How to become a witness
So you want to be a witness? Great! You've come to the right place. But before we get down to it, you need to ask yourself a difficult question:
Witnesses play a vital role for Steem and it's important that a witness be both trustworthy and reliable.
A trustworthy witness has Steem's interest at heart. Other users can trust that the witness isn't trying to game the system for personal gain and wants to support Steem's growth.
A reliable witness ensures that their server runs smoothly 24 hours a day, 7 days a week, 365.25 days per year.
Witnesses also require a lot of knowledge in order to do their job well.
A witness must know what a witness does and why witnesses are so integral to the Steem ecosystem. If you can't answer @thecryptofiend's Witness Questionnaire, you're probably not ready for the responsibility being a witness brings.
A witness must be comfortable on the command-line, building software from source, hardening a server, and with general server maintenance. If you've never done this before, you're probably not ready.
If after reading this stark introduction you feel you have what it takes to be a witness, continue reading, and good luck!
1. Procure a server
When a witness is selected to create and sign a transaction block it must complete this quickly. The following specifications are the minimum requirements for a reliable witness. Keep in mind that over time this will change.
- CPU: Dual core @ 2GHz or higher per core
- Memory: 16GB (32GB to be future-proof)
- Bandwidth: 1 Gbit/s
- Storage: 500GB drive
This guide assumes you're using Ubuntu 16.04 LTS. You can use other Linux distributions, but there may be slight differences.
It's common for witnesses to rent a server from a hosting provider such as OVH or Hetzner. You can use your own machine, but keep in mind the responsibility you have as a witness.
2. Harden the server
To be both trustworthy and reliable the server must be secure. This section covers some common ways to harden a server.
Use SSH keys to login
It's common for attackers to try and brute-force SSH passwords. Using SSH keys mitigates this since it's much more difficult to brute-force with today's technology.
Generate a passphrase-protected SSH key on each computer that will connect to your server using:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Copy the contents of ~/.ssh/id_rsa.pub from each computer into individual lines of ~/.ssh/authorized_keys on the server, or run ssh-copy-id <server-ip-address> on every computer to which you are granting access (you'll have to enter the server password at the prompt). Test that you can log in using SSH keys. This is vital because the next step disables password logins.
Disable password authentication in SSH on the server. Open /etc/ssh/sshd_config, find the line that says
#PasswordAuthentication yes
and change it to
PasswordAuthentication no
Restart the SSH server daemon to apply the change with:
sudo service ssh restart
From now on you can only log in to your server using SSH keys. If you lose the keys on the clients that connect to the server, you won't be able to log in to the machine. Make a backup.
Disable root login
On some systems root login is enabled by default. Before you disable the root login, make sure you are able to log in via SSH with another account.
To disable root login via SSH, open /etc/ssh/sshd_config and find the following line:
#PermitRootLogin no
Uncomment the line by removing the # symbol:
PermitRootLogin no
Then restart the SSH server with:
sudo service ssh restart
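The two sshd_config edits above (disabling password authentication and root login) can be applied and verified by a script rather than by hand. This is an added example, not part of the original post: it assumes a Debian/Ubuntu sshd layout, takes the config path as a parameter so it can be tried on a copy first, and validates the file with sshd -t before restarting so a typo cannot lock you out.

```shell
# Added example (not from the original post): idempotently apply the two sshd
# settings this guide relies on, verify them, and only then restart sshd.

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY ..." line (commented out or not) to "KEY VALUE",
# or appends it when the key is absent, so repeated runs give the same file.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> prints the first active (uncommented) value
get_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# check_sshd_hardened FILE -> exit 0 only when both guide settings are in force
check_sshd_hardened() {
    [ "$(get_sshd_option "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(get_sshd_option "$1" PermitRootLogin)" = "no" ]
}

# harden_sshd FILE: apply both settings, re-check them, and for the live
# config run sshd -t (syntax check) before restarting the daemon.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
    check_sshd_hardened "$1" || { echo "hardening failed for $1" >&2; return 1; }
    if [ "$1" = /etc/ssh/sshd_config ] && command -v sshd >/dev/null; then
        sshd -t -f "$1" && service ssh restart
    fi
}
```

Run it as root with `harden_sshd /etc/ssh/sshd_config` only after confirming key-based login works from an open second session.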
Create a steem user account
Running steemd under its own account offers a last line of defense should your login account be compromised. It also helps protect against mistakes when you're administering the server.
-> % sudo useradd steem
-> % sudo passwd steem
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Every time we work with steemd we first need to switch to this user.
3. Install steem
As steem evolves this information will become out of date. You can find the latest instructions in the Steem GitHub repository.
First install the dependencies:
# Required packages
sudo apt-get install git make automake cmake g++ libssl-dev autoconf libtool
# Boost packages (also required)
sudo apt-get install libboost-thread-dev libboost-date-time-dev libboost-system-dev libboost-filesystem-dev libboost-program-options-dev libboost-signals-dev libboost-serialization-dev libboost-chrono-dev libboost-test-dev libboost-context-dev libboost-locale-dev libboost-coroutine-dev libboost-iostreams-dev
# Optional packages (not required, but will make a nicer experience)
sudo apt-get install doxygen perl libreadline-dev libncurses5-dev
Next, clone the source code repository, check out the latest stable version and update the submodules. In the example below, v0.14.2 is used as the version. You can find the list of releases here.
git clone https://github.com/steemit/steem
cd steem
git checkout v0.14.2
git submodule update --init --recursive
And finally, build and install the software:
cmake -DCMAKE_BUILD_TYPE=Release .
make steemd
make cli_wallet
sudo make install
4. Configure cli_wallet
cli_wallet isn't strictly needed for being a witness, but this guide uses it to automate updating the price feed, so we want to make sure it's set up properly.
Login as the steem user:
-> % su steem
Password:
Run cli_wallet. Since we don't have a running node yet, we'll connect to the node managed by @xeroc and @jesta.
cli_wallet -s wss://node.steem.ws/
cli_wallet runs an interactive console. First we need to set a password:
new >>> set_password "some-secure-password"
Then import your ACTIVE private key, which you can find on your Steemit profile page under Permissions.
locked >>> unlock "<some-secure-password>"
import_key <active-private-key>
5. Configure steemd
Login as the steem user:
-> % su steem
Password:
Run steemd from the home folder to create the default config file; after a few seconds, stop steemd by pressing Ctrl+C.
-> % cd ~
-> % steemd
-> % ls ~/witness_node_data_dir
blockchain config.ini db_version logs node p2p
There is now a folder called witness_node_data_dir which contains the default config file config.ini. This is the file that needs editing.
Check seed latency
The seed-node addresses can optionally be checked for latency issues. @arcange encountered a strange issue where steemd would crash because a seed node was responding slowly.
Check each node using ping to see how quickly it responds:
-> % ping -U seed.steemd.com
PING seed.steemd.com (162.213.199.171) 56(84) bytes of data.
64 bytes from 162.213.199.171: icmp_seq=1 ttl=59 time=138 ms
64 bytes from 162.213.199.171: icmp_seq=2 ttl=59 time=138 ms
64 bytes from 162.213.199.171: icmp_seq=3 ttl=59 time=139 ms
64 bytes from 162.213.199.171: icmp_seq=4 ttl=59 time=138 ms
The example above is the node that was causing issues for @arcange. 138ms is a long time in steem land. Compare this to the node run by @pharesim:
-> % ping -U steemd.pharesim.me
PING steemd.pharesim.me (176.9.85.102) 56(84) bytes of data.
64 bytes from 176.9.85.102: icmp_seq=1 ttl=55 time=19.4 ms
64 bytes from 176.9.85.102: icmp_seq=2 ttl=55 time=15.2 ms
64 bytes from 176.9.85.102: icmp_seq=3 ttl=55 time=15.3 ms
64 bytes from 176.9.85.102: icmp_seq=4 ttl=55 time=14.9 ms
Remove nodes from the config file that respond too slowly.
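The check above can be run over every seed-node entry in config.ini at once. This is an added example, not part of the original post: it assumes the "seed-node = host:port" syntax of config.ini, the per-packet "time=NN ms" lines that Linux ping prints, and a threshold (50 ms by default) that is my own choice, picked so that the 138 ms seed above is flagged and the 15 ms one is not.

```shell
# Added example (not from the original post): ping each seed-node in config.ini
# and flag the ones whose mean RTT is above a threshold so they can be pruned.

# seed_hosts_from_config FILE -> one hostname per line (port stripped,
# commented-out entries ignored)
seed_hosts_from_config() {
    grep -E '^[[:space:]]*seed-node[[:space:]]*=' "$1" |
        sed -E 's/^[^=]*=[[:space:]]*//; s/:[0-9]+[[:space:]]*$//'
}

# mean_rtt_ms < ping-output -> mean of the "time=NN ms" samples, empty if none
mean_rtt_ms() {
    awk 'match($0, /time=[0-9.]+ ms/) {
             sum += substr($0, RSTART + 5, RLENGTH - 8); n++
         }
         END { if (n) printf "%.1f\n", sum / n }'
}

# is_slow RTT_MS THRESHOLD_MS -> exit 0 when the RTT exceeds the threshold
is_slow() {
    awk -v r="$1" -v t="$2" 'BEGIN { exit !(r > t) }'
}

# check_seeds CONFIG [THRESHOLD_MS] -> prints "host rtt status" per seed;
# the 50 ms default is an assumed cut-off, not a value from the guide.
check_seeds() {
    threshold=${2:-50}
    seed_hosts_from_config "$1" | while read -r host; do
        rtt=$(ping -U -c 4 "$host" 2>/dev/null | mean_rtt_ms)
        if [ -z "$rtt" ]; then
            echo "$host - unreachable"
        elif is_slow "$rtt" "$threshold"; then
            echo "$host $rtt SLOW (consider removing)"
        else
            echo "$host $rtt ok"
        fi
    done
}
```

Usage: `check_seeds ~/witness_node_data_dir/config.ini 50`.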
Witness name
Set the witness setting in the config file to your witness name. For most this is simply your Steemit username:
# name of witness controlled by this node (e.g. initwitness )
witness = "bitcalm"
Note: The quotation marks surrounding the witness name are required.
Private key
The private key can be generated using cli_wallet.
locked >>> unlock "<some-secure-password>"
suggest_brain_key
The response looks like the following.
suggest_brain_key
{
"brain_priv_key": "AXTREE DEWLIKE MINICAM NIECE TYLOSE IVYWOOD GAINSAY BORISH OZENA UNTOUGH UPHER LANCED MILEWAY UNTILL STINGY WAGLING",
"wif_priv_key": "5Jv8oJuSyHipaoSdTGNHaUpaHXQnBXonJH4Hf3XizRb3SxN3ab2",
"pub_key": "STM5BmtqDNg945q7LUhfRrSvb2Ar5fvbW1bKXGRLzs5FiJPyzyVoC"
}
Important: Put this information somewhere safe.
Copy the wif_priv_key from the output to the private-key setting in the config file.
# WIF PRIVATE KEY to be used by one or more witnesses or miners
private-key = 5Jv8oJuSyHipaoSdTGNHaUpaHXQnBXonJH4Hf3XizRb3SxN3ab2
The public key will be used later when you broadcast your intent to become a witness.
Updating the price feed
We'll provide price feed updates using steem_price_feed.bash created by @steempty.
Login as the steem user:
-> % su steem
Password:
Clone the git repository containing the script:
git clone https://github.com/steempty/steem_price_feed.bash
Create a file called lock in the home folder and add the JSON-RPC command for unlocking the wallet:
{"id":0,"method":"unlock","params":["<your_password>"]}
Change the file permissions so it's only readable by the steem user:
-> % chmod 400 lock
The update_price_feed.bash script uses cli_wallet. We'll run this as a daemon in the next section so it's always available.
6. Run the witness
We need steemd, cli_wallet, and steem_price_feed.bash to all run automatically whenever the machine is rebooted, and to restart whenever an error occurs.
There are a few options for this; this guide uses supervisor.
Supervisor is installed by default, but if it's not you can install it using apt-get:
-> % sudo apt-get install supervisor
On Ubuntu 16.04 supervisor doesn't start up by default when the system boots. To enable this, run:
-> % sudo systemctl enable supervisor
Create the file /etc/supervisor/conf.d/steem.conf with the following contents, replacing <your-witness-name>.
[program:steemd]
command=steemd --replay-blockchain
directory=/home/steem
user=steem
startsecs=1800
autostart=true
autorestart=true
stdout_logfile=AUTO
stderr_logfile=AUTO
[program:cli_wallet]
command=bash -c "sleep 1800 && exec cli_wallet -d --rpc-endpoint 127.0.0.1:8092"
directory=/home/steem
user=steem
startsecs=10
autostart=true
autorestart=true
stdout_logfile=AUTO
stderr_logfile=AUTO
[program:steem_price_feed]
command=bash -c "sleep 1810 && exec steem_price_feed.bash/steem_price_feed.bash -w <your-witness-name>"
directory=/home/steem
user=steem
autostart=true
autorestart=true
stdout_logfile=AUTO
stderr_logfile=AUTO
Note: cli_wallet and steem_price_feed are delayed by 30 minutes to give steemd a chance to sync up. This may not be long enough for everyone.
Restart supervisor so it picks up the new config file:
-> % sudo service supervisor restart
You can also manually start and stop services with the following commands:
-> % sudo supervisorctl stop steemd
steemd: stopped
-> % sudo supervisorctl start steemd
steemd: started
To monitor the status of all processes managed by supervisor, use the following command:
-> % sudo supervisorctl status
cli_wallet RUNNING pid 21378, uptime 1:43:07
steem_price_feed RUNNING pid 22685, uptime 1:29:48
steemd RUNNING pid 20787, uptime 6:50:38
Supervisor logs all output to files in /var/log/supervisor/.
7. Broadcast your intent to become a witness
The last step is to broadcast your intent to become a witness to the network.
Login as the steem user:
-> % su steem
Password:
Start cli_wallet and use the update_witness command:
locked >>> unlock "<some-secure-password>"
update_witness "<your-witness-name>" "<your-witness-post>" "<your-public-brain-key>" {"account_creation_fee":"10.000 STEEM","maximum_block_size":65536,"sbd_interest_rate":1000} true
Your witness is running and you've broadcast your intent. Now what?
8. Get votes
The higher the total vests you have from your witness votes, the higher in the witness table you are, which means you will be selected more often to create and sign blocks; make it to the top 19 and you get selected every round.
But getting votes, especially big votes, isn't easy. It takes time to build up a reputation and show people that you are both trustworthy and reliable.
This makes it very hard to give advice other than that you continue being a positive force in the community, interacting and helping your fellow Steemians.
Banner photo by Sebastien Wiertz used under the CC-BY-2.0 license. Changes were made to the original.
To harden your server even more, make sure ssh login for root is disabled, forbid login for an IP after a couple of failed attempts, and close down all other ports but the one for SSH. But take care to not lock yourself out in the process.
Added a section for disabling root login. Thanks. Also some great advice that needs repeating: take care not to lock yourself out in the process
fail2ban works fine
and you have to change the ssh port away from default.
Use 127.0.0.1, there's no reason for it to be accessible from outside at all
Thank you for the tut. I am thinking of adapting this to be run on a FreeBSD Jail and hopefully start a new trend =)
@remind.bot 3 hrs
Thanks for the shout out captain!
Credit where credit's due, artiste.
Congratulations @bitcalm! This post was recommended by @thecryptofiend, and was so good that we decided to feature it in our newspaper. Check it out here: https://t.co/Xq9gkf7Go7
Thanks. Always a great feeling when your work gets recognised :)
Thanks @bitcalm! Just used this guide to help me get a witness up and running :) Most things went smoothly.
Here's something to maybe add before the 'broadcast your witness' part:
The logs can be found in /var/log/supervisor/steem*
If you do a
$tail -f /var/log/supervisor/*
you should see "Syncing blockchain" lines.
If you don't see these lines something's wrong.
You may need to add seed-node lines to the /home/water/witness_node_data_dir/config.ini
The default version had no entries (for me anyway).
Anyway, thanks so much, just wanted to pass on what I learned :)
Please check out my witness thread at https://steemit.com/witness-category/@nonlinearone/vote-for-nonlinearone-as-witness-bryan-s-witness-thread-version-1-0
That's odd that the default config had no seed-node entries. Are you sure you're using v0.14.2? Thanks for the tips, I'll update the post when I get a chance. Glad you got your witness up and running.
Thanks for this excellent guide! I have been thinking about trying to become a witness. This guide will really help!
One question regarding the servers. On OVC, they have options for "Dedicated" and "Cloud". The cloud looks cheaper. Do you have any tips/suggestions on which server package is good to choose? (When I searched, the SP-30 under 'RAM Instances' with some additional HD space added in seems like the most affordable option to meet all the requirements.)
I recommend you chat with some of the expert witnesses in the chat that have more experience running on such services. I'm using my own server, so my experience is a little different. The feeling I get is that if the CPU/RAM match, the bandwidth is really important - if throughput is inconsistent, you might miss blocks because you're too slow to respond. I'm sorry I can't help you more but I've only been running my node for 4 days and this article is the information I collected while doing it.
No problem. Thanks for your reply :)
Ugh! You suck! You have officially ruined an upcoming weekend of mine! ;)
Nice language... Easy to read. Reblog!
Thanks. Readability is very important for a guide like this, so that's good to hear.
Great How-to. I feel that I'm technically ready to become a witness but I'm going to hold off for awhile and focus on content creation for right now. I feel like if I can gain a bigger following and build my reputation up higher I have a better chance of becoming a witness in the future.
Great post on the whole process and security hardening! One tiny note that would be good to have is to check out a specific release tag after cloning the steem repo. Using SSH keys is not just secure but convenient, no having to type the password!
Thanks for the tip about checking out a specific release. I've updated the post to include this.