Node Operator
This article provides a guide to deploying the node operator components of Confidential Computing. It provides guidance on how to:
1. Configuring Genesis Block
Confidential Computing requires that a specific set of smart contracts are deployed on the blockchain. The deployment of these smart contracts is specified in a genesis block, which the blockchain nodes use when initializing the blockchain.
Create a genesis block using our genesis creator docker image:
docker run \
--name cc-genesis-creator \
-e NODE_ADDRESSES='["NODE_ADDRESS_1", "NODE_ADDRESS_2"]' \
-v .:/ \
registry.gitlab.com/secata/pbc/core/execution-container/cc-genesis-creator:latest
This creates a genesis.zip file in the working directory.
Make sure to run the command in the blockchain-node/conf/ directory created in the storage configuration step.
The NODE_ADDRESSES environment variable must be filled out with the blockchain addresses of the nodes participating in the system. If there are more than two nodes deployed, add additional entries as needed.
2. Blockchain Node
Warning
Before deploying any component, make sure you have followed the node operator sections in the getting started guide.
The blockchain node is the core component required to operate a blockchain within the Partisia Platform. In the context of Confidential Computing, the blockchain coordinates the execution of analyses and maintains an immutable audit trail of related activities. For additional information about blockchain nodes, see here.
Populating the Configuration File
We recommend using the following configuration in the blockchain-node/conf/server.json file created in the storage configuration step:
{
  "blockchain": { // (1)
    "externalListenerPort": 9111, // (2)
    "externalListenerKey": "EXTERNAL_LISTENER_KEY", // (3)
    "floodingPort": 8999, // (4)
    "storage": "STORAGE_PATH", // (5)
    "peers": ["BLOCKCHAIN_PEER_HOST"] // (6)
  },
  "enableReaderNode": true,
  "restPort": 8041, // (7)
  "genesisFile": "GENESIS_FILE_PATH", // (8)
  "producer": { // (9)
    "roundRobinConfig": { // (10)
      "producerKey": "BLOCK_PRODUCER_PRIVATE_KEY", // (11)
      "timeout": 20000
    }
  }
}
1. Configuration of the node related to the Blockchain.
2. Port to listen for TCP traffic. Used by all Execution Containers of the platform.
3. ECDSA private key of the TLS connection of the reader node.
   - It should be the key in the externalListenerKey.pk file from the getting started guide.
4. The open port to flood transactions to on this node.
5. Path to the storage folder inside the Docker container.
6. List of TCP hosts to flood transactions to. It should include all peer nodes deployed by other organizations.
7. REST endpoint port for users to interact with the blockchain.
8. Path to the generated genesis block file as seen from within the Docker container.
9. Configuration for producing blocks on the chain.
10. Configuration for Round-Robin block producer selection.
11. ECDSA private key of the node, used to sign blocks.
   - It should be the key in the blockProducerKey.pk file from the getting started guide.
In-depth configuration of the blockchain node image can be found here.
Configure the Docker Image
In addition, you must configure the blockchain node docker image by adding the following to your docker-compose.yml file:
Blockchain Node - Example Docker Configuration
services:
  confidential-computing-node:
    container_name: cc-blockchain-node
    image: registry.gitlab.com/secata/platform/platform-blockchain/blockchain-node:latest
    restart: unless-stopped
    ports:
      - "8041:8041"
      - "8999:8999"
      - "9111:9111"
    environment:
      PREPROCESSING_KEEP_FILES: "true"
    volumes:
      - /path/to/blockchain-node/conf:/conf
      - /path/to/blockchain-node/logs:/logs
      - /path/to/blockchain-node/storage:/storage
The bound ports are where other services will communicate with the blockchain node. These ports should match the ports specified in the server.json configuration file, and the network configuration.
The path of the three mapped volumes must correspond to the node operator folders created in the storage configuration step.
Deploy the Component
- Open your terminal and navigate to the directory containing your docker-compose.yml file.
- Execute the following Docker Compose command to start the blockchain node container:
  docker-compose up -d confidential-computing-node
- Check the logs of the blockchain node container to ensure it is running without errors:
  docker logs -f cc-blockchain-node
3. Execution Container
The execution container is a component of the blockchain system responsible for handling off-chain operations. It supports computational tasks that do not need to occur on-chain.
In the context of Confidential Computing, the execution container generates preprocessing material and performs the required analysis computations.
Populating the Configuration File
We recommend using the following configuration in the execution-container/conf/server.json file created in the storage configuration step:
{
  "restEndpointPort": 8071, // (1)
  "engineNetworkTcpAddress": "EXECUTION_ENGINE_TCP_HOST", // (2)
  "readerNodeEndpoint": "BLOCKCHAIN_NODE_REST_URL",
  "tcpReaderAddresses": ["BLOCKCHAIN_NODE_TCP_HOST"], // (3)
  "blockchainShards": 0,
  "storagePath": "STORAGE_PATH", // (4)
  "transactionPrivateKey": "TRANSACTION_PRIVATE_KEY", // (5)
  "tcpNetworkPrivateKey": "TCP_PRIVATE_KEY", // (6)
  "globalOffChainConfig": { // (7)
    "PREPROCESSING_KEYSHARE_HEX": "PREPROCESSING_KEY" // (8)
  }
}
1. Port for the execution container REST endpoint. Used by other non execution container components.
2. Publicly reachable hostname or IP address and port for this execution container's TCP communication. This address must be accessible by other Execution Containers across all organizations.
3. List of blockchain node TCP hosts. At a minimum, it should include the address of the node you are deploying. Each entry should be in the form publickey:domain:port.
   - The public key is the base64 encoded public part of the external listener key used by the blockchain node.
   - For your own node, you can get the public key by running: cargo pbc account publickey externalListenerKey.pk
4. Path to the folder used for persistent storage. The path is specified inside the Docker container.
5. ECDSA private key identifying the Execution Container when sending transactions to the on-chain nodes.
   - It should be the key in the transactionPrivateKey.pk file from the getting started guide.
6. ECDSA private key identifying the Execution Container when communicating with the other Execution Containers.
   - It should be the key in the tcpPrivateKey.pk file from the getting started guide.
7. Configuration related to off-chain nodes.
8. ECDSA private key for loading pre-processing material.
   - It should be the key in the preprocessingKey.pk file from the getting started guide.
Configure the Docker Image
In addition, you must configure the execution container docker image by adding the following to your docker-compose.yml file:
Execution Container - Example Docker Configuration
services:
  confidential-computing-execution-container:
    container_name: cc-execution-container
    image: registry.gitlab.com/secata/pbc/core/execution-container/execution-container-standalone:latest
    restart: unless-stopped
    ports:
      - "8071:8071"
      - "9000:9000"
    volumes:
      - /path/to/execution-container/conf:/conf
      - /path/to/execution-container/logs:/logs
      - /path/to/execution-container/storage:/storage
The bound ports are where other services will communicate with the execution container. These ports should match the ports specified in the server.json configuration file, and the network configuration.
The path of the three mapped volumes must correspond to the execution container folders created in the storage configuration step.
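A pre-deployment check for the execution container's server.json, added here as an example and not part of the Partisia documentation or tooling: it flags placeholders left unfilled, tcpReaderAddresses entries that are not in publickey:domain:port form, a REST port that is not published in docker-compose.yml, and a key-bearing file that other local users can access. The function names are hypothetical, the file is expected to be strict JSON (annotation comments removed), and the permission check assumes the container can read the file without world access.

```python
import base64, json, os, re, stat

PLACEHOLDER = re.compile(r"^[A-Z]+(_[A-Z0-9]+)+$")  # unfilled, e.g. TCP_PRIVATE_KEY

def string_leaves(node, path=""):
    """Yield (json_path, value) for every string value in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from string_leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from string_leaves(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def check_reader_address(entry):
    """Return an error string, or None if entry is publickey:domain:port."""
    parts = entry.split(":")
    if len(parts) != 3 or not all(parts):
        return "expected publickey:domain:port"
    key, _domain, port = parts
    try:
        base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "public key is not valid base64"
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        return "port is not in 1-65535"
    return None

def check_config(path, compose_ports):
    """Return findings for an execution-container server.json (strict JSON)."""
    findings = []
    # Assumption: the file need not be accessible to other local users.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o007:
        findings.append("file holds private keys but is accessible to other users")
    with open(path) as fh:
        cfg = json.load(fh)
    for where, value in string_leaves(cfg):
        if PLACEHOLDER.match(value):
            findings.append(f"{where}: placeholder {value} not replaced")
    for i, entry in enumerate(cfg.get("tcpReaderAddresses", [])):
        error = check_reader_address(entry)
        if error and not PLACEHOLDER.match(entry):
            findings.append(f"tcpReaderAddresses[{i}]: {error}")
    # compose_ports: the "host:container" strings from docker-compose.yml.
    published = {mapping.rsplit(":", 1)[-1] for mapping in compose_ports}
    if str(cfg.get("restEndpointPort")) not in published:
        findings.append("restEndpointPort is not published in docker-compose.yml")
    return findings
```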
Deploy the Component
- Open your terminal and navigate to the directory containing your docker-compose.yml file.
- Execute the following Docker Compose command to start the execution container:
  docker-compose up -d confidential-computing-execution-container
- Check the logs of the execution container to ensure it is running without errors:
  docker logs -f cc-execution-container