Universa node: server configuration

The server should already satisfy the requirements (hardware/OS) specified on Node Owner Central.

Required packages

Latest PostgreSQL repository

Configure the PostgreSQL 10 apt sources as described here.

Mandatory packages

Install the mandatory packages needed to launch and maintain a Universa node:

apt-get install apache2-utils build-essential check-postgres curl dirmngr git haveged libpam-systemd libpq-dev libssl-dev lsb-release netfilter-persistent nginx-light postgresql postgresql-client pgtop rsync sudo wget vim hdparm net-tools

Java

Installing Oracle JDK from webupd is discontinued because the Oracle license has changed. There are two options now:

  1. Register with Oracle, then download and install the Linux x64 tar.gz archive.

  2. Install the openjdk-11-jdk package from the Debian stretch-backports repository.

DISCONTINUED METHOD

Install the webupd8.org Oracle Java packages for Debian:

su -
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer oracle-java8-set-default binfmt-support
exit

Open the /etc/java-8-oracle/security/java.security file in a text editor and change the line

securerandom.source=file:/dev/random

to

securerandom.source=file:/dev/urandom

Save the change and exit the text editor. See details here.

Other packages

Recommended, but not mandatory, packages:

  • cryptsetup – to protect private keys and other sensitive data in a LUKS encrypted partition, or even the full PostgreSQL data directory.
  • certbot – to get free SSL certificates for the Nginx HTTP server.

Nginx

See the conf files in the attached nginx.tgz; the real domain appears there as the template #{domain}.

Every external node should use its own domain. We highly recommend putting the node behind CloudFlare for protection, HTTPS and so on. To encrypt the traffic between CloudFlare and the node we recommend free “Let’s Encrypt” SSL certificates; install the certbot package for this purpose.

Unpack the example files from the archive and place them in /etc/nginx, change the domain name everywhere, edit the SSL certificate paths, generate dhparam, create the symlink and reload nginx:

ln -s /etc/nginx/sites-available/universa_node /etc/nginx/sites-enabled
openssl dhparam -out /etc/nginx/dhparam.pem 4096
nginx -t && nginx -s reload

Obtaining an SSL certificate with certbot

When configuring your node to use free Let’s Encrypt SSL certificates, take the following precaution:

Until you have received the first SSL certificate for your host, the 8443 ssl listen line in your Nginx conf file cannot be used (there is no certificate yet), so comment it out for now.

Edit the domain in the command below and obtain the certificate with:

certbot certonly -d #{domain} --webroot -w /var/www/letsencrypt

After successful execution, uncomment the SSL-related section in your Nginx file and reload Nginx again (service nginx reload).

Extra configuration

PostgreSQL

After the packages are installed, create the user for Universa with a custom password, and a database of your choice:

CREATE USER universa PASSWORD '<PASSWORD>';
CREATE DATABASE universa_node WITH OWNER=universa;

Add the following line to pg_hba.conf; adjust it if you have changed the user name or database name:

local    universa_node   universa       md5

Tuning postgresql.conf

Enable more simultaneous connections in /etc/postgresql/10/main/postgresql.conf:

max_connections = 500

Also configure the memory-related settings. They depend on your server's RAM and disk type, so change the numbers accordingly (refer to http://pgtune.leopard.in.ua/ and the PostgreSQL documentation):

shared_buffers = 196MB
work_mem = 64MB
maintenance_work_mem = 256MB
max_wal_size = 8GB

Restart the server:

systemctl restart postgresql.service

Prepare dedicated user for service

Add the user deploy for the node; please use exactly this name:

useradd -m -s /bin/bash deploy

Allow the user to read the systemd journal:

usermod -a -G systemd-journal deploy

Enable lingering so the user's systemd services run without an active login session:

loginctl enable-linger deploy

Prepare the systemd service file /home/deploy/.config/systemd/user/java.service:

[Unit]
Description=universa java daemon
After=network.target

[Service]
StandardOutput=journal+console
StandardError=journal+console
Type=simple
WorkingDirectory=/home/deploy/universad/current
ExecStart=/usr/bin/java -jar /home/deploy/universad/current/app/uninode.jar -c /home/deploy/universad/current
TimeoutStartSec=15s
ExecStop=/bin/kill -TERM $MAINPID
TimeoutStopSec=10s
Restart=always

[Install]
WantedBy=default.target

Reload systemd and enable the service:

systemctl --user daemon-reload
systemctl --user enable java

Prepare the keys for the network with the uniclient tool; example for 10 nodes:

for n in $(seq 1 10); do uniclient -g node_$(printf "%04d" $n); done

Prepare the config in YAML format; example for the first node. You have to change the domain node-1-test.example.com and the IP addresses.

---
http_client_port: 2052
http_client_listen:
- 127.0.0.1
http_server_port: 2082
udp_server_port: 2700
database: jdbc:postgresql://localhost:5432/universa_node?user=universa&password=<PASSWORD>
node_number: 1
public_host: node-1-test.example.com
node_name: node-1-test.example.com
ip:
- 1.2.3.4
ipv6:
- 1111:2222:33:4::5555

Upload the jars to the folder ~/universad/current/app

Upload the public keys of all nodes to ~/universad/current/config/keys

Upload the node conf files to ~/universad/current/config/keys

Upload the current node's conf file to ~/universad/shared/config/config.yaml

Upload the private key to the folder ~/universad/current/tmp; it may be a tmpfs or ramfs folder.
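Before starting the service it is worth checking that the tree above is complete and that the secrets in it are protected. The script below is an added example, not part of the Universa project; it assumes exactly the layout given above ($ROOT/current/app/uninode.jar, $ROOT/current/config/keys, $ROOT/shared/config/config.yaml, $ROOT/current/tmp) and GNU stat as shipped on Debian.

```shell
# Pre-flight check of the deploy user's node tree before "systemctl --user start java".
# Added example, not part of the Universa project. It assumes the layout given above:
# $ROOT/current/app/uninode.jar, $ROOT/current/config/keys (one public key per node),
# $ROOT/shared/config/config.yaml and $ROOT/current/tmp for the private key.
# Usage: check_node_layout /home/deploy/universad 10   (second argument: node count)

yaml_value() {
    # Print the scalar value of a top-level key from the simple config.yaml above.
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tr -d '[:space:]'
}

check_node_layout() {
    root=$1; nodes=$2; rc=0
    cfg="$root/shared/config/config.yaml"

    [ -f "$root/current/app/uninode.jar" ] \
        || { echo "missing jar: $root/current/app/uninode.jar"; rc=1; }

    # Every node's public key must be present (counts files, whatever the suffix).
    nkeys=$(find "$root/current/config/keys" -type f 2>/dev/null | wc -l)
    [ $((nkeys + 0)) -ge "$nodes" ] \
        || { echo "expected $nodes public keys, found $((nkeys + 0))"; rc=1; }

    [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }

    # config.yaml carries the database password: keep it unreadable to other users.
    case $(stat -c %a "$cfg") in          # GNU stat (Debian)
        600|400) ;;
        *) echo "$cfg is readable by group/others, run: chmod 600 $cfg"; rc=1 ;;
    esac

    # The <PASSWORD> template placeholder must have been replaced.
    grep -q '<PASSWORD>' "$cfg" \
        && { echo "database: line still contains the <PASSWORD> placeholder"; rc=1; }

    # node_name and public_host are expected to match (catches a typo in either).
    name=$(yaml_value "$cfg" node_name)
    [ -n "$name" ] && [ "$name" = "$(yaml_value "$cfg" public_host)" ] \
        || { echo "node_name '$name' does not match public_host"; rc=1; }

    # The private key directory should be tmpfs/ramfs so the key never hits disk.
    fstype=$(stat -f -c %T "$root/current/tmp" 2>/dev/null || echo unknown)
    case $fstype in
        tmpfs|ramfs) ;;
        *) echo "warning: $root/current/tmp is on '$fstype', not tmpfs/ramfs" ;;
    esac
    return $rc
}
```

The function exits non-zero on any hard failure and only warns about the tmpfs check, so it can guard a deployment script with `check_node_layout ~/universad 10 || exit 1`.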

Now we are ready to start the node as a systemd service:

systemctl --user start java

To check the status:

systemctl --user status java

To follow the log:

journalctl -f --user-unit java

The next part applies only to managed nodes.

SSH

Prepare the authorized_keys file as the deploy user and add the attached public SSH keys to it (your system may use the file authorized_keys2 instead).

mkdir -m 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Generate an SSH keypair for the deploy user:

ssh-keygen

If you have multiple nodes, generate this key once and then copy it to the other nodes.

Firewall and open ports

The following ports must be open:

tcp 22 (or the non-standard port used for sshd)
tcp 80
tcp 8080
tcp 8443
tcp 2052
tcp 2082
udp 2700
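One way to turn this list into a default-deny ruleset for the iptables/netfilter-persistent stack installed above. This is an added example, not part of the Universa project; it assumes iptables with the conntrack and recent match modules, and takes the sshd port as its first argument.

```shell
# Generate an iptables-restore ruleset that admits exactly the ports listed above and
# drops all other inbound traffic. Added example, not part of the Universa project;
# it assumes iptables with netfilter-persistent (installed with the packages above)
# and takes the sshd port as its first argument (default 22).
# Usage: gen_node_rules 22 | iptables-restore && netfilter-persistent save

TCP_PORTS="80 8080 8443 2052 2082"   # nginx and node http ports, as listed on this page
UDP_PORTS="2700"                     # node udp port

gen_node_rules() {
    ssh_port=${1:-22}
    echo '*filter'
    # Default-deny inbound and forwarded traffic; outbound stays open.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # ICMP stays open so path MTU discovery and reachability checks keep working.
    echo '-A INPUT -p icmp -j ACCEPT'
    # SSH: throttle new connections per source (6 per minute) before accepting.
    echo "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH"
    echo "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP"
    echo "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for p in $TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# Sanity check before loading: every port on the page must appear as an ACCEPT rule.
rules_cover_ports() {
    ruleset=$(gen_node_rules "$1")
    for p in $1 $TCP_PORTS; do
        echo "$ruleset" | grep -q -- "-p tcp --dport $p .*-j ACCEPT\$" || return 1
    done
    for p in $UDP_PORTS; do
        echo "$ruleset" | grep -q -- "-p udp --dport $p -j ACCEPT\$" || return 1
    done
}
```

Load it with `iptables-restore --test` first if your version supports it; if sshd runs on a non-standard port, pass that port, otherwise the default-deny policy locks you out.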

... TO BE CONTINUED.