Run a Validator Node Using Systemd¶

Introduction¶

One of Tanssi's core propositions for builders is that it provides Ethereum-grade economic security to every Tanssi-powered network, regardless of its TVL, userbase, or the specifics of the use case. Tanssi's design offers developers a shared security model, alleviating them from having to source enough economic security or negotiate with operators to run nodes opting in for their networks.

The Tanssi protocol achieves this by integrating with external security providers, such as Symbiotic. In this model, different vaults associated with Tanssi provide economic security, and reliable operators provide validation services to the Tanssi network.

In every session, the Tanssi protocol determines how many validators are required to support the entire ecosystem. With the number of validators, the protocol picks those with the higher delegated stake from the allow-listed ones.

In this guide, you'll learn how to spin up a Tanssi validator using the latest stable binary file release and manage the service using Systemd on Linux systems.

The article follows the good practice of running the service with its own non-root account and granting that account write access to a specific directory. However, you can adapt this article's steps and instructions to your infrastructure configuration, preferences, and security policies.

Checking Prerequisites¶

To get started, you'll need access to a computer running an Ubuntu Linux OS with Landlock enabled and root privileges. You will also need:

• Node binary files - a validator requires three binary files: tanssi-relay, tanssi-relay-execute-worker, and tanssi-relay-prepare-worker.

The instructions in this guide execute the latest official stable release. However, you can build your own file compiling the source code.

Check Landlock Support¶

Tanssi validators use the Linux kernel's Landlock feature as a security measure to restrict its own access to system resources, limiting the damage if the application is compromised.

Check the Landlock feature support in your system running the following command:

sudo dmesg | grep landlock || journalctl -kg landlock

The output should look like:

If Landlock is disabled in your system, upgrade the kernel to version 5.13 or above.

Download the Latest Release¶

To get started, download the latest binary release and make it executable by running the following command:

wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay && \
wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay-execute-worker && \
wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay-prepare-worker && \
chmod +x ./tanssi-relay*

wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay-skylake -O tanssi-relay && \
wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay-execute-worker-skylake -O tanssi-relay && \
wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay-prepare-worker-skylake -O tanssi-relay && \
chmod +x ./tanssi-relay*

wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay-znver3 -O tanssi-node && \
wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay-execute-worker-znver3 -O tanssi-node && \
wget https://github.com/moondance-labs/tanssi/releases/download/v0.12.0/tanssi-relay-prepare-worker-znver3 -O tanssi-node && \
chmod +x ./tanssi-relay*

Set Up the Systemd Service¶

Systemd is a management system for Linux systems that manages services (daemons in Unix-like systems jargon), starting them automatically when the computer starts or reboots, or restarting them upon unexpected failures.

The following commands configure a new account, create the directory, and move the previously downloaded files to the right location.

1. Create a new account to run the service:

   adduser tanssi_service --system --no-create-home
   

2. Create a directory to store the required files and data:

   mkdir /var/lib/tanssi-data
   

3. Set the folder's ownership to the account that will run the service to ensure writing permission:

   chown -R tanssi_service /var/lib/tanssi-data
   

4. Move the binaries to the folder:

   mv ./tanssi-relay* /var/lib/tanssi-data
   

Generate the Node Key¶

To generate and store on disk the session keys that will be referenced on the start-up command, run the following command:

/var/lib/tanssi-data/tanssi-relay key generate-node-key --file /var/lib/tanssi-data/node-key

Create the Systemd Service Configuration File¶

The next step is to create the Systemd configuration file.

You can create the file by running the following command:

sudo touch /etc/systemd/system/tanssi.service

Now you can open the file using your favorite text editor (vim, emacs, nano, etc) and add the configuration for the service, replacing the INSERT_YOUR_TANSSI_NODE_NAME tag with a human-readable name and YOUR_IP_ADDRESS with your public IP address. The name will come in handy for connecting the log entries and metrics with the node that generates them.

[Unit]
Description="Tanssi systemd service"
After=network.target
StartLimitIntervalSec=0

[Service]
User=tanssi_service
Type=simple
Restart=always
RestartSec=10
SyslogIdentifier=tanssi
SyslogFacility=local7
KillSignal=SIGHUP
LimitNOFILE=100000
ExecStart=/var/lib/tanssi-data/tanssi-relay --chain=dancelight \
  --base-path=/var/lib/tanssi-data/ \
  --node-key-file /var/lib/tanssi-data/node-key \
  --database=paritydb \
  --rpc-port=9944 \
  --prometheus-port=9615 \
  --prometheus-external \
  --name=INSERT_YOUR_TANSSI_NODE_NAME \
  --listen-addr=/ip4/0.0.0.0/tcp/30333 \
  --public-addr=/ip4/YOUR_IP_ADDRESS/tcp/30333 \
  --state-pruning=archive \
  --blocks-pruning=archive \
  --rpc-cors=all \
  --rpc-methods=safe \
  --unsafe-rpc-external \
  --rpc-max-connections=100 \
  --validator

[Install]
WantedBy=multi-user.target

Run Flags¶

The flags used in the ExecStart command can be adjusted according to your preferences and hardware configuration. The following ones are some of the most note-worthy:

• --name INSERT_NAME - a human-readable name for this node
• --rpc-port INSERT_PORT - specifies the JSON-RPC TCP port the node listens on
• --unsafe-rpc-external - exposes the RPC service on all the interfaces
• --state-pruning INSERT_STATE_PRUNING_TYPE - specifies when the Tanssi-powered network state should be removed from the database. The pruning type can be either archive (which makes the node behave as a full node keeping all the state), archive-canonical (which keeps only the state of finalized blocks), or any number (representing the number of blocks whose states are kept)
• --blocks-pruning INSERT_BLOCKS_PRUNING_TYPE - specifies how many blocks should be kept in the database. The pruning type can be either archive (which makes the node behave as a full node keeping all the blocks), archive-canonical (which keeps only finalized blocks), or any number (representing the amount of finalized blocks to keep)
• --detailed-log-output - enables detailed log output

For a complete list of available flags, their description, and possible values, run the following command:

/var/lib/tanssi-data/tanssi-relay  --help

Run the Service¶

Finally, enable the service and start it for the first time:

systemctl enable tanssi.service && \
systemctl start tanssi.service

You can verify that the service is up and running correctly running:

systemctl status tanssi.service

Check the logs, if needed, with the following command:

journalctl -f -u tanssi.service