Cardano MITHRIL - HOW TO SETUP/RUN

Hi,

First, if you are wondering, below you can read more about Mithril and why we need it…

https://iohk.io/en/blog/posts/2023/07/20/mithril-nears-mainnet-release/

NOW:

You will need to install/run mithril-signer.
It can be run on the BP or any other node (requested files: operational certificate and hot.skey).

Also you will need to install/run mithril-relay (it will act as a squid/proxy for your BP or mithril signer node; this way the IP of mithril signer node will not be visible).

Let's begin!

MITHRIL - SIGNER setup

1. On the signer node, update rust (in case you don’t have rust installed, you must install it)
rustup update

2. go to git folder and clone Mithril

cd $HOME/git
git clone https://github.com/input-output-hk/mithril.git

3. check the latest version (be sure it is compatible with mainnet) here (at this time 2403.1 is the latest version):
Tags · input-output-hk/mithril · GitHub

cd $HOME/git/mithril
git checkout 2403.1
cd $HOME/git/mithril/mithril-signer

4. build the executable

make build

5. verify the build version
from folder $HOME/git/mithril/mithril-signer run

./mithril-signer -V

6. move executable (below path is for CNTOOLS setup; modify the path according to your setup)
below is the path where to move the binary file; update the path if that's the case

cd $HOME/git/mithril/mithril-signer/
sudo mv -f mithril-signer /home/username/.local/bin

7. update mithril.env file according to your setup (here you can modify the DB path, files path, etc.)

cd /opt/cardano/cnode/mithril-signer
ls -l
nano mithril.env

8. download mithril-signer.sh script (in case you haven’t already)

cd /opt/cardano/cnode/scripts
ls -l | grep mithril

if you don’t have the script download it from here with the command
wget https://raw.githubusercontent.com/cardano-community/guild-operators/master/scripts/cnode-helper-scripts/mithril-signer.sh

9. run the script (-d it will set the service as systemd)

chmod 750 ./mithril-signer.sh
./mithril-signer.sh -d

set the IP and the port on which you want to connect to the mithril-relay server (usually it's your relay)
!!! on the relay you must have that port opened for your mithril-signer node
for example:
if your mithril signer node has 81.1.1.1 IP and your Relay has 92.1.1.2 and you choose the port 5000, on the Relay open the port in case it's not already:

sudo ufw status
sudo ufw allow proto tcp from 81.1.1.1 to any port 5000
sudo ufw reload
sudo ufw status

start/check the status:

sudo systemctl start cnode-mithril-signer.service
sudo systemctl status cnode-mithril-signer.service

It should not work; we must set the relay as well.

MITHRIL-RELAY setup

1. download and run the script (on relay) mithril-relay.sh from here

cd /opt/cardano/cnode/scripts
wget https://raw.githubusercontent.com/cardano-community/guild-operators/master/scripts/cnode-helper-scripts/mithril-relay.sh
chmod 750 mithril-relay.sh
./mithril-relay.sh -d

set the Mithril-signer IP (the IP of the device where Mithril signer is running)
check the status of the service

sudo systemctl status squid.service

Back on Mithril signer restart/check the status

sudo systemctl restart cnode-mithril-signer
sudo systemctl status cnode-mithril-signer

You must see REGISTERED.

Also you can check on explorer:

Mithril Explorer

Great article - we need more of these which give clear step by step instructions

Do we still have to run a mithril signer on the preprod before we setup on mainnet?

no, this setup is for mainnet (you don’t need to run in preprod)

Hi Alex,

Can you share how you installed/configured mithril-relay? There is no mention of how to install it in the Run a Mithril signer as an SPO | Mithril. A complete guide. official documentation. Thanks.

Hi,

Read till the end; I provided the info… remember that this setup is for cntools setup

I have cntools, but it looks like my cntools deployment is an older version that has no Mithril configuration. I’ll try the non-cntools way, then. Thanks

I don’t get it

You can update your guild-operators (cntools, etc.) scripts with the guild-deploy.sh tool. The master branch has the scripts as of November 29th, 2023. The Mithril relays are mostly discussed in the Mithril Documentation’s Run a Mithril Signer as an SPO page.

If you need support check the Telegram Koios groups #Support room. I wrote these scripts and usually can respond within a few hours if you have any questions. Others in the group are often able to answer questions on the various guild-operators tools as well.

I love to see that the scripts are helping to get SPOs signing Mithril snapshots quickly.

For those that use the Cardano Community Guild Operators scripts, and guild-deploy.sh the rustup or even rust installation may not be necessary as the mithril binaries can also be installed via guild-deploy.sh -s m. This will install the release binaries directly from input-output-hk (IOG).

		Usage: guild-deploy.sh [-n <mainnet|guild|preprod|preview|sanchonet>] [-p path] [-t <name>] [-b <branch>] [-u] [-s [p][b][l][m][f][d][c][o][w][x]]
		Set up dependencies for building/using common tools across cardano ecosystem.
		The script will always update dynamic content from existing scripts retaining existing user variables
		
		-n    Connect to specified network instead of mainnet network (Default: connect to cardano mainnet network) eg: -n guild
		-p    Parent folder path underneath which the top-level folder will be created (Default: /opt/cardano)
		-t    Alternate name for top level folder - only alpha-numeric chars allowed (Default: cnode)
		-b    Use alternate branch of scripts to download - only recommended for testing/development (Default: master)
		-u    Skip update check for script itself
		-s    Selective Install, only deploy specific components as below:
		  p   Install common pre-requisite OS-level Dependencies for most tools on this repo (Default: skip)
		  b   Install OS level dependencies for tools required while building cardano-node/cardano-db-sync components (Default: skip)
		  l   Build and Install libsodium fork from IO repositories (Default: skip)
		  m   Download latest (released) binaries for mithril-signer, mithril-client (Default: skip)
		  f   Force overwrite entire content of scripts and config files (backups of existing ones will be created) (Default: skip)
		  d   Download latest (released) binaries for bech32, cardano-address, cardano-node, cardano-cli, cardano-db-sync and cardano-submit-api (Default: skip)
		  c   Install/Upgrade CNCLI binary (Default: skip)
		  o   Install/Upgrade Ogmios Server binary (Default: skip)
		  w   Install/Upgrade Cardano Hardware CLI (Default: skip)
		  x   Install/Upgrade Cardano Signer binary (Default: skip)

Thanks for posting this Alex. It was a big help for me to get Mithril registered on my BGOOD pool. Hope to be signing soon!

For reference, the below steps worked for me. As Trevor and Alex mentioned guild-deploy.sh script can do it automatically, but in case someone wants to follow the Mithril Guide, these steps are a summarized version of it.

Note: The relay node installation ONLY needs the proxy server, no need to install the mithril-relay.sh script.

## //Mithril Installation

# ===============
# //Relay server:
# ===============

# // Install squid proxy server:

sudo apt install squid
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

# // Configure squid proxy server:

sudo bash -c 'cat > /etc/squid/squid.conf << EOF
# Listening port (port 3132 is recommended)
http_port 3132

# ACL for internal IP of your block producer node
acl block_producer_internal_ip src 192.X.X.XXX

# ACL for aggregator endpoint
acl aggregator_domain dstdomain .mithril.network

# ACL for SSL port only
acl SSL_port port 443

# Allowed traffic
http_access allow block_producer_internal_ip aggregator_domain SSL_port

# Do not disclose block producer internal IP
forwarded_for delete

# Turn off via header
via off
 
# Deny request for original source of a request
follow_x_forwarded_for deny all
 
# Anonymize request headers
request_header_access Authorization allow all
request_header_access Proxy-Authorization allow all
request_header_access Cache-Control allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Connection allow all
request_header_access All deny all

# Disable cache
cache deny all

# Deny everything else
http_access deny all
EOF'

sudo systemctl restart squid

# // Add proxy port to the firewall (iptables)
# Add the following line to /etc/iptables/rules.v4, then reload the rules:
#   -A INPUT -p tcp -m tcp --dport 3132 -j ACCEPT
sudo vi /etc/iptables/rules.v4
sudo netfilter-persistent reload

sudo systemctl status squid

# ================
# //Node producer:
# ================

rustup update
sudo apt install libssl-dev
sudo apt install jq

sudo mkdir -p /opt/mithril/stores
sudo chown node:node -R /opt/mithril

cd ~/tmp/

git clone https://github.com/input-output-hk/mithril.git

cd mithril/
git checkout 2403.1
cd mithril-signer/
make build
./mithril-signer -V
sudo mv -f mithril-signer ~/.local/bin
sudo cp -R config /opt/mithril/.

# // PREPROD Configuration: (cntools deployment)
sudo bash -c 'cat > /opt/mithril/mithril-signer.env << EOF
KES_SECRET_KEY_PATH=/opt/cardano/cnode/priv/pool/POOL/hot.skey
OPERATIONAL_CERTIFICATE_PATH=/opt/cardano/cnode/priv/pool/POOL/op.cert
NETWORK=preprod
AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator
RUN_INTERVAL=60000
DB_DIRECTORY=/opt/cardano/cnode/db
CARDANO_NODE_SOCKET_PATH=/opt/cardano/cnode/sockets/node0.socket
CARDANO_CLI_PATH=/home/node/.local/bin/cardano-cli
DATA_STORES_DIRECTORY=/opt/mithril/stores
STORE_RETENTION_LIMIT=5
ERA_READER_ADAPTER_TYPE=cardano-chain
ERA_READER_ADAPTER_PARAMS={"address": "addr_test1qpkyv2ws0deszm67t840sdnruqgr492n80g3y96xw3p2ksk6suj5musy6w8lsg3yjd09cnpgctc2qh386rtxphxt248qr0npnx", "verification_key": "5b35352c3232382c3134342c38372c3133382c3133362c34382c382c31342c3138372c38352c3134382c39372c3233322c3235352c3232392c33382c3234342c3234372c3230342c3139382c31332c33312c3232322c32352c3136342c35322c3130322c39312c3132302c3230382c3134375d"}
RELAY_ENDPOINT=http://192.168.X.XXX:3132
EOF'

# // Create a system service: (/etc/systemd/system/mithril-signer.service)

sudo bash -c 'cat > /etc/systemd/system/mithril-signer.service << EOF
[Unit]
Description=Mithril signer service
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=60
User=node
EnvironmentFile=/opt/mithril/mithril-signer.env
ExecStart=/home/node/.local/bin/mithril-signer -vvv

[Install]
WantedBy=multi-user.target
EOF'


sudo systemctl daemon-reload
sudo systemctl start mithril-signer
sudo systemctl enable mithril-signer


# // Monitor the status of the service:

systemctl status mithril-signer.service
journalctl -xeu mithril-signer

# // Logs when registered:
#Feb 29 19:39:10 ADA-NODE-TST1 mithril-signer[2676213]: {"msg":"STATE MACHINE: new cycle: Registered - 127","v":0,"name":"slog-rs","level":30,"time":"2024-02-29T19:39:10.659483075Z","hostnam>

# // Logs when signing:
#Feb 28 01:00:58 ADA-NODE-TST1 mithril-signer[2676213]: {"msg":"STATE MACHINE: new cycle: Signed - 127 - CardanoImmutableFilesFull(Beacon { network: \"preprod\", epoch: Epoch(127), immutable>

cd ~/tmp
wget https://mithril.network/doc/scripts/verify_signer_registration.sh
chmod +x verify_signer_registration.sh
PARTY_ID=pool1... AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator ./verify_signer_registration.sh

#  >> Congrats, your signer node is registered!

cd ~/tmp
wget https://mithril.network/doc/scripts/verify_signer_signature.sh
chmod +x verify_signer_signature.sh
PARTY_ID=pool1... AGGREGATOR_ENDPOINT=https://aggregator.release-preprod.api.mithril.network/aggregator ./verify_signer_signature.sh

# >> Congrats, ...
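
The relay and signer files in the post above have to agree with each other: the signer's RELAY_ENDPOINT must point at the port squid listens on, and the squid ACLs must end in a default deny. The following check is an added example, not part of the original post or of the Mithril or guild-operators tooling; the function names are hypothetical and the two file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: consistency check for the squid relay + mithril-signer files.
# Function names are hypothetical; nothing here is part of the Mithril tooling.

# Port squid listens on: first http_port line, any "addr:" prefix stripped.
squid_port() {
  awk '$1 == "http_port" { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# Port the signer dials, taken from RELAY_ENDPOINT=http://host:port
relay_endpoint_port() {
  sed -n 's|^RELAY_ENDPOINT=.*:\([0-9][0-9]*\)/*$|\1|p' "$1"
}

# Action and first ACL of the last http_access rule.
# Squid stops at the first matching rule, so the last one is the fallback.
last_http_access() {
  awk '$1 == "http_access" { r = $2 " " $3 } END { print r }' "$1"
}

# Usage: check_relay_config <squid.conf> <mithril-signer.env>
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_relay_config() {
  conf=$1; envf=$2; bad=0
  sp=$(squid_port "$conf"); ep=$(relay_endpoint_port "$envf")
  if [ -z "$sp" ] || [ "$sp" != "$ep" ]; then
    echo "port mismatch: http_port='$sp' RELAY_ENDPOINT port='$ep'"; bad=1
  fi
  if [ "$(last_http_access "$conf")" != "deny all" ]; then
    echo "last http_access rule is not 'deny all'"; bad=1
  fi
  if grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' "$conf"; then
    echo "open proxy: 'http_access allow all' present"; bad=1
  fi
  for want in 'forwarded_for delete' 'via off'; do
    grep -Eq "^[[:space:]]*$want[[:space:]]*\$" "$conf" ||
      { echo "missing '$want' (signer address can leak in headers)"; bad=1; }
  done
  return "$bad"
}

# Run against real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then check_relay_config "$1" "$2"; fi
```

Copy squid.conf from the relay to the signer host (or the env file the other way) and pass both paths; a non-zero exit status means at least one finding was printed.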

 

I set up Mithril on my nodes in preview before going to mainnet. I don’t understand if I’m registered or not; this is what it tells me if I run:

sudo systemctl status cnode-mithril-signer

I see “registered” but at the same time I see " ne pending certificate, waiting… "

Is it okay or did I miss something?
Because on the explorer I can’t see my pool on the preview network.

Found my pool :sunglasses:

now mainnet

We’re now listed on Mithril Explorer as registered signers. :grinning:

We join Mithril