
Setup

Setup Beacon Node and Execution Node

note

Puffer is using the 🦁 Holesky testnet, so make sure to set the network to holesky.

Execution Clients

Consensus Clients

Setup Coral-CLI

The Coral-CLI is used to generate validator keys, prepare registration payloads, and sign voluntary exit messages.

Pre-built binary

Download the Coral-CLI binary

Docker

Run using Docker

Build from source

git clone https://github.com/PufferFinance/coral
cd coral
cargo build --release

Setup Validator Enclave (optional)

Follow along to set up your enclave to run a validator with a 1 ETH bond.

caution

Secure-Signer requires Ubuntu 20.04!

Prepare a Docker Volume

By default, any data created within a Docker container is lost if the container is removed. Secure-Signer maintains our keys and slashing protection databases, so we want this data to persist should anything happen to the container. To do so, we will create a Docker volume called Puffer-Validator-Backup.

docker volume create Puffer-Validator-Backup

We can verify the volume exists and inspect it with the following:

docker volume inspect Puffer-Validator-Backup

Output:

$ docker volume inspect Puffer-Validator-Backup
[
    {
        "CreatedAt": "2023-11-30T20:31:46Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/Puffer-Validator-Backup/_data",
        "Name": "Puffer-Validator-Backup",
        "Options": {},
        "Scope": "local"
    }
]

Install SGX Drivers

Via Scripts

note

The following commands should be run from the coral directory, unless otherwise stated.

Run commands:

git clone https://github.com/PufferFinance/coral
cd coral/scripts
./install_enclave_dependencies.sh

Output:

puffer@Puffer-Dev:~/coral/scripts$ ./install_enclave_dependencies.sh
[SUCCESS] CPU supports SGX1/SGX2.
[SUCCESS] CPU supports Flexible Launch Control (FLC).
[SUCCESS] Kernel version (5.15.0) is up-to-date.
[NOTICE] Docker already installed!
[NOTICE] Docker is already running!
[NOTICE] ben-secure-signer is already in the docker group.
[NOTICE] SGX packages are already installed.
[SUCCESS] SGX service is running!

Run commands:

./install_secure_signer_docker.sh

Example output (assumes Docker image tag 1.1.3; check for the latest Docker image release before running):

puffer@Puffer-Dev:~/coral/scripts$ ./install_secure_signer_docker.sh
[WARNING] Docker volume Puffer-Validator-Backup already exists.
Do you want to create another volume? (yes/no) no
[INFO] User chose not to create another volume.
[INFO] Verifying the existence of Puffer-Validator-Backup volume...
[SUCCESS] Puffer-Validator-Backup volume exists!
[INFO] Inspecting Puffer-Validator-Backup volume...
[INFO] Volume details:
[
    {
        "CreatedAt": "2024-03-26T02:58:40Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/Puffer-Validator-Backup/_data",
        "Name": "Puffer-Validator-Backup",
        "Options": {},
        "Scope": "local"
    }
]
Enter the version of the Puffer validator image you want to use (default 1.1.3): 1.1.3
1.1.3: Pulling from pufferfinance/puffer_validator
Digest: sha256:47af33f8634799734b3818a992adaad146b53245dba22ebef2542d36f61e05fd
Status: Image is up to date for pufferfinance/puffer_validator:1.1.3
docker.io/pufferfinance/puffer_validator:1.1.3
[SUCCESS] Docker image puffer_validator:1.1.3 pulled successfully!
f3b600f2d50b4c1cc42495f6c4f20bdb0c9a1dd17d5923de83d2723c2d1cab04
[SUCCESS] Container deployed successfully!
[SUCCESS] Container puffer_secure_signer_container is running successfully!

Start the Container

The following command runs a container named puffer_secure_signer_container, built from the pulled puffer_validator image. Notice we are mounting our volume Puffer-Validator-Backup to the /Validator enclave directory, so any changes to the /Validator enclave directory persist if the container is removed:

caution

Ensure the image tag matches the latest version described on the testnet repository before running the next command! (Here the image tag is 1.1.3.)

docker run -itd --network host --mount type=volume,source=Puffer-Validator-Backup,destination=/Validator -v /var/run/aesmd:/var/run/aesmd --device /dev/sgx/enclave --device /dev/sgx/provision --name puffer_secure_signer_container pufferfinance/puffer_validator:1.1.3

Output:

puffer@Puffer-Dev:~/coral/scripts$ docker run -itd --network host --mount type=volume,source=Puffer-Validator-Backup,destination=/Validator -v /var/run/aesmd:/var/run/aesmd --device /dev/sgx/enclave --device /dev/sgx/provision --name puffer_secure_signer_container pufferfinance/puffer_validator:1.1.3
d72c2f398f9823b91073b92d608e02bfe3fbebb113fbb3e46b2ebfaa74712d9e
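The caution above is about running the right image version. A tag can be re-pointed at different content, whereas the digest printed by the install script identifies the exact image bytes. The following is an added example (not part of Puffer's scripts) that compares the digest Docker recorded for the local image with the one shown on this page for tag 1.1.3; the function names are hypothetical, and the sample input is constructed so the check runs without Docker.

```shell
#!/bin/sh
# Added example: check which digest the local puffer_validator image resolves to.
IMAGE_REPO="pufferfinance/puffer_validator"
# Digest shown for tag 1.1.3 in the install output on this page; update on upgrade.
EXPECTED_DIGEST="sha256:47af33f8634799734b3818a992adaad146b53245dba22ebef2542d36f61e05fd"

# digest_for_repo REPO: read RepoDigests lines ("repo@sha256:<hex>") on stdin and
# print the first well-formed digest recorded for REPO; fail if there is none.
digest_for_repo() {
  while IFS= read -r line; do
    case "$line" in
      "$1"@sha256:*) ;;
      *) continue ;;
    esac
    hex="${line#*@sha256:}"
    case "$hex" in *[!0-9a-f]*) continue ;; esac   # lowercase hex only
    [ "${#hex}" -eq 64 ] || continue                # SHA-256 is 64 hex chars
    printf 'sha256:%s\n' "$hex"
    return 0
  done
  return 1
}

# verify_image_digest REPO EXPECTED: 0 = match, 1 = mismatch, 2 = no digest found.
verify_image_digest() {
  actual="$(digest_for_repo "$1")" || { echo "no digest recorded for $1" >&2; return 2; }
  if [ "$actual" != "$2" ]; then
    echo "digest mismatch: got $actual, expected $2" >&2
    return 1
  fi
  echo "digest OK: $1@$actual"
}

# Live use (needs Docker): check_local_image pufferfinance/puffer_validator:1.1.3
check_local_image() {
  docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$1" |
    verify_image_digest "$IMAGE_REPO" "$EXPECTED_DIGEST"
}

# Constructed sample of the RepoDigests line for the image pulled above.
SAMPLE_REPO_DIGESTS="$IMAGE_REPO@$EXPECTED_DIGEST"
printf '%s\n' "$SAMPLE_REPO_DIGESTS" | verify_image_digest "$IMAGE_REPO" "$EXPECTED_DIGEST"
```

To pin the run itself, reference the image as pufferfinance/puffer_validator@sha256:<digest> in docker run instead of using the tag.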

Verify that the container is running:

docker container ls

Output:

puffer@Puffer-Dev:~/coral/scripts$ docker container ls
CONTAINER ID   IMAGE                                  COMMAND       CREATED         STATUS         PORTS     NAMES
d72c2f398f98   pufferfinance/puffer_validator:1.1.3   "/bin/bash"   2 minutes ago   Up 2 minutes             puffer_secure_signer_container

Run Secure-Signer

The Puffer Secure-Signer enclave is built using the Occlum LibOS. To start Puffer Secure-Signer we will use the occlum run command and point to the validator binary stored within the Occlum enclave image and specify port 9001.

You can simply run the Puffer Secure-Signer enclave without attaching to the container by running the following. This method is more robust than the subsequent method because, even if your terminal crashes or exits, the command will still proceed:

docker exec puffer_secure_signer_container /bin/bash -c "cd /Validator && occlum run /bin/validator 9001"

Output:

puffer@Puffer-Dev:~/coral/scripts$ docker exec puffer_secure_signer_container /bin/bash -c "cd /Validator && occlum run /bin/validator 9001"

2024-03-26T03:12:54.806960Z INFO validator: Starting SGX Validator: localhost:9001, using genesis_fork_version: [0, 0, 0, 0]
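Because the container was started with --network host, port 9001 is opened directly in the host's network namespace rather than behind a Docker port mapping. The following is an added example (not from Puffer's documentation) that reads `ss -ltn` output and confirms that every listener on the Secure-Signer port is bound to loopback, matching the localhost:9001 address in the log line above. The function name is hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: confirm the Secure-Signer port is reachable from loopback only.
SIGNER_PORT=9001   # port passed to "occlum run /bin/validator" on this page

# check_signer_listener PORT: read "ss -ltn" lines on stdin.
# Exit 0 = listening on loopback only, 1 = bound to a non-loopback address,
# 2 = nothing is listening on PORT.
check_signer_listener() {
  awk -v port="$1" '
    $1 != "LISTEN" { next }                  # skips the header line as well
    {
      n = split($4, part, ":")               # $4 is "Local Address:Port"
      if (part[n] != port) next
      addr = substr($4, 1, length($4) - length(port) - 1)
      seen++
      if (addr ~ /^127\./ || addr == "[::1]") next
      exposed++
      print "exposed listener: " $4
    }
    END {
      if (!seen) { print "nothing listening on port " port; exit 2 }
      exit (exposed ? 1 : 0)
    }'
}

# Live use on the validator host:
#   ss -ltn | check_signer_listener "$SIGNER_PORT"

# Constructed samples: a loopback-only signer, and one bound to all interfaces.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9001     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0      128    0.0.0.0:9001       0.0.0.0:*
LISTEN 0      128    [::1]:9001         [::]:*'

printf '%s\n' "$SAMPLE_OK" | check_signer_listener "$SIGNER_PORT" && echo "loopback only"
printf '%s\n' "$SAMPLE_EXPOSED" | check_signer_listener "$SIGNER_PORT" || echo "check status: $?"
```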

Alternative: Run Secure-Signer via Attaching to the Container

Attach to the container using its name, puffer_secure_signer_container. Notice the username is now root, indicating we are now inside the container.

docker exec -it puffer_secure_signer_container bash

Output:

puffer@Puffer-Dev:~/coral/scripts$ docker exec -it puffer_secure_signer_container bash
root@Puffer-Dev:/# cd /Validator/

Change into the /Validator directory

cd /Validator

Run Secure-Signer

occlum run /bin/validator 9001

Output:

root@Puffer-Dev:/Validator# occlum run /bin/validator 9001
2024-03-26T03:18:01.292913Z INFO validator: Starting SGX Validator: localhost:9001, using genesis_fork_version: [0, 0, 0, 0]