From 97e6b13a17880a06706e546f47a58f63f1b750b4 Mon Sep 17 00:00:00 2001 From: Raul-Constantin Racotea Date: Mon, 10 Jun 2024 12:00:14 +0200 Subject: [PATCH 1/6] added tutorial for multikey --- .../key-management/multikey-nodes.md | 217 +++++++++++++++++- 1 file changed, 210 insertions(+), 7 deletions(-) diff --git a/docs/validators/key-management/multikey-nodes.md b/docs/validators/key-management/multikey-nodes.md index 4af6bc3a1..763d3eda5 100644 --- a/docs/validators/key-management/multikey-nodes.md +++ b/docs/validators/key-management/multikey-nodes.md 
@@ -322,16 +322,219 @@ We strongly suggest to practice this process first on the public testnet. You sh ::: Whenever deciding to switch from single-key operation to multikey, the following steps on how to execute this process can be considered: -1. create your `allValidatorsKeys.pem` by manually (or through a text tool) concatenate all your `validatorKey.pem` files; -2. start a multikey group, **configure it as a backup group**, provide the `allValidatorsKeys.pem` file to all the nodes forming the group; -3. let this backup multikey group nodes sync and go the next step **after all these nodes are synced**; -4. switch off your single-key backup nodes (if you previously had ones); -5. create a new multikey group, configure it as main group and let it sync. **Do not provide the `allValidatorsKeys.pem` keys yet!**. Go the next step **after all these nodes are synced**; -6. after the main group nodes are synced, copy the `allValidatorsKeys.pem` file to all nodes from the main group, switch off the main single-key nodes and restart the multikey nodes from the main group, so they will load the `allValidatorsKeys.pem` file; -7. closely monitor all your nodes in the explorer, should be online and with their rating status increasing/at 100%. Repeat this step for a few times at 10 minutes interval. +1. Create your `allValidatorsKeys.pem` by manually (or through a text tool) concatenate all your `validatorKey.pem` files; +2. Start a multikey group, **configure it as a backup group**, provide the `allValidatorsKeys.pem` file to all the nodes forming the group; +3. Let this backup multikey group nodes sync and go the next step **after all these nodes are synced**; +4. Switch off your single-key backup nodes (if you previously had ones); +5. Create a new multikey group, configure it as main group and let it sync. **Do not provide the `allValidatorsKeys.pem` keys yet!**. Go the next step **after all these nodes are synced**; +6. 
After the main group nodes are synced, copy the `allValidatorsKeys.pem` file to all nodes from the main group, switch off the main single-key nodes and restart the multikey nodes from the main group, so they will load the `allValidatorsKeys.pem` file; +7. Closely monitor all your nodes in the explorer, should be online and with their rating status increasing/at 100%. Repeat this step for a few times at 10 minutes interval. Make sure that all operations from step 6 are made as quickly as possible. In case this step takes a long time, the backup multikey group should take over. :::caution Always attempt this process while closely monitor your nodes. If done correctly, your nodes might experience a brief rating drop (until the backup group takes over - if necessary) ::: + +### Setup a multikey node + +**1. Login as root & update/upgrade the machine** + +``` +bash +apt-get update +apt-get upgrade +apt autoremove +``` + +**2. Add and configure the ubuntu user** + +``` +adduser ubuntu +``` + +Set a long password + +``` +usermod -aG sudo ubuntu +echo 'StrictHostKeyChecking=no' >> /etc/ssh/ssh_config +visudo +``` + +Add this line: + +``` +ubuntu ALL=(ALL) NOPASSWD:ALL +``` + +Save & exit + +``` +sudo su ubuntu +sudo visudo -f /etc/sudoers.d/myOverrides +``` + +Add this line: + +``` +ubuntu ALL=(ALL) NOPASSWD:ALL +``` + +Save & exit + +**3. 
Configure ssh service:** + +``` +cd +mkdir .ssh && chmod 700 .ssh && cd .ssh/ +nano authorized_keys +``` + +Paste your pubkey & save & exit +The pubkey can be obtained by typing `cat ~/.ssh/id_rsa.pub` (or the name of your key) + +``` +chmod 600 authorized_keys +``` + +ssh config + +``` +sudo nano /etc/ssh/sshd_config +``` + +Uncomment & change this line to match your desired port: + +``` +Port 1024> # example: 7728 +``` + +Set the following fields to their respective values: + +``` +# PermitRootLogin -> no +# PubkeyAuthentication -> yes +# PasswordAuthentication -> no +``` + +Save & exit + +``` +sudo systemctl restart sshd +``` + +At this time a snapshot/image of the host could be generated using the provider’s accepted method. This snapshot/image could later be used to create/spin up further machines with all the initial setup already completed. + + +**4. Configure your local ssh config file** + +``` +nano ~/.ssh/config +``` + +Add: + +``` +Host host-0 + Hostname xxx.yyy.zzz.ttt + User ubuntu + Port 7728 + IdentityFile ~/.ssh/id_rsa +``` + +Save & exit + + +**5. Keys Setup** + +``` +cd ~ +mkdir VALIDATOR_KEYS +``` + +Copy your validator(s) .pem file either by using scp: + +``` +scp allValidatorsKeys.pem ubuntu@xxx.yyy.zzz.xxx:/home/ubuntu/VALIDATOR_KEYS +``` + +Or by using nautilius file explorer: + +``` +sftp://host-0 +``` + + +**6. Node Setup** + +``` +git clone https://github.com/multiversx/mx-chain-scripts +cd mx-chain-scripts/config/ +nano variables.cfg +``` + +Set the following: + +``` +# ENVIRONMENT="mainnet" +# GITHUBTOKEN="" +# NODE_EXTRA_FLAGS="" # optional for extra flags (example: `-log-save -profile-mode`) +# OVERRIDE_CONFIGVER="" # optional for a particulare release (example: `rc-v1.6.0`) +``` + +Save & exit + +``` +cd .. 
+./script.sh install +``` + +Install your node(s) +You can tweak several binary flags settings by typing + +``` +sudo nano /etc/systemd/system/elrond-node-0.service +``` + +Save & exit +Reload the service file: + +``` +sudo systemctl daemon-reload +``` + +For additional `prefs.toml` file settings adjustments, can use this: + +``` +nano ~/elrond-nodes/node-0/config/prefs.toml +``` + +Set the following: + +``` +# DestinationShardAsObserver = "" +# NodeDisplayName = "node" +# Identity = "identity" +# RedundancyLevel = +``` + +``` +cp ~/VALIDATOR_KEYS/allValidatorsKeys.pem ~/elrond-nodes/node-0/config/ +cd ~/mx-chain-scripts +./script.sh start +``` + + +**7. Node Checkup** + +The running node can be monitored using the termui console + +``` +~/elrond-utils/termui -address 127.0.0.1:8080 +``` + +If the node does not start in a reasonable time frame (5 minutes), we can check the log output by using this command: + +``` +sudo journalctl -f -u elrond-node-0.service +``` \ No newline at end of file From d2d33c313705cde64d7af6badc7a9d3b441594e0 Mon Sep 17 00:00:00 2001 From: Raul-Constantin Racotea Date: Mon, 10 Jun 2024 16:02:24 +0200 Subject: [PATCH 2/6] removed # comments in a few sections --- .../key-management/multikey-nodes.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/validators/key-management/multikey-nodes.md b/docs/validators/key-management/multikey-nodes.md index 763d3eda5..a88eb7626 100644 --- a/docs/validators/key-management/multikey-nodes.md +++ b/docs/validators/key-management/multikey-nodes.md @@ -412,9 +412,9 @@ Port 1024> # example: 7728 Set the following fields to their respective values: ``` -# PermitRootLogin -> no -# PubkeyAuthentication -> yes -# PasswordAuthentication -> no + PermitRootLogin -> no + PubkeyAuthentication -> yes + PasswordAuthentication -> no ``` Save & exit 
@@ -476,10 +476,10 @@ nano variables.cfg Set the following: ``` -# ENVIRONMENT="mainnet" -# GITHUBTOKEN="" -# NODE_EXTRA_FLAGS="" # optional for extra flags (example: `-log-save -profile-mode`) -# OVERRIDE_CONFIGVER="" # optional for a particulare release (example: `rc-v1.6.0`) + ENVIRONMENT="mainnet" + GITHUBTOKEN="" + NODE_EXTRA_FLAGS="" # optional for extra flags (example: `-log-save -profile-mode`) + OVERRIDE_CONFIGVER="" # optional for a particulare release (example: `rc-v1.6.0`) ``` Save & exit @@ -512,10 +512,10 @@ nano ~/elrond-nodes/node-0/config/prefs.toml Set the following: ``` -# DestinationShardAsObserver = "" -# NodeDisplayName = "node" -# Identity = "identity" -# RedundancyLevel = + DestinationShardAsObserver = "" + NodeDisplayName = "node" + Identity = "identity" + RedundancyLevel = ``` ``` From 49887a257b51ec2a4d3baddadd5332deaa1bb3f4 Mon Sep 17 00:00:00 2001 From: Raul-Constantin Racotea Date: Mon, 10 Jun 2024 16:16:09 +0200 Subject: [PATCH 3/6] corected some mistakes --- docs/validators/key-management/multikey-nodes.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/validators/key-management/multikey-nodes.md b/docs/validators/key-management/multikey-nodes.md index a88eb7626..97706c1a5 100644 --- a/docs/validators/key-management/multikey-nodes.md +++ b/docs/validators/key-management/multikey-nodes.md @@ -403,13 +403,13 @@ ssh config sudo nano /etc/ssh/sshd_config ``` -Uncomment & change this line to match your desired port: +Uncomment and change this line to match your desired port: ``` Port 1024> # example: 7728 ``` -Set the following fields to their respective values: +Uncomment and set the following fields to their respective values: ``` PermitRootLogin -> no @@ -511,7 +511,7 @@ nano ~/elrond-nodes/node-0/config/prefs.toml Set the following: -``` +```toml DestinationShardAsObserver = "" NodeDisplayName = "node" Identity = "identity" From 73ad3c73a74ba9cc217f3e95bef64759bd49a95d Mon Sep 17 00:00:00 2001 
From: Raul-Constantin Racotea Date: Mon, 10 Jun 2024 16:26:22 +0200 Subject: [PATCH 4/6] added bash view --- .../key-management/multikey-nodes.md | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/docs/validators/key-management/multikey-nodes.md b/docs/validators/key-management/multikey-nodes.md index 97706c1a5..eeb5cd7d1 100644 --- a/docs/validators/key-management/multikey-nodes.md +++ b/docs/validators/key-management/multikey-nodes.md @@ -340,8 +340,7 @@ Always attempt this process while closely monitor your nodes. If done correctly, **1. Login as root & update/upgrade the machine** -``` -bash +```bash apt-get update apt-get upgrade apt autoremove @@ -349,13 +348,13 @@ apt autoremove **2. Add and configure the ubuntu user** -``` +```bash adduser ubuntu ``` Set a long password -``` +```bash usermod -aG sudo ubuntu echo 'StrictHostKeyChecking=no' >> /etc/ssh/ssh_config visudo @@ -369,7 +368,7 @@ ubuntu ALL=(ALL) NOPASSWD:ALL Save & exit -``` +```bash sudo su ubuntu sudo visudo -f /etc/sudoers.d/myOverrides ``` @@ -384,7 +383,7 @@ Save & exit **3. Configure ssh service:** -``` +```bash cd mkdir .ssh && chmod 700 .ssh && cd .ssh/ nano authorized_keys @@ -393,13 +392,13 @@ nano authorized_keys Paste your pubkey & save & exit The pubkey can be obtained by typing `cat ~/.ssh/id_rsa.pub` (or the name of your key) -``` +```bash chmod 600 authorized_keys ``` ssh config -``` +```bash sudo nano /etc/ssh/sshd_config ``` @@ -419,7 +418,7 @@ Uncomment and set the following fields to their respective values: Save & exit -``` +```bash sudo systemctl restart sshd ``` @@ -428,7 +427,7 @@ At this time a snapshot/image of the host could be generated using the provider **4. Configure your local ssh config file** -``` +```bash nano ~/.ssh/config ``` 
@@ -447,14 +446,14 @@ Save & exit **5. Keys Setup** -``` +```bash cd ~ mkdir VALIDATOR_KEYS ``` Copy your validator(s) .pem file either by using scp: -``` +```bash scp allValidatorsKeys.pem ubuntu@xxx.yyy.zzz.xxx:/home/ubuntu/VALIDATOR_KEYS ``` @@ -467,7 +466,7 @@ sftp://host-0 **6. Node Setup** -``` +```bash git clone https://github.com/multiversx/mx-chain-scripts cd mx-chain-scripts/config/ nano variables.cfg @@ -484,7 +483,7 @@ Set the following: Save & exit -``` +```bash cd .. ./script.sh install ``` @@ -492,20 +491,20 @@ cd .. Install your node(s) You can tweak several binary flags settings by typing -``` +```bash sudo nano /etc/systemd/system/elrond-node-0.service ``` Save & exit Reload the service file: -``` +```bash sudo systemctl daemon-reload ``` For additional `prefs.toml` file settings adjustments, can use this: -``` +```bash nano ~/elrond-nodes/node-0/config/prefs.toml ``` @@ -518,7 +517,7 @@ Set the following: RedundancyLevel = ``` -``` +```bash cp ~/VALIDATOR_KEYS/allValidatorsKeys.pem ~/elrond-nodes/node-0/config/ cd ~/mx-chain-scripts ./script.sh start @@ -529,12 +528,12 @@ cd ~/mx-chain-scripts The running node can be monitored using the termui console -``` +```bash ~/elrond-utils/termui -address 127.0.0.1:8080 ``` If the node does not start in a reasonable time frame (5 minutes), we can check the log output by using this command: -``` +```bash sudo journalctl -f -u elrond-node-0.service ``` \ No newline at end of file From 9f04fcde89def3f1c3f2b05ce46b8ffa312cc28a Mon Sep 17 00:00:00 2001 From: Raul-Constantin Racotea Date: Mon, 10 Jun 2024 16:28:58 +0200 Subject: [PATCH 5/6] ubuntu user --- docs/validators/key-management/multikey-nodes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/validators/key-management/multikey-nodes.md b/docs/validators/key-management/multikey-nodes.md index eeb5cd7d1..68d0c6188 100644 --- a/docs/validators/key-management/multikey-nodes.md +++ b/docs/validators/key-management/multikey-nodes.md 
@@ -346,7 +346,7 @@ apt-get upgrade apt autoremove ``` -**2. Add and configure the ubuntu user** +**2. Add and configure the `ubuntu` user** ```bash adduser ubuntu From 5ba30bd79a290d7cdacbabde4c81a1404446106a Mon Sep 17 00:00:00 2001 From: Raul-Constantin Racotea Date: Mon, 10 Jun 2024 17:22:28 +0200 Subject: [PATCH 6/6] resolved comments from Iulian --- docs/validators/key-management/multikey-nodes.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/validators/key-management/multikey-nodes.md b/docs/validators/key-management/multikey-nodes.md index 68d0c6188..5adf0191f 100644 --- a/docs/validators/key-management/multikey-nodes.md +++ b/docs/validators/key-management/multikey-nodes.md @@ -315,12 +315,6 @@ The BLS keys' identities, on the other hand will have the following names & iden ### Migration guide from single-key operation to multikey -:::warning -This guide can lead to potential node jailing if done incorrectly. Make sure that you understand completely all the steps involved. - -We strongly suggest to practice this process first on the public testnet. You should gather invaluable experience and know how. -::: - Whenever deciding to switch from single-key operation to multikey, the following steps on how to execute this process can be considered: 1. Create your `allValidatorsKeys.pem` by manually (or through a text tool) concatenate all your `validatorKey.pem` files; 2. Start a multikey group, **configure it as a backup group**, provide the `allValidatorsKeys.pem` file to all the nodes forming the group; 
@@ -332,6 +326,12 @@ Whenever deciding to switch from single-key operation to multikey, the following Make sure that all operations from step 6 are made as quickly as possible. In case this step takes a long time, the backup multikey group should take over. +:::warning +This guide can lead to potential node jailing if done incorrectly. Make sure that you understand completely all the steps involved. + +We strongly suggest to practice this process first on the public testnet. You should gather invaluable experience and know how. +::: + :::caution Always attempt this process while closely monitor your nodes. If done correctly, your nodes might experience a brief rating drop (until the backup group takes over - if necessary) ::: @@ -389,8 +389,8 @@ mkdir .ssh && chmod 700 .ssh && cd .ssh/ nano authorized_keys ``` -Paste your pubkey & save & exit -The pubkey can be obtained by typing `cat ~/.ssh/id_rsa.pub` (or the name of your key) +Paste your pubkey, save & exit +The pubkey can be obtained by typing `cat ~/.ssh/id_rsa.pub` (or the name of your key) on the machine that will be used to connect to this host ```bash chmod 600 authorized_keys
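
Review bot: In [PATCH 1/6], step 2, `echo 'StrictHostKeyChecking=no' >> /etc/ssh/ssh_config` turns off host key verification for every outbound SSH connection from the validator host, and no later step in the tutorial needs it (the clone is over https and the `scp` runs from the operator's machine). Suggest dropping the line. The same step adds `ubuntu ALL=(ALL) NOPASSWD:ALL` twice, once through `visudo` and again in `/etc/sudoers.d/myOverrides`; one drop-in is enough, and because this account ends up holding `allValidatorsKeys.pem`, the text should say why passwordless sudo is wanted, since with it "Set a long password" no longer gates root.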
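
Review bot: In [PATCH 2/6], first hunk (`@@ -412,9`), removing the `#` makes `PermitRootLogin -> no`, `PubkeyAuthentication -> yes` and `PasswordAuthentication -> no` read as literal file content, but `->` is not `sshd_config` syntax and sshd will not accept those lines if pasted. Write them as they must appear in the file (`PermitRootLogin no`, `PubkeyAuthentication yes`, `PasswordAuthentication no`). Since this step also changes the port and disables password login, add `sudo sshd -t` before `sudo systemctl restart sshd` and tell the reader to keep the current session open until a new login on the new port works.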
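
Review bot: In [PATCH 2/6], second hunk (`@@ -476,10`), `GITHUBTOKEN=""` is shown empty with no statement of whether a token is required, so the reader cannot tell if the value is to be filled in or left blank. If a token is expected, say so and note that it is a credential sitting in a plain file under `mx-chain-scripts/config/`. The `OVERRIDE_CONFIGVER` comment in the same hunk has a typo: `particulare` should be `particular`.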
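
Review bot: In [PATCH 3/6], first hunk (`@@ -403,13`), the line under the reworded sentence still reads `Port 1024> # example: 7728`, which is not a valid `Port` directive and looks like a placeholder that lost part of its text. As this commit is correcting mistakes in this block, show a line that can be pasted, for example `Port 7728`, and move the constraint on the port number into the sentence above it. The value should also match the `Port 7728` used in the local `~/.ssh/config` example in step 4.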
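
Review bot: In [PATCH 3/6], second hunk (`@@ -511,7`), the block is now tagged `toml` but `RedundancyLevel =` has no value, so it is not valid TOML and cannot be copied as shown. The migration steps earlier in the file distinguish a backup group from a main group, yet the tutorial never shows how a node is configured as one or the other; if `RedundancyLevel` is that setting, give a concrete value here and state which value marks a main node and which a backup node.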
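
Review bot: In [PATCH 4/6], the Keys Setup hunk (`@@ -447,14`), `scp allValidatorsKeys.pem ubuntu@xxx.yyy.zzz.xxx:/home/ubuntu/VALIDATOR_KEYS` connects on the default SSH port, while step 3 moved sshd to a custom port and step 4 defined the `host-0` alias for exactly this purpose; the placeholder address also differs from the `xxx.yyy.zzz.ttt` used in step 4. Suggest `scp allValidatorsKeys.pem host-0:VALIDATOR_KEYS/`. The directory is created with a bare `mkdir VALIDATOR_KEYS`, so it gets default permissions; add `chmod 700 VALIDATOR_KEYS` and a `chmod 600` on the copied `.pem`, matching the care already taken for `.ssh` and `authorized_keys`. In the context line below, `nautilius` should be `Nautilus`.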
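
Review bot: In [PATCH 6/6], first and second hunks (`@@ -315,12` and `@@ -332,6`), moving the `:::warning` block below the numbered list means the reader reaches the jailing warning and the advice to practice on testnet only after step 7, and it now sits directly above the `:::caution` block as two stacked admonitions. If the move was requested to keep the list next to its introduction, consider merging the two admonitions into one and placing it before the steps, or at least adding a sentence before step 1 that points to the warning.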
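
Review bot: In [PATCH 6/6], third hunk (`@@ -389,8`), `Paste your pubkey, save & exit` and the following `The pubkey can be obtained by typing ...` line are adjacent with no blank line between them, so Markdown renders them as a single run-on paragraph. Put a blank line between them or join them into one sentence with punctuation. The added clause "on the machine that will be used to connect to this host" is a useful clarification; it would read more clearly if the sentence came before the `nano authorized_keys` block, since the reader needs the key in hand before opening the editor.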