This guide will instruct you how to set up a validator node on the Phala Network.
Running a Gatekeeper on a live network is a lot of responsibility! You will be accountable for not only your own stake, but also the stake of your current nominators. If you make a mistake and get slashed, your money and your reputation will be at risk. However, running a Gatekeeper can also be very rewarding, knowing that you contribute to the security of a decentralized network while growing your stash.
Since security is so important to running a successful Gatekeeper, you should take a look at Phala Network’s the secure validator information to make you understand the factors to consider when constructing your infrastructure. The Web3 Foundation also maintains a reference implementation for a secure validator set-up that you can use by deploying yourself (video walkthrough is available here). As you progress in your journey as a Gatekeeper, you will likely want to use this repository as a starting point for your own modifications and customizations.
If you need help, please reach out on the Phala Network Group on Telegram. The team and other Gatekeepers are there to help answer questions and provide experience.
You can have a rough estimate on that by using the methods listed here. Gatekeepers are elected based on Phragmen’s algorithm. To be elected into the set, you need a minimum stake behind your Gatekeeper. This stake can come from yourself or from nominators. This means that as a minimum, you will need enough PHA to set up Stash and Controller accounts with the existential deposit, plus a little extra for transaction fees. The rest can come from nominators.
Warning: Any PHA that you stake for your Gatekeeper is liable to be slashed, meaning that an insecure or improper setup may result in loss of PHA tokens! If you are not confident in your ability to run a Gatekeeper node, it is recommended to nominate your PHA to a trusted Gatekeeper node instead.
You will likely run your Gatekeeper on a server with TEE hardware running Linux. For this guide we will be using Ubuntu 18.04, but the instructions should be similar for other platforms.
The transactions weights in Phala Network were benchmarked on standard hardware. It is recommended that Gatekeepers run at least the standard hardware in order to ensure they are able to process all blocks in time. The following are not minimum requirements but if you decide to run with less than this beware that you might have performance issue.
For the full details of the standard hardware please see here.
The specs posted above are by no means the minimum specs that you could use when running a Gatekeeper, however you should be aware that if you are using less you may need to toggle some extra optimizations in order to be equal to other Gatekeepers that are running the standard.
You can find the latest Linux SGX driver from the official download page. Make sure to install:
/opt
)The dockerfile offered by Teaclave SGX SDK is a good reference of how to install the SGX SDK and platform software. Though it’s possible to run SGX apps inside Docker, we don’t have a guide for it so far. The driver must be installed on host machine natively.
phala-node
BinaryDownload the latest Phala Network binary from the Github release page.
You can also build the phala-node
binary from the
Phala-Network/phala-blockchain repository on GitHub using the source
code available in the master branch. You will need to prepare the rust build environment described in the Run a Full Node tutorial.
Note: If you prefer to use SSH rather than HTTPS, you can replace the first line of the below with
git clone git@github.com/Phala-Network/phala-blockchain.git
.
git clone https://github.com/Phala-Network/phala-blockchain
cd phala-blockchain
./scripts/init.sh
git submodule update --init
cargo build --release
This step will take a while (generally 10 - 40 minutes, depending on your hardware).
Note if you run into compile errors, you may have to switch to a less recent nightly. This can be done by running:
rustup install nightly-2020-05-15 rustup override set nightly-2020-05-15 rustup target add wasm32-unknown-unknown --toolchain nightly-2020-05-15
If you are interested in generating keys locally, you can also install subkey
from the same
directory. You may then take the generated subkey
executable and transfer it to an air-gapped
machine for extra security.
cargo install --force --git https://github.com/paritytech/substrate subkey
Note: By default, Gatekeeper nodes are in archive mode. If you’ve already synced the chain not in archive mode, you must first remove the database with
phala-node purge-chain
and then ensure that you run Phala Network with the--pruning=archive
option.You may run a Gatekeeper node in non-archive mode by adding the following flags:
-unsafe-pruning --pruning OF BLOCKS>
, but note that an archive node and non-archive node’s databases are not compatible with each other, and to switch you will need to purge the chain data.
You can begin syncing your node by running the following command:
./phala-node --pruning=archive
if you do not want to start in Gatekeeper mode right away.
The --pruning=archive
flag is implied by the --validator
and --sentry
flags, so it is only
required explicitly if you start your node without one of these two options. If you do not set your
pruning to archive node, even when not running in Gatekeeper and sentry mode, you will need to
re-sync your database when you switch.
Note: Gatekeepers should sync using the RocksDb backend. This is implicit by default, but can be explicit by passing the
--database RocksDb
flag. In the future, it is recommended to switch to using the faster and more efficient ParityDb option. Switching between database backends will require a resync.If you want to test out ParityDB you can add the flag
--database paritydb
.
Depending on the size of the chain when you do this, this step may take anywhere from a few minutes to a few hours.
If you are interested in determining how much longer you have to go, your server logs (printed to
STDOUT from the phala-node
process) will tell you the latest block your node has processed and
verified. You can then compare that to the current highest block via
Telemetry or the
Phala Web App.
Note: If you do not already have PHA, this is as far as you will be able to go until the end of the soft launch period. You can still run a node, but you will need to have a minimal amount of PHA to continue, as balance transfers are disabled during the soft launch. Please keep in mind that even for those with PHA, they will only be indicating their intent to validate; they will also not be able to run a Gatekeeper until the NPoS phase starts.
It is highly recommended that you make your controller and stash accounts be two separate accounts. For this, you will create two accounts and make sure each of them have at least enough funds to pay the fees for making transactions. Keep most of your funds in the stash account since it is meant to be the custodian of your staking funds.
Make sure not to bond all your PHA balance since you will be unable to pay transaction fees from your bonded balance.
It is now time to set up our Gatekeeper. We will do the following:
First, go to the Staking section. Click on “Account Actions”, and then the “Stash” button.
Once everything is filled in properly, click Bond
and sign the transaction with your Stash
account.
After a few seconds, you should see an “ExtrinsicSuccess” message. You should now see a new card with all your accounts (note: you may need to refresh the screen). The bonded amount on the right corresponds to the funds bonded by the Stash account.
Note: The session keys are consensus critical, so if you are not sure if your node has the current session keys that you made the
setKeys
transaction then you can use one of the two available RPC methods to query your node: hasKey to check for a specific key or hasSessionKeys to check the full session key public key string.
Once your node is fully synced, stop the process by pressing Ctrl-C. At your terminal prompt, you will now start running the node in validator mode with a flag allowing unsafe RPC calls, needed for some advanced operations.
./phala-node --validator --name "name on telemetry"
You can give your Gatekeeper any name that you like, but note that others will be able to see it, and it will be included in the list of all servers using the same telemetry server. Since numerous people are using telemetry, it is recommended that you choose something likely to be unique.
You need to tell the chain your Session keys by signing and submitting an extrinsic. This is what associates your Gatekeeper node with your Controller account on Phala Network.
You can generate your Session keys in the client via the apps RPC. If you are doing this, make sure that you have the PolkadotJS-Apps explorer attached to your Gatekeeper node. You can configure the apps dashboard to connect to the endpoint of your Gatekeeper in the Settings tab. If you are connected to a default endpoint hosted by Parity of Web3 Foundation, you will not be able to use this method since making RPC requests to this node would effect the local keystore hosted on a public node and you want to make sure you are interacting with the keystore for your node.
Once ensuring that you have connected to your node, the easiest way to set session keys for your
node is by calling the author_rotateKeys
RPC request to create new keys in your Gatekeeper’s
keystore. Navigate to Toolbox tab and select RPC Calls then select the author > rotateKeys() option
and remember to save the output that you get back for a later step.
If you are on a remote server, it is easier to run this command on the same machine (while the node is running with the default HTTP RPC port configured):
curl -H "Content-Type: application/json" -d '{"id":1, "jsonrpc":"2.0", "method": "author_rotateKeys", "params":[]}' http://localhost:9933
The output will have a hex-encoded “result” field. The result is the concatenation of the four public keys. Save this result for a later step.
You can restart your node at this point, omitting the --unsafe-rpc-expose
flag as it is no longer
needed.
setKeys
TransactionYou need to tell the chain your Session keys by signing and submitting an extrinsic. This is what associates your validator with your Controller account.
Go to Staking > Account Actions, and click “Set
Session Key” on the bonding account you generated earlier. Enter the output from author_rotateKeys
in the field and click “Set Session Key”.
Submit this extrinsic and you are now ready to start validating.
Gatekeepers utilize TEE to manage the secret keys in Phala Network. Before starting validating, you need to attach the TEE hardware to your Gatekeeper accounts. As long as the Gatekeeper is running and validating the blockchain, the TEE worker is always connected to the blockchain and support the network.
The TEE worker is handled by two components: pHost
and pRuntime
. The latest prebuilt binaries can be found from the Github release page in tee-release.zip
. Instead, you can also compile it on your own.
Assuming you have extracted the prebuilt binares in a directory and have a running and fully synced phala-node
, you can take the following steps to attach the TEE components to the blockchain:
./app
./phost \
--mnemonic '<the-mnenomic-of-your-controller-account>' \
--no-sync \
--no-write-back \
--remote-attestation \
--substrate-ws-endpoint 'ws://localhost:9944'
The mnenomic of your controller account is needed because phost
will send transactions to register your TEE hardware on behalve of your controller account.
The prebuilt release also includes bridge.sh
, a convinient script to bring up phost
in the same way described above. With the script file, you can save the mnemonic permanently, avoding typing it everytime you run it.
Note: In Phala Network Testnet PoC-2, the TEE worker registration is an one-shot job.
phost
will exit right after a successful registeration. However in future version, since TEE supports the TEE network in the full life-time of a Gatekeeper, it must be always up and running until the Gatekeeper is retired.
To verify that your node is live and synchronized, head to Telemetry and find your node. Note that this will show all nodes on the Phala Network, which is why it is important to select a unique name!
If everything looks good, go ahead and click on “Validate” in Phala Network UI.
Click “Validate”.
Note: This step will fail if you haven’t successfully registered a TEE worker on your controller account. Please double check Register TEE worker to make sure your TEE hardware is registered.
If you go to the “Staking” tab, you will see a list of active Gatekeepers currently running on the network. At the top of the page, it shows the number of Gatekeeper slots that are available as well as the number of nodes that have signaled their intention to be a Gatekeeper. You can go to the “Waiting” tab to double check to see whether your node is listed there.
The Gatekeeper set is refreshed every era. In the next era, if there is a slot available and your node is selected to join the Gatekeeper set, your node will become an active Gatekeeper. Until then, it will remain in the waiting queue. If your Gatekeeper is not selected to become part of the Gatekeeper set, it will remain in the waiting queue until it is. There is no need to re-start if you are not selected for the Gatekeeper set in a particular era. However, it may be necessary to increase the number of PHA staked or seek out nominators for your Gatekeeper in order to join the Gatekeeper set.
Congratulations! If you have followed all of these steps, and been selected to be a part of the Gatekeeper set, you are now running a Phala Network Gatekeeper! If you need help, reach out on the Phala Network Telegram group.
To participate the PoC-2 events, it’s required to set your node name in the format below:
./phala-node --name "Name | Controller account address" <...other arguments>
Please see the chapter with the same name in Run a Full Node for more details.
Make sure to enable 30333
libp2p port. Eventually, it will take a little bit of time to discover
other peers over the network.
./phala-node purge-chain