Cardano MITHRIL - HOW TO SETUP/RUN

Hi,

First, if you are wondering, below you can read more about Mithril and why we need it…

https://iohk.io/en/blog/posts/2023/07/20/mithril-nears-mainnet-release/

NOW:

You will need to install/run mithril-signer.
It can be run on the BP or any other node (requested files: operational certificate and hot.skey).

Also you will need to install/run mithril-relay (it will act as a squid/proxy for your BP or mithril signer node; this way the IP of mithril signer node will not be visible).

Let’s begin!

MITHRIL - SIGNER setup

1. On the signer node, update Rust (in case you don’t have Rust installed, you must install it)
rustup update

2. go to git folder and clone Mithril

cd $HOME/git
git clone https://github.com/input-output-hk/mithril.git

3. check the latest version (be sure it is compatible with mainnet) here (at this time 2403.1 is the latest version):
Tags · input-output-hk/mithril · GitHub

cd $HOME/git/mithril
git checkout 2403.1
cd $HOME/git/mithril/mithril-signer

4. build the executable

make build

5. verify the build version
from folder $HOME/git/mithril/mithril-signer run

./mithril-signer -V

6. move executable (below path is for CNTOOLS setup; modify the path according to your setup)
below is the path where to move the binary file; update the path if that’s the case

cd $HOME/git/mithril/mithril-signer/
sudo mv -f mithril-signer /home/username/.local/bin

7. update the mithril.env file according to your setup (here you can modify the DB path, files path, etc.)

cd /opt/cardano/cnode/mithril-signer
ls -l
nano mithril.env

8. download mithril-signer.sh script (in case you haven’t already)

cd /opt/cardano/cnode/scripts
ls -l | grep mithril

if you don’t have the script download it from here with the command
wget https://raw.githubusercontent.com/cardano-community/guild-operators/master/scripts/cnode-helper-scripts/mithril-signer.sh

9. run the script (-d it will set the service as systemd)

chmod 750 ./mithril-signer.sh
./mithril-signer.sh -d

set the IP and the port with which you want to connect to the mithril-relay server (usually it’s your relay)
!!! on the relay you must have that port opened for your mithril-signer node
for example:
if your mithril signer node has 81.1.1.1 IP and your Relay has 92.1.1.2 and you choose the port 5000, on the Relay open the port in case it’s not already:

sudo ufw status
sudo ufw allow proto tcp from 81.1.1.1 to any port 5000
sudo ufw reload
sudo ufw status

start/check the status:

sudo systemctl start cnode-mithril-signer.service
sudo systemctl status cnode-mithril-signer.service

It should not work; we must set the relay as well.

MITHRIL-RELAY setup

1. download and run the script (on relay) mithril-relay.sh from here

cd /opt/cardano/cnode/scripts
wget https://raw.githubusercontent.com/cardano-community/guild-operators/master/scripts/cnode-helper-scripts/mithril-relay.sh
chmod 750 mithril-relay.sh
./mithril-relay.sh -d

set the Mithril-signer IP (the IP of the device where Mithril signer is running)
check the status of the service

sudo systemctl status squid.service

Back on Mithril signer restart/check the status

sudo systemctl restart cnode-mithril-signer
sudo systemctl status cnode-mithril-signer

You must see REGISTERED.

Also you can check on explorer:

Mithril Explorer

9 Likes

Great article - we need more of these which give clear step by step instructions

2 Likes

Do we still have to run a mithril signer on the preprod before we setup on mainnet?

1 Like

no, this setup is for mainnet (you don’t need to run in preprod)

Hi Alex,

Can you share how you installed/configured mithril-relay? There is no mention of how to install it in the official documentation, Run a Mithril signer as an SPO | Mithril. A complete guide. Thanks.

Hi,

Read till the end; I provided the info… remember that this setup is for cntools setup

I have cntools, but it looks like my cntools deployment is an older version that has no Mithril configuration. I’ll try the non-cntools way, then. Thanks

I don’t get it

You can update your guild-operators (cntools, etc.) scripts with the guild-deploy.sh tool. The master branch has the scripts as of November 29th, 2023. The Mithril relays are mostly discussed in the Mithril Documentation’s Run a Mithril Signer as an SPO page.

If you need support check the Telegram Koios groups #Support room. I wrote these scripts and usually can respond within a few hours if you have any questions. Others in the group are often able to answer questions on the various guild-operators tools as well.

1 Like

I love to see that the scripts are helping to get SPOs signing Mithril snapshots quickly.

For those that use the Cardano Community Guild Operators scripts and guild-deploy.sh, the rustup or even Rust installation may not be necessary, as the mithril binaries can also be installed via guild-deploy.sh -s m. This will install the release binaries directly from input-output-hk (IOG).

		Usage: guild-deploy.sh [-n <mainnet|guild|preprod|preview|sanchonet>] [-p path] [-t <name>] [-b <branch>] [-u] [-s [p][b][l][m][f][d][c][o][w][x]]
		Set up dependencies for building/using common tools across cardano ecosystem.
		The script will always update dynamic content from existing scripts retaining existing user variables
		
		-n    Connect to specified network instead of mainnet network (Default: connect to cardano mainnet network) eg: -n guild
		-p    Parent folder path underneath which the top-level folder will be created (Default: /opt/cardano)
		-t    Alternate name for top level folder - only alpha-numeric chars allowed (Default: cnode)
		-b    Use alternate branch of scripts to download - only recommended for testing/development (Default: master)
		-u    Skip update check for script itself
		-s    Selective Install, only deploy specific components as below:
		  p   Install common pre-requisite OS-level Dependencies for most tools on this repo (Default: skip)
		  b   Install OS level dependencies for tools required while building cardano-node/cardano-db-sync components (Default: skip)
		  l   Build and Install libsodium fork from IO repositories (Default: skip)
		  m   Download latest (released) binaries for mithril-signer, mithril-client (Default: skip)
		  f   Force overwrite entire content of scripts and config files (backups of existing ones will be created) (Default: skip)
		  d   Download latest (released) binaries for bech32, cardano-address, cardano-node, cardano-cli, cardano-db-sync and cardano-submit-api (Default: skip)
		  c   Install/Upgrade CNCLI binary (Default: skip)
		  o   Install/Upgrade Ogmios Server binary (Default: skip)
		  w   Install/Upgrade Cardano Hardware CLI (Default: skip)
		  x   Install/Upgrade Cardano Signer binary (Default: skip)
1 Like

Thanks for posting this Alex. It was a big help for me to get Mithril registered on my BGOOD pool. Hope to be signing soon!

1 Like

For reference, the below steps worked for me. As Trevor and Alex mentioned, the guild-deploy.sh script can do it automatically, but in case someone wants to follow the Mithril Guide, these steps are a summarized version of it.

Note: The relay node installation ONLY needs the proxy server, no need to install the mithril-relay.sh script.

## //Mithril Installation

# ===============
# //Relay server:
# ===============

# // Install squid proxy server:

sudo apt install squid
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

# // Configure squid proxy server:

sudo bash -c 'cat > /etc/squid/squid.conf << EOF
# Listening port (port 3132 is recommended)
http_port 3132

# ACL for internal IP of your block producer node
acl block_producer_internal_ip src 192.X.X.XXX

# ACL for aggregator endpoint
acl aggregator_domain dstdomain .mithril.network

# ACL for SSL port only
acl SSL_port port 443

# Allowed traffic
http_access allow block_producer_internal_ip aggregator_domain SSL_port

# Do not disclose block producer internal IP
forwarded_for delete

# Turn off via header
via off
 
# Deny request for original source of a request
follow_x_forwarded_for deny all
 
# Anonymize request headers
request_header_access Authorization allow all
request_header_access Proxy-Authorization allow all
request_header_access Cache-Control allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Connection allow all
request_header_access All deny all

# Disable cache
cache deny all

# Deny everything else
http_access deny all
EOF'

sudo systemctl restart squid

# // Add proxy port to the firewall (iptables)
# Open the rules file and add the line shown below to the INPUT rules, then save:
sudo vi /etc/iptables/rules.v4
#   -A INPUT -p tcp -m tcp --dport 3132 -j ACCEPT
sudo netfilter-persistent reload

sudo systemctl status squid

# ================
# //Node producer:
# ================

rustup update
sudo apt install libssl-dev
sudo apt install jq

sudo mkdir -p /opt/mithril/stores
sudo chown node:node -R /opt/mithril

cd ~/tmp/

git clone https://github.com/input-output-hk/mithril.git

cd mithril/
git checkout 2403.1
cd mithril-signer/
make build
./mithril-signer -V
sudo mv -f mithril-signer ~/.local/bin
sudo cp -R config /opt/mithril/.

# // PREPROD Configuration: (cntools deployment)
sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
KES_SECRET_KEY_PATH=/opt/cardano/cnode/priv/pool/POOL/hot.skey
OPERATIONAL_CERTIFICATE_PATH=/opt/cardano/cnode/priv/pool/POOL/op.cert
NETWORK=preprod
AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator
RUN_INTERVAL=60000
DB_DIRECTORY=/opt/cardano/cnode/db
CARDANO_NODE_SOCKET_PATH=/opt/cardano/cnode/sockets/node0.socket
CARDANO_CLI_PATH=/home/node/.local/bin/cardano-cli
DATA_STORES_DIRECTORY=/opt/mithril/stores
STORE_RETENTION_LIMIT=5
ERA_READER_ADAPTER_TYPE=cardano-chain
ERA_READER_ADAPTER_PARAMS={"address": "addr_test1qpkyv2ws0deszm67t840sdnruqgr492n80g3y96xw3p2ksk6suj5musy6w8lsg3yjd09cnpgctc2qh386rtxphxt248qr0npnx", "verification_key": "5b35352c3232382c3134342c38372c3133382c3133362c34382c382c31342c3138372c38352c3134382c39372c3233322c3235352c3232392c33382c3234342c3234372c3230342c3139382c31332c33312c3232322c32352c3136342c35322c3130322c39312c3132302c3230382c3134375d"}
RELAY_ENDPOINT=http://192.168.X.XXX:3132
EOF'

# // Create a system service: (/etc/systemd/system/mithril-signer.service)

sudo bash -c 'cat > /etc/systemd/system/mithril-signer.service << EOF
[Unit]
Description=Mithril signer service
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=60
User=node
EnvironmentFile=/opt/mithril/mithril-signer.env
ExecStart=/home/node/.local/bin/mithril-signer -vvv

[Install]
WantedBy=multi-user.target
EOF'


sudo systemctl daemon-reload
sudo systemctl start mithril-signer
sudo systemctl enable mithril-signer


# // Monitor the status of the service:

systemctl status mithril-signer.service
journalctl -xeu mithril-signer

# // Logs when registered:
#Feb 29 19:39:10 ADA-NODE-TST1 mithril-signer[2676213]: {"msg":"STATE MACHINE: new cycle: Registered - 127","v":0,"name":"slog-rs","level":30,"time":"2024-02-29T19:39:10.659483075Z","hostnam>

# // Logs when signing:
#Feb 28 01:00:58 ADA-NODE-TST1 mithril-signer[2676213]: {"msg":"STATE MACHINE: new cycle: Signed - 127 - CardanoImmutableFilesFull(Beacon { network: \"preprod\", epoch: Epoch(127), immutable>

cd ~/tmp
wget https://mithril.network/doc/scripts/verify_signer_registration.sh
chmod +x verify_signer_registration.sh
PARTY_ID=pool1... AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator ./verify_signer_registration.sh

#  >> Congrats, your signer node is registered!

cd ~/tmp
wget https://mithril.network/doc/scripts/verify_signer_signature.sh
chmod +x verify_signer_signature.sh
PARTY_ID=pool1... AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator ./verify_signer_signature.sh

# >> Congrats, ...

 
2 Likes
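
The relay setup in the steps above only works when three values agree: squid's http_port, the port in the signer's RELAY_ENDPOINT, and the port accepted by the firewall. The check below is an added example, not part of any post in this thread; the function name check_relay_setup, the finding labels and the sample file contents are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). All sample file contents are constructed.

# check_relay_setup SQUID_CONF SIGNER_ENV IPTABLES_RULES
# Prints one finding per line; returns 0 when consistent, 1 otherwise.
check_relay_setup() {
  local squid="$1" envf="$2" rules="$3" rc=0 listen relay_port d
  listen=$(awk '$1 == "http_port" { print $2; exit }' "$squid")
  relay_port=$(sed -n 's|^RELAY_ENDPOINT=.*:\([0-9][0-9]*\)/*$|\1|p' "$envf")
  # The signer must point at the port squid actually listens on.
  if [ -z "$listen" ] || [ "$listen" != "$relay_port" ]; then
    echo "PORT_MISMATCH squid=${listen:-none} signer=${relay_port:-none}"; rc=1
  fi
  # The firewall must accept that same port.
  if ! grep -q -e "--dport ${listen:-none} .*-j ACCEPT" "$rules"; then
    echo "FIREWALL_PORT no ACCEPT rule for port ${listen:-none}"; rc=1
  fi
  # Directives that keep the block producer address out of forwarded requests.
  for d in "forwarded_for delete" "via off"; do
    grep -Eq "^${d}[[:space:]]*$" "$squid" || { echo "MISSING $d"; rc=1; }
  done
  # Every allow rule must name a src ACL; the last http_access must be deny all.
  awk '$1 == "acl" && $3 == "src" { src[$2] = 1 }
       $1 == "http_access" {
         last = $2 " " $3
         if ($2 == "allow") {
           ok = 0
           for (i = 3; i <= NF; i++) if ($i in src) ok = 1
           if (!ok) { print "UNSCOPED_ALLOW " $0; bad = 1 }
         }
       }
       END { if (last != "deny all") { print "NO_FINAL_DENY"; bad = 1 }
             exit bad }' "$squid" || rc=1
  return "$rc"
}

# Constructed sample: squid listens on 3122, signer and firewall expect 3132.
demo_dir=$(mktemp -d)
printf '%s\n' 'http_port 3122' 'acl bp src 192.0.2.10' \
  'acl aggregator_domain dstdomain .mithril.network' 'acl SSL_port port 443' \
  'http_access allow bp aggregator_domain SSL_port' 'forwarded_for delete' \
  'via off' 'http_access deny all' > "$demo_dir/squid.conf"
echo 'RELAY_ENDPOINT=http://192.0.2.20:3132' > "$demo_dir/signer.env"
echo '-A INPUT -p tcp -m tcp --dport 3132 -j ACCEPT' > "$demo_dir/rules.v4"
check_relay_setup "$demo_dir/squid.conf" "$demo_dir/signer.env" \
  "$demo_dir/rules.v4" || echo "-> fix the findings above before starting the signer"
```

On a real relay the first and third arguments would be /etc/squid/squid.conf and /etc/iptables/rules.v4, with the signer's env file copied over from the block producer for the comparison.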

I set up Mithril on my nodes in the preview before going to mainnet, I don’t understand if I’m registered or not, this is what it tells me if I run

sudo systemctl status cnode-mithril-signer

I see “registered” but at the same time I see " ne pending certificate, waiting… "

Is it okay or am I missing something?
Because on the explorer I can’t see my pool on the preview network.

Found my pool :sunglasses:

now mainnet

2 Likes

We’re now listed on Mithril Explorer as registered signers. :grinning:

3 Likes