Setup
Setup Beacon Node and Execution Node
Puffer is using the 🦁 Holesky testnet, so make sure to set the network to holesky.
Execution Clients
- Nethermind installation documentation
- Geth installation documentation
- Besu installation documentation
- Erigon installation documentation
Consensus Clients
- Nimbus installation documentation
- Teku installation documentation
- Lodestar installation documentation
- Lighthouse installation documentation
- Prysm installation documentation
Setup Coral-CLI
The Coral-CLI is used to generate validator keys, prepare registration payloads, and sign voluntary exit messages.
Pre-built binary
Docker
Build from source
- Dependencies: Rust
git clone https://github.com/PufferFinance/coral
cd coral
cargo build --release
Setup Validator Enclave (optional)
Follow along to set up your enclave to run a validator with a 1 ETH bond.
Secure-Signer requires Ubuntu 20.04!
Prepare a Docker Volume
By default, any data created within a Docker container is lost if the container is removed. Secure-Signer maintains our keys and slashing protection databases, so we want this data to persist should anything happen to the container. To do so, we will create a Docker volume called Puffer-Validator-Backup.
docker volume create Puffer-Validator-Backup
We can verify the volume exists and inspect it with the following:
docker volume inspect Puffer-Validator-Backup
Output:
$ docker volume inspect Puffer-Validator-Backup
[
    {
        "CreatedAt": "2023-11-30T20:31:46Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/Puffer-Validator-Backup/_data",
        "Name": "Puffer-Validator-Backup",
        "Options": {},
        "Scope": "local"
    }
]
Install SGX Drivers
Via Scripts
The following commands should be run from the coral directory, unless otherwise stated.
Run commands:
git clone https://github.com/PufferFinance/coral
cd coral/scripts
./install_enclave_dependencies.sh
Output:
puffer@Puffer-Dev:~/coral/scripts$ ./install_enclave_dependencies.sh
[SUCCESS] CPU supports SGX1/SGX2.
[SUCCESS] CPU supports Flexible Launch Control (FLC).
[SUCCESS] Kernel version (5.15.0) is up-to-date.
[NOTICE] Docker already installed!
[NOTICE] Docker is already running!
[NOTICE] ben-secure-signer is already in the docker group.
[NOTICE] SGX packages are already installed.
[SUCCESS] SGX service is running!
Run commands:
./install_secure_signer_docker.sh
Example Output (assumes Docker image tag 1.1.3; check for the latest Docker image release here):
puffer@Puffer-Dev:~/coral/scripts$ ./install_secure_signer_docker.sh
[WARNING] Docker volume Puffer-Validator-Backup already exists.
Do you want to create another volume? (yes/no) no
[INFO] User chose not to create another volume.
[INFO] Verifying the existence of Puffer-Validator-Backup volume...
[SUCCESS] Puffer-Validator-Backup volume exists!
[INFO] Inspecting Puffer-Validator-Backup volume...
[INFO] Volume details:
[
    {
        "CreatedAt": "2024-03-26T02:58:40Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/Puffer-Validator-Backup/_data",
        "Name": "Puffer-Validator-Backup",
        "Options": {},
        "Scope": "local"
    }
]
Enter the version of the Puffer validator image you want to use (default 1.1.3): 1.1.3
1.1.3: Pulling from pufferfinance/puffer_validator
Digest: sha256:47af33f8634799734b3818a992adaad146b53245dba22ebef2542d36f61e05fd
Status: Image is up to date for pufferfinance/puffer_validator:1.1.3
docker.io/pufferfinance/puffer_validator:1.1.3
[SUCCESS] Docker image puffer_validator:1.1.3 pulled successfully!
f3b600f2d50b4c1cc42495f6c4f20bdb0c9a1dd17d5923de83d2723c2d1cab04
[SUCCESS] Container deployed successfully!
[SUCCESS] Container puffer_secure_signer_container is running successfully!
Start the Container
The following command runs a container named puffer_secure_signer_container, built from the pulled puffer_validator image. Notice that we mount our volume Puffer-Validator-Backup to the /Validator enclave directory, so any changes to the /Validator enclave directory persist if the container is removed:
Ensure the image tag matches the latest version described on the testnet repository before running the next command! (Here the image tag is 1.1.3.)
docker run -itd --network host --mount type=volume,source=Puffer-Validator-Backup,destination=/Validator -v /var/run/aesmd:/var/run/aesmd --device /dev/sgx/enclave --device /dev/sgx/provision --name puffer_secure_signer_container pufferfinance/puffer_validator:1.1.3
Output:
puffer@Puffer-Dev:~/coral/scripts$ docker run -itd --network host --mount type=volume,source=Puffer-Validator-Backup,destination=/Validator -v /var/run/aesmd:/var/run/aesmd --device /dev/sgx/enclave --device /dev/sgx/provision --name puffer_secure_signer_container pufferfinance/puffer_validator:1.1.3
d72c2f398f9823b91073b92d608e02bfe3fbebb113fbb3e46b2ebfaa74712d9e
Verify that the container is running:
docker container ls
Output:
puffer@Puffer-Dev:~/coral/scripts$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d72c2f398f98 pufferfinance/puffer_validator:1.1.3 "/bin/bash" 2 minutes ago Up 2 minutes puffer_secure_signer_container
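Image tags are mutable, so matching the tag alone does not guarantee which image runs next to your validator keys. The script below is an added example, not part of the Puffer documentation or scripts: it checks that the tag resolves to a pinned digest and then starts the container by digest with the same flags as the command above. The digest is the one shown in the example pull output on this page; the function names are hypothetical, and you should substitute the digest you have verified for your release.

```shell
#!/bin/sh
# Added example: start Secure-Signer only from an image whose digest is pinned.
IMAGE="pufferfinance/puffer_validator"
TAG="1.1.3"
# Digest from the example pull output on this page for tag 1.1.3.
# Replace it with the digest you have verified for the release you run.
EXPECTED="sha256:47af33f8634799734b3818a992adaad146b53245dba22ebef2542d36f61e05fd"

# valid_digest DIGEST: succeed only for "sha256:" plus 64 lowercase hex chars.
valid_digest() {
    case "$1" in sha256:*) ;; *) return 1 ;; esac
    hex=${1#sha256:}
    [ "${#hex}" -eq 64 ] || return 1
    case "$hex" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# digest_matches REPO_DIGESTS EXPECTED
# REPO_DIGESTS is the space-separated "repo@sha256:..." list printed by
#   docker image inspect --format '{{join .RepoDigests " "}}' IMAGE:TAG
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is malformed.
digest_matches() {
    valid_digest "$2" || return 2
    for entry in $1; do
        if [ "$entry" = "$IMAGE@$2" ]; then return 0; fi
    done
    return 1
}

# start_pinned: pull the tag, compare its digest, then run by digest, not by tag.
start_pinned() {
    docker pull "$IMAGE:$TAG" >/dev/null || return 1
    digests=$(docker image inspect --format '{{join .RepoDigests " "}}' "$IMAGE:$TAG") || return 1
    if ! digest_matches "$digests" "$EXPECTED"; then
        echo "[ERROR] $IMAGE:$TAG does not resolve to $EXPECTED; not starting" >&2
        return 1
    fi
    docker run -itd --network host \
        --mount type=volume,source=Puffer-Validator-Backup,destination=/Validator \
        -v /var/run/aesmd:/var/run/aesmd \
        --device /dev/sgx/enclave --device /dev/sgx/provision \
        --name puffer_secure_signer_container "$IMAGE@$EXPECTED"
}

# Docker is only touched when explicitly requested: sh pin_and_start.sh start
if [ "${1:-}" = "start" ]; then start_pinned; fi
```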
Run Secure-Signer
The Puffer Secure-Signer enclave is built using the Occlum LibOS. To start Puffer Secure-Signer, we use the occlum run command, point it to the validator binary stored within the Occlum enclave image, and specify port 9001.
You can simply run the Puffer Secure-Signer enclave without attaching to the container by running the following. This method is more robust than the subsequent method because even if your terminal crashes or exits the command will still proceed:
docker exec puffer_secure_signer_container /bin/bash -c "cd /Validator && occlum run /bin/validator 9001"
Output:
puffer@Puffer-Dev:~/coral/scripts$ docker exec puffer_secure_signer_container /bin/bash -c "cd /Validator && occlum run /bin/validator 9001"
2024-03-26T03:12:54.806960Z INFO validator: Starting SGX Validator: localhost:9001, using genesis_fork_version: [0, 0, 0, 0]
Alternative: Run Secure-Signer via Attaching to the Container
Attach to the container using its name, puffer_secure_signer_container. Notice the username is now root, indicating we are now inside the container.
docker exec -it puffer_secure_signer_container bash
Output:
puffer@Puffer-Dev:~/coral/scripts$ docker exec -it puffer_secure_signer_container bash
root@Puffer-Dev:/# cd /Validator/
Change into the /Validator directory:
cd /Validator
Run Secure-Signer
occlum run /bin/validator 9001
Output:
root@Puffer-Dev:/Validator# occlum run /bin/validator 9001
2024-03-26T03:18:01.292913Z INFO validator: Starting SGX Validator: localhost:9001, using genesis_fork_version: [0, 0, 0, 0]
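The startup log reports localhost:9001, and because the container was started with --network host, that port lives in the host's network namespace. The following check is an added example, not part of the Puffer documentation: it reads `ss` output on the host and reports any listener on port 9001 that is not bound to a loopback address. It assumes `ss` from iproute2 is installed; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: confirm the Secure-Signer port is bound to loopback only.
SIGNER_PORT=9001   # port passed to "occlum run /bin/validator 9001" on this page

# check_signer_bind PORT
# Reads `ss -H -ltn` output on stdin and prints every local address that
# listens on PORT without being a loopback address.
# Returns 0: listener(s) found, all on loopback
#         1: at least one non-loopback listener (printed on stdout)
#         2: nothing is listening on PORT (signer not running?)
check_signer_bind() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                                # Local Address:Port column
            if (!match(addr, /:[0-9]+$/)) next       # split at the last colon
            if (substr(addr, RSTART + 1) != port) next
            seen = 1
            host = substr(addr, 1, RSTART - 1)
            gsub(/^\[|\]$/, "", host)                # strip IPv6 brackets
            sub(/%.*$/, "", host)                    # strip scope, e.g. %lo
            if (host ~ /^127\./ || host == "::1") next
            print addr
            exposed = 1
        }
        END { exit exposed ? 1 : (seen ? 0 : 2) }'
}

# Only query the live system when explicitly asked: sh check_bind.sh check
if [ "${1:-}" = "check" ]; then
    ss -H -ltn | check_signer_bind "$SIGNER_PORT"
fi
```

A return code of 1 means the signing endpoint is reachable on a routable interface and should be restricted with a host firewall rule before the validator client is pointed at it.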