Part 1 – Server setup

This section will help you set up and configure a server to prepare it for being a Pocket node.

Setup a server

The first thing you’ll need to run a Pocket node is a server. For this guide, we’ll be using a virtual machine on the Linode cloud service, but you can use any cloud service you like, or run a server of your own.

Let’s start by creating a Linode instance (a virtual machine).

Create a Linode instance

To create a Linode instance, do the following:

1. Sign up for a Linode account and login.

2. Create a new Linode with the following specifications:

   • Image / Distribution: Ubuntu 20.04 LTS
   • Region: Atlanta, GA
   • Linode Plan: Dedicated 16 GB - 8 CPU, 320 GB Storage, 16 GB RAM
   • Linode Label: pokt001

3. Wait for the Linode to be created and show up as running in the web interface.

Add a storage volume

The Pocket blockchain is very large and growing all the time, and the snapshot we’ll be downloading in a later step is too large to fit on this Linode instance.

Because of this, we’ll need to create a secondary storage volume. We recommend a size of at least 500GB, but as this requirement will keep growing, a larger volume size (or a dynamically adjustable disk size) will be important.

1. In your Linode account, click Volumes and then Create Volume.

2. Create a volume with the following specifications:

   • Label: poktuserdir
   • Size: 800GB
   • Region: [Same as your instance]
   • Linode: pokt001

Configure DNS

Now that the Linode instance is created and running, you’ll need to set up a DNS record that points to the IP address of the Linode instance.

Pocket nodes require a DNS name. DNS (Domain Name Service) names are used to map an IP address to more human-friendly names. So rather than referencing a server with an address like 134.23.153.21 we can use a name like pokt001.pokt.run.

Specifically, you’ll need to add an A record for the domain name. For the exact steps, consult the DNS documentation for your provider. Then create a record with the following information:

• Name: pokt001
• Type: A
• Value: [Linode_IP_Address]
• TTL: 300

After setting up your DNS record, wait a few minutes for the DNS to propagate. Then use the following command to check that the DNS record is working:

ping -c 3 pokt001.pokt.run

You should see a response that looks something like this:

64 bytes from 134.23.153.21: icmp_seq=0 ttl=47 time=92.403 ms
64 bytes from 134.23.153.21: icmp_seq=1 ttl=47 time=142.828 ms
64 bytes from 134.23.153.21: icmp_seq=2 ttl=47 time=182.456 ms

If the IP address matches the IP address of your Linode instance, you’re all set!

Login with SSH

Now that we have a DNS record setup, we will look at using SSH to log in and continue the setup process.

The Secure Shell Protocol (SSH) is a secure way to connect to your Linode instance from a remote machine, like your local computer. We’ll be using SSH to complete the remainder of the setup process.

SSH from Mac or Linux

If you’re using a Mac, or Linux, on your local computer, you can SSH into your node by doing the following:

• Open a terminal

• SSH into your node using the following command:

  ssh root@pokt001.pokt.run
  

You’ll be prompted for your password. This is the root password that you set when you created your Linode.

SSH from Windows

Windows 10 and later have a built-in SSH client. You can use SSH on Windows by doing the following:

• Open the Windows terminal

• SSH into your node using the following command:

  ssh root@pokt001.pokt.run
  

If you’re using an older version of Windows, you might need to install PuTTY or some other SSH client.

Set the hostname

At this point you should be logged into your node as the root user.

In a previous step, we set the DNS name for the node. Now we’ll use the same name for the hostname on the server.

To set the server hostname use the following steps:

1. Open the /etc/hostname file with the following command:

   nano /etc/hostname
   

2. Change the localhost value to the fully qualified hostname of your node (for example, pokt001.pokt.run).

3. Save the file with Ctrl+O and then Enter.

4. Exit nano with Ctrl+X.

5. Reboot the server with the following command:

   reboot
   

6. Wait for the server to reboot then ssh back in as the root user before continuing on.

Create a Pocket user account

For security reasons it’s best not to use the root user. Instead, it’s better to create a new user and add the user to the sudo group.

To create a new user, enter the following commands:

1. Create a new user named pocket, add it to the sudo group, and set the default shell to bash. If you want to specify the location of the home directory, you can use the -d option followed by the path to the home directory:

   useradd -m -g sudo -s /bin/bash pocket && passwd pocket
   

2. For the rest of this guide, we’ll be using the pocket user. So now that the pocket user is created, you can switch from using root to the pocket user with the following command:

   su - pocket
   

Mount the volume

Next we want to mount the secondary storage volume that we created in a previous step.

1. Verify that the volume is attached to your instance.

   Command Response

   sudo fdisk -l
   

   Disk /dev/sdc: 800 GiB, 858993459200 bytes, 1677721600 sectors
   Disk model: Volume
   Units: sectors of 1 * 512 = 512 bytes
   Sector size (logical/physical): 512 bytes / 512 bytes
   I/O size (minimum/optimal): 512 bytes / 512 bytes
   

2. Create a new partition. If the previous command shows a file path different from /dev/sdc, use that instead in the commands below:

   sudo mkfs.ext4 /dev/sdc
   

3. Create a new mount point:

   sudo mkdir /mnt/data
   

4. Mount the new partition:

   sudo mount /dev/sdc /mnt/data
   

5. Verify that the partition was created by running the following command:

   Command Response

   sudo lsblk -o NAME,PATH,SIZE,FSAVAIL,FSUSE%,MOUNTPOINT
   

   NAME PATH       SIZE FSAVAIL FSUSE% MOUNTPOINT
   sda  /dev/sda 319.5G  289.5G     3% /
   sdb  /dev/sdb   512M                [SWAP]
   sdc  /dev/sdc   800G    328G    53% /mnt/data
   

6. Set the volume to be mounted automatically. Open /etc/fstab:

   sudo nano /etc/fstab
   

7. Add the following line to the bottom of the file:

   /dev/sdc /mnt/data ext4 defaults,noatime,nofail 0 2
   

8. Save the file with Ctrl+O and then Enter.

9. Exit nano with Ctrl+X.

Move the home directory

Many Pocket commands assume a data directory path of ~/.pocket. While it is possible to specify a different data directory with every command, it will be much easier to change the location of the pocket user home directory. For this tutorial, we will be putting the Pocket data directory at /mnt/data/.pocket.

To change the home directory of the pocket user:

sudo usermod -d /mnt/data pocket

Configure SSH Key Login (Optional):

While not required, using an SSH key provides a more secure means of accessing your server.

Using an SSH key removes the ability for credentials to be sniffed in the login process, and removes the pitfalls that can often come with user generated passwords since the key will truly be random.

One important thing to understand, is that without access to the ssh key, you won’t be able to log into your node. If you intend on accessing your node from multiple computers, it’s recommended that you repeat the Generate Key and Upload Key steps from each computer that you intend to access your node from before moving on to the Disable Root Login and Password Authentication step.

1. Log Out

   At the terminal you’ll need to enter the logout command twice. The first logout logs you out of the pocket user, back to the root user, and the second logout logs you out of the server and back to your terminal.

2. Generate Key

   Next, we’ll generate an ssh key. To do that you’ll run the ssh-keygen command. You’ll be prompted to specify the file you want to save the key to, and for a password. Specifying a password means that if someone has access to your key, they’d still need to know the password to be able to use it to login. To create the key, do the following:

   • Run the ssh-keygen command

     ssh-keygen -t rsa -b 4096
     

   • Enter file in which to save the key (~/.ssh/id_rsa)

   • Enter a passphrase (empty for no passphrase)

   • Enter same passphrase again

   The results should looking something like the following:

   The key fingerprint is:
   SHA256:jr2MLXIha188wYsp/bNflN9BuqQ3LWCAXJNTtHO7sWk
   The key's randomart image is:
   +---[RSA 4096]----+
   |         o+o     |
   |      . oo. .    |
   |       o ..o . . |
   |       .  . o.+  |
   |        S  oo= . |
   |    ...B o..+.B..|
   |    .o=.B  ..E...|
   |    +.o*.o .o o  |
   |   . +o.*+.      |
   +----[SHA256]-----+
   

3. Upload Key

   Now we’re going to upload the key so that we can use it to log into the pocket user. If you choose a different path for the ssh key, it’s important to replace the ~/.ssh/id_rsa with the key you used.

   ssh-copy-id -i ~/.ssh/id_rsa pocket@pokt001.pokt.run
   

   Info

   Windows users may not have access to this command. If you don't have access to a Bash shell, you can use PowerShell to mimic this command. [See these instructions for more details.](https://chrisjhart.com/Windows-10-ssh-copy-id/)
   

4. Disable Root Login and Password Authentication

   Now we’re now going to configure ssh to no longer allow root logins, and to not allow any password based login attempts. Meaning without access to the ssh key for the pocket user, no one will be able to log into the server.

   First we’ll need to log back into the server:

   ssh pocket@pokt001.pokt.run
   

   From there, we’ll want to open the /etc/ssh/sshd_config file to make some changes to the default configuration:

   sudo nano /etc/ssh/sshd_config
   

   Once there, we’ll need to find and change the following lines:

   • #PermitRootLogin prohibit-password -> PermitRootLogin no
   • #PubkeyAuthentication yes -> PubkeyAuthentication yes
   • #PasswordAuthentication yes -> PasswordAuthentication no

   Once changed, Ctrl-O followed by Enter will save the changes, and Ctrl-X will exit nano back to the terminal.

   Then we’ll need to restart the ssh server for these changes to take effect:

   sudo systemctl restart sshd.service
   

5. Verify Everything Works

   The last step is to log out of the server, and try logging back in. If you’re no longer prompted for a password, then everything is working as expected.

   Windows Linux/macOS

   ssh -i C:\Users\<USER>\.ssh\id_rsa -l pocket pokt001.pokt.run
   

   ssh -i ~\.ssh\id_rsa pocket@pokt001.pokt.run
   

That’s it for the server setup! Continue on to install the necessary software.

Part 2 – Software installation

This section will help you install all the necessary software for your node.

Install dependencies

Now let’s move on to the Pocket CLI installation.

At this point you should be logged in via SSH as the pocket user that we set up in a previous step. Before we install the Pocket software, we need to update the existing system packages and add a few dependencies.

Updating system packages

1. Update the repository index with the following command:

   sudo apt update
   

2. Update the distribution with the following command:

   sudo apt dist-upgrade -y
   

After the update completes, we’re ready to install the dependencies.

Installing dependencies

There are a handful of dependencies but installing them won’t take long. Also, some might already be installed. So if one of the dependencies exists, you can just move on to the next one.

git

sudo apt-get install git -y

build tools

sudo apt-get install build-essential -y

curl

sudo apt-get install curl -y

file

sudo apt-get install file -y

nginx

sudo apt install nginx -y

certbot

sudo apt install certbot -y

python3-certbot-nginx

sudo apt-get install python3-certbot-nginx -y

jq

sudo apt install jq -y

Install Go

After installing the dependencies, there is one more dependency we’ll need to add, and that’s Go. Go (sometimes known as “Golang”) is the programming language that the Pocket software was written in.

We could install Go using apt, but we want to get the latest stable version which probably isn’t available by default in the apt repository. So, we’ll use the steps below to install Go.

1. Make sure you’re in the pocket home directory.

   cd ~
   

2. Find the latest version of Go from https://golang.org/dl/ then download it with the following command. (Make sure to change the link below to point to the correct version of Go.)

   wget https://dl.google.com/go/go1.19.2.linux-amd64.tar.gz
   

3. Extract the archive:

   sudo tar -xvf go1.19.2.linux-amd64.tar.gz
   

4. Set permissions on the extracted files:

   sudo chown -R pocket ./go
   

5. Add Go to the PATH:

   echo 'export PATH=$PATH:$HOME/go/bin' >> ~/.profile
   

6. Set the GOPATH and GOBIN environment variables:

   echo 'export GOPATH=$HOME/go' >> ~/.profile
   

   echo 'export GOBIN=$HOME/go/bin' >> ~/.profile
   

7. Reload your .profile:

   source ~/.profile
   

8. Verify the installation:
   Command Response

   go version
   

   go version go1.19.2 linux/amd64
   

   Info

   Make sure the version number matches the version you downloaded. If the go version command doesn’t work, try logging out and logging back in.

9. Verify the GOPATH and GOBIN variables are set correctly:
   Command Response

   go env
   

   GOPATH="/mnt/data/go"
   GOBIN="/mnt/data/go/bin"
   

Install Pocket

After you can verify that you have the latest stable version of Go, we’re ready to install the Pocket software.

We’ll be downloading Pocket Core from GitHub and then compiling it with Go to get it fully installed.

To download and install Pocket Core, do the following:

1. Create a project directory:

   sudo mkdir -p $GOPATH/src/github.com/pokt-network
   

2. Change to the project directory:

   cd $GOPATH/src/github.com/pokt-network
   

3. Clone the Pocket Core repository:

   sudo git clone https://github.com/pokt-network/pocket-core.git
   

4. Change to the code directory:

   cd pocket-core
   

5. Checkout the latest version. You can find the latest tag by going to https://github.com/pokt-network/pocket-core/tags:

   sudo git checkout tags/RC-0.9.2
   

   Info

   You may see a warning about being in a “detached HEAD” state. This is normal.

6. Build project code:

   go build -o $GOPATH/bin/pocket $GOPATH/src/github.com/pokt-network/pocket-core/app/cmd/pocket_core/main.go
   

7. Test that the build succeeded:

   Command Response

   pocket version
   

   AppVersion: RC-0.9.2
   

That’s it for the software installation. Now let’s move on to the Pocket core configuration.

Part 3 – Pocket configuration

This section will help you configure your instance of Pocket.

Download snapshot

Rather than synchronizing your Pocket node from block zero (which could take weeks), you can use a snapshot. A snapshot of the Pocket blockchain is taken every 12 hours and can be downloaded using the instructions on the Pocket Snapshots Repository page.

Downloading a snapshot will likely take a few hours, so we’re going to use the screen command so that the download can run in the background, allowing you to perform other tasks.

To download the most recent snapshot:

1. Create a screen instance:

   screen
   

   Press Enter to get back to a prompt.
2. Change into the .pocket directory.

   cd ~/.pocket
   

3. Create a directory named data and change into it:

   mkdir data && cd data
   

4. Download the latest snapshot using the following command:

   wget -qO- https://snapshot.nodes.pokt.network/latest.tar.gz | tar xvfz -
   

While the snapshot is downloading, press Ctrl-A and then d to let the process run in the background and be returned to a prompt.

To return to your screen instance to see how things are going:

screen -r

You can also check on the status of the download by watching your disk usage:

df -h

Once your download is completed, make the pocket user the owner of the data directory:

sudo chown -R pocket ~/.pocket/data

And when you’re done with your screen instance, you can exit out of it:

exit

Create a Pocket wallet account

Pocket nodes are associated with a Pocket wallet account. This is the account that will be used to send and receive transactions from the node. You can either create a new account using the Pocket CLI we just installed, or you can use an existing account. For this guide, we’ll be creating a new account.

Creating an account

To create an account, run the following command:

pocket accounts create

You’ll be prompted to set a passphrase for the account. You can use any passphrase you like but for security reasons, it’s best to use a passphrase that is at least 12 characters long, preferably longer.

pocket accounts import-armored <armoredJSONFile>

Listing accounts

After you’ve created the account you can use the pocket accounts list command to confirm that the account was added successfully.

pocket accounts list

Setting the validator address

Next, set the account as the one the node will use with the following command:

pocket accounts set-validator [YOUR_ACCOUNT_ADDRESS]

Confirm the validator address

Finally, you can confirm that the validator address was set correctly by running the following command:

 pocket accounts get-validator

Create config.json

The Pocket core software uses a config file to store configuration details. By default the config file is located at ~/.pocket/config/config.json. In this step we’ll look at how to create a new config file.

To create a new config file:

1. Run the following command, which will create the default config.json file, add the seeds, set port 8081 to 8082, and increase the RPC timeout value:

   echo $(pocket util print-configs) | jq '.tendermint_config.P2P.Seeds = "03b74fa3c68356bb40d58ecc10129479b159a145@seed1.mainnet.pokt.network:20656,64c91701ea98440bc3674fdb9a99311461cdfd6f@seed2.mainnet.pokt.network:21656,0057ee693f3ce332c4ffcb499ede024c586ae37b@seed3.mainnet.pokt.network:22856,9fd99b89947c6af57cd0269ad01ecb99960177cd@seed4.mainnet.pokt.network:23856,1243026603e9073507a3157bc4de99da74a078fc@seed5.mainnet.pokt.network:24856,6282b55feaff460bb35820363f1eb26237cf5ac3@seed6.mainnet.pokt.network:25856,3640ee055889befbc912dd7d3ed27d6791139395@seed7.mainnet.pokt.network:26856,1951cded4489bf51af56f3dbdd6df55c1a952b1a@seed8.mainnet.pokt.network:27856,a5f4a4cd88db9fd5def1574a0bffef3c6f354a76@seed9.mainnet.pokt.network:28856,d4039bd71d48def9f9f61f670c098b8956e52a08@seed10.mainnet.pokt.network:29856,5c133f07ed296bb9e21e3e42d5f26e0f7d2b2832@poktseed100.chainflow.io:26656"' | jq '.pocket_config.rpc_timeout = 15000' | jq '.pocket_config.rpc_port = "8082"' | jq '.pocket_config.remote_cli_url = "http://localhost:8082"' | jq . > ~/.pocket/config/config.json
   

   Warning

   This is a long command! Make sure you’ve copied it completely.

2. Verify the config.json file setting by viewing the contents of the file:

   Command Response

   cat ~/.pocket/config/config.json
   

   {
     "tendermint_config": {
       "RootDir": "/mnt/data/.pocket",
       "ProxyApp": "tcp://127.0.0.1:26658",
       "Moniker": "pokt001.pokt.run",
       "FastSyncMode": true,
       "DBBackend": "goleveldb",
       "LevelDBOptions": {
         "block_cache_capacity": 83886,
         "block_cache_evict_removed": false,
         "block_size": 4096,
         "disable_buffer_pool": true,
         "open_files_cache_capacity": -1,
         "write_buffer": 838860
   },
   ...
   ...
   ...
   

Create chains.json

Pocket nodes relay transactions to other blockchains. So, you’ll need to configure the chains your node can relay to. For this guide, we’ll just be setting up our node to relay to the Pocket mainnet blockchain, essentially through itself.

To maximize your rewards, you’ll want to relay to other chains. We’ll cover that in more detail later but here is a list of other blockchains you could relay to.

Generating a chains.json file with the CLI

You can use the Pocket CLI to generate a chains.json file for your node by running the following command:

pocket util generate-chains

This will prompt you for the following information:

• Enter the ID of the Pocket Network RelayChain ID:

  0001
  

• Enter the URL of the local network identifier.

  http://127.0.0.1:8082/
  

• When you’re prompted to add another chain, enter n for now.

Create genesis.json

Now that we have a chains.json file set up, so we can move on to test our node.

When you start a Pocket node for the first time, it will need to find other nodes (peers) to connect with. To do that we use a file named genesis.json with details about peers the node should connect to get on the network.

To create a JSON file with the genesis information:

1. Change to the .pocket/config directory:

   cd ~/.pocket/config
   

2. Use the following command to get the genesis.json file from GitHub:

   wget https://raw.githubusercontent.com/pokt-network/pocket-network-genesis/master/mainnet/genesis.json genesis.json
   

Set open file limits

Ubuntu and other UNIX-like systems have a ulimit shell command that’s used to set resource limits for users. One of the limits that can be set is the number of open files a user is allowed to have. Pocket nodes will have a lot of files open at times, so we’ll want to increase the default ulimit for the pocket user account.

Increasing the ulimit

1. Before increasing the ulimit, you can check the current ulimit with the following command:

   ulimit -n
   

2. Increase the ulimit to 16384. The -Sn option is for setting the soft limit on the number of open files:

   ulimit -Sn 16384
   

3. Check the new ulimit to confirm that it was set correctly. The -n option is for getting the limit for just the number of open files:

   ulimit -n
   

Permanent settings

Using the above method for setting the ulimit only keeps the change in effect for the current session. To permanently set the ulimit, you can do the following:

1. Open the /etc/security/limits.conf file.

   sudo nano /etc/security/limits.conf
   

2. Add the following line to the bottom of the file:

   pocket           soft    nofile          16384
   

3. Save the file with Ctrl+O and then Enter.
4. Exit nano with Ctrl+X.

After permanently setting the ulimit, the next thing we’ll do is download a snapshot of the Pocket blockchain.

Configure systemd

Next, we’ll configure the Pocket service using systemd, a Linux service manager. This will enable the Pocket node to run and restart even when we’re not logged in.

Creating a systemd service in Linux

To setup a systemd service for Pocket, do the following:

1. Open nano and create a new file called pocket.service:

   sudo nano /etc/systemd/system/pocket.service
   

2. Add the following lines to the file:

   [Unit]
   Description=Pocket service
   After=network.target mnt-data.mount
   Wants=network-online.target systemd-networkd-wait-online.service
   
   [Service]
   User=pocket
   Group=sudo
   ExecStart=/home/pocket/go/bin/pocket start
   ExecStop=/home/pocket/go/bin/pocket stop
   
   [Install]
   WantedBy=default.target
   

3. Make sure the User is set to the user that will run the Pocket service.

4. Make sure the ExecStart and ExecStop paths are set to the path for the Pocket binary.

5. Save the file with Ctrl+O and then return.

6. Exit nano with Ctrl+X.

7. Reload the service files to include the pocket service:

   sudo systemctl daemon-reload
   

8. Start the pocket service:

   sudo systemctl start pocket.service
   

9. Verify the service is running:

   Command Response

   sudo systemctl status pocket.service
   

   pocket.service - Pocket service
     Loaded: loaded (/etc/systemd/system/pocket.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-10-07 00:07:05 UTC; 1 weeks 0 days ago
   

10. Stop the pocket service:

    sudo systemctl stop pocket.service
    

11. Verify the service is stopped:

    sudo systemctl status pocket.service
    

12. Set the service to start on boot:

    sudo systemctl enable pocket.service
    

13. Verify the service is set to start on boot:

    Command Response

    sudo systemctl list-unit-files --type=service | grep pocket.service
    

    pocket.service                             enabled         enabled
    

14. Start the pocket service:

    sudo systemctl start pocket.service
    

Other systemctl commands

• Restart the Pocket service:

  sudo systemctl restart pocket.service
  

• Prevent the service from starting on boot:

  sudo systemctl disable pocket.service
  

• View mounted volumes:

  sudo systemctl list-units --type=mount
  

Viewing the logs

• View the logs for the Pocket service:

  sudo journalctl -u pocket.service
  

• View just the last 100 lines of the logs (equivalent to the tail -f command):

  sudo journalctl -u pocket.service -n 100 --no-pager
  

Finding Errors

You can use grep to find errors in the logs.

sudo journalctl -u pocket.service | grep -i error

sudo chown -R pocket ~/.pocket/data

exit

We’re just about done. We just need to setup an HTTP proxy and we’ll be ready to go live. We’ll setup the proxy next.

Part 4 – Proxy configuration

This section will help you set up the proxy setting on your node.

Setup SSL

Pocket requires that nodes have an SSL certificate for secure communications. SSL (Secure Sockets Layer) is a layer of security that sits on top of TCP/IP. It’s used to encrypt the data sent between a client and a server. To use SSL, you need to have a certificate and a key. Thankfully, getting an SSL certificate is straightforward and free.

To get a certificate, we’ll be using Let’s Encrypt which is a service that issues SSL certificates for free. We’ll also be using software called certbot to register, install, and renew the certificate.

Registering an SSL certificate

We installed certbot in a previous step so we just need to use it to request a certificate.

To get a certificate, we’ll need to use the certbot command with the following options:

• --register-unsafely-without-email: This option is required to get a certificate without an email address.
• --agree-tos: This option is required to agree to the Let’s Encrypt Terms of Service.
• --nginx: This option is required to use the nginx plugin.
• --no-redirect: This option is required to disable the redirect to the Let’s Encrypt website.
• --domain: This option is required to specify the domain name.

Here’s an example of how to request a certificate. Just replace $HOSTNAME with the DNS name of your node:

sudo certbot --nginx --domain $HOSTNAME --register-unsafely-without-email --no-redirect --agree-tos

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pokt001.pokt.run
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://pokt001.pokt.run
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The output from this command should confirm that the certificate was successfully registered.

Testing your certificate

To be sure, you’ll also want to test that the certificate is working.

There is a command that certbot provides to test your certificate. It’s used for testing the auto-renewal of the certificate but it also confirms that the certificate is working. You can run it using the following command:

sudo certbot renew --dry-run

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/pokt001.pokt.run/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The resulting output should confirm that the certificate is working.

Configure Nginx

Nginx is a web server. We installed it in a previous step but we need to do some additional configuration.

Nginx uses config files to define servers and routes for incoming requests. For Pocket nodes, nginx needs to relay public requests to a local HTTP server that pocket core is running. This is referred to as the proxy. We’ll also need to proxy requests made by the Pocket CLI. For example, when we run the command pocket query height, the CLI makes an http request to the node’s local HTTP server.

Config files

The nginx configuration files we’re interested in are located in the /etc/nginx/sites-available/ directory. In that directory there is a default configuration file named default. This is the configuration that is created when you install nginx, but we’ll be creating our own for our node.

To configure nginx:

1. Confirm the name of your SSL certificate:

   sudo ls /etc/letsencrypt/live/
   

2. Create a new config file with nano:

   sudo nano /etc/nginx/sites-available/pocket
   

3. Add the following code, making sure to change the hostname values (pokt001.pokt.run) to your node’s DNS hostname in the three places found below:

   server {
       listen 80 default_server;
       listen [::]:80 default_server;
   
       root /var/www/html;
   
       index index.html index.htm index.nginx-debian.html;
   
       server_name _;
   
       location / {
           try_files $uri $uri/ =404;
       }
   }
   
   server {
       add_header Access-Control-Allow-Origin "*";
       listen 80 ;
       listen [::]:80 ;
       listen 8081 ssl;
       listen [::]:8081 ssl;
   
       root /var/www/html;
   
       index index.html index.htm index.nginx-debian.html;
   
       server_name pokt001.pokt.run;
   
       location / {
           try_files $uri $uri/ =404;
       }
   
       listen [::]:443 ssl ipv6only=on;
       listen 443 ssl;
   
       ssl_certificate /etc/letsencrypt/live/pokt001.pokt.run/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/pokt001.pokt.run/privkey.pem;
   
       include /etc/letsencrypt/options-ssl-nginx.conf;
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
   
       access_log /var/log/nginx/reverse-access.log;
       error_log /var/log/nginx/reverse-error.log;
   
       location ~* ^/v1/client/(dispatch|relay|challenge|sim) {
           proxy_pass http://127.0.0.1:8082;
           add_header Access-Control-Allow-Methods "POST, OPTIONS";
           allow all;
       }
   
       location = /v1 {
           add_header Access-Control-Allow-Methods "GET";
           proxy_pass http://127.0.0.1:8082;
           allow all;
       }
   }
   

4. Save the change with Ctrl+O.
5. Exit nano with Ctrl+X.
6. Stop nginx with:

   sudo systemctl stop nginx
   

7. Disable the default configuration:

   sudo rm /etc/nginx/sites-enabled/default
   

8. Enable our new configuration:

   sudo ln -s /etc/nginx/sites-available/pocket /etc/nginx/sites-enabled/pocket
   

9. Start nginx:

   sudo systemctl start nginx
   

Enable UFW

We’re almost done, but before we finish we’ll make our server more secure by setting firewall rules to limit network exposure. The Uncomplicated Firewall (UFW) is a security tool that makes configuring the firewall reasonably simple. We’ll use it to disable unnecessary ports.

Ports you need to open

For running a Pocket node, you’ll need to open the following ports:

• 22: SSH
• 80: HTTP
• 443: HTTPS
• 8081: For the Pocket HTTP API
• 26656: For the Pocket RPC API

Use UFW to disable unnecessary ports

To use UFW to configure the firewall:

1. Enable UFW. When prompted, press y to confirm:

   sudo ufw enable
   

2. Set the default to deny all incoming connections:

   sudo ufw default deny
   

3. Allow the SSH port:

   sudo ufw allow ssh
   

4. Allow port 80:

   sudo ufw allow 80
   

5. Allow port 443:

   sudo ufw allow 443
   

6. Allow port 8081:

   sudo ufw allow 8081
   

7. Allow port 26656:

   sudo ufw allow 26656
   

That’s it for the UFW setup. Let’s just check the status to confirm the ports are open. To do that, run the following command:

sudo ufw status

After confirming only the necessary ports are open, you can move on to the final steps.

Part 5 – Going live

This section will details the final steps in going live with your node.

Test everything

At this point your Pocket node should be up and running!

But you’ll want to test it to confirm. The following are some of the things you can do to test your Pocket Node.

Make sure the Pocket process is running

The first thing to check is that the pocket service is running. You can do that by running the following command:

top -b -n 1 | grep pocket

You should see output similar to the following:

  44871 root      20   0 1018268  33948  21448 S   0.0   0.4   0:00.17 pocket

Block height

You’ll want to check that the node is fully synced with the Pocket blockchain. The easiest way is to run the following command:

pocket query height

The result should look something like the following.

{
    "height": 48161
}

Network status

Another way to see if your node is fully synced is to check the status with the following command:

curl http://127.0.0.1:26657/status

The result should look something like the following. Note the highlighted property catching_up which indicates if the node is catching up with the blockchain or fully synced. In the example below, the node is fully synced.

{
  "jsonrpc": "2.0",
  "id": -1,
  "result": {
    "node_info": {
      "protocol_version": {
        "p2p": "7",
        "block": "10",
        "app": "0"
      },
      "id": "80b80c106115259349df8ef06267cff7bbabd194",
      "listen_addr": "tcp://0.0.0.0:26656",
      "network": "mainnet",
      "version": "0.33.7",
      "channels": "4020212223303800",
      "moniker": "localhost",
      "other": {
        "tx_index": "on",
        "rpc_address": "tcp://127.0.0.1:26657"
      }
    },
    "sync_info": {
      "latest_block_hash": "F39BBF5C64D9E02E28DDBB8640F84A22CFAE1727CFBC72537982EF5914E4BB25",
      "latest_app_hash": "6198835747411135C1F812CB45FA5621D5ADB63342EC0678C20879D7D39F03B5",
      "latest_block_height": "50021",
      "latest_block_time": "2022-02-04T12:16:10.77575197Z",
      "earliest_block_hash": "7D551967CB8BBC9F8C0EAE78797D0576951DDA25CE63DF1801C020478C0B02F8",
      "earliest_app_hash": "",
      "earliest_block_height": "1",
      "earliest_block_time": "2020-07-28T15:00:00Z",
      "catching_up": false
    },
    "validator_info": {
      "address": "80B80C106115259349DF8EF06267CFF7BBABD194",
      "pub_key": {
        "type": "tendermint/PubKeyEd25519",
        "value": "ee+o9bKqCbAO13FgWTLmJdi9hhfYg8AHsif5430uz8A="
      },
      "voting_power": "0"
    }
  }
}

Make sure your node is visible to other nodes

You’ll also want to make sure your node is accessible to other nodes.

To test and confirm your node is visible to other nodes on the public network, you’ll make an HTTP request using the public DNS name for the node. You can use the following command to make that request:

curl https://pokt001.pokt.run:8081/v1

This should return the following. This is the version of pocket-core that is running.

"RC-0.9.2"

Staking your node

To earn POKT rewards, you’ll need to stake at least 15,000 POKT. That said, you should stake at least 15,100 POKT or more to be safe. This provides a little extra room in case your node gets slashed (penalized) for some reason.

If you’re using the Pocket CLI to fund an account, keep in mind that the CLI uses uPOKT (the smallest unit of POKT) for its calculations. The formula for converting POKT to uPOKT is: uPOKT = POKT * 10^6. So, multiplying 15050 POKT by 10^6 (one million) will result in 15050000000 uPOKT.

Also keep in mind that there is a cost for every transaction you send. At the moment, that cost is a flat fee of 0.01 POKT, or 10000 uPOKT, but this may be subject to change.

1. List your accounts:

   pocket accounts list
   

2. Confirm the validator account is set:

   pocket accounts get-validator
   

3. Confirm the validator account has enough POKT. This should be at least 15,101 POKT. You’ll want 15,100 to stake and a bit more for network fees:

   pocket query balance [YOUR_VALIDATOR_ADDRESS]
   

4. Stake your node, making sure to enter the correct details for your setup:

   pocket nodes stake custodial [YOUR_VALIDATOR_ADDRESS] 15100000000 [CHAIN_IDS] https://[HOSTNAME]:443 mainnet 10000 false
   

After you send the stake command, you’ll be prompted for your passphrase, then you should see something like this:

http://localhost:8082/v1/client/rawtx
{
    "logs": null,
    "txhash": "155D46196C69F75F85791C4190D384B8BAFFBBEFCC5D1311130C54A1C54435A7"
}

The actual time it takes to stake will vary depending on when the last block was processed, but generally, it should take less than 15 minutes.

Confirm your node is live

After you’ve staked your node, you can confirm it’s live by running the following command:

pocket query node [YOUR_VALIDATOR_ADDRESS]

If you see something like the following, it just means your node is not live yet:

http://localhost:8082/v1/query/node
the http status code was not okay: 400, and the status was: 400 Bad Request, with a response of {"code":400,"message":"validator not found for 07f5084ab5f5246d747fd1154d5d4387ee5a7111"}

If this happens, please wait a few minutes and try again.

Tutorial complete

Congratulations! You’ve successfully set up a Pocket node.

There’s more to running a Pocket node than this, such as maintenance, upgrades, and other administrative tasks, but hopefully this has gotten you started and on the right path. Thank you for doing your part to help decentralize Web3!