Run a ParaTime Node

This page describes how to run a ParaTime node on the Oasis Network.

These instructions are for setting up a ParaTime node. If you want to run a validator node instead, see the instructions for running a validator node. Similarly, if you want to run a non-validator node instead, see the instructions for running a non-validator node.

If you are looking for some concrete ParaTimes that you can run, see the list of ParaTimes and their parameters.

This guide covers setting up your ParaTime compute node for the Oasis Network. It assumes basic knowledge of command-line tools.

Prerequisites

Before following this guide, make sure you've followed the Prerequisites and Run a Non-validator Node sections and have the Oasis Node binary installed and configured on your system. In addition to the basic non-validator configuration, you will also need to create and register your own entity. Reading the rest of the validator node setup instructions may also be useful.

Stake Requirements

To be able to register as a ParaTime node on the Oasis Network, you need to have enough tokens staked in your escrow account. For more details, see the Stake requirements section of the Run a Validator Node doc. Note that stake requirements may differ from ParaTime to ParaTime.

The ParaTime Identifier and Binary

In order to run a ParaTime node you first need to obtain the following pieces of information. Both need to come from a trusted source:

  • The ParaTime Identifier is a 256-bit unique identifier of a ParaTime on the Oasis Network. It provides a unique identity to the ParaTime and together with the genesis document's hash serves as a domain separation context for ParaTime transaction and cryptographic commitments. It is usually represented in hexadecimal form, for example: 8000000000000000000000000000000000000000000000000000000000000000

  • The ParaTime Binary contains the executable code that implements the ParaTime itself. It is executed in a sandboxed environment by Oasis Node and its format depends on whether the ParaTime is running in a Trusted Execution Environment (TEE) or not. In the non-TEE case this will be a regular Linux executable (an ELF binary, usually without an extension) and in the TEE case this will be an SGXS binary (usually with a .sgxs extension) that describes a secure enclave. The rest of this guide assumes that the binary is available at /node/bin/paratime.sgxs.

Like the genesis document, make sure you obtain these from a trusted source.

Compiling the ParaTime Binary from Source Code

In case you decide to build the ParaTime binary from source yourself, make sure that you follow our guidelines for deterministic compilation to ensure that you receive the exact same binary.

When the ParaTime is running in a TEE, a binary that differs from the one registered in the consensus layer will not work and will be rejected by the network.

Trusted Execution Environment (TEE)

If the ParaTime is configured to run in a TEE (currently only Intel SGX), you must make sure that your system supports running SGX enclaves. This requires that your hardware has SGX support, that SGX support is enabled and that the additional driver and software components are properly installed and running.

Install SGX Driver

On Intel's website, find the latest "Intel SGX Linux Release" (not "Intel SGX DCAP Linux Release") and download the "Intel (R) SGX Installers" for your platform. The package will have "driver" in its name.

After installing the driver and restarting your system, make sure that the /dev/isgx device exists.

Install AESM Service

The easiest way to install and run the AESM service is by using a Docker container provided by Fortanix as follows (this will keep the container running and it will be automatically started on boot):

docker run \
  --detach \
  --restart always \
  --device /dev/isgx \
  --volume /var/run/aesmd:/var/run/aesmd \
  --name aesmd \
  fortanix/aesmd

Check SGX Setup

In order to make sure that your SGX setup is working, you can install the Fortanix SGX utilities by doing the following (assuming you have Rust installed):

cargo install sgxs-tools

After the installation completes, run sgx-detect to make sure that everything is set up correctly. In case you encounter errors, see the list of common SGX installation issues for help.
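The checks from the driver and AESM steps can be scripted so that they run before every node start. The following is an added example, not part of the Oasis or Fortanix tooling: sgx_preflight is a hypothetical helper, and the socket name aesm.socket inside the /var/run/aesmd volume is an assumption about the AESM container.

```sh
#!/bin/sh
# Added example: SGX pre-flight check. sgx_preflight is a hypothetical helper.
# usage: sgx_preflight [DEVICE] [AESM_SOCKET] [ENCLAVE_BINARY]
# Prints one line per problem and returns non-zero if any check fails.
sgx_preflight() {
  dev=${1:-/dev/isgx}
  sock=${2:-/var/run/aesmd/aesm.socket}   # assumed socket name
  bin=${3:-/node/bin/paratime.sgxs}
  failed=0

  # The SGX driver exposes a character device. A regular file with the
  # same name means the driver is not actually loaded.
  if [ ! -c "$dev" ]; then
    echo "driver: $dev is not a character device"; failed=1
  elif [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
    echo "driver: $dev is not readable and writable by $(id -un)"; failed=1
  fi

  # The aesmd container publishes its UNIX socket through the shared volume.
  if [ ! -S "$sock" ]; then
    echo "aesm: no socket at $sock (is the aesmd container running?)"; failed=1
  fi

  # The enclave binary must be a non-empty regular file.
  if [ ! -f "$bin" ] || [ ! -s "$bin" ]; then
    echo "binary: $bin is missing or empty"; failed=1
  fi

  return "$failed"
}
```

Run it with no arguments to check the paths used in this guide; sgx-detect remains the authoritative test of the SGX stack itself.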

Configuration

In order to configure the node create the /node/etc/config.yml file with the following content:

datadir: /node/data
log:
  level:
    default: info
    tendermint: info
    tendermint/context: error
  format: JSON
genesis:
  file: /node/etc/genesis.json
consensus:
  tendermint:
    core:
      listen_address: tcp://0.0.0.0:26656
      # The external IP that is used when registering this node to the network.
      # NOTE: If you are using the Sentry node setup, this option should be
      # omitted.
      external_address: tcp://{{ external_address }}:26656
    p2p:
      # List of seed nodes to connect to.
      # NOTE: You can add additional seed nodes to this list if you want.
      seed:
        - "{{ seed_node_address }}"
runtime:
  supported:
    - "{{ runtime_id }}"
  paths:
    "{{ runtime_id }}": /node/bin/paratime.sgxs
worker:
  registration:
    # In order for the node to register itself, the entity.json of the entity
    # used to provision the node must be available on the node.
    entity: /node/entity/entity.json
  storage:
    enabled: true
  compute:
    enabled: true
  client:
    port: 30001
    addresses:
      - "{{ external_address }}:30001"
  p2p:
    enabled: true
    port: 30002
    addresses:
      - "{{ external_address }}:30002"
ias:
  proxy:
    address:
      # List of IAS proxies to connect to.
      # NOTE: You can add additional IAS proxies to this list if you want.
      - "{{ ias_proxy_address }}"

Before using this configuration you should collect the following information to replace the variables present in the configuration file:

  • {{ external_address }}: The external IP you used when registering this node.

  • {{ seed_node_address }}: The seed node address in the form ID@IP:port.

    You can find the current Oasis Seed Node address in the Network Parameters.

  • {{ runtime_id }}: The Runtime identifier.

  • {{ ias_proxy_address }}: The IAS proxy address in the form ID@IP:port. You can find the current Oasis IAS proxy address in the Network Parameters. If you want, you can also run your own IAS proxy.
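A mistyped runtime identifier or a variable left unreplaced only shows up once the node fails to start or register, so it is worth validating the four values while rendering the file. The following is an added example, not part of oasis-node: all function names are hypothetical, and it assumes IPv4 addresses, node addresses of the form ID@IP:port, and IDs that are hex or base64 strings.

```sh
#!/bin/sh
# Added example; every function name here is a hypothetical helper.

# True if $1 is a single line that matches the extended regex $2.
matches() {
  case $1 in *'
'*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq "$2"
}

# A ParaTime identifier is 256 bits: exactly 64 hexadecimal characters.
valid_runtime_id() { matches "$1" '^[0-9a-fA-F]{64}$'; }

# Dotted-quad IPv4 with every octet in 0..255 (assumption: IPv4 only).
valid_ipv4() {
  matches "$1" '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  for octet in $(printf '%s' "$1" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# ID@IP:port. Assumption: the ID is hex or base64, so it cannot contain the
# "|" and "&" characters that are special in the sed expressions below.
valid_node_address() {
  matches "$1" '^[A-Za-z0-9+/=]+@[0-9.]+:[0-9]{1,5}$' || return 1
  hostport=${1#*@}
  port=${hostport##*:}
  valid_ipv4 "${hostport%:*}" && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# usage: render_config TEMPLATE EXTERNAL_IP SEED RUNTIME_ID IAS_PROXY
render_config() {
  valid_ipv4 "$2"         || { echo "bad external_address" >&2; return 1; }
  valid_node_address "$3" || { echo "bad seed_node_address" >&2; return 1; }
  valid_runtime_id "$4"   || { echo "bad runtime_id" >&2; return 1; }
  valid_node_address "$5" || { echo "bad ias_proxy_address" >&2; return 1; }
  rendered=$(sed -e "s|{{ external_address }}|$2|g" \
                 -e "s|{{ seed_node_address }}|$3|g" \
                 -e "s|{{ runtime_id }}|$4|g" \
                 -e "s|{{ ias_proxy_address }}|$5|g" "$1") || return 1
  # Refuse to emit a config that still contains an unresolved variable.
  if printf '%s\n' "$rendered" | grep -q '{{'; then
    echo "unresolved {{ ... }} variable left in config" >&2; return 1
  fi
  printf '%s\n' "$rendered"
}
```

Redirect the output of render_config to /node/etc/config.yml only when it exits with status 0.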

Starting the Oasis Node

You can start the node by running the following command:

oasis-node --config /node/etc/config.yml

Checking Node Status

To ensure that your node is properly connected with the network, you can run the following command after the node has started:

oasis-node control status -a unix:/node/data/internal.sock