
Setup

Setup Beacon Node and Execution Node

In order to run a validator, you will need to run an Execution Layer client, a Consensus Layer client, and the validator software.

note

Puffer is live on Mainnet! If you wish to set up a testnet validator, we're using the 🦁 Holesky testnet, so make sure to set the network to holesky; otherwise, use mainnet.

Easy Mode

There are some great open-source projects that make it easy to run an Ethereum full node and a validator. Here are some of the popular ones:

Manual Installation

You may want to run the clients separately, in which case you can follow the installation instructions for each client below.

Execution Clients

Consensus Clients

Setup Coral-CLI

The Coral-CLI is used to generate validator keys, prepare registration payloads, and sign voluntary exit messages.

Pre-built binary

Download the Coral-CLI binary

Docker

Run using Docker

Build from source

  • Dependencies: Rust
git clone https://github.com/PufferFinance/coral
cd coral
cargo build --release

Setup Validator Enclave (optional)

Follow along to set up your enclave to run a validator with a 1 ETH bond.

TEE Registrations are not yet supported on mainnet 🚧

As part of our ongoing commitment to security and operational excellence, we are taking a phased approach to implementing enclave-based registrations. Due to recent changes in Intel’s support for certain enclave hardware, access to the necessary hardware has become more challenging. To ensure the highest standards of security, enclave-registrations will not be available during the initial phase of our mainnet launch.

caution

Secure-Signer requires Ubuntu 20.04!

Prepare a Docker Volume

By default, any data created within a Docker container is lost if the container is removed. Secure-Signer maintains our keys and slashing protection databases, so we want this data to persist should anything happen to the container. To do so, we will create a Docker volume called Puffer-Validator-Backup.

docker volume create Puffer-Validator-Backup

We can verify the volume exists and inspect it with the following:

docker volume inspect Puffer-Validator-Backup

Output:

$ docker volume inspect Puffer-Validator-Backup
[
    {
        "CreatedAt": "2023-11-30T20:31:46Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/Puffer-Validator-Backup/_data",
        "Name": "Puffer-Validator-Backup",
        "Options": {},
        "Scope": "local"
    }
]

Install SGX Drivers

Via Scripts

note

The following commands should be run from the coral directory, unless otherwise stated.

Run commands:

git clone https://github.com/PufferFinance/coral
cd scripts
./install_enclave_dependencies.sh

Output:

puffer@Puffer-Dev:~/coral/scripts$ ./install_enclave_dependencies.sh
[SUCCESS] CPU supports SGX1/SGX2.
[SUCCESS] CPU supports Flexible Launch Control (FLC).
[SUCCESS] Kernel version (5.15.0) is up-to-date.
[NOTICE] Docker already installed!
[NOTICE] Docker is already running!
[NOTICE] ben-secure-signer is already in the docker group.
[NOTICE] SGX packages are already installed.
[SUCCESS] SGX service is running!

Run commands:

./install_secure_signer_docker.sh

Example output (assumes Docker image tag 1.1.0; check for the latest Docker image release here):

puffer@Puffer-Dev:~/coral/scripts$ ./install_secure_signer_docker.sh
[WARNING] Docker volume Puffer-Validator-Backup already exists.
Do you want to create another volume? (yes/no) no
[INFO] User chose not to create another volume.
[INFO] Verifying the existence of Puffer-Validator-Backup volume...
[SUCCESS] Puffer-Validator-Backup volume exists!
[INFO] Inspecting Puffer-Validator-Backup volume...
[INFO] Volume details:
[
{
"CreatedAt": "2024-03-26T02:58:40Z",
"Driver": "local",
"Labels": {},
"Mountpoint": "/var/lib/docker/volumes/Puffer-Validator-Backup/_data",
"Name": "Puffer-Validator-Backup",
"Options": {},
"Scope": "local"
}
]
Enter the version of the Puffer validator image you want to use (default 1.0.0): 1.0.0
1.0.0: Pulling from pufferfi/validator
Digest: sha256:47af33f8634799734b3818a992adaad146b53245dba22ebef2542d36f61e05fd
Status: Image is up to date for pufferfi/validator:1.1.0
docker.io/pufferfi/validator:1.1.0
[SUCCESS] Docker image validator:1.0.0 pulled successfully!
f3b600f2d50b4c1cc42495f6c4f20bdb0c9a1dd17d5923de83d2723c2d1cab04
[SUCCESS] Container deployed successfully!
[SUCCESS] Container puffer_secure_signer_container is running successfully!
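
An image tag can be re-pointed to different content, while the digest Docker prints at pull time identifies the exact image. The following is an added example, not part of the Puffer docs or scripts: it checks the digest Docker recorded for a pulled image against one you expect. The function names and the source of the expected digest are assumptions.

```shell
#!/bin/sh
# Added example: confirm a pulled image matches a pinned digest before running it.
# IMAGE_REPO is the repository used on this page; function names are illustrative.
IMAGE_REPO="pufferfi/validator"

# valid_digest DIGEST: succeed only for "sha256:" followed by 64 lowercase hex chars.
valid_digest() {
  vd_hex="${1#sha256:}"
  [ "$vd_hex" != "$1" ] || return 1      # "sha256:" prefix was missing
  [ "${#vd_hex}" -eq 64 ] || return 1
  case "$vd_hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# digest_matches REPO EXPECTED: read RepoDigests entries ("repo@sha256:...")
# from stdin, one per line; succeed only on an exact match with REPO@EXPECTED.
# Returns 2 when EXPECTED is malformed, so a bad pin fails closed.
digest_matches() {
  valid_digest "$2" || return 2
  while IFS= read -r dm_line; do
    if [ "$dm_line" = "$1@$2" ]; then
      return 0
    fi
  done
  return 1
}

# verify_pulled_image TAG EXPECTED: ask Docker which digests it recorded for
# the local image and compare them with the pin. A missing image yields no
# input lines, so the check fails.
verify_pulled_image() {
  docker image inspect \
    --format '{{range .RepoDigests}}{{println .}}{{end}}' \
    "${IMAGE_REPO}:$1" | digest_matches "$IMAGE_REPO" "$2"
}

# Usage (the expected digest must come from a source you trust):
#   verify_pulled_image 1.0.0 "sha256:<expected digest>" || exit 1
# Running by digest afterwards takes the tag out of the decision:
#   docker run ... "${IMAGE_REPO}@sha256:<expected digest>"
```
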

Start the Container

The following command runs a container named puffer_secure_signer_container, built from the pulled puffer_validator image. Notice that we mount our volume Puffer-Validator-Backup to the /Validator enclave directory, so any changes to the /Validator enclave directory persist if the container is removed:

caution

Ensure the image tag matches the latest version described here before running the next command! (Here the image tag is 1.1.0.)

docker run -itd --network host --mount type=volume,source=Puffer-Validator-Backup,destination=/Validator -v /var/run/aesmd:/var/run/aesmd --device /dev/sgx/enclave --device /dev/sgx/provision --name puffer_secure_signer_container pufferfi/validator:1.0.0

Output:

puffer@Puffer-Dev:~/coral/scripts$ docker run -itd --network host --mount type=volume,source=Puffer-Validator-Backup,destination=/Validator -v /var/run/aesmd:/var/run/aesmd --device /dev/sgx/enclave --device /dev/sgx/provision --name puffer_secure_signer_container pufferfi/validator:1.0.0
d72c2f398f9823b91073b92d608e02bfe3fbebb113fbb3e46b2ebfaa74712d9e

Verify that the container is running:

docker container ls

Output:

puffer@Puffer-Dev:~/coral/scripts$ docker container ls
CONTAINER ID   IMAGE                      COMMAND       CREATED         STATUS         PORTS     NAMES
d72c2f398f98   pufferfi/validator:1.0.0   "/bin/bash"   2 minutes ago   Up 2 minutes             puffer_secure_signer_container

Run Secure-Signer

The Puffer Secure-Signer enclave is built using the Occlum LibOS. To start Puffer Secure-Signer, we will use the occlum run command, point it to the validator binary stored within the Occlum enclave image, and specify port 9001.

You can run the Puffer Secure-Signer enclave without attaching to the container by running the following. This method is more robust than the subsequent method because, even if your terminal crashes or exits, the command will still proceed:

docker exec puffer_secure_signer_container /bin/bash -c "cd /Validator && occlum run /bin/validator 9001"

Output:

puffer@Puffer-Dev:~/coral/scripts$ docker exec puffer_secure_signer_container /bin/bash -c "cd /Validator && occlum run /bin/validator 9001"

2024-03-26T03:12:54.806960Z INFO validator: Starting SGX Validator: localhost:9001, using genesis_fork_version: [0, 0, 0, 0]

Alternative: Run Secure-Signer via Attaching to the Container

Attach to the container using its name, puffer_secure_signer_container. Notice the username is now root, indicating we are now inside the container.

docker exec -it puffer_secure_signer_container bash

Output:

puffer@Puffer-Dev:~/coral/scripts$ docker exec -it puffer_secure_signer_container bash
root@Puffer-Dev:/# cd /Validator/

Change into the /Validator directory

cd /Validator

Run Secure-Signer

occlum run /bin/validator 9001

Output:

root@Puffer-Dev:/Validator# occlum run /bin/validator 9001
2024-03-26T03:18:01.292913Z INFO validator: Starting SGX Validator: localhost:9001, using genesis_fork_version: [0, 0, 0, 0]
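
The startup line reports the genesis_fork_version the signer was started with, which should agree with the network chosen at the top of this page. The following is an added example, not part of the Puffer tooling: it parses that log line and compares it with the expected network. The function names are illustrative, the fork versions (mainnet 0x00000000, Holesky 0x01017000) come from the public Ethereum network configurations rather than from this page, and the Holesky log line in the comment is constructed.

```shell
#!/bin/sh
# Added example: check which network a Secure-Signer startup line corresponds to.

# fork_version_hex LOGLINE: print the 4-byte fork version as 8 hex characters.
# Fails if the line has no "genesis_fork_version: [a, b, c, d]" field.
fork_version_hex() {
  fv_list=$(printf '%s\n' "$1" |
    sed -n 's/.*genesis_fork_version: \[\([0-9, ]*\)\].*/\1/p')
  [ -n "$fv_list" ] || return 1
  fv_hex=""
  fv_count=0
  for fv_byte in $(printf '%s' "$fv_list" | tr -d ' ' | tr ',' ' '); do
    [ "$fv_byte" -le 255 ] || return 1
    fv_hex="${fv_hex}$(printf '%02x' "$fv_byte")"
    fv_count=$((fv_count + 1))
  done
  [ "$fv_count" -eq 4 ] || return 1
  printf '%s\n' "$fv_hex"
}

# network_for_fork_version HEX: map a genesis fork version to a network name.
network_for_fork_version() {
  case "$1" in
    00000000) echo mainnet ;;
    01017000) echo holesky ;;
    *) echo unknown; return 1 ;;
  esac
}

# check_signer_network LOGLINE EXPECTED: succeed only if the logged fork
# version belongs to EXPECTED. Returns 2 for an unparseable line and 3 for
# an unrecognised fork version.
check_signer_network() {
  csn_hex=$(fork_version_hex "$1") || return 2
  csn_net=$(network_for_fork_version "$csn_hex") || return 3
  [ "$csn_net" = "$2" ]
}

# Usage with the line shown on this page:
#   check_signer_network "$line" mainnet || echo "fork version is not mainnet"
# Constructed Holesky equivalent of the same field:
#   genesis_fork_version: [1, 1, 112, 0]
```
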