Run a Mithril signer node
For more information about the Mithril protocol, see the About Mithril section.
Mithril signer deployment modelβ
In this guide, you will learn how to set up a Mithril signer within the stake pool operator (SPO) infrastructure both on Cardano mainnet
and testnet
environments:
- On
mainnet
, you must run the production deployment where the Mithril signer runs on the Cardano block producer machine and the Mithril relay runs on the Cardano relay machine. Note that you can run the production deployment ontestnet
. - You can also run naive deployment, where the Mithril signer runs on the Cardano relay machine. This is possible in the testnet environment only, and does not require setting up a Mithril relay.
In the current setup, you don't need to install a Mithril aggregator.
The production deployment model is currently in the beta version.
Here is the schema of the production deployment on mainnet:
and the schema of the naive deployment specifically for testnets
:
On mainnet
, you must never copy the KES secret key
from the Cardano block producer machine!
Mithril keys certificationβ
The Mithril signer uses your Cardano operational certificate
and KES secret key
files which enable:
- Automatic computation of the
PoolId
- Verification of your
PoolId
ownership and the associated stake used by the Mithril protocol - Verification of your Mithril
signer secret key
ownership, which allows you to participate in the multi-signature process for certificate production on the Mithril network.
Mithril signer footprintβ
The Mithril signer has been designed to have the lowest footprint possible in terms of CPU, memory, disk i/o and storage. Thus, there are no extra requirements on the recommended hardware for running a Cardano stake pool, as detailed in this guide.
Here are some figures about the Mithril signer node running on Cardano mainnet
:
- It is idle most of the time with a very low CPU usage of less than
5%
- It uses less than
200 MB
of resident memory - It sends a new signature to the aggregator roughly every
10 minutes
and a new registration every5 days
(<1 MB
per day) When launched for the first time, a pre-loading phase occurs, during which the Cardano transactions are imported with a spike of50-70%
CPU on one core for~5 hours
- When signing for the first time, the Cardano database digest cache needs to be built with a spike of
50-70%
CPU on one core for~1 hour
- Also, the full Cardano database files will be read from disk once during this cache building process
- Only stake distributions, Mithril keys, and some cache (for the Cardano database and Cardano transactions) are stored on the disk (
<200 MB
).
Cardano transactions certification footprintβ
Here is a detailed view of the impact of the signature of the Cardano transactions (the most resource-intensive part of Mithril) on the SPO infrastructure on the mainnet
:
CPUβ
Memoryβ
Diskβ
Prerequisitesβ
Note that this guide works on a Linux machine only.
-
To operate a Cardano node as a stake pool, you need:
- The pool's
operational certificate
- The pool's
KES secret key
- The pool's
-
To access the file system of the Cardano block producer node for production deployment (or of the Cardano relay node for naive deployment), you will need the following permissions:
- Read rights on the
Database
folder (specified by the--database-path
setting of the Cardano node) - Read and write rights on the
Inter Process Communication
file (typically defined by theCARDANO_NODE_SOCKET_PATH
environment variable used to launch the Cardano node)
- Read rights on the
-
Install a recent version of
cardano-cli
(version 8.9.1+) -
Install a correctly configured Rust toolchain (latest stable version); you can follow the instructions provided here
-
Install build tools
build-essential
andm4
; for example, on Ubuntu/Debian/Mint, runsudo apt install build-essential m4
-
Install OpenSSL development libraries; for example, on Ubuntu/Debian/Mint, run
apt install libssl-dev
-
Install a recent version of
jq
(version 1.6+) by runningapt install jq
-
Only for the production deployment, install a recent version of
squid-cache
(version 6.9+).
Set up the Mithril signer nodeβ
-
For production deployment, the Mithril signer setup is performed on the Cardano block producer machine
-
For naive deployment, the Mithril signer setup is performed on the Cardano relay machine.
Compare the version of your Cardano node with the minimum supported versions listed in the networks.json
file to verify its compatibility with the Mithril signer.
First, check the version of your Cardano node by running the following command:
cardano-node --version
Then, refer to the minimum supported versions listed in the the networks.json
file.
You can also fetch the minimum supported version for your network using the command below:
wget -q -O - https://raw.githubusercontent.com/input-output-hk/mithril/main/networks.json | jq -r '."**YOUR_CARDANO_NETWORK**"."cardano-minimum-version"."mithril-signer"'
Here is an example for preprod
:
wget -q -O - https://raw.githubusercontent.com/input-output-hk/mithril/main/networks.json | jq -r '."preprod"."cardano-minimum-version"."mithril-signer"'
Building your own executableβ
Download the source fileβ
To download the source from GitHub (HTTPS), run:
git clone https://github.com/input-output-hk/mithril.git
Or (SSH):
git clone git@github.com:input-output-hk/mithril.git
Build the Mithril signer binaryβ
First, switch to build a branch/tag:
# **YOUR_BUILD_BRANCH_OR_TAG** depends on the Mithril network you target,
# please refer to the **Build from** column of the **Mithril networks** section
git checkout **YOUR_BUILD_BRANCH_OR_TAG**
Then, change the directory:
cd mithril/mithril-signer
Run tests (optional):
make test
Finally, build the executable:
make build
Download the pre-built binaryβ
You can install a the latest released binary of the mithril-signer by running this one line command (replace YOUR_PATH with your installation path):
curl --proto '=https' --tlsv1.2 -sSf
https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh
| sh -s -- -c mithril-signer -d latest -p YOUR_PATH
You can also install the mithril-signer binary for other distributions:
- use
-d unstable
for the unstable version - use
-d **DISTRIBUTION_VERSION**
for a specific distribution (e.g.-d 2445.0
)
The Linux binaries target glibc
, and have a minimum requirement of glibc 2.31
(compatible with Ubuntu 20.04
or Debian Bullseye
).
Verifying the binaryβ
Verify the version of the binaryβ
You can check that the Mithril signer binary is running the correct version by running:
./mithril-signer -V
You should see something like:
mithril-signer 0.2.0
β οΈ Please verify that the displayed version matches the version described in the release/pre-release notes (refer to the Build from column in the Mithril networks section).
Verify the buildβ
Check that the Mithril signer binary is working correctly by running the help function:
./mithril-signer -h
You should see:
An implementation of a Mithril signer
Usage: mithril-signer [OPTIONS]
Options:
-r, --run-mode <RUN_MODE>
Run Mode [env: RUN_MODE=] [default: dev]
-v, --verbose...
Verbosity level, add more v to increase
-c, --configuration-dir <CONFIGURATION_DIR>
Directory where the configuration file is located [default: ./config]
--disable-digests-cache
Disable immutables digests cache
--reset-digests-cache
If set the existing immutables digests cache will be reset
-h, --help
Print help information (use `--help` for more detail)
-V, --version
Print version information
If you wish to delve deeper, you can access logs at various levels from the Mithril signer:
- Add
-v
for some logs (WARN) - Add
-vv
for more logs (INFO) - Add
-vvv
for even more logs (DEBUG) - Add
-vvvv
for all logs (TRACE).
Installing the serviceβ
Move the executableβ
To move the executable to /opt/mithril, run:
sudo mkdir -p /opt/mithril
sudo mv mithril-signer /opt/mithril
Set up the serviceβ
-
User=cardano
: Replace this value with the correct user. We assume that the user used to run the Cardano node iscardano
. The Mithril signer must imperatively run with the same user. -
In the
/opt/mithril/mithril-signer.env
env file:KES_SECRET_KEY_PATH=/cardano/keys/kes.skey
: replace/cardano/keys/kes.skey
with the path to your CardanoKES secret key
fileOPERATIONAL_CERTIFICATE_PATH=/cardano/cert/opcert.cert
: replace/cardano/cert/opcert.cert
with the path to your Cardanooperational certificate
fileDB_DIRECTORY=/cardano/db
: replace/cardano/db
with the path to the database folder of the Cardano node (the one in--database-path
)CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket
: replace with the path to the IPC file (CARDANO_NODE_SOCKET_PATH
env var)CARDANO_CLI_PATH=/app/bin/cardano-cli
: replace with the path to thecardano-cli
executableDATA_STORES_DIRECTORY=/opt/mithril/stores
: replace with the path to a folder where the Mithril signer will store its data (eg,/opt/mithril/stores
)STORE_RETENTION_LIMIT
: if set, this will limit the number of records in some internal stores (5 is a good fit)ERA_READER_ADAPTER_TYPE=cardano-chain
: replacecardano-chain
with the era reader adapter type used in your Mithril networkERA_READER_ADAPTER_PARAMS={"address": "...", "verification_key": "..."}
: replace{"address": "...", "verification_key": "..."}
with the era reader parameters that you need to compute by running the commandjq -nc --arg address $(wget -q -O - **YOUR_ERA_READER_ADDRESS**) --arg verification_key $(wget -q -O - **YOUR_ERA_READER_VERIFICATION_KEY**) '{"address": $address, "verification_key": $verification_key}'
RELAY_ENDPOINT=http://192.168.1.50:3132
(optional): this is the endpoint of the Mithril relay, which is required for production deployment only. For naive deployment, do not set this variable in your environment file.
Here is an example set of values for release-preprod that will be used in this guide in the tip boxes to illustrate some commands:
- YOUR_KES_SECRET_KEY_PATH:
/cardano/keys/kes.skey
- YOUR_OPERATIONAL_CERTIFICATE_PATH:
/cardano/keys/node.cert
- YOUR_CARDANO_NETWORK:
preprod
- YOUR_AGGREGATOR_ENDPOINT:
https://aggregator.release-preprod.api.mithril.network/aggregator
- YOUR_ERA_READER_ADAPTER_TYPE:
cardano-chain
- YOUR_ERA_READER_ADAPTER_PARAMS:
{"address": "addr_test1qpkyv2ws0deszm67t840sdnruqgr492n80g3y96xw3p2ksk6suj5musy6w8lsg3yjd09cnpgctc2qh386rtxphxt248qr0npnx", "verification_key": "5b35352c3232382c3134342c38372c3133382c3133362c34382c382c31342c3138372c38352c3134382c39372c3233322c3235352c3232392c33382c3234342c3234372c3230342c3139382c31332c33312c3232322c32352c3136342c35322c3130322c39312c3132302c3230382c3134375d"}
- YOUR_RELAY_ENDPOINT:
192.168.1.50
- YOUR_RELAY_LISTENING_PORT:
3132
- YOUR_BLOCK_PRODUCER_INTERNAL_IP:
192.168.1.75
- YOUR_SIGNER_LOGS_PATH:
/var/log/syslog
- YOUR_PARTY_ID:
pool1hp72sauk0g0yqm4dzllz0pz6j93gewhllkzphn4hykkfmne43y
First, create an environment file that the service will use:
- for production deployment:
sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
KES_SECRET_KEY_PATH=**YOUR_KES_SECRET_KEY_PATH**
OPERATIONAL_CERTIFICATE_PATH=**YOUR_OPERATIONAL_CERTIFICATE_PATH**
NETWORK=**YOUR_CARDANO_NETWORK**
AGGREGATOR_ENDPOINT=**YOUR_AGGREGATOR_ENDPOINT**
RUN_INTERVAL=60000
DB_DIRECTORY=/cardano/db
CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket
CARDANO_CLI_PATH=/app/bin/cardano-cli
DATA_STORES_DIRECTORY=/opt/mithril/stores
STORE_RETENTION_LIMIT=5
ERA_READER_ADAPTER_TYPE=**YOUR_ERA_READER_ADAPTER_TYPE**
ERA_READER_ADAPTER_PARAMS=**YOUR_ERA_READER_ADAPTER_PARAMS**
RELAY_ENDPOINT=**YOUR_RELAY_ENDPOINT**
EOF'
Here is an example of the aforementioned command created with the example set for release-preprod
:
sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
KES_SECRET_KEY_PATH=/cardano/keys/kes.skey
OPERATIONAL_CERTIFICATE_PATH=/cardano/keys/node.cert
NETWORK=preprod
AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator
RUN_INTERVAL=60000
DB_DIRECTORY=/cardano/db
CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket
CARDANO_CLI_PATH=/app/bin/cardano-cli
DATA_STORES_DIRECTORY=/opt/mithril/stores
STORE_RETENTION_LIMIT=5
ERA_READER_ADAPTER_TYPE=cardano-chain
ERA_READER_ADAPTER_PARAMS={"address": "addr_test1qpkyv2ws0deszm67t840sdnruqgr492n80g3y96xw3p2ksk6suj5musy6w8lsg3yjd09cnpgctc2qh386rtxphxt248qr0npnx", "verification_key": "5b35352c3232382c3134342c38372c3133382c3133362c34382c382c31342c3138372c38352c3134382c39372c3233322c3235352c3232392c33382c3234342c3234372c3230342c3139382c31332c33312c3232322c32352c3136342c35322c3130322c39312c3132302c3230382c3134375d"}
RELAY_ENDPOINT=http://192.168.1.50:3132
EOF'
- for naive deployment:
sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
KES_SECRET_KEY_PATH=**YOUR_KES_SECRET_KEY_PATH**
OPERATIONAL_CERTIFICATE_PATH=**YOUR_OPERATIONAL_CERTIFICATE_PATH**
NETWORK=**YOUR_CARDANO_NETWORK**
AGGREGATOR_ENDPOINT=**YOUR_AGGREGATOR_ENDPOINT**
RUN_INTERVAL=60000
DB_DIRECTORY=/cardano/db
CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket
CARDANO_CLI_PATH=/app/bin/cardano-cli
DATA_STORES_DIRECTORY=/opt/mithril/stores
STORE_RETENTION_LIMIT=5
ERA_READER_ADAPTER_TYPE=**YOUR_ERA_READER_ADAPTER_TYPE**
ERA_READER_ADAPTER_PARAMS=**YOUR_ERA_READER_ADAPTER_PARAMS**
EOF'
Here is an example of the aforementioned command created with the example set for release-preprod
:
sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
KES_SECRET_KEY_PATH=/cardano/keys/kes.skey
OPERATIONAL_CERTIFICATE_PATH=/cardano/keys/node.cert
NETWORK=preprod
AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator
RUN_INTERVAL=60000
DB_DIRECTORY=/cardano/db
CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket
CARDANO_CLI_PATH=/app/bin/cardano-cli
DATA_STORES_DIRECTORY=/opt/mithril/stores
STORE_RETENTION_LIMIT=5
ERA_READER_ADAPTER_TYPE=cardano-chain
ERA_READER_ADAPTER_PARAMS={"address": "addr_test1qpkyv2ws0deszm67t840sdnruqgr492n80g3y96xw3p2ksk6suj5musy6w8lsg3yjd09cnpgctc2qh386rtxphxt248qr0npnx", "verification_key": "5b35352c3232382c3134342c38372c3133382c3133362c34382c382c31342c3138372c38352c3134382c39372c3233322c3235352c3232392c33382c3234342c3234372c3230342c3139382c31332c33312c3232322c32352c3136342c35322c3130322c39312c3132302c3230382c3134375d"}
EOF'
Then, create a /etc/systemd/system/mithril-signer.service
description file for the service:
sudo bash -c 'cat > /etc/systemd/system/mithril-signer.service << EOF
[Unit]
Description=Mithril signer service
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=60
User=cardano
EnvironmentFile=/opt/mithril/mithril-signer.env
ExecStart=/opt/mithril/mithril-signer -vvv
[Install]
WantedBy=multi-user.target
EOF'
Reload the service configuration (optional):
sudo systemctl daemon-reload
Then, start the service:
sudo systemctl start mithril-signer
Register the service to start on boot:
sudo systemctl enable mithril-signer
Monitor the status of the service:
systemctl status mithril-signer.service
Finally, monitor the logs of the service:
tail -f /var/log/syslog | grep mithril-signer
Activate Prometheus endpointβ
The Mithril signer node can expose basic metrics on a Prometheus endpoint, which is not activated by default.
Metrics | Description |
---|---|
mithril_signer_signer_registration_success_since_startup | Number of successful signer registrations since startup on a Mithril signer node |
mithril_signer_signer_registration_total_since_startup | Number of signer registrations since startup on a Mithril signer node |
mithril_signer_signer_registration_success_last_epoch | Latest epoch at which signer successfully registered on a Mithril signer node |
mithril_signer_signature_registration_success_since_startup | Number of successful signature registrations since startup on a Mithril signer node |
mithril_signer_signature_registration_total_since_startup | Number of signature registrations since startup on a Mithril signer node |
mithril_signer_signature_registration_success_last_epoch | Latest epoch at which signature successfully registered on a Mithril signer node |
mithril_signer_runtime_cycle_success_since_startup | Number of successful runtime cycles since startup on a Mithril signer node |
mithril_signer_runtime_cycle_total_since_startup | Number of runtime cycles since startup on a Mithril signer node |
To expose metrics on the endpoint, append the following environment variable to your environment file. In that case, the metrics server will listen on the 9090
port:
sudo bash -c 'cat >> /opt/mithril/mithril-signer.env << EOF
ENABLE_METRICS_SERVER=true
EOF`
You can also specify a custom listen IP address and port for the metrics server:
sudo bash -c 'cat >> /opt/mithril/mithril-signer.env << EOF
ENABLE_METRICS_SERVER=true
METRICS_SERVER_IP=**YOUR_METRICS_SERVER_IP**
METRICS_SERVER_PORT=**YOUR_METRICS_SERVER_PORT**
EOF`
Here is an example that reproduces the default configuration for the Prometheus server:
sudo bash -c 'cat >> /opt/mithril/mithril-signer.env << EOF
ENABLE_METRICS_SERVER=true
METRICS_SERVER_IP=0.0.0.0
METRICS_SERVER_PORT=9090
EOF`
When activated, the metrics endpoint will be accessible to the http://**YOUR_METRICS_SERVER_IP**:**YOUR_METRICS_SERVER_PORT**/metrics
location, which translates to http://0.0.0.0:9090/metrics
with the default configuration.
Additionally, a Grafana template has been created to easily set up a dashboard for this Prometheus endpoint (ID 20776): https://grafana.com/grafana/dashboards/20776-mithril-signer/
Rotating the KES keysβ
When the KES keys expire, the Mithril signer cannot register with the Mithril protocol.
After rotating the KES keys on your Cardano block producer, we recommend following this upgrade procedure for your Mithril signer node:
- Update the
KES_SECRET_KEY_PATH
entry of your environment file to reflect the location of the new KES secret key file - Update the
OPERATIONAL_CERTIFICATE_PATH
entry of your environment file to reflect the location of the new operational certificate file - Restart your Mithril signer service with the following command:
sudo systemctl restart mithril-signer
- Check the logs of your signer node and make sure that it has successfully registered after restarting (the following log should be displayed:
STATE MACHINE: new cycle: Registered
).
Set up the Mithril relay nodeβ
-
For production deployment, the setup of the Mithril relay is performed on the Cardano relay machine
-
For naive deployment, this step is not necessary.
Building Squid from sourceβ
-
If you have already installed
Squid
viaapt
package manager, we recommend that you delete it before manually building it from source by running the following commands:sudo systemctl stop squid
sudo apt remove squid
sudo apt autoremove
.
-
The FAQ for compiling
Squid
is available here. -
You will need a C++ compiler that can be installed with the
sudo apt install build-essential
command.
On the Squid page listing released versions, identify the latest stable released version (currently 6.9
) and download it:
wget https://www.squid-cache.org/Versions/v6/squid-6.9.tar.gz
Uncompress the downloaded archive and change the directory:
tar xzf squid-6.9.tar.gz
cd squid-6.9
Then, configure the compilation:
./configure \
--prefix=/opt/squid \
--localstatedir=/opt/squid/var \
--libexecdir=/opt/squid/lib/squid \
--datadir=/opt/squid/share/squid \
--sysconfdir=/etc/squid \
--with-default-user=squid \
--with-logdir=/opt/squid/var/log/squid \
--with-pidfile=/opt/squid/var/run/squid.pid
Compile the sources:
make
And install squid
binary:
sudo make install
Optionally, verify that the version is correct:
/opt/squid/sbin/squid -v
You should see a result like this:
Squid Cache: Version 6.9
Service Name: squid
configure options: '--prefix=/opt/squid' '--localstatedir=/opt/squid/var' '--libexecdir=/opt/squid/lib/squid' '--datadir=/opt/squid/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=squid' '--with-logdir=/opt/squid/var/log/squid' '--with-pidfile=/opt/squid/var/run/squid.pid'
Configuring the Squid proxyβ
The Mithril relay node serves as a forward proxy, relaying traffic between the Mithril signer and the Mithril aggregator. When appropriately configured, it facilitates the security of the block-producing node. You can use squid
to operate this forward proxy, and this section presents a recommended configuration.
Make a copy of the original configuration:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
Prepare the forward proxy configuration file:
sudo bash -c 'cat > /etc/squid/squid.conf << EOF
# Listening port (port 3132 is recommended)
http_port **YOUR_RELAY_LISTENING_PORT**
# ACL for internal IP of your block producer node
acl block_producer_internal_ip src **YOUR_BLOCK_PRODUCER_INTERNAL_IP**
# ACL for aggregator endpoint
acl aggregator_domain dstdomain .mithril.network
# ACL for SSL port only
acl SSL_port port 443
# Allowed traffic
http_access allow block_producer_internal_ip aggregator_domain SSL_port
# Do not disclose block producer internal IP
forwarded_for delete
# Turn off via header
via off
# Deny request for original source of a request
follow_x_forwarded_for deny all
# Anonymize request headers
request_header_access Authorization allow all
request_header_access Proxy-Authorization allow all
request_header_access Cache-Control allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Connection allow all
request_header_access All deny all
# Disable cache
cache deny all
# Deny everything else
http_access deny all
EOF'
Here is an example of the aforementioned command created with the example set for release-preprod
:
sudo bash -c 'cat > /etc/squid/squid.conf << EOF
# Listening port (port 3132 is recommended)
http_port 3132
# ACL for internal IP of your block producer node
acl block_producer_internal_ip src 192.168.1.75
# ACL for aggregator endpoint
acl aggregator_domain dstdomain .mithril.network
# ACL for SSL port only
acl SSL_port port 443
# Allowed traffic
http_access allow block_producer_internal_ip aggregator_domain SSL_port
# Do not disclose block producer internal IP
forwarded_for delete
# Turn off via header
via off
# Deny request for original source of a request
follow_x_forwarded_for deny all
# Anonymize request headers
request_header_access Authorization allow all
request_header_access Proxy-Authorization allow all
request_header_access Cache-Control allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Connection allow all
request_header_access All deny all
# Disable cache
cache deny all
# Deny everything else
http_access deny all
EOF'
In case you are using the same Cardano relay for multiple Cardano block producers, you will need to add a new line per block producer to authorize its internal IP:
# ACL for internal IP of your block producer node
acl block_producer_internal_ip src **YOUR_BLOCK_PRODUCER_INTERNAL_IP_1**
acl block_producer_internal_ip src **YOUR_BLOCK_PRODUCER_INTERNAL_IP_2**
acl block_producer_internal_ip src **YOUR_BLOCK_PRODUCER_INTERNAL_IP_3**
With this configuration, the proxy will:
- accept incoming traffic originating from the internal IP of the block-producing machine
- accept incoming traffic directed to the listening port of the proxy
- accept incoming HTTPS traffic proxied to
mithril.network
domain hosts - anonymize the traffic completely and avoid disclosing any information about the block-producing machine
- deny all other traffic.
Installing the serviceβ
Create (or re-use) an unprivileged system user on the machine:
sudo adduser --system --no-create-home --group squid
Change ownership of /opt/squid/var
directory:
sudo chown squid -R /opt/squid/var/
sudo chgrp squid -R /opt/squid/var/
Create a /etc/systemd/system/squid.service
description file for the service:
sudo bash -c 'cat > /etc/systemd/system/squid.service << EOF
[Unit]
Description=Squid service
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=60
User=squid
Group=squid
ExecStart=/opt/squid/sbin/squid -f /etc/squid/squid.conf -d5
PIDFile=/opt/squid/var/run/squid.pid
[Install]
WantedBy=multi-user.target
EOF'
Reload the service configuration (optional):
sudo systemctl daemon-reload
Then, start the service:
sudo systemctl start squid
Register the service to start on boot:
sudo systemctl enable squid
Monitor the status of the service:
systemctl status squid
Finally, monitor the logs of the service:
tail -f /var/log/syslog | grep squid
And monitor squid access logs:
sudo tail -f /opt/squid/var/log/squid/access.log
If your Squid service does not start properly and you have the error message FATAL: /dev/null (13) Permission denied
in the logs of the service, it means that some permissions need to be fixed following the creation of the new squid
user by running the following commands:
sudo chmod 666 /dev/null
sudo systemctl restart squid
Firewall configurationβ
We assume that the Cardano relay machine is protected by a firewall. Therefore, it is necessary to allow the proxied traffic originating from the Cardano block producer through this firewall.
About the Cardano relay machineβ
You need to allow incoming traffic on the listening port of the Mithril relay on the Cardano relay machine, originating from the Cardano block producer machine.
Assuming you are using Uncomplicated Firewall
(0.36+
), the command to open that traffic is:
sudo ufw allow from **YOUR_BLOCK_PRODUCER_INTERNAL_IP** to any port **YOUR_RELAY_LISTENING_PORT** proto tcp
Here is an example of the aforementioned command created with the example set for release-preprod
:
sudo ufw allow from 192.168.1.75 to any port 3132 proto tcp
Assuming you are using Iptables
(1.8.7+
), the command to open that traffic is:
sudo iptables -A INPUT -s **YOUR_BLOCK_PRODUCER_INTERNAL_IP** -p tcp --dport **YOUR_RELAY_LISTENING_PORT** -j ACCEPT
sudo iptables -L -v
sudo service netfilter-persistent save
Here is an example of the aforementioned command created with the example set for release-preprod
:
sudo iptables -A INPUT -s 192.168.1.75 -p tcp --dport 3132 -j ACCEPT
sudo iptables -L -v
sudo service netfilter-persistent save
Verify the Mithril signer deploymentβ
There is a delay of 2
epochs between the signer node's registration and its ability to generate individual signatures. This delay is further explained in the Mithril certificate chain in depth documentation.
Once this delay has passed, you should be able to observe your PoolId
listed in some of the certificates accessible on the Mithril Explorer
.
Verify your signer is registeredβ
After installing the Mithril signer, you can verify that your node is registered.
First, download the script into the desired directory:
wget https://mithril.network/doc/scripts/verify_signer_registration.sh
Make the script executable:
chmod +x verify_signer_registration.sh
Finally, execute the script:
PARTY_ID=**YOUR_PARTY_ID** AGGREGATOR_ENDPOINT=**YOUR_AGGREGATOR_ENDPOINT** ./verify_signer_registration.sh
Here is an example command:
PARTY_ID=pool1hp72sauk0g0yqm4dzllz0pz6j93gewhllkzphn4hykkfmne43y AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator ./verify_signer_registration.sh
If your signer is registered, you should see this message:
>> Congrats, your signer node is registered!
Otherwise, you should see this error message:
>> Oops, your signer node is not registered. Party ID not found among the signers registered at epoch 430.
Verify your signer contributes with individual signaturesβ
After waiting for two epochs, you will be able to verify that your signer is contributing with individual signatures.
First, download the script into the desired directory:
wget https://mithril.network/doc/scripts/verify_signer_signature.sh
Make the script executable:
chmod +x verify_signer_signature.sh
Finally, execute the script:
PARTY_ID=**YOUR_PARTY_ID** AGGREGATOR_ENDPOINT=**YOUR_AGGREGATOR_ENDPOINT** ./verify_signer_signature.sh
Here is an example of the aforementioned command created with the example set for release-preprod
:
PARTY_ID=pool1hp72sauk0g0yqm4dzllz0pz6j93gewhllkzphn4hykkfmne43y AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator ./verify_signer_signature.sh
If your signer is contributing, you should see this message:
>> Congrats, you have signed this certificate: https://aggregator.release-preprod.api.mithril.network/aggregator/certificate/el3p289b03a223244285b2ls10839846ae7a69f1e8362824a383f376f93f723f !
Otherwise, you should see this error message:
>> Oops, your party id was not found in the last 20 certificates. Please try again later.