Run a ParaTime Node
This page describes how to run a ParaTime node on the Oasis Network.
These instructions are for setting up a ParaTime node which participates in one or more ParaTime compute committees. If you want to run a ParaTime client node instead, see the instructions for running a ParaTime client node. If you want to run a validator node instead, see the instructions for running a validator node. Similarly, if you want to run a non-validator node instead, see the instructions for running a non-validator node.
For a production setup, we recommend running the ParaTime compute/storage node separately from the validator node (if you run one).
Running ParaTime and validator nodes as separate Oasis nodes will prevent configuration mistakes and/or (security) issues affecting one node type from affecting the other one.
If you are looking for some concrete ParaTimes that you can run, see the list of ParaTimes and their parameters.
Oasis Core refers to ParaTimes as runtimes internally, so all configuration options will have runtime in their name.
This guide will cover setting up your ParaTime compute node for the Oasis Network. This guide assumes some basic knowledge on the use of command line tools.

Prerequisites

Before following this guide, make sure you've followed the Prerequisites and Run a Non-validator Node sections and have:
  • Oasis Node binary installed and configured on your system.
  • The chosen top-level /node/ working directory prepared. In addition to etc and data directories, also prepare the following directories:
    • bin: This will store binaries needed by Oasis Node for running the ParaTimes.
    • runtimes: This will store the ParaTime binaries and their corresponding signatures (if they are running in a Trusted Execution Environment).
Feel free to name your working directory as you wish, e.g. /srv/oasis/.
Just make sure to use the correct working directory path in the instructions below.
  • Genesis file copied to /node/etc/genesis.json.
Reading the rest of the validator node setup instructions may also be useful.
To speed up bootstraping your new node, we recommend copying node's state from your existing node or syncing it using state sync.

Stake Requirements

To be able to register as a ParaTime node on the Oasis Network, you need to have enough tokens staked in your entity's escrow account.
To see the staking requirements for different node roles, use the Oasis CLI tools as described in Common Staking Info.
Currently, both the Mainnet and the Testnet require 100 ROSE/TEST for each role type:
1
Staking threshold (entity): ROSE 100.0
2
Staking threshold (node-validator): ROSE 100.0
3
Staking threshold (node-compute): ROSE 100.0
4
Staking threshold (node-storage): ROSE 100.0
5
Staking threshold (node-keymanager): ROSE 100.0
6
Staking threshold (runtime-compute): ROSE 100.0
7
Staking threshold (runtime-keymanager): ROSE 100.0
Copied!
To register a node that is both a validator and a ParaTime node, the entity for which the node is registered would need to satisfy the following:
  • Entity registration staking threshold (currently 100 tokens),
  • Validator node staking threshold (currently 100 tokens),
  • Compute node staking threshold (currently 100 tokens),
  • Storage node staking threshold (currently 100 tokens).
All together, there would need to be at least 400 tokens staked in your entity's escrow account.
To stake the tokens, use our Oasis CLI tools.
If everything was set up correctly, you should see something like below when running Oasis Node Stake Account Info command for your entity's account (this is an example for the Testnet):
1
Balance:
2
Total: 0.0 TEST
3
Available: 0.0 TEST
4
5
Active Delegations to this Account:
6
Total: 20000.0 TEST (20000000000000 shares)
7
Delegations:
8
- From: oasis1qrwdwxutpyr9d2m84zh55rzcf99aw0hkts7myvv9
9
Amount: 20000.0 TEST (20000000000000 shares)
10
11
Stake Accumulator:
12
Claims:
13
- Name: registry.RegisterEntity
14
Staking Thresholds:
15
- Global: entity
16
- Name: registry.RegisterNode.HG5TB3dbY8gtYBBw/R/cHfPaOpe0vT7W1wu/2rtpk/A=
17
Staking Thresholds:
18
- Global: node-compute
19
Staking Thresholds:
20
- Global: node-storage
21
22
Nonce: 1
Copied!
The stake requirements may differ from ParaTime to ParaTime and are subject to change in the future.

Register a New Entity or Update Your Entity Registration

If you don't have an entity yet, create a new one by following the Creating Your Entity instructions.
Everything in this section should be done on the localhost as there are sensitive items that will be created.
If you will be running the ParaTime on a new Oasis Node, initialize a new node by following the Initializing a Node instructions.
Then update your entity descriptor by enumerating paths to all your node's descriptors (existing and new ones) in the --entity.node.descriptor flag. For example:
1
oasis-node registry entity update \
2
... various signer flags ... \
3
--entity.node.descriptor /localhost/node1/node_genesis.json,/localhost/node2/node_genesis.json
Copied!
To confirm all nodes are added to your entity descriptor, run:
1
cat <PATH-TO-entity.json>
Copied!
and ensure you see all your nodes' IDs under the "nodes" list.
For example:
1
{
2
"v": 2,
3
"id": "QTg+ZjubD/36egwByAIGC6lMVBKgqo7xnZPgHVoIKzc=",
4
"nodes": [
5
"yT1h8/eN0VInQxn3YKcHxvSgGcsjsTSYmdTLZZMBTWI=",
6
"HG5TB3dbY8gtYBBw/R/cHfPaOpe0vT7W1wu/2rtpk/A="
7
]
8
}
Copied!
Then generate and submit the new/updated entity descriptor via the entity registration transaction by following the Generating Entity Registration Transaction instructions.
Make sure your entity descriptor (i.e. entity.json) is copied to your online server and saved as /node/entity/entity.json to ensure the node's configuration will find it.
You will configure the node to automatically register for the roles it has enabled (i.e. storage and compute roles) via the worker.registration.entity configuration flag.
No manual node registration is necessary.

The ParaTime Identifier and Binary

In order to run a ParaTime node you need to obtain the following pieces of information first, both of these need to come from a trusted source:
  • The ParaTime Identifier is a 256-bit unique identifier of a ParaTime on the Oasis Network. It provides a unique identity to the ParaTime and together with the genesis document's hash serves as a domain separation context for ParaTime transaction and cryptographic commitments. It is usually represented in hexadecimal form, for example: 8000000000000000000000000000000000000000000000000000000000000000
  • The ParaTime Binary contains the executable code that implements the ParaTime itself. It is executed in a sandboxed environment by Oasis Node and its format depends on whether the ParaTime is running in a Trusted Execution Environment (TEE) or not. In the non-TEE case this will be a regular Linux executable (an ELF binary, usually without an extension) and in the TEE case this will be an SGXS binary (usually with a .sgxs extension) that describes a secure enclave together with a detached signature of the binary (usually with a .sigextension).
Like the genesis document, make sure you obtain these from a trusted source.

Compiling the ParaTime Binary from Source Code

In case you decide to build the ParaTime binary from source yourself, make sure that you follow our guidelines for deterministic compilation to ensure that you receive the exact same binary.
When the ParaTime is running in a TEE, a different binary to what is registered in the consensus layer will not work and will be rejected by the network.

Install Oasis Core Runtime Loader

For ParaTimes running inside Intel SGX Trusted Execution Environment, you will need to install the Oasis Core Runtime Loader.
The Oasis Core Runtime Loader binary (oasis-core-runtime-loader) is part of Oasis Core binary releases, so make sure you download the appropriate version specified the Network Parameters page.
Install it to bin subdirectory of your node's working directory, e.g. /node/bin/oasis-core-runtime-loader.

Install ParaTime Binary

For each ParaTime, you need to obtain its binary and install it to runtimes subdirectory of your node's working directory.
For ParaTimes running inside a Trusted Execution Environment, you also need to obtain and install the binary's detached signature to this directory.
For example, for the Cipher ParaTime, you would have to obtain the cipher-paratime.sgxs binary and the cipher-paratime.sig detached signature and install them to /node/runtimes/cipher-paratime.sgxsand /node/runtimes/cipher-paratime.sig.

Install Bubblewrap Sandbox (at least version 0.3.3)

ParaTime compute nodes execute ParaTime binaries inside a sandboxed environment provided by Bubblewrap. In order to install it, please follow these instructions, depending on your distribution:
Ubuntu 18.10+
Fedora
Other Distributions
1
sudo apt install bubblewrap
Copied!
1
sudo dnf install bubblewrap
Copied!
On other systems, you can download the latest source release provided by the Bubblewrap project and build it yourself.
Make sure you have the necessary development tools installed on your system and the libcap development headers. On Ubuntu, you can install them with:
1
sudo apt install build-essential libcap-dev
Copied!
After obtaining the Bubblewrap source tarball, e.g. bubblewrap-0.4.1.tar.xz, run:
1
tar -xf bubblewrap-0.4.1.tar.xz
2
cd bubblewrap-0.4.1
3
./configure --prefix=/usr
4
make
5
sudo make install
Copied!
Note that Oasis Node expects Bubblewrap to be installed under /usr/bin/bwrap by default.
Ensure you have a new enough version by running:
1
bwrap --version
Copied!
Ubuntu 18.04 LTS (and earlier) provide overly-old bubblewrap. Follow Other Distributions section on those systems.

Setting up Trusted Execution Environment (TEE)

If a ParaTime requires the use of a TEE, then make sure you set up TEE as instructed in the Set up Trusted Execution Environment (TEE) doc.

Configuration

In order to configure the node create the /node/etc/config.yml file with the following content:
1
datadir: /node/data
2
3
log:
4
level:
5
default: info
6
tendermint: info
7
tendermint/context: error
8
format: JSON
9
10
genesis:
11
file: /node/etc/genesis.json
12
13
consensus:
14
tendermint:
15
core:
16
listen_address: tcp://0.0.0.0:26656
17
18
# The external IP that is used when registering this node to the network.
19
# NOTE: If you are using the Sentry node setup, this option should be
20
# omitted.
21
external_address: tcp://{{ external_address }}:26656
22
23
p2p:
24
# List of seed nodes to connect to.
25
# NOTE: You can add additional seed nodes to this list if you want.
26
seed:
27
- "{{ seed_node_address }}"
28
29
runtime:
30
supported:
31
# List of ParaTimes that the node should support.
32
- "{{ runtime_id }}"
33
34
paths:
35
# Paths to ParaTime binaries for all of the supported ParaTimes.
36
"{{ runtime_id }}": {{ runtime_bin_path }}
37
38
# The following section is required for ParaTimes which are running inside the
39
# Intel SGX Trusted Execution Environment.
40
sgx:
41
loader: /node/bin/oasis-core-runtime-loader
42
signatures:
43
# Paths to ParaTime signatures.
44
"{{ runtime_id }}": {{ runtime_sig_path }}
45
46
worker:
47
registration:
48
# In order for the node to register itself, the entity.json of the entity
49
# used to provision the node must be available on the node.
50
entity: /node/entity/entity.json
51
52
storage:
53
enabled: true
54
55
compute:
56
enabled: true
57
58
client:
59
# External gRPC configuration.
60
port: 30001
61
addresses:
62
# The external IP that is used when registering this node to the network.
63
- "{{ external_address }}:30001"
64
65
p2p:
66
# External P2P configuration.
67
enabled: true
68
port: 30002
69
addresses:
70
# The external IP that is used when registering this node to the network.
71
- "{{ external_address }}:30002"
72
73
# The following section is required for ParaTimes which are running inside the
74
# Intel SGX Trusted Execution Environment.
75
ias:
76
proxy:
77
address:
78
# List of IAS proxies to connect to.
79
# NOTE: You can add additional IAS proxies to this list if you want.
80
- "{{ ias_proxy_address }}"
Copied!
Before using this configuration you should collect the following information to replace the variables present in the configuration file:
Make sure theworker.client.port (default: 9100) and worker.p2p.port (default: 9200) ports are exposed and publicly accessible on the internet (forTCPtraffic).

Starting the Oasis Node

You can start the node by running the following command:
1
oasis-node --config /node/etc/config.yml
Copied!

Checking Node Status

To ensure that your node is properly connected with the network, you can run the following command after the node has started:
1
oasis-node control status -a unix:/node/data/internal.sock
Copied!

Troubleshooting

See the general Node troubleshooting and Set up TEE troubleshooting sections before proceeding with ParaTime node-specific troubleshooting.

Too Old Bubblewrap Version

Double check your installed bubblewrap version, and ensure is at least of version 0.3.3. Previous versions of this guide did not explicitly mention the required version. For details see the Install Bubblewrap Sandbox section.

Stake Requirement

Double check your node entity satisfies the staking requirements for a ParaTime node. For details see the Stake Requirements section.

Runtime Worker Ports

Make sure the worker.client.port (default: 30001) and worker.p2p.port (default: 30002) ports are exposed and publicly accessible on the internet (for TCP traffic). Previous versions of this guide did not explicitly mention this requirement.
Last modified 13d ago