From 110ac5b1a3d4108ea6774d537df047e94ebfbf1f Mon Sep 17 00:00:00 2001 From: Shannon Appelcline Date: Fri, 19 Jun 2020 09:27:33 -1000 Subject: [PATCH] better edited for new Standup integration --- ..._Up_a_Bitcoin-Core_VPS_with_StackScript.md | 61 ++++++++----------- 1 file changed, 27 insertions(+), 34 deletions(-) diff --git a/02_2_Setting_Up_a_Bitcoin-Core_VPS_with_StackScript.md b/02_2_Setting_Up_a_Bitcoin-Core_VPS_with_StackScript.md index b9e8cd4..892b9ea 100644 --- a/02_2_Setting_Up_a_Bitcoin-Core_VPS_with_StackScript.md +++ b/02_2_Setting_Up_a_Bitcoin-Core_VPS_with_StackScript.md 
@@ -6,9 +6,9 @@ This document explains how to set up a VPS (Virtual Private Sever) to run a Bitc > :warning: **WARNING:** Don’t use a VPS for a bitcoin wallet with significant real funds; see http://blog.thestateofme.com/2012/03/03/lessons-to-be-learned-from-the-linode-bitcoin-incident/ . It is very nice to be able experiment with real bitcoin transactions on a live node without tying up a self-hosted server on a local network. It's also useful to be able to use an iPhone or iPad to communicate via SSH to your VPS to do some simple bitcoin tasks. But a higher level of safety is required for significant funds. -If you want to instead do all the setup by hand, please read the parallel HOWTO file, [§2.1: Setting up a Bitcoin-Core VPS by Hand](02_1_Setting_Up_a_Bitcoin-Core_VPS_by_Hand.md). - -If you already have a Bitcoin node running, instead read the next HOWTO file, [Chapter Three: Understanding Your Bitcoin Setup](03_0_Understanding_Your_Bitcoin_Setup.md). +* If you want to instead do all the setup by hand, goto [§2.1: Setting up a Bitcoin-Core VPS by Hand](02_1_Setting_Up_a_Bitcoin-Core_VPS_by_Hand.md). +* If you want to instead setup on a machine other than a Linode VPS, such as an AWS machine or a Mac, goto [§2.3: Setting Up a Bitcoin-Core via Other Means](02_3_Setting_Up_Bitcoin_Core_Other.md) +* If you already have a Bitcoin node running, goto [Chapter Three: Understanding Your Bitcoin Setup](03_0_Understanding_Your_Bitcoin_Setup.md). ## Getting Started with Linode @@ -30,7 +30,7 @@ https://www.linode.com/?r=23211828bc517e2cb36e0ca81b91cc8c0e1b2d96 You'll need to provide an email address and later preload money from a credit card or PayPal for future costs. -When you're done, you should land on https://manager.linode.com +When you're done, you should land on [https://cloud.linode.com/dashboard](https://cloud.linode.com/dashboard). ### Consider Two-Factor Authentication 
@@ -40,25 +40,25 @@ Your server security won't be complete if people can break into your Linode acco ### Load the StackScript -Download the [Linode Standup Script](https://github.com/BlockchainCommons/Bitcoin-Standup-Scripts/blob/master/Scripts/LinodeStandUp.sh) from the [Bitcoin Standup Scripts report](https://github.com/BlockchainCommons/Bitcoin-Standup-Scripts). This script basically automates the Bitcoin VPS setup instructions from [§2.1](02_1_Setting_Up_a_Bitcoin-Core_VPS_by_Hand.md). If you want to be particulary prudent, read it over carefully. If you are satisfied, you can copy that StackScript into your own account by going to the [Stackscripts page](https://cloud.linode.com/stackscripts?type=account) on your Linode account and selecting to [Create New Stackscript](https://cloud.linode.com/stackscripts/create). Give it a good name (we use `Bitcoin Standup`), then copy and paste the script. Choose Debian 10 for your target image and "Save" it. +Download the [Linode Standup Script](https://github.com/BlockchainCommons/Bitcoin-Standup-Scripts/blob/master/Scripts/LinodeStandUp.sh) from the [Bitcoin Standup Scripts repo](https://github.com/BlockchainCommons/Bitcoin-Standup-Scripts). This script basically automates the Bitcoin VPS setup instructions from [§2.1](02_1_Setting_Up_a_Bitcoin-Core_VPS_by_Hand.md). If you want to be particulary prudent, read it over carefully. If you are satisfied, you can copy that StackScript into your own account by going to the [Stackscripts page](https://cloud.linode.com/stackscripts?type=account) on your Linode account and selecting to [Create New Stackscript](https://cloud.linode.com/stackscripts/create). Give it a good name (we use `Bitcoin Standup`), then copy and paste the script. Choose Debian 10 for your target image and "Save" it. ### Do the Initial Setup You're now ready to create a node based on the Stackscript. 1. On the [Stackscripts page](https://cloud.linode.com/stackscripts?type=account), click on the "..." 
to the right of your new script and choose "Deploy New Linode". -2. Fill in a short and fully qualified hostname - * **Short Hostname.** Pick a name for your VPS. For example, "mybtctest" +2. Fill in a short and a fully qualified hostname + * **Short Hostname.** Pick a name for your VPS. For example, "mybtctest". * **Fully Qualified Hostname.** If you're going to include this VPS as part of a network with full DNS records, type in the hostname with its domain. For example, "mybtctest.mydomain.com". Otherwise, just repeat the short hostname and add ".local", for example "mybtctest.local". 3. Enter the password for the "standup" user. 4. Choose an Installation Type in the advanced options. - * **Installation Type.** This is likely "Mainnet" or "Pruned Mainnet" if you are setting up a node for usage and "Pruned Testnet" if you're just playing around. See the [Appendix](#Appendix) for more information on these options. + * **Installation Type.** This is likely "Mainnet" or "Pruned Mainnet" if you are setting up a node for usage and "Pruned Testnet" if you're just playing around. See the [Appendix](#appendix-bitcoin-installation-types) for more information on these options. 5. Fill in any other appropriate advanced options. * **X25519 Public Key.** This is a public key to add to Tor's list of authorized clients. If you don't use it, anyone who gets the QR code for your node can access it. You'll get this public key from whichever client you're using to connect to your node. For example, if you use [FullyNoded 2](https://github.com/BlockchainCommons/FullyNoded-2), you can go to its settings and "Export Tor V3 Authentication Public Key" for use here. * **SSH Key.** Copy your local computer's SSH key here; this allows you be able to automatically login in via SSH to the standup account. 
If you haven't setup an SSH key on your local computer yet, there are good instructions for it on [Github](https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/). You may also want to add your SSH key into your Linode LISH (Linode Interactive Shell) by going to your "Linode Home Page / My Preferences / LISH Settings / LISH Keys". Using an SSH key will give you a simpler and safer way to log in to your server. * **SSH-Allowed IPs.** This is a comma-separated list of IPs that will be allowed to SSH into the VPS. For example "192.168.1.15,192.168.1.16". If you do not enter any IPs, _your VPS will not be very secure_. It will constantly be bombarded by attackers trying to find their way in, and they may very well succeed. 4. Select an Image - * **Target Image.** If you followed the instructions, this will only allow you to select "Debian 10", though "Debian 9" did also work with previous versions of this Stackscript (and might still). + * **Target Image.** If you followed the instructions, this will only allow you to select "Debian 10" (though "Debian 9" did also work with previous versions of this Stackscript and might still). 5. Choose a region for where the Linode will be located. *The remaining questions all have to do with the mechanics of the VPS deployment and should be left as they are with one exception: bump the Swap Disk from 256MB to 512MB, to ensure that you have enough memory to download the blockchain._ @@ -77,7 +77,7 @@ The following chart shows minimum requirements | Setup | Memory | Storage | Linnode | |-------|--------|---------|---------| -| Mainnet | 2G | 120G | Linode 16GB | +| Mainnet | 2G | 280G | Linode 16GB | | Pruned Mainnet | 2G | ~5G | Linode 4GB | | Testnet | 2G | ~15G | Linode 4GB | | Pruned Testnet | 2G | ~5G | Linode 4GB | 
@@ -85,22 +85,17 @@ The following chart shows minimum requirements Note, there may be ways to reduce both costs. -* For the machines we suggest as **Linode 4GB**, you may be able to reduce that to a Linode 2GB. Some versions of Bitcoin Core have worked well at that size, some have occasionally run out of memory and then recovered, and some have continuously run out of memory. Use at your own risk. -* For the Unpruned Mainnet, which we suggest as a **Linode 16GB**, you can probably get by with a Linode 4GB, but add [Block Storage](https://cloud.linode.com/volumes) sufficient to store the blockchain. This is certainly a better long-term solution since the Bitcoin blockchain's storage requirements continuously increase if you don't prune, while the CPU requirements don't (or don't to the same degree). A 320 GibiByte storage would be $32 a month, which combined with a Linode 4GB is $52 a month, instead of $80, and more importantly you can keep growing it. We don't fully document this setup for two reasons (1) we don't suggest the unpruned mainnet setup, and so we suspect it's a much less common setup; and (2) we haven't tested how Linodes volumes compare to their intrinic SSDs for performance and usage. But there's full documentation on the Block Storage page. You'd need to set up the Linode, run its stackscript, but then interrupt it to move the blockchain storage overly to a newly commissioned volume. +* For the machines we suggest as **Linode 4GB**, you may be able to reduce that to a Linode 2GB. Some versions of Bitcoin Core have worked well at that size, some have occasionally run out of memory and then recovered, and some have continuously run out of memory. Remember to up that swap space to maximize the odds of this working. Use at your own risk. +* For the Unpruned Mainnet, which we suggest as a **Linode 16GB**, you can probably get by with a Linode 4GB, but add [Block Storage](https://cloud.linode.com/volumes) sufficient to store the blockchain. 
This is certainly a better long-term solution since the Bitcoin blockchain's storage requirements continuously increase if you don't prune, while the CPU requirements don't (or don't to the same degree). A 320 GibiByte storage would be $32 a month, which combined with a Linode 4GB is $52 a month, instead of $80, and more importantly you can keep growing it. We don't fully document this setup for two reasons (1) we don't suggest the unpruned mainnet setup, and so we suspect it's a much less common setup; and (2) we haven't tested how Linodes volumes compare to their intrinic SSDs for performance and usage. But there's full documentation on the Block Storage page. You'd need to set up the Linode, run its stackscript, but then interrupt it to move the blockchain storage overly to a newly commissioned volume before continuing. -Just choose your Linode type, choose a Location that's geographically as close to you as possible, and click "Add your Linode!". ### Do the Final Setup -The last thing you need to do is enter a root password, then click create. (If you missed anything, you'll be told so now!) - - -**Installation Type.** See _Appendix I_ for more on these Bitcoin installation types. If you're planning to get on the main Bitcoin network, you'll probably want to choose "Pruned Mainnet". If you're wanting to play with Bitcoin Core and learn more about how it works, you'll probably want to choose "Unpruned Testnet". - +The last thing you need to do is enter a root password. (If you missed anything, you'll be told so now!) Click "Deploy" to initialize your disks and to prepare your VPS. The whole queue should run in less than a minute. When it's done you should see in the "Host Job Queue", green "Success" buttons stating "Disk Create from StackScript - Setting password for root… done." and "Create Filesystem - 256MB Swap Image". -You may now want to change your Linode VPS's name from the default `linodexxxxxxxx`. 
Go to the Settings tab, and change the label to be more useful, such as your VPS's short hostname. For instance I have renamed mine to `bitcoin-testnet-pruned` to differentiate it from other VPSs in my account. +You may now want to change your Linode VPS's name from the default `linodexxxxxxxx`. Go to the Settings tab, and change the label to be more useful, such as your VPS's short hostname. For instance you might name it `bitcoin-testnet-pruned` to differentiate it from other VPSs in your account. ## Login to Your VPS @@ -108,7 +103,7 @@ If you watch your Linode control panel, you should see the new computer spin up. First, you'll need the IP address. Click on the "Linodes" tab and you should see a listing of your VPS, the fact that it's running, its "plan", its IP address, and some other information. -Go to your local console and login to the user1 account using that address: +Go to your local console and login to the `standup` account using that address: ``` ssh standup@[IP-ADDRESS] 
@@ -126,13 +121,13 @@ If you configured your VPS to use an SSH key, the login should be automatic (pos Here's a little catch: _your StackScript is running right now_. The BASH script gets executed the first time the VPS is booted. That means your VPS isn't ready yet. -In past versions, this has taken a bit of time, but the Standup script seems to finish in about 10 minutes. So, go take a break, get an espresso, or otherwise relax for a few minutes. There are two parts of the script that take a while: the updating of all the Debian packages; and the downloading of the Bitcoin code. They shouldn't take more than 5 minutes each, which means if you come back in 10 minutes, you'll probably be ready to go. +The total run time is about 10 minutes. So, go take a break, get an espresso, or otherwise relax for a few minutes. There are two parts of the script that take a while: the updating of all the Debian packages; and the downloading of the Bitcoin code. They shouldn't take more than 5 minutes each, which means if you come back in 10 minutes, you'll probably be ready to go. If you're impatient you can jump ahead and `sudo tail -f ~root/standup.log` which will display the current progress of installation, as described in the next section. ## Verify Your Installation -You'll know that stackscrpit is done when the `standup.log` says something like the following: +You'll know that stackscrpit is done when the `tail` of the `standup.log` says something like the following: ``` /root/StackScript - Bitcoin is setup as a service and will automatically start if your VPS reboots and so is Tor /root/StackScript - You can manually stop Bitcoin with: sudo systemctl stop bitcoind.service @@ -141,7 +136,7 @@ You'll know that stackscrpit is done when the `standup.log` says something like At that point, your home directory should look like this: ``` -~$ ls +$ ls bitcoin-0.20.0-x86_64-linux-gnu.tar.gz laanwj-releases.asc SHA256SUMS.asc ``` 
@@ -165,7 +160,7 @@ If you see something like the following, all should be well: /root/StackScript - VERIFICATION SUCCESS / SIG: gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) " [unknown] /root/StackScript - VERIFICATION SUCCESS / SHA: 35ec10f87b6bc1e44fd9cd1157e5dfa4``` ``` -However, if either of those two checks instead reads "VERIFICATION ERROR", then there's a problem. Since this is all scripted, it's possible that there's just been a minor change that has caused the script's checks not to work right. (This has happened a few times over the existence of this script.) But, it's also possible that someone is trying to encourage you to run a fake copy of the Bitcoin daemon. So, _be very sure you know what happened before you make use of Bitcoin!_ +However, if either of those two checks instead reads "VERIFICATION ERROR", then there's a problem. Since this is all scripted, it's possible that there's just been a minor change that has caused the script's checks not to work right. (This has happened a few times over the existence of the script that became Standup.) But, it's also possible that someone is trying to encourage you to run a fake copy of the Bitcoin daemon. So, _be very sure you know what happened before you make use of Bitcoin!_ ### Read the Logs @@ -175,7 +170,7 @@ It's best to look through the standard StackScript log file, which has all of th `$ sudo more ~root/standup.log` -Note that it is totally normal to see _some_ errors, particularly when running the very noisy gpg software and when various things try to access the non-existant /dev/tty device. +Note that it is totally normal to see _some_ errors, particularly when running the very noisy gpg software and when various things try to access the non-existant `/dev/tty` device. If you want instead to look at a smaller set of info, all of the errors should be in: 
@@ -191,15 +186,15 @@ Although the default Debian 10 image that we are using for your VPS has been mod ### Protected Services -Your Bitcoin VPS installation is minimal and allows almost no communication. This is managed through Part 5 of the StackScript, which sets up Tor and ensures that it's the only way to speak with the Bitcoin ports, other than localhost connections. It's further supplement by the uncomplicated firewall (`ufw`), which blocks everything except SSH connections. +Your Bitcoin VPS installation is minimal and allows almost no communication. This is managed through Part 5 of the StackScript, which sets up Tor and ensures that it's the only way to speak with the Bitcoin ports, other than localhost connections. It's further supplemented by the uncomplicated firewall (`ufw`), which blocks everything except SSH connections. **Adjusting Tor.** You might want to better protect services like SSH. See [Chapter 12: Using Tor](https://github.com/BlockchainCommons/Learning-Bitcoin-from-the-Command-Line/blob/master/12_0_Using_Tor.md) for more on Tor. -**Adjusting UFW.** You should probably leave UFW in its super-protected stage! You don't want to use a Bitcoin machine for other services, because everyone increases your vulnerability! If you decide otherwise, there are several [guides to UFW](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands) that will allow you to add services. It's, as advertised, uncomplicated. For example adding mail services would just require opening the mail port: `sudo ufw allow 25`. But don't do that. +**Adjusting UFW.** You should probably leave UFW in its super-protected stage! You don't want to use a Bitcoin machine for other services, because everyone increases your vulnerability! If you decide otherwise, there are several [guides to UFW](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands) that will allow you to add services. 
As advertised, uit's ncomplicated. For example adding mail services would just require opening the mail port: `sudo ufw allow 25`. But don't do that. ### Protected Shells -If you provided an IP access for SSH control, SSH (and SCP) access to the server is severely restricted. /etc/hosts.deny disallows anyone from logging in. _We do not suggest changing this_. /etc/hosts.allow then allows specific IP addresses. Just add more IP addresses in a comma-separated list if you need to offer more access. +If you defined "SSH-allowed IPs", SSH (and SCP) access to the server is severely restricted. `/etc/hosts.deny` disallows anyone from logging in. _We do not suggest changing this_. `/etc/hosts.allow` then allows specific IP addresses. Just add more IP addresses in a comma-separated list if you need to offer more access. For example: @@ -221,14 +216,12 @@ echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean false" So now you probably want to play with Bitcoin! -But wait, your Bitcoin daemon is probably still downloading blocks. This alias, from your .bash configuration will tell you how things are going. - -The `bitcoin-cli getblockcount` will tell you how you're currently doing: +But wait, your Bitcoin daemon is probably still downloading blocks. The `bitcoin-cli getblockcount` will tell you how you're currently doing: ``` $ bitcoin-cli getblockcount 1771352 ``` -If it's different every time you type the command, you need to wait before working with Bitcoin. This typically takes 1-6 hours currently fora pruned setup, depending on your precise machine. +If it's different every time you type the command, you need to wait before working with Bitcoin. This takes 1-6 hours currently for a pruned setup, depending on your precise machine. But, once it settles at a number, you're ready to continue! 
@@ -236,7 +229,7 @@ Still, it might be time for a few more espressos. But soon enough, your system w ## Summary: Setting Up a Bitcoin-Core VPS by Hand -Creating a Bitcoin-Core VPS with a StackScript made the whole process quick, simple and (hopefully) painless. +Creating a Bitcoin-Core VPS with the Standup scripts made the whole process quick, simple and (hopefully) painless. ## What's Next? @@ -249,7 +242,7 @@ You have a few options for what's next: ## Appendix: Bitcoin Installation Types -**Mainnet.** This will download the entirety of the Bitnet blockchain. That's 120G of data (and getting more every day). +**Mainnet.** This will download the entirety of the Bitnet blockchain. That's 280G of data (and getting more every day). **Pruned Mainnet.** This will cut the blockchain you're storing down to just the last 550 blocks. If you're not mining or running some other Bitcoin service, this should be plenty for validation.
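Review bot: In the `@@ -6,9 +6,9 @@` hunk, the three added bullets use "goto" and "setup" as verbs; write "go to" and "set up", and end the §2.3 bullet with a period like the other two. The §2.3 link text "Setting Up a Bitcoin-Core via Other Means" also reads as if a noun is missing after "Bitcoin-Core".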
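Review bot: The download link on the changed line of the `@@ -40,25 +40,25 @@` hunk points at `blob/master/Scripts/LinodeStandUp.sh`, so the script a reader reviews and pastes can differ from the one this chapter was written against. Link to a tagged release or a specific commit instead, since the text asks the reader to "read it over carefully" before it runs at first boot. The same changed line keeps the typo "particulary", and the numbered list in this hunk still runs 1 to 5 and then restarts at "4. Select an Image"; the italic note after it opens with `*` and closes with `_`.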
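Review bot: The `280G` figure added to the Mainnet row in the `@@ -77,7 +77,7 @@` hunk is hard-coded here and again in the appendix hunk, and will go stale the same way the 120G it replaces did. Date the figure (for example "as of June 2020") or state it in one place and refer to it from the other. The table header in the context line still reads "Linnode".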
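Review bot: The added sentence "Remember to up that swap space" in the `@@ -85,22 +85,17 @@` hunk, like the earlier instruction to bump the Swap Disk from 256MB to 512MB, disagrees with the unchanged success message "Create Filesystem - 256MB Swap Image" quoted under "Do the Final Setup". Update the quoted message or say that the size shown will match what was chosen. The changed Block Storage bullet also keeps "intrinic", "Linodes volumes" and "overly" (for "over").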
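Review bot: The changed line under "Verify Your Installation" in the `@@ -126,13 +121,13 @@` hunk still spells the word "stackscrpit", and elsewhere the patch alternates between "StackScript", "Stackscript" and "stackscript"; pick one spelling while these lines are being touched. "the `tail` of the `standup.log`" would read better as "the end of `standup.log`", since the command that produces it is given one paragraph earlier.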
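Review bot: The rewritten "VERIFICATION ERROR" paragraph in the `@@ -165,7 +160,7 @@` hunk still stops at "be very sure you know what happened" without saying how to find out. Point the reader at the files the script leaves in the home directory (`SHA256SUMS.asc`, `laanwj-releases.asc` and the release tarball) so the signature and hash can be re-checked by hand before the node is used. In the context lines above it, the sample `VERIFICATION SUCCESS / SHA:` value is 32 hex characters, half the length of a SHA-256 digest, and is followed by three stray backticks before the closing fence.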
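Review bot: The line changed in the `@@ -175,7 +170,7 @@` hunk to add code formatting around `/dev/tty` keeps the misspelling "non-existant"; fix it to "non-existent" in the same edit.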
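Review bot: The added "Adjusting UFW" line in the `@@ -191,15 +186,15 @@` hunk introduces a typo, "As advertised, uit's ncomplicated", where the removed line read correctly; it should be "As advertised, it's uncomplicated". The same line keeps "because everyone increases your vulnerability", which should be "every one". In "Protected Shells", the new wording makes the `/etc/hosts.deny` and `/etc/hosts.allow` restriction conditional on "SSH-allowed IPs" being defined, so it is worth one sentence on what limits SSH when that field was left empty, given that the firewall paragraph above says `ufw` lets SSH through.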
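Review bot: The merged sentence in the `@@ -221,14 +216,12 @@` hunk, "The `bitcoin-cli getblockcount` will tell you how you're currently doing", needs "command" after the backticked name or the leading "The" dropped. The "settles at a number" test in the context line can also be satisfied by a node that has stalled; consider mentioning `bitcoin-cli getblockchaininfo`, where `blocks` can be compared with `headers`, as the firmer check.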
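Review bot: The heading directly above the changed line in the `@@ -236,7 +229,7 @@` hunk still reads "Summary: Setting Up a Bitcoin-Core VPS by Hand", which is the title of §2.1, while this file and the edited sentence are about the StackScript and Standup route. Rename the heading in the same change so the summary matches the chapter.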
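Review bot: The added Mainnet line in the `@@ -249,7 +242,7 @@` hunk keeps "Bitnet blockchain", which should be "Bitcoin blockchain". The table in this file uses "280G" while the prose elsewhere uses "GibiByte" and "MB"; settle on one unit style for sizes.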