORS_MNEMONIC" > $DEPOSIT_DATAS_FILE_LOCATION 356 | 357 | 358 | # Iterate through lines, each is a json of the deposit data and some metadata 359 | while read x; do 360 | account_name="$(echo "$x" | jq '.account')" 361 | pubkey="$(echo "$x" | jq '.pubkey')" 362 | echo "Sending deposit for validator $account_name $pubkey" 363 | ethereal beacon deposit \ 364 | --allow-unknown-contract=$FORCE_DEPOSIT \ 365 | --address="$DEPOSIT_CONTRACT_ADDRESS" \ 366 | --connection=$ETH1_RPC \ 367 | --data="$x" \ 368 | --value="$DEPOSIT_ACTUAL_VALUE" \ 369 | --from="$ETH1_FROM_ADDR" \ 370 | --privatekey="$ETH1_FROM_PRIV" 371 | echo "Sent deposit for validator $account_name $pubkey" 372 | sleep 3 373 | done < "$DEPOSIT_DATAS_FILE_LOCATION" 374 | ``` 375 | 376 | Reset permissions on the script so that it is executable. 377 | 378 | ```console 379 | chmod +x devnet_deposits.sh 380 | ``` 381 | 382 | Assuming you have sufficient Kintsugi ETH in your MetaMask account, run the deposit script. 383 | 384 | ```console 385 | ./devnet_deposits.sh 386 | ``` 387 | 388 | ### Generate Prysm Keys 389 | 390 | Use the validator mnemonic/pass phrase to generate Prysm keys. 391 | 392 | - When asked for your pass phrase, enter the validator pass phrase generated earlier and entered into the secrets.env file.
393 | - When asked for the directory into which the keys should be stored, enter the following `~/merge-testnets/kintsugi/datadir-prysm/prysm-wallet-v2`. 394 | - When asked for the wallet password, enter the same password you added to the file at `~/merge-testnets/kintsugi/datadir-prysm/password.txt`. 395 | 396 | ### Start Beacon Chain and Validator 397 | 398 | Start and enable the beacon chain and validator services. 399 | 400 | ```console 401 | sudo systemctl daemon-reload 402 | sudo systemctl start beacon-chain validator 403 | sudo systemctl enable beacon-chain validator 404 | ``` 405 | 406 | ## Monitoring 407 | 408 | The following will set up prometheus for collecting data, grafana for displaying dashboards, node_exporter for providing system data to prometheus, and blackbox_exporter for providing ping data to prometheus. 409 | 410 | node_exporter and blackbox_exporter are optional, though some charts on the dashboard provided may need to be removed if those tools are not used. The prometheus configuration file may also need to be updated. 411 | 412 | ### Prometheus 413 | 414 | #### Create User Account 415 | 416 | ```console 417 | sudo adduser --system prometheus --group --no-create-home 418 | ``` 419 | 420 | #### Install Prometheus 421 | 422 | Find the URL to the latest amd64 version of Prometheus at https://prometheus.io/download/. In the commands below, replace any references to the version 2.23.0 with the latest version available.
423 | 424 | ```console 425 | cd 426 | wget https://github.com/prometheus/prometheus/releases/download/v2.32.1/prometheus-2.32.1.linux-amd64.tar.gz 427 | tar xzvf prometheus-2.32.1.linux-amd64.tar.gz 428 | cd prometheus-2.32.1.linux-amd64 429 | sudo cp promtool /usr/local/bin/ 430 | sudo cp prometheus /usr/local/bin/ 431 | sudo chown root:root /usr/local/bin/promtool /usr/local/bin/prometheus 432 | sudo chmod 755 /usr/local/bin/promtool /usr/local/bin/prometheus 433 | cd 434 | rm prometheus-2.32.1.linux-amd64.tar.gz 435 | ``` 436 | 437 | #### Configure Prometheus 438 | 439 | ```console 440 | sudo mkdir -p /etc/prometheus/console_libraries /etc/prometheus/consoles /etc/prometheus/files_sd /etc/prometheus/rules /etc/prometheus/rules.d 441 | ``` 442 | 443 | Copy and paste the following text into the prometheus.yml configuration file: 444 | 445 | ```console 446 | sudo nano /etc/prometheus/prometheus.yml 447 | ``` 448 | 449 | ``` 450 | global: 451 | scrape_interval: 15s 452 | 453 | scrape_configs: 454 | - job_name: 'prometheus' 455 | scrape_interval: 5s 456 | static_configs: 457 | - targets: ['127.0.0.1:9090'] 458 | - job_name: 'beacon node' 459 | scrape_interval: 5s 460 | static_configs: 461 | - targets: ['127.0.0.1:8080'] 462 | - job_name: 'node_exporter' 463 | scrape_interval: 5s 464 | static_configs: 465 | - targets: ['127.0.0.1:9100'] 466 | - job_name: 'validator' 467 | scrape_interval: 5s 468 | static_configs: 469 | - targets: ['127.0.0.1:8081'] 470 | - job_name: 'ping_google' 471 | metrics_path: /probe 472 | params: 473 | module: [icmp] 474 | static_configs: 475 | - targets: 476 | - 8.8.8.8 477 | relabel_configs: 478 | - source_labels: [__address__] 479 | target_label: __param_target 480 | - source_labels: [__param_target] 481 | target_label: instance 482 | - target_label: __address__ 483 | replacement: 127.0.0.1:9115 # The blackbox exporter's real hostname:port. 
484 | - job_name: 'ping_cloudflare' 485 | metrics_path: /probe 486 | params: 487 | module: [icmp] 488 | static_configs: 489 | - targets: 490 | - 1.1.1.1 491 | relabel_configs: 492 | - source_labels: [__address__] 493 | target_label: __param_target 494 | - source_labels: [__param_target] 495 | target_label: instance 496 | - target_label: __address__ 497 | replacement: 127.0.0.1:9115 # The blackbox exporter's real hostname:port. 498 | - job_name: json_exporter 499 | static_configs: 500 | - targets: 501 | - 127.0.0.1:7979 502 | - job_name: json 503 | metrics_path: /probe 504 | static_configs: 505 | - targets: 506 | - https://api.coingecko.com/api/v3/simple/price?ids=ethereum&vs_currencies=usd 507 | relabel_configs: 508 | - source_labels: [__address__] 509 | target_label: __param_target 510 | - source_labels: [__param_target] 511 | target_label: instance 512 | - target_label: __address__ 513 | replacement: 127.0.0.1:7979 514 | ``` 515 | 516 | Change the ownership of the prometheus directory. 517 | 518 | ```console 519 | sudo chown -R prometheus:prometheus /etc/prometheus 520 | ``` 521 | 522 | #### Data Directory 523 | 524 | ```console 525 | sudo mkdir /var/lib/prometheus 526 | sudo chown prometheus:prometheus /var/lib/prometheus 527 | sudo chmod 755 /var/lib/prometheus 528 | ``` 529 | 530 | #### Set Up systemd Service 531 | 532 | ```console 533 | sudo nano /etc/systemd/system/prometheus.service 534 | ``` 535 | 536 | Copy and paste the following text into the prometheus.service file. 
537 | 538 | ``` 539 | [Unit] 540 | Description=Prometheus 541 | Wants=network-online.target 542 | After=network-online.target 543 | 544 | [Service] 545 | User=prometheus 546 | Group=prometheus 547 | Type=simple 548 | Restart=always 549 | RestartSec=5 550 | ExecStart=/usr/local/bin/prometheus \ 551 | --config.file /etc/prometheus/prometheus.yml \ 552 | --storage.tsdb.path /var/lib/prometheus/ \ 553 | --storage.tsdb.retention.time=31d \ 554 | --web.console.templates=/etc/prometheus/consoles \ 555 | --web.console.libraries=/etc/prometheus/console_libraries 556 | 557 | [Install] 558 | WantedBy=multi-user.target 559 | ``` 560 | 561 | ```console 562 | sudo systemctl daemon-reload 563 | sudo systemctl start prometheus.service 564 | sudo systemctl enable prometheus.service 565 | ``` 566 | 567 | ### Grafana 568 | 569 | ```console 570 | cd 571 | sudo apt-get install -y apt-transport-https 572 | sudo apt-get install -y software-properties-common wget 573 | wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add - 574 | sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main" 575 | sudo apt-get update 576 | sudo apt-get install grafana 577 | ``` 578 | 579 | #### Setup systemd 580 | 581 | **Optional:** Edit the `grafana-server.service` file to add "grafana" as an alias to grafana server. I generally forget that the default name for this service is `grafana-server`. 582 | 583 | ``` 584 | sudo nano /lib/systemd/system/grafana-server.service 585 | ``` 586 | 587 | At the end of this file, in the `[Install]` section, add the following line: 588 | 589 | ``` 590 | Alias=grafana.service 591 | ``` 592 | 593 | Start the service. 594 | 595 | ```console 596 | sudo systemctl daemon-reload 597 | sudo systemctl start grafana-server 598 | sudo systemctl enable grafana-server 599 | ``` 600 | 601 | Login to grafana at http://XXX.XXX.XXX.XXX:3000/, replacing `XXX.XXX.XXX.XXX` with the IP address of your server. If you do not know the IP address, run `ifconfig`. 
602 | 603 | Default username `admin`. Default password `admin`. Grafana will ask you to set a new password. 604 | 605 | #### Setup Prometheus Data Source 606 | 607 | 1. On the left-hand menu, hover over the gear menu and click on Data Sources. 608 | 2. Then click on the Add Data Source button. 609 | 3. Hover over the Prometheus card on screen, then click on the Select button. 610 | 4. Enter `http://127.0.0.1:9090/` into the URL field, then click Save & Test. 611 | 612 | #### Install Grafana Dashboard 613 | 614 | 1. Hover over the plus symbol icon in the left-hand menu, then click on Import. 615 | 2. Copy and paste the dashboard at [https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source-beacon_node.json](https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source-beacon_node.json) into the "Import via panel json" text box on the screen. If you used an older version of these instructions, where the Prometheus configuration file uses the beacon node job name of "beacon" instead of "beacon node", please [use this dashboard](https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source.json) instead for backwards compatibility. 616 | 3. Then click the Load button. 617 | 4. Then click the Import button. 618 | 619 | Note: At this point in the process, any widgets showing details from the validator will show "N/A", because the validator still has no keys configured. As soon as keys are configured for the validator, the validator details should begin to show up. 620 | 621 | #### Final Grafana Dashboard Configuration 622 | 623 | A few of the queries driving the Grafana dashboard may need different settings, depending on your hardware.
624 | 625 | ##### Network Traffic Configuration 626 | 627 | To ensure that network traffic is correctly reflected on your Grafana dashboard, update the network interface in the Network Traffic widget. Run the following command to find your Linux network device. 628 | 629 | ```console 630 | ifconfig 631 | ``` 632 | 633 | Output of the command should look like the following: 634 | 635 | ``` 636 | eno1: flags=4163 mtu 1500 637 | inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255 638 | inet6 fe80::1e69:7aff:fe63:14b0 prefixlen 64 scopeid 0x20 639 | ether 1c:69:7a:63:14:b0 txqueuelen 1000 (Ethernet) 640 | RX packets 238936 bytes 78487335 (78.4 MB) 641 | RX errors 0 dropped 1819 overruns 0 frame 0 642 | TX packets 257824 bytes 112513038 (112.5 MB) 643 | TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 644 | device interrupt 16 memory 0x96300000-96320000 645 | 646 | lo: flags=73 mtu 65536 647 | inet 127.0.0.1 netmask 255.0.0.0 648 | inet6 ::1 prefixlen 128 scopeid 0x10 649 | loop txqueuelen 1000 (Local Loopback) 650 | RX packets 39805 bytes 29126770 (29.1 MB) 651 | RX errors 0 dropped 0 overruns 0 frame 0 652 | TX packets 39805 bytes 29126770 (29.1 MB) 653 | TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 654 | ``` 655 | 656 | Of the two entries shown above, the first lists my IP address on the second line, network interface `eno1`. Find the entry that represents the network connection you want to monitor and copy the device name, which is the part before the colon on the first line of each entry. In my case the value is `eno1`. 657 | 658 | 1. Go to the Grafana dashboard previously installed. 659 | 2. Find the Network Traffic widget, and open the drop down that can be found by the Network Traffic title. 660 | 3. Click Edit. 661 | 4. There will be four references to `eno1` in the queries that appear. Replace all four with the name of the network interface you found in the `ifconfig` command.
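The Prometheus tarball above, like the node_exporter and blackbox_exporter tarballs later in this guide, is copied into `/usr/local/bin` straight after `wget`. The following is an added example, not part of the original guide, that checks a downloaded tarball against a checksum list first. The function name is hypothetical, and it assumes the release publishes a `sha256sums.txt` in `sha256sum` format beside the tarball.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a downloaded release
# tarball against the release's checksum list before installing anything.
# Assumption: the list uses sha256sum format, "<64 hex digits>  <file name>".

# verify_release TARBALL SUMS_FILE
#   0  digest matches the single entry listed for the tarball's file name
#   1  digest mismatch
#   2  tarball or checksum list is missing
#   3  no entry, several entries, or a malformed digest for that file name
verify_release() {
    local tarball="$1" sums="$2" name expected actual

    [ -f "$tarball" ] || { echo "missing file: $tarball" >&2; return 2; }
    [ -f "$sums" ] || { echo "missing checksum list: $sums" >&2; return 2; }

    name=$(basename "$tarball")

    # Compare the file name as an exact string (not a pattern) and accept the
    # optional "*" binary-mode marker. A digest is printed only when exactly
    # one entry names this file, so a list with conflicting entries fails.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { hits++; digest = tolower($1) }
        END { if (hits == 1) print digest }
    ' "$sums")

    case "$expected" in
        "" | *[!0-9a-f]*)
            echo "no single valid entry for $name in $sums" >&2
            return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest for $name" >&2; return 3; }

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "OK $name $actual"
}

# Typical use with the Prometheus download from this guide, run by hand
# (the sha256sums.txt URL is an assumption about the release layout):
#   wget https://github.com/prometheus/prometheus/releases/download/v2.32.1/sha256sums.txt
#   verify_release prometheus-2.32.1.linux-amd64.tar.gz sha256sums.txt \
#       && tar xzvf prometheus-2.32.1.linux-amd64.tar.gz
```

A checksum list fetched from the same release page catches truncated or substituted downloads, but not a compromised release.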
662 | 663 | ### node_exporter 664 | 665 | #### Create User Account 666 | 667 | ```console 668 | sudo adduser --system node_exporter --group --no-create-home 669 | ``` 670 | 671 | #### Install node_exporter 672 | 673 | ```console 674 | cd 675 | wget https://github.com/prometheus/node_exporter/releases/download/v1.3.1/node_exporter-1.3.1.linux-amd64.tar.gz 676 | tar xzvf node_exporter-1.3.1.linux-amd64.tar.gz 677 | sudo cp node_exporter-1.3.1.linux-amd64/node_exporter /usr/local/bin/ 678 | sudo chown node_exporter:node_exporter /usr/local/bin/node_exporter 679 | rm node_exporter-1.3.1.linux-amd64.tar.gz 680 | ``` 681 | 682 | #### Set Up System Service 683 | 684 | ```console 685 | sudo nano /etc/systemd/system/node_exporter.service 686 | ``` 687 | 688 | Copy and paste the following text into the node_exporter.service file. 689 | 690 | ``` 691 | [Unit] 692 | Description=Node Exporter 693 | 694 | [Service] 695 | Type=simple 696 | Restart=always 697 | RestartSec=5 698 | User=node_exporter 699 | ExecStart=/usr/local/bin/node_exporter 700 | 701 | [Install] 702 | WantedBy=multi-user.target 703 | ``` 704 | 705 | ```console 706 | sudo systemctl daemon-reload 707 | sudo systemctl start node_exporter.service 708 | sudo systemctl enable node_exporter.service 709 | ``` 710 | 711 | ### json_exporter 712 | 713 | #### Create User Account 714 | 715 | ```console 716 | sudo adduser --system json_exporter --group --no-create-home 717 | ``` 718 | 719 | #### Install json_exporter 720 | 721 | ```console 722 | cd 723 | git clone https://github.com/prometheus-community/json_exporter.git 724 | cd json_exporter 725 | make build 726 | sudo cp json_exporter /usr/local/bin/ 727 | sudo chown json_exporter:json_exporter /usr/local/bin/json_exporter 728 | ``` 729 | 730 | #### Configure json_exporter 731 | 732 | ```console 733 | sudo mkdir /etc/json_exporter 734 | sudo chown json_exporter:json_exporter /etc/json_exporter 735 | ``` 736 | 737 | ```console 738 | sudo nano 
/etc/json_exporter/json_exporter.yml 739 | ``` 740 | 741 | Copy and paste the following text into the json_exporter.yml file. 742 | 743 | ``` 744 | metrics: 745 | - name: ethusd 746 | path: "{.ethereum.usd}" 747 | help: Ethereum (ETH) price in USD 748 | ``` 749 | 750 | Change ownership of the configuration file to the json_exporter account. 751 | 752 | ```console 753 | sudo chown json_exporter:json_exporter /etc/json_exporter/json_exporter.yml 754 | ``` 755 | 756 | #### Set Up System Service 757 | 758 | ```console 759 | sudo nano /etc/systemd/system/json_exporter.service 760 | ``` 761 | 762 | Copy and paste the following text into the json_exporter.service file. 763 | 764 | ``` 765 | [Unit] 766 | Description=JSON Exporter 767 | 768 | [Service] 769 | Type=simple 770 | Restart=always 771 | RestartSec=5 772 | User=json_exporter 773 | ExecStart=/usr/local/bin/json_exporter --config.file /etc/json_exporter/json_exporter.yml 774 | 775 | [Install] 776 | WantedBy=multi-user.target 777 | ``` 778 | 779 | ```console 780 | sudo systemctl daemon-reload 781 | sudo systemctl start json_exporter.service 782 | sudo systemctl enable json_exporter.service 783 | ``` 784 | 785 | 786 | ## Optional 787 | 788 | ### Install ntpd 789 | 790 | For now, I prefer to use ntpd over the default systemd-timesyncd for syncing my system clock to an official time source. 791 | 792 | From [this](https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04) tutorial on setting up time syncing on Ubuntu. 793 | 794 | > Though timesyncd is fine for most purposes, some applications that 795 | > are very sensitive to even the slightest perturbations in time may be 796 | > better served by ntpd, as it uses more sophisticated techniques to 797 | > constantly and gradually keep the system time on track. 798 | 799 | ```console 800 | sudo apt-get install ntp 801 | ``` 802 | 803 | Update the NTP pool time server configuration to those that are geographically close to you.
See [http://support.ntp.org/bin/view/Servers/NTPPoolServers](http://support.ntp.org/bin/view/Servers/NTPPoolServers) to find servers near you. 804 | 805 | ```console 806 | sudo nano /etc/ntp.conf 807 | ``` 808 | 809 | Look for lines that begin with `server` and replace the current values with the values you identified from ntp.org. 810 | 811 | Restart ntp. This will automatically shut down systemd-timesyncd, the default Ubuntu time syncing solution. 812 | 813 | ```console 814 | sudo systemctl restart ntp 815 | ``` 816 | 817 | ### blackbox_exporter 818 | 819 | I have used blackbox_exporter to provide [ping](https://en.wikipedia.org/wiki/Ping_(networking_utility)) time data between my staking system and two DNS providers. Data is sent to Prometheus and on to Grafana. I have not found a practical use for this yet, though I have seen some interesting short-term shifts in ping times to Google. Therefore, blackbox_exporter is optional. 820 | 821 | The Grafana dashboard in these instructions includes a panel with a ping time graph. If you choose not to install blackbox_exporter, simply remove that panel from your Grafana dashboard. It will not show data. 822 | 823 | #### Create User Account 824 | 825 | ```console 826 | sudo adduser --system blackbox_exporter --group --no-create-home 827 | ``` 828 | 829 | #### Install blackbox_exporter 830 | 831 | ```console 832 | cd 833 | wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.19.0/blackbox_exporter-0.19.0.linux-amd64.tar.gz 834 | tar xvzf blackbox_exporter-0.19.0.linux-amd64.tar.gz 835 | sudo cp blackbox_exporter-0.19.0.linux-amd64/blackbox_exporter /usr/local/bin/ 836 | sudo chown blackbox_exporter:blackbox_exporter /usr/local/bin/blackbox_exporter 837 | sudo chmod 755 /usr/local/bin/blackbox_exporter 838 | ``` 839 | 840 | Allow blackbox_exporter to ping servers. 
841 | 842 | ```console 843 | sudo setcap cap_net_raw+ep /usr/local/bin/blackbox_exporter 844 | ``` 845 | 846 | ```console 847 | rm blackbox_exporter-0.19.0.linux-amd64.tar.gz 848 | ``` 849 | 850 | #### Configure blackbox_exporter 851 | 852 | ```console 853 | sudo mkdir /etc/blackbox_exporter 854 | sudo chown blackbox_exporter:blackbox_exporter /etc/blackbox_exporter 855 | ``` 856 | 857 | ```console 858 | sudo nano /etc/blackbox_exporter/blackbox.yml 859 | ``` 860 | 861 | Copy and paste the following text into the blackbox.yml file. 862 | 863 | ``` 864 | modules: 865 | icmp: 866 | prober: icmp 867 | timeout: 10s 868 | icmp: 869 | preferred_ip_protocol: ipv4 870 | ``` 871 | 872 | Change ownership of the configuration file to the blackbox_exporter account. 873 | 874 | ```console 875 | sudo chown blackbox_exporter:blackbox_exporter /etc/blackbox_exporter/blackbox.yml 876 | ``` 877 | 878 | #### Set Up System Service 879 | 880 | `sudo nano /etc/systemd/system/blackbox_exporter.service` 881 | 882 | Copy and paste the following text into the blackbox_exporter.service file. 883 | 884 | ``` 885 | [Unit] 886 | Description=Blackbox Exporter 887 | 888 | [Service] 889 | Type=simple 890 | Restart=always 891 | RestartSec=5 892 | User=blackbox_exporter 893 | ExecStart=/usr/local/bin/blackbox_exporter --config.file /etc/blackbox_exporter/blackbox.yml 894 | 895 | [Install] 896 | WantedBy=multi-user.target 897 | ``` 898 | 899 | ```console 900 | sudo systemctl daemon-reload 901 | sudo systemctl start blackbox_exporter.service 902 | sudo systemctl enable blackbox_exporter.service 903 | ``` 904 | 905 | ## Router Configuration 906 | 907 | You may need to configure your router to forward the following ports to your staking system. See your router documentation for details. 
908 | 909 | Prysm Beacon Chain: 12000/udp 910 | Prysm Beacon Chain: 13000/tcp 911 | geth: 30303/udp 912 | geth: 30303/tcp 913 | 914 | 915 | ## Security 916 | 917 | ### SSH 918 | 919 | The following changes can be made to increase the security of SSH, but are not required. 920 | 921 | ```console 922 | sudo nano /etc/ssh/sshd_config 923 | ``` 924 | 925 | Add the following lines, but replacing with your login. You are not logging in to ssh with root, right? If you are, you probably don't want to add the `AllowUsers` and `PermitRootLogin` lines below. 926 | 927 | ``` 928 | AllowUsers 929 | PermitEmptyPasswords no 930 | PermitRootLogin no 931 | Protocol 2 932 | ``` 933 | 934 | **Optional:** I prefer to change the default SSH port to a non-standard port. Do not forget what you change this to. Find the following line, uncomment it by removing the "#", and replace "22" with your preferred port. 935 | 936 | ``` 937 | #Port 22 938 | ``` 939 | 940 | ```console 941 | sudo reboot 942 | ``` 943 | 944 | ### Firewall 945 | 946 | If your staking system is behind a router with a firewall, you may not want to add another level of firewall to your network security. This section may be skipped. 947 | 948 | The following commands set up the minimal firewall rules necessary to run the Prysm beacon-chain and geth. 949 | 950 | ```console 951 | # beacon chain 952 | sudo ufw allow 12000/udp 953 | sudo ufw allow 13000/tcp 954 | 955 | # geth 956 | sudo ufw allow 30303/tcp 957 | sudo ufw allow 30303/udp 958 | 959 | # grafana 960 | sudo ufw allow 3000/tcp 961 | ``` 962 | 963 | Run the following command to set up firewall rules for SSH. If you changed your default SSH port above, change the `22` in this command to the port you are using. 964 | 965 | ```console 966 | # ssh 967 | sudo ufw allow 22/tcp 968 | ``` 969 | 970 | Set up default firewall rules and enable the firewall.
971 | 972 | ```console 973 | # Defaults 974 | sudo ufw default deny incoming 975 | sudo ufw default allow outgoing 976 | sudo ufw enable 977 | ``` 978 | 979 | The following commands open up the remaining ports that are used by the software in this set of instructions. These ports are typically used only by other software internal to the staking system, and do not need to be opened on the firewall unless you would like direct access to some of the administrative/metrics pages, or if systems external to your staking system will be using services on your staking system. 980 | 981 | ```console 982 | # beacon chain 983 | # - This only needs to be enabled if external validators will be accessing this beacon chain. 984 | sudo ufw allow 4000/tcp 985 | 986 | # node_exporter 987 | # - This only needs to be enabled if you want to access node_exporter stats directly. 988 | sudo ufw allow 9100/tcp 989 | 990 | # geth 991 | # - This only needs to be enabled if external beacon chains will be accessing this geth full node. 992 | sudo ufw allow 8545/tcp 993 | 994 | # beacon-chain metrics 995 | # - This only needs to be enabled if you want to access beacon-chain stats directly. 996 | sudo ufw allow 8080/tcp 997 | 998 | # blackbox_exporter 999 | # - This only needs to be enabled if you want to access blackbox_exporter stats directly. 1000 | sudo ufw allow 9115/tcp 1001 | 1002 | # prometheus 1003 | # - This only needs to be enabled if you want to access prometheus directly. 1004 | sudo ufw allow 9090/tcp 1005 | 1006 | # json_exporter 1007 | # - This only needs to be enabled if you want to access json_exporter stats directly. 1008 | sudo ufw allow 7979/tcp 1009 | ``` 1010 | 1011 | ## Common Commands 1012 | 1013 | The following are some common commands you may want to use while running this setup.
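The firewall section above describes the metrics, gRPC and RPC ports as internal to the staking system, and also says the firewall may be skipped behind a router. In that case the only thing keeping those ports private is the address each service binds to. The following is an added example, not part of the original guide, that reads `ss -H -ltn` output and reports any of those ports listening on a non-loopback address. The port list comes from this page; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): find "internal-only" services
# from this guide that listen on an address other than loopback.

# Ports the guide treats as internal: beacon gRPC (4000), json_exporter (7979),
# beacon-chain metrics (8080), validator metrics (8081), geth RPC (8545),
# prometheus (9090), node_exporter (9100), blackbox_exporter (9115).
INTERNAL_PORTS="4000 7979 8080 8081 8545 9090 9100 9115"

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT='LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 4096 *:9100 *:*
LISTEN 0 4096 0.0.0.0:8545 0.0.0.0:*
LISTEN 0 4096 [::1]:7979 [::]:*
LISTEN 0 4096 [::]:9115 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:3000 *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Reads `ss -H -ltn` lines on stdin and prints "PORT ADDRESS" for every
# internal port bound to a non-loopback address, sorted by port.
internal_listeners_exposed() {
    awk -v ports="$INTERNAL_PORTS" '
    BEGIN {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) internal[p[i]] = 1
    }
    $1 == "LISTEN" {
        # Field 4 is Local Address:Port; the port follows the last colon.
        pos = match($4, /:[0-9]+$/)
        if (pos == 0) next
        port = substr($4, pos + 1)
        host = substr($4, 1, pos - 1)
        sub(/%.*$/, "", host)        # drop an interface scope such as %lo
        gsub(/^\[|\]$/, "", host)    # drop IPv6 brackets
        if (!(port in internal)) next
        if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
        print port, host
    }' | sort -u -k1,1n -k2,2
}

# Returns 0 when nothing internal is exposed, 1 otherwise (one line per finding).
audit_listeners() {
    local findings
    findings=$(internal_listeners_exposed)
    if [ -z "$findings" ]; then
        echo "all internal ports are bound to loopback or not listening"
        return 0
    fi
    printf '%s\n' "$findings" | while read -r port host; do
        echo "port $port listens on $host: reachable from the network unless a firewall blocks it"
    done
    return 1
}

# On the staking system, run by hand:
#   ss -H -ltn | audit_listeners
```

Any port reported here is protected only by the `ufw default deny incoming` rule or the router, so either bind the service to `127.0.0.1` or keep the firewall enabled.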
1014 | 1015 | ### Service Statuses 1016 | 1017 | To see the status of system services: 1018 | 1019 | ```console 1020 | sudo systemctl status beacon-chain 1021 | sudo systemctl status validator 1022 | sudo systemctl status geth 1023 | sudo systemctl status prometheus 1024 | sudo systemctl status grafana-server 1025 | sudo systemctl status node_exporter 1026 | sudo systemctl status blackbox_exporter 1027 | sudo systemctl status json_exporter 1028 | ``` 1029 | 1030 | Or, to see the status of all at once: 1031 | 1032 | ```console 1033 | sudo systemctl status beacon-chain validator geth prometheus grafana-server node_exporter blackbox_exporter json_exporter 1034 | ``` 1035 | 1036 | ### Service Logs 1037 | 1038 | To watch the logs in real time: 1039 | 1040 | ```console 1041 | sudo journalctl -u beacon-chain -f 1042 | sudo journalctl -u validator -f 1043 | sudo journalctl -u geth -f 1044 | sudo journalctl -u prometheus -f 1045 | sudo journalctl -u grafana-server -f 1046 | sudo journalctl -u node_exporter -f 1047 | sudo journalctl -u blackbox_exporter -f 1048 | sudo journalctl -u json_exporter -f 1049 | ``` 1050 | 1051 | ### Restarting Services 1052 | 1053 | To restart a service: 1054 | 1055 | ```console 1056 | sudo systemctl restart beacon-chain 1057 | sudo systemctl restart validator 1058 | sudo systemctl restart geth 1059 | sudo systemctl restart prometheus 1060 | sudo systemctl restart grafana-server 1061 | sudo systemctl restart node_exporter 1062 | sudo systemctl restart blackbox_exporter 1063 | sudo systemctl restart json_exporter 1064 | ``` 1065 | 1066 | ### Stopping Services 1067 | 1068 | Stopping a service is separate from disabling a service. Stopping a service stops the current execution of the server, but does not prohibit the service from starting again after a system reboot. If you intend for the service to stop running and to not restart after a reboot, you will want to stop and disable a service. 
1069 | 1070 | To stop a service: 1071 | 1072 | ```console 1073 | sudo systemctl stop beacon-chain 1074 | sudo systemctl stop validator 1075 | sudo systemctl stop geth 1076 | sudo systemctl stop prometheus 1077 | sudo systemctl stop grafana-server 1078 | sudo systemctl stop node_exporter 1079 | sudo systemctl stop blackbox_exporter 1080 | sudo systemctl stop json_exporter 1081 | ``` 1082 | 1083 | **Important:** If you intend to stop the beacon chain and validator in order to run these services on a different system, stop the services using the instructions in this section, and disable these services following the instructions in the next section. You will be at risk of losing funds through slashing if you accidentally validate the same keys on two different systems, and failing to disable the services may result in your beacon chain and validator running again after a system reboot. 1084 | 1085 | ### Disabling Services 1086 | 1087 | To disable a service so that it no longer starts automatically after a reboot: 1088 | 1089 | ```console 1090 | sudo systemctl disable beacon-chain 1091 | sudo systemctl disable validator 1092 | sudo systemctl disable geth 1093 | sudo systemctl disable prometheus 1094 | sudo systemctl disable grafana-server 1095 | sudo systemctl disable node_exporter 1096 | sudo systemctl disable blackbox_exporter 1097 | sudo systemctl disable json_exporter 1098 | ``` 1099 | 1100 | ### Enabling Services 1101 | 1102 | To re-enable a service that has been disabled: 1103 | 1104 | ```console 1105 | sudo systemctl enable beacon-chain 1106 | sudo systemctl enable validator 1107 | sudo systemctl enable geth 1108 | sudo systemctl enable prometheus 1109 | sudo systemctl enable grafana-server 1110 | sudo systemctl enable node_exporter 1111 | sudo systemctl enable blackbox_exporter 1112 | sudo systemctl enable json_exporter 1113 | ``` 1114 | 1115 | ### Starting Services 1116 | 1117 | Re-enabling a service will not necessarily start the service as well. 
To start a service that is stopped: 1118 | 1119 | ```console 1120 | sudo systemctl start beacon-chain 1121 | sudo systemctl start validator 1122 | sudo systemctl start geth 1123 | sudo systemctl start prometheus 1124 | sudo systemctl start grafana-server 1125 | sudo systemctl start node_exporter 1126 | sudo systemctl start blackbox_exporter 1127 | sudo systemctl start json_exporter 1128 | ``` 1129 | 1130 | ### Upgrading Prysm 1131 | 1132 | Upgrading the Prysm beacon chain and validator clients is as easy as restarting the service when running the prysm.sh script as we are in these instructions. To upgrade to the latest release, simply restart the services. Use the commands above to check the log files of both the beacon chain and validator. If any important command line flags have changed, a notice should appear in the logs. Even better, read the release notes in advance of an upgrade. 1133 | 1134 | ```console 1135 | sudo systemctl restart beacon-chain 1136 | sudo systemctl restart validator 1137 | ``` 1138 | 1139 | ### Changing systemd Service Files 1140 | 1141 | If you edit any of the systemd service files in `/etc/systemd/system` or another location, run the following command prior to restarting the affected service: 1142 | 1143 | ```console 1144 | sudo systemctl daemon-reload 1145 | ``` 1146 | 1147 | Then restart the affected service: 1148 | 1149 | ```console 1150 | sudo systemctl restart SERVICE_NAME 1151 | ``` 1152 | 1153 | - Replace SERVICE_NAME with the name of the service for which the service file was updated. For example, `sudo systemctl restart beacon-chain`. 1154 | 1155 | ### Updating Prysm Options 1156 | 1157 | To update the configuration options of the beacon chain or validator, edit the Prysm configuration file located in the home directories for the services.
1158 | 1159 | ```console 1160 | sudo nano /home/validator/prysm-validator.yaml 1161 | sudo nano /home/beacon/prysm-beacon.yaml 1162 | ``` 1163 | 1164 | Then restart the services: 1165 | 1166 | ```console 1167 | sudo systemctl restart validator 1168 | sudo systemctl restart beacon-chain 1169 | ``` 1170 | 1171 | ## Future Updates 1172 | 1173 | There is at least one area where I may expand on my system configuration or instructions, but I have not pursued it yet. 1174 | 1175 | - SSH Key-Based Login 1176 | - This seems to be a good security move, but it also seems to be the perfect way to get me locked out of my own system. I have never set this up before, but may look into it. 1177 | 1178 | 1179 | ## Sources/Inspiration 1180 | 1181 | Prysm: [https://docs.prylabs.network/docs/getting-started/](https://docs.prylabs.network/docs/getting-started/) 1182 | 1183 | Go: [https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/golang-1.14-go_1.14.2-1ubuntu1_arm64.deb.html](https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/golang-1.14-go_1.14.2-1ubuntu1_arm64.deb.html) 1184 | 1185 | Timezone: [https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/](https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/) 1186 | 1187 | Account creation and systemd setup: [https://github.com/attestantio/ubuntu-server](https://github.com/attestantio/ubuntu-server) 1188 | 1189 | blackbox_exporter: [https://github.com/prometheus/blackbox_exporter](https://github.com/prometheus/blackbox_exporter) 1190 | 1191 | node_exporter: [https://github.com/prometheus/node_exporter](https://github.com/prometheus/node_exporter) 1192 | 1193 | Prometheus: [https://prometheus.io/docs/prometheus/latest/getting_started/](https://prometheus.io/docs/prometheus/latest/getting_started/) 1194 | 1195 | Grafana: [https://grafana.com/docs/grafana/latest/installation/debian/](https://grafana.com/docs/grafana/latest/installation/debian/) 1196 | 1197 | Dashboard:
[https://github.com/metanull-operator/eth2-grafana](https://github.com/metanull-operator/eth2-grafana) 1198 | 1199 | systemd: [https://www.freedesktop.org/software/systemd/man/systemd.unit.html](https://www.freedesktop.org/software/systemd/man/systemd.unit.html) 1200 | 1201 | geth: [https://geth.ethereum.org/docs/install-and-build/installing-geth](https://geth.ethereum.org/docs/install-and-build/installing-geth) 1202 | 1203 | sshd: [https://blog.devolutions.net/2017/04/10-steps-to-secure-open-ssh](https://blog.devolutions.net/2017/04/10-steps-to-secure-open-ssh) 1204 | 1205 | ufw: [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04) 1206 | 1207 | ufw: [https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands) 1208 | 1209 | ntpd: [https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04) 1210 | 1211 | kintsugi: https://hackmd.io/dFzKxB3ISWO8juUqPpJFfw 1212 | 1213 | eth2-val-tools: https://github.com/protolambda/eth2-val-tools 1214 | 1215 | ethereal: https://github.com/wealdtech/ethereal/ 1216 | 1217 | -------------------------------------------------------------------------------- /nut-multi-system.md: -------------------------------------------------------------------------------- 1 | # NUT Installation and Configuration 2 | 3 | ## NUT Master 4 | 5 | Update packages and install `nut` package. 6 | 7 | ```bash 8 | cd 9 | sudo apt-get update 10 | sudo apt-get install nut 11 | ``` 12 | 13 | Edit `/etc/nut/ups.conf` to add information about the UPS connected to the system. 
14 | 15 | ```bash 16 | sudo vi /etc/nut/ups.conf 17 | ``` 18 | 19 | Copy-and-paste the following into the `ups.conf` file. 20 | 21 | - Replace `` with a short, descriptive name for the UPS. (I believe spaces are not allowed.) 22 | 23 | - Replace `` with a longer description of the UPS. (Spaces are allowed.) 24 | - Replace the value of `override.battery.runtime.low` with the number of minutes of battery life left on the UPS when the NUT server will instruct all NUT clients to shut down. 25 | - If `usbhid-ups` does not automatically find your USB UPS, you may need a custom configuration here. See docs. 26 | 27 | ``` 28 | [] 29 | driver = usbhid-ups 30 | port = auto 31 | desc = "" 32 | ignorelb 33 | override.battery.runtime.low = 15 34 | ``` 35 | 36 | Save and close the file. 37 | 38 | Edit the upsd.users file to add a username and password for NUT client authentication. 39 | 40 | ```bash 41 | sudo vi /etc/nut/upsd.users 42 | ``` 43 | 44 | Add the following section to the `upsd.users` file: 45 | 46 | - `upsmon` is the username here. You can change it, but you'd have to change it elsewhere too. 47 | - Change ` 52 | upsmon master 53 | ``` 54 | 55 | Save and close the file. 56 | 57 | Edit the `/etc/nut/nut.conf` file to set which type of NUT configuration we are setting up on this system. 58 | 59 | ```bash 60 | sudo vi /etc/nut/nut.conf 61 | ``` 62 | 63 | Set `netserver` mode for the primary (master) NUT instance. 64 | 65 | ``` 66 | MODE = netserver 67 | ``` 68 | 69 | Save and close the file. 70 | 71 | ```bash 72 | sudo vi /etc/nut/upsd.conf 73 | ``` 74 | 75 | Add `LISTEN` lines for each host that is allowed to talk to the NUT server. `0.0.0.0` should work for all, but you may want to specify specific IP addresses. 76 | 77 | - Change to the port number you want the NUT server to listen on. I am not aware of any default values for this. 78 | 79 | ``` 80 | LISTEN 0.0.0.0 81 | ``` 82 | 83 | Save and close the file.
84 | 85 | Edit the /etc/nut/upsmon.conf file to tell it which UPS to monitor. 86 | 87 | ```bash 88 | sudo vi /etc/nut/upsmon.conf 89 | ``` 90 | 91 | Add a MONITOR line: 92 | 93 | - Change to the same value set in ups.conf above. 94 | 95 | - Change to the IP address of the NUT server. For the master this should likely be 127.0.0.1. 96 | 97 | - Change to the port set in the upsd.conf file above. 98 | 99 | - Change to the password set in the 100 | 101 | ``` 102 | MONITOR @: 1 upsmon master 103 | ``` 104 | 105 | Save and close the file. 106 | 107 | Enable and start the following: 108 | 109 | - nut-driver - The driver that speaks directly to the UPS 110 | 111 | - nut-monitor - Monitors the UPS and decides when to take action. 112 | 113 | - nut-server - Communicates with NUT clients about UPS status. 114 | 115 | ```bash 116 | sudo systemctl enable --now nut-driver nut-server nut-monitor 117 | ``` 118 | 119 | See if the UPS is online: 120 | 121 | - Change to the same value set in ups.conf above. 122 | 123 | - Change to the IP address of the NUT server. For the master this should likely be 127.0.0.1. 124 | 125 | - Change to the port set in the upsd.conf file above. 
126 | 127 | ```bash 128 | upsc @: 129 | ``` 130 | 131 | Your output should look similar to the following: 132 | 133 | ``` 134 | Init SSL without certificate database 135 | battery.charge: 74 136 | battery.runtime: 1167 137 | battery.runtime.low: 15 138 | battery.type: PbAC 139 | battery.voltage: 26.3 140 | battery.voltage.nominal: 24.0 141 | device.mfr: Tripp Lite 142 | device.model: Tripp Lite UPS 143 | device.type: ups 144 | driver.flag.ignorelb: enabled 145 | driver.name: usbhid-ups 146 | driver.parameter.pollfreq: 30 147 | driver.parameter.pollinterval: 2 148 | driver.parameter.port: auto 149 | driver.parameter.synchronous: no 150 | driver.version: 2.7.4 151 | driver.version.data: TrippLite HID 0.82 152 | driver.version.internal: 0.41 153 | input.frequency: 60.1 154 | input.voltage: 116.4 155 | output.frequency.nominal: 60 156 | output.voltage: 116.4 157 | output.voltage.nominal: 120 158 | ups.beeper.status: enabled 159 | ups.delay.shutdown: 20 160 | ups.load: 20 161 | ups.mfr: Tripp Lite 162 | ups.model: Tripp Lite UPS 163 | ups.power: 0.0 164 | ups.power.nominal: 1500 165 | ups.productid: 2012 166 | ups.status: OL CHRG 167 | ups.timer.reboot: 65535 168 | ups.timer.shutdown: 65535 169 | ups.vendorid: 09ae 170 | ups.watchdog.status: 0 171 | ``` 172 | 173 | ## NUT Client 174 | 175 | Update packages and install nut-client package. 176 | 177 | ```bash 178 | cd 179 | sudo apt-get update 180 | sudo apt-get install nut-client 181 | ``` 182 | 183 | Edit the /etc/nut/nut.conf file to set which type of NUT configuration we are setting up on this system. 184 | 185 | ```bash 186 | sudo vi /etc/nut/nut.conf 187 | ``` 188 | 189 | Set netclient mode for the secondary (slave) NUT instance. 190 | 191 | ``` 192 | MODE = netclient 193 | ``` 194 | 195 | Save and close the file. 196 | 197 | Edit the /etc/nut/upsmon.conf file to tell it which UPS to monitor. 
198 | 199 | ```bash 200 | sudo vi /etc/nut/upsmon.conf 201 | ``` 202 | 203 | Add a MONITOR line: 204 | 205 | - Change to the same value set in ups.conf in the server section above. 206 | 207 | - Change to the IP address of the NUT server. For the slave this is likely a non-localhost IP address. 208 | 209 | - Change to the port set in the upsd.conf file in the server section above. 210 | 211 | - Change to the password set in the upsd.users file in the server section above. 212 | 213 | ``` 214 | MONITOR @: 1 upsmon slave 215 | ``` 216 | 217 | Save and close the file. 218 | 219 | Enable and start the following: 220 | 221 | - nut-client - Monitors the server instance for UPS information. FYI: Under the hood this is just running nut-monitor so systemctl status might not show the correct name. 222 | 223 | ```bash 224 | sudo systemctl enable --now nut-client 225 | ``` 226 | 227 | See if the UPS is online: 228 | 229 | - Change to the same value set in ups.conf in the server section above. 230 | 231 | - Change to the IP address of the NUT server. For the secondary instance this should be a non-localhost address. 232 | 233 | - Change to the port set in the upsd.conf file in the server section above. 
234 | 235 | ```bash 236 | upsc @: 237 | ``` 238 | 239 | Your output should look similar to the following: 240 | 241 | ``` 242 | Init SSL without certificate database 243 | battery.charge: 74 244 | battery.runtime: 1167 245 | battery.runtime.low: 15 246 | battery.type: PbAC 247 | battery.voltage: 26.3 248 | battery.voltage.nominal: 24.0 249 | device.mfr: Tripp Lite 250 | device.model: Tripp Lite UPS 251 | device.type: ups 252 | driver.flag.ignorelb: enabled 253 | driver.name: usbhid-ups 254 | driver.parameter.pollfreq: 30 255 | driver.parameter.pollinterval: 2 256 | driver.parameter.port: auto 257 | driver.parameter.synchronous: no 258 | driver.version: 2.7.4 259 | driver.version.data: TrippLite HID 0.82 260 | driver.version.internal: 0.41 261 | input.frequency: 60.1 262 | input.voltage: 116.4 263 | output.frequency.nominal: 60 264 | output.voltage: 116.4 265 | output.voltage.nominal: 120 266 | ups.beeper.status: enabled 267 | ups.delay.shutdown: 20 268 | ups.load: 20 269 | ups.mfr: Tripp Lite 270 | ups.model: Tripp Lite UPS 271 | ups.power: 0.0 272 | ups.power.nominal: 1500 273 | ups.productid: 2012 274 | ups.status: OL CHRG 275 | ups.timer.reboot: 65535 276 | ups.timer.shutdown: 65535 277 | ups.vendorid: 09ae 278 | ups.watchdog.status: 0 279 | ``` 280 | 281 | -------------------------------------------------------------------------------- /prune_geth.md: -------------------------------------------------------------------------------- 1 | # Prune Geth 2 | 3 | **Instructions Compatibility: v1, v2** 4 | 5 | The following instructions apply to systems set up under both [v1](v1/) and [v2](v2/) of my installation instructions. 6 | 7 | ------ 8 | 9 | To prune the Geth database, use the following instructions. 10 | 11 | **Note:** Geth will be down while pruning. Prior to the merge, your validators will not be able to propose blocks while pruning. After the merge, your validator may be down entirely until the process is complete and Geth has been restarted. 
12 | 13 | ```console 14 | sudo systemctl stop geth 15 | sudo -u geth /usr/bin/geth --datadir /home/geth/.ethereum snapshot prune-state 16 | ``` 17 | 18 | This will take a long time. After it is complete, restart Geth's normal operation. 19 | 20 | ```console 21 | sudo systemctl start geth 22 | ``` 23 | 24 | Review the logs looking for any problems at start-up. Geth will need to sync back up to the head of the chain, which will also take some time. 25 | 26 | ```console 27 | sudo journalctl -fu geth 28 | ``` 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /prysm-medalla.md: -------------------------------------------------------------------------------- 1 | 2 | # Setup an Eth2 Validator System on Ubuntu 3 | These instructions represent my current process for setting up an Eth2 staking system on Ubuntu 20.04 LTS on an Intel NUC 10i5FNK with 512GB SSD and 16GB RAM. These instructions are primarily for my own purposes, so that I can recreate my environment if I need to. They are not intended to represent best practices and may not be applicable to your hardware, software, or network configuration. There are many other good sources for instructions on setting up these services, and those may be more generally written and applicable. 4 | 5 | Setup includes installation and configuration of the following services, including setting up systemd to automatically run services, where applicable: 6 | 7 | - Prysm Beacon Chain 8 | - Prysm Validator 9 | - geth 10 | - Prometheus 11 | - Grafana 12 | - node_exporter 13 | - blackbox_exporter 14 | - eth2stats 15 | 16 | Steps to install and configure all software have been copied from or inspired by a number of sources, which are cited at the end of this file. Discord discussions may have provided additional details or ideas. 
In addition, though I have never been a professional Linux administrator, I have many years of experience running Linux servers for a variety of public and private hobby projects, which may have informed some of my decisions, for better or worse. 17 | 18 | This process assumes starting from first login on a clean Ubuntu 20.04 LTS installation, and was last tested on August 1, 2020. 19 | 20 | ## Prerequisites 21 | 22 | ### Software Update 23 | After an initial install, it is a good idea to update everything to the latest versions. 24 | ```console 25 | sudo apt-get update 26 | sudo apt-get upgrade 27 | sudo apt-get dist-upgrade 28 | sudo apt-get autoremove 29 | sudo reboot 30 | ``` 31 | 32 | ### Set Time Zone 33 | Run the following command to see the list of time zones, then copy the appropriate time zone to your clipboard. 34 | ```console 35 | timedatectl list-timezones 36 | ``` 37 | 38 | Run the following command, replacing `` with the time zone you have copied onto your clipboard. 39 | ```console 40 | sudo timedatectl set-timezone 41 | ``` 42 | 43 | ### net-tools 44 | Installing net-tools in order to determine network device via ifconfig. 
45 | ```console 46 | sudo apt-get install net-tools 47 | ``` 48 | 49 | ### make 50 | ```console 51 | sudo apt-get install make 52 | ``` 53 | 54 | ## Prysm 55 | 56 | ### Create User Accounts 57 | ```console 58 | sudo adduser --home /home/beacon --disabled-password --gecos 'Ethereum 2 Beacon Chain' beacon 59 | sudo adduser --home /home/validator --disabled-password --gecos 'Ethereum 2 Validator' validator 60 | sudo -u beacon mkdir /home/beacon/bin 61 | sudo -u validator mkdir /home/validator/bin 62 | ``` 63 | 64 | ### Install prysm.sh 65 | 66 | ```console 67 | cd /home/validator/bin 68 | sudo -u validator curl https://raw.githubusercontent.com/prysmaticlabs/prysm/master/prysm.sh --output prysm.sh && sudo -u validator chmod +x prysm.sh 69 | cd /home/beacon/bin 70 | sudo -u beacon curl https://raw.githubusercontent.com/prysmaticlabs/prysm/master/prysm.sh --output prysm.sh && sudo -u beacon chmod +x prysm.sh 71 | ``` 72 | 73 | ### Set Up systemd Service File 74 | This sets up prysm.sh to automatically run on start. This file is slightly different than the version under the Building Prysm section. 75 | 76 | #### Beacon Chain 77 | ```console 78 | sudo nano /etc/systemd/system/beacon-chain.service 79 | ``` 80 | 81 | Copy and paste the following text into the beacon-chain.service file. 82 | 83 | ``` 84 | [Unit] 85 | Description=Ethereum 2 Beacon Chain 86 | After=network.target 87 | StartLimitIntervalSec=0 88 | 89 | [Service] 90 | Type=simple 91 | Restart=always 92 | RestartSec=5 93 | User=beacon 94 | ExecStart=/home/beacon/bin/prysm.sh beacon-chain --config-file /home/beacon/prysm-beacon.yaml 95 | 96 | [Install] 97 | WantedBy=multi-user.target 98 | Alias=beacon 99 | ``` 100 | 101 | #### Validator 102 | 103 | ```console 104 | sudo nano /etc/systemd/system/validator.service 105 | ``` 106 | 107 | Copy and paste the following text into the validator.service file. 
108 | 109 | ``` 110 | [Unit] 111 | Description=Ethereum 2 Validator 112 | Wants=beacon-chain.service 113 | After=beacon-chain.service 114 | StartLimitIntervalSec=0 115 | 116 | [Service] 117 | Type=simple 118 | Restart=always 119 | RestartSec=5 120 | User=validator 121 | ExecStart=/home/validator/bin/prysm.sh validator --config-file /home/validator/prysm-validator.yaml 122 | 123 | [Install] 124 | WantedBy=multi-user.target 125 | ``` 126 | 127 | ### Create Prysm Configuration Files 128 | 129 | #### prysm-beacon.yaml 130 | 131 | ```console 132 | sudo -u beacon nano /home/beacon/prysm-beacon.yaml 133 | ``` 134 | 135 | Copy and paste the following text into the prysm-beacon.yaml configuration file. 136 | 137 | 138 | ``` 139 | datadir: "/home/beacon/prysm" 140 | p2p-host-ip: "XXX.XXX.XXX.XXX" 141 | http-web3provider: "http://YYY.YYY.YYY.YYY:8545" 142 | monitoring-host: "0.0.0.0" 143 | p2p-tcp-port: 13000 144 | p2p-udp-port: 12000 145 | medalla: true 146 | accept-terms-of-use: true 147 | ``` 148 | 149 | - If you have a dynamic IP address, remove the `p2p-host-ip` line. 150 | Otherwise, update `XXX.XXX.XXX.XXX` to your external IP address. 151 | - Update `YYY.YYY.YYY.YYY` to the IP address of your Eth1 node. 152 | - The `p2p-tcp-port` and `p2p-udp-port` lines are optional if you use the 153 | default values of 13000 and 12000, respectively. 154 | - `medalla` can be changed to a different testnet. Mainnet instructions to be determined. 155 | 156 | 157 | Change permissions of the file. 158 | 159 | ```console 160 | sudo -u beacon chmod 600 /home/beacon/prysm-beacon.yaml 161 | ``` 162 | 163 | #### prysm-validator.yaml 164 | 165 | ```console 166 | sudo -u validator nano /home/validator/prysm-validator.yaml 167 | ``` 168 | 169 | Copy and paste the following text into the prysm-validator.yaml configuration file. 
170 | 171 | ``` 172 | monitoring-host: "0.0.0.0" 173 | graffiti: "YOUR_GRAFFITI_HERE" 174 | beacon-rpc-provider: "127.0.0.1:4000" 175 | wallet-password-file: "/home/validator/.eth2validators/wallet-password.txt" 176 | medalla: true 177 | accept-terms-of-use: true 178 | ``` 179 | 180 | - `graffiti` can be changed to whatever text you would prefer. 181 | - `medalla` can be changed to a different testnet. Mainnet instructions to be determined. 182 | 183 | Change permissions of the file. 184 | 185 | ```console 186 | sudo -u validator chmod 600 /home/validator/prysm-validator.yaml 187 | ``` 188 | 189 | ### Make Validator Deposits and Install Keys 190 | 191 | Follow the latest instructions at [medalla.launchpad.ethereum.org](https://medalla.launchpad.ethereum.org) or the correct launch pad for the network to which you will be connecting. 192 | 193 | Look for the latest eth2.0-deposit-cli [here](https://github.com/ethereum/eth2.0-deposit-cli/releases/download/v0.4.1/eth2deposit-cli-3f4a79a-linux-amd64.tar.gz). 194 | 195 | ```console 196 | cd 197 | wget https://github.com/ethereum/eth2.0-deposit-cli/releases/download/v0.4.1/eth2deposit-cli-3f4a79a-linux-amd64.tar.gz 198 | tar xzvf eth2deposit-cli-3f4a79a-linux-amd64.tar.gz 199 | mv eth2deposit-cli-3f4a79a-linux-amd64 eth2deposit-cli 200 | cd eth2deposit-cli 201 | ./deposit --num_validators NUMBER_OF_VALIDATORS --chain medalla 202 | ``` 203 | 204 | Change the `NUMBER_OF_VALIDATORS` to the number of validators you want to create. Follow the prompts and instructions. 205 | 206 | **BACKUP YOUR MNEMONIC AND PASSWORD!** 207 | 208 | The next step is to upload your deposit data file to the launchpad site. If you are using Ubuntu Server, you can either open up the deposit data file and copy it to a file on your desktop computer with the same name, or you can use scp or an equivalent tool to copy the deposit data to your desktop computer. 
209 | 210 | Follow the instructions by dragging and dropping the deposit file into the launchpad site. Then continue to follow the instructions until your deposit transaction is successful. 211 | 212 | ```console 213 | sudo -u validator /home/validator/bin/prysm.sh validator accounts-v2 import --keys-dir=$HOME/eth2deposit-cli/validator_keys 214 | ``` 215 | 216 | Follow the prompts. The default wallet directory should be `/home/validator/.eth2validators/prysm-wallet-v2`. Use the same password used when you were prompted for a password while running `./deposit.sh --num_validators NUMBER_OF_VALIDATORS --chain medalla`. 217 | 218 | Create a password file and make it readable only by the validator account. 219 | 220 | ```console 221 | sudo -u validator touch /home/validator/.eth2validators/wallet-password.txt && sudo chmod 600 /home/validator/.eth2validators/wallet-password.txt 222 | ``` 223 | 224 | Edit the file and put the password you entered into the `deposit.sh` tool into the `wallet-password.txt` file. 225 | 226 | ```console 227 | sudo nano /home/validator/.eth2validators/wallet-password.txt 228 | ``` 229 | 230 | Enter the password into the first line and save the file. 231 | 232 | 233 | ### Start Beacon Chain and Validator 234 | 235 | Start and enable the beacon chain and validator services. 236 | 237 | ```console 238 | sudo systemctl daemon-reload 239 | sudo systemctl start beacon-chain validator 240 | sudo systemctl enable beacon-chain validator 241 | ``` 242 | 243 | ## geth 244 | It is recommended that you run your own geth full node. For testnets, a default node is provided by Prysmatic Labs, but this may not be available for the mainnet launch. 
245 | 246 | ### Install geth 247 | 248 | ```console 249 | sudo add-apt-repository -y ppa:ethereum/ethereum 250 | sudo apt-get update 251 | sudo apt-get install ethereum 252 | ``` 253 | 254 | ### Create User Account 255 | 256 | ```console 257 | sudo adduser --home /home/geth --disabled-password --gecos 'Go Ethereum Client' geth 258 | ``` 259 | 260 | ### Set Up systemd Service File 261 | This sets up geth to automatically run on start. 262 | 263 | ```console 264 | sudo nano /etc/systemd/system/geth.service 265 | ``` 266 | 267 | Copy and paste the following text into the geth.service file. 268 | 269 | ``` 270 | [Unit] 271 | Description=Ethereum 1 Go Client 272 | StartLimitIntervalSec=0 273 | 274 | [Service] 275 | Type=simple 276 | Restart=always 277 | RestartSec=5 278 | User=geth 279 | WorkingDirectory=/home/geth 280 | ExecStart=/usr/bin/geth --goerli --http --http.addr 0.0.0.0 281 | 282 | [Install] 283 | WantedBy=multi-user.target 284 | ``` 285 | 286 | ### Start geth 287 | 288 | Start and enable the geth service. 289 | 290 | ```console 291 | sudo systemctl daemon-reload 292 | sudo systemctl start geth 293 | sudo systemctl enable geth 294 | ``` 295 | 296 | ## Monitoring 297 | The following will set up prometheus for collecting data, grafana for displaying dashboards, node_exporter for providing system data to prometheus, and blackbox_exporter for providing ping data to prometheus. 298 | 299 | node_exporter and blackbox_exporter are optional, though some charts on the dashboard provided may need to be removed if those tools are not used. The prometheus configuration file may also need to be updated. 300 | 301 | ### Prometheus 302 | #### Create User Account 303 | ```console 304 | sudo adduser --system prometheus --group --no-create-home 305 | ``` 306 | 307 | #### Install Prometheus 308 | 309 | Find the URL to the latest amd64 version of Prometheus at https://prometheus.io/download/. 
In the commands below, replace any references to version 2.21.0 with the latest version available. 310 | 311 | ```console 312 | cd 313 | wget https://github.com/prometheus/prometheus/releases/download/v2.21.0/prometheus-2.21.0.linux-amd64.tar.gz 314 | tar xzvf prometheus-2.21.0.linux-amd64.tar.gz 315 | cd prometheus-2.21.0.linux-amd64 316 | sudo cp promtool /usr/local/bin/ 317 | sudo cp prometheus /usr/local/bin/ 318 | sudo chown root.root /usr/local/bin/promtool /usr/local/bin/prometheus 319 | sudo chmod 755 /usr/local/bin/promtool /usr/local/bin/prometheus 320 | cd 321 | rm prometheus-2.21.0.linux-amd64.tar.gz 322 | ``` 323 | 324 | #### Configure Prometheus 325 | ```console 326 | sudo mkdir -p /etc/prometheus/console_libraries /etc/prometheus/consoles /etc/prometheus/files_sd /etc/prometheus/rules /etc/prometheus/rules.d 327 | ``` 328 | 329 | Copy and paste the following text into the prometheus.yml configuration file: 330 | 331 | ```console 332 | sudo nano /etc/prometheus/prometheus.yml 333 | ``` 334 | 335 | ``` 336 | global: 337 | scrape_interval: 15s 338 | 339 | scrape_configs: 340 | - job_name: 'prometheus' 341 | scrape_interval: 5s 342 | static_configs: 343 | - targets: ['127.0.0.1:9090'] 344 | - job_name: 'beacon' 345 | scrape_interval: 5s 346 | static_configs: 347 | - targets: ['127.0.0.1:8080'] 348 | - job_name: 'node_exporter' 349 | scrape_interval: 5s 350 | static_configs: 351 | - targets: ['127.0.0.1:9100'] 352 | - job_name: 'validator' 353 | scrape_interval: 5s 354 | static_configs: 355 | - targets: ['127.0.0.1:8081'] 356 | - job_name: 'ping_google' 357 | metrics_path: /probe 358 | params: 359 | module: [icmp] 360 | static_configs: 361 | - targets: 362 | - 8.8.8.8 363 | relabel_configs: 364 | - source_labels: [__address__] 365 | target_label: __param_target 366 | - source_labels: [__param_target] 367 | target_label: instance 368 | - target_label: __address__ 369 | replacement: 127.0.0.1:9115 # The blackbox exporter's real hostname:port. 
370 | - job_name: 'ping_cloudflare' 371 | metrics_path: /probe 372 | params: 373 | module: [icmp] 374 | static_configs: 375 | - targets: 376 | - 1.1.1.1 377 | relabel_configs: 378 | - source_labels: [__address__] 379 | target_label: __param_target 380 | - source_labels: [__param_target] 381 | target_label: instance 382 | - target_label: __address__ 383 | replacement: 127.0.0.1:9115 # The blackbox exporter's real hostname:port. 384 | ``` 385 | 386 | Change the ownership of the prometheus directory. 387 | 388 | ```console 389 | sudo chown -R prometheus.prometheus /etc/prometheus 390 | ``` 391 | 392 | #### Data Directory 393 | ```console 394 | sudo mkdir /var/lib/prometheus 395 | sudo chown prometheus.prometheus /var/lib/prometheus 396 | sudo chmod 755 /var/lib/prometheus 397 | ``` 398 | 399 | #### Set Up systemd Service 400 | ```console 401 | sudo nano /etc/systemd/system/prometheus.service 402 | ``` 403 | 404 | Copy and paste the following text into the prometheus.service file. 405 | ``` 406 | [Unit] 407 | Description=Prometheus 408 | Wants=network-online.target 409 | After=network-online.target 410 | 411 | [Service] 412 | User=prometheus 413 | Group=prometheus 414 | Type=simple 415 | Restart=always 416 | RestartSec=5 417 | ExecStart=/usr/local/bin/prometheus \ 418 | --config.file /etc/prometheus/prometheus.yml \ 419 | --storage.tsdb.path /var/lib/prometheus/ \ 420 | --web.console.templates=/etc/prometheus/consoles \ 421 | --web.console.libraries=/etc/prometheus/console_libraries 422 | 423 | [Install] 424 | WantedBy=multi-user.target 425 | ``` 426 | 427 | ```console 428 | sudo systemctl daemon-reload 429 | sudo systemctl start prometheus.service 430 | sudo systemctl enable prometheus.service 431 | ``` 432 | 433 | ### Grafana 434 | ```console 435 | cd 436 | sudo apt-get install -y apt-transport-https 437 | sudo apt-get install -y software-properties-common wget 438 | wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add - 439 | sudo add-apt-repository 
"deb https://packages.grafana.com/oss/deb stable main" 440 | sudo apt-get update 441 | sudo apt-get install grafana-enterprise 442 | ``` 443 | 444 | #### Setup systemd 445 | 446 | **Optional:** Edit the `grafana-server.service` file to add "grafana" as an alias to grafana server. I generally forget that the default name for this service is `grafana-server`. 447 | 448 | ``` 449 | sudo nano /lib/systemd/system/grafana-server.service 450 | ``` 451 | 452 | At the end of this file, in the `[Install]` section, add the following line: 453 | 454 | ``` 455 | Alias=grafana.service 456 | ``` 457 | 458 | Start the service. 459 | 460 | ```console 461 | sudo systemctl daemon-reload 462 | sudo systemctl start grafana-server 463 | sudo systemctl enable grafana-server 464 | ``` 465 | 466 | Login to grafana at http://XXX.XXX.XXX.XXX:3000/, replacing `XXX.XXX.XXX.XXX` with the IP address of your server. If you do not know the IP address, run `ifconfig`. 467 | 468 | Default username `admin`. Default password `admin`. Grafana will ask you to set a new password. 469 | 470 | #### Setup Prometheus Data Source 471 | 1. On the left-hand menu, hover over the gear menu and click on Data Sources. 472 | 2. Then click on the Add Data Source button. 473 | 3. Hover over the Prometheus card on screen, then click on the Select button. 474 | 4. Enter `http://127.0.0.1:9090/` into the URL field, then click Save & Test. 475 | 476 | #### Install Grafana Dashboard 477 | 1. Hover over the plus symbol icon in the left-hand menu, then click on Import. 478 | 2. Copy and paste the dashboard at [https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source.json](https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source.json) into the "Import via panel json" text box on the screen. 479 | 3. Then click the Load button. 480 | 4. Then click the Import button. 
481 | 482 | Note: At this point in the process, any widgets showing details from the validator will show "N/A", because the validator still has no keys configured. As soon as keys are configured for the validator, the validator details should begin to show up. 483 | 484 | #### Final Grafana Dashboard Configuration 485 | A few of the queries driving the Grafana dashboard may need different settings, depending on your hardware. 486 | 487 | ##### Network Traffic Configuration 488 | To ensure that network traffic is correctly reflected on your Grafana dashboard, update the network interface in the Network Traffic widget. Run the following command to find your Linux network device. 489 | 490 | ```console 491 | ifconfig 492 | ``` 493 | 494 | Output of the command should look like the following: 495 | ``` 496 | eno1: flags=4163 mtu 1500 497 | inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255 498 | inet6 fe80::1e69:7aff:fe63:14b0 prefixlen 64 scopeid 0x20 499 | ether 1c:69:7a:63:14:b0 txqueuelen 1000 (Ethernet) 500 | RX packets 238936 bytes 78487335 (78.4 MB) 501 | RX errors 0 dropped 1819 overruns 0 frame 0 502 | TX packets 257824 bytes 112513038 (112.5 MB) 503 | TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 504 | device interrupt 16 memory 0x96300000-96320000 505 | 506 | lo: flags=73 mtu 65536 507 | inet 127.0.0.1 netmask 255.0.0.0 508 | inet6 ::1 prefixlen 128 scopeid 0x10 509 | loop txqueuelen 1000 (Local Loopback) 510 | RX packets 39805 bytes 29126770 (29.1 MB) 511 | RX errors 0 dropped 0 overruns 0 frame 0 512 | TX packets 39805 bytes 29126770 (29.1 MB) 513 | TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 514 | ``` 515 | 516 | Of the two entries shown above, the first lists my IP address on the second line, network interface `eno1`. Find the entry that represents the network connection you want to monitor and copy the device name, which is the part before the colon on the first line of each entry. In my case the value is `eno1`. 
517 | 518 | 1. Go to the Grafana dashboard previously installed 519 | 2. Find the Network Traffic widget, and open the drop down that can be found by the Network Traffic title. 520 | 3. Click Edit. 521 | 4. There will be four references to `eno1` in the queries that appear. Replace all four with the name of the network interface you found in the `ifconfig` command. 522 | 523 | ### node_exporter 524 | #### Create User Account 525 | ```console 526 | sudo adduser --system node_exporter --group --no-create-home 527 | ``` 528 | 529 | #### Install node_exporter 530 | ```console 531 | cd 532 | wget https://github.com/prometheus/node_exporter/releases/download/v1.0.1/node_exporter-1.0.1.linux-amd64.tar.gz 533 | tar xzvf node_exporter-1.0.1.linux-amd64.tar.gz 534 | sudo cp node_exporter-1.0.1.linux-amd64/node_exporter /usr/local/bin/ 535 | sudo chown node_exporter:node_exporter /usr/local/bin/node_exporter 536 | rm node_exporter-1.0.1.linux-amd64.tar.gz 537 | ``` 538 | 539 | #### Set Up System Service 540 | ```console 541 | sudo nano /etc/systemd/system/node_exporter.service 542 | ``` 543 | 544 | Copy and paste the following text into the node_exporter.service file. 545 | 546 | ``` 547 | [Unit] 548 | Description=Node Exporter 549 | 550 | [Service] 551 | Type=simple 552 | Restart=always 553 | RestartSec=5 554 | User=node_exporter 555 | ExecStart=/usr/local/bin/node_exporter 556 | 557 | [Install] 558 | WantedBy=multi-user.target 559 | ``` 560 | 561 | ```console 562 | sudo systemctl daemon-reload 563 | sudo systemctl start node_exporter.service 564 | sudo systemctl enable node_exporter.service 565 | ``` 566 | 567 | ## Optional 568 | 569 | ### Install ntpd 570 | For now, I prefer to use ntpd over the default systemd-timesyncd for syncing my system clock to an official time source. 571 | 572 | From [this](https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04) tutorial on setting up time syncing on Ubuntu. 
573 | 574 | > Though timesyncd is fine for most purposes, some applications that 575 | > are very sensitive to even the slightest perturbations in time may be 576 | > better served by ntpd, as it uses more sophisticated techniques to 577 | > constantly and gradually keep the system time on track. 578 | 579 | ```console 580 | sudo apt-get install ntp 581 | ``` 582 | Update the NTP pool time server configuration to those that are geographically close to you. See [http://support.ntp.org/bin/view/Servers/NTPPoolServers](http://support.ntp.org/bin/view/Servers/NTPPoolServers) to find servers near you. 583 | 584 | ```console 585 | sudo nano /etc/ntp.conf 586 | ``` 587 | Look for lines that begin with `server` and replace the current values with the values you identified from ntp.org. 588 | 589 | Restart ntp. This will automatically shut down systemd-timesyncd, the default Ubuntu time syncing solution. 590 | 591 | ```console 592 | sudo systemctl restart ntp 593 | ``` 594 | 595 | ### blackbox_exporter 596 | I have used blackbox_exporter to provide [ping](https://en.wikipedia.org/wiki/Ping_(networking_utility)) time data between my staking system and two DNS providers. Data is sent to Prometheus and on to Grafana. I have not found a practical use for this yet, though I have seen some interesting short-term shifts in ping times to Google. Therefore, blackbox_exporter is optional. 597 | 598 | The Grafana dashboard in these instructions includes a panel with a ping time graph. If you choose not to install blackbox_exporter, simply remove that panel from your Grafana dashboard. It will not show data. 
599 | 600 | #### Create User Account 601 | ```console 602 | sudo adduser --system blackbox_exporter --group --no-create-home 603 | ``` 604 | 605 | #### Install blackbox_exporter 606 | ```console 607 | wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.17.0/blackbox_exporter-0.17.0.linux-amd64.tar.gz 608 | tar xvzf blackbox_exporter-0.17.0.linux-amd64.tar.gz 609 | sudo cp blackbox_exporter-0.17.0.linux-amd64/blackbox_exporter /usr/local/bin/ 610 | sudo chown blackbox_exporter.blackbox_exporter /usr/local/bin/blackbox_exporter 611 | sudo chmod 755 /usr/local/bin/blackbox_exporter 612 | ``` 613 | 614 | Allow blackbox_exporter to ping servers. 615 | ```console 616 | sudo setcap cap_net_raw+ep /usr/local/bin/blackbox_exporter 617 | ``` 618 | 619 | ```console 620 | rm blackbox_exporter-0.17.0.linux-amd64.tar.gz 621 | ``` 622 | 623 | #### Configure blackbox_exporter 624 | 625 | ```console 626 | sudo mkdir /etc/blackbox_exporter 627 | sudo chown blackbox_exporter.blackbox_exporter /etc/blackbox_exporter 628 | ``` 629 | 630 | ```console 631 | sudo nano /etc/blackbox_exporter/blackbox.yml 632 | ``` 633 | 634 | Copy and paste the following text into the blackbox.yml file. 635 | 636 | ``` 637 | modules: 638 | icmp: 639 | prober: icmp 640 | timeout: 10s 641 | icmp: 642 | preferred_ip_protocol: ipv4 643 | ``` 644 | 645 | Change ownership of the configuration file to the blackbox_exporter account. 646 | 647 | ```console 648 | sudo chown blackbox_exporter.blackbox_exporter /etc/blackbox_exporter/blackbox.yml 649 | ``` 650 | 651 | #### Set Up System Service 652 | `sudo nano /etc/systemd/system/blackbox_exporter.service` 653 | 654 | Copy and paste the following text into the blackbox_exporter.service file. 
655 | 656 | ``` 657 | [Unit] 658 | Description=Blackbox Exporter 659 | 660 | [Service] 661 | Type=simple 662 | Restart=always 663 | RestartSec=5 664 | User=blackbox_exporter 665 | ExecStart=/usr/local/bin/blackbox_exporter --config.file /etc/blackbox_exporter/blackbox.yml 666 | 667 | [Install] 668 | WantedBy=multi-user.target 669 | ``` 670 | 671 | ```console 672 | sudo systemctl daemon-reload 673 | sudo systemctl start blackbox_exporter.service 674 | sudo systemctl enable blackbox_exporter.service 675 | ``` 676 | 677 | ### eth2stats 678 | eth2stats reports some basic beacon chain statistics to eth2stats.io. This service may not be supported in the long term, but it can provide valuable information regarding the status of other staking systems. This can be helpful to determine whether a problem is isolated to your system or whether it is a network-wide problem. 679 | 680 | #### Create User Account 681 | ```console 682 | sudo adduser --system eth2stats --group --no-create-home 683 | ``` 684 | 685 | #### Install go 686 | ```console 687 | sudo apt-get install golang-1.14-go 688 | 689 | # Create a symlink from /usr/bin/go to the new go installation 690 | sudo ln -s /usr/lib/go-1.14/bin/go /usr/bin/go 691 | ``` 692 | 693 | #### Install eth2stats 694 | ```console 695 | cd 696 | git clone https://github.com/alethio/eth2stats-client 697 | cd ~/eth2stats-client 698 | make build 699 | sudo cp eth2stats-client /usr/local/bin 700 | sudo chown root.root /usr/local/bin/eth2stats-client 701 | sudo chmod 755 /usr/local/bin/eth2stats-client 702 | ``` 703 | 704 | #### Create Data Directory 705 | ```console 706 | sudo mkdir /var/lib/eth2stats 707 | sudo chown eth2stats.eth2stats /var/lib/eth2stats 708 | sudo chmod 755 /var/lib/eth2stats 709 | ``` 710 | 711 | #### Set Up System Service 712 | 713 | ```console 714 | sudo nano /etc/systemd/system/eth2stats.service 715 | ``` 716 | 717 | Copy and paste the following text into the eth2stats.service file. 
718 | 719 | ``` 720 | [Unit] 721 | Description=eth2stats 722 | After=beacon-chain.service 723 | StartLimitIntervalSec=0 724 | 725 | [Service] 726 | Type=simple 727 | Restart=always 728 | RestartSec=5 729 | WorkingDirectory=/var/lib/eth2stats/ 730 | User=eth2stats 731 | ExecStart=/usr/local/bin/eth2stats-client run --v --eth2stats.node-name="NODE_NAME" --eth2stats.addr="grpc.medalla.eth2stats.io:443" --beacon.metrics-addr="http://127.0.0.1:8080/metrics" --eth2stats.tls=true --beacon.type="prysm" --beacon.addr="127.0.0.1:4000" --data.folder=/var/lib/eth2stats 732 | 733 | [Install] 734 | WantedBy=multi-user.target 735 | ``` 736 | 737 | Replace `NODE_NAME` with the name you would like to appear on eth2stats.io. 738 | 739 | These instructions were written during the Medalla testnet. The command-line flag `--eth2stats.addr` may need to be updated to a new address for later testnets or the mainnet. 740 | 741 | ```console 742 | sudo systemctl daemon-reload 743 | sudo systemctl enable eth2stats.service 744 | sudo systemctl start eth2stats.service 745 | ``` 746 | 747 | ## Router Configuration 748 | You may need to configure your router to forward the following ports to your staking system. See your router documentation for details. 749 | 750 | Prysm Beacon Chain: 12000/udp 751 | Prysm Beacon Chain: 13000/tcp 752 | geth: 30303/udp 753 | geth: 30303/tcp 754 | 755 | 756 | ## Security 757 | ### SSH 758 | 759 | The following changes can be made to increase the security of SSH, but are not required. 760 | 761 | ```console 762 | sudo nano /etc/ssh/sshd_config 763 | ``` 764 | 765 | Add the following lines, but replacing with your login. You are not logging in to ssh with root, right? If you are, you probably don't want to add the `AllowUsers` and `PermitRootLogin` lines below. 766 | 767 | ``` 768 | AllowUsers 769 | PermitEmptyPasswords no 770 | PermitRootLogin no 771 | Protocol 2 772 | ``` 773 | 774 | **Optional:** I prefer to change the default SSH port to a non-standard port. 
Do not forget what you change this to. Find the following line, uncomment it by removing the "#", and replace "22" with your preferred port. 775 | 776 | ``` 777 | #Port 22 778 | ``` 779 | 780 | ```console 781 | sudo reboot 782 | ``` 783 | 784 | ### Firewall 785 | If your staking system is behind a router with a firewall, you may not want to add another level of firewall to your network security. This section may be skipped. 786 | 787 | The following commands set up the minimal firewall rules necessary to run the Prysm beacon-chain and geth. 788 | 789 | ```console 790 | # beacon chain 791 | sudo ufw allow 12000/udp 792 | sudo ufw allow 13000/tcp 793 | 794 | # geth 795 | sudo ufw allow 30303/tcp 796 | sudo ufw allow 30303/udp 797 | 798 | # grafana 799 | sudo ufw allow 3000/tcp 800 | ``` 801 | 802 | Run the following command to set up firewall rules for SSH. If you changed your default SSH port above, change the `22` in this command to the port you are using. 803 | 804 | ```console 805 | # ssh 806 | sudo ufw allow 22/tcp 807 | ``` 808 | 809 | Set up default firewall rules and enable the firewall. 810 | 811 | ```console 812 | # Defaults 813 | sudo ufw default deny incoming 814 | sudo ufw default allow outgoing 815 | sudo ufw enable 816 | ``` 817 | 818 | The following commands open up the remaining ports that are used by the software in this set of instructions. These ports are typically used only by other software internal to the staking system, and do not need to be opened on the firewall unless you would like direct access to some of the administrative/metrics pages, or if systems external to your staking system will be accessing services on your staking system. 819 | 820 | ```console 821 | # beacon chain 822 | # - This only needs to be enabled if external validators will be accessing this beacon chain. 823 | sudo ufw allow 4000/tcp 824 | 825 | # node_exporter 826 | # - This only needs to be enabled if you want to access node_exporter stats directly.
827 | sudo ufw allow 9100/tcp 828 | 829 | # geth 830 | # - This only needs to be enabled if external beacon chains will be accessing this geth full node. 831 | sudo ufw allow 8545/tcp 832 | 833 | # beacon-chain metrics 834 | # - This only needs to be enabled if you want to access beacon-chain stats directly. 835 | sudo ufw allow 8080/tcp 836 | 837 | # blackbox_exporter 838 | # - This only needs to be enabled if you want to access blackbox_exporter stats directly. 839 | sudo ufw allow 9115/tcp 840 | 841 | # prometheus 842 | # - This only needs to be enabled if you want to access prometheus directly. 843 | sudo ufw allow 9090/tcp 844 | ``` 845 | 846 | 847 | ## Future Updates 848 | 849 | There is at least one area where I may expand on my system configuration or instructions, but I have not pursued it yet. 850 | 851 | - SSH Key-Based Login 852 | - This seems to be a good security move, but it also seems to be the perfect way to get me locked out of my own system. I have never set this up before, but may look into it.
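The Firewall section above separates ports that must be reachable (peer-to-peer, Grafana, SSH) from ports meant only for software inside the staking system. The added example below, which is not part of the original instructions, reads `ufw status` output and flags internal-only ports that are open to any source; the function names and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `ufw status` ALLOW rules against this guide's port lists.

# Ports the guide opens in its minimal rule set (the SSH port is passed as an argument).
EXPECTED_PORTS="12000/udp 13000/tcp 30303/tcp 30303/udp 3000/tcp"
# Ports the guide describes as used only by software internal to the staking system.
INTERNAL_PORTS="4000/tcp 9100/tcp 8545/tcp 8080/tcp 9115/tcp 9090/tcp"

# audit_ufw [SSH_PORT]
# Reads `ufw status` output on stdin and prints "<verdict> <port> <source>" per ALLOW rule:
#   expected   - in the minimal rule set
#   exposed    - internal-only port allowed from Anywhere
#   restricted - internal-only port allowed from a specific source
#   unlisted   - port this guide never mentions
# Returns non-zero when at least one rule is "exposed".
# Only rules written as port/protocol (the form used in this guide) are examined.
audit_ufw() {
    ssh_port="${1:-22}"
    awk -v ok_list="$EXPECTED_PORTS $ssh_port/tcp" -v int_list="$INTERNAL_PORTS" '
        BEGIN {
            n = split(ok_list, a, " ");  for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(int_list, b, " "); for (i = 1; i <= n; i++) inner[b[i]] = 1
        }
        # Rule lines: "8545/tcp ALLOW Anywhere" or "8545/tcp (v6) ALLOW Anywhere (v6)"
        $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            f = ($2 == "(v6)") ? 3 : 2        # index of the Action column
            if ($f != "ALLOW") next
            src = $(f + 1)
            if ($1 in ok)               verdict = "expected"
            else if (!($1 in inner))    verdict = "unlisted"
            else if (src == "Anywhere") verdict = "exposed"
            else                        verdict = "restricted"
            if (verdict == "exposed") bad++
            print verdict, $1, src
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample of `ufw status` output (not captured from a real system).
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
12000/udp                  ALLOW       Anywhere
13000/tcp                  ALLOW       Anywhere
30303/tcp                  ALLOW       Anywhere
30303/udp                  ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
8545/tcp                   ALLOW       Anywhere
4000/tcp                   ALLOW       192.168.1.20
9090/tcp                   ALLOW       Anywhere
5432/tcp                   ALLOW       Anywhere
8545/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# Demonstration on the constructed sample.
sample_ufw_status | audit_ufw 22 || echo "internal-only ports are open to any source"
```

On a live system, pipe the real listing in with `sudo ufw status | audit_ufw 22`, replacing `22` with your SSH port if you changed it.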
853 | 854 | 855 | ## Sources/Inspiration 856 | Prysm: [https://docs.prylabs.network/docs/getting-started/](https://docs.prylabs.network/docs/getting-started/) 857 | 858 | Go: [https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/golang-1.14-go_1.14.2-1ubuntu1_arm64.deb.html](https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/golang-1.14-go_1.14.2-1ubuntu1_arm64.deb.html) 859 | 860 | Timezone: [https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/](https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/) 861 | 862 | Account creation and systemd setup: [https://github.com/attestantio/ubuntu-server](https://github.com/attestantio/ubuntu-server) 863 | 864 | eth2stats: [https://eth2stats.io/](https://eth2stats.io/) 865 | 866 | blackbox_exporter: [https://github.com/prometheus/blackbox_exporter](https://github.com/prometheus/blackbox_exporter) 867 | 868 | node_exporter: [https://github.com/prometheus/node_exporter](https://github.com/prometheus/node_exporter) 869 | 870 | Prometheus: [https://prometheus.io/docs/prometheus/latest/getting_started/](https://prometheus.io/docs/prometheus/latest/getting_started/) 871 | 872 | Grafana: [https://grafana.com/docs/grafana/latest/installation/debian/](https://grafana.com/docs/grafana/latest/installation/debian/) 873 | 874 | Dashboard: [https://github.com/metanull-operator/eth2-grafana](https://github.com/metanull-operator/eth2-grafana) 875 | 876 | systemd: [https://www.freedesktop.org/software/systemd/man/systemd.unit.html](https://www.freedesktop.org/software/systemd/man/systemd.unit.html) 877 | 878 | geth: [https://geth.ethereum.org/docs/install-and-build/installing-geth](https://geth.ethereum.org/docs/install-and-build/installing-geth) 879 | 880 | sshd: [https://blog.devolutions.net/2017/04/10-steps-to-secure-open-ssh](https://blog.devolutions.net/2017/04/10-steps-to-secure-open-ssh) 881 | 882 | ufw: 
[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04) 883 | 884 | ufw: [https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands) 885 | 886 | ntpd: [https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04) 887 | -------------------------------------------------------------------------------- /v1/README.md: -------------------------------------------------------------------------------- 1 | # Setup an Ethereum Mainnet Staking System on Ubuntu 2 | 3 | **Instructions Compatibility: v1** 4 | 5 | The following links apply to v1 of my installation instructions. v1 instructions were written for Ubuntu 20.04 LTS and have some naming/configuration differences from [v2](../v2/) instructions. Systems installed before July 19, 2022, were likely set up using v1 instructions. 6 | 7 | ------ 8 | 9 | - [Setup an Ethereum Mainnet Staking System on Ubuntu](setup.md) - v1 of my setup instructions to install and configure an Ethereum mainnet staking system using Prysm and Geth. 10 | - [Merge Updates for v1 Installations](merge_updates.md) - Prepare your v1 Prysm/Geth installation for the merge. 11 | - [Prune Geth](../prune_geth.md) - How to prune Geth to reduce disk usage. 12 | - [MEV-Boost: Mainnet](mev-boost.md) - How to set up MEV-Boost for mainnet for v1 installations. 
13 | 14 | -------------------------------------------------------------------------------- /v1/merge_updates.md: -------------------------------------------------------------------------------- 1 | 2 | # Prysm/Geth Merge Updates for v1 Installations 3 | 4 | **Instructions Compatibility: v1** 5 | 6 | The following instructions apply to systems set up under v1 of my installation instructions. v1 instructions were written for Ubuntu 20.04 LTS. Systems installed before July 19, 2022 were likely set up using v1 instructions. Instructions for v2 installations are available [here](../v2/). 7 | 8 | ------ 9 | 10 | These instructions are only directly applicable if you followed a pre-July 19, 2022 version of my instructions to set up a Prysm/Geth staking system. If you are configuring a new mainnet, merge-ready staking system from scratch, please use the [current version](../v2/) of my full staking instructions and not these merge update instructions. File locations, configuration locations, and service names may not match between the older versions of my instructions and the newer merge versions. 11 | 12 | The following changes are required to prepare Prysm/Geth for the merge: 13 | 14 | - Create a Shared Secret File for Prysm and Geth 15 | - After the merge, Prysm and Geth will use a secret to authenticate each other. 16 | - Update Geth Command Line Arguments 17 | - Add `authrpc.vhosts` to define the hosts allowed to connect 18 | - Add `authrpc.jwtsecret` to define the location of the secret 19 | - Update Prysm Configuration 20 | - Add `suggested-fee-recipient` to Prysm Beacon Chain configuration to provide a fallback address to which fees/tips should be sent. 21 | - Add `jwtsecret` to Prysm Beacon Chain configuration to define the location of the secret 22 | - Replace `http-web3provider` with `execution-endpoint` and port 8545 with port 8551 in the Prysm Beacon Chain configuration. 
23 | - Add `suggested-fee-recipient` to Prysm Validator configuration to provide an address to which fees/tips should be sent. 24 | - Update and Restart Services 25 | - Monitor Clients for Additional Updates Prior to the Merge 26 | - Keep Geth and Prysm updated to the latest official releases 27 | 28 | ## Create a Shared Secret for Prysm and Geth 29 | 30 | After the merge, Consensus Layer and Execution Layer clients will authenticate with one another using a shared secret. 31 | 32 | First, we create a new user group called `ethereum`. We are going to add the `geth` and `beacon` user accounts as members of the `ethereum` group. 33 | 34 | ```console 35 | sudo groupadd ethereum 36 | sudo usermod -a -G ethereum beacon 37 | sudo usermod -a -G ethereum geth 38 | ``` 39 | 40 | Next, we will create a folder in which we will put the secret. 41 | 42 | ```console 43 | sudo mkdir -p /srv/ethereum/secrets 44 | ``` 45 | 46 | Then we make the ethereum and secrets directories owned by the ethereum group with permissions to only be read by root or members of the ethereum group. 47 | 48 | ```console 49 | sudo chgrp -R ethereum /srv/ethereum/ /srv/ethereum/secrets 50 | sudo chmod 750 /srv/ethereum /srv/ethereum/secrets 51 | ``` 52 | 53 | Now create a secret. 54 | 55 | ```console 56 | sudo openssl rand -hex -out /srv/ethereum/secrets/jwtsecret 32 57 | ``` 58 | 59 | Change the `jwtsecret` file so that it is owned by the ethereum group with permissions to only be read by root or members of the ethereum group. 60 | 61 | ```console 62 | sudo chown root:ethereum /srv/ethereum/secrets/jwtsecret 63 | sudo chmod 640 /srv/ethereum/secrets/jwtsecret 64 | ``` 65 | 66 | ## Update Geth Command Line Arguments 67 | 68 | Edit the Geth service file and add `--authrpc.jwtsecret=/srv/ethereum/secrets/jwtsecret --authrpc.vhosts="*"` to the command line arguments for Geth.
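Before the secret is wired into Geth and Prysm, the file created above can be checked for the properties that section sets up: 64 hex characters, no access for other users on the file or its directory, and the expected group. This is an added example, not part of the original instructions; the function name `check_jwtsecret` is hypothetical.

```shell
#!/bin/sh
# Added example: verify the shared JWT secret file created in the steps above.

# check_jwtsecret FILE [GROUP]
# Succeeds only when:
#   - FILE exists and holds exactly 64 hex characters (32 bytes, as written by
#     `openssl rand -hex ... 32`),
#   - neither FILE nor its parent directory grants any permission to "other" users,
#   - FILE belongs to GROUP, when GROUP is given.
# The secret itself is never printed; only its length is reported.
check_jwtsecret() {
    f="$1"
    want_group="${2:-}"
    rc=0

    [ -f "$f" ] || { echo "missing: $f"; return 2; }

    # openssl writes the hex string followed by a newline; drop the newline only.
    secret=$(tr -d '\n' < "$f")
    case "$secret" in
        *[!0-9a-fA-F]*) echo "contains non-hex characters: $f"; rc=1 ;;
    esac
    if [ "${#secret}" -ne 64 ]; then
        echo "wrong length (${#secret} characters, expected 64): $f"
        rc=1
    fi

    # Characters 8-10 of the `ls -ld` mode string are the bits for "other".
    for p in "$f" "$(dirname "$f")"; do
        other=$(ls -ld "$p" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "accessible to other users ($other): $p"
            rc=1
        fi
    done

    # Optional group ownership check (the guide uses root:ethereum).
    if [ -n "$want_group" ]; then
        grp=$(ls -ld "$f" | awk '{print $4}')
        if [ "$grp" != "$want_group" ]; then
            echo "group is $grp, expected $want_group: $f"
            rc=1
        fi
    fi

    return $rc
}

# When run with arguments, check the given file, for example:
#   sudo sh check_jwtsecret.sh /srv/ethereum/secrets/jwtsecret ethereum
# (the script file name is an assumption)
if [ "$#" -gt 0 ]; then
    check_jwtsecret "$@"
fi
```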
69 | 70 | ```console 71 | sudo nano /etc/systemd/system/geth.service 72 | ``` 73 | 74 | Add `--authrpc.jwtsecret=/srv/ethereum/secrets/jwtsecret --authrpc.vhosts="*"` to the end of the `ExecStart` line. Afterward, your `ExecStart` line might look like the following 75 | 76 | ```console 77 | ExecStart=/usr/bin/geth --http --http.addr 0.0.0.0 --authrpc.jwtsecret=/srv/ethereum/secrets/jwtsecret --authrpc.vhosts="*" 78 | ``` 79 | 80 | - The `authrpc.vhosts` value can be modified to suit your security needs. 81 | 82 | ## Update Prysm Configuration 83 | 84 | Edit the Prysm Beacon configuration file... 85 | 86 | ```console 87 | sudo nano /home/beacon/prysm-beacon.yaml 88 | ``` 89 | 90 | ...and add the following lines... 91 | 92 | 93 | ``` 94 | suggested-fee-recipient: "0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" 95 | jwt-secret: "/srv/ethereum/secrets/jwtsecret" 96 | execution-endpoint: "http://127.0.0.1:8551/" 97 | ``` 98 | 99 | - Replace `0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` with an Ethereum address at which you will receive tips/fees. 100 | 101 | Remove the following line, because `http-web3provider` has been replaced with `execution-endpoint` inserted above, and port 8545 has been replaced with port 8551. 102 | 103 | ``` 104 | http-web3provider: "http://127.0.0.1:8545/" 105 | ``` 106 | 107 | Edit the Prysm Validator configuration file... 108 | 109 | ```console 110 | sudo nano /home/validator/prysm-validator.yaml 111 | ``` 112 | 113 | ...and add the following line... 114 | 115 | ``` 116 | suggested-fee-recipient: "0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" 117 | ``` 118 | 119 | - Replace `0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` with an Ethereum address at which you will receive tips/fees. 120 | 121 | ## Update and Restart Services 122 | 123 | ### Update Prysm 124 | 125 | Your Prysm installation should update on its own after restarting using the following commands. Review logs for errors. 
126 | 127 | ```console 128 | sudo systemctl daemon-reload 129 | sudo systemctl restart beacon-chain ; sudo journalctl -fu beacon-chain 130 | sudo systemctl restart validator ; sudo journalctl -fu validator 131 | ``` 132 | 133 | ### Update Geth 134 | 135 | To update Geth: 136 | 137 | ```console 138 | sudo apt-get update 139 | sudo systemctl stop geth 140 | sudo apt-get upgrade ethereum 141 | sudo systemctl start geth 142 | ``` 143 | 144 | Monitor Geth logs for errors and warnings: 145 | 146 | ```console 147 | sudo journalctl -fu geth 148 | ``` 149 | 150 | If you have completed all of these steps, you should be merge-ready! 151 | 152 | ## Monitor Clients for Additional Updates Prior to the Merge 153 | 154 | Please keep up to date on Geth and Prysm releases prior to the merge in case there are any bug releases. Use the following commands to update software as needed. 155 | 156 | ### Update Geth 157 | 158 | To update Geth: 159 | 160 | ```console 161 | sudo apt-get update 162 | sudo systemctl stop geth 163 | sudo apt-get upgrade ethereum 164 | sudo systemctl start geth 165 | ``` 166 | 167 | Monitor Geth logs for errors and warnings: 168 | 169 | ```console 170 | sudo journalctl -fu geth 171 | ``` 172 | 173 | ### Update Prysm 174 | 175 | To update Prysm and view the logs: 176 | 177 | ```console 178 | sudo systemctl restart beacon-chain ; sudo journalctl -fu beacon-chain 179 | sudo systemctl restart validator ; sudo journalctl -fu validator 180 | ``` 181 | 182 | Restart the Prysm beacon and monitor logs for any trouble connecting to Geth. 183 | 184 | -------------------------------------------------------------------------------- /v1/mev-boost.md: -------------------------------------------------------------------------------- 1 | ## MEV-Boost: Mainnet 2 | 3 | **Instructions Compatibility: v1** 4 | 5 | The following instructions apply to systems set up under v1 of my installation instructions. v1 instructions were written for Ubuntu 20.04 LTS. 
Systems installed before July 19, 2022 were likely set up using v1 instructions. Instructions for v2 installations are available [here](../v2/mev-boost.md). 6 | 7 | ------ 8 | 9 | These instructions will help you install and configure [MEV-Boost](https://github.com/flashbots/mev-boost) for a mainnet, merge-ready [Prysm](https://github.com/prysmaticlabs/prysm/) installation. 10 | 11 | ## Install Go 12 | 13 | Compiling MEV-Boost requires Go version 1.18 or higher. 14 | 15 | Run the following to check your current version. 16 | 17 | ```console 18 | go version 19 | ``` 20 | 21 | If Go is not at least version 1.18 or if Go is not installed... 22 | 23 | ```console 24 | cd 25 | wget https://go.dev/dl/go1.19.linux-amd64.tar.gz 26 | sudo rm -rf /usr/local/go 27 | sudo tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz 28 | sudo ln -s /usr/local/go/bin/go /usr/bin/go 29 | rm go1.19.linux-amd64.tar.gz 30 | ``` 31 | 32 | Verify that you are now running Go 1.18+ by running the following command. 33 | 34 | ```console 35 | go version 36 | ``` 37 | 38 | ## MEV-Boost Installation 39 | 40 | ### MEV-Boost User Account 41 | 42 | Create a user account in which to run MEV-Boost. 43 | 44 | ```console 45 | sudo adduser --home /home/mev-boost --disabled-password --gecos 'MEV-Boost Relay' mev-boost 46 | ``` 47 | 48 | Create a directory to store the `mev-boost` binary. 49 | 50 | - `-u mev-boost` runs the command as the mev-boost user so we don't have to change the directory permissions to the `mev-boost` user later on. 51 | 52 | ```console 53 | sudo -u mev-boost mkdir /home/mev-boost/bin 54 | ``` 55 | 56 | ### Install MEV-Boost 57 | 58 | Install the latest release of MEV-Boost using `go install`. This will install into your user directories. 
59 | 60 | ```console 61 | cd 62 | go install github.com/flashbots/mev-boost@latest 63 | ``` 64 | 65 | ### Install MEV-Boost 66 | 67 | Copy the `mev-boost` binary to the `bin` directory of the `mev-boost` account, and change the ownership of the binary to the `mev-boost` account. 68 | 69 | ```console 70 | sudo cp ~/go/bin/mev-boost /home/mev-boost/bin 71 | sudo chown mev-boost:mev-boost /home/mev-boost/bin/mev-boost 72 | ``` 73 | 74 | ### Configure MEV-Boost to Run as System Service 75 | 76 | Create a systemd service file to start the MEV-Boost service. 77 | 78 | ```console 79 | sudo nano /etc/systemd/system/mev-boost.service 80 | ``` 81 | 82 | Add the following lines to the mev-boost service file. The `ExecStart` line includes two relays, Flashbots and bloXroute. You can remove one or the other to suit your ethical inclinations. 83 | 84 | ``` 85 | [Unit] 86 | Description=MEV-Boost Relay 87 | StartLimitIntervalSec=0 88 | Wants=network-online.target 89 | After=network-online.target 90 | 91 | [Service] 92 | Type=simple 93 | Restart=always 94 | RestartSec=5 95 | User=mev-boost 96 | WorkingDirectory=/home/mev-boost 97 | ExecStart=/home/mev-boost/bin/mev-boost \ 98 | -mainnet \ 99 | -relay-check \ 100 | -relays https://0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net,https://0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118@bloxroute.ethical.blxrbdn.com,https://0xa1559ace749633b997cb3fdacffb890aeebdb0f5a3b6aaa7eeeaf1a38af0a8fe88b9e4b1f61f236d2e64d95733327a62@relay.ultrasound.money 101 | 102 | [Install] 103 | WantedBy=multi-user.target 104 | ``` 105 | 106 | Enable MEV-Boost as a system service so that it automatically starts when the system boots, and start it now. 107 | 108 | ``` 109 | sudo systemctl enable --now mev-boost 110 | ``` 111 | 112 | Check the logs for success. 
113 | 114 | ```console 115 | sudo journalctl -fu mev-boost.service 116 | ``` 117 | 118 | If successful, the logs should look something like the following. 119 | 120 | ``` 121 | Sep 05 23:38:56 nuc systemd[1]: Started MEV-Boost Relay. 122 | Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="mev-boost v0.8.2-5-ge9b82f5" module=cli 123 | Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="Using genesis fork version: 0x00000000" module=cli 124 | Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="using 2 relays" module=cli relays="[{0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae https://0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net} {0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118 https://0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118@bloxroute.ethical.blxrbdn.com}]" 125 | Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="Checking relay" module=service relay="https://0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net" 126 | Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="Checking relay" module=service relay="https://0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118@bloxroute.ethical.blxrbdn.com" 127 | Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="listening on localhost:18550" module=cli 128 | ``` 129 | 130 | You can check the status of the MEV-Boost service with the `systemctl status` command. 
131 | 132 | ```console 133 | sudo systemctl status mev-boost 134 | ``` 135 | 136 | The output will look similar to the following. 137 | 138 | ``` 139 | ● mev-boost.service - MEV-Boost Relay 140 | Loaded: loaded (/etc/systemd/system/mev-boost.service; enabled; vendor preset: enabled) 141 | Active: active (running) since Mon 2022-09-05 23:57:06 MDT; 20s ago 142 | Main PID: 59985 (mev-boost) 143 | Tasks: 10 (limit: 38085) 144 | Memory: 7.4M 145 | CGroup: /system.slice/mev-boost.service 146 | └─59985 /home/mev-boost/bin/mev-boost -mainnet -relay-check -relays https://0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net,https://0xad0a8bb54565c2211cee576363f3> 147 | ``` 148 | 149 | This will be followed by the last few log lines. 150 | 151 | Be sure to look for the following: 152 | 153 | - The `Loaded` line says `enabled` instead of `disabled`. This means that the MEV-Boost service will start on system boot 154 | - The `Active` line says `active (running)` which means the MEV-Boost service appears to be running currently 155 | 156 | ## Update Prysm Configuration 157 | 158 | ### Beacon Chain 159 | 160 | Edit the Prysm Beacon Chain configuration file to configure communication with MEV-Boost. 161 | 162 | ```console 163 | sudo nano /home/beacon/prysm-beacon.yaml 164 | ``` 165 | 166 | Add the following line to that file. 167 | 168 | ```console 169 | http-mev-relay: "http://127.0.0.1:18550" 170 | ``` 171 | 172 | Restart the Prysm beacon chain client and review the logs. 173 | 174 | ```console 175 | sudo systemctl restart beacon-chain; sudo journalctl -fu beacon-chain 176 | ``` 177 | 178 | If successful, the logs should include lines similar to the following. 
179 | 180 | ``` 181 | Sep 05 23:40:46 nuc beacon-chain-v3.0.0[59788]: time="2022-09-05 23:40:46" level=info msg="Builder has been configured" endpoint="http://127.0.0.1:18550" 182 | Sep 05 23:40:46 nuc beacon-chain-v3.0.0[59788]: time="2022-09-05 23:40:46" level=warning msg="Outsourcing block construction to external builders adds non-trivial delay to block propagation time. Builder-constructed blocks or fallback blocks may get orphaned. Use at your own risk!" 183 | ``` 184 | 185 | ### Validator 186 | 187 | Edit the Prysm Validator configuration file to configure registration of validators. 188 | 189 | ```console 190 | sudo nano /home/validator/prysm-validator.yaml 191 | ``` 192 | 193 | Add the following line to that file. 194 | 195 | ```console 196 | enable-builder: true 197 | ``` 198 | 199 | Restart the Prysm validator client and review the logs. 200 | 201 | ```console 202 | sudo systemctl restart validator; sudo journalctl -fu validator 203 | ``` 204 | 205 | If successful, the logs should include a line similar to the following: 206 | 207 | ```console 208 | Sep 13 16:11:55 nuc prysm.sh[67775]: time="2022-09-13 16:11:55" level=info msg="Submitted builder validator registration settings for custom builders" prefix=validator 209 | ``` 210 | 211 | ## Updating MEV-Boost 212 | 213 | Monitor MEV-Boost releases [here](https://github.com/flashbots/mev-boost/releases). When a new release is available, use the following instructions to update. 214 | 215 | Download the latest release. 216 | 217 | ```console 218 | cd 219 | go install github.com/flashbots/mev-boost@latest 220 | ``` 221 | 222 | Stop the `mev-boost` service. 223 | 224 | ```console 225 | sudo systemctl stop mev-boost 226 | ``` 227 | 228 | Copy the `mev-boost` binary to the `bin` directory of the `mev-boost` account, and change the ownership of the binary to the `mev-boost` account. Changing ownership should not be necessary if you followed the original installation instructions.
229 | 230 | ```console 231 | sudo cp ~/go/bin/mev-boost /home/mev-boost/bin 232 | sudo chown mev-boost:mev-boost /home/mev-boost/bin/mev-boost 233 | ``` 234 | 235 | Start MEV-Boost and monitor logs. 236 | 237 | ```console 238 | sudo systemctl start mev-boost; sudo journalctl -fu mev-boost 239 | ``` 240 | 241 | See example of logs from the installation section above. 242 | -------------------------------------------------------------------------------- /v1/setup.md: -------------------------------------------------------------------------------- 1 | # Setup an Ethereum Mainnet Staking System on Ubuntu 2 | 3 | **Instruction Compatibility: v1** 4 | 5 | These are v1 of my installation instructions. v1 instructions were written for Ubuntu 20.04 LTS. Systems installed before July 19, 2022, were likely set up using v1 instructions. Instructions for v2 installations can be found [here](../v2/setup.md). 6 | 7 | # Setup an Eth2 Mainnet Validator System on Ubuntu 8 | 9 | This document contains instructions for setting up an Eth2 mainnet staking system. 10 | 11 | These instructions have been developed to configure an Eth2 mainnet staking system using Ubuntu 20.04 LTS on an Intel NUC 10i5FNK with 2TB SSD and 32GB RAM. These instructions are primarily for my own purposes, so that I can recreate my environment if I need to. They are not intended to represent best practices and may not be applicable to your hardware, software, or network configuration. There are many other good sources for instructions on setting up these services, and those may be more generally written and applicable. 
12 | 13 | Setup includes installation and configuration of the following services, including setting up systemd to automatically run services, where applicable: 14 | 15 | - Prysm Beacon Chain 16 | - Prysm Validator 17 | - geth 18 | - Prometheus 19 | - Grafana 20 | - node_exporter 21 | - blackbox_exporter 22 | - json_exporter 23 | 24 | Steps to install and configure all software have been copied from or inspired by a number of sources, which are cited at the end of this file. Discord discussions may have provided additional details or ideas. In addition, though I have never been a professional Linux administrator, I have many years of experience running Linux servers for a variety of public and private hobby projects, which may have informed some of my decisions, for better or worse. 25 | 26 | This process assumes starting from first login on a clean Ubuntu 20.04 LTS installation, and was last tested on August 1, 2020. 27 | 28 | ## Prerequisites 29 | 30 | ### BIOS Update 31 | If you have not updated the BIOS on your system, find and follow the manufacturer instructions for updating the BIOS. An updated BIOS may improve system performance or repair issues with your system. Instructions will vary depending on the hardware you are using, but the following links should direct Intel NUC users to appropriate instructions. 32 | 33 | - [2018 and earlier NUC BIOS Update Instructions](https://www.intel.com/content/www/us/en/support/articles/000005636/intel-nuc.html) 34 | - [2019 and later NUC BIOS Update Instructions](https://www.intel.com/content/www/us/en/support/articles/000033291/intel-nuc.html) 35 | 36 | ### Configure Behavior After Power Failure 37 | After a power failure, you may want your staking system to automatically restart and resume staking. Unfortunately, this is not the default behavior of many systems. Please check your system documentation to determine how to change this behavior in the system BIOS. For an Intel NUC, please check the following instructions.
38 | 39 | - [Can Intel NUC Mini PCs turn on automatically as soon as a power source is connected?](https://www.intel.com/content/www/us/en/support/articles/000054773/intel-nuc.html) 40 | 41 | ### Software Update 42 | After an initial install, it is a good idea to update everything to the latest versions. 43 | ```console 44 | sudo apt-get update 45 | sudo apt-get upgrade 46 | sudo apt-get dist-upgrade 47 | sudo apt-get autoremove 48 | sudo reboot 49 | ``` 50 | 51 | ### Set Time Zone 52 | Run the following command to see the list of time zones, then copy the appropriate time zone to your clipboard. 53 | ```console 54 | timedatectl list-timezones 55 | ``` 56 | 57 | Run the following command, replacing `` with the time zone you have copied onto your clipboard. 58 | ```console 59 | sudo timedatectl set-timezone 60 | ``` 61 | 62 | ### net-tools 63 | Installing net-tools in order to determine network device via ifconfig. 64 | ```console 65 | sudo apt-get install net-tools 66 | ``` 67 | 68 | ### make 69 | ```console 70 | sudo apt-get install make 71 | ``` 72 | 73 | ### curl 74 | Ubuntu Desktop users may need to install curl to continue. 75 | ```console 76 | sudo apt-get install curl 77 | ``` 78 | 79 | ## geth 80 | A geth full node is required to provide access to deposits made to the deposit contract. It could take many days for geth to sync, so start this process immediately. 81 | 82 | ### Install geth 83 | 84 | ```console 85 | sudo add-apt-repository -y ppa:ethereum/ethereum 86 | sudo apt-get update 87 | sudo apt-get install ethereum 88 | ``` 89 | 90 | ### Create User Account 91 | 92 | ```console 93 | sudo adduser --home /home/geth --disabled-password --gecos 'Go Ethereum Client' geth 94 | ``` 95 | 96 | ### Set Up systemd Service File 97 | This sets up geth to automatically run on start. 98 | 99 | ```console 100 | sudo nano /etc/systemd/system/geth.service 101 | ``` 102 | 103 | Copy and paste the following text into the geth.service file. 
104 | 105 | ``` 106 | [Unit] 107 | Description=Ethereum 1 Go Client 108 | StartLimitIntervalSec=0 109 | 110 | [Service] 111 | Type=simple 112 | Restart=always 113 | RestartSec=5 114 | User=geth 115 | WorkingDirectory=/home/geth 116 | ExecStart=/usr/bin/geth --http --http.addr 0.0.0.0 117 | 118 | [Install] 119 | WantedBy=multi-user.target 120 | ``` 121 | 122 | ### Start geth 123 | 124 | Start and enable the geth service. 125 | 126 | ```console 127 | sudo systemctl daemon-reload 128 | sudo systemctl start geth 129 | sudo systemctl enable geth 130 | ``` 131 | 132 | ## Prysm 133 | 134 | ### Create User Accounts 135 | ```console 136 | sudo adduser --home /home/beacon --disabled-password --gecos 'Ethereum 2 Beacon Chain' beacon 137 | sudo adduser --home /home/validator --disabled-password --gecos 'Ethereum 2 Validator' validator 138 | sudo -u beacon mkdir /home/beacon/bin 139 | sudo -u validator mkdir /home/validator/bin 140 | ``` 141 | 142 | ### Install prysm.sh 143 | 144 | ```console 145 | cd /home/validator/bin 146 | sudo -u validator curl https://raw.githubusercontent.com/prysmaticlabs/prysm/master/prysm.sh --output prysm.sh && sudo -u validator chmod +x prysm.sh 147 | cd /home/beacon/bin 148 | sudo -u beacon curl https://raw.githubusercontent.com/prysmaticlabs/prysm/master/prysm.sh --output prysm.sh && sudo -u beacon chmod +x prysm.sh 149 | ``` 150 | 151 | ### Set Up systemd Service File 152 | This sets up prysm.sh to automatically run on start. This file is slightly different than the version under the Building Prysm section. 153 | 154 | #### Beacon Chain 155 | ```console 156 | sudo nano /etc/systemd/system/beacon-chain.service 157 | ``` 158 | 159 | Copy and paste the following text into the beacon-chain.service file.
160 | 161 | ``` 162 | [Unit] 163 | Description=Ethereum 2 Beacon Chain 164 | After=network.target 165 | StartLimitIntervalSec=0 166 | 167 | [Service] 168 | Type=simple 169 | Restart=always 170 | RestartSec=5 171 | User=beacon 172 | ExecStart=/home/beacon/bin/prysm.sh beacon-chain --config-file /home/beacon/prysm-beacon.yaml 173 | 174 | [Install] 175 | WantedBy=multi-user.target 176 | Alias=beacon 177 | ``` 178 | 179 | #### Validator 180 | 181 | ```console 182 | sudo nano /etc/systemd/system/validator.service 183 | ``` 184 | 185 | Copy and paste the following text into the validator.service file. 186 | 187 | ``` 188 | [Unit] 189 | Description=Ethereum 2 Validator 190 | Wants=beacon-chain.service 191 | After=beacon-chain.service 192 | StartLimitIntervalSec=0 193 | 194 | [Service] 195 | Type=simple 196 | Restart=always 197 | RestartSec=5 198 | User=validator 199 | ExecStart=/home/validator/bin/prysm.sh validator --config-file /home/validator/prysm-validator.yaml 200 | 201 | [Install] 202 | WantedBy=multi-user.target 203 | ``` 204 | 205 | ### Create Prysm Configuration Files 206 | 207 | #### prysm-beacon.yaml 208 | 209 | ```console 210 | sudo -u beacon nano /home/beacon/prysm-beacon.yaml 211 | ``` 212 | 213 | Copy and paste the following text into the prysm-beacon.yaml configuration file. 214 | 215 | 216 | ``` 217 | datadir: "/home/beacon/prysm" 218 | p2p-host-ip: "XXX.XXX.XXX.XXX" 219 | http-web3provider: "http://YYY.YYY.YYY.YYY:8545" 220 | monitoring-host: "0.0.0.0" 221 | p2p-tcp-port: 13000 222 | p2p-udp-port: 12000 223 | accept-terms-of-use: true 224 | ``` 225 | 226 | - If you have a dynamic IP address, remove the `p2p-host-ip` line. 227 | Otherwise, update `XXX.XXX.XXX.XXX` to your external IP address. 228 | - Update `YYY.YYY.YYY.YYY` to the IP address of your Eth1 node. 229 | - The `p2p-tcp-port` and `p2p-udp-port` lines are optional if you use the 230 | default values of 13000 and 12000, respectively. 231 | 232 | Change permissions of the file. 
233 | 234 | ```console 235 | sudo -u beacon chmod 600 /home/beacon/prysm-beacon.yaml 236 | ``` 237 | 238 | #### prysm-validator.yaml 239 | 240 | ```console 241 | sudo -u validator nano /home/validator/prysm-validator.yaml 242 | ``` 243 | 244 | Copy and paste the following text into the prysm-validator.yaml configuration file. 245 | 246 | ``` 247 | monitoring-host: "0.0.0.0" 248 | graffiti: "YOUR_GRAFFITI_HERE" 249 | beacon-rpc-provider: "127.0.0.1:4000" 250 | wallet-password-file: "/home/validator/.eth2validators/wallet-password.txt" 251 | accept-terms-of-use: true 252 | ``` 253 | 254 | - `graffiti` can be changed to whatever text you would prefer. 255 | 256 | Change permissions of the file. 257 | 258 | ```console 259 | sudo -u validator chmod 600 /home/validator/prysm-validator.yaml 260 | ``` 261 | 262 | ### Make Validator Deposits and Install Keys 263 | 264 | Follow the latest instructions at [launchpad.ethereum.org](https://launchpad.ethereum.org) or the correct launch pad for the network to which you will be connecting. 265 | 266 | Look for the latest eth2.0-deposit-cli [here](https://github.com/ethereum/eth2.0-deposit-cli/releases/). 267 | 268 | ```console 269 | cd 270 | wget https://github.com/ethereum/eth2.0-deposit-cli/releases/download/v1.0.0/eth2deposit-cli-9310de0-linux-amd64.tar.gz 271 | tar xzvf eth2deposit-cli-9310de0-linux-amd64.tar.gz 272 | mv eth2deposit-cli-9310de0-linux-amd64 eth2deposit-cli 273 | cd eth2deposit-cli 274 | ./deposit new-mnemonic --num_validators NUMBER_OF_VALIDATORS --chain mainnet 275 | ``` 276 | 277 | Change the `NUMBER_OF_VALIDATORS` to the number of validators you want to create. Follow the prompts and instructions. 278 | 279 | **BACKUP YOUR MNEMONIC AND PASSWORD!** 280 | 281 | The next step is to upload your deposit data file to the launchpad site. 
If you are using Ubuntu Server, you can either open up the deposit data file and copy it to a file on your desktop computer with the same name, or you can use scp or an equivalent tool to copy the deposit data to your desktop computer. 282 | 283 | Follow the instructions by dragging and dropping the deposit file into the launchpad site. Then continue to follow the instructions until your deposit transaction is successful. 284 | 285 | ```console 286 | sudo -u validator /home/validator/bin/prysm.sh validator accounts import --keys-dir=$HOME/eth2deposit-cli/validator_keys 287 | ``` 288 | 289 | Follow the prompts. The default wallet directory should be `/home/validator/.eth2validators/prysm-wallet-v2`. Use the same password used when you were prompted for a password while running `./deposit new-mnemonic --num_validators NUMBER_OF_VALIDATORS --chain mainnet`. 290 | 291 | Create a password file and make it readable only to the validator account. 292 | 293 | ```console 294 | sudo -u validator touch /home/validator/.eth2validators/wallet-password.txt && sudo chmod 600 /home/validator/.eth2validators/wallet-password.txt 295 | ``` 296 | 297 | Edit the file and put the password you entered into the `deposit` tool into the `wallet-password.txt` file. 298 | 299 | ```console 300 | sudo nano /home/validator/.eth2validators/wallet-password.txt 301 | ``` 302 | 303 | Enter the password into the first line and save the file. 304 | 305 | 306 | ### Start Beacon Chain and Validator 307 | 308 | Start and enable the beacon chain and validator services. 309 | 310 | ```console 311 | sudo systemctl daemon-reload 312 | sudo systemctl start beacon-chain validator 313 | sudo systemctl enable beacon-chain validator 314 | ``` 315 | 316 | ## Monitoring 317 | The following will set up prometheus for collecting data, grafana for displaying dashboards, node_exporter for providing system data to prometheus, and blackbox_exporter for providing ping data to prometheus.
318 | 319 | node_exporter and blackbox_exporter are optional, though some charts on the dashboard provided may need to be removed if those tools are not used. The prometheus configuration file may also need to be updated. 320 | 321 | ### Prometheus 322 | #### Create User Account 323 | ```console 324 | sudo adduser --system prometheus --group --no-create-home 325 | ``` 326 | 327 | #### Install Prometheus 328 | 329 | Find the URL to the latest amd64 version of Prometheus at https://prometheus.io/download/. In the commands below, replace any references to the version 2.23.0 to the latest version available. 330 | 331 | ```console 332 | cd 333 | wget https://github.com/prometheus/prometheus/releases/download/v2.23.0/prometheus-2.23.0.linux-amd64.tar.gz 334 | tar xzvf prometheus-2.23.0.linux-amd64.tar.gz 335 | cd prometheus-2.23.0.linux-amd64 336 | sudo cp promtool /usr/local/bin/ 337 | sudo cp prometheus /usr/local/bin/ 338 | sudo chown root:root /usr/local/bin/promtool /usr/local/bin/prometheus 339 | sudo chmod 755 /usr/local/bin/promtool /usr/local/bin/prometheus 340 | cd 341 | rm prometheus-2.23.0.linux-amd64.tar.gz 342 | ``` 343 | 344 | #### Configure Prometheus 345 | ```console 346 | sudo mkdir -p /etc/prometheus/console_libraries /etc/prometheus/consoles /etc/prometheus/files_sd /etc/prometheus/rules /etc/prometheus/rules.d 347 | ``` 348 | 349 | Copy and paste the following text into the prometheus.yml configuration file: 350 | 351 | ```console 352 | sudo nano /etc/prometheus/prometheus.yml 353 | ``` 354 | 355 | ``` 356 | global: 357 | scrape_interval: 15s 358 | 359 | scrape_configs: 360 | - job_name: 'prometheus' 361 | scrape_interval: 5s 362 | static_configs: 363 | - targets: ['127.0.0.1:9090'] 364 | - job_name: 'beacon node' 365 | scrape_interval: 5s 366 | static_configs: 367 | - targets: ['127.0.0.1:8080'] 368 | - job_name: 'node_exporter' 369 | scrape_interval: 5s 370 | static_configs: 371 | - targets: ['127.0.0.1:9100'] 372 | - job_name: 'validator' 373 | 
scrape_interval: 5s 374 | static_configs: 375 | - targets: ['127.0.0.1:8081'] 376 | - job_name: 'ping_google' 377 | metrics_path: /probe 378 | params: 379 | module: [icmp] 380 | static_configs: 381 | - targets: 382 | - 8.8.8.8 383 | relabel_configs: 384 | - source_labels: [__address__] 385 | target_label: __param_target 386 | - source_labels: [__param_target] 387 | target_label: instance 388 | - target_label: __address__ 389 | replacement: 127.0.0.1:9115 # The blackbox exporter's real hostname:port. 390 | - job_name: 'ping_cloudflare' 391 | metrics_path: /probe 392 | params: 393 | module: [icmp] 394 | static_configs: 395 | - targets: 396 | - 1.1.1.1 397 | relabel_configs: 398 | - source_labels: [__address__] 399 | target_label: __param_target 400 | - source_labels: [__param_target] 401 | target_label: instance 402 | - target_label: __address__ 403 | replacement: 127.0.0.1:9115 # The blackbox exporter's real hostname:port. 404 | - job_name: json_exporter 405 | static_configs: 406 | - targets: 407 | - 127.0.0.1:7979 408 | - job_name: json 409 | metrics_path: /probe 410 | static_configs: 411 | - targets: 412 | - https://api.coingecko.com/api/v3/simple/price?ids=ethereum&vs_currencies=usd 413 | relabel_configs: 414 | - source_labels: [__address__] 415 | target_label: __param_target 416 | - source_labels: [__param_target] 417 | target_label: instance 418 | - target_label: __address__ 419 | replacement: 127.0.0.1:7979 420 | ``` 421 | 422 | Change the ownership of the prometheus directory. 423 | 424 | ```console 425 | sudo chown -R prometheus:prometheus /etc/prometheus 426 | ``` 427 | 428 | #### Data Directory 429 | ```console 430 | sudo mkdir /var/lib/prometheus 431 | sudo chown prometheus:prometheus /var/lib/prometheus 432 | sudo chmod 755 /var/lib/prometheus 433 | ``` 434 | 435 | #### Set Up systemd Service 436 | ```console 437 | sudo nano /etc/systemd/system/prometheus.service 438 | ``` 439 | 440 | Copy and paste the following text into the prometheus.service file. 
441 | ``` 442 | [Unit] 443 | Description=Prometheus 444 | Wants=network-online.target 445 | After=network-online.target 446 | 447 | [Service] 448 | User=prometheus 449 | Group=prometheus 450 | Type=simple 451 | Restart=always 452 | RestartSec=5 453 | ExecStart=/usr/local/bin/prometheus \ 454 | --config.file /etc/prometheus/prometheus.yml \ 455 | --storage.tsdb.path /var/lib/prometheus/ \ 456 | --storage.tsdb.retention.time=31d \ 457 | --web.console.templates=/etc/prometheus/consoles \ 458 | --web.console.libraries=/etc/prometheus/console_libraries 459 | 460 | [Install] 461 | WantedBy=multi-user.target 462 | ``` 463 | 464 | ```console 465 | sudo systemctl daemon-reload 466 | sudo systemctl start prometheus.service 467 | sudo systemctl enable prometheus.service 468 | ``` 469 | 470 | ### Grafana 471 | ```console 472 | cd 473 | sudo apt-get install -y apt-transport-https 474 | sudo apt-get install -y software-properties-common wget 475 | wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add - 476 | sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main" 477 | sudo apt-get update 478 | sudo apt-get install grafana-enterprise 479 | ``` 480 | 481 | #### Setup systemd 482 | 483 | **Optional:** Edit the `grafana-server.service` file to add "grafana" as an alias to grafana server. I generally forget that the default name for this service is `grafana-server`. 484 | 485 | ``` 486 | sudo nano /lib/systemd/system/grafana-server.service 487 | ``` 488 | 489 | At the end of this file, in the `[Install]` section, add the following line: 490 | 491 | ``` 492 | Alias=grafana.service 493 | ``` 494 | 495 | Start the service. 496 | 497 | ```console 498 | sudo systemctl daemon-reload 499 | sudo systemctl start grafana-server 500 | sudo systemctl enable grafana-server 501 | ``` 502 | 503 | Login to grafana at http://XXX.XXX.XXX.XXX:3000/, replacing `XXX.XXX.XXX.XXX` with the IP address of your server. If you do not know the IP address, run `ifconfig`. 
504 | 505 | Default username `admin`. Default password `admin`. Grafana will ask you to set a new password. 506 | 507 | #### Setup Prometheus Data Source 508 | 1. On the left-hand menu, hover over the gear menu and click on Data Sources. 509 | 2. Then click on the Add Data Source button. 510 | 3. Hover over the Prometheus card on screen, then click on the Select button. 511 | 4. Enter `http://127.0.0.1:9090/` into the URL field, then click Save & Test. 512 | 513 | #### Install Grafana Dashboard 514 | 1. Hover over the plus symbol icon in the left-hand menu, then click on Import. 515 | 2. Copy and paste the dashboard at [https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source-beacon_node.json](https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source-beacon_node.json) into the "Import via panel json" text box on the screen. If you used an older version of these instructions, where the Prometheus configuration file uses the beacon node job name of "beacon" instead of "beacon node", please [use this dashboard](https://raw.githubusercontent.com/metanull-operator/eth2-grafana/master/eth2-grafana-dashboard-single-source.json) instead for backwards compatibility. 516 | 3. Then click the Load button. 517 | 4. Then click the Import button. 518 | 519 | Note: At this point in the process, any widgets showing details from the validator will show "N/A", because the validator still has no keys configured. As soon as keys are configured for the validator, the validator details should begin to show up. 520 | 521 | #### Final Grafana Dashboard Configuration 522 | A few of the queries driving the Grafana dashboard may need different settings, depending on your hardware. 523 | 524 | ##### Network Traffic Configuration 525 | To ensure that network traffic is correctly reflected on your Grafana dashboard, update the network interface in the Network Traffic widget.
Run the following command to find your Linux network device. 526 | 527 | ```console 528 | ifconfig 529 | ``` 530 | 531 | Output of the command should look like the following: 532 | ``` 533 | eno1: flags=4163 mtu 1500 534 | inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255 535 | inet6 fe80::1e69:7aff:fe63:14b0 prefixlen 64 scopeid 0x20 536 | ether 1c:69:7a:63:14:b0 txqueuelen 1000 (Ethernet) 537 | RX packets 238936 bytes 78487335 (78.4 MB) 538 | RX errors 0 dropped 1819 overruns 0 frame 0 539 | TX packets 257824 bytes 112513038 (112.5 MB) 540 | TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 541 | device interrupt 16 memory 0x96300000-96320000 542 | 543 | lo: flags=73 mtu 65536 544 | inet 127.0.0.1 netmask 255.0.0.0 545 | inet6 ::1 prefixlen 128 scopeid 0x10 546 | loop txqueuelen 1000 (Local Loopback) 547 | RX packets 39805 bytes 29126770 (29.1 MB) 548 | RX errors 0 dropped 0 overruns 0 frame 0 549 | TX packets 39805 bytes 29126770 (29.1 MB) 550 | TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 551 | ``` 552 | 553 | Of the two entries shown above, the first lists my IP address on the second line, network interface `eno1`. Find the entry that represents the network connection you want to monitor and copy the device name, which is the part before the colon on the first line of each entry. In my case the value is `eno1`. 554 | 555 | 1. Go to the Grafana dashboard previously installed. 556 | 2. Find the Network Traffic widget, and open the drop down that can be found by the Network Traffic title. 557 | 3. Click Edit. 558 | 4. There will be four references to `eno1` in the queries that appear. Replace all four with the name of the network interface you found in the `ifconfig` command.
559 | 560 | ### node_exporter 561 | #### Create User Account 562 | ```console 563 | sudo adduser --system node_exporter --group --no-create-home 564 | ``` 565 | 566 | #### Install node_exporter 567 | ```console 568 | cd 569 | wget https://github.com/prometheus/node_exporter/releases/download/v1.0.1/node_exporter-1.0.1.linux-amd64.tar.gz 570 | tar xzvf node_exporter-1.0.1.linux-amd64.tar.gz 571 | sudo cp node_exporter-1.0.1.linux-amd64/node_exporter /usr/local/bin/ 572 | sudo chown node_exporter:node_exporter /usr/local/bin/node_exporter 573 | rm node_exporter-1.0.1.linux-amd64.tar.gz 574 | ``` 575 | 576 | #### Set Up System Service 577 | ```console 578 | sudo nano /etc/systemd/system/node_exporter.service 579 | ``` 580 | 581 | Copy and paste the following text into the node_exporter.service file. 582 | 583 | ``` 584 | [Unit] 585 | Description=Node Exporter 586 | 587 | [Service] 588 | Type=simple 589 | Restart=always 590 | RestartSec=5 591 | User=node_exporter 592 | ExecStart=/usr/local/bin/node_exporter 593 | 594 | [Install] 595 | WantedBy=multi-user.target 596 | ``` 597 | 598 | ```console 599 | sudo systemctl daemon-reload 600 | sudo systemctl start node_exporter.service 601 | sudo systemctl enable node_exporter.service 602 | ``` 603 | 604 | ### json_exporter 605 | 606 | #### Install go 607 | Install go, if you haven't already. 
608 | 609 | ```console 610 | sudo apt-get install golang-1.14-go 611 | 612 | # Create a symlink from /usr/bin/go to the new go installation 613 | sudo ln -s /usr/lib/go-1.14/bin/go /usr/bin/go 614 | ``` 615 | 616 | #### Create User Account 617 | ```console 618 | sudo adduser --system json_exporter --group --no-create-home 619 | ``` 620 | 621 | #### Install json_exporter 622 | ```console 623 | cd 624 | git clone https://github.com/prometheus-community/json_exporter.git 625 | cd json_exporter 626 | make build 627 | sudo cp json_exporter /usr/local/bin/ 628 | sudo chown json_exporter:json_exporter /usr/local/bin/json_exporter 629 | ``` 630 | 631 | #### Configure json_exporter 632 | 633 | ```console 634 | sudo mkdir /etc/json_exporter 635 | sudo chown json_exporter:json_exporter /etc/json_exporter 636 | ``` 637 | 638 | ```console 639 | sudo nano /etc/json_exporter/json_exporter.yml 640 | ``` 641 | 642 | Copy and paste the following text into the json_exporter.yml file. 643 | 644 | ``` 645 | metrics: 646 | - name: ethusd 647 | path: "{.ethereum.usd}" 648 | help: Ethereum (ETH) price in USD 649 | ``` 650 | 651 | Change ownership of the configuration file to the json_exporter account. 652 | 653 | ```console 654 | sudo chown json_exporter:json_exporter /etc/json_exporter/json_exporter.yml 655 | ``` 656 | 657 | #### Set Up System Service 658 | ```console 659 | sudo nano /etc/systemd/system/json_exporter.service 660 | ``` 661 | 662 | Copy and paste the following text into the json_exporter.service file.
663 | 664 | ``` 665 | [Unit] 666 | Description=JSON Exporter 667 | 668 | [Service] 669 | Type=simple 670 | Restart=always 671 | RestartSec=5 672 | User=json_exporter 673 | ExecStart=/usr/local/bin/json_exporter --config.file /etc/json_exporter/json_exporter.yml 674 | 675 | [Install] 676 | WantedBy=multi-user.target 677 | ``` 678 | 679 | ```console 680 | sudo systemctl daemon-reload 681 | sudo systemctl start json_exporter.service 682 | sudo systemctl enable json_exporter.service 683 | ``` 684 | 685 | 686 | ## Optional 687 | 688 | ### Install ntpd 689 | For now, I prefer to use ntpd over the default systemd-timesyncd for syncing my system clock to an official time source. 690 | 691 | From [this](https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04) tutorial on setting up time syncing on Ubuntu. 692 | 693 | > Though timesyncd is fine for most purposes, some applications that 694 | > are very sensitive to even the slightest perturbations in time may be 695 | > better served by ntpd, as it uses more sophisticated techniques to 696 | > constantly and gradually keep the system time on track. 697 | 698 | ```console 699 | sudo apt-get install ntp 700 | ``` 701 | Update the NTP pool time server configuration to those that are geographically close to you. See [http://support.ntp.org/bin/view/Servers/NTPPoolServers](http://support.ntp.org/bin/view/Servers/NTPPoolServers) to find servers near you. 702 | 703 | ```console 704 | sudo nano /etc/ntp.conf 705 | ``` 706 | Look for lines that begin with `server` and replace the current values with the values you identified from ntp.org. 707 | 708 | Restart ntp. This will automatically shut down systemd-timesyncd, the default Ubuntu time syncing solution. 
709 | 710 | ```console 711 | sudo systemctl restart ntp 712 | ``` 713 | 714 | ### blackbox_exporter 715 | I have used blackbox_exporter to provide [ping](https://en.wikipedia.org/wiki/Ping_(networking_utility)) time data between my staking system and two DNS providers. Data is sent to Prometheus and on to Grafana. I have not found a practical use for this yet, though I have seen some interesting short-term shifts in ping times to Google. Therefore, blackbox_exporter is optional. 716 | 717 | The Grafana dashboard in these instructions includes a panel with a ping time graph. If you choose not to install blackbox_exporter, simply remove that panel from your Grafana dashboard. It will not show data. 718 | 719 | #### Create User Account 720 | ```console 721 | sudo adduser --system blackbox_exporter --group --no-create-home 722 | ``` 723 | 724 | #### Install blackbox_exporter 725 | ```console 726 | cd 727 | wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.18.0/blackbox_exporter-0.18.0.linux-amd64.tar.gz 728 | tar xvzf blackbox_exporter-0.18.0.linux-amd64.tar.gz 729 | sudo cp blackbox_exporter-0.18.0.linux-amd64/blackbox_exporter /usr/local/bin/ 730 | sudo chown blackbox_exporter:blackbox_exporter /usr/local/bin/blackbox_exporter 731 | sudo chmod 755 /usr/local/bin/blackbox_exporter 732 | ``` 733 | 734 | Allow blackbox_exporter to ping servers. 735 | ```console 736 | sudo setcap cap_net_raw+ep /usr/local/bin/blackbox_exporter 737 | ``` 738 | 739 | ```console 740 | rm blackbox_exporter-0.18.0.linux-amd64.tar.gz 741 | ``` 742 | 743 | #### Configure blackbox_exporter 744 | 745 | ```console 746 | sudo mkdir /etc/blackbox_exporter 747 | sudo chown blackbox_exporter:blackbox_exporter /etc/blackbox_exporter 748 | ``` 749 | 750 | ```console 751 | sudo nano /etc/blackbox_exporter/blackbox.yml 752 | ``` 753 | 754 | Copy and paste the following text into the blackbox.yml file. 
755 | 756 | ``` 757 | modules: 758 | icmp: 759 | prober: icmp 760 | timeout: 10s 761 | icmp: 762 | preferred_ip_protocol: ipv4 763 | ``` 764 | 765 | Change ownership of the configuration file to the blackbox_exporter account. 766 | 767 | ```console 768 | sudo chown blackbox_exporter:blackbox_exporter /etc/blackbox_exporter/blackbox.yml 769 | ``` 770 | 771 | #### Set Up System Service 772 | `sudo nano /etc/systemd/system/blackbox_exporter.service` 773 | 774 | Copy and paste the following text into the blackbox_exporter.service file. 775 | 776 | ``` 777 | [Unit] 778 | Description=Blackbox Exporter 779 | 780 | [Service] 781 | Type=simple 782 | Restart=always 783 | RestartSec=5 784 | User=blackbox_exporter 785 | ExecStart=/usr/local/bin/blackbox_exporter --config.file /etc/blackbox_exporter/blackbox.yml 786 | 787 | [Install] 788 | WantedBy=multi-user.target 789 | ``` 790 | 791 | ```console 792 | sudo systemctl daemon-reload 793 | sudo systemctl start blackbox_exporter.service 794 | sudo systemctl enable blackbox_exporter.service 795 | ``` 796 | 797 | ## Router Configuration 798 | You may need to configure your router to forward the following ports to your staking system. See your router documentation for details. 799 | 800 | Prysm Beacon Chain: 12000/udp 801 | Prysm Beacon Chain: 13000/tcp 802 | geth: 30303/udp 803 | geth: 30303/tcp 804 | 805 | 806 | ## Security 807 | ### SSH 808 | 809 | The following changes can be made to increase the security of SSH, but are not required. 810 | 811 | ```console 812 | sudo nano /etc/ssh/sshd_config 813 | ``` 814 | 815 | Add the following lines, but replacing with your login. You are not logging in to ssh with root, right? If you are, you probably don't want to add the `AllowUsers` and `PermitRootLogin` lines below. 816 | 817 | ``` 818 | AllowUsers 819 | PermitEmptyPasswords no 820 | PermitRootLogin no 821 | Protocol 2 822 | ``` 823 | 824 | **Optional:** I prefer to change the default SSH port to a non-standard port. 
Do not forget what you change this to. Find the following line, uncomment it by removing the "#", and replace "22" with your preferred port. 825 | 826 | ``` 827 | #Port 22 828 | ``` 829 | 830 | ```console 831 | sudo reboot 832 | ``` 833 | 834 | ### Firewall 835 | If your staking system is behind a router with a firewall, you may not want to add another level of firewall to your network security. This section may be skipped. 836 | 837 | The following commands set up the minimal firewall rules necessary to run the Prysm beacon-chain and geth. 838 | 839 | ```console 840 | # beacon chain 841 | sudo ufw allow 12000/udp 842 | sudo ufw allow 13000/tcp 843 | 844 | # geth 845 | sudo ufw allow 30303/tcp 846 | sudo ufw allow 30303/udp 847 | 848 | # grafana 849 | sudo ufw allow 3000/tcp 850 | ``` 851 | 852 | Run the following command to set up firewall rules for SSH. If you changed your default SSH port above, change the `22` in this command to the port you are using. 853 | 854 | ```console 855 | # ssh 856 | sudo ufw allow 22/tcp 857 | ``` 858 | 859 | Set up default firewall rules and enable the firewall. 860 | 861 | ```console 862 | # Defaults 863 | sudo ufw default deny incoming 864 | sudo ufw default allow outgoing 865 | sudo ufw enable 866 | ``` 867 | 868 | The following commands open up the remaining ports that are used by the software in this set of instructions. These ports are typically used only by other software internal to the staking system, and do not need to be opened on the firewall unless you would like direct access to some of the administrative/metrics pages, or if systems external to your staking system will be accessing services on your staking system. 869 | 870 | ```console 871 | # beacon chain 872 | # - This only needs to be enabled if external validators will be accessing this beacon chain. 873 | sudo ufw allow 4000/tcp 874 | 875 | # node_exporter 876 | # - This only needs to be enabled if you want to access node_exporter stats directly.
877 | sudo ufw allow 9100/tcp 878 | 879 | # geth 880 | # - This only needs to be enabled if external beacon chains will be accessing this geth full node. 881 | sudo ufw allow 8545/tcp 882 | 883 | # beacon-chain metrics 884 | # - This only needs to be enabled if you want to access beacon-chain stats directly. 885 | sudo ufw allow 8080/tcp 886 | 887 | # blackbox_exporter 888 | # - This only needs to be enabled if you want to access blackbox_exporter stats directly. 889 | sudo ufw allow 9115/tcp 890 | 891 | # prometheus 892 | # - This only needs to be enabled if you want to access prometheus directly. 893 | sudo ufw allow 9090/tcp 894 | 895 | # json_exporter 896 | # - This only needs to be enabled if you want to access json_exporter stats directly. 897 | sudo ufw allow 7979/tcp 898 | ``` 899 | ## Common Commands 900 | The following are some common commands you may want to use while running this setup. 901 | 902 | ### Service Statuses 903 | To see the status of system services: 904 | 905 | ```console 906 | sudo systemctl status beacon-chain 907 | sudo systemctl status validator 908 | sudo systemctl status geth 909 | sudo systemctl status prometheus 910 | sudo systemctl status grafana-server 911 | sudo systemctl status node_exporter 912 | sudo systemctl status blackbox_exporter 913 | sudo systemctl status json_exporter 914 | ``` 915 | 916 | Or, to see the status of all at once: 917 | ```console 918 | sudo systemctl status beacon-chain validator geth prometheus grafana-server node_exporter blackbox_exporter json_exporter 919 | ``` 920 | ### Service Logs 921 | To watch the logs in real time: 922 | 923 | ```console 924 | sudo journalctl -u beacon-chain -f 925 | sudo journalctl -u validator -f 926 | sudo journalctl -u geth -f 927 | sudo journalctl -u prometheus -f 928 | sudo journalctl -u grafana-server -f 929 | sudo journalctl -u node_exporter -f 930 | sudo journalctl -u blackbox_exporter -f 931 | sudo journalctl -u json_exporter -f 932 | ``` 933 | ### Restarting
Services 934 | To restart a service: 935 | 936 | ```console 937 | sudo systemctl restart beacon-chain 938 | sudo systemctl restart validator 939 | sudo systemctl restart geth 940 | sudo systemctl restart prometheus 941 | sudo systemctl restart grafana-server 942 | sudo systemctl restart node_exporter 943 | sudo systemctl restart blackbox_exporter 944 | sudo systemctl restart json_exporter 945 | ``` 946 | 947 | ### Stopping Services 948 | Stopping a service is separate from disabling a service. Stopping a service stops the current execution of the server, but does not prohibit the service from starting again after a system reboot. If you intend for the service to stop running and to not restart after a reboot, you will want to stop and disable a service. 949 | 950 | To stop a service: 951 | 952 | ```console 953 | sudo systemctl stop beacon-chain 954 | sudo systemctl stop validator 955 | sudo systemctl stop geth 956 | sudo systemctl stop prometheus 957 | sudo systemctl stop grafana-server 958 | sudo systemctl stop node_exporter 959 | sudo systemctl stop blackbox_exporter 960 | sudo systemctl stop json_exporter 961 | ``` 962 | 963 | **Important:** If you intend to stop the beacon chain and validator in order to run these services on a different system, stop the services using the instructions in this section, and disable these services following the instructions in the next section. You will be at risk of losing funds through slashing if you accidentally validate the same keys on two different systems, and failing to disable the services may result in your beacon chain and validator running again after a system reboot. 
964 | 965 | ### Disabling Services 966 | To disable a service so that it no longer starts automatically after a reboot: 967 | 968 | ```console 969 | sudo systemctl disable beacon-chain 970 | sudo systemctl disable validator 971 | sudo systemctl disable geth 972 | sudo systemctl disable prometheus 973 | sudo systemctl disable grafana-server 974 | sudo systemctl disable node_exporter 975 | sudo systemctl disable blackbox_exporter 976 | sudo systemctl disable json_exporter 977 | ``` 978 | 979 | ### Enabling Services 980 | To re-enable a service that has been disabled: 981 | 982 | ```console 983 | sudo systemctl enable beacon-chain 984 | sudo systemctl enable validator 985 | sudo systemctl enable geth 986 | sudo systemctl enable prometheus 987 | sudo systemctl enable grafana-server 988 | sudo systemctl enable node_exporter 989 | sudo systemctl enable blackbox_exporter 990 | sudo systemctl enable json_exporter 991 | ``` 992 | ### Starting Services 993 | Re-enabling a service will not necessarily start the service as well. To start a service that is stopped: 994 | 995 | ```console 996 | sudo systemctl start beacon-chain 997 | sudo systemctl start validator 998 | sudo systemctl start geth 999 | sudo systemctl start prometheus 1000 | sudo systemctl start grafana-server 1001 | sudo systemctl start node_exporter 1002 | sudo systemctl start blackbox_exporter 1003 | sudo systemctl start json_exporter 1004 | ``` 1005 | 1006 | ### Upgrading Prysm 1007 | Upgrading the Prysm beacon chain and validator clients is as easy as restarting the service when running the prysm.sh script as we are in these instructions. To upgrade to the latest release, simply restart the services. Use the commands above to check the log files of both the beacon chain and validator. If any important command line flags have changed, a notice should appear in the logs. Even better, read the release notes in advance of an upgrade.
1008 | 1009 | ```console 1010 | sudo systemctl restart beacon-chain 1011 | sudo systemctl restart validator 1012 | ``` 1013 | 1014 | ### Changing systemd Service Files 1015 | If you edit any of the systemd service files in `/etc/systemd/system` or another location, run the following command prior to restarting the affected service: 1016 | 1017 | ```console 1018 | sudo systemctl daemon-reload 1019 | ``` 1020 | Then restart the affected service: 1021 | ```console 1022 | sudo systemctl restart SERVICE_NAME 1023 | ``` 1024 | 1025 | - Replace SERVICE_NAME with the name of the service for which the service file was updated. For example, `sudo systemctl restart beacon-chain`. 1026 | 1027 | ### Updating Prysm Options 1028 | To update the configuration options of the beacon chain or validator, edit the Prysm configuration file located in the home directories for the services. 1029 | 1030 | ```console 1031 | sudo nano /home/validator/prysm-validator.yaml 1032 | sudo nano /home/beacon/prysm-beacon.yaml 1033 | ``` 1034 | 1035 | Then restart the services: 1036 | 1037 | ```console 1038 | sudo systemctl restart validator 1039 | sudo systemctl restart beacon-chain 1040 | ``` 1041 | 1042 | ## Future Updates 1043 | 1044 | There is at least one area where I may expand on my system configuration or instructions, but I have not pursued it yet. 1045 | 1046 | - SSH Key-Based Login 1047 | - This seems to be a good security move, but it also seems to be the perfect way to get me locked out of my own system. I have never set this up before, but may look into it.
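Added example, not part of the original instructions: a file-level check of the `sshd_config` settings from the SSH section above (`AllowUsers`, `PermitEmptyPasswords`, `PermitRootLogin`, `Port`), plus `PasswordAuthentication`, the directive a key-based login setup turns off once keys work. The sample configuration and the `staker` account name are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the settings this guide lists.
# Limitations: "Include" files are not followed and "Match" blocks are not evaluated.

# sshd_values FILE KEYWORD
# Print every global value of KEYWORD, in file order. Keywords are
# case-insensitive, and everything after the first "Match" line is conditional,
# so parsing stops there.
sshd_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t=]+/)           # keyword/value separator
            if (n == 0) next                     # keyword with no value
            key = tolower(substr(line, 1, n - 1))
            if (key == "match") exit
            if (key == want) print substr(line, n + RLENGTH)
        }
    ' "$1"
}

# sshd_ports FILE
# Port may be given several times; with no Port line sshd listens on 22.
# The result is the port the "ufw allow .../tcp" rule for SSH has to match.
sshd_ports() {
    ports=$(sshd_values "$1" Port | tr '\n' ' ')
    ports=${ports% }
    printf '%s\n' "${ports:-22}"
}

# audit_sshd FILE
# Print one line per finding; return 0 when nothing is flagged, 1 otherwise.
# For single-valued keywords sshd keeps the first value it reads (head -n 1).
audit_sshd() {
    file=$1
    findings=0

    v=$(sshd_values "$file" PermitRootLogin | head -n 1)
    if [ "$v" != "no" ]; then
        echo "FLAG PermitRootLogin is '${v:-unset}'; the guide sets it to no"
        findings=$((findings + 1))
    fi

    v=$(sshd_values "$file" PermitEmptyPasswords | head -n 1)
    if [ "$v" = "yes" ]; then
        echo "FLAG PermitEmptyPasswords is yes; the guide sets it to no"
        findings=$((findings + 1))
    fi

    v=$(sshd_values "$file" AllowUsers)
    if [ -z "$v" ]; then
        echo "FLAG AllowUsers is unset; logins are not limited to named accounts"
        findings=$((findings + 1))
    fi

    v=$(sshd_values "$file" PasswordAuthentication | head -n 1)
    if [ "$v" != "no" ]; then
        echo "FLAG PasswordAuthentication is '${v:-unset}'; password logins remain possible"
        findings=$((findings + 1))
    fi

    echo "INFO sshd port(s): $(sshd_ports "$file") (the ufw rule for SSH must use the same)"
    [ "$findings" -eq 0 ]
}

# Constructed sample, not taken from a real host. "staker" is a hypothetical login.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 2222
permitrootlogin no
PermitRootLogin yes
PermitEmptyPasswords no
AllowUsers staker
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo on the constructed sample; on a real host pass /etc/ssh/sshd_config instead.
demo=$(mktemp)
write_sample_sshd_config "$demo"
audit_sshd "$demo" || true
rm -f "$demo"
```

On a live host, `sudo sshd -T` prints the configuration sshd actually resolved, including Include files, and `sudo sshd -t` validates the file before a restart. Keeping the current SSH session open while testing a new login from a second terminal avoids the lockout described above.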

## Sources/Inspiration
Prysm: [https://docs.prylabs.network/docs/getting-started/](https://docs.prylabs.network/docs/getting-started/)

Go: [https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/golang-1.14-go_1.14.2-1ubuntu1_arm64.deb.html](https://ubuntu.pkgs.org/20.04/ubuntu-main-arm64/golang-1.14-go_1.14.2-1ubuntu1_arm64.deb.html)

Timezone: [https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/](https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/)

Account creation and systemd setup: [https://github.com/attestantio/ubuntu-server](https://github.com/attestantio/ubuntu-server)

blackbox_exporter: [https://github.com/prometheus/blackbox_exporter](https://github.com/prometheus/blackbox_exporter)

node_exporter: [https://github.com/prometheus/node_exporter](https://github.com/prometheus/node_exporter)

Prometheus: [https://prometheus.io/docs/prometheus/latest/getting_started/](https://prometheus.io/docs/prometheus/latest/getting_started/)

Grafana: [https://grafana.com/docs/grafana/latest/installation/debian/](https://grafana.com/docs/grafana/latest/installation/debian/)

Dashboard: [https://github.com/metanull-operator/eth2-grafana](https://github.com/metanull-operator/eth2-grafana)

systemd: [https://www.freedesktop.org/software/systemd/man/systemd.unit.html](https://www.freedesktop.org/software/systemd/man/systemd.unit.html)

geth: [https://geth.ethereum.org/docs/install-and-build/installing-geth](https://geth.ethereum.org/docs/install-and-build/installing-geth)

sshd: [https://blog.devolutions.net/2017/04/10-steps-to-secure-open-ssh](https://blog.devolutions.net/2017/04/10-steps-to-secure-open-ssh)

ufw:
[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04)

ufw: [https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands)

ntpd: [https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04)

--------------------------------------------------------------------------------
/v2/README.md:
--------------------------------------------------------------------------------

# Setup an Ethereum Mainnet Staking System on Ubuntu

**Instructions Compatibility: v2**

The following links apply to v2 of my installation instructions. v2 instructions were written for Ubuntu 22.04 LTS and have some naming/configuration differences from [v1](../v1/) instructions. Systems installed on or after July 19, 2022, were likely set up using v2 instructions.

------

- [Setup an Ethereum Mainnet Staking System on Ubuntu](setup.md) - v2 of my setup instructions to install and configure an Ethereum mainnet staking system using Prysm and Geth.
- [Prune Geth](../prune_geth.md) - How to prune Geth to reduce disk usage.
- [MEV-Boost: Mainnet](mev-boost.md) - How to set up MEV-Boost for mainnet for v2 installations.

--------------------------------------------------------------------------------
/v2/mev-boost.md:
--------------------------------------------------------------------------------

## MEV-Boost: Mainnet

**Instructions Compatibility: v2**

The following instructions apply to systems set up under v2 of my installation instructions. v2 instructions were written for Ubuntu 22.04 LTS.
Systems installed on or after July 19, 2022, were likely set up using v2 instructions. Instructions for v1 installations are available [here](../v1/mev-boost.md).

------

These instructions will help you install and configure [MEV-Boost](https://github.com/flashbots/mev-boost) for a mainnet, merge-ready [Prysm](https://github.com/prysmaticlabs/prysm/) installation.

## Install Go

Compiling MEV-Boost requires Go version 1.18 or higher.

Run the following to check your current version.

```console
go version
```

If Go is not at least version 1.18 or if Go is not installed, install it as follows. Before extracting the archive, compare its SHA-256 checksum with the value published on the Go downloads page.

```console
cd
wget https://go.dev/dl/go1.19.linux-amd64.tar.gz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz
sudo ln -s /usr/local/go/bin/go /usr/bin/go
rm go1.19.linux-amd64.tar.gz
```

Verify that you are now running Go 1.18+ by running the following command.

```console
go version
```

## MEV-Boost Installation

### MEV-Boost User Account

Create a user account in which to run MEV-Boost.

```console
sudo adduser --home /home/mev-boost --disabled-password --gecos 'MEV-Boost Relay' mev-boost
```

Create a directory to store the `mev-boost` binary.

- `-u mev-boost` runs the command as the mev-boost user so we don't have to change the directory permissions to the `mev-boost` user later on.

```console
sudo -u mev-boost mkdir /home/mev-boost/bin
```

### Install MEV-Boost

Install the latest release of MEV-Boost using `go install`. This will install into your user directories.

```console
cd
go install github.com/flashbots/mev-boost@latest
```

### Install MEV-Boost

Copy the `mev-boost` binary to the `bin` directory of the `mev-boost` account, and change the ownership of the binary to the `mev-boost` account.

```console
sudo cp ~/go/bin/mev-boost /home/mev-boost/bin
sudo chown mev-boost:mev-boost /home/mev-boost/bin/mev-boost
```

### Configure MEV-Boost to Run as System Service

Create a systemd service file to start the MEV-Boost service.

```console
sudo nano /etc/systemd/system/mev-boost.service
```

Add the following lines to the mev-boost service file. The `ExecStart` line includes two relays, Flashbots and bloXroute. You can remove one or the other to suit your ethical inclinations.

```
[Unit]
Description=MEV-Boost Relay
StartLimitIntervalSec=0
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
Restart=always
RestartSec=5
User=mev-boost
WorkingDirectory=/home/mev-boost
ExecStart=/home/mev-boost/bin/mev-boost \
    -mainnet \
    -relay-check \
    -relays https://0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net,https://0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118@bloxroute.ethical.blxrbdn.com

[Install]
WantedBy=multi-user.target
```

Enable MEV-Boost as a system service so that it automatically starts when the system boots, and start it now.

```console
sudo systemctl enable --now mev-boost
```

Check the logs for success.

```console
sudo journalctl -fu mev-boost.service
```

If successful, the logs should look something like the following.

```
Sep 05 23:38:56 nuc systemd[1]: Started MEV-Boost Relay.
Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="mev-boost v0.8.2-5-ge9b82f5" module=cli
Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="Using genesis fork version: 0x00000000" module=cli
Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="using 2 relays" module=cli relays="[{0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae https://0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net} {0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118 https://0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118@bloxroute.ethical.blxrbdn.com}]"
Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="Checking relay" module=service relay="https://0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net"
Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="Checking relay" module=service relay="https://0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118@bloxroute.ethical.blxrbdn.com"
Sep 05 23:38:56 nuc mev-boost[59746]: time="2022-09-05T23:38:56-06:00" level=info msg="listening on localhost:18550" module=cli
```

You can check the status of the MEV-Boost service with the `systemctl status` command.

```console
sudo systemctl status mev-boost
```

The output will look similar to the following.

```
● mev-boost.service - MEV-Boost Relay
     Loaded: loaded (/etc/systemd/system/mev-boost.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-09-05 23:57:06 MDT; 20s ago
   Main PID: 59985 (mev-boost)
      Tasks: 10 (limit: 38085)
     Memory: 7.4M
     CGroup: /system.slice/mev-boost.service
             └─59985 /home/mev-boost/bin/mev-boost -mainnet -relay-check -relays https://0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net,https://0xad0a8bb54565c2211cee576363f3>
```

This will be followed by the last few log lines.

Be sure to look for the following:

- The `Loaded` line says `enabled` instead of `disabled`. This means that the MEV-Boost service will start on system boot.
- The `Active` line says `active (running)`, which means the MEV-Boost service appears to be running currently.

## Update Prysm Configuration

### Beacon Chain

Edit the Prysm Beacon Chain configuration file to configure communication with MEV-Boost.

```console
sudo nano /home/prysm-beacon/prysm-beacon.yaml
```

Add the following line to that file.

```yaml
http-mev-relay: "http://127.0.0.1:18550"
```

Restart the Prysm beacon chain client and review the logs.

```console
sudo systemctl restart prysm-beacon; sudo journalctl -fu prysm-beacon
```

If successful, the logs should include lines similar to the following.

```
Sep 05 23:40:46 nuc beacon-chain-v3.0.0[59788]: time="2022-09-05 23:40:46" level=info msg="Builder has been configured" endpoint="http://127.0.0.1:18550"
Sep 05 23:40:46 nuc beacon-chain-v3.0.0[59788]: time="2022-09-05 23:40:46" level=warning msg="Outsourcing block construction to external builders adds non-trivial delay to block propagation time. Builder-constructed blocks or fallback blocks may get orphaned. Use at your own risk!"
```

### Validator

Edit the Prysm Validator configuration file to configure registration of validators.

```console
sudo nano /home/prysm-validator/prysm-validator.yaml
```

Add the following line to that file.

```yaml
enable-builder: true
```

Restart the Prysm validator client and review the logs.

```console
sudo systemctl restart prysm-validator; sudo journalctl -fu prysm-validator
```

If successful, the logs should include a line similar to the following:

```
Sep 13 16:11:55 nuc prysm.sh[67775]: time="2022-09-13 16:11:55" level=info msg="Submitted builder validator registration settings for custom builders" prefix=validator
```

## Updating MEV-Boost

Monitor MEV-Boost releases [here](https://github.com/flashbots/mev-boost/releases). When a new release is available, use the following instructions to update.

Download the latest release.

```console
cd
go install github.com/flashbots/mev-boost@latest
```

Stop the `mev-boost` service.

```console
sudo systemctl stop mev-boost
```

Copy the `mev-boost` binary to the `bin` directory of the `mev-boost` account, and change the ownership of the binary to the `mev-boost` account. Changing ownership should not be necessary if you followed the original installation instructions.

```console
sudo cp ~/go/bin/mev-boost /home/mev-boost/bin
sudo chown mev-boost:mev-boost /home/mev-boost/bin/mev-boost
```

Start MEV-Boost and monitor logs.

```console
sudo systemctl start mev-boost; sudo journalctl -fu mev-boost
```

See the example logs in the installation section above.

--------------------------------------------------------------------------------
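
Each `-relays` entry in the `mev-boost.service` file above has the form `https://<relay public key>@<host>`, and MEV-Boost uses that key to verify the relay's signed responses, so a mistyped or substituted entry changes whom the validator trusts. The check below is an added example, not part of the original instructions or of the MEV-Boost project; the function names and the `PINNED` list (standing in for a list you have confirmed against each relay's own documentation) are assumptions.

```shell
# Added example. Relays below (pubkey@host) are copied from this page's unit file.
# PINNED stands in for a list confirmed against each relay's documentation.
FLASHBOTS='0xac6e77dfe25ecd6110b8e780608cce0dab71fdd5ebea22a16c0205200f2f8e2e3ad3b71d3499c54ad14d6c21b41a37ae@boost-relay.flashbots.net'
BLOXROUTE='0xad0a8bb54565c2211cee576363f3a347089d2f07cf72679d16911d740262694cadb62d7fd7483f27afd714ca0f1b9118@bloxroute.ethical.blxrbdn.com'
PINNED="$FLASHBOTS
$BLOXROUTE"
# Constructed sample input mirroring the ExecStart lines of that unit file.
SAMPLE_UNIT="ExecStart=/home/mev-boost/bin/mev-boost \\
    -mainnet \\
    -relay-check \\
    -relays https://$FLASHBOTS,https://$BLOXROUTE"

# extract_relays UNIT_TEXT: print one relay URL per line.
extract_relays() {
  printf '%s\n' "$1" |
    sed -n 's/^.*[[:space:]]-\{1,2\}relays[[:space:]=]\{1,\}\([^[:space:]]*\).*$/\1/p' |
    tr ',' '\n'
}

# A BLS public key is 48 bytes: 0x followed by exactly 96 hex digits.
is_bls_pubkey() {
  case $1 in 0x*) hex=${1#0x} ;; *) return 1 ;; esac
  [ "${#hex}" -eq 96 ] || return 1
  case $hex in *[!0-9a-fA-F]*) return 1 ;; esac
}

# check_relay URL PINNED: print a verdict; return 0 only for a pinned relay.
check_relay() {
  case $1 in
    https://*@*) rest=${1#https://} ;;
    https://*) echo "FAIL missing-pubkey $1"; return 1 ;;
    *) echo "FAIL not-https $1"; return 1 ;;
  esac
  key=${rest%%@*}; host=${rest#*@}; host=${host%%/*}
  is_bls_pubkey "$key" || { echo "FAIL malformed-pubkey $host"; return 1; }
  printf '%s\n' "$2" | grep -qixF -- "$key@$host" || { echo "FAIL not-pinned $host"; return 1; }
  echo "OK $host"
}

# audit_unit UNIT_TEXT PINNED: fail if no relay is found or any relay fails.
audit_unit() {
  n=0; bad=0
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    n=$((n + 1)); check_relay "$url" "$2" || bad=1
  done <<EOF
$(extract_relays "$1")
EOF
  [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}
```

To audit the installed service, pass the file contents, for example `audit_unit "$(cat /etc/systemd/system/mev-boost.service)" "$(cat pinned-relays.txt)"`, where `pinned-relays.txt` is a hypothetical file holding one `pubkey@host` entry per line.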