MAP VPS Setup - noncesense-research-lab/archival_network GitHub Wiki
Authors: @neptuneresearch @serhack
See /map_vps_setup_files for configuration files.
See /map_vps_setup_scripts for bash scripts for each section.
The first script, 0_map_vps_setup.sh, will set all of the scripts as executable and proceed to run them all, pausing for a user keypress after each section completes.
Run the following command to update the OS packages.
```
sudo apt-get update && sudo apt-get upgrade -y
```
This may cause the grub installer to appear. If it does:
- Optional: Review differences
- Accept differences
- Choose the device the OS is installed on; the default is /dev/sda
- Choose not to install grub
This may already be installed. See Automatic Updates for more information.
```
sudo apt install unattended-upgrades
```
- Install.
```
sudo apt-get install ufw
```
- Configure by running each of the following rule commands.

Rule Command | Purpose |
---|---|
`sudo ufw default allow outgoing` | Allow all outgoing traffic |
`sudo ufw default deny incoming` | Deny all incoming traffic by default |
`sudo ufw allow from any to any port 4422 proto tcp` | Allow incoming traffic to TCP port 4422 for sshd |
`sudo ufw allow from any to any port 18080 proto tcp` | Allow incoming traffic to TCP port 18080 for monerod |

- Enable the firewall and its logging.
```
sudo ufw enable
sudo ufw logging on
```
All MAP nodes must be in the UTC time zone in order to standardize the timestamps in the archive output.
- Run the timezone configuration tool.
```
sudo dpkg-reconfigure tzdata
```
- Enter the following configuration.

Setting | Value |
---|---|
Geographic area | None of the above |
Time zone | UTC |

- Result example:
```
Current default time zone: 'Etc/UTC'
Local time is now: Sun Oct 7 00:13:21 UTC 2018.
Universal Time is now: Sun Oct 7 00:13:21 UTC 2018.
```
Set the hostname to MAP-CITY-X, where CITY is the city where the server is physically located, and X is the index of the server in that city starting at 0. Example: MAP-TOKYO-0
```
# The ">" redirection is performed by the unprivileged shell, not by sudo, so
# "sudo echo ... > /etc/hostname" fails with permission denied; tee runs under sudo instead.
echo "MAP-CITY-0" | sudo tee /etc/hostname
sudo hostname -F /etc/hostname
```
If the server has a domain name, add a self entry for the server to the file /etc/hosts.
Add this line to the end:
```
0.0.0.0 server.org hostname
```
where:

Key | Value |
---|---|
0.0.0.0 | Public IP for server |
server.org | Domain name for server |
hostname | Hostname for server (MAP-CITY-X, same as in /etc/hostname) |
Set the Message of the Day on the server with the following command (tee is used because a plain ">" redirection would run without sudo's privileges).
```
echo "Welcome to $HOSTNAME part of the MAP (Monero Archival Project). Project coordinator : IsthmusCrypto. Infra Coordinator : SerHack. Any issues should be reported to the Project Coordinator" | sudo tee /etc/motd
```
- Create the user account `map`: `sudo adduser map`
- Add `map` to the `sudo` group so it can `sudo`: `sudo usermod -aG sudo map`
- Create the `sshusers` group (used by sshd_config `AllowGroups`): `sudo groupadd sshusers`
- Add `map` to the `sshusers` group: `sudo adduser map sshusers`
It is recommended to first back up the original configuration file /etc/ssh/sshd_config for future reference.
- Install the file map_vps_setup_files/sshd_config as /etc/ssh/sshd_config.
- Skip to step 4 of the Full Configuration.
Configure sshd via its configuration file /etc/ssh/sshd_config as follows.
Add the following settings.

Setting | Description |
---|---|
Port 4422 | Use a nonstandard port so that naive attempts to connect on the default port are rejected quicker |
AddressFamily inet | Use IPv4 only |
PermitRootLogin no | No root account login over ssh |
LoginGraceTime 60 | Login attempts time out after 60 seconds |
MaxAuthTries 8 | Login attempts are limited to 8 |
PubkeyAuthentication yes | Enable login via public key authentication |
AuthorizedKeysFile .ssh/authorized_keys | File which stores authorized public keys (NOTE: this is one line, the Markdown may have wrapped it to 2 lines) |
PasswordAuthentication no | Disable login via password |
Protocol 2 | Disable SSH protocol V1 |
AllowGroups sshusers | Only allow login from users of group sshusers |

The following default settings can remain.

Default Setting |
---|
ChallengeResponseAuthentication no |
UsePAM yes |
X11Forwarding yes |
PrintMotd no |
AcceptEnv LANG LC_* |
Subsystem sftp /usr/lib/openssh/sftp-server |

All other settings in the file that do not appear in the tables above should be disabled by commenting out the line with # at the beginning, e.g. #AddressFamily any
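As an added example (not part of the wiki or the project's scripts), the following POSIX shell audit checks an sshd_config against the settings required in the first table above; the sample configuration it inspects is constructed here, and the required-values list is taken from that table.

```shell
#!/bin/sh
# Added example (not MAP project code): audit an sshd_config against the settings
# required above. sshd uses the first occurrence of a keyword, so only that is compared.
# Required "Keyword value" pairs, taken from the table above.
REQUIRED='Port 4422
AddressFamily inet
PermitRootLogin no
LoginGraceTime 60
MaxAuthTries 8
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Protocol 2
AllowGroups sshusers'
# Constructed sample standing in for /etc/ssh/sshd_config, with three deviations:
# Port left at 22, AddressFamily still commented out, root login permitted.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
#AddressFamily any
PermitRootLogin yes
LoginGraceTime 60
MaxAuthTries 8
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Protocol 2
AllowGroups sshusers
EOF
# sshd_value FILE KEYWORD: effective value of KEYWORD (case-insensitive), ignoring comments.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}
# audit_sshd FILE: print one line per missing or mismatched required setting.
audit_sshd() {
    printf '%s\n' "$REQUIRED" | while read -r key want; do
        have="$(sshd_value "$1" "$key")"
        if [ -z "$have" ]; then echo "MISSING  $key (want $want)"
        elif [ "$have" != "$want" ]; then echo "MISMATCH $key: have '$have', want '$want'"
        fi
    done
}
# sshd_is_compliant FILE: succeed only when audit_sshd reports nothing.
sshd_is_compliant() { [ -z "$(audit_sshd "$1")" ]; }
audit_sshd "$SAMPLE_CFG"
```

Run it against the real file with `audit_sshd /etc/ssh/sshd_config` before restarting sshd; an empty report means every required setting is in effect.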
- Create the folder /home/map/.ssh and `chmod 700 /home/map/.ssh`.
- Install the file /map_vps_setup_files/authorized_keys as /home/map/.ssh/authorized_keys and `chmod 600 /home/map/.ssh/authorized_keys`.
- Add other public SSH keys as desired.
- Set the owner on /home/map/.ssh and its contents: `sudo chown -R map:map /home/map/.ssh`
After configuring, validate the file with `sudo sshd -t` (it prints the offending line without touching the running service), keep your current session open, and then restart ssh.
```
sudo systemctl restart ssh
```
If ssh fails to restart because of a bad configuration, you can find the invalid configuration line(s) in the syslog at /var/log/syslog.
With the above configuration:

ssh login command | ssh response |
---|---|
`ssh map@map-city-0` | Connection refused |
`ssh map@map-city-0 -p 4422 -i ~/.ssh/map` (and client DOES NOT have key in authorized_keys) | Permission denied (publickey) |
`ssh map@map-city-0 -p 4422 -i ~/.ssh/map` (and client DOES have key in authorized_keys) | Login is successful |
monerod-archive requires the following directories.

Directory | Purpose |
---|---|
/usr/bin/monero | Application |
/var/lib/monero | Data (aka .bitmonero) |
/var/log/monero | Logs |
/opt/monerodarchive | monerod-archive output |

All directories should have permissions 755 and owner map:map.
For each directory, substitute the directory name into the following commands:
```
# Create directory
sudo mkdir /usr/bin/monero
# Set owner to map user, map group
sudo chown map:map /usr/bin/monero
# Set directory permissions (chmod, not chown, sets the mode)
sudo chmod 755 /usr/bin/monero
```
Download and unpack the release into the application directory:
```
cd /usr/bin/monero
wget https://github.com/neptuneresearch/monerod-archive/releases/download/0.08/monerod-archive-v8-linux-amd64.tar.gz
tar -vxf ./monerod-archive-v8-linux-amd64.tar.gz
```
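The directory setup above, as an added example that is not part of the wiki or the project's scripts: one idempotent function applied to all four directories, followed by a check that each ended up with the owner and mode the table requires. The PREFIX and OWNER parameters are assumptions introduced here so the script can be dry-run unprivileged.

```shell
#!/bin/sh
# Added example (not MAP project code): provision the monerod-archive directories
# idempotently and verify owner and mode. PREFIX and OWNER are parameters added
# here so it can be dry-run unprivileged under a scratch directory; on a real node
# run it with sudo, an empty prefix and owner map:map, as the table above requires.
MAP_DIRS="/usr/bin/monero /var/lib/monero /var/log/monero /opt/monerodarchive"
MAP_MODE=755
# ensure_dir DIR OWNER MODE: create if missing, then enforce owner and mode.
ensure_dir() {
    mkdir -p "$1" && chown "$2" "$1" && chmod "$3" "$1"
}
# dir_state DIR: print "owner:group mode" (GNU/busybox stat -c).
dir_state() {
    stat -c '%U:%G %a' "$1"
}
# provision_map_dirs PREFIX OWNER: apply ensure_dir to each MAP directory under
# PREFIX and return non-zero if any does not end up in the expected state.
provision_map_dirs() {
    prefix="$1"; owner="$2"; rc=0
    for d in $MAP_DIRS; do
        ensure_dir "$prefix$d" "$owner" "$MAP_MODE" || rc=1
        state="$(dir_state "$prefix$d")"
        if [ "$state" != "$owner $MAP_MODE" ]; then
            echo "BAD $prefix$d: $state (want $owner $MAP_MODE)"; rc=1
        fi
    done
    return $rc
}
# Dry run under a scratch prefix as the current user (constructed, not a real node).
provision_map_dirs "$(mktemp -d)" "$(id -un):$(id -gn)" && echo "all MAP directories OK"
```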
- Install the file /map_vps_setup_files/monerod-archive.conf as /etc/monerod-archive.conf.
- Set owner and permissions as follows.
```
sudo chown map:map /etc/monerod-archive.conf
sudo chmod 644 /etc/monerod-archive.conf
```
- Install the file /map_vps_setup_files/monerod-archive.service as /etc/systemd/system/monerod-archive.service.
- Reload systemd service files: `sudo systemctl daemon-reload`
- Enable the monerod-archive service at startup: `sudo systemctl enable monerod-archive`
- Start the monerod-archive service now: `sudo systemctl start monerod-archive`
- Check the status of the monerod-archive service: `sudo systemctl status monerod-archive`
Install the file /map_vps_setup_files/monerod-archive.logrotate.conf as /etc/logrotate.d/monerod-archive.
```
sudo apt-get install collectd collectd-utils
```
Install the file map_vps_setup_files/collectd.conf as /etc/collectd/collectd.conf.
- Edit the file /etc/collectd/collectd.conf and enable the plugin "Network". The other plugins (cpu, df, etc.) have already been enabled. TODO: add the list of plugins enabled.
- Add the following block in the Plugin configuration section:
```
<Plugin processes>
  CollectFileDescriptor true
  CollectContextSwitch true
  Process "monerod-archive-v7"
</Plugin>
<Plugin ping>
  Host "$GRAFANAHOST"
  Interval 1.0
  Timeout 0.9
  TTL 255
  MaxMissed -1
</Plugin>
<Plugin network>
  Server "$GRAFANAHOST" "$GRAFANAPORT"
</Plugin>
```
Replace $GRAFANAHOST and $GRAFANAPORT with the IP address and port where Grafana and InfluxDB are installed. Note that this one-line Server form sends metrics unauthenticated and unencrypted; if the Grafana host is reached over an untrusted network, collectd's network plugin accepts a `<Server "host" "port">` block with `SecurityLevel Encrypt` plus `Username` and `Password`.
- Go to the Grafana dashboard. Select the appropriate hostname and it will show you the new data (it may take some minutes to fetch data).