265 lines
8.8 KiB
Plaintext
265 lines
8.8 KiB
Plaintext
Runbook (mpabi): Agave RPC (mainnet, private) + Geyser plugin -> Postgres
|
|
|
|
Cel:
|
|
- Na mpabi odpalic prywatny Agave RPC (non-voting) po WireGuard (wg0).
|
|
- Zbudowac Agave ze zrodel (pinned release).
|
|
- (Po starcie) dodac Geyser plugin zapisujacy do PostgreSQL.
|
|
|
|
Skrot (kolejnosc):
|
|
1) Preconditions: WG + UFW (SSH tylko po wg0).
|
|
2) Storage: SOLACCT->/var/lib/solana/accounts, SOLLEDG->/var/lib/solana/ledger (+ decyzja: wipe czy kontynuacja).
|
|
3) Pakiety + sysctl/limits.
|
|
4) /opt/solana/bin: Anza tools (solana-keygen itd.).
|
|
5) Build Agave ze zrodel (pin tag) + install do /opt/solana/bin/agave-validator.
|
|
6) Identity (0600).
|
|
7) Genesis + snapshot (mainnet).
|
|
8) Systemd: agave-validator (User=solana) + RPC smoke test po WG.
|
|
9) Geyser plugin -> Postgres + dopiecie do systemd + weryfikacja.
|
|
|
|
Konwencja:
|
|
- Komendy uruchamiasz jako user: `user` (z sudo).
|
|
- Validator dziala jako uzytkownik systemowy: `solana`.
|
|
- Biny instalujemy do /opt/solana/bin (root-owned, stabilne sciezki).
|
|
- Dane runtime:
|
|
- ledger: /var/lib/solana/ledger (SOLLEDG = /dev/nvme1n1p1)
|
|
- accounts: /var/lib/solana/accounts (SOLACCT = /dev/nvme0n1p1)
|
|
|
|
Parametry hosta (mpabi):
|
|
- Public iface: enp6s0, public IP: 149.50.116.219
|
|
- WireGuard iface: wg0, WG IP: 10.66.66.1
|
|
- RPC: 8899, WS: 8900
|
|
- Cluster inbound UDP: 8000-8020 (na public)
|
|
|
|
=====================
|
|
0) Preconditions
|
|
=====================
|
|
1) WireGuard up:
|
|
ip -4 a show wg0
|
|
wg show
|
|
|
|
2) SSH powinno byc tylko po wg0 (defense-in-depth):
|
|
sudo ufw status verbose
|
|
|
|
3) Upewnij sie, ze masz sudo do operacji operatorskich (systemctl/journalctl/ufw).
|
|
|
|
=====================
|
|
1) Storage: mount SOLACCT/SOLLEDG
|
|
=====================
|
|
UWAGA: ten wariant NIE formatuje dyskow (bez kasowania), tylko montuje istniejace XFS.
|
|
|
|
UUIDs (wg lsblk -f):
|
|
- SOLACCT: 055bf4e7-00f0-45a0-a995-2413b14428c4 (/dev/nvme0n1p1)
|
|
- SOLLEDG: 6ac7a8c6-efc7-4803-a3dc-a66ea2ef0125 (/dev/nvme1n1p1)
|
|
|
|
1) (Opcjonalnie) obejrzyj co zajmuje SOLLEDG (zanim podepniesz pod /var/lib/solana/ledger):
|
|
sudo mkdir -p /mnt/solledg
|
|
sudo mount /dev/nvme1n1p1 /mnt/solledg
|
|
sudo du -sh /mnt/solledg/* 2>/dev/null | sort -h | tail
|
|
sudo umount /mnt/solledg
|
|
|
|
2) Utworz usera solana + mountpointy:
|
|
sudo getent group solana >/dev/null || sudo groupadd --system solana
|
|
sudo id -u solana >/dev/null 2>&1 || sudo useradd --system --gid solana \
|
|
--home-dir /var/lib/solana --create-home --shell /bin/bash solana
|
|
|
|
sudo install -d -o solana -g solana -m 0750 /var/lib/solana/accounts /var/lib/solana/ledger
|
|
|
|
3) Dodaj wpisy do /etc/fstab (sprawdz czy nie ma juz duplikatow):
|
|
grep -nE '(/var/lib/solana/(accounts|ledger))' /etc/fstab || true
|
|
|
|
UUID_ACCTS="055bf4e7-00f0-45a0-a995-2413b14428c4"
|
|
UUID_LEDGER="6ac7a8c6-efc7-4803-a3dc-a66ea2ef0125"
|
|
|
|
echo "UUID=$UUID_ACCTS /var/lib/solana/accounts xfs noatime,nodiratime 0 2" | sudo tee -a /etc/fstab >/dev/null
|
|
echo "UUID=$UUID_LEDGER /var/lib/solana/ledger xfs noatime,nodiratime 0 2" | sudo tee -a /etc/fstab >/dev/null
|
|
|
|
sudo mount -a
|
|
sudo systemctl daemon-reload
|
|
|
|
4) Permissions (krytyczne):
|
|
sudo chown solana:solana /var/lib/solana/accounts /var/lib/solana/ledger
|
|
sudo chmod 750 /var/lib/solana/accounts /var/lib/solana/ledger
|
|
|
|
5) Verify:
|
|
df -hT /var/lib/solana/accounts /var/lib/solana/ledger
|
|
findmnt /var/lib/solana/accounts
|
|
findmnt /var/lib/solana/ledger
|
|
stat -c '%U:%G %a %n' /var/lib/solana/accounts /var/lib/solana/ledger
|
|
|
|
DECYZJA: co robimy z SOLLEDG (63% used)?
|
|
- Opcja A: zostawiamy (jesli to stary ledger Solany i chcesz kontynuowac).
|
|
- Opcja B: czyscimy i robimy sync od nowa (destrukcyjne, rekomendowane dla powtarzalnosci):
|
|
sudo systemctl stop agave-validator 2>/dev/null || true
|
|
sudo -u solana -H bash -lc '
|
|
cd /var/lib/solana/ledger
|
|
rm -rf rocksdb snapshots accounts_index accounts_hash_cache admin.rpc ledger.lock
|
|
'
|
|
|
|
=====================
|
|
2) Pakiety + sysctl/limits
|
|
=====================
|
|
1) Pakiety:
|
|
sudo apt-get update
|
|
sudo apt-get install -y \
|
|
chrony curl jq git ca-certificates ripgrep \
|
|
smartmontools nvme-cli \
|
|
build-essential pkg-config libssl-dev \
|
|
clang llvm-dev libclang-dev \
|
|
cmake protobuf-compiler libudev-dev zlib1g-dev
|
|
|
|
2) Sysctl:
|
|
sudo tee /etc/sysctl.d/90-agave.conf >/dev/null <<'EOF'
|
|
fs.file-max = 2000000
|
|
vm.max_map_count = 1000000
|
|
net.core.somaxconn = 65535
|
|
net.core.netdev_max_backlog = 250000
|
|
net.core.rmem_max = 134217728
|
|
net.core.wmem_max = 134217728
|
|
EOF
|
|
sudo sysctl --system
|
|
|
|
3) ulimit:
|
|
sudo tee /etc/security/limits.d/90-solana.conf >/dev/null <<'EOF'
|
|
* soft nofile 1000000
|
|
* hard nofile 1000000
|
|
EOF
|
|
|
|
=====================
|
|
3) Firewall (UFW) dla prywatnego RPC
|
|
=====================
|
|
Docelowo:
|
|
- SSH 22/tcp: tylko wg0
|
|
- RPC 8899/tcp, WS 8900/tcp: tylko wg0 (dodatkowo bind na 10.66.66.1)
|
|
- WireGuard: 51820/udp (public)
|
|
- Cluster sync: 8000-8020/udp (public)
|
|
|
|
Komendy (jesli jeszcze nie ustawione):
|
|
sudo ufw default deny incoming
|
|
sudo ufw default allow outgoing
|
|
sudo ufw allow 51820/udp
|
|
|
|
sudo ufw allow in on wg0 to any port 22 proto tcp
|
|
sudo ufw deny in on enp6s0 to any port 22 proto tcp
|
|
|
|
sudo ufw allow in on wg0 to any port 8899 proto tcp
|
|
sudo ufw allow in on wg0 to any port 8900 proto tcp
|
|
sudo ufw deny in on enp6s0 to any port 8899 proto tcp
|
|
sudo ufw deny in on enp6s0 to any port 8900 proto tcp
|
|
|
|
sudo ufw allow in on enp6s0 to any port 8000:8020 proto udp
|
|
|
|
sudo ufw enable
|
|
sudo ufw status verbose
|
|
|
|
=====================
|
|
4) Instalacja narzedzi Solana/Anza do /opt/solana/bin
|
|
=====================
|
|
1) Installer (jako solana):
|
|
sudo install -d -o root -g root -m 0755 /opt/solana/bin
|
|
sudo -u solana -H bash -lc 'sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)"'
|
|
|
|
2) Skopiuj biny do /opt/solana/bin:
|
|
sudo cp -a /var/lib/solana/.local/share/solana/install/active_release/bin/. /opt/solana/bin/
|
|
sudo find /opt/solana/bin -maxdepth 1 -type f -exec chmod 0755 {} \;
|
|
|
|
3) Verify:
|
|
/opt/solana/bin/solana --version || true
|
|
/opt/solana/bin/solana-keygen --version
|
|
|
|
=====================
|
|
5) Build + install agave-validator (pinned latest stable)
|
|
=====================
|
|
Patrz:
|
|
- trade-iac/doc/step-002f-agave-build-from-source-latest.txt
|
|
|
|
Skrót:
|
|
1) Wybierz TAG (np. v3.0.x) i zbuduj jako solana do /var/lib/solana/src/
|
|
2) Zainstaluj binarke do /opt/solana/bin/agave-validator
|
|
3) Verify:
|
|
/opt/solana/bin/agave-validator --version
|
|
|
|
=====================
|
|
6) Identity
|
|
=====================
|
|
1) Utworz raz:
|
|
if [ ! -f /var/lib/solana/identity.json ]; then
|
|
sudo -u solana -H /opt/solana/bin/solana-keygen new --no-passphrase -o /var/lib/solana/identity.json
|
|
sudo chown solana:solana /var/lib/solana/identity.json
|
|
sudo chmod 0600 /var/lib/solana/identity.json
|
|
fi
|
|
|
|
2) Zapisz pubkey do notatek:
|
|
sudo -u solana -H /opt/solana/bin/solana-keygen pubkey /var/lib/solana/identity.json
|
|
|
|
=====================
|
|
7) Genesis + snapshot (mainnet)
|
|
=====================
|
|
1) Genesis:
|
|
patrz: trade-iac/doc/step-002c-genesis-download-mainnet.txt
|
|
|
|
2) Snapshot (wymagany na mainnet):
|
|
patrz: trade-iac/doc/step-002d-snapshot-download-mainnet.txt
|
|
|
|
=====================
|
|
8) Systemd: agave-validator (RPC-only)
|
|
=====================
|
|
Unit template:
|
|
- trade-iac/doc/step-002b-agave-validator-systemd.txt
|
|
|
|
Wazne:
|
|
- `User=solana`
|
|
- `--rpc-bind-address 10.66.66.1`
|
|
- `--private-rpc`
|
|
- nie uzywaj `\\` w ExecStart (tylko pojedynczy `\` na koncu linii)
|
|
|
|
Start/verify:
|
|
sudo systemctl daemon-reload
|
|
sudo systemctl enable --now agave-validator
|
|
systemctl is-active agave-validator
|
|
sudo journalctl -u agave-validator -n 120 --no-pager
|
|
|
|
RPC smoke test (po WG):
|
|
curl -sS -H 'content-type: application/json' \
|
|
--data '{"jsonrpc":"2.0","id":1,"method":"getVersion"}' \
|
|
http://10.66.66.1:8899 | jq .
|
|
|
|
Manual run (exports + komenda w plikach na mpabi):
|
|
# Zawiera "solana export" (PATH + SOLANA_RPC_URL) i helper `agave_run()`:
|
|
# - /etc/solana/agave-env.sh
|
|
# - /etc/solana/agave-validator.args
|
|
sudo -u solana -H bash -lc 'source /etc/solana/agave-env.sh; agave_run'
|
|
|
|
=====================
|
|
9) Geyser plugin -> PostgreSQL
|
|
=====================
|
|
Krok po kroku:
|
|
- trade-iac/doc/step-003-geyser-plugin-postgres.txt
|
|
|
|
Skrót:
|
|
1) Postgres:
|
|
sudo apt-get install -y postgresql
|
|
sudo systemctl enable --now postgresql
|
|
|
|
2) DB/user:
|
|
sudo -u postgres psql -v ON_ERROR_STOP=1 <<'SQL'
|
|
DO $$
|
|
BEGIN
|
|
IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'geyser') THEN
|
|
CREATE ROLE geyser LOGIN PASSWORD 'CHANGE_ME';
|
|
END IF;
|
|
END $$;
|
|
CREATE DATABASE geyser OWNER geyser;
|
|
SQL
|
|
|
|
3) Build plugin (.so) i instaluj do /opt/solana/plugins/
|
|
4) Skopiuj example JSON config do /etc/solana/geyser-postgres.json, ustaw DSN, selektory.
|
|
5) Dopisz do unit ExecStart:
|
|
--geyser-plugin-config /etc/solana/geyser-postgres.json
|
|
i zrestartuj:
|
|
sudo systemctl daemon-reload
|
|
sudo systemctl restart agave-validator
|
|
|
|
Verify:
|
|
sudo journalctl -u agave-validator -n 200 --no-pager | rg -i 'geyser|plugin|postgres' || true
|
|
sudo -u postgres psql -d geyser -c '\\dt' | head
|