Difference between revisions of "Operating System Installation and Configuration"
LordVetinari (talk | contribs) (→Hosted) |
(48 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
Before installing any xx network software, a Node or Gateway must have the operating system (OS) correctly installed and configured. This process must be done twice, once for each machine. | |||
These instructions assume that you have a working machine that meets to exceeds the [[Hardware Requirements]], has an active internet connection, and an empty storage drive or a drive that can be | These instructions assume that you have a working machine that meets to exceeds the [[Hardware Requirements]], has an active internet connection, and an empty storage drive or a drive that can be formatted. | ||
== Some Tips for Inexperienced Users == | == Some Tips for Inexperienced Users == | ||
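Review bot: the typo "meets to exceeds" in the Hardware Requirements sentence survives into the new revision; it should read "meets or exceeds the [[Hardware Requirements]]". While touching that row, "These instructions assume that you have a working machine" could also state that the two machines (Node and Gateway, as the first paragraph says the process is done twice) each need to meet the requirements.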
Line 7: | Line 7: | ||
If this is your first time using a command line interface or you do not remember how to use it, the following are some tips to make using the interface a little easier. | If this is your first time using a command line interface or you do not remember how to use it, the following are some tips to make using the interface a little easier. | ||
* In this document, anytime code is presented in a {{font color|#BBB|#000|{{mono|black box with monospaced font}}}} it means that it is command line input or output. Commands prefixed by a <code>'''$'''</code> are commands | * In this document, anytime code is presented in a {{font color|#BBB|#000|{{mono|black box with a monospaced font}}}}, it means that it is command line input or output. Commands prefixed by a <code>'''$'''</code> are commands to enter into your command prompt (do not include <code>'''$'''</code> in the command). Any lines without that prefix are output from the system. | ||
* The <code>sudo</code> command is often prepended to commands found in these instructions. | * The <code>sudo</code> command is often prepended to commands found in these instructions. It enables commands to be run with elevated privileges. When used, the system will ask for your password to continue running the command. | ||
{{block indent|left=1|text= | {{block indent|left=1|text= | ||
Line 15: | Line 15: | ||
[sudo] password for user: <span class="blink" style="color:lime;">█</span>}}}} | [sudo] password for user: <span class="blink" style="color:lime;">█</span>}}}} | ||
* Whenever the system asks for a password to continue, no characters will appear when typing, but type in your password | * Whenever the system asks for a password to continue, no characters will appear when typing, but type in your password, press {{key press|enter}}, and it will work. | ||
* When typing a command or path, use the {{key press|tab}} key to auto complete a partially written statement. | * When typing a command or path, use the {{key press|tab}} key to auto-complete a partially written statement. | ||
== Installing the Operating System == | == Installing the Operating System == | ||
The xx network software has been tested only on Ubuntu Server 20.04 and instructions are only provided for that OS. | The xx network software has been tested only on Ubuntu Server 20.04 and instructions are only provided for that OS. Therefore, support cannot be guaranteed if a different operating system version is used, although no decisions have been made to preclude any operating systems specifically. | ||
If you have direct access to your hardware and can install the operating system yourself, then go to the [[#Local Hardware|Local Hardware]] section. If your machine is hosted and you do not have physical access, then go to the [[#Hosted|Hosted]] section. | |||
=== Local Hardware === | === Local Hardware === | ||
If you have physical access to the machine and can install | If you have physical access to the machine and can install an operating system, then follow the instructions below. If you are using a VPS or hosting service, | ||
It is recommended that your machine be connected to the internet via ethernet cable | It is recommended that your machine be connected to the internet via ethernet cable before installation. | ||
<ol style="list-style-type: decimal;"> | <ol style="list-style-type: decimal;"> | ||
<li><p>Download Ubuntu Server install image from the [https://releases.ubuntu.com/20.04/ Official Ubuntu website].</p> | <li><p>Download the Ubuntu Server install image from the [https://releases.ubuntu.com/20.04/ Official Ubuntu website].</p> | ||
{{Note|inline=1|small=1|Make sure to select the ''Server install image'', not the ''Desktop image''. The desktop version of Ubuntu can work, but it includes extra programs and processes that are unneeded and take up resources.}} | {{Note|inline=1|small=1|Make sure to select the ''Server install image'', not the ''Desktop image''. The desktop version of Ubuntu can work, but it includes extra programs and processes that are unneeded and take up resources.}} | ||
[[File:Download Ubuntu Server.png|800px|center|alt=Click on the link "64-bit PC (AMD64) server install image" to download the Ubuntu Server image.]] | [[File:Download Ubuntu Server.png|800px|center|alt=Click on the link "64-bit PC (AMD64) server install image" to download the Ubuntu Server image.]] | ||
</li> | </li> | ||
<li><p>Next, a bootable disk with Linux needs to be created. This can be done by writing it to a DVD or more commonly, a flash drive. Follow one of the following tutorials on how to do so depending on your current operating system and chosen media.</p> | <li><p>Next, a bootable disk with Linux needs to be created. This can be done by writing it to a DVD or, more commonly, a flash drive. Follow one of the following tutorials on how to do so depending on your current operating system and chosen media.</p> | ||
{{Note|inline=1|small=1|The resources linked below are provided by a third party source. The instructions may be out of date but should generally be correct.}} | {{Note|inline=1|small=1|The resources linked below are provided by a third-party source. The instructions may be out of date but should generally be correct.}} | ||
{{div col}} | {{div col}} | ||
<ul> | <ul> | ||
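Review bot: the new Local Hardware row ends mid-sentence at "If you are using a VPS or hosting service," so the reader is left without a direction. Either finish it by pointing to the Hosted section, as the intro paragraph above already does ("If your machine is hosted and you do not have physical access, then go to the Hosted section"), or drop the fragment since that intro already routes hosted users.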
Line 52: | Line 54: | ||
<li><p>In step 6, make sure you select the first option <code>Install Ubuntu</code>.</p></li> | <li><p>In step 6, make sure you select the first option <code>Install Ubuntu</code>.</p></li> | ||
<li><p>In step 7, make sure to configure your internet connection and get an IP address.</p></li> | <li><p>In step 7, make sure to configure your internet connection and get an IP address.</p></li> | ||
<li><p>In step 8, ensure that you select <code>Use an Entire Disk</code>.</p></li> | <li><p>In step 8, ensure that you select <code>Use an Entire Disk</code>.</p> | ||
<li><p>In step 12, pick a server name that does not have any personal identifying information and | {{Note|inline=1|small=1|Please be sure the full amount of available space is formatted if selecting to use LVM. See [https://xxnetwork.wiki/Check_root_Disk_Space Check root Disk Space]|warn}}</li> | ||
<li><p>In step 12, pick a server name that does not have any personal identifying information and create a strong password.</p> | |||
{{Note|inline=1|small=1|Create a strong but memorable password. It is recommended that it is longer than 12 characters. Store this password in a safe and secure location. Never share this password with anyone.|warn}} | {{Note|inline=1|small=1|Create a strong but memorable password. It is recommended that it is longer than 12 characters. Store this password in a safe and secure location. Never share this password with anyone.|warn}} | ||
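Review bot: the new LVM warning on the "Use an Entire Disk" step links out with a bare URL (https://xxnetwork.wiki/Check_root_Disk_Space) while the rest of the page uses internal wikilinks such as [[Hardware Requirements]]; use [[Check root Disk Space]] so the link survives a domain change. The warning itself is a good addition, since the installer's LVM default leaves part of the volume group unallocated and the disk-space check later in the wiki is where that is caught.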
Line 59: | Line 62: | ||
</ol> | </ol> | ||
</li> | </li> | ||
<li><p> | <li><p>Ensure the machine has turned back on and then log in using the credentials created in the previous step. Sometimes extra text is printed to the console and you will not see the login prompt. The prompt should still be there; just type your username and press {{key press|enter}} to continue.</p></li></ol> | ||
==== Check Internet Connection ==== | ==== Check Internet Connection ==== | ||
Line 68: | Line 71: | ||
<li><p>Check your current local connection status and local IP address.</p> | <li><p>Check your current local connection status and local IP address.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>ip addr}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>ip addr}} | ||
<p>This should result in a similar output to below. The machine should have a valid local IP address.</p> | <p>This should result in a similar output to the below. The machine should have a valid local IP address.</p> | ||
{{terminal|skin=noborder|text= | {{terminal|skin=noborder|text= | ||
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 | 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 | ||
Line 103: | Line 106: | ||
=== Hosted === | === Hosted === | ||
If your machine is hosted then it will usually be delivered to you with the operating system preinstalled or you can select an OS to install. If you have the option, select Ubuntu 20.04. | If your machine is hosted, then it will usually be delivered to you with the operating system preinstalled or you can select an OS to install. If you have the option, select Ubuntu 20.04. | ||
Some hosting services deliver the server to you with access to the root account. The root account has broad permissions to modify the Linux environment and should be disabled to avoid destructive changes. If your user is not a root, then you can skip this section. | Some hosting services deliver the server to you with access to the root account. The root account has broad permissions to modify the Linux environment and should be disabled to avoid destructive changes. These instructions will detail how to add a new non-root user account to be used as the primary account when accessing your machine. | ||
If your user is not a root, then you can skip this section and go to [[#Updating Software and Installing Dependencies|Updating Software and Installing Dependencies]]. | |||
<ol style="list-style-type: decimal;"> | <ol style="list-style-type: decimal;"> | ||
Line 116: | Line 121: | ||
<li><p>Once logged in, create a new user with a username of your choice. The username {{mono|ubuntu}} is used as an example.</p> | <li><p>Once logged in, create a new user with a username of your choice. The username {{mono|ubuntu}} is used as an example.</p> | ||
{{terminal|icon=|text=<span class="noselect">'''$''' </span>adduser {{highlight|ubuntu|#595935}}}} | {{terminal|icon=|text=<span class="noselect">'''$''' </span>adduser {{highlight|ubuntu|#595935}}}} | ||
<p>It will print | <p>It will print output similar to the following.</p> | ||
{{terminal|icon=|text= | {{terminal|icon=|text= | ||
Adding user `{{highlight|ubuntu|#595935}}' ... | Adding user `{{highlight|ubuntu|#595935}}' ... | ||
Line 132: | Line 137: | ||
{{terminal|icon=|text=passwd: password updated successfully}} | {{terminal|icon=|text=passwd: password updated successfully}} | ||
</li> | </li> | ||
<li><p>You will then be asked a series of questions. Answering them is optional. At the end confirm that the information entered is correct.</p> | <li><p>You will then be asked a series of questions. Press {{key press|Enter}} after every answer. Answering them is optional. At the end, confirm that the information entered is correct by pressing {{key press|Y}} and then {{key press|Enter}}.</p> | ||
{{terminal|icon=|text= | {{terminal|icon=|text= | ||
Changing the user information for {{highlight|ubuntu|#595935}} | Changing the user information for {{highlight|ubuntu|#595935}} | ||
Line 141: | Line 146: | ||
Home Phone []: | Home Phone []: | ||
Other []: | Other []: | ||
Is the information correct? [Y/n]}} | Is the information correct? [Y/n] {{highlight|y|#595935}}}} | ||
</li> | </li> | ||
<li><p>To allow the new user to perform actions with superuser privileges using {{mono|sudo}}, add them to the sudo group.</p> | <li><p>To allow the new user to perform actions with superuser privileges using {{mono|sudo}}, add them to the sudo group.</p> | ||
{{terminal|icon=|text=usermod -aG sudo {{highlight|ubuntu|#595935}}}} | {{terminal|icon=|text=usermod -aG sudo {{highlight|ubuntu|#595935}}}} | ||
</li> | </li> | ||
<li><p>In the future, use this new account to | <li><p>In the future, use this new account to log in to your server. Connecting to your server via SSH with the root account will be disabled in future steps.</p></li> | ||
{{Note|inline=1|small=1|At this point, you need to logout of the root account and login with the newly created user account otherwise some dependencies will not be installed as the correct user.|warn}} | |||
</ol> | </ol> | ||
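Review bot: the usermod row is missing the prompt prefix that every other command on the page carries: `{{terminal|icon=|text=usermod -aG sudo ...}}` should be `{{terminal|icon=|text=<span class="noselect">'''$''' </span>usermod -aG sudo ...}}`, matching the adduser row above and the convention stated in the tips section (commands prefixed by `$` are to be entered, lines without it are output). The new warning about logging out of root before continuing is the right place to add that the remaining sections assume the non-root account, since the later pip3 --user step installs into that user's home.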
Line 161: | Line 167: | ||
</li> | </li> | ||
<li><p>Reboot the machine to ensure all updates are installed fully.</p> | <li><p>Reboot the machine to ensure all updates are installed fully.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo shutdown -r now}} | ||
</li> | </li> | ||
<li><p>Once the machine starts up, log back in.</p></li> | <li><p>Once the machine starts up, log back in.</p></li> | ||
Line 182: | Line 188: | ||
}} | }} | ||
</li> | </li> | ||
<li><p>Install the {{inline-code|lang=text|boto3}}, {{inline-code|lang=text|pyOpenSSL}}, {{inline-code|lang=text|substrate-interface}} and {{inline-code|lang=text|packaging}} dependencies. The Wrapper Script uses the first package to read commands and send logs to xx network through AWS and the second is used to authenticate them. The third, {{inline-code|lang=text|substrate-interface}}, is used to interact with the Substrate node. {{inline-code|lang=text|packaging}} is a dependency of {{inline-code|lang=text|substrate-interface}}.</p> | <li><p>Install the {{inline-code|lang=text|boto3}}, {{inline-code|lang=text|pyOpenSSL}}, {{inline-code|lang=text|substrate-interface}}, and {{inline-code|lang=text|packaging}} dependencies. The Wrapper Script uses the first package to read commands and send logs to xx network through AWS, and the second is used to authenticate them. The third, {{inline-code|lang=text|substrate-interface}}, is used to interact with the Substrate node. {{inline-code|lang=text|packaging}} is a dependency of {{inline-code|lang=text|substrate-interface}}.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>pip3 install --user -U boto3 pyOpenSSL substrate-interface packaging}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>pip3 install --user -U boto3 pyOpenSSL substrate-interface packaging requests}} | ||
<p>The output should look similar to the following.</p> | <p>The output should look similar to the following.</p> | ||
{{terminal|skin=noborder|height=10em|text= | {{terminal|skin=noborder|height=10em|text= | ||
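Review bot: the new pip3 command adds `requests` but the paragraph above it still lists and explains only four packages (boto3, pyOpenSSL, substrate-interface, packaging). Either document what the Wrapper Script uses `requests` for, in the same sentence pattern as the others, or remove it from the command so the prose and the command agree.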
Line 262: | Line 268: | ||
== Configuring Local Network (Port Forwarding) == | == Configuring Local Network (Port Forwarding) == | ||
To ensure that the machine can be accessed from outside the local network, the local network gateway must be configured to allow external access to the machine on ports configured above. Three main pieces of information are needed for this part: (1) the port numbers to forward (the defaults are {{mono|11420}} for cMix, {{mono|22840}} for Gateway, {{mono| | To ensure that the machine can be accessed from outside the local network, the local network gateway must be configured to allow external access to the machine on ports configured above. Three main pieces of information are needed for this part: (1) the port numbers to forward (the defaults are {{mono|11420}} for cMix, {{mono|22840}} for Gateway, {{mono|15974}} for xx chain), and (optionally) 22 for SSH, (2) the protocol to use (TCP), and (3) the local IP address of the machine, which is retrieved below. | ||
{{Note|If your machine is hosted for you, then the port may already be open or you need to configure it with your hosting provider.}} | {{Note|If your machine is hosted for you, then the port may already be open, or you need to configure it with your hosting provider.}} | ||
<ol style="list-style-type: decimal;"> | <ol style="list-style-type: decimal;"> | ||
<li id="Configuring_Local_Network_step01"><p>Get the local IP address of the machine.</p> | <li id="Configuring_Local_Network_step01"><p>Get the local IP address of the machine.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>hostname -I}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>hostname -I}} | ||
<p>The local IP address will be printed; it will be in the form of {{mono|0.0.0.0}}. Make sure to make note of this for the later steps.</p> | <p>The local IP address will be printed; it will be in the form of {{mono|0.0.0.0}}. Make sure to make a note of this for the later steps.</p> | ||
{{terminal|skin=noborder|text=<span style="background:#595935;position:relative;">[your internal IP address]<span style="position:absolute;font-family:sans-serif;color:#fff;white-space:nowrap;padding:0 0.45em;line-height:1.5em;font-size:85%;font-weight:bold;"><span style="padding:0 0.5em;vertical-align:middle;overflow:hidden;">[[File:Straight Arrow 1.svg|none|link=]]</span><span style="vertical-align:middle;">Make note of this address.</span></span></span>}} | {{terminal|skin=noborder|text=<span style="background:#595935;position:relative;">[your internal IP address]<span style="position:absolute;font-family:sans-serif;color:#fff;white-space:nowrap;padding:0 0.45em;line-height:1.5em;font-size:85%;font-weight:bold;"><span style="padding:0 0.5em;vertical-align:middle;overflow:hidden;">[[File:Straight Arrow 1.svg|none|link=]]</span><span style="vertical-align:middle;">Make note of this address.</span></span></span>}} | ||
{{Note|inline=1|small=1|If the machine has multiple network interfaces or an IPv6 address, they will also appear in this list. Ensure that only the correct internal IPv4 address is used.}} | {{Note|inline=1|small=1|If the machine has multiple network interfaces or an IPv6 address, they will also appear in this list. Ensure that only the correct internal IPv4 address is used.}} | ||
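Review bot: in the port-forwarding intro, the closing parenthesis lands before the SSH port: "... {{mono|15974}} for xx chain), and (optionally) 22 for SSH, (2) the protocol ...". Move it so the optional port sits inside the list of ports, e.g. "(the defaults are {{mono|11420}} for cMix, {{mono|22840}} for Gateway, {{mono|15974}} for xx chain, and optionally {{mono|22}} for SSH), (2) the protocol to use (TCP), ...", and wrap 22 in {{mono}} like the other port numbers.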
Line 276: | Line 282: | ||
: {{Note|The following section describes how to configure the networking equipment on your network. Because of the varying | : {{Note|The following section describes how to configure the networking equipment on your network. Because of the varying equipment configurations, these instructions are generic and may not be accurate for your hardware. Please refer to the manufacturer’s instructions for more detailed and accurate information. Configuration of the network will most likely occur from a different machine on the network.}} | ||
<ol start="2" style="list-style-type: decimal;"> | <ol start="2" style="list-style-type: decimal;"> | ||
Line 284: | Line 290: | ||
{{terminal|skin=noborder|text=default via {{highlight|192.168.1.1|#595935}} dev enp1s0 proto dhcp src 192.168.1.37 metric 100}} | {{terminal|skin=noborder|text=default via {{highlight|192.168.1.1|#595935}} dev enp1s0 proto dhcp src 192.168.1.37 metric 100}} | ||
</li> | </li> | ||
<li><p>Go to this IP address in a browser (on a different machine) and | <li><p>Go to this IP address in a browser (on a different machine) and log in using the gateway credentials. These credentials are either set up by the network administrator or are the default credentials located on the gateway or found online.</p></li> | ||
<li id="Configuring_Local_Network_step04"><p>It is highly recommended to provide your machine a static local IP address or port forwarding may need to be reconfigured if your machine changes local IP addresses. Instructions for | <li id="Configuring_Local_Network_step04"><p>It is highly recommended to provide your machine a static local IP address or port forwarding may need to be reconfigured if your machine changes local IP addresses. Instructions for doing so are dependent on your network hardware and outside of the scope of these instructions.</p></li> | ||
<li><p>Locate the ''port forwarding'' options (occasionally called ''virtual server''). These options are sometimes found under the advanced section.</p></li> | <li><p>Locate the ''port forwarding'' options (occasionally called ''virtual server''). These options are sometimes found under the advanced section.</p></li> | ||
<li><p>Forward the port for xx chain ({{mono| | <li><p>Forward the port for xx chain ({{mono|15974}}) and the port for either cMix ({{mono|11420}}) or Gateway ({{mono|22840}}). For each, create a new entry and enter the IP address found in [[#Configuring_Local_Network_step01|step 1]] or the one set in [[#Configuring_Local_Network_step04|step 4]], set the port to the chosen ports, and select the TCP protocol.</p></li> | ||
<li><p>If you plan on using SSH to access your machine remotely from ''outside'' your local network, make sure to forward port {{mono|22}}. If you do not know if you need to access your machine outside the local network, | <li><p>If you plan on using SSH to access your machine remotely from ''outside'' your local network, make sure to forward port {{mono|22}}. If you do not know if you need to access your machine outside the local network, skip this step.</p> | ||
{{Note|small=1|inline=1|Enabling SSH access from the internet can expose your machine to unwanted access by outside parties. If you forward port {{mono|22}}, then make sure you follow all the security features for SSH outlined in later steps. However, if you do not need outside access to your machine, then it is recommended that you do not forward this port.|warn}} | {{Note|small=1|inline=1|Enabling SSH access from the internet can expose your machine to unwanted access by outside parties. If you forward port {{mono|22}}, then make sure you follow all the security features for SSH outlined in later steps. However, if you do not need outside access to your machine, then it is recommended that you do not forward this port.|warn}} | ||
</li> | </li> | ||
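Review bot: the gateway login step tells the reader to use "the default credentials located on the gateway or found online" without telling them to change those defaults. Since this section opens the machine to the internet and the SSH warning a few lines later treats exposure to outside parties as a risk, add a sentence recommending that default gateway credentials be replaced with a strong password, in line with the password guidance given during installation.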
Line 296: | Line 302: | ||
== Setting Up UFW == | == Setting Up UFW == | ||
Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu. UFW | Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu. The operating system should come with UFW already installed; the following instructions will describe how to configure and enable it. | ||
<ol style="list-style-type: decimal;"> | <ol style="list-style-type: decimal;"> | ||
Line 322: | Line 328: | ||
{{Note|inline=1|small=1|Port {{mono|22840}} is the default port in the provided Gateway configuration file. A different port may be used, but it must be configured in <code>gateway.yaml</code>, which is downloaded in a future step.}} | {{Note|inline=1|small=1|Port {{mono|22840}} is the default port in the provided Gateway configuration file. A different port may be used, but it must be configured in <code>gateway.yaml</code>, which is downloaded in a future step.}} | ||
</li> | </li> | ||
<li><p>{{abbr|Secure Shell Protocol|SSH}} is an internet protocol that allows you to | <li><p>{{abbr|Secure Shell Protocol|SSH}} is an internet protocol that allows you to access your server from your personal computer remotely. It is recommended that you set up SSH to make steps later in the software setup easier. But note that SSH should only be enabled with key authentication and rate-limiting to prevent unwanted parties from accessing your server. Key authentication is set up in the next section [[#Setting Up SSH|Setting Up SSH]]. If you do not want to use SSH, then skip this step.</p> | ||
<p>To enable SSH with rate limiting, limit port {{mono|22}} over TCP. UFW will prevent access if someone attempts to connect six or more times within 30 seconds.</p> | <p>To enable SSH with rate limiting, limit port {{mono|22}} over TCP. UFW will prevent access if someone attempts to connect six or more times within 30 seconds.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo ufw limit 22/tcp comment "SSH" | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo ufw limit 22/tcp comment "SSH" | ||
Rules updated | Rules updated | ||
Rules updated (v6)}} | Rules updated (v6)}} | ||
{{Note|inline=1|small=1|Enabling SSH access without the proper security can result in unwanted access. Make sure to enable rate limiting and key authentication.|warn}} | {{Note|inline=1|small=1|Enabling SSH access without the proper security can result in unwanted access. Make sure to enable rate-limiting and key authentication.|warn}} | ||
</li> | </li> | ||
<li><p>Finally, enable UFW.</p> | <li><p>Finally, enable UFW.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo ufw enable}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo ufw enable}} | ||
<p>If you are connected over SSH, you may be prompted to continue, press {{key press|Y}} then {{key press|Enter}}. Note that you may be disconnected when doing so.</p> | <p>If you are connected over SSH, you may be prompted to continue, press {{key press|Y}}, and then {{key press|Enter}}. Note that you may be disconnected when doing so.</p> | ||
{{terminal|skin=noborder|text=Command may disrupt existing ssh connections. Proceed with operation (y<nowiki>|</nowiki>n)? {{highlight|y|#595935}}}} | {{terminal|skin=noborder|text=Command may disrupt existing ssh connections. Proceed with operation (y<nowiki>|</nowiki>n)? {{highlight|y|#595935}}}} | ||
<p>If successful, then it will print the following.</p> | <p>If successful, then it will print the following.</p> | ||
Line 339: | Line 345: | ||
=== Verify Firewall Configuration === | === Verify Firewall Configuration === | ||
This section describes how to check if the firewall is active and if the ports are | This section describes how to check if the firewall is active and if the ports are correctly configured. | ||
Print the status of UFW. | Print the status of UFW. | ||
Line 376: | Line 382: | ||
== Setting Up SSH == | == Setting Up SSH == | ||
SSH or Secure Shell Protocol, is a network protocol that allows you to | SSH, or Secure Shell Protocol, is a network protocol that allows you to access your machine remotely. It is helpful so that you can set up and configure your machine from your personal computer. It also makes setup easier because you can copy and paste commands into your console instead of having to manually type everything. | ||
It is recommended that you enable SSH access as it will make some steps easier to accomplish later in this manual. But note that SSH opens up a possible attack vector on your Node. If you | It is recommended that you enable SSH access as it will make some steps easier to accomplish later in this manual. But note that SSH opens up a possible attack vector on your Node. If you enable SSH, then it must be rate-limited (described above in [[#Setting Up UFW|Setting Up UFW]]) and only accept key authentication, as explained below. If you do not want to use SSH, then skip this section. | ||
=== Rate Limiting === | === Rate Limiting === | ||
<ol style="list-style-type: decimal;"> | <ol style="list-style-type: decimal;"> | ||
<li><p>If you have not yet done so, | <li><p>If you have not yet done so, enable rate-limiting on port {{mono|22}} as described in [[#Setting Up UFW|Setting Up UFW]].</p></li> | ||
<li><p>Ensure that UFW is | <li><p>Ensure that UFW is correctly configured for SSH by printing its status for port {{mono|22}}.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo ufw status | grep 22/tcp}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo ufw status | grep 22/tcp}} | ||
<p>This should print | <p>This should print all the UFW rules. Make sure that you see the two rules below in your list.</p> | ||
{{terminal|skin=noborder|text= | {{terminal|skin=noborder|text= | ||
22/tcp {{highlight|LIMIT|#595935}} Anywhere # SSH | 22/tcp {{highlight|LIMIT|#595935}} Anywhere # SSH | ||
22/tcp (v6) {{highlight|LIMIT|#595935}} Anywhere (v6) # SSH | 22/tcp (v6) {{highlight|LIMIT|#595935}} Anywhere (v6) # SSH | ||
}} | }} | ||
{{Note|inline=1|small=2|Make sure that the action is set to {{inline-code|lang=text|LIMIT}} not {{inline-code|lang=text|ALLOW}}|warn}}. | {{Note|inline=1|small=2|Make sure that the action is set to {{inline-code|lang=text|LIMIT}}, not {{inline-code|lang=text|ALLOW}}|warn}}. | ||
</li> | </li> | ||
</ol> | </ol> | ||
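Review bot: the sentence "This should print all the UFW rules" contradicts the command it describes; `sudo ufw status | grep 22/tcp` prints only the lines containing `22/tcp`, i.e. the two SSH rules shown. Reword to "This prints only the rules for port 22. Make sure that you see the two rules below." Also, the trailing period after the LIMIT/ALLOW note sits outside the template (`|warn}}.`), so it renders as a stray dot; move it inside or drop it.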
Line 403: | Line 409: | ||
<li><p>Make sure that the SSH server is running.</p> | <li><p>Make sure that the SSH server is running.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo systemctl status ssh}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo systemctl status ssh}} | ||
<p>This will print the status of the service. It should say {{mono|active}} as shown below.</p> | <p>This will print the status of the service. It should say {{mono|active}}, as shown below.</p> | ||
{{terminal|skin=noborder|text= | {{terminal|skin=noborder|text= | ||
{{font color|#55FF55|●}} ssh.service - OpenBSD Secure Shell server | {{font color|#55FF55|●}} ssh.service - OpenBSD Secure Shell server | ||
Line 421: | Line 427: | ||
=== Generating Key Pair === | === Generating Key Pair === | ||
{{Note|If you have already generated a key pair | {{Note|If you have already generated a SSH key pair, then you can use the same key pair again. Skip to [[#Copying Public Key to Serve|Copying Public Key to Server]].}} | ||
By default, SSH has password authentication enabled, which allows you to connect to your machine using only your username, password, and your machine's IP address. SSH also offers key authentication, which involves generating an RSA key pair and is generally more secure. These instructions | By default, SSH has password authentication enabled, which allows you to connect to your machine using only your username, password, and your machine's IP address. SSH also offers key authentication, which involves generating an RSA key pair and is generally more secure. These instructions detail how to set up an SSH key pair between your machine and your personal machine. Note that these instructions assume that you have an OpenSSH client on your personal computer. If you are on a Linux or macOS machine, SSH is available by default. On Windows, you need to either [https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse install the native OpenSSH Client], download a third-party client such as [https://www.putty.org/ PuTTY], or use {{abbr|Windows Subsystem for Linux|WSL}}. | ||
{{Note|inline=1|small=1|The instructions supplied below are for Ubuntu 20.04. For other operating systems, the processes should be similar.}} | {{Note|inline=1|small=1|The instructions supplied below are for Ubuntu 20.04. For other operating systems, the processes should be similar.}} | ||
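Review bot: the section link in the new note is broken: `[[#Copying Public Key to Serve|Copying Public Key to Server]]` targets an anchor missing the final "r", so it will not jump to the section. Change the target to `#Copying Public Key to Server`. Same row: "a SSH key pair" should be "an SSH key pair".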
Line 429: | Line 435: | ||
<li><p>First, on your personal computer, open up the terminal and generate a 4096-bit key pair using {{inline-code|lang=text|ssh-keygen}}</p> | <li><p>First, on your personal computer, open up the terminal and generate a 4096-bit key pair using {{inline-code|lang=text|ssh-keygen}}</p> | ||
{{terminal|icon=|text=<span class="noselect">'''$''' </span>ssh-keygen -b 4096}} | {{terminal|icon=|text=<span class="noselect">'''$''' </span>ssh-keygen -b 4096}} | ||
{{Note|inline=1|small=1|By default, {{inline-code|lang=text|ssh-keygen}} creates a 3072-bit key pair. We suggest you use 4096 bits as it is stronger and the same size as the keys used in the xx network.}} | {{Note|inline=1|small=1|By default, {{inline-code|lang=text|ssh-keygen}} creates a 3072-bit key pair. We suggest you use 4096 bits as it is stronger than the default and the same size as the keys used in the xx network.}} | ||
<p>This should print the following output.</p> | <p>This should print the following output.</p> | ||
{{terminal|icon=|text= | {{terminal|icon=|text= | ||
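Review bot: the key-generation command in this step, 'ssh-keygen -b 4096', does not name a key type; '-b' only sets a length for RSA keys, and the note beneath it about the 3072-bit default is RSA-specific, so the step should read 'ssh-keygen -t rsa -b 4096' to produce the intended key regardless of the client's default key type.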
Line 441: | Line 447: | ||
Overwrite (y/n)? {{highlight|n|#595935}}}} | Overwrite (y/n)? {{highlight|n|#595935}}}} | ||
</li> | </li> | ||
<li><p>If you do not already have an SSH key pair, then you will be prompted to create a passphrase. You must set a strong passphrase | <li><p>If you do not already have an SSH key pair, then you will be prompted to create a passphrase. You must set a strong passphrase; it will be used every time you use the key when connecting over SSH.</p> | ||
{{terminal|icon=|text= | {{terminal|icon=|text= | ||
Enter passphrase (empty for no passphrase): | Enter passphrase (empty for no passphrase): | ||
Enter same passphrase again:}} | Enter same passphrase again:}} | ||
{{Note|inline=1|small=1|Create a strong but memorable password. It is recommended that it is longer than 12 characters. Store this password in a safe and secure location. Never share this password with anyone.|warn}} | {{Note|inline=1|small=1|Create a strong but memorable password. It is recommended that it is longer than 12 characters. Store this password in a safe and secure location. Never share this password with anyone.|warn}} | ||
<p>This will result in a similar output to below</p> | <p>This will result in a similar output to below.</p> | ||
{{terminal|icon=|text= | {{terminal|icon=|text= | ||
Your identification has been saved in /home/[''your home'']/.ssh/id_rsa | Your identification has been saved in /home/[''your home'']/.ssh/id_rsa | ||
Line 492: | Line 498: | ||
<span class="noselect">'''$''' </span>whoami | <span class="noselect">'''$''' </span>whoami | ||
{{highlight|[username]|#595935}}}} | {{highlight|[username]|#595935}}}} | ||
{{Note|inline=1|small=1|This should be done on the Node or Gateway machine.|reminder}}</li> | {{Note|inline=1|small=1|This command should be done on the Node or Gateway machine.|reminder}}</li> | ||
<li><p>Next, get the ECDSA key fingerprint for the machine. | <li><p>Next, get the ECDSA key fingerprint for the machine. The fingerprint is used to verify the Node or Gateway machine in the following steps.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub}} | ||
{{Note|inline=1|small=1|This should be done on the Node or Gateway machine.|reminder}} | {{Note|inline=1|small=1|This should be done on the Node or Gateway machine.|reminder}} | ||
<p>This will print the ECDSA key fingerprint for your machine. Make note of it for a later step</p> | <p>This will print the ECDSA key fingerprint for your machine. Make a note of it for a later step.</p> | ||
{{terminal|skin=noborder|text=256 SHA256:{{highlight|/1GV895hT6mnEarM9vaXb3HgaOVgySp57OJ5pEmvdKk|#595935}} root@xx-test-node2 (ECDSA)}} | {{terminal|skin=noborder|text=256 SHA256:{{highlight|/1GV895hT6mnEarM9vaXb3HgaOVgySp57OJ5pEmvdKk|#595935}} root@xx-test-node2 (ECDSA)}} | ||
</li> | </li> | ||
<li><p>Use {{inline-code|lang=text|ssh-copy-id}} to | <li><p>Use {{inline-code|lang=text|ssh-copy-id}} to copy your public key remotely. Enter in the username and host address found above.</p> | ||
{{terminal|icon=|text=<span class="noselect">'''$''' </span>ssh-copy-id {{highlight|[username]|#595935}}@{{highlight|[IP address]|#595935}}}} | {{terminal|icon=|text=<span class="noselect">'''$''' </span>ssh-copy-id {{highlight|[username]|#595935}}@{{highlight|[IP address]|#595935}}}} | ||
{{Note|inline=1|small=1|This is back on your personal computer.|reminder}} | {{Note|inline=1|small=1|This is back on your personal computer.|reminder}} | ||
</li> | </li> | ||
<li><p>If this is your first time connecting to the machine, you will see the following message. Check that the ECDSA key fingerprint matches the fingerprint found above, type {{mono|yes}}, and press {{key press|Enter}}. If the fingerprints do not match, then you may be connecting to the wrong system or | <li><p>If this is your first time connecting to the machine, you will see the following message. Check that the ECDSA key fingerprint matches the fingerprint found above, type {{mono|yes}}, and press {{key press|Enter}}. If the fingerprints do not match, then you may be connecting to the wrong system, or a malicious actor is intercepting the connection. In either case, do not attempt to continue.</p> | ||
{{terminal|icon=|text= | {{terminal|icon=|text= | ||
The authenticity of host '{{highlight|[IP address]|#595935}} ({{highlight|[IP address]|#595935}})' can't be established. | The authenticity of host '{{highlight|[IP address]|#595935}} ({{highlight|[IP address]|#595935}})' can't be established. | ||
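Review bot: the fingerprint step ('ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub', with the reminder 'This should be done on the Node or Gateway machine') does not say how the operator is expected to reach the machine to run it. The comparison at the later 'The authenticity of host ... can't be established' prompt only proves anything if the fingerprint was read on the local console or the hosting provider's out-of-band console, not over an SSH session whose host key has not itself been checked yet; one sentence in that reminder would close the gap.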
Line 509: | Line 515: | ||
Are you sure you want to continue connecting (yes/no/[fingerprint])? {{highlight|yes|#595935}} | Are you sure you want to continue connecting (yes/no/[fingerprint])? {{highlight|yes|#595935}} | ||
}} | }} | ||
<p>The host will then be added to the list of known hosts</p> | <p>The host will then be added to the list of known hosts.</p> | ||
{{terminal|icon=|text=Warning: Permanently added '{{highlight|[IP address]|#595935}}' (ECDSA) to the list of known hosts.}} | {{terminal|icon=|text=Warning: Permanently added '{{highlight|[IP address]|#595935}}' (ECDSA) to the list of known hosts.}} | ||
</li> | </li> | ||
Line 543: | Line 549: | ||
=== Configure SSH Security Options === | === Configure SSH Security Options === | ||
OpenSSH server comes preconfigured to work without modification; however, | OpenSSH server comes preconfigured to work without modification; however, several options can be configured to harden the SSH server to prevent malicious attacks. You should configure all the settings as described to ensure your machine is secure. | ||
<ol style="list-style-type: decimal;"> | <ol style="list-style-type: decimal;"> | ||
Line 550: | Line 556: | ||
<li><p>On the Node or Gateway machine, open {{mono|/etc/ssh/sshd_config}} in nano or your favorite text editor.</p> | <li><p>On the Node or Gateway machine, open {{mono|/etc/ssh/sshd_config}} in nano or your favorite text editor.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo nano /etc/ssh/sshd_config}}</li> | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo nano /etc/ssh/sshd_config}}</li> | ||
<li><p>Once the file is open, use the down arrow key {{key press|down}} to go to {{inline-code|lang=text|#Authentication}}. Uncomment the line for {{inline-code|lang=text|#LoginGraceTime}} by deleting the {{inline-code|lang=text|#}} and set the value to {{inline-code|lang=text|30}}. On the next line, uncomment {{inline-code|lang=text|#PermitRootLogin}} and set to {{inline-code|lang=text|no}}</p> | <li><p>Once the file is open, use the down arrow key {{key press|down}} to go to {{inline-code|lang=text|#Authentication}}. Uncomment the line for {{inline-code|lang=text|#LoginGraceTime}} by deleting the {{inline-code|lang=text|#}} and set the value to {{inline-code|lang=text|30}}. On the next line, uncomment {{inline-code|lang=text|#PermitRootLogin}} and set to {{inline-code|lang=text|no}}.</p> | ||
{{terminal|skin=noborder|text= | {{terminal|skin=noborder|text= | ||
<div style="column-count: 3; background:#BBB; color:#000;">{{left| GNU nano 4.8}}<br />{{center|etc/security/limits.conf}}{{right|Modified }}<br /></div> | <div style="column-count: 3; background:#BBB; color:#000;">{{left| GNU nano 4.8}}<br />{{center|etc/security/limits.conf}}{{right|Modified }}<br /></div> | ||
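Review bot: the nano title bar in the mock-up, '{{center|etc/security/limits.conf}}', does not match the file this step opens, '/etc/ssh/sshd_config' (see the 'sudo nano /etc/ssh/sshd_config' line above); the header was carried over from the limits.conf step and should read /etc/ssh/sshd_config.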
Line 596: | Line 602: | ||
<p>Setting {{inline-code|lang=text|PasswordAuthentication}} to {{inline-code|lang=text|no}} makes it so that you cannot connect using a password; a key is required. Setting {{inline-code|lang=text|PermitEmptyPasswords}} to {{inline-code|lang=text|no}} only allows users to connect with accounts that have passwords set.</p> | <p>Setting {{inline-code|lang=text|PasswordAuthentication}} to {{inline-code|lang=text|no}} makes it so that you cannot connect using a password; a key is required. Setting {{inline-code|lang=text|PermitEmptyPasswords}} to {{inline-code|lang=text|no}} only allows users to connect with accounts that have passwords set.</p> | ||
</li> | </li> | ||
<li><p>Once the change is made, save the file by pressing {{key press|Ctrl|X}} and when prompted to save the buffer, press {{key press|Y}}. Finally, when prompted with the file name, press {{key press|Enter}}.</p></li> | <li><p>Once the change is made, save the file by pressing {{key press|Ctrl|X}}, and when prompted to save the buffer, press {{key press|Y}}. Finally, when prompted with the file name, press {{key press|Enter}}.</p></li> | ||
<li><p>To activate the change, restart the {{mono|ssh}} service.</p> | <li><p>To activate the change, restart the {{mono|ssh}} service.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo systemctl restart ssh}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo systemctl restart ssh}} | ||
</li> | </li> | ||
<li><p>To test that the SSH service is functioning | <li><p>To test that the SSH service is functioning correctly, open a new terminal session and log in.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>ssh {{highlight|[username]|#595935}}@{{highlight|[IP address]|#595935}}}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>ssh {{highlight|[username]|#595935}}@{{highlight|[IP address]|#595935}}}} | ||
</li> | </li> | ||
Line 608: | Line 614: | ||
== Clock Synchronization (NTP) == | == Clock Synchronization (NTP) == | ||
Commands received from the Scheduling server are time-stamped and a synchronized clock is important to | Commands received from the Scheduling server are time-stamped and a synchronized clock is important to interpret them properly. To do so, NTP (Network Time Protocol) must be set up and synchronized. | ||
In Ubuntu Server 20.04, this is done through {{inline-code|timedatectl}}. In most installations, it is already running and Node operators only need to check that it is correctly configured. However, the process for other operating systems may be different and it will need to be enabled. | In Ubuntu Server 20.04, this is done through {{inline-code|timedatectl}}. In most installations, it is already running and Node operators only need to check that it is correctly configured. However, the process for other operating systems may be different and it will need to be enabled. | ||
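Review bot: the test step ('open a new terminal session and log in') should tell the operator to keep the existing SSH session open until the new login succeeds. Once 'PasswordAuthentication no' takes effect with 'sudo systemctl restart ssh', a key that was not copied correctly leaves no way back into a hosted machine, and the still-open session is the only place from which sshd_config can be fixed.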
Line 645: | Line 651: | ||
<li id="Clock_Synchronization_.28NTP.29_step02"><p>Enter in the following command to get a list of time zones.</p> | <li id="Clock_Synchronization_.28NTP.29_step02"><p>Enter in the following command to get a list of time zones.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>timedatectl list-timezones}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>timedatectl list-timezones}} | ||
<p>This will print a list of time zones. Use the up key {{key press|up}} and down key {{key press|down}} to navigate the list and find the time zone | <p>This will print a list of time zones. Use the up key {{key press|up}} and down key {{key press|down}} to navigate the list and find the time zone of where the machine is located. Once found, make a note of the time zone, and press {{key press|Q}} to exit.</p> | ||
{{terminal|skin=noborder|text=America/Kentucky/Louisville | {{terminal|skin=noborder|text=America/Kentucky/Louisville | ||
Line 695: | Line 701: | ||
{{Note|inline=1|small=1|The following process of using the nano text editor to modify a file is used elsewhere in this document. Refer back here for detailed steps on how to use it.}} | {{Note|inline=1|small=1|The following process of using the nano text editor to modify a file is used elsewhere in this document. Refer back here for detailed steps on how to use it.}} | ||
</li> | </li> | ||
<li><p>Once the file is open, use the down arrow key {{key press|down}} to go to the second to last line above where it says {{inline-code|lang=text|# End of file}}. | <li><p>Once the file is open, use the down arrow key {{key press|down}} to go to the second to last line above where it says {{inline-code|lang=text|# End of file}}. Then, add the following four lines above that line.</p> | ||
{{terminal|skin=noborder|text= | {{terminal|skin=noborder|text= | ||
<div style="column-count: 3; background:#BBB; color:#000;">{{left| GNU nano 4.8}}<br />{{center|etc/security/limits.conf}}{{right|Modified }}<br /></div> | <div style="column-count: 3; background:#BBB; color:#000;">{{left| GNU nano 4.8}}<br />{{center|etc/security/limits.conf}}{{right|Modified }}<br /></div> | ||
Line 716: | Line 722: | ||
{{font color|#000|#BBB|^C}} Cur Pos | {{font color|#000|#BBB|^C}} Cur Pos | ||
{{font color|#000|#BBB|^_}} Go To Line</span>}}</li> | {{font color|#000|#BBB|^_}} Go To Line</span>}}</li> | ||
<li><p>Once the change is made, save the file by pressing {{key press|Ctrl|X}} and when prompted to save the buffer, press {{key press|Y}}. Finally, when prompted with the file name, press {{key press|Enter}}.</p></li> | <li><p>Once the change is made, save the file by pressing {{key press|Ctrl|X}}, and when prompted to save the buffer, press {{key press|Y}}. Finally, when prompted with the file name, press {{key press|Enter}}.</p></li> | ||
<li><p>Once the change has been made, reboot the system.</p> | <li><p>Once the change has been made, reboot the system.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo shutdown -r now}} | ||
</li></ol> | </li></ol> | ||
Line 725: | Line 731: | ||
The TCP congestion window size limits the maximum amount of data sent out to a network after a time of little operation. The default size needs to be increased to remove a bottleneck in the xx network. | The TCP congestion window size limits the maximum amount of data sent out to a network after a time of little operation. The default size needs to be increased to remove a bottleneck in the xx network. | ||
This change is necessary for the xx network because the cMix protocol transmits in short bursts. As a result, the congestion windows contract between transmissions, causing them | This change is necessary for the xx network because the cMix protocol transmits in short bursts. As a result, the congestion windows contract between transmissions, causing them to reopen on every transmission, significantly slowing down the network in high latency environments. | ||
<ol style="list-style-type: decimal;"> | <ol style="list-style-type: decimal;"> | ||
<li><p>First, to prevent the congestion windows from shrinking unnecessarily when the connection is idle, disable {{inline-code|tcp_slow_start_after_idle}}.</p> | <li><p>First, to prevent the congestion windows from shrinking unnecessarily when the connection is idle, disable {{inline-code|tcp_slow_start_after_idle}}.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo sysctl -w net.ipv4.tcp_slow_start_after_idle=0}} | ||
</li> | </li> | ||
<li><p>To make these settings persist across reboots, store them in the sysctl configuration file.</p> | <li><p>To make these settings persist across reboots, store them in the sysctl configuration file.</p> | ||
Line 746: | Line 752: | ||
{{terminal|skin=noborder|text=net.core.default_qdisc = fq}} | {{terminal|skin=noborder|text=net.core.default_qdisc = fq}} | ||
</li> | </li> | ||
<li><p>Apply these two options to {{mono|sysctl.conf}} so they persist on reboot.</p> | <li><p>Apply these two options to {{mono|sysctl.conf}} so that they persist on reboot.</p> | ||
{{terminal|skin=noborder|textstyle=line-height: 2em;|text= | {{terminal|skin=noborder|textstyle=line-height: 2em;|text= | ||
Line 760: | Line 766: | ||
net.core.default_qdisc=fq | net.core.default_qdisc=fq | ||
}} | }} | ||
</li></ol> | </li></ol> | ||
== GPU Drivers == | == GPU Drivers == | ||
{{Note|These steps are only required for Nodes with a GPU. If setting up a Gateway, skip this step.}} | {{Note|These steps are only required for Nodes with a GPU. If setting up a Gateway, skip this step.}} | ||
The cMix software requires | The cMix software requires an Nvidia RTX graphic processor and the installation of its drivers. | ||
<ol style="list-style-type: decimal;"> | <ol style="list-style-type: decimal;"> | ||
<li><p>Install the Nvidia driver.</p> | <li><p>Install the Nvidia driver.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo apt install -y nvidia-driver- | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo apt install -y nvidia-driver-510}} | ||
</li> | </li> | ||
<li><p>The driver relies on a dependency that enables the {{abbr|Graphical User Interface|GUI}}, which can unnecessarily consume computer resources. Once the installation is complete, disable the | <li><p>The driver relies on a dependency that enables the {{abbr|Graphical User Interface|GUI}}, which can unnecessarily consume computer resources. Once the installation is complete, disable the GUI using the following command.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo systemctl set-default multi-user.target}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo systemctl set-default multi-user.target}} | ||
<p>The command should result in the following output.</p> | |||
{{terminal|skin=noborder|text=Created symlink /etc/systemd/system/default.target → /lib/systemd/system/multi-user.target.}} | |||
</li> | </li> | ||
<li><p>Reboot the system.</p> | <li><p>Reboot the system.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>sudo shutdown -r now}} | ||
</li> | </li> | ||
<li><p>Once the system reboots, log back into the computer.</p></li></ol> | <li><p>Once the system reboots, log back into the computer.</p></li></ol> | ||
Line 807: | Line 797: | ||
<nowiki> *-display | <nowiki> *-display | ||
description: VGA compatible controller | description: VGA compatible controller | ||
product: TU106 [GeForce RTX 2070 | product: TU106 [GeForce RTX 2070] | ||
vendor: NVIDIA Corporation | vendor: NVIDIA Corporation | ||
physical id: 0 | physical id: 0 | ||
bus info: pci@0000: | bus info: pci@0000:1f:00.0 | ||
version: a1 | version: a1 | ||
width: 64 bits | width: 64 bits | ||
clock: 33MHz | clock: 33MHz | ||
capabilities: pm msi pciexpress vga_controller bus_master cap_list rom | capabilities: pm msi pciexpress vga_controller bus_master cap_list rom | ||
configuration: | configuration: driver=nvidia latency=0 | ||
resources: | resources: irq:101 memory:f6000000-f6ffffff memory:e0000000-efffffff memory:f0000000-f1ffffff ioport:e000(size=128) memory:c0000-dffff</nowiki>}} | ||
</li> | </li> | ||
<li><p>Next, check the driver and state information.</p> | <li><p>Next, check the driver and state information.</p> | ||
{{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>nvidia-smi}} | {{terminal|skin=noborder|text=<span class="noselect">'''$''' </span>nvidia-smi}} | ||
This should result in a similar output to the following. | This should result in a similar output (version numbers may differ) to the following. | ||
{{terminal|skin=noborder|text= | {{terminal|skin=noborder|text= | ||
<nowiki>+-----------------------------------------------------------------------------+ | <nowiki>+-----------------------------------------------------------------------------+ | ||
| NVIDIA-SMI | | NVIDIA-SMI 470.82.01 Driver Version: 470.82.01 CUDA Version: 11.4 | | ||
|-------------------------------+----------------------+----------------------+ | |-------------------------------+----------------------+----------------------+ | ||
| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC | | | GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC | | ||
Line 832: | Line 821: | ||
| | | MIG M. | | | | | MIG M. | | ||
|===============================+======================+======================| | |===============================+======================+======================| | ||
| 0 GeForce | | 0 NVIDIA GeForce ... Off | 00000000:1F:00.0 Off | N/A | | ||
| | | 31% 31C P0 29W / 175W | 0MiB / 7979MiB | 0% Default | | ||
| | | N/A | | | | | N/A | | ||
+-------------------------------+----------------------+----------------------+ | +-------------------------------+----------------------+----------------------+ | ||
Line 851: | Line 840: | ||
| type = notice | | type = notice | ||
| image = [[File:Blue check.svg|30px|link=]] | | image = [[File:Blue check.svg|30px|link=]] | ||
| text = Your machine is now | | text = Your machine is now correctly configured to install the Node or Gateway software! | ||
If you are setting up a Node with cMix and xx chain, proceed to the [[Node Set Up]]. | If you are setting up a Node with cMix and xx chain, proceed to the [[Node Set Up]]. | ||
If you are setting up a Gateway, proceed to the [[Gateway Set Up]]. | If you are setting up a Gateway, proceed to the [[Gateway Set Up]]. | ||
}} | }} | ||
{{Node Handbook Navbox}} |
Revision as of 01:11, 22 December 2022
Before installing any xx network software, a Node or Gateway must have the operating system (OS) correctly installed and configured. This process must be done twice, once for each machine.
These instructions assume that you have a working machine that meets or exceeds the Hardware Requirements, has an active internet connection, and an empty storage drive or a drive that can be formatted.
Some Tips for Inexperienced Users
If this is your first time using a command line interface or you do not remember how to use it, the following are some tips to make using the interface a little easier.
- In this document, anytime code is presented in a black box with a monospaced font, it means that it is command line input or output. Commands prefixed by a $ are commands to enter into your command prompt (do not include $ in the command). Any lines without that prefix are output from the system.
- The sudo command is often prepended to commands found in these instructions. It enables commands to be run with elevated privileges. When used, the system will ask for your password to continue running the command.
- Whenever the system asks for a password to continue, no characters will appear as you type; type your password anyway, press ↵ Enter, and it will work.
- When typing a command or path, use the Tab ↹ key to auto-complete a partially written statement.
Installing the Operating System
The xx network software has been tested only on Ubuntu Server 20.04 and instructions are only provided for that OS. Therefore, support cannot be guaranteed if a different operating system version is used, although no decisions have been made to preclude any operating systems specifically.
If you have direct access to your hardware and can install the operating system yourself, then go to the Local Hardware section. If your machine is hosted and you do not have physical access, then go to the Hosted section.
Local Hardware
If you have physical access to the machine and can install an operating system, then follow the instructions below. If you are using a VPS or hosting service,
It is recommended that your machine be connected to the internet via ethernet cable before installation.
Download the Ubuntu Server install image from the Official Ubuntu website.
Make sure to select the Server install image, not the Desktop image. The desktop version of Ubuntu can work, but it includes extra programs and processes that are unneeded and take up resources.
Next, a bootable disk with Linux needs to be created. This can be done by writing it to a DVD or, more commonly, a flash drive. Follow one of the following tutorials on how to do so depending on your current operating system and chosen media.
The resources linked below are provided by a third-party source. The instructions may be out of date but should generally be correct.
Once your flash drive or DVD is ready, follow the Tutorial on Installing Ubuntu Server.
In step 6, make sure you select the first option, Install Ubuntu.
In step 7, make sure to configure your internet connection and get an IP address.
In step 8, ensure that you select Use an Entire Disk.
Please be sure the full amount of available space is formatted if selecting to use LVM. See Check root Disk Space.
In step 12, pick a server name that does not have any personal identifying information and create a strong password.
Create a strong but memorable password. It is recommended that it is longer than 12 characters. Store this password in a safe and secure location. Never share this password with anyone.
Ensure the machine has turned back on and then log in using the credentials created in the previous step. Sometimes extra text is printed to the console and you will not see the login prompt. The prompt should still be there; just type your username and press ↵ Enter to continue.
Check Internet Connection
The rest of the instructions require internet access. Follow these steps to ensure the machine is connected.
Check your current local connection status and local IP address.
This should result in a similar output to the below. The machine should have a valid local IP address.
Finally, check that the machine has access to the internet by pinging another server. We chose to use xx.network, but you can use any domain.
If the machine is connected to the internet, the output should look similar to the following example.
If not all packets were received or packet loss is greater than 0%, then you may have internet connectivity problems.
Hosted
If your machine is hosted, then it will usually be delivered to you with the operating system preinstalled or you can select an OS to install. If you have the option, select Ubuntu 20.04.
Some hosting services deliver the server to you with access to the root account. The root account has broad permissions to modify the Linux environment and should be disabled to avoid destructive changes. These instructions will detail how to add a new non-root user account to be used as the primary account when accessing your machine.
If your user is not root, then you can skip this section and go to Updating Software and Installing Dependencies.
Open the terminal on your computer.
SSH into your server using the root account.
The IP address is provided to you by your hosting service.
You will either authenticate using the SSH key you provided to the host or using a password.
Once logged in, create a new user with a username of your choice. The username ubuntu is used as an example.
It will print output similar to the following.
It will then prompt you for a new password. Select a strong and secure password.
Create a strong but memorable password. It is recommended that it is longer than 12 characters. Store this password in a safe and secure location. Never share this password with anyone.
It will then confirm that the password has been updated.
You will then be asked a series of questions. Press ↵ Enter after every answer. Answering them is optional. At the end, confirm that the information entered is correct by pressing Y and then ↵ Enter.
To allow the new user to perform actions with superuser privileges using sudo, add them to the sudo group.
In the future, use this new account to log in to your server. Connecting to your server via SSH with the root account will be disabled in future steps.
Updating Software and Installing Dependencies
To ensure all the software works correctly, the system needs to be updated. In addition, additional dependencies must be installed for the Wrapper Script to function.
Before continuing, check for updates. This will print many lines about what software is being checked.
Once the check is done, install the updates.
Reboot the machine to ensure all updates are installed fully.
Once the machine starts up, log back in.
Install the Python package installer.
Update the package installer.
The output should look similar to the following.
Install the boto3, pyOpenSSL, substrate-interface, and packaging dependencies. The Wrapper Script uses the first package to read commands and send logs to xx network through AWS, and the second is used to authenticate them. The third, substrate-interface, is used to interact with the Substrate node. packaging is a dependency of substrate-interface.
The output should look similar to the following.
Configuring Local Network (Port Forwarding)
To ensure that the machine can be accessed from outside the local network, the local network gateway must be configured to allow external access to the machine on the ports used by the xx network software. Three main pieces of information are needed for this part: (1) the port numbers to forward (the defaults are 11420 for cMix, 22840 for Gateway, and 15974 for xx chain, plus, optionally, 22 for SSH), (2) the protocol to use (TCP), and (3) the local IP address of the machine, which is retrieved below.
Get the local IP address of the machine.
The local IP address will be printed; it will be in the form of 0.0.0.0. Make sure to make a note of this for the later steps.
If the machine has multiple network interfaces or an IPv6 address, they will also appear in this list. Ensure that only the correct internal IPv4 address is used.
The following section describes how to configure the networking equipment on your network. Because of the varying equipment configurations, these instructions are generic and may not be accurate for your hardware. Please refer to the manufacturer’s instructions for more detailed and accurate information. Configuration of the network will most likely occur from a different machine on the network.
To access the network gateway, get its IP address.
This will output the following line, where the first address printed is the router IP address.
Go to this IP address in a browser (on a different machine) and log in using the gateway credentials. These credentials are either set up by the network administrator or are the default credentials located on the gateway or found online.
It is highly recommended to give your machine a static local IP address; otherwise, port forwarding may need to be reconfigured if your machine changes local IP addresses. Instructions for doing so depend on your network hardware and are outside the scope of these instructions.
Locate the port forwarding options (occasionally called virtual server). These options are sometimes found under the advanced section.
Forward the port for xx chain (15974) and the port for either cMix (11420) or Gateway (22840). For each, create a new entry and enter the IP address found in step 1 or the one set in step 4, set the port to the chosen ports, and select the TCP protocol.
If you plan on using SSH to access your machine remotely from outside your local network, make sure to forward port 22. If you do not know if you need to access your machine outside the local network, skip this step.
Enabling SSH access from the internet can expose your machine to unwanted access by outside parties. If you forward port 22, then make sure you follow all the security features for SSH outlined in later steps. However, if you do not need outside access to your machine, then it is recommended that you do not forward this port.
Save or apply the changes.
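The two checks in Check Internet Connection (a valid local IPv4 address and a ping with 0% packet loss) and the two facts the port-forwarding steps need (the machine's local address and the router address) all come down to picking fields out of ip and ping output. The script below is an added example, not part of the wiki page or of the xx network software. It runs the same POSIX awk one-liners you would pipe the live commands into, over constructed sample output of ip route, ip -4 -o addr show and ping -c 4 xx.network (RFC 5737 documentation addresses, not a real machine).

```shell
#!/bin/sh
# Added example, not part of the xx network wiki page. Recovers the local IPv4
# address and router (default gateway) address from `ip` output and applies the
# "0% packet loss" rule to a `ping -c` summary. The samples below are
# constructed (RFC 5737 documentation addresses), not captured from a machine;
# on a real machine, pipe the live commands into the same functions.

# Constructed sample of `ip route`.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50 metric 100'

# Constructed sample of `ip -4 -o addr show` (one interface per line).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.50/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 85000sec preferred_lft 85000sec'

# Constructed sample of `ping -c 4 xx.network`.
SAMPLE_PING='PING xx.network (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=55 time=20.1 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=55 time=19.8 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=55 time=20.3 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=55 time=19.9 ms

--- xx.network ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms'

# Router address: the address following "default via" on the default route.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Interface carrying the default route (the "dev" field of that line).
default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# IPv4 address of one interface, without the /prefix length. Only "inet"
# lines are considered, so an IPv6 address never ends up in the
# port-forwarding entry.
local_ipv4() {
    awk -v want="$1" '$2 == want && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Packet-loss percentage from the ping summary line ("... 0% packet loss ...").
packet_loss_pct() {
    awk '/packet loss/ { for (i = 1; i <= NF; i++) if ($i ~ /%$/) { sub(/%/, "", $i); print $i; exit } }'
}

# Succeeds only for exactly 0% loss. Any loss, or a missing summary line
# (the host could not be resolved or reached), fails.
connectivity_ok() {
    loss=$(packet_loss_pct)
    [ -n "$loss" ] || return 1
    awk -v l="$loss" 'BEGIN { exit (l + 0 > 0) }'
}

# Print the facts and the connectivity verdict for the sample data.
network_report() {
    gw=$(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway)
    dev=$(printf '%s\n' "$SAMPLE_ROUTES" | default_iface)
    ip4=$(printf '%s\n' "$SAMPLE_ADDRS" | local_ipv4 "$dev")
    printf 'router (gateway) address: %s\ninterface: %s\nlocal IPv4 address: %s\n' "$gw" "$dev" "$ip4"
    if printf '%s\n' "$SAMPLE_PING" | connectivity_ok; then
        echo "internet: ok (0% packet loss)"
    else
        echo "internet: packet loss reported, check connectivity before continuing"
    fi
}

network_report
```

On the machine itself, replace each printf of a sample with the live command (ip route, ip -4 -o addr show, ping -c 4 xx.network). Matching only "inet" lines is what keeps an IPv6 or link-local address out of the port-forwarding entry, which is the mistake the note about multiple interfaces warns about.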
Setting Up UFW
Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu. The operating system should come with UFW already installed; the following instructions will describe how to configure and enable it.
First, ensure that UFW is disabled so that it can be configured.
This should result in the following output.
Allow the port that xx chain will use to communicate over TCP. When adding a rule in UFW, you can optionally attach a comment so that the rule is labeled in the status output.
Port 15974 is the default port in the provided xx chain service file. A different port may be used, but it must then be configured in xxnetwork-chain.service, which is downloaded in a later step.
Allow the port that cMix will use to communicate over TCP. Only do this on machines running the cMix software.
Port 11420 is the default port in the provided cMix configuration file. A different port may be used, but it must then be configured in cmix.yaml, which is downloaded in a later step.
Allow the port that the Gateway will use to communicate over TCP. Only do this on machines running the Gateway software.
Port 22840 is the default port in the provided Gateway configuration file. A different port may be used, but it must then be configured in gateway.yaml, which is downloaded in a later step.
SSH is a network protocol that lets you access your server remotely from your personal computer. Setting up SSH is recommended because it makes later steps of the software setup easier. However, SSH should only be enabled with key authentication and rate limiting, to keep unwanted parties from accessing your server. Key authentication is set up in the section Setting Up SSH. If you do not want to use SSH, skip this step.
To enable SSH with rate limiting, limit port 22 over TCP. UFW's limit rule denies a source address that attempts six or more connections within 30 seconds.
Enabling SSH without these protections can result in unwanted access. Make sure to enable rate limiting and key authentication.
Finally, enable UFW.
If you are connected over SSH, you may be warned that enabling the firewall could disrupt existing connections; press Y and then ↵ Enter. You may be briefly disconnected; reconnect if so. If you skipped the port 22 rule above, do not enable UFW from an SSH session: it would lock you out of the machine.
If successful, then it will print the following.
Verify Firewall Configuration
This section describes how to check if the firewall is active and if the ports are correctly configured.
Print the status of UFW.
On the Node machine, the output should match the following.
On the Gateway machine, the output should match the following.
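The following script is an added example and is not part of the xx network wiki or software. It generates the UFW rules described in Setting Up UFW for either role and checks a `ufw status` listing the way Verify Firewall Configuration describes: both ALLOW rules present, 22/tcp rate-limited with LIMIT rather than ALLOW, and the firewall active. The port numbers are the defaults quoted above; the rule comments, file name and the constructed sample status are this example's own. It assumes a ufw that supports rule comments, as Ubuntu 20.04's does.

```sh
#!/bin/sh
# Added example, not part of the xx network wiki or software: generate the UFW
# rules described above for a Node or a Gateway, and check a `ufw status`
# listing for them. Usage (on the Node/Gateway machine):
#   sudo sh xx_ufw.sh node        # or: sudo sh xx_ufw.sh gateway
# Set UFW_BIN=echo to print the commands instead of running them.

XX_CHAIN_PORT=15974   # default in xxnetwork-chain.service (both roles)
CMIX_PORT=11420       # default in cmix.yaml (Node only)
GATEWAY_PORT=22840    # default in gateway.yaml (Gateway only)

# Print the ufw command lines for ROLE (node|gateway) in the order the wiki applies them.
xx_ufw_plan() {
  ufw="${UFW_BIN:-ufw}"
  case "$1" in
    node)    role_port="$CMIX_PORT";    role_name='cMix' ;;
    gateway) role_port="$GATEWAY_PORT"; role_name='Gateway' ;;
    *) echo "usage: xx_ufw_plan node|gateway" >&2; return 2 ;;
  esac
  echo "$ufw disable"
  echo "$ufw allow $XX_CHAIN_PORT/tcp comment 'xx chain'"
  echo "$ufw allow $role_port/tcp comment '$role_name'"
  # LIMIT, not ALLOW: ufw denies a source that opens 6 or more connections in 30 s.
  echo "$ufw limit 22/tcp comment 'SSH'"
  echo "$ufw --force enable"   # --force skips the "may disrupt existing ssh connections" prompt
}

# Run the plan. Adding the 22/tcp rule before `enable` is what keeps an SSH session alive.
xx_ufw_apply() {
  xx_ufw_plan "$1" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

# Read `ufw status` output on stdin and verify it for ROLE: active, both ALLOW
# rules, 22/tcp rate-limited, and no plain ALLOW on 22/tcp that would bypass the limit.
xx_ufw_check() {
  case "$1" in
    node)    role_port="$CMIX_PORT" ;;
    gateway) role_port="$GATEWAY_PORT" ;;
    *) return 2 ;;
  esac
  status="$(cat)"
  has() { printf '%s\n' "$status" | grep -Eq "$1"; }
  has '^Status: active'             || { echo "ufw is not active" >&2;                 return 1; }
  has "^$XX_CHAIN_PORT/tcp +ALLOW " || { echo "missing ALLOW $XX_CHAIN_PORT/tcp" >&2;  return 1; }
  has "^$role_port/tcp +ALLOW "     || { echo "missing ALLOW $role_port/tcp" >&2;      return 1; }
  has '^22/tcp +LIMIT '             || { echo "22/tcp must be LIMIT" >&2;              return 1; }
  if has '^22/tcp +ALLOW '; then echo "22/tcp also has an ALLOW rule; delete it" >&2; return 1; fi
  return 0
}

# Constructed sample of `ufw status` on a Node (not captured from a real machine).
SAMPLE_NODE_STATUS='Status: active

To                         Action      From
--                         ------      ----
15974/tcp                  ALLOW       Anywhere                   # xx chain
11420/tcp                  ALLOW       Anywhere                   # cMix
22/tcp                     LIMIT       Anywhere                   # SSH
15974/tcp (v6)             ALLOW       Anywhere (v6)              # xx chain
11420/tcp (v6)             ALLOW       Anywhere (v6)              # cMix
22/tcp (v6)                LIMIT       Anywhere (v6)              # SSH'

case "${1:-}" in
  node|gateway) xx_ufw_apply "$1" && ufw status | xx_ufw_check "$1" ;;
esac
```

Run it once with `UFW_BIN=echo` to review the exact rules before applying them; the checker can also be fed `sudo ufw status` later to confirm nothing has loosened the SSH rule.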
Setting Up SSH
SSH, or Secure Shell Protocol, is a network protocol that allows you to access your machine remotely. It is helpful so that you can set up and configure your machine from your personal computer. It also makes setup easier because you can copy and paste commands into your console instead of having to manually type everything.
It is recommended that you enable SSH access as it will make some steps easier to accomplish later in this manual. But note that SSH opens up a possible attack vector on your Node. If you enable SSH, then it must be rate-limited (described above in Setting Up UFW) and only accept key authentication, as explained below. If you do not want to use SSH, then skip this section.
Rate Limiting
If you have not yet done so, enable rate limiting on port 22 as described in Setting Up UFW.
Ensure that UFW is correctly configured for SSH by printing its status for port 22.
This should print all the UFW rules. Make sure that the two rules below appear in your list and that the action on each is LIMIT, not ALLOW.
Installing OpenSSH Server
Next, install OpenSSH Server.
OpenSSH Server may have already been installed during operating system installation; if so, the package manager will report that it is already installed and make no changes. Continue with the next step.
Make sure that the SSH server is running.
This will print the status of the service; it should say active, as shown below.
Generating Key Pair
By default, SSH has password authentication enabled, which allows you to connect to your machine using only your username, password, and your machine's IP address. SSH also offers key authentication, which involves generating an RSA key pair and is generally more secure. These instructions detail how to set up an SSH key pair between your machine and your personal machine. Note that these instructions assume that you have an OpenSSH client on your personal computer. If you are on a Linux or macOS machine, SSH is available by default. On Windows, you need to either install the native OpenSSH Client, download a third-party client such as PuTTY, or use WSL.
First, on your personal computer, open a terminal and generate a 4096-bit RSA key pair using ssh-keygen.
By default, ssh-keygen creates a 3072-bit RSA key pair. We suggest 4096 bits as it is stronger than the default and the same size as the keys used in the xx network.
This should print the following output.
Press ↵ Enter to save the key pair to the .ssh/ directory in your home directory.
If you already have an SSH key pair named id_rsa, you will see the following prompt asking whether to overwrite it. Enter n and press ↵ Enter, then skip the rest of this section and go to Copying Public Key to Server; overwriting would destroy a key you may still need for other servers. Otherwise, continue to the next step.
If you do not already have an SSH key pair, you will be prompted to create a passphrase. Set a strong passphrase; it will be requested every time the key is used to connect over SSH.
Create a strong but memorable passphrase, preferably longer than 12 characters. Store it in a safe and secure location and never share it with anyone.
This will result in output similar to the following.
Copying Public Key to Server
Now that you have generated a public/private key pair, the public key needs to be copied to your Node/Gateway machine.
These instructions use ssh-copy-id to copy the public key. ssh-copy-id is available on many operating systems; if your client lacks it (the Windows OpenSSH client, for example), append the contents of id_rsa.pub to .ssh/authorized_keys in your user's home directory on the machine by hand.
First, get the address of the Node or Gateway machine.
If you are on the same local network as the machine, this is its local IP address. Get it by running the following command on the Node or Gateway machine.
If the machine has multiple network interfaces or an IPv6 address, these will also appear in the list. Ensure that only the correct internal IPv4 address is used.
If you are not on the same network as the machine, you will instead need its public IP address, which you can get by running the following command on it. Remote access from outside also requires the port 22 forwarding described in the network configuration steps above.
ipinfo.io is a third-party service; any valid IP lookup service can be used instead.
Next, get the username of your account on the machine. This is the username you created when installing the operating system. If you do not remember it, run whoami on the Node or Gateway machine.
Next, get the ECDSA host key fingerprint of the machine. The fingerprint is used in the following steps to verify that you are connecting to the right machine. Run the following on the Node or Gateway machine.
This will print the ECDSA key fingerprint of your machine. Make a note of it for a later step.
Back on your personal computer, use ssh-copy-id to copy your public key to the machine, entering the username and host address found above.
If this is your first time connecting to the machine, you will see the following message. Check that the ECDSA key fingerprint matches the one noted above, type yes, and press ↵ Enter. If the fingerprints do not match, you may be connecting to the wrong system, or a malicious actor may be intercepting the connection. In either case, do not continue.
The host will then be added to the list of known hosts.
Once connected, ssh-copy-id looks for the public key id_rsa.pub created above. When it is found, you will be prompted for the password of the user account on the remote machine (the password you created when installing the operating system).
ssh-copy-id then appends the public key to .ssh/authorized_keys in the user's home directory on the remote machine and prints the following message.
Testing SSH Authentication Using Keys
Once the key pair has been generated and the public key copied to the remote machine, the connection needs to be tested.
From the terminal on your personal machine, connect to the Node or Gateway machine.
If you connected without being asked for the remote user's password (you may still be asked for your key's passphrase), key authentication is working.
Configure SSH Security Options
OpenSSH server comes preconfigured to work without modification; however, several options can be configured to harden the SSH server to prevent malicious attacks. You should configure all the settings as described to ensure your machine is secure.
First, create a backup of the configuration file sshd_config so that it can be restored if something goes wrong.
On the Node or Gateway machine, open /etc/ssh/sshd_config in nano or your favorite text editor.
Once the file is open, use the down arrow key ↓ to go to the line # Authentication. Uncomment the line #LoginGraceTime by deleting the # and set its value to 30. On the next line, uncomment #PermitRootLogin and set it to no.
Setting LoginGraceTime to 30 makes the server close connections that have not authenticated within 30 seconds. Setting PermitRootLogin to no disallows the root user from logging in over SSH.
Next, go to #PasswordAuthentication. Uncomment the line by deleting the # and make sure the value is set to no. On the next line, uncomment #PermitEmptyPasswords and set it to no.
Setting PasswordAuthentication to no means you can no longer connect with a password; a key is required, so only make this change after key authentication has been tested as described in Testing SSH Authentication Using Keys. Setting PermitEmptyPasswords to no only allows connections to accounts that have a password set.
Once the changes are made, save the file by pressing Ctrl+X, and when prompted to save the buffer, press Y. Finally, when prompted for the file name, press ↵ Enter.
To activate the change, restart the ssh service.
To test that the SSH service is functioning correctly, keep your current session open, open a new terminal, and log in again. Keeping the first session open means a mistake in the configuration cannot lock you out.
If you can connect using your key, the SSH setup is complete and you can close the extra terminal windows. If the new connection is refused or asks for a password, fix /etc/ssh/sshd_config (and, on Ubuntu 20.04, any file in /etc/ssh/sshd_config.d/ that it includes, since those are read first and take precedence) from the still-open session before closing it.
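The following script is an added example, not part of the xx network wiki or software. It makes the four sshd_config changes from Configure SSH Security Options (LoginGraceTime 30, PermitRootLogin no, PasswordAuthentication no, PermitEmptyPasswords no) from a script instead of nano, taking the backup the section asks for, and it adds two checks a practitioner wants before restarting: `sshd -t` to confirm the file parses, and `sshd -T` to show the values actually in effect, which include any file pulled in by an Include directive. The file name, the `sshd_set`/`sshd_get` helpers and the constructed test configuration are this example's own; the order of operations (test key login first, keep a session open, then disable passwords) is the wiki's.

```sh
#!/bin/sh
# Added example, not part of the xx network wiki or software: make the sshd_config
# edits described above from a script, back the file up first, and validate before
# restarting. Run only AFTER key login has been tested, from a session you keep open:
#   sudo sh harden_sshd.sh /etc/ssh/sshd_config   # edit only
#   sudo sh harden_sshd.sh restart                # edit, validate, restart sshd

# Set KEY to VALUE in FILE: rewrite the first line that is KEY, commented or not
# (sshd takes the first active occurrence of a keyword), or append it if absent.
sshd_set() {
  file="$1"; key="$2"; value="$3"
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key"'([[:space:]]|$)' "$file"; then
    awk -v key="$key" -v value="$value" '
      BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
      !done && tolower($0) ~ re { print key " " value; done = 1; next }
      { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Print the value sshd would take for KEY from FILE alone (first active line wins).
# Files pulled in by an Include directive are not followed; `sshd -T` shows those too.
sshd_get() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Back up, apply the four settings, and print what the file now says for each.
harden_sshd_config() {
  cfg="${1:-/etc/ssh/sshd_config}"
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  sshd_set "$cfg" LoginGraceTime 30           # unauthenticated connections close after 30 s
  sshd_set "$cfg" PermitRootLogin no
  sshd_set "$cfg" PasswordAuthentication no   # keys only: test key login before this
  sshd_set "$cfg" PermitEmptyPasswords no
  for k in LoginGraceTime PermitRootLogin PasswordAuthentication PermitEmptyPasswords; do
    echo "$k $(sshd_get "$cfg" "$k")"
  done
}

# Restart only if the file parses, then show the effective values. `sshd -T` also reads
# /etc/ssh/sshd_config.d/*.conf (Include'd at the top of Ubuntu 20.04's sshd_config),
# where an installer-written "PasswordAuthentication yes" may override ours.
sshd_restart_if_valid() {
  cfg="${1:-/etc/ssh/sshd_config}"
  if sshd -t -f "$cfg"; then
    systemctl restart ssh
    sshd -T -f "$cfg" | grep -Ei '^(logingracetime|permitrootlogin|passwordauthentication|permitemptypasswords) '
  else
    echo "$cfg failed validation; restore the .bak copy before restarting sshd" >&2
    return 1
  fi
}

case "${1:-}" in
  "") ;;                                              # no arguments: define functions only
  restart) harden_sshd_config && sshd_restart_if_valid ;;
  *) harden_sshd_config "$1" ;;
esac
```

If `sshd -T` still reports passwordauthentication yes after the restart, the overriding line is in an included file, not in sshd_config itself; set it to no there as well.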
Clock Synchronization (NTP)
Commands received from the Scheduling server are time-stamped, and a synchronized clock is required to interpret them correctly. NTP (Network Time Protocol) must therefore be set up and synchronized.
In Ubuntu Server 20.04, this is done through timedatectl. In most installations the time synchronization service is already running, and Node operators only need to check that it is configured correctly. On other operating systems the process may differ and the service may need to be enabled.
Check that the time synchronization service is running and that the clock is synchronized by entering the following command.
This will print the following output.
If System clock synchronized is yes and NTP service is active, no further action is needed. Skip to the next section Modifying Max Number of Processes and Files. Otherwise, continue.
If System clock synchronized is no and NTP service is active, the service has not yet had enough time to synchronize the clock. Skip to the next section Modifying Max Number of Processes and Files, but make sure the clock is synchronized before starting the Node or Gateway software in the System Services section.
If System clock synchronized is no and NTP service is inactive, the service must be started manually as described in the following steps.
Enter the following command to get a list of time zones.
This will print a list of time zones. Use the up key ↑ and down key ↓ to navigate the list and find the time zone where the machine is located. Once found, make a note of it and press Q to exit.
Once the correct time zone for the machine is found, use the following command to set it.
Using the date command, check that the correct time zone was selected. If the printed time is incorrect, return to the time zone list above and select a different time zone.
Start the clock synchronization service by entering the following command.
Ensure that the service is running by calling timedatectl again.
If NTP service is active, the service has been started successfully. If System clock synchronized is yes, this section is done. If it is no, it may take up to 30 minutes for the clock to synchronize. You can continue to the following section, but make sure to check that the clock is synchronized before starting the Node or Gateway software.
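Because the section above asks operators to re-check synchronization before the Node or Gateway software is started, the following added example (not part of the xx network wiki or software) turns its three `timedatectl` cases into a function that a start-up script can call: it reports ok, pending (service running, clock not yet synchronized) or inactive (service off), and a gate function refuses to proceed unless the state is ok. The `timedatectl` labels are those printed by systemd on Ubuntu 20.04; the sample output is constructed, and the function and file names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the xx network wiki or software: classify `timedatectl`
# output into the cases described above so a start script can refuse to launch the
# Node or Gateway software while the clock is unsynchronized. Usage on the machine:
#   timedatectl | ntp_state      # prints ok | pending | inactive | unknown
#   sudo sh ntp_gate.sh gate     # exits 0 only when synchronized; turns NTP on if off

# Print the value of the "Label: value" line whose label (case-insensitive) is $1.
# timedatectl right-aligns labels, so leading whitespace is allowed.
tdc_field() {
  awk -v label="$1" -F': *' '
    tolower($1) ~ ("^[ \t]*" label "$") { sub(/[ \t]+$/, "", $2); print $2; exit }
  '
}

# Read timedatectl output on stdin; print ok, pending, inactive or unknown.
ntp_state() {
  out="$(cat)"
  synced=$(printf '%s\n' "$out" | tdc_field 'system clock synchronized')
  service=$(printf '%s\n' "$out" | tdc_field 'ntp service')
  case "$synced/$service" in
    yes/active)  echo ok ;;        # nothing to do
    no/active)   echo pending ;;   # service running, not yet synced (can take up to 30 min)
    no/inactive) echo inactive ;;  # service off: timedatectl set-ntp true
    *)           echo unknown ;;   # e.g. "NTP service: n/a" when no NTP client is installed
  esac
}

# Exit 0 only when the clock is synchronized. Starts the service when it is off,
# but still returns 1, because synchronization has not happened yet.
ntp_gate() {
  state=$(timedatectl | ntp_state)
  case "$state" in
    ok)       echo "clock synchronized"; return 0 ;;
    inactive) echo "NTP service inactive; enabling it with timedatectl set-ntp true" >&2
              timedatectl set-ntp true
              return 1 ;;
    *)        echo "clock not synchronized (state: $state); do not start the Node/Gateway yet" >&2
              return 1 ;;
  esac
}

# Constructed timedatectl output (not captured from a real machine) for the self-test.
SAMPLE_OK='               Local time: Tue 2021-03-02 14:32:16 UTC
           Universal time: Tue 2021-03-02 14:32:16 UTC
                 RTC time: Tue 2021-03-02 14:32:16
                Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no'

case "${1:-}" in
  gate) ntp_gate ;;
esac
```

A service unit that depends on a correct clock can run `sh ntp_gate.sh gate` as an ExecStartPre step so the software never starts against an unsynchronized clock.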
Modifying Max Number of Processes and Files
By default, each user is limited in the number of processes and open files they may have at once. To prevent the Node and Gateway from hitting this limit, it must be lifted for all users.
To lift the limit, open the limits configuration file using nano or your favorite text editor.
The following process of using the nano text editor to modify a file is used elsewhere in this document; refer back here for detailed steps on how to use it.
Once the file is open, use the down arrow key ↓ to go to the line just above # End of file. Then, add the following four lines above it.
Once the change is made, save the file by pressing Ctrl+X, and when prompted to save the buffer, press Y. Finally, when prompted for the file name, press ↵ Enter.
Once the change has been made, reboot the system. Note that limits.conf is applied to login sessions by PAM; systemd services take their limits from their unit files (LimitNOFILE and LimitNPROC), so check that the service files installed later set them as well.
Configuring TCP Networking Options
The TCP congestion window limits how much unacknowledged data a connection may have in flight. By default, Linux shrinks the window back to its initial size after a connection has been idle, and that default must be changed to remove a bottleneck in the xx network.
This change is necessary because the cMix protocol transmits in short bursts. Between bursts the connection is idle, so the congestion window collapses and has to grow again on every transmission, which significantly slows the network in high-latency environments.
First, to prevent the congestion window from shrinking while the connection is idle, disable tcp_slow_start_after_idle.
To make this setting persist across reboots, store it in the sysctl configuration file.
Change the TCP congestion control algorithm (CCA) to TCP Bottleneck Bandwidth and Round-trip propagation time (BBR).
This should output the following.
Change the default queuing discipline to fq, which BBR relies on for pacing.
This should output the following.
Add these two options to sysctl.conf as well so that they persist across reboots.
Optional: To verify that the correct values were added to /etc/sysctl.conf, print it to the console.
This will print the entire file to the terminal. The last three lines should match the following.
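The following script is an added example and is not part of the xx network wiki or software. It applies the three settings from Configuring TCP Networking Options (tcp_slow_start_after_idle=0, default_qdisc=fq, tcp_congestion_control=bbr), persists them, and verifies the running kernel against the wanted values, including a check that the kernel actually offers bbr. One deliberate difference from the wiki: instead of appending to /etc/sysctl.conf, it writes a drop-in under /etc/sysctl.d (a file name of this example's choosing, loaded at boot like sysctl.conf), because overwriting one file is idempotent while appending creates duplicate lines on every re-run. The `reader` parameter exists only so the verification logic can be exercised without root.

```sh
#!/bin/sh
# Added example, not part of the xx network wiki or software: apply the three TCP
# settings described above, persist them in a sysctl drop-in, and verify. Run as root:
#   sudo sh xx_tcp_tuning.sh apply     # apply now, persist, verify
#   sudo sh xx_tcp_tuning.sh verify    # only compare running values with the wanted ones

XX_SYSCTL_FILE="${XX_SYSCTL_FILE:-/etc/sysctl.d/90-xx-network-tcp.conf}"   # example's own name

# Wanted settings as key=value lines, in the order the wiki applies them.
xx_tcp_settings() {
  cat <<'EOF'
net.ipv4.tcp_slow_start_after_idle=0
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
}

# Write the drop-in. Overwriting (rather than appending) keeps repeated runs idempotent.
xx_tcp_persist() {
  {
    echo "# xx network TCP tuning: keep the congestion window open across idle periods,"
    echo "# and use BBR congestion control with the fq qdisc it paces through."
    xx_tcp_settings
  } > "$XX_SYSCTL_FILE"
}

# Apply the settings to the running kernel.
xx_tcp_apply_now() {
  for setting in $(xx_tcp_settings); do
    sysctl -w "$setting"
  done
  # Writing tcp_congestion_control=bbr autoloads the tcp_bbr module on stock Ubuntu
  # kernels; confirm it is listed rather than assuming, since without it the write fails.
  grep -qw bbr /proc/sys/net/ipv4/tcp_available_congestion_control ||
    echo "warning: bbr is not available in this kernel" >&2
}

# Compare wanted values with the running kernel. READER defaults to `sysctl` (used as
# `sysctl -n key`) and may be replaced by a function for testing; returns 1 on mismatch.
xx_tcp_verify() {
  reader="${1:-sysctl}"
  rc=0
  for setting in $(xx_tcp_settings); do
    key=${setting%%=*}; want=${setting#*=}
    have=$("$reader" -n "$key")
    if [ "$have" = "$want" ]; then
      echo "ok   $key = $have"
    else
      echo "FAIL $key = $have (want $want)" >&2
      rc=1
    fi
  done
  return $rc
}

case "${1:-}" in
  "")     ;;                                                    # define functions only
  verify) xx_tcp_verify ;;
  apply)  xx_tcp_apply_now && xx_tcp_persist && xx_tcp_verify ;;
esac
```

After a reboot, `sh xx_tcp_tuning.sh verify` confirms that the persisted values were loaded; a FAIL on tcp_congestion_control after reboot usually means the tcp_bbr module was not available early enough and is worth a second look.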
GPU Drivers
The cMix software requires an Nvidia RTX graphics processor and the installation of its drivers.
Install the Nvidia driver.
The driver package pulls in dependencies that enable a graphical desktop, which needlessly consumes resources on a server. Once the installation is complete, disable the GUI using the following command.
The command should result in the following output.
Reboot the system.
Once the system reboots, log back into the computer.
Verifying the Driver Installation
Check that the system has claimed the device.
This should result in output similar to the following.
Next, check the driver and state information.
This should result in output similar to the following (version numbers may differ).
The name of the GPU and its details should match the GPU installed in your machine.
Your machine is now correctly configured to install the Node or Gateway software!
If you are setting up a Node with cMix and xx chain, proceed to the Node Set Up. If you are setting up a Gateway, proceed to the Gateway Set Up.