Enhance Run a Mithril Signer as an SPO guide

dlachaume · dlachaume · commit 2e5e2c5a9fa6 · 2023-07-20T15:40:41.000+02:00
diff --git a/docs/root/manual/getting-started/run-signer-node.md b/docs/root/manual/getting-started/run-signer-node.md
@@ -27,6 +27,7 @@ In this guide, you will learn how to set up a **Mithril Signer** within the stak
 - On `mainnet`, you **must** run the **production** deployment where the **Mithril Signer** runs on the **Cardano block producer** machine and the **Mithril relay** runs on the **Cardano relay** machine. **Note** that you can run the **production** deployment on `testnet`.
 - You can also run **naive** deployment, where the **Mithril Signer** runs on the **Cardano relay** machine. This is possible in the testnet environment only, and does not require setting up a **Mithril relay**.
 
+In the current setup, you don't need to install a Mithril Aggregator.
 :::
 
 :::caution
@@ -231,6 +232,23 @@ Replace this value with the correct user. We assume that the user used to run th
   * `RELAY_ENDPOINT=http://192.168.1.50:3128` **(optional)**: this is the endpoint of the **Mithril relay**, which is required for **production** deployment only. For **naive** deployment, do not set this variable in your environment file.
 :::
 
+:::tip
+
+You can find below the `ERA_READER_ADAPTER_TYPE` and `ERA_READER_ADAPTER_PARAMS` values for **release-preprod**. Other values must be replaced as explained in the caution box above.
+
+* In the `/opt/mithril/mithril-signer/service.env` env file:
+  * `KES_SECRET_KEY_PATH=/cardano/keys/kes.skey`
+  * `OPERATIONAL_CERTIFICATE_PATH=/cardano/cert/opcert.cert`
+  * `DB_DIRECTORY=/cardano/db`
+  * `CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket`
+  * `CARDANO_CLI_PATH=/app/bin/cardano-cli`
+  * `DATA_STORES_DIRECTORY=/opt/mithril/stores`
+  * `STORE_RETENTION_LIMIT=5`
+  * `ERA_READER_ADAPTER_TYPE=cardano-chain`
+  * `ERA_READER_ADAPTER_PARAMS={"address": "addr_test1qpkyv2ws0deszm67t840sdnruqgr492n80g3y96xw3p2ksk6suj5musy6w8lsg3yjd09cnpgctc2qh386rtxphxt248qr0npnx", "verification_key": "5b35352c3232382c3134342c38372c3133382c3133362c34382c382c31342c3138372c38352c3134382c39372c3233322c3235352c3232392c33382c3234342c3234372c3230342c3139382c31332c33312c3232322c32352c3136342c35322c3130322c39312c3132302c3230382c3134375d"}`
+  * `RELAY_ENDPOINT=http://192.168.1.50:3128`
+:::
+
 First, create an environment file that will be used by the service:
 
 - for **production** deployment:
@@ -270,6 +288,28 @@ ERA_READER_ADAPTER_PARAMS=**YOUR_ERA_READER_ADAPTER_PARAMS**
 EOF'
 ```
 
+:::tip
+Here is an example of the env file for **release-preprod** :
+
+```bash
+sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
+KES_SECRET_KEY_PATH=/cardano/keys/kes.skey
+OPERATIONAL_CERTIFICATE_PATH=/cardano/keys/node.cert
+NETWORK=preprod
+AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator
+RUN_INTERVAL=60000
+DB_DIRECTORY=/cardano/db
+CARDANO_NODE_SOCKET_PATH=/cardano/ipc/node.socket
+CARDANO_CLI_PATH=/app/bin/cardano-cli
+DATA_STORES_DIRECTORY=/opt/mithril/stores
+STORE_RETENTION_LIMIT=5
+ERA_READER_ADAPTER_TYPE=cardano-chain
+ERA_READER_ADAPTER_PARAMS={"address": "addr_test1qpkyv2ws0deszm67t840sdnruqgr492n80g3y96xw3p2ksk6suj5musy6w8lsg3yjd09cnpgctc2qh386rtxphxt248qr0npnx", "verification_key": "5b35352c3232382c3134342c38372c3133382c3133362c34382c382c31342c3138372c38352c3134382c39372c3233322c3235352c3232392c33382c3234342c3234372c3230342c3139382c31332c33312c3232322c32352c3136342c35322c3130322c39312c3132302c3230382c3134375d"}
+RELAY_ENDPOINT=http://192.168.1.50:3128
+EOF'
+```
+:::
+
 Then, create a `/etc/systemd/system/mithril-signer.service` description file for the service:
 
 ```bash
@@ -416,6 +456,14 @@ Assuming you are using [`Uncomplicated Firewall`](https://en.wikipedia.org/wiki/
 sudo ufw allow from **YOUR_BLOCK_PRODUCER_INTERNAL_IP** to any port **YOUR_RELAY_LISTENING_PORT** proto tcp
 ```
 
+:::tip
+Here is a example of the command to run :
+
+```bash
+sudo ufw allow from 123.123.123.123 to any port 3128 proto tcp
+```
+:::
+
 Assuming you are using [`Iptables`](https://en.wikipedia.org/wiki/Iptables) (`1.8.7+`), the command to open that traffic is:
 
 ```bash
@@ -424,10 +472,58 @@ sudo iptables -L -v
 sudo service netfilter-persistent save
 ```
 
+:::tip
+Here is a example of the command to run :
+
+```bash
+sudo iptables -A INPUT -s 123.123.123.123 -p tcp --dport 3128 -j ACCEPT
+sudo iptables -L -v
+sudo service netfilter-persistent save
+```
+:::
+
 ## Verify the Mithril Signer deployment
 
 :::tip
+You can verify that your signer node is correctly configured and registered by checking your signer node logs or by running this command :
+
+```bash
+if grep -q "STATE MACHINE: new cycle: Registered" **YOUR_SIGNER_NODE_LOGS_PATH**; then
+    echo ">> Your signer node is registered"
+else
+    echo ">> Your signer node is not registered"
+fi
+```
+
 There is a delay of `2` epochs between the registration of the signer node and its ability to generate individual signatures. This delay is further explained in the [Mithril certificate chain in depth](https://mithril.network/doc/mithril/mithril-protocol/certificates) documentation.
 
-Once this delay has passed, you should be able to observe your `PoolId` listed in some of the certificates accessible on the [`Mithril Explorer`](https://mithril.network/explorer).
+Once this delay has passed, you should be able to observe your `PoolId` listed in some of the certificates accessible on the [`Mithril Explorer`](https://mithril.network/explorer) or by running the following command : 
+
+```bash
+party_id=**YOUR_POOL_ID**
+aggregator_endpoint=**YOUR_AGGREGATOR_ENDPOINT**
+found=false
+
+curl -s "$aggregator_endpoint/certificates" -H 'accept: application/json' | jq -r '.[] | .hash' | while read -r hash; do
+    response=$(curl -s "$aggregator_endpoint/certificate/$hash" -H 'accept: application/json')
+    signer_count=$(echo "$response" | jq '.metadata.signers | length')
+    for (( i=0; i < signer_count; i++ )); do
+        party_id_response=$(echo "$response" | jq -r ".metadata.signers[$i].party_id")
+        if [[ "$party_id_response" == "$party_id" ]]; then
+            echo ">> You have signed this certificate : $hash"
+            found=true
+            break
+        fi
+    done
+
+    if [ "$found" = true ]; then
+        break
+    fi
+done
+
+if [ "$found" = false ]; then
+    echo ">> Your party id was not found in the last certificates"
+fi
+```
+
 :::
