Node Operator

This article provides a guide to deploying the node operator components of Confidential Computing. It provides guidance on how to:

1. Configuring Genesis Block

Confidential Computing requires that a specific set of smart contracts are deployed on the blockchain. The deployment of these smart contracts is specified in a genesis block, which the blockchain nodes use when initializing the blockchain.

Create a genesis block using our genesis creator docker image:

    docker run \
      --name cc-genesis-creator \
      -e NODE_ADDRESSES='["NODE_ADDRESS_1", "NODE_ADDRESS_2"]' \
      -v .:/ \
      registry.gitlab.com/secata/pbc/core/execution-container/cc-genesis-creator:latest

This creates a genesis.zip file in the working directory. Make sure to run the command in the blockchain-node/conf/ directory created in the storage configuration step.

The NODE_ADDRESSES environment variable must be filled out with the blockchain addresses of the nodes participating in the system. If there are more than two nodes deployed, add additional entries as needed.

2. Blockchain Node

Warning

Before deploying any component, make sure you have followed the node operator sections in the getting started guide.

The blockchain node is the core component required to operate a blockchain within the Partisia Platform. In the context of Confidential Computing, the blockchain coordinates the execution of analyses and maintains an immutable audit trail of related activities. For additional information about blockchain nodes, see here.

Populating the Configuration File

We recommend using the following configuration in the blockchain-node/conf/server.json file created in the storage configuration step:

    {
        "blockchain": { // (1)!
            "externalListenerPort": 9111, // (2)!
            "externalListenerKey": "EXTERNAL_LISTENER_KEY", // (3)!
            "floodingPort": 8999, // (4)!
            "storage": "STORAGE_PATH", // (5)!
            "peers": ["BLOCKCHAIN_PEER_HOST"] // (6)!
        },
        "enableReaderNode": true,
        "restPort": 8041, // (7)!
        "genesisFile": "GENESIS_FILE_PATH", // (8)!
        "producer": { // (9)!
            "roundRobinConfig": { // (10)!
                "producerKey": "BLOCK_PRODUCER_PRIVATE_KEY", // (11)!
                "timeout": 20000
            }
        }
    }
  1. Configuration of the node related to the Blockchain.
  2. Port to listen for TCP traffic. Used by all Execution Containers of the platform.
  3. ECDSA private key of the TLS connection of the reader node.
  4. The open port to flood transactions to on this node.
  5. Path to the storage folder inside the Docker container.
  6. List of TCP hosts to flood transactions to. It should include all peer nodes deployed by other organizations.
  7. REST endpoint port for users to interact with the blockchain.
  8. Path to the generated genesis block file as seen from within the Docker container.
  9. Configuration for producing blocks on the chain.
  10. Configuration for Round-Robin block producer selection.
  11. ECDSA private key of the node, used to sign blocks. It should be the key in the blockProducerKey.pk file from the getting started guide.

In-depth configuration of the blockchain node image can be found here.

Configure the Docker Image

In addition, you must configure the blockchain node docker image by adding the following to your docker-compose.yml file:

Blockchain Node - Example Docker Configuration:

    services:
      confidential-computing-node:
        container_name: cc-blockchain-node
        image: registry.gitlab.com/secata/platform/platform-blockchain/blockchain-node:latest
        restart: unless-stopped
        ports:
          - "8041:8041"
          - "8999:8999"
          - "9111:9111"
        environment:
          PREPROCESSING_KEEP_FILES: "true"
        volumes:
          - /path/to/blockchain-node/conf:/conf
          - /path/to/blockchain-node/logs:/logs
          - /path/to/blockchain-node/storage:/storage

The bound ports are where other services will communicate with the blockchain node. These ports should match the ports specified in the server.json configuration file, and the network configuration.

The path of the three mapped volumes must correspond to the node operator folders created in the storage configuration step.
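
A pre-deployment check for the blockchain node, given here as an added example and not as Partisia tooling: it reports server.json ports that docker-compose.yml does not publish, private-key fields that still hold a template placeholder, and a file mode that lets group or others access the keys. The function names, the placeholder pattern and the permission expectation are assumptions of this example.

```python
import json
import os
import re
import stat

# Port and private-key fields of the blockchain node server.json shown above.
PORT_FIELDS = ["restPort", "blockchain.floodingPort", "blockchain.externalListenerPort"]
KEY_FIELDS = ["blockchain.externalListenerKey", "producer.roundRobinConfig.producerKey"]
# Assumption: an unfilled template value looks like EXTERNAL_LISTENER_KEY.
PLACEHOLDER = re.compile(r"^[A-Z]+(_[A-Z0-9]+)+$")

def lookup(cfg, dotted):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    for part in dotted.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return None
        cfg = cfg[part]
    return cfg

def check_node_config(cfg, compose_ports, file_mode):
    """Return findings for a parsed server.json, compose 'ports' entries and file mode."""
    findings = []
    if file_mode & 0o077:  # any group/other permission bit is set
        findings.append(f"file mode {file_mode:o} exposes the private keys to group/others")
    # Container-side port of each "host:container[/proto]" mapping.
    published = {int(p.rsplit(":", 1)[-1].split("/")[0]) for p in compose_ports}
    for field in PORT_FIELDS:
        port = lookup(cfg, field)
        if port not in published:
            findings.append(f"{field}={port} is not published in docker-compose.yml")
    for field in KEY_FIELDS:
        value = lookup(cfg, field)
        if not isinstance(value, str) or PLACEHOLDER.match(value):
            findings.append(f"{field} is missing or still a placeholder")
    return findings

def check_file(path, compose_ports):
    """Load server.json from disk and check it together with its permission bits."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    return check_node_config(cfg, compose_ports, stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample: listener key never filled in; the producer key is dummy hex.
SAMPLE_CFG = {"restPort": 8041, "producer": {"roundRobinConfig": {"producerKey": "1f" * 32}},
              "blockchain": {"externalListenerPort": 9111, "floodingPort": 8999,
                             "externalListenerKey": "EXTERNAL_LISTENER_KEY"}}

if __name__ == "__main__":
    print("\n".join(check_node_config(SAMPLE_CFG, ["8041:8041", "8999:8999"], 0o644)))
```
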

Deploy the Component

  1. Open your terminal and navigate to the directory containing your docker-compose.yml file.
  2. Execute the following Docker Compose command to start the blockchain node container:

    docker-compose up -d confidential-computing-node
    
  3. Check the logs of the blockchain node container to ensure it is running without errors:

    docker logs -f cc-blockchain-node
    

3. Execution Container

The execution container is a component of the blockchain system responsible for handling off-chain operations. It supports computational tasks that do not need to occur on-chain.

In the context of Confidential Computing, the execution container generates preprocessing material and performs the required analysis computations.

Populating the Configuration File

We recommend using the following configuration in the execution-container/conf/server.json file created in the storage configuration step:

    {
        "restEndpointPort": 8071, // (1)!
        "engineNetworkTcpAddress": "EXECUTION_ENGINE_TCP_HOST", // (2)!
        "readerNodeEndpoint": "BLOCKCHAIN_NODE_REST_URL",
        "tcpReaderAddresses": ["BLOCKCHAIN_NODE_TCP_HOST"], // (3)!
        "blockchainShards": 0,
        "storagePath": "STORAGE_PATH", // (4)!
        "transactionPrivateKey": "TRANSACTION_PRIVATE_KEY", // (5)!
        "tcpNetworkPrivateKey": "TCP_PRIVATE_KEY", // (6)!
        "globalOffChainConfig": { // (7)!
           "PREPROCESSING_KEYSHARE_HEX": "PREPROCESSING_KEY" // (8)!
        }
    }
  1. Port for the execution container REST endpoint. Used by other components that are not execution containers.
  2. Publicly reachable hostname or IP address and port for this execution container's TCP communication. This address must be accessible by other Execution Containers across all organizations.
  3. List of blockchain node TCP hosts. At a minimum, it should include the address of the node you are deploying. Each entry must be of the form publickey:domain:port.
    • The public key is the base64 encoded public part of the external listener key used by the blockchain node.
    • For your own node, you can get the public key by running: cargo pbc account publickey externalListenerKey.pk
  4. Path to the folder used for persistent storage. The path is specified inside the Docker container.
  5. ECDSA private key identifying the Execution Container when sending transactions to the on-chain nodes.
  6. ECDSA private key identifying the Execution Container when communicating with the other Execution Containers.
  7. Configuration related to off-chain nodes.
  8. ECDSA private key for loading pre-processing material.
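
An added example (not from the Partisia documentation) that validates tcpReaderAddresses entries against the publickey:domain:port form described in item 3, catching an unfilled placeholder, a missing field, a key that is not base64 and an out-of-range port. The function names and sample values are constructed for illustration; it assumes the domain is a hostname or IPv4 address, since an IPv6 literal would add further colons.

```python
import base64
import binascii

def parse_reader_address(entry):
    """Split one tcpReaderAddresses entry of the form publickey:domain:port.

    Returns (key_bytes, host, port) or raises ValueError naming the problem.
    """
    parts = entry.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected publickey:domain:port, got {len(parts)} field(s)")
    key_b64, host, port_text = parts
    try:
        # validate=True rejects characters outside the base64 alphabet.
        key = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key is not valid base64: {exc}") from None
    if not key:
        raise ValueError("public key is empty")
    if not host:
        raise ValueError("domain is empty")
    if not (port_text.isascii() and port_text.isdigit()) or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port {port_text!r} is not in 1..65535")
    return key, host, int(port_text)

def check_reader_addresses(entries):
    """Return {entry: error message or None} for a tcpReaderAddresses list."""
    results = {}
    for entry in entries:
        try:
            parse_reader_address(entry)
            results[entry] = None
        except ValueError as exc:
            results[entry] = str(exc)
    return results

# Constructed sample values: the key is 33 dummy bytes, not a real public key.
SAMPLE_KEY = base64.b64encode(bytes(range(33))).decode()
SAMPLE_ENTRIES = [
    f"{SAMPLE_KEY}:node.example.org:9111",   # well formed
    "BLOCKCHAIN_NODE_TCP_HOST",              # template placeholder left in place
    f"{SAMPLE_KEY}:node.example.org",        # port missing
    "not base64!:node.example.org:9111",     # key is not base64
    f"{SAMPLE_KEY}:node.example.org:99999",  # port out of range
]

if __name__ == "__main__":
    for entry, error in check_reader_addresses(SAMPLE_ENTRIES).items():
        print("ok " if error is None else "BAD", entry, "" if error is None else f"-> {error}")
```
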

Configure the Docker Image

In addition, you must configure the execution container docker image by adding the following to your docker-compose.yml file:

Execution Container - Example Docker Configuration:

    services:
      confidential-computing-execution-container:
        container_name: cc-execution-container
        image: registry.gitlab.com/secata/pbc/core/execution-container/execution-container-standalone:latest
        restart: unless-stopped
        ports:
          - "8071:8071"
          - "9000:9000"
        volumes:
          - /path/to/execution-container/conf:/conf
          - /path/to/execution-container/logs:/logs
          - /path/to/execution-container/storage:/storage

The bound ports are where other services will communicate with the execution container. These ports should match the ports specified in the server.json configuration file, and the network configuration.

The path of the three mapped volumes must correspond to the execution container folders created in the storage configuration step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing your docker-compose.yml file.
  2. Execute the following Docker Compose command to start the execution container:

    docker-compose up -d confidential-computing-execution-container
    
  3. Check the logs of the execution container to ensure it is running without errors:

    docker logs -f cc-execution-container