This guide is built with a combination of information from:
- https://www.coincashew.com/coins/overview-eth/guide-or-how-to-setup-a-validator-on-eth2-testnet-prater
- https://www.coincashew.com/coins/overview-eth/guide-or-security-best-practices-for-a-eth2-validator-beaconchain-node
- https://www.coincashew.com/coins/overview-eth/guide-or-how-to-setup-a-validator-on-eth2-mainnet/monitoring-your-validator-with-grafana-and-prometheus
- https://someresat.medium.com/guide-to-staking-on-ethereum-2-0-ubuntu-prater-teku-3249f1922385
- https://docs.teku.consensys.net/en/stable/
- https://ethereum.org/en/eth2/staking/
- https://launchpad.ethereum.org/en/
This guide has references to "Prater," an Ethereum Testnet. Mainnet setup is nearly identical with only a few configurations and parameters changed. Make sure any external interactions through Metamask, Launchpad, beaconcha.in, etc. match your network expectations.
- Set BIOS to power-on on power restore
- Disable Intel® TurboBoost1 in BIOS (Performance -> Power Settings)
- Install Ubuntu from USB: https://ubuntu.com/download/server
- SFTP and SSH clients for remote administration
- Additional USB to transfer files from key-generating machine to staking machine if not using local network
- Goerli Testnet ETH
- Validator keys and deposit files - Steps 1 and 2 OR you can skip all the hard stuff and use the Wagyu GUI. No matter what process you pick, please generate these validator keys on a secure machine.
- Assign a static IP to your staking machine on either your local network or your WAN if possible.
- Open ports on router for SSH access (default port 22) (optional if not managing locally), p2p (9000), and eth1 (30303)
This is personal thing, – no one else needs this.
git clone https://github.com/jaseg/lolcat.git
cd lolcat
sudo apt install make
sudo apt install gcc
make
sudo make install
cd ..
rm -rf lolcat
Running this command for the first time after a new install is always smart. It will be necessary to update your machine regularly (and manually, repeating these steps) to keep abreast of security and critical package updates.
sudo apt-get update -y && sudo apt dist-upgrade -y
sudo apt-get autoremove && sudo apt-get autoclean
sudo passwd -l root
By default, deny all incoming and outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow ssh access
sudo ufw allow ssh #22/tcp
Allow p2p ports
sudo ufw allow 9000/tcp comment p2p
sudo ufw allow 9000/udp comment p2p
Allow eth1 port
sudo ufw allow 30303/tcp comment eth1
sudo ufw allow 30303/udp comment eth1
Allow grafana web server port
sudo ufw allow 3000/tcp comment grafana
Enable prometheus endpoint port
sudo ufw allow 9090/tcp comment prometheus
Enable teku api
sudo ufw allow 5051 comment teku-rest-api
Enable firewall
sudo ufw enable
Check firewall status:
sudo ufw status numbered
Output should look like:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 9000/tcp ALLOW IN Anywhere # p2p
[ 3] 9000/udp ALLOW IN Anywhere # p2p
[ 4] 30303/tcp ALLOW IN Anywhere # eth1
[ 5] 30303/udp ALLOW IN Anywhere # eth1
[ 6] 3000/tcp ALLOW IN Anywhere # grafana
[ 7] 9090/tcp ALLOW IN Anywhere # prometheus
[ 8] 5051 ALLOW IN Anywhere # teku-rest-api
[ 9] 22/tcp (v6) ALLOW IN Anywhere (v6)
[10] 9000/tcp (v6) ALLOW IN Anywhere (v6) # p2p
[11] 9000/udp (v6) ALLOW IN Anywhere (v6) # p2p
[12] 30303/tcp (v6) ALLOW IN Anywhere (v6) # eth1
[13] 30303/udp (v6) ALLOW IN Anywhere (v6) # eth1
[14] 3000/tcp (v6) ALLOW IN Anywhere (v6) # grafana
[15] 9090/tcp (v6) ALLOW IN Anywhere (v6) # prometheus
[16] 5051 (v6) ALLOW IN Anywhere (v6) # teku-rest-api
Check current configuration:
df -h #
sudo lvdisplay #
Change configuration:
sudo lvm
lvm> lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv
lvm> lvextend -l +100%FREE -r /dev/ubuntu-vg/ubuntu-lv
lvm> exit
sudo resize2fs /dev/ubuntu-vg/ubuntu-lv
Check new configuration:
df -h #
sudo lvdisplay #
nano
, a command you will see referenced from here on out, is a text editor. Here are some basics you will need to know:
- The bottom bar once you launch nano shows possible commands, based on context. The carrot symbol (
^
) means the "Control" key on your keyboard. So,^X
means press theControl
key and thex
key at the same time to exit. - To save a file, or as nano calls it, "Write Out",
^O
(Control + O). - Navigation is accomplished with the arrow keys, or
^Y
for page-up,^V
for page-down. - To search, press
^W
("Where Is"), then type in your search and hit Enter. - To exit nano,
^X
. If changes have been made, but not yet saved, nano will prompt to confirm changes, or if you want to discard or cancel the exit operation altogether.
Install apcupsd (optional for UPS backups - requires USB cable)
If you do not have a UPS skip this step.
If your UPS does not have a USB connection to allow it to be plugged into the staking machine, skip this step.
sudo apt-get install apcupsd
Edit the name and device in apcupsd.conf
configuration:
sudo nano /etc/apcupsd/apcupsd.conf
Reboot the machine:
sudo reboot
sudo nano /etc/ssh/sshd_config
Edit sshd_config
:
KbdInteractiveAuthentication no
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
Confirm sshd
's configuration is error-free (there should be no output from this command):
sudo sshd -t
sudo nano /etc/fstab
Add the following line to fstab
:
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
Reboot the machine:
sudo reboot
This helps provide more legible log output
sudo apt install ccze
sudo apt-get install fail2ban -y
sudo nano /etc/fail2ban/jail.local
Add the following to jail.local
:
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
ignoreip = 127.0.0.0/8 10.0.0.0/8 192.168.0.0/16
sudo systemctl restart fail2ban
This is Two-Factor Authentication for use with an app like Google Authenticator or Authy for an added layer of security to access the machine. The first layer, is, of course, SSH keys – a process not explained in this guide. Supplemental information about this process can be found here.
sudo apt install libpam-google-authenticator -y
Edit the sshd
file:
sudo nano /etc/pam.d/sshd
Add the following to the sshd
file:
auth required pam_google_authenticator.so
Find and comment out the below line by adding # in front of it:
#@include common-auth
Restart the sshd
service:
sudo systemctl restart sshd
Edit the sshd_config
file:
sudo nano /etc/ssh/sshd_config
Find and set the following within the sshd_config
file:
KbdInteractiveAuthentication yes
UsePAM yes
Add the following to the sshd_config
file:
AuthenticationMethods publickey,keyboard-interactive
Confirm sshd
's configuration is error-free (there should be no output from this command):
sudo sshd -t
Set up 2FA:
google-authenticator
Answers to google-authenticator
setup:
- yes
- yes
- yes
- no
- yes
Restart the sshd
service:
sudo systemctl restart sshd
Log out of the server:
exit
Log back in to server via SSH to see 2FA in action.
Synchronized time management is important. Chrony handles that better than the in-built system service.
sudo apt install chrony
Now, we need to edit the chrony service file to use a better time server.
sudo nano /etc/chrony/chrony.conf
# replacing original ubuntu servers by Google servers
# pool ntp.ubuntu.com iburst maxsources 4
# pool 0.ubuntu.pool.ntp.org iburst maxsources 1
# pool 1.ubuntu.pool.ntp.org iburst maxsources 1
# pool 2.ubuntu.pool.ntp.org iburst maxsources 2
server time1.google.com iburst minpoll 4 maxpoll 6 polltarget 16
server time2.google.com iburst minpoll 4 maxpoll 6 polltarget 16
server time3.google.com iburst minpoll 4 maxpoll 6 polltarget 16
server time4.google.com iburst minpoll 4 maxpoll 6 polltarget 16
# rest of the doc ...
# leapsectz right/UTC
Finally, restart the chrony service:
sudo systemctl restart chrony.service
Since we are running Teku (and possibly Besu) we need to install Java:
sudo apt install openjdk-17-jdk
Determine the latest release version by visiting: https://github.com/prometheus/prometheus/releases
As of this writing, the latest release is v2.32.1
Replace any occurance of an incorrect release version below with the latest.
sudo useradd --no-create-home --shell /bin/false prometheus
sudo useradd --no-create-home --shell /bin/false node_exporter
sudo mkdir /etc/prometheus
sudo mkdir /var/lib/prometheus
sudo chown -R prometheus:prometheus /etc/prometheus
sudo chown -R prometheus:prometheus /var/lib/prometheus
cd ~
curl -LO https://github.com/prometheus/prometheus/releases/download/v2.32.1/prometheus-2.32.1.linux-amd64.tar.gz
tar xvf prometheus-2.32.1.linux-amd64.tar.gz
sudo cp prometheus-2.32.1.linux-amd64/prometheus /usr/local/bin/
sudo cp prometheus-2.32.1.linux-amd64/promtool /usr/local/bin/
sudo cp -r prometheus-2.32.1.linux-amd64/consoles /etc/prometheus
sudo cp -r prometheus-2.32.1.linux-amd64/console_libraries /etc/prometheus
sudo chown -R prometheus:prometheus /etc/prometheus/consoles
sudo chown -R prometheus:prometheus /etc/prometheus/console_libraries
rm -rf prometheus-2.32.1.linux-amd64
rm prometheus-2.32.1.linux-amd64.tar.gz
Edit the prometheus.yml
file:
sudo nano /etc/prometheus/prometheus.yml
Make sure the prometheus.yml
file includes the below configuration. Pay special attention to spacing. Two spaces are required for each indentation.
Optionally, change scrape_interval: 5s
and scape_timeout: 3s
for faster metrics updating at the expense of CPU load.
Also note, you probably aren't running geth
and besu
. Both configurations are included here as an example, however.
global:
scrape_interval: 15s
scrape_configs:
- job_name: "prometheus"
static_configs:
- targets: ["localhost:9090"]
- job_name: "node_exporter"
static_configs:
- targets: ["localhost:9100"]
- job_name: "geth"
scrape_timeout: 3s
metrics_path: /debug/metrics/prometheus
scheme: http
static_configs:
- targets: ['localhost:6060']
- job_name: "besu"
scrape_timeout: 3s
metrics_path: /metrics
scheme: http
static_configs:
- targets: ["localhost:9545"]
- job_name: "teku"
scrape_timeout: 3s
metrics_path: /metrics
scheme: http
static_configs:
- targets: ["localhost:8008"]
Change permissions on the prometheus.yml
file:
sudo chown -R prometheus:prometheus /etc/prometheus/prometheus.yml
Edit the prometheus.service
file:
sudo nano /etc/systemd/system/prometheus.service
Add the following to the prometheus.service
file:
[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=prometheus
Group=prometheus
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/prometheus \
--config.file /etc/prometheus/prometheus.yml \
--storage.tsdb.path /var/lib/prometheus/ \
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries
[Install]
WantedBy=multi-user.target
Reload prometheus:
sudo systemctl daemon-reload
sudo systemctl start prometheus
Check the status. There should be a green active
in the output:
sudo systemctl status prometheus
Enable the service:
sudo systemctl enable prometheus
Determine the latest release version by visiting: https://github.com/prometheus/node_exporter/releases
As of this writing, the latest release is v1.3.1
Replace any occurance of an incorrect release version below with the latest.
cd ~
curl -LO https://github.com/prometheus/node_exporter/releases/download/v1.3.1/node_exporter-1.3.1.linux-amd64.tar.gz
tar xvf node_exporter-1.3.1.linux-amd64.tar.gz
sudo cp node_exporter-1.3.1.linux-amd64/node_exporter /usr/local/bin
sudo chown -R node_exporter:node_exporter /usr/local/bin/node_exporter
rm -rf node_exporter-1.3.1.linux-amd64
rm node_exporter-1.3.1.linux-amd64.tar.gz
sudo nano /etc/systemd/system/node_exporter.service
Add the following to the node_exporter.service
file:
[Unit]
Description=Node Exporter
Wants=network-online.target
After=network-online.target
[Service]
User=node_exporter
Group=node_exporter
Type=simple
ExecStart=/usr/local/bin/node_exporter
[Install]
WantedBy=multi-user.target
Reload node exporter:
sudo systemctl daemon-reload
sudo systemctl start node_exporter
Check the status. There should be a green active
in the output:
sudo systemctl status node_exporter
Enable the service:
sudo systemctl enable node_exporter
curl -s -0 https://packages.grafana.com/gpg.key | sudo apt-key add -
sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main"
sudo apt update
sudo apt install grafana
sudo systemctl start grafana-server
Check the status. There should be a green active
in the output:
sudo systemctl status grafana-server
Enable the service:
sudo systemctl enable grafana-server
sudo nano /etc/grafana/grafana.ini
;min_refresh_interval = 1s
sudo systemctl restart grafana-server
- Open
http://localhost:3000
orhttp://<your validator's ip address or name>:3000
in your local browser. - Login with
admin
/admin
- Change password
- Click the
configuration gear
icon, thenAdd Data Source
- Select
Prometheus
- Set Name to "Prometheus"
- Set URL to
http://localhost:9090
- Click
Save & Test
- Download and save your consensus client's json file: Teku
- Download and save your execution client's json file: Geth
- Download and save a node-exporter dashboard for general system monitoring.
- Click Create
+
icon >Import
- Add the consensus client dashboard via
Upload JSON file
- If needed, select Prometheus as
Data Source
. - Click the
Import
button. - Repeat steps 12-15 for the execution client dashboard.
- Repeat steps 12-15 for the node-exporter dashboard.
sudo mkdir -p /var/lib/ethereum
openssl rand -hex 32 | tr -d "\n" | sudo tee /var/lib/ethereum/jwttoken
sudo chmod +r /var/lib/ethereum/jwttoken
Warning Only install Geth or Besu or Nethermind. Not each.
sudo add-apt-repository -y ppa:ethereum/ethereum
sudo apt-get update -y
sudo apt dist-upgrade -y
sudo apt install geth -y
Set permissions for geth:
sudo useradd --no-create-home --shell /bin/false goeth
sudo mkdir -p /var/lib/goethereum
sudo chown -R goeth:goeth /var/lib/goethereum
Configure geth:
sudo nano /etc/systemd/system/geth.service
Add the following to the geth.service
file:
[Unit]
Description=Ethereum go client
After=network.target
Wants=network.target
[Service]
User=goeth
Group=goeth
Type=simple
Restart=always
RestartSec=5
ExecStart=geth --goerli --http --datadir /var/lib/goethereum --metrics --pprof
[Install]
WantedBy=default.target
Reload geth:
sudo systemctl daemon-reload
sudo systemctl start geth
Check the status. There should be a green active
in the output:
sudo systemctl status geth
Enable the service:
sudo systemctl enable geth
Wait for Geth to sync and monitor with:
sudo journalctl -fu geth -o cat | ccze -A
Monitoring of the sync process which must be complete before proceeding can also be performed with the following commmands and looking for a return value of false
. Anything else means syncing is still in progress
geth attach http://127.0.0.1:8545
> eth.syncing
Download the latest version of Besu and extract:
cd ~
wget https://hyperledger.jfrog.io/artifactory/besu-binaries/besu/22.7.0/besu-22.7.0.tar.gz
tar xvf besu-22.7.0.tar.gz
rm besu-22.7.0.tar.gz
sudo cp -a besu-22.7.0/. /usr/local/bin/besu
rm -rf ./besu-22.7.0
Create a user for besu:
sudo useradd --no-create-home --shell /bin/false besu
sudo mkdir -p /var/lib/besu
sudo mkdir -p /etc/besu
sudo chown -R besu:besu /var/lib/besu
sudo chown -R besu:besu /etc/besu
Create the Besu service configuration:
sudo nano /etc/besu/besu.toml
Add the following to besu.toml
:
network="mainnet"
sync-mode="X_CHECKPOINT"
rpc-ws-enabled=true
rpc-http-enabled=true
rpc-http-port="8545"
rpc-http-host="0.0.0.0"
rpc-http-api=["TXPOOL"]
engine-rpc-port="8551"
engine-host-allowlist=["localhost","127.0.0.1"]
data-path="/var/lib/besu"
data-storage-format="BONSAI"
metrics-enabled=true
engine-jwt-secret="/var/lib/ethereum/jwttoken"
Create the Besu service:
sudo nano /etc/systemd/system/besu.service
Add the following to the besu.service
definition:
[Unit]
Description=Besu Ethereum Client
After=network.target
Wants=network.target
[Service]
User=besu
Group=besu
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/besu/bin/besu \
--config-file=/etc/besu/besu.toml
[Install]
WantedBy=default.target
Re/Start Besu:
sudo systemctl daemon-reload
sudo systemctl start besu
Check the status. There should be a green active
in the output:
sudo systemctl status besu
Enable the service:
sudo systemctl enable besu
Monitor Beacon Chain syncing progress, peers, and other information:
sudo journalctl -fu besu -o cat | ccze -A
Coming Soon
cd ~
git clone https://github.com/Consensys/teku.git
cd teku
sudo ./gradlew installDist
cd ~
sudo cp -a teku/build/install/teku/. /usr/local/bin/teku
sudo useradd --no-create-home --shell /bin/false teku
sudo mkdir -p /var/lib/teku
sudo mkdir -p /etc/teku
sudo chown $(whoami):$(whoami) /var/lib/teku
- Generate Validator keys and deposit files - Steps 1 and 2 OR you can skip all the hard stuff and use the Wagyu GUI. No matter what process you pick, please generate these validator keys on a secure machine.
- Create password files for validator keys:
- Copy every
keystore-m*.json
file and rename the copies to have.txt
as the file extension - Open each file and replace all contents with the keystore password created in Step 1.
- Copy every
- Use an SFTP program or a USB key to move files to the NUC in your home folder
Move validator keys from your home folder to Teku:
sudo cp -r $HOME/validator_keys /var/lib/teku
sudo rm /var/lib/teku/validator_keys/deposit_data*
Set permissions for keys:
sudo chown -R teku:teku /var/lib/teku
sudo chown -R teku:teku /etc/teku
sudo chmod -R 700 /var/lib/teku/validator_keys
👉 You will need to sign up for a free Infura (https://www.infura.io) account and create a new ETH1 project and a new ETH2 project.
Create the Teku configuration:
sudo nano /etc/teku/teku.yaml
Add the following to teku.yaml
:
# EXAMPLE FILE - DO NOT CUT AND PASTE WITHOUT CHANGES
data-base-path: "/var/lib/teku"
network: "prater"
# if quick-sync is desired, replace the state URL with your information from Infura
initial-state: "https://XXX:[email protected]/eth/v1/debug/beacon/states/finalized"
validator-keys: "/var/lib/teku/validator_keys:/var/lib/teku/validator_keys"
# change this to your Ethereum withdrawal address (or any other address you'd like proposal fees to go
validators-proposer-default-fee-recipient: "0x..."
validators-graffiti: "XXX"
# optionally use a file for graffiti, but make sure it is world-readable
# validators-graffiti-file: "/home/USERDIR/graffiti.txt"
p2p-port: 9000
p2p-peer-upper-bound: 100
log-destination: "CONSOLE"
metrics-enabled: true
metrics-port: 8008
# if you are using beaconcha.in to monitor your machine, include the appropriate URL below
metrics-publish-endpoint: "https://beaconcha.in/api/v1/client/metrics?apikey=APIKEY&machine=MACHINENAME"
# replace hostname with the name of your staking machine
rest-api-host-allowlist: ["localhost", "127.0.0.1", "hostname"]
rest-api-enabled: true
rest-api-docs-enabled: true
# we're testing or post-merge, so the following two lines are required. Be sure to comment out/remove the eth1-endpoint line above
ee-endpoint: "http://localhost:8551"
ee-jwt-secret-file: "/var/lib/ethereum/jwttoken"
Create the Teku service definition:
sudo nano /etc/systemd/system/teku.service
Add the following to teku.service
:
[Unit]
Description=Teku Client
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=teku
Group=teku
Restart=always
RestartSec=5
Environment="JAVA_OPTS=-Xmx5g"
ExecStart=/usr/local/bin/teku/bin/teku --config-file=/etc/teku/teku.yaml
[Install]
WantedBy=multi-user.target
Re/Start Teku:
sudo systemctl daemon-reload
sudo systemctl start teku
Check the status. There should be a green active
in the output:
sudo systemctl status teku
Enable the service:
sudo systemctl enable teku
Monitor Beacon Chain syncing progress, peers, and other information:
sudo journalctl -fu teku -o cat | ccze -A
Teku needs to sync to the Beacon Chain before proceeding with the funding of validators.
If an initial-state
is set in the teku.yaml
configuration file, syncing should happen very rapidly.
This is an external process describe in various referenced guides. Please follow directions at https://www.coincashew.com/coins/overview-eth/guide-or-how-to-setup-a-validator-on-eth2-testnet-prater#2.-signup-to-be-a-validator-at-the-launchpad, steps 3-6.
Watch prater.beachoncha.in and wait for deposits to clear.
The staking machine requires regular manual maintanence.
https://gist.github.com/yorickdowne/3323759b4cbf2022e191ab058a4276b2
https://github.com/ethereum/go-ethereum/releases
Just in case, update the installed geth package to make sure it sees the latest stable version:
sudo apt update
Now, update and restart geth!
sudo apt upgrade -y && sudo apt autoremove && sudo apt autoclean && sudo systemctl restart geth
Make sure geth is ok (should see a green "active" message):
sudo systemctl status geth
https://github.com/ConsenSys/teku/releases
Pull the latest source and build it.
cd ~/teku
git pull
./gradlew distTar installDist
Verify the build completed by checking the new version number.
cd ~/teku/build/install/teku/bin
./teku --version
Restart beacon chain and validator as per normal operating procedures.
Make sure the validators are in an acceptable state to be stopped before proceeding2
cd ~
sudo systemctl stop teku && sudo cp -a teku/build/install/teku/. /usr/local/bin/teku && sudo systemctl start teku
Download the latest release from https://github.com/hyperledger/besu/releases
Change any URL or filename below with the appropriate release number/file
cd ~
wget https://hyperledger.jfrog.io/artifactory/besu-binaries/besu/22.7.1/besu-22.7.1.tar.gz
Unzip:
tar xvf besu-22.7.1.tar.gz
Stop the existing client, copy the new release to the appropriate location, start the client:
sudo systemctl stop besu && sudo cp -a besu-22.7.1/. /usr/local/bin/besu && sudo systemctl start besu
Clean up:
rm besu-22.7.1.tar.gz
rm -rf ./besu-22.7.1
Download the latest release from https://github.com/NethermindEth/nethermind/releases
Change any URL or filename below with the appropriate release number/file
sudo su -l nethermind
wget https://github.com/NethermindEth/nethermind/releases/download/1.25.0/nethermind-1.25.0-db6ecc76-linux-x64.zip
unzip nethermind-1.25.0-db6ecc76-linux-x64.zip -d ./build/
rm nethermind-1.25.0-db6ecc76-linux-x64.zip
exit
sudo systemctl restart nethermind
Make sure the validators are in an acceptable state to be stopped before proceeding2
sudo apt update -y && sudo apt upgrade -y
sudo apt autoremove && sudo apt autoclean
A reboot may be necessary: sudo reboot
CGO_CFLAGS="-O -D__BLST_PORTABLE__" go install github.com/flashbots/mev-boost@latest
sudo systemctl stop mevboost && sudo cp ~/go/bin/mev-boost /usr/local/bin && sudo chown mevboost:mevboost /usr/local/bin/mev-boost && sudo systemctl start mevboost
Footnotes
-
TurboBoost seems unnecessary and will make your NUC run hot and loud. ↩
-
Install ethdo and then use the status script to make sure timing is ok for a restart or update. ↩ ↩2