Lisa

mrcisme
Acknowledgements
Thank you Somer Esat for the comprehensive guide. Thanks EthStaker Admins and Educators for being super responsive and helpful in Discord. Thanks Ethereum execution and consensus client teams, core devs, researchers, and staking community for the amazing work.
Overview
Lisa is a *very* minimal ETH2 Validator running Geth (execution client) and Prysm (consensus client) for the Goerli Test Network.
  • This is great practice for running a validator on the Ethereum Mainnet, although for Mainnet you will need a VM or custom build with way stronger specs than a Raspberry Pi 4, such as a Netcup rs8000.
  • The goal of this post is to satisfy requirements for Adv Blockchain 565 midterm and help out teammates/anyone interested in learning.
  • Eth Docker is a great automation option for running a validator and is effectively a wrapper around the client teams' code. You can get everything up and running way faster than this blog post - I was constrained by the rpi specs.
    Specs
    I have a Raspberry Pi 4 Model B version. I found this out because the RAM Chip reads 'D9ZCL'. If you don't know what model you have, no worries, there are various ways to find out here!
    • 8GB of RAM
    • 1 TB SSD (Samsung Portable SSD T5)
    • Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
    Environment Setup
    We need to boot from the SSD, not the microSD card. Open the Raspberry Pi Imager:
    • Choose OS > Misc utility images > Bootloader > USB Boot, then Choose Storage > select your microSD card and click 'Write'
    Remove the microSD card, insert it into the Rpi and turn the power on. The USB bootloader will flash automatically, and the green light should blink steadily once it has flashed successfully. If you have a monitor, you should see a green screen once the firmware is flashed.
    • Launch the Pi Imager and click Choose OS > Other General Purpose OS > Ubuntu > Ubuntu 22.04.1 LTS 64-bit server OS for arm64 architectures. Choose the SSD for storage and click 'Write'
    • Launch the Pi Imager and click Choose OS > Raspberry Pi OS (32-bit), then Choose Storage > select the microSD card > Write
    Your Raspberry Pi should now boot from the SSD, which is running Ubuntu. Connect your Rpi to a monitor and enable SSH (OpenSSH is usually pre-installed):
    • sudo apt update
    • sudo apt install openssh-server
    Verify it is enabled with:
    • sudo systemctl status ssh
    • Connect your Rpi to internet router and find the IP address with fing, angry ip scanner, or Spectrum/Comcast app
    • Open terminal on your computer
    • ssh ubuntu@IPADDRESS
  • Enter password 'ubuntu'
  • Logging in as the root user is risky, so we need to create a user-level account
    • sudo adduser USERNAME
    • sudo usermod -aG sudo USERNAME
    • id USERNAME (check if USERNAME is in the sudo group)
    • sudo rsync --archive --chown=USERNAME:USERNAME ~/.ssh /home/USERNAME
    • su - USERNAME
    Cool we're now logged into the new user!
    Updates and Security
    • sudo apt -y update && sudo apt -y upgrade
    • sudo apt dist-upgrade && sudo apt autoremove
    • sudo reboot
    Now we need to secure the server
    • ssh USERNAME@IPADDRESS
    Port 22 is a common attack vector, so choose a port between 1024 and 65535. Check whether the port you picked (6673 here) is in use with:
    • sudo ss -tulpn | grep ':6673'
    A blank response means the port is not in use; otherwise, red text indicates it is in use.
    • sudo nano /etc/ssh/sshd_config
    Change 'Port 22' to 'Port 6673' and remove the '#' in front of the line. Press ctrl + x, then Y, then enter to save.
    • sudo systemctl restart sshd
    • logout
    • ssh USERNAME@IPADDRESS -p 6673
    Now, we need to configure the firewall:
    • sudo apt install ufw (should already be installed)
    • sudo ufw default deny incoming
    • sudo ufw default allow outgoing
    Then allow inbound traffic on whatever port you chose for ssh:
    • sudo ufw allow 6673/tcp
    Deny port 22:
    • sudo ufw deny 22/tcp
    We need to allow Port 30303 for P2P connections with execution client peers
    • sudo ufw allow 30303
    Allow Prysm
    • sudo ufw allow 13000/tcp
    • sudo ufw allow 12000/udp
    *Optional* Allow Grafana
    • sudo ufw allow 3000/tcp
    Enable the firewall and check over the rules:
    • sudo ufw enable
    • sudo ufw status numbered
    Logout and log back in
    • logout
    • ssh USERNAME@IPADDRESS -p 6673
    Create Swap Space
    Swap space is used when memory gets low and guards against memory errors.
    • free -h
    You should see the available memory. If you have 8 GB, the recommended swap space is 3 GB.
    • df -h
    Check the 'Mounted on' column and locate "/". The swap file will be created there.
    • sudo fallocate -l 3G /swapfile
    • sudo chmod 600 /swapfile
    • sudo mkswap /swapfile
    • sudo swapon /swapfile
    Verify the changes
    • free -h
    Cool, we have 3 GB of swap space. Enable the swap file on boot:
    • sudo cp /etc/fstab /etc/fstab.bak
    • echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
    Config the Swappiness
    • sudo sysctl vm.swappiness=10
    • sudo sysctl vm.vfs_cache_pressure=50
    Open the sysctl config file to make the changes permanent
    • sudo nano /etc/sysctl.conf
    Add the following lines to the end of the file
    • vm.swappiness=10
    • vm.vfs_cache_pressure = 50
    The swap file is now configured, check the mem usage and you should see the swap file in use
    • htop
    Press F10 to exit. Now we have to configure timekeeping so the validator works properly; this ensures proper synchronization with the blockchain network.
    • timedatectl
    The NTP service should be active - if not run the following command
    • sudo timedatectl set-ntp on
    Generate the client authentication secret
    On our server, communication between the execution and consensus clients is secured using the JSON Web Token (JWT) authentication scheme. The shared secret behind those tokens is a file that contains a randomly generated 32-byte hex string, and it is used for message authentication. Create a directory on the server to store the JWT file:
    • sudo mkdir -p /var/lib/jwtsecret
    Generate the JWT file using the openssl cryptographic software library
    • openssl rand -hex 32 | sudo tee /var/lib/jwtsecret/jwt.hex >/dev/null
    Inspect the file
    • sudo nano /var/lib/jwtsecret/jwt.hex
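    How that secret is used on the Engine API connection, as an added example that is not part of the original guide or of Geth's or Prysm's code: the caller signs a short-lived HS256 token with the 32 bytes from jwt.hex, and the receiver checks the algorithm, the signature and that the iat claim is within 60 seconds of its own clock (the window the Engine API authentication spec recommends). SAMPLE_JWT_HEX and all function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: same shape as the output of `openssl rand -hex 32`.
SAMPLE_JWT_HEX = "a3" * 32 + "\n"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_secret(hex_text: str) -> bytes:
    """Parse jwt.hex contents; reject anything that is not 32 bytes of hex."""
    secret = bytes.fromhex(hex_text.strip())  # ValueError on non-hex input
    if len(secret) != 32:
        raise ValueError("JWT secret must be exactly 32 bytes")
    return secret

def sign_input(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(secret: bytes, now: int) -> str:
    """Caller side (consensus client): HS256 JWT whose only claim is iat."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iat": now}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{b64url(sign_input(secret, signing_input))}"

def verify_token(secret: bytes, token: str, now: int, max_skew: int = 60) -> bool:
    """Server side (execution client): check algorithm, signature, freshness."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # refuses "none" and any other algorithm
    if not hmac.compare_digest(sig, sign_input(secret, f"{header_b64}.{claims_b64}")):
        return False  # signed with a different secret, or tampered with
    iat = claims.get("iat") if isinstance(claims, dict) else None
    return isinstance(iat, int) and abs(now - iat) <= max_skew
```

    Any account that can read jwt.hex can mint tokens the execution client will accept, so check the file's owner and mode after creating it.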
    Generate staking data
    • cd ~
    • curl -LO https://github.com/ethereum/staking-deposit-cli/releases/download/v2.3.0/staking_deposit-cli-76ed782-linux-arm64.tar.gz
    • tar -xvf staking_deposit-cli-76ed782-linux-arm64.tar.gz
    • rm staking_deposit-cli-76ed782-linux-arm64.tar.gz
    • cd staking_deposit-cli-76ed782-linux-arm64
    • ls
    You should see "deposit"
    • sudo ./deposit new-mnemonic --num_validators 1 --chain goerli
    Write down your Mnemonic, enter it, 3 for english, 4 for english, create a password
    Install the Execution Client (Geth)
    You can choose any client you would like, but I am going to use Geth because I am familiar with it
    • cd ~
    • curl -LO https://gethstore.blob.core.windows.net/builds/geth-linux-arm64-1.10.25-69568c55.tar.gz
    Remember, we do not have an AMD processor, so we need to use the arm64 version. Unpack the archive:
    • tar -xvf geth-linux-arm64-1.10.25-69568c55.tar.gz
    • rm geth-linux-arm64-1.10.25-69568c55.tar.gz
    • cd geth-linux-arm64-1.10.25-69568c55/
    Get it on the path:
    • sudo cp geth /usr/local/bin
    Create an account for the service to run under:
    • sudo useradd --no-create-home --shell /bin/false geth
    Create the data dir for the Ethereum blockchain data
    • sudo mkdir -p /var/lib/geth
    Set the permissions
    • sudo chown -R geth:geth /var/lib/geth
    Create a systemd service config file to configure the service
    • sudo nano /etc/systemd/system/geth.service
    Paste this
    [Unit]
    Description=Geth Execution Client (Goerli Test Network)
    After=network.target
    Wants=network.target

    [Service]
    User=geth
    Group=geth
    Type=simple
    Restart=always
    RestartSec=5
    ExecStart=/usr/local/bin/geth \
      --goerli \
      --datadir /var/lib/geth \
      --authrpc.jwtsecret /var/lib/jwtsecret/jwt.hex \
      --metrics \
      --metrics.addr 127.0.0.1

    [Install]
    WantedBy=default.target
    Notes
    • The path to the JWT file ( authrpc.jwtsecret /var/lib/jwtsecret/jwt.hex ) is required for authenticated communication between the Execution and Consensus clients. It enables the Engine API RPC endpoint. Setting this will expose an authenticated HTTP endpoint (http://127.0.0.1:8551). Also "metrics.addr 127.0.0.1" enables the metrics HTTP server.
    Reload Systemd to reflect the changes
    • sudo systemctl daemon-reload
    • sudo systemctl start geth
    • sudo systemctl status geth
    You should see "Active" and "running". Use the journal to check the logs:
    • sudo journalctl -fu geth
    • ^c to exit
    Enable the service to start on boot
    • sudo systemctl enable geth
    Install the Consensus Client (Prysm)
    The Prysm Consensus Client is made up of two binaries that provide the functionality of the beacon node and validator, respectively. This step will download and prepare the Prysm binaries. Make sure to copy the arm64 version, the beacon chain and the validator file like so:
    • curl -LO https://github.com/prysmaticlabs/prysm/releases/download/v3.1.1/beacon-chain-v3.1.1-linux-arm64
    • curl -LO https://github.com/prysmaticlabs/prysm/releases/download/v3.1.1/validator-v3.1.1-linux-arm64
    Rename the files:
    • mv beacon-chain-v3.1.1-linux-arm64 beacon-chain
    • mv validator-v3.1.1-linux-arm64 validator
    Make the files executable:
    • chmod +x beacon-chain
    • chmod +x validator
    Copy the files to the path
    • sudo cp beacon-chain /usr/local/bin
    • sudo cp validator /usr/local/bin
    Import the Validator Keys
    Configure the Prysm validator client to use the validator keys that were generated earlier. We need to import the keys we generated in the "Generate staking data" step into the validator client; the validator will use these keys to sign blocks and attestations on the beacon chain.
    • sudo mkdir -p /var/lib/prysm/validator
    • sudo chown -R yourusername:yourusername /var/lib/prysm/validator
    Run the validator import process
    • /usr/local/bin/validator accounts import --keys-dir=$HOME/staking-deposit-cli/validator_keys --wallet-dir=/var/lib/prysm/validator --goerli
    Type: 'accept'
    • sudo /usr/local/bin/validator accounts import --keys-dir=$HOME/staking-deposit-cli/validator_keys --wallet-dir=/var/lib/prysm/validator --goerli
    Save the password in a file
    • sudo nano /var/lib/prysm/validator/password.txt
    Configure the Beacon node service
    In this step you will configure and run the Prysm beacon node as a service so if the system restarts the process will automatically start back up again.
    • sudo useradd --no-create-home --shell /bin/false prysmbeacon
    • sudo mkdir -p /var/lib/prysm/beacon
    • sudo chown -R prysmbeacon:prysmbeacon /var/lib/prysm/beacon
    Create and configure the service:
    • sudo nano /etc/systemd/system/prysmbeacon.service
    Paste this:
    [Unit]
    Description=Prysm Consensus Client BN (Goerli Test Network)
    Wants=network-online.target
    After=network-online.target

    [Service]
    User=prysmbeacon
    Group=prysmbeacon
    Type=simple
    Restart=always
    RestartSec=5
    ExecStart=/usr/local/bin/beacon-chain \
      --goerli \
      --datadir=/var/lib/prysm/beacon \
      --http-web3provider=http://127.0.0.1:8551 \
      --jwt-secret=/var/lib/jwtsecret/jwt.hex \
      --suggested-fee-recipient=FeeRecipientAddress \
      --enable-debug-rpc-endpoints \
      --grpc-max-msg-size=65568081 \
      --checkpoint-sync-url=https://goerli.checkpoint-sync.ethdevops.io \
      --genesis-beacon-api-url=https://goerli.checkpoint-sync.ethdevops.io \
      --accept-terms-of-use

    [Install]
    WantedBy=multi-user.target
    ⚠️Make sure to replace FeeRecipientAddress ⚠️
  • Notable flags:
  • 'http-web3provider=http://127.0.0.1:8551': The address of the Execution Client. Should be the same for all Execution Clients detailed in this guide.
  • 'jwt-secret=/var/lib/jwtsecret/jwt.hex': The path to the JWT file that is required for authenticated communication between the Execution and Consensus clients.
  • 'suggested-fee-recipient=FeeRecipientAddress': Validators can receive tips from user transactions. Provide an Ethereum address within your control to specify where the tips should go.
  • The following flags enable the Checkpoint Sync feature to greatly speed up the Beacon Chain Node sync:
  • --enable-debug-rpc-endpoints --grpc-max-msg-size=65568081 --checkpoint-sync-url=https://goerli.checkpoint-sync.ethdevops.io --genesis-beacon-api-url=https://goerli.checkpoint-sync.ethdevops.io
  • Reload Systemd to reflect the changes:
    • sudo systemctl daemon-reload
    • sudo systemctl start prysmbeacon
    • sudo systemctl status prysmbeacon
    NOTE: In order to be able to stake both the execution client and the consensus client must be fully synced. Use the journal output to follow the progress or check for errors by running:
    • sudo journalctl -fu prysmbeacon
    Enable the service to start on boot:
    • sudo systemctl enable prysmbeacon
    Check whether Geth (the execution client) and Prysm (the consensus client) are synced by running:
    • sudo geth attach --datadir /var/lib/geth
    • eth.syncing
    If you get "false" then you are synced!
    Configure the Validator Service
    Create an account for the validator node to run under. This type of account can't log into the server.
    • sudo useradd --no-create-home --shell /bin/false prysmvalidator
    • sudo chown -R prysmvalidator:prysmvalidator /var/lib/prysm/validator
    The validator import process created the following directory: /var/lib/prysm/validator. Set directory permissions so the prysmvalidator account can modify that directory.
    • sudo chown -R prysmvalidator:prysmvalidator /var/lib/prysm/validator
    Create a systemd service file to store the service config
    • sudo nano /etc/systemd/system/prysmvalidator.service
    Paste this
    [Unit]
    Description=Prysm Consensus Client VC (Goerli Test Network)
    Wants=network-online.target
    After=network-online.target

    [Service]
    User=prysmvalidator
    Group=prysmvalidator
    Type=simple
    Restart=always
    RestartSec=5
    ExecStart=/usr/local/bin/validator \
      --datadir=/var/lib/prysm/validator \
      --wallet-dir=/var/lib/prysm/validator \
      --wallet-password-file=/var/lib/prysm/validator/password.txt \
      --graffiti="yourgraffiti" \
      --accept-terms-of-use

    [Install]
    WantedBy=multi-user.target
  • Notable Flags:
  • --graffiti "yourgraffiti" Replace with your own graffiti string. For security and privacy reasons avoid information that can uniquely identify you. E.g. --graffiti="Rpi Validatooor".
  • Reload systemd to reflect the changes and start the service. Check the status to make sure it's running correctly
    • sudo systemctl daemon-reload
    • sudo systemctl start prysmvalidator
    • sudo systemctl status prysmvalidator
    Press q to exit and use the journal output to follow progress
    • sudo journalctl -fu prysmvalidator
    Enable the systemd service to start on boot:
    • sudo systemctl enable prysmvalidator
    Fund the Validator Keys
    I decided to run the deposit cli on my ubuntu server and then SFTP using filezilla to transfer the deposit data to my mac. If you have never done this - read this. Also your permissions for /staking-deposit-cli/validator_keys/ may be wrong so:
    • sudo chown USERNAME /path/to/validator_keys
    Now you should be able to SFTP transfer the deposit data to your mac
  • Go here: https://goerli.launchpad.ethereum.org/
  • Click through the steps and upload your deposit data
  • Connect your wallet with 32 Goerli ETH
  • Send the deposit!
  • This will take 15 hours so we'll check tomorrow
  • Congrats 🎉
    Helpful Links
    Guide to Staking on Ethereum (Ubuntu/Goerli/Prysm)
    Spin up your own Eth 2.0 test node on Linux - EthDocker
    EthStaker Discord