Need 2 users set in Ubuntu for node0.socket

I need sudo users set for owner for node0.socket every time the node restarts or is turned on.

Does anyone know how I can configure this? I have 2 pool operators. 1 for managing the node and 1 for managing minting.

I may not be understanding your question properly but this may help:

I have configured my systemd service file to run cardano-node as an unprivileged user (“cardano”):

[Unit]
Description=Cardano Node
Requires=network.target

[Service]
Type=simple
SyslogIdentifier=cardano-node
Restart=always
RestartSec=5
TimeoutStopSec=300
Nice=-15
IOSchedulingClass=realtime
IOSchedulingPriority=1
RuntimeDirectory=cardano
User=cardano
Group=cardano
KillSignal=SIGINT
LimitNOFILE=32768
Environment="PORT=2700"
ExecStart=cardano-node +RTS -N -RTS run \
  --host-addr "0.0.0.0" \
  --port "${PORT}" \
  --socket-path '/run/cardano/mainnet-node.socket' \
  --config "/etc/cardano/mainnet-config.json" \
  --topology "/etc/cardano/mainnet-topology.json" \
  --shelley-kes-key "/etc/cardano/private/kes.skey" \
  --shelley-vrf-key "/etc/cardano/private/vrf.skey" \
  --shelley-operational-certificate "/etc/cardano/private/node.cert" \
  --database-path "/var/lib/cardano"

[Install]
WantedBy=multi-user.target

Note:

  • RuntimeDirectory=cardano
  • User=cardano
  • Group=cardano
  • --socket-path '/run/cardano/mainnet-node.socket' \

When started, the socket /run/cardano/mainnet-node.socket has owner and group “cardano”.

ls -al /run/cardano/
total 0
drwxr-xr-x  2 cardano cardano  60 Sep 14 23:51 .
drwxr-xr-x 20 root    root    640 Sep 15 06:34 ..
srwxr-xr-x  1 cardano cardano   0 Sep 14 23:51 mainnet-node.socket

I also have the directory and file permissions for config files and keys as follows:

ls -al /etc/cardano/
total 1060
drwxr-x--- 1 root cardano     310 Jul  7 20:23 .
drwxr-xr-x 1 root root       2388 Sep 12 06:17 ..
-rw-r--r-- 1 root root       9459 Aug 13 07:21 mainnet-alonzo-genesis.json
-rw-r--r-- 1 root root    1056360 Aug 13 07:21 mainnet-byron-genesis.json
-rw-r----- 1 root cardano    3008 Jul  7 18:45 mainnet-config.json
-rw-r--r-- 1 root root       2486 Aug 13 07:21 mainnet-shelley-genesis.json
-rw-r----- 1 root cardano     314 Jul  7 18:45 mainnet-topology.json
-rw-r----- 1 root cardano     435 Jul  7 19:23 my-cardano-node-config.json
drwxr-x--- 1 root cardano      82 Jul  7 18:46 private
ls -al /etc/cardano/private/
total 20
drwxr-x--- 1 root    cardano   82 Jul  7 18:46 .
drwxr-x--- 1 root    cardano  310 Jul  7 20:23 ..
-r-------- 1 cardano cardano 1327 Jul  7 18:46 kes.skey
-r-------- 1 cardano cardano  183 Jul  7 18:46 kes.vkey
-r-------- 1 cardano cardano  367 Jul  7 18:46 node.cert
-r-------- 1 cardano cardano  230 Jul  7 18:46 vrf.skey
-r-------- 1 cardano cardano  176 Jul  7 18:46 vrf.vkey

This way I can run cardano-cli commands as unprivileged user cardano.

cardano@bprod:~$ CARDANO_NODE_SOCKET_PATH='/run/cardano/mainnet-node.socket' cardano-cli query tip --mainnet
{
    "block": 7758543,
    "epoch": 363,
    "era": "Alonzo",
    "hash": "ab4f0158b51f04f11e092d8d84435e11e63df2c53403889928db9a530647b3b1",
    "slot": 71640832,
    "syncProgress": "100.00"
}

Is that the sort of thing you were trying to enable? If so, you could also add particular login user accounts to group “cardano” to give these users access to read the socket.

1 Like
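Added example, not part of the original thread: on Linux, connecting to a Unix socket requires write permission on the socket file, so this sketch applies the owner/group/other rule to a mode string such as the one in the ls output above. The account name operator1 and its group list are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): who may connect to the node socket?
# On Linux, connect() on a Unix socket requires WRITE permission on the
# socket file, plus search (x) permission on every directory in its path.

# can_connect MODE OWNER GROUP USER "USER_GROUPS" -> prints yes or no
#   MODE is the symbolic mode shown by ls -l or stat -c %A, e.g. srwxr-xr-x
can_connect() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    # root bypasses file permission checks (CAP_DAC_OVERRIDE).
    if [ "$user" = "root" ]; then echo yes; return 0; fi
    # Exactly one permission class applies: owner, else group, else other.
    # Their write bits are characters 3, 6 and 9 of the mode string.
    pos=9
    if [ "$user" = "$owner" ]; then
        pos=3
    else
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then pos=6; break; fi
        done
    fi
    if [ "$(printf '%s' "$mode" | cut -c"$pos")" = "w" ]; then
        echo yes
    else
        echo no
    fi
}

# check_socket PATH USER: the same decision for a live socket (GNU stat, id).
check_socket() {
    can_connect "$(stat -c %A "$1")" "$(stat -c %U "$1")" \
        "$(stat -c %G "$1")" "$2" "$(id -nG "$2")"
}

# Mode, owner and group from the ls output in the post above; "operator1"
# is a hypothetical login account that has been added to group cardano.
echo "operator1: $(can_connect srwxr-xr-x cardano cardano operator1 'operator1 cardano')"
```

The mode srwxr-xr-x is what a default umask of 0022 produces. Setting UMask=0007 in the unit's [Service] section is one way to get a group-writable socket, assuming cardano-node leaves the socket mode to the process umask.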

I created the group “cardano”.

I don’t see the Group=cardano line in your service file. If you add that then you should get the node creating its socket with cardano group read and executable permissions. Then add the users you want to have access to the cardano group.

1 Like

I did add it in there, just not in the photo.

Having a problem starting at the moment.

It seems you have something already binding to port 12788.

Use the ss command to see what application is binding that port (most likely another version of cardano-node is still running). Here is what my machine says:

ss -4nlp

tcp LISTEN 0 150 127.0.0.1:12788 0.0.0.0:* users:(("cardano-node",pid=571059,fd=24))

In my case pid is 571059. Killing this process would fix the binding problem. However, be careful because if you send this process the default TERM signal this may then require your cardano-node to re-validate its entire chain data which might take a couple of hours. Send it the SIGINT signal instead.

E.g. for my case:

kill -s SIGINT 571059

Try killing that cardano-submit- process 1955.

First try:

kill -s SIGINT 1955

If that doesn’t get rid of it after a minute or so then try:

kill 1955

The underlying problem is this:

Checking for script updates…
ERROR: You specified 12788 as your EKG port, but it looks like the cardano-node … is not listening on this port.
ERROR: gLiveView failed to load common env file
Please verify set values in ‘User Variables’ section in env file …

There is likely something in this script you are running that is causing a conflict.

If you are going to run an automation script, you need to understand absolutely everything that script is doing. If not, then don’t use it. It could be automatically starting a copy of your cardano-node executable or something else with different settings to what you want.

You don’t need this script to run your stake pool and you don’t need gLiveView to monitor it either.

Also, maybe you still need to tell systemd to reload the service file after you edited it?

systemctl daemon-reload

I would strongly recommend getting rid of any non-essential software off your secure system and not running any scripts you haven’t audited or written yourself. Particularly ones that automatically build and install things. Spend some time cutting your software stack back to bare essentials and then installing only what you need piece by piece.

Run a well configured firewall and audit every single service displayed by:

ss -4nlp

Why each service is necessary and how it is firewalled. Then remove any that you don’t absolutely require.
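Added example, not part of the original thread: one way to turn the listener audit described above into a repeatable check is to filter ss -4nlp output against an allowlist of ports that are meant to face the network. The sample output is constructed; ports 2700 (from the unit file earlier in the thread) and 22 (SSH) are assumed to be the expected listeners, and example-svc on port 8090 is a made-up entry.

```shell
#!/bin/sh
# Added example (not from the thread): flag listeners that are bound to a
# non-loopback address and are not on the operator's allowlist of ports.

# audit_listeners "PORT PORT ..." reads `ss -4nlp` output on stdin and prints
# one REVIEW line per unexpected exposed listener.
audit_listeners() {
    awk -v allow=" $1 " '
        $1 == "Netid" { next }                    # skip the header row
        {
            n = split($5, a, ":")                 # $5 is local address:port
            addr = a[1]; port = a[n]
            proc = ($7 == "" ? "unknown" : $7)    # $7 is empty without -p rights
            sub(/^users:\(\("/, "", proc)         # keep only the process name
            sub(/".*/, "", proc)
            if (addr ~ /^127\./) next             # loopback only, not exposed
            if (index(allow, " " port " ") == 0)
                print "REVIEW " $1 " " $5 " " proc
        }'
}

# Constructed sample in the column layout of `ss -4nlp`.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      150    127.0.0.1:12788    0.0.0.0:*         users:(("cardano-node",pid=571059,fd=24))
tcp   LISTEN 0      128    0.0.0.0:2700       0.0.0.0:*         users:(("cardano-node",pid=571059,fd=27))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:8090       0.0.0.0:*         users:(("example-svc",pid=1500,fd=5))
EOF
}

# On a live host: ss -4nlp | audit_listeners "2700 22"
sample_ss_output | audit_listeners "2700 22"
```

Each REVIEW line is a service to justify, firewall or remove; the EKG port 12788 is not reported here because it is bound to 127.0.0.1 only.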

I’m just the pool operator, not the person running the script. Last time what fixed it is setting myself (user) to the folder where socket is and it fixed this same error.

And I have to save money; this is why I have the scripts on this relay. But it has no access to my block.

GLive is important to help know when something is wrong with the node.

I would raise the paranoia level if I was you. The only way to log into my block producer or any of my relays is using ssh key based authentication and the only authorised key is mine which resides within a hardware smartcard. I wouldn’t let any noob user access my system.

If the noob user wants to play around with the blockchain, why not set up a separate virtual machine running cardano-node that he can break and fix himself?

What does it provide that you can’t already see with:

curl -s -H 'Accept: application/json' http://localhost:12788 | jq '.'

And you can see all your incoming and outgoing connections with:

ss -4Htnp state established

If there is anything else the script provides for you then maybe it is better to dig this feature out and do it manually yourself. I don’t use gLiveView so I don’t know what else it provides.

Seems I fixed it by going into .bashrc and removing the socket line that wasn’t in there on my other relay.

Gives you a lot of information like KES time, incoming / outgoing peers, block information, etc.

But how is the gLiveView script gathering that information? I believe it gets most of the data from:

curl -s -H 'Accept: application/json' http://localhost:12788 | jq '.'

If you want eye-candy then what about prometheus + grafana to process the data from cardano-node EKG port 12788?

We are also working on a project to help node operators keep an eye on the back end, called CodaEA. With CodaEA, you set up a cron job to scan the cardano-node logs, and it checks anything marked as an “Error” against a knowledge base, and emails you if there are issues identified as severe. It also lets you post your own solutions and comments to help each other, and easily research the errors by providing a single link to CodaEA and Cardano Forum. If you are interested, https://www.codaea.io

1 Like