How to become a witness

in witness-category •  8 years ago  (edited)

So you want to be a witness? Great! You've come to the right place. But before we get down to it, you need to ask yourself a difficult question:

Am I ready to be a witness?

Witnesses play a vital role for Steem and it's important that a witness be both trustworthy and reliable.

  • A trustworthy witness has Steem's interest at heart. Other users can trust that the witness isn't trying to game the system for personal gain and wants to support Steem's growth.

  • A reliable witness ensures that their server runs smoothly 24 hours a day, 7 days a week, 365.25 days per year.

Witnesses also require a lot of knowledge in order to do their job well.

  • A witness must know what a witness does and why witnesses are so integral to the Steem ecosystem. If you can't answer @thecryptofiend's Witness Questionnaire, you're probably not ready for the responsibility being a witness brings.

  • A witness must be comfortable on the command-line, building software from source, hardening a server, and with general server maintenance. If you've never done this before, you're probably not ready.

If after reading this stark introduction you feel you have what it takes to be a witness, continue reading, and good luck!

1. Procure a server

When a witness is scheduled to produce a block it must create and sign it quickly, so the server needs headroom. The following specifications are the minimum for a reliable witness; keep in mind that they will rise over time.

  • CPU: Dual core @ 2GHz or higher per core
  • Memory: 16GB (32GB to be future-proof)
  • Bandwidth: 1 Gbit/s
  • Storage: 500GB drive

This guide assumes you're using Ubuntu 16.04 LTS. You can use other Linux distributions, but there may be slight differences.

It's common for witnesses to rent a server from a hosting provider such as OVH or Hetzner. You can use your own machine, but keep in mind the responsibility you have as a witness.

2. Harden the server

To be both trustworthy and reliable the server must be secure. This section covers some common ways to harden a server.

Use SSH keys to login

Attackers constantly brute-force SSH passwords. Key-based login takes the password out of the attack surface altogether: a 4096-bit RSA key cannot be guessed, and once password authentication is disabled the guessing attempts simply fail.

  1. Generate a passphrase-protected SSH key pair on each computer that will connect to your server, using ssh-keygen -t rsa -b 4096 -C "<your-email-address>". The passphrase protects the private key file if that computer is ever lost or compromised.

  2. Copy the contents of ~/.ssh/id_rsa.pub from each computer into its own line of ~/.ssh/authorized_keys on the server, or run ssh-copy-id <user>@<server-ip-address> on every computer you are granting access (you'll have to enter the server password at the prompt, which is why this step comes before passwords are disabled).

  3. Test that you can log in with the key from a new terminal while keeping your existing session open. This is vital because the next step disables password logins.

  4. Disable password authentication on the server. Open /etc/ssh/sshd_config, find the line that says #PasswordAuthentication yes and change it to PasswordAuthentication no. sshd honours the first uncommented occurrence of a keyword, so make sure no earlier line sets it to yes. Validate the file with sudo sshd -t, which prints nothing when the syntax is correct, then restart the SSH daemon to apply the change with sudo service ssh restart.

From now on you can only log in to the server with your SSH keys. If you lose the private keys on the clients, you lose access to the machine, so keep an offline backup of them (still passphrase-protected).

Disable root login

On some systems root login over SSH is enabled by default. Before you disable it, make sure you can log in over SSH with another account that can sudo.

To disable root login via SSH, open /etc/ssh/sshd_config and find the PermitRootLogin line. Depending on the distribution it may be commented out, like this:

#PermitRootLogin no

or already active with a different value (Ubuntu 16.04 ships PermitRootLogin prohibit-password, which still lets root in with a key). Either way, make the first active occurrence read:

PermitRootLogin no

Then restart the SSH server with:

sudo service ssh restart
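To confirm that both edits landed the way sshd will actually read them, here is a small checker added to this guide (it is not code from the original post or from OpenSSH). It resolves PasswordAuthentication and PermitRootLogin the way sshd does: the first uncommented occurrence wins, settings below a Match block are conditional, and a missing keyword means the built-in default; the defaults it assumes are those of OpenSSH 7.2 as shipped with Ubuntu 16.04. The three sshd_config samples inside are constructed for illustration, including the classic mistake of appending the new lines below an earlier active one.

```python
# Added example for this guide, not code from the original post or from
# OpenSSH. Reports the effective value of the two sshd_config settings
# changed above, resolved the way sshd resolves them: the first uncommented
# occurrence of a keyword wins, anything after a "Match" block is
# conditional, and an absent keyword falls back to the daemon's built-in
# default. Defaults assumed: OpenSSH 7.2 as shipped with Ubuntu 16.04.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

WANTED = {                     # what a hardened witness server should have
    "passwordauthentication": "no",
    "permitrootlogin": "no",
}

def effective_settings(config_text):
    """Effective value of every keyword in WANTED, as sshd would apply it."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # blank or whole-line comment
        if line.lower().startswith("match"):
            break                            # conditional section: stop here
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in WANTED and key not in found:
            found[key] = value               # first occurrence wins
    return {k: found.get(k, DEFAULTS[k]) for k in WANTED}

def audit(config_text):
    """(keyword, effective, wanted) for each setting that is still wrong."""
    eff = effective_settings(config_text)
    return [(k, eff[k], WANTED[k]) for k in WANTED if eff[k] != WANTED[k]]

# Constructed sample files, not copied from any real server.
WEAK_CONFIG = """\
# Ubuntu 16.04 as installed: password logins allowed (the commented line
# just documents the default), root may log in with a key.
Port 22
PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Common mistake: the hardened lines are appended at the end, but the
# earlier active PermitRootLogin line still wins.
DUPLICATE_CONFIG = WEAK_CONFIG + "PasswordAuthentication no\nPermitRootLogin no\n"

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    import sys                               # usage: audit_sshd.py [/etc/ssh/sshd_config]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    problems = audit(open(path).read())
    for key, have, want in problems:
        print(f"{key}: is {have!r}, should be {want!r}")
    sys.exit(1 if problems else 0)
```

Run it against /etc/ssh/sshd_config before restarting the daemon; a non-zero exit means one of the two settings is not what you think it is, most often because an earlier active line still wins.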

Create a steem user account

Running steemd under its own unprivileged account offers a last line of defence should your login account be compromised, and it limits the damage from mistakes while you're administering the server. Create the account with a home directory and a login shell (useradd creates neither by default on Ubuntu, and later steps rely on /home/steem):

-> % sudo useradd -m -s /bin/bash steem
-> % sudo passwd steem
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Every time we work with steemd we first need to switch user.

3. Install steem

As steem evolves this information will become out of date. You can find the latest instructions in the Steem GitHub repository.

First install the dependencies:

# Required packages
sudo apt-get install git make automake cmake g++ libssl-dev autoconf libtool

# Boost packages (also required)
sudo apt-get install libboost-thread-dev libboost-date-time-dev libboost-system-dev libboost-filesystem-dev libboost-program-options-dev libboost-signals-dev libboost-serialization-dev libboost-chrono-dev libboost-test-dev libboost-context-dev libboost-locale-dev libboost-coroutine-dev libboost-iostreams-dev

# Optional packages (not required, but will make a nicer experience)
sudo apt-get install doxygen perl libreadline-dev libncurses5-dev

Next, clone the source code repository, check out the latest stable release tag and update the submodules. In the example below v0.14.2 is used as the version; the full list is on the repository's releases page on GitHub. Build from a tagged release rather than the tip of the default branch so you know exactly which version you are running.

git clone https://github.com/steemit/steem
cd steem
git checkout v0.14.2
git submodule update --init --recursive

And finally, build and install the software

cmake -DCMAKE_BUILD_TYPE=Release .
make steemd
make cli_wallet
sudo make install

4. Configure cli_wallet

cli_wallet isn't strictly needed to produce blocks, but this guide uses it to automate price feed updates and to broadcast the witness update, so we want to make sure it's set up properly.

Login as the steem user:

-> % su steem
Password:

Run cli_wallet. Since we don't have a running node yet, we'll connect to the node managed by @xeroc and @jesta.

cli_wallet -s wss://node.steem.ws/

cli_wallet runs an interactive console. First we need to set a password:

new >>> set_password "<some-secure-password>"

Then import your ACTIVE private key, which you can find on your Steemit profile page under Permissions. The active key is needed because publishing a price feed and updating the witness record are active-authority operations; it also authorises transfers from your account, so treat this server accordingly. cli_wallet stores imported keys in wallet.json in the current directory, encrypted with the password you just set, so choose a strong one and keep the file readable by the steem user only.

locked >>> unlock "<some-secure-password>"
import_key <active-private-key>

5. Configure steemd

Login as the steem user:

-> % su steem
Password:

Run steemd from the home folder to create the default config file; after a few seconds, stop steemd by pressing Ctrl+C.

-> % cd ~
-> % steemd
-> % ls ~/witness_node_data_dir
blockchain  config.ini  db_version  logs  node  p2p

There is now a folder called witness_node_data_dir which contains the default config file config.ini. This is the file that needs editing.

Check seed latency

The seed-node addresses can optionally be checked for latency issues. @arcange encountered a strange issue where steemd would crash because a seed node was responding slowly.

Check each node using ping to see how quickly it responds:

-> % ping -U seed.steemd.com
PING seed.steemd.com (162.213.199.171) 56(84) bytes of data.
64 bytes from 162.213.199.171: icmp_seq=1 ttl=59 time=138 ms
64 bytes from 162.213.199.171: icmp_seq=2 ttl=59 time=138 ms
64 bytes from 162.213.199.171: icmp_seq=3 ttl=59 time=139 ms
64 bytes from 162.213.199.171: icmp_seq=4 ttl=59 time=138 ms

The example above is the node that was causing issues for @arcange. 138ms is a long time in steem land. Compare this to the node run by @pharesim:

-> % ping -U steemd.pharesim.me
PING steemd.pharesim.me (176.9.85.102) 56(84) bytes of data.
64 bytes from 176.9.85.102: icmp_seq=1 ttl=55 time=19.4 ms
64 bytes from 176.9.85.102: icmp_seq=2 ttl=55 time=15.2 ms
64 bytes from 176.9.85.102: icmp_seq=3 ttl=55 time=15.3 ms
64 bytes from 176.9.85.102: icmp_seq=4 ttl=55 time=14.9 ms

Remove or comment out the seed-node lines for hosts that respond too slowly.
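Doing this by hand for every seed gets tedious, so here is a small Python script, added to this guide and not part of the original post or of steemd, that reads the active seed-node lines from config.ini, pings each host and flags the slow or unreachable ones. The 50 ms cut-off is an assumption drawn from the two measurements above (about 15 ms good, about 138 ms bad); the config fragment and ping summaries embedded in it are constructed samples that reuse the two hostnames measured above.

```python
# Added example for this guide, not code from the original post or from
# steemd. Reads the seed-node lines steemd itself reads, pings each host
# and reports the ones whose average round trip is above a threshold so
# they can be removed as described above. The 50 ms cut-off is an
# assumption based on the two measurements in the text; tune it for
# where your server sits.
import re
import subprocess

SLOW_MS = 50.0                     # assumed threshold, see comment above
PING_COUNT = 4

def seed_hosts(config_text):
    """Host part of every active seed-node line, in config.ini order."""
    hosts = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue               # a commented-out seed is already disabled
        key, sep, value = line.partition("=")
        if sep and key.strip() == "seed-node":
            host, _, _port = value.strip().rpartition(":")
            hosts.append(host or value.strip())
    return hosts

# Summary line printed by iputils ping on Linux, e.g.
#   rtt min/avg/max/mdev = 14.912/16.205/19.431/1.874 ms
_RTT = re.compile(r"= [\d.]+/([\d.]+)/[\d.]+/[\d.]+ ms")

def average_rtt_ms(ping_output):
    """Average round trip from ping's summary, None if nothing came back."""
    m = _RTT.search(ping_output)
    return float(m.group(1)) if m else None

def classify(avg_ms, slow_ms=SLOW_MS):
    """'unreachable', 'slow' or 'ok' for one measured host."""
    if avg_ms is None:
        return "unreachable"
    return "slow" if avg_ms > slow_ms else "ok"

def ping(host, count=PING_COUNT):
    """Run the system ping; empty output if it fails or is not installed."""
    try:
        done = subprocess.run(["ping", "-c", str(count), host],
                              capture_output=True, text=True, timeout=10 * count)
        return done.stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

def check_seeds(config_text):
    """{host: (avg_ms, verdict)} for every active seed; needs network access."""
    report = {}
    for host in seed_hosts(config_text):
        avg = average_rtt_ms(ping(host))
        report[host] = (avg, classify(avg))
    return report

# Constructed sample config fragment and ping summaries (not real captures),
# using the two seed hosts measured in the text.
SAMPLE_CONFIG = """\
seed-node = seed.steemd.com:2001
# seed-node = old-seed.example:2001
seed-node = steemd.pharesim.me:2001
witness = "bitcalm"
"""
SLOW_PING = ("4 packets transmitted, 4 received, 0% packet loss, time 3004ms\n"
             "rtt min/avg/max/mdev = 138.102/138.406/139.011/0.377 ms\n")
FAST_PING = ("4 packets transmitted, 4 received, 0% packet loss, time 3005ms\n"
             "rtt min/avg/max/mdev = 14.912/16.205/19.431/1.874 ms\n")

if __name__ == "__main__":
    import sys                     # usage: seed_latency.py ~/witness_node_data_dir/config.ini
    for host, (avg, verdict) in check_seeds(open(sys.argv[1]).read()).items():
        print(host, "-" if avg is None else f"{avg:.1f} ms", verdict)
```

Point it at your real config.ini and comment out every host reported as slow or unreachable; since the verdicts depend on where your server is, re-run it after moving to a different provider.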

Witness name

Set the witness setting in the config file to your witness name. For most this is simply your steemit username:

# name of witness controlled by this node (e.g. initwitness )
witness = "bitcalm"

Note: The quotation marks surrounding the witness name are required.

Private key

The block-signing key is a key pair of its own, separate from your account's owner and active keys; generate a fresh one with cli_wallet:

locked >>> unlock "<some-secure-password>"
suggest_brain_key

The response looks like the following.

suggest_brain_key
{
  "brain_priv_key": "AXTREE DEWLIKE MINICAM NIECE TYLOSE IVYWOOD GAINSAY BORISH OZENA UNTOUGH UPHER LANCED MILEWAY UNTILL STINGY WAGLING",
  "wif_priv_key": "5Jv8oJuSyHipaoSdTGNHaUpaHXQnBXonJH4Hf3XizRb3SxN3ab2",
  "pub_key": "STM5BmtqDNg945q7LUhfRrSvb2Ar5fvbW1bKXGRLzs5FiJPyzyVoC"
}

Important: Put this information somewhere safe. Anyone holding the wif_priv_key can sign blocks as your witness, and if you lose it you will have to broadcast a new signing key with update_witness.

Copy the wif_priv_key from the output to the private-key setting in the config file. config.ini now holds a private key in the clear, so restrict it so that only the steem user can read it (mode 600).

# WIF PRIVATE KEY to be used by one or more witnesses or miners
private-key = 5Jv8oJuSyHipaoSdTGNHaUpaHXQnBXonJH4Hf3XizRb3SxN3ab2

The public key (pub_key) is what you hand to update_witness when you broadcast your intent to become a witness. The two must belong together: if the key in config.ini does not match the key on your witness record, steemd cannot sign the blocks it is scheduled for.
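Because a mismatched pair only shows up as missed blocks, it pays to check it before going live. The following is an added example, not code from the original post or from steemd/cli_wallet: it decodes the WIF from config.ini, derives the compressed secp256k1 public key in pure Python and compares it with the STM... key. The encodings it implements are the ones shown in the wallet output above: a WIF is Base58 over 0x80, the 32-byte scalar and a 4-byte double-SHA-256 checksum; an STM key is "STM" followed by Base58 over the 33-byte compressed point and a 4-byte RIPEMD-160 checksum. RIPEMD-160 is missing from hashlib on some OpenSSL 3 builds, so the STM checksum is verified only when it is available; the 33-byte point itself is always compared. It needs Python 3.8 or newer and no third-party packages.

```python
# Added example for this guide, not code from the original post or from
# steemd/cli_wallet. Derives the public key from the WIF private-key in
# config.ini and compares it to the STM... key published with update_witness.
# Formats, as in the wallet output above: WIF = Base58(0x80 || 32-byte scalar
# || 4-byte double-SHA-256); STM key = "STM" + Base58(33-byte compressed
# secp256k1 point || 4-byte RIPEMD-160). Python 3.8+ (pow(x, -1, p)).
import hashlib

_B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    n = 0
    for ch in s.encode():
        n = n * 58 + _B58.index(ch)          # ValueError on a typo
    pad = len(s) - len(s.lstrip("1"))        # each leading '1' is a 0x00 byte
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(b):
    n, out = int.from_bytes(b, "big"), bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(_B58[r])
    return "1" * (len(b) - len(b.lstrip(b"\0"))) + bytes(reversed(out)).decode()

# secp256k1 field prime, group order and generator (affine coordinates)
_P = 2**256 - 2**32 - 977
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % _P == 0:
        return None                          # P + (-P)
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return x3, (lam * (x1 - x3) - y1) % _P

def compressed_pubkey(d):                    # 33-byte compressed d*G, double-and-add
    if not 0 < d < _N:
        raise ValueError("private scalar out of range")
    acc, result = _G, None
    while d:
        if d & 1:
            result = _add(result, acc)
        acc, d = _add(acc, acc), d >> 1
    x, y = result
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def _sha256d4(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()[:4]

def wif_to_scalar(wif):
    raw = b58decode(wif)
    body, check = raw[:-4], raw[-4:]
    if _sha256d4(body) != check:
        raise ValueError("WIF checksum mismatch: private-key line is corrupt")
    if len(body) != 33 or body[0] != 0x80:
        raise ValueError("not an uncompressed-format WIF (5... prefix)")
    return int.from_bytes(body[1:], "big")

def scalar_to_wif(d):
    body = b"\x80" + d.to_bytes(32, "big")
    return b58encode(body + _sha256d4(body))

try:
    hashlib.new("ripemd160"); HAVE_RIPEMD160 = True
except ValueError:                           # dropped by some OpenSSL 3 builds
    HAVE_RIPEMD160 = False

def point_to_stm(point, prefix="STM"):
    return prefix + b58encode(point + hashlib.new("ripemd160", point).digest()[:4])

def stm_to_point(stm, prefix="STM"):
    if not stm.startswith(prefix):
        raise ValueError("public key must start with " + prefix)
    raw = b58decode(stm[len(prefix):])
    point, check = raw[:-4], raw[-4:]
    if len(point) != 33 or point[0] not in (2, 3):
        raise ValueError("malformed compressed public key")
    if HAVE_RIPEMD160 and hashlib.new("ripemd160", point).digest()[:4] != check:
        raise ValueError("public key checksum mismatch")
    return point                             # checksum skipped without RIPEMD-160

def config_private_key(config_text):
    for raw in config_text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "private-key":
            return value.strip()
    raise ValueError("no private-key line in config.ini")

def keys_match(wif, stm):                    # True when the pair belongs together
    return compressed_pubkey(wif_to_scalar(wif)) == stm_to_point(stm)
```

Call keys_match(config_private_key(open(path).read()), "STM...") with your config.ini path and the pub_key you intend to broadcast; it must return True. A ValueError instead of a boolean points at a corrupted or truncated line rather than a mismatch, and the pure-Python arithmetic is slow by design, so use it as a one-off check and not in a hot path.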

Updating the price feed

We'll provide price feed updates using steem_price_feed.bash created by @steempty.

Login as the steem user:

-> % su steem
Password:

Clone the git repository containing the script:

git clone https://github.com/steempty/steem_price_feed.bash

Create a file called lock in the home folder and add the JSON-RPC command for unlocking the wallet:

{"id":0,"method":"unlock","params":["<your_password>"]}

Change the file permissions so it's only readable by the steem user:

-> % chmod 400 lock

The steem_price_feed.bash script drives cli_wallet over its JSON-RPC endpoint, so cli_wallet has to be running as a daemon whenever the script runs; the next section arranges that. The endpoint has no authentication of its own: keep it bound to 127.0.0.1, and remember that while the script has the wallet unlocked, any process on the machine that can reach that port can issue wallet commands.

6. Run the witness

We need steemd, cli_wallet, and steem_price_feed.bash to all run automatically whenever the machine is rebooted, and restart whenever an error occurs.

There are a few options for this and this guide uses supervisor.

Supervisor may already be installed; if it isn't, install it with apt-get:

-> % sudo apt-get install supervisor

On Ubuntu 16.04 supervisor doesn't startup by default when the system boots. To enable this, run:

-> % sudo systemctl enable supervisor

Create the file /etc/supervisor/conf.d/steem.conf with the following contents, replacing <your-witness-name>.

[program:steemd]
command=steemd --replay-blockchain
directory=/home/steem
user=steem
startsecs=1800
autostart=true
autorestart=true
stdout_logfile=AUTO
stderr_logfile=AUTO

[program:cli_wallet]
command=bash -c "sleep 1800 && exec cli_wallet -d --rpc-endpoint 127.0.0.1:8092"
directory=/home/steem
user=steem
startsecs=10
autostart=true
autorestart=true
stdout_logfile=AUTO
stderr_logfile=AUTO

[program:steem_price_feed]
command=bash -c "sleep 1810 && exec steem_price_feed.bash/steem_price_feed.bash -w <your-witness-name>"
directory=/home/steem
user=steem
autostart=true
autorestart=true
stdout_logfile=AUTO
stderr_logfile=AUTO

Note: cli_wallet and steem_price_feed are delayed by 30 minutes to give steemd a chance to sync up. This may not be long enough for everyone.

Restart supervisor so it picks up the new config file:

-> % sudo service supervisor restart

You can also manually start and stop services with the following commands:

-> % sudo supervisorctl stop steemd
steemd: stopped
-> % sudo supervisorctl start steemd
steemd: started

To monitor the status of all processes managed by supervisor, use the following command:

-> % sudo supervisorctl status
cli_wallet          RUNNING   pid 21378, uptime 1:43:07
steem_price_feed    RUNNING   pid 22685, uptime 1:29:48
steemd              RUNNING   pid 20787, uptime 6:50:38

Supervisor logs all output to files in /var/log/supervisor/.

7. Broadcast your intent to become a witness

The last step is to broadcast your intent to become a witness to the network.

Login as the steem user:

-> % su steem
Password:

Start cli_wallet, unlock it and use the update_witness command. The arguments are your witness name, the URL of the post announcing your witness, the pub_key (STM...) from suggest_brain_key, the chain properties you propose (the example sets a 10.000 STEEM account creation fee, a 65536-byte maximum block size and a 10% SBD interest rate, the rate being given in hundredths of a percent) and true to broadcast the transaction. It is signed with the active key you imported earlier.

locked >>> unlock "<some-secure-password>"
update_witness "<your-witness-name>" "<your-witness-post>" "<your-public-brain-key>" {"account_creation_fee":"10.000 STEEM","maximum_block_size":65536,"sbd_interest_rate":1000} true

Your witness is running and you've broadcast your intent. Now what?

8. Get votes

The more vests are behind your witness votes, the higher you rank in the witness table, which means you are selected more often to create and sign blocks; make it into the top 19 and you are selected every round.

But getting votes, especially big votes, isn't easy. It takes time to build up a reputation and show people that you are both trustworthy and reliable.

This makes it very hard to give advice other than that you continue being a positive force in the community, interacting and helping your fellow Steemians.


Many thanks to @aizensou, @klye, @someguy123, @furion, and others in the witness chat for helping me set up my witness and answering my newbie questions.

Banner photo by Sebastien Wiertz used under the CC-BY-2.0 license. Changes were made to the original.


Vote for me as witness to show your support.


To harden your server even more, make sure ssh login for root is disabled, forbid login for an IP after a couple of failed attempts, and close down all other ports but the one for SSH. But take care to not lock yourself out in the process.

Added a section for disabling root login. Thanks. Also some great advice that needs repeating: take care not to lock yourself out in the process

fail2ban works fine

and you have to change the ssh port away from default.

Use 127.0.0.1, there's no reason for it to be accessible from outside at all

Thank you for the tut. I am thinking of adapting this to be run on a FreeBSD Jail and hopefully start a new trend =)

@remind.bot 3 hrs

Thanks for the shout out captain!

Credit where credit's due, artiste.

Congratulations @bitcalm! This post was recommended by @thecryptofiend, and was so good that we decided to feature it in our newspaper. Check it out here: https://t.co/Xq9gkf7Go7

Thanks. Always a great a feeling when your work gets recognised :)

Thanks @bitcalm! Just used this guide to help me get a witness up and running :) Most things went smoothly.

Here's something to maybe add before the 'broadcast your witness' part:

The logs can be found in /var/log/supervisor/steem*

If you do a
$tail -f /var/log/supervisor/*
you should see "Syncing blockchain" lines.

If you don't see these lines something's wrong.

You may need to add seed-node lines to the /home/water/witness_node_data_dir/config.ini

The default version had no entries (for me anyway).

Anyway, thanks so much, just wanted to pass on what I learned :)

Please check out my witness thread at https://steemit.com/witness-category/@nonlinearone/vote-for-nonlinearone-as-witness-bryan-s-witness-thread-version-1-0

That's odd that the default config had no seed-node entries. Are you sure you're using v0.14.2? Thanks for the tips, I'll update the post when I get a chance. Glad you got your witness up and running.

Thanks for this excellent guide! I have been thinking about trying to become a witness. This guide will really help!

One question regarding the servers. On OVC, they have options for "Dedicated" and "Cloud". The cloud looks cheaper. Do you have any tips/suggestions on which server package is good to choose? (When I searched, the SP-30 under 'RAM Instances' with some additional HD space added in seems like the most affordable option to meet all the requirements.)

I recommend you chat with some of the expert witnesses in the chat that have more experience running on such services. I'm using my own server, so my experience is a little different. The feeling I get is that if the CPU/RAM match, the bandwidth is really important - if throughput is inconsistent, you might miss blocks because you're too slow to respond. I'm sorry I can't help you more but I've only been running my node for 4 days and this article is the information I collected while doing it.

No problem. Thanks for your reply :)

Ugh! You suck! You have officially ruined an upcoming weekend of mine! ;)

Nice language... Easy to read. Reblog!

Thanks. Readability is very important for a guide like this, so that's good to hear.

Great How-to. I feel that I'm technically ready to become a witness but I'm going to hold off for awhile and focus on content creation for right now. I feel like if I can gain a bigger following and build my reputation up higher I have a better chance of becoming a witness in the future.

Great post on the whole process and security hardening! One tiny note that would be good to have is to check out a specific release tag after cloning the steem repo. Using SSH keys is not just secure but convenient: no having to type the password!

Thanks for the tip about checking out a specific release. I've updated the post to include this.

This a brilliant guide! I hope it encourages non-developers to take up witnessing - some diversity will be great!

It's a steep learning curve but hopefully this guide will make onboarding a little easier. Diversity is only a good thing.

wow much respect for the role of witness.
This is obviously not my part to play in the success of Steemit at this time.
Great post!

Great information, and very detailed.

"Can I get a witness?"

-Marvin Gaye

Always wondered what this entailed...Excellent work:)

This is very useful information. Thank you for sharing it:)

many thanks

This post has been linked to from another place on Steem.

Learn more about linkback bot v0.4. Upvote if you want the bot to continue posting linkbacks for your posts. Flag if otherwise.

Built by @ontofractal

Very nice witness guide!

Thanks. I think it's already helped a few people become witnesses. :)

Hello, are the hardware requirements really so high? I'm running nodes for several crypto networks, but never saw such high requirements. I'd like to set up a witness node too if possible, I just need to make sure my servers can handle it.

In part 4. the line cli_wallet -s wss://node.steem.ws/ gives me an error message

0 exception: unspecified
Timer Expired {"message":"Timer Expired"} asio websocket.cpp:513 operator()

{"uri":"wss://node.steem.ws/"}
th_a  websocket.cpp:699 secure_connect

{"uri":"wss://node.steem.ws/"}
th_a  websocket.cpp:673 connect


is wss://node.steem.ws/ down?

Nicely written, you deserve my vote. Btw, the github link is dead.

Great post.
Thanks for this, I ReSteem it since it is good knowledge :)

Thank you.

I simply am not ready to be a witness as of now. The job seems too complicated for me.