info
The following information applies to the Polkadot network. If you want to set up a validator onKusama, check out the Kusama guide instead.
This guide will instruct you how to set up a validator node on the Polkadot network.
Preliminaries
Running a validator on a live network is a lot of responsibility! You will be accountable for notonly your own stake, but also the stake of your current nominators. If you make a mistake and getslashed, your money and your reputation will be at risk. However, running a validator can also bevery rewarding, knowing that you contribute to the security of a decentralized network while growingyour stash.
danger
It is highly recommended that you have significant system administration experience beforeattempting to run your own validator.
You must be able to handle technical issues and anomalies with your node which you must be able totackle yourself. Being a validator involves more than just executing the Polkadot binary.
Since security is so important to running a successful validator, you should take a look at thesecure validator information to make sure you understand thefactors to consider when constructing your infrastructure. Web3 Foundation also maintains areference implementation for a validator set-upthat you can use by deploying yourself (video walkthrough is availablehere). As you progress in your journey as avalidator, you will likely want to use this repository as a starting point for your ownmodifications and customizations.
If you need help, please reach out on thePolkadot Validator Loungeon Riot. The team and other validators are there to help answer questions and provide tips fromexperience.
How many DOT do I need?
You can have a rough estimate on that by using the methods listedhere.To be elected into the set, you need a minimum stake behind your validator. This stake can come fromyourself or from nominators. This means that as a minimum, you willneed enough DOT to set up Stash and Controller accounts with theexistential deposit, plus a little extra for transaction fees. The rest can come from nominators. Tounderstand how validators are elected, check theNPoS Election algorithms page.
On-Chain Data for Reference
On Polkadot, the minimum stake backing a validator in the active set is in the era.
On Kusama, the minimum stake backing a validator in the active set is in theera.
Warning: Any DOT that you stake for your validator is liable to be slashed, meaning that aninsecure or improper setup may result in loss of DOT tokens! If you are not confident in yourability to run a validator node, it is recommended to nominate your DOT to a trusted validator nodeinstead.
Initial Set-up
Requirements
The most common way for a beginner to run a validator is on a cloud server running Linux. You maychoose whatever VPS provider that your prefer. As OS it is best to use a recentDebian Linux. For this guide we will be using Ubuntu 22.04, but the instructions should besimilar for other platforms.
Reference Hardware
The transaction weights in Polkadot are benchmarked on reference hardware. We ran the benchmark onVM instances of two major cloud providers: Google Cloud Platform (GCP) and Amazon Web Services(AWS). To be specific, we used c2d-highcpu-8 VM instance on GCP and c6id.2xlarge on AWS. It isrecommended that the hardware used to run the validators at least matches the specs of the referencehardware in order to ensure they are able to process all blocks in time. If you use subpar hardwareyou will possibly run into performance issues, get less era points, and potentially even getslashed.
- CPU
- x86-64 compatible;
- Intel Ice Lake, or newer (Xeon or Core series); AMD Zen3, or newer (EPYC or Ryzen);
- 4 physical cores @ 3.4GHz;
- Simultaneous multithreading disabled (Hyper-Threading on Intel, SMT on AMD);
- Prefer single-threaded performance over higher cores count. A comparison of single-threadedperformance can be found here.
- Storage
- An NVMe SSD of 1 TB (As it should be reasonably sized to deal with blockchain growth). Anestimation of current chain snapshot sizes can be found here. Ingeneral, the latency is more important than the throughput.
- Memory
- 16GB DDR4 ECC.
- System
- Linux Kernel 5.16 or newer.
- Network
- The minimum symmetric networking speed is set to 500 Mbit/s (= 62.5 MB/s). This is required tosupport a large number of parachains and allow for proper congestion control in busy networksituations.
The specs posted above are not a hard requirement to run a validator, but are considered bestpractice. Running a validator is a responsible task; using professional hardware is a must in anyway.
Node Prerequisites: Install Rust and Dependencies
Once you choose your cloud service provider and set-up your new server, the first thing you will dois install Rust.
If you have never installed Rust, you should do this first.
If you have already installed Rust, run the following command to make sure you are using the latestversion.
rustup update
If not, this command will fetch the latest version of Rust and install it.
curl https://sh.rustup.rs -sSf | sh -s -- -y
note
If you do not have "curl" installed, run:
sudo apt install curl
It will also be valuable to have "websocat" (Netcat, curl and socat for WebSockets) installed forRPC interactions. Installation instructions for various operating systems can be foundhere.
To configure your shell, run the following command.
source $HOME/.cargo/env
Verify your installation.
rustc --version
Finally, run this command to install the necessary dependencies for compiling and running thePolkadot node software.
sudo apt install make clang pkg-config libssl-dev build-essential
Note - if you are using OSX and you have Homebrew installed, you can issue thefollowing equivalent command INSTEAD of the previous one:
brew install cmake pkg-config openssl git llvm
Install & Configure Network Time Protocol (NTP) Client
NTP is a networking protocol designed tosynchronize the clocks of computers over a network. NTP allows you to synchronize the clocks of allthe systems within the network. Currently it is required that validators' local clocks stayreasonably in sync, so you should be running NTP or a similar service. You can check whether youhave the NTP client by running:
If you are using Ubuntu 18.04 or a newer version, NTP Client should be installed by default.
timedatectl
If NTP is installed and running, you should see System clock synchronized: yes (or a similarmessage). If you do not see it, you can install it by executing:
sudo apt-get install ntp
ntpd will be started automatically after install. You can query ntpd for status information toverify that everything is working:
sudo ntpq -p
danger
Skipping this can result in the validator node missing block authorship opportunities. If the clockis out of sync (even by a small amount), the blocks the validator produces may not get accepted bythe network. This will result in ImOnline heartbeats making it on chain, but zero allocated blocksmaking it on chain.
Building and Installing the polkadot binary
Optional: Installation via Package Managers
The Polkadot Binary in included in Debian derivatives (i.e. Debian, Ubuntu) andRPM-based distros (i.e. Fedora, CentOS).
Debian-based (Debian, Ubuntu)
Run the following commands as the root user:
# Import the [emailprotected] GPG key
gpg --recv-keys --keyserver hkps://keys.mailvelope.com 9D4B2B6EB8F97156D19669A9FF0812D491B96798
gpg --export 9D4B2B6EB8F97156D19669A9FF0812D491B96798 > /usr/share/keyrings/parity.gpg
# Add the Parity repository and update the package index
echo 'deb [signed-by=/usr/share/keyrings/parity.gpg] https://releases.parity.io/deb release main' > /etc/apt/sources.list.d/parity.list
apt update
# Install the `parity-keyring` package - This will ensure the GPG key
# used by APT remains up-to-date
apt install parity-keyring
# Install polkadot
apt install polkadot
RPM-based (Fedora, CentOS)
Run the following commands as the root user:
# Install dnf-plugins-core (This might already be installed)
dnf install dnf-plugins-core
# Add the repository and enable it
dnf config-manager --add-repo https://releases.parity.io/rpm/polkadot.repo
dnf config-manager --set-enabled polkadot
# Install polkadot (You may have to confirm the import of the GPG key, which
# should have the following fingerprint: 9D4B2B6EB8F97156D19669A9FF0812D491B96798)
dnf install polkadot
After installing Polkadot, you can verify the installation by running
which polkadot
It should return
/usr/bin/polkadot
By default, the Polkadot systemd service is disabled
To start the service, run:
sudo systemctl start polkadot.service
Polkadot Binary
You will need to build the polkadot binary from theparitytech/polkadot repository on GitHub using the sourcecode available in the v0.9 branch.
You should generally use the latest 0.9.x tag. You should either review the output from the "gittag" command or visit the Releases to see a listof all the potential 0.9 releases. You should replace VERSION below with the latest build (i.e.,the highest number). You can also find the latest Kusama version on therelease tab.
note
If you prefer to use SSH rather than HTTPS, you can replace the first line of the below with
git clone [emailprotected]:paritytech/polkadot.git
git clone https://github.com/paritytech/polkadot.git
cd polkadot
Run the following command to find the latest version.
git tag -l | sort -V | grep -v -- '-rc'
Find the latest version; replace "VERSION" in the commmand below and run to change your branch.
git checkout VERSION
./scripts/init.sh
Build native code with the production profile.
cargo build --profile production
This step will take a while (generally 10 - 40 minutes, depending on your hardware).
Compilation Errors
If you run into compile errors, you may have to pin the version of Rust compiler to the one that wasused to build the release. Check out Rust compiler versions section in the release notes. This canbe done by running:
rustup install nightly-2022-05-18
rustup target add wasm32-unknown-unknown --toolchain nightly-2022-05-18
cargo +nightly-2022-05-18 build --release
You may also need to run the build more than once.
If you would like to execute the tests, run the following command:
cargo test --all
If you are interested in generating keys locally, you can also install subkey from the samedirectory. You may then take the generated subkey executable and transfer it to an air-gappedmachine for extra security.
cargo install --force --git https://github.com/paritytech/substrate subkey
Synchronize Chain Data
You can begin syncing your node by running the following command if you do not want to start invalidator mode right away:
./target/production/polkadot
2021-06-17 03:07:07 Parity Polkadot
2021-06-17 03:07:07 ✌️ version 0.9.5-95f6aa201-x86_64-linux-gnu
2021-06-17 03:07:07 ❤️ by Parity Technologies <[emailprotected]>, 2017-2021
2021-06-17 03:07:07 📋 Chain specification: Polkadot
2021-06-17 03:07:07 🏷 Node name: boiling-pet-7554
2021-06-17 03:07:07 👤 Role: FULL
2021-06-17 03:07:07 💾 Database: RocksDb at /root/.local/share/polkadot/chains/polkadot/db
2021-06-17 03:07:07 ⛓ Native runtime: polkadot-9050 (parity-polkadot-0.tx7.au0)
2021-06-17 03:07:10 🏷 Local node identity is: 12D3KooWLtXFWf1oGrnxMGmPKPW54xWCHAXHbFh4Eap6KXmxoi9u
2021-06-17 03:07:10 📦 Highest known block at #17914
2021-06-17 03:07:10 〽️ Prometheus server started at 127.0.0.1:9615
2021-06-17 03:07:10 Listening for new connections on 127.0.0.1:9944.
Example of node sync
2021-06-17 03:07:39 🔍 Discovered new external address for our node: /ip4/10.26.16.1/tcp/30333/ws/p2p/12D3KooWLtXFWf1oGrnxMGmPKPW54xWCHAXHbFh4Eap6KXmxoi9u
2021-06-17 03:07:40 ⚙️ Syncing 218.8 bps, target=#5553764 (17 peers), best: #24034 (0x08af…dcf5), finalized #23552 (0xd4f0…2642), ⬇ 173.5kiB/s ⬆ 12.7kiB/s
2021-06-17 03:07:45 ⚙️ Syncing 214.8 bps, target=#5553765 (20 peers), best: #25108 (0xb272…e800), finalized #25088 (0x94e6…8a9f), ⬇ 134.3kiB/s ⬆ 7.4kiB/s
2021-06-17 03:07:50 ⚙️ Syncing 214.8 bps, target=#5553766 (21 peers), best: #26182 (0xe7a5…01a2), finalized #26112 (0xcc29…b1a9), ⬇ 5.0kiB/s ⬆ 1.1kiB/s
2021-06-17 03:07:55 ⚙️ Syncing 138.4 bps, target=#5553767 (21 peers), best: #26874 (0xcf4b…6553), finalized #26624 (0x9dd9…27f8), ⬇ 18.9kiB/s ⬆ 2.0kiB/s
2021-06-17 03:08:00 ⚙️ Syncing 37.0 bps, target=#5553768 (22 peers), best: #27059 (0x5b73…6fc9), finalized #26624 (0x9dd9…27f8), ⬇ 14.3kiB/s ⬆ 4.4kiB/s
Use Warp sync for faster syncing
By default, the node performs full sync, which downloads and validates the full blockchainhistory. Full sync works by listening to announced blocks and requesting the blocks from theannouncing peers, or just the block headers in case of light clients.
Fast sync is another option that works by downloading the block header history and validating theauthority set changes in order to arrive at a specific (usually the most recent) header. After thedesired header has been reached and verified, the state can be downloaded and imported. Once thisprocess has been completed, the node can proceed with a full sync.
./target/production/polkadot --sync warp
Warp sync initially downloads and validates the finality proofs fromGRANDPA and then downloads the state of thelatest finalized block. After the warp sync, the node is ready to import the latest blocks from thenetwork and can be used as a Validator. The blocks from genesis will be downloaded in thebackground. Checkthis discussionfor more information about the different sync options available.
Validators should sync using the RocksDb backend
This is implicit by default, but can be explicit by passing the --database RocksDb flag.
In the future, it is recommended to switch to the faster and more efficient ParityDB option. Notethat ParityDB is still experimental and should not be used in production. If you want to testout ParityDB, you can add the flag --database paritydb. Switching between database backends willrequire a resync.
Depending on the size of the chain when you do this, this step may take anywhere from a few minutesto a few hours.
If you are interested in determining how much longer you have to go, your server logs (printed toSTDOUT from the polkadot process) will tell you the latest block your node has processed andverified. You can then compare that to the current highest block viaTelemetry or thePolkadotJS Block Explorer.
Database Snapshot Services
If you start a node for the first time, it will start building from the genesis block. This processcan take a while depending on the database size. To make this process faster, snapshots can be used.Snapshots are compressed backups of the database directory of Polkadot/Kusama nodes, containing thewhole chain (or a pruned version of it, with states only from the latest 1000 or 256 blocks). Listedbelow are a few public snapshot providers for Polkadot and Kusama.
caution
For the security of the network, it is recommended that you sync from scratch, even if you arerunning your node in pruning mode for validation. The reason is that if these snapshots getcorrupted and a majority of nodes run based on these snapshots, the network could end up running ona non-canonical chain.
Bond DOT
It is highly recommended that you make your controller and stash accounts be two separate accounts.For this, you will create two accounts and make sure each of them have at least enough funds to paythe fees for making transactions. Keep most of your funds in the stash account since it is meant tobe the custodian of your staking funds.
Make sure not to bond all your DOT balance since you will be unable to pay transaction fees fromyour bonded balance.
It is now time to set up our validator. We will do the following:
- Bond the DOT of the Stash account. These DOT will be put at stake for the security of the networkand can be slashed.
- Select the Controller. This is the account that will decide when to start or stop validating.
First, go to the Staking section. Click on"Account Actions", and then the "+ Stash" button.
- Stash account - Select your Stash account. In this example, we will bond 1 DOT, where theminimum bonding amount is 1. Make sure that your Stash account contains at least this much. Youcan, of course, stake more than this.
- Controller account - Select the Controller account created earlier. This account will alsoneed a small amount of DOT in order to start and stop validating.
- Value bonded - How much DOT from the Stash account you want to bond/stake. Note that you donot need to bond all of the DOT in that account. Also note that you can always bond more DOTlater. However, withdrawing any bonded amount requires the duration of the unbonding period. OnKusama, the unbonding period is 7 days. On Polkadot, the planned unbonding period is 28 days.
- Payment destination - The account where the rewards from validating are sent. More infohere. Starting with runtime version v23 nativelyincluded in client version 0.9.3,payouts can go to any custom address. If you'd like to redirect payments to an account that isneither the controller nor the stash account, set one up. Note that it is extremely unsafe to setan exchange address as the recipient of the staking rewards.
Once everything is filled in properly, click Bond and sign the transaction with your Stashaccount.
After a few seconds, you should see an ExtrinsicSuccess message.
Your bonded account will available under Stashes. You should now see a new card with all youraccounts (note: you may need to refresh the screen). The bonded amount on the right corresponds tothe funds bonded by the Stash account.
Set Session Keys
Session keys are consensus critical
If you are not sure if your node has the current session keys that you made the setKeystransaction then you can use one of the two available RPC methods to query your node:hasKey tocheck for a specific key orhasSessionKeysto check the full session key public key string.
Once your node is fully synced, stop the process by pressing Ctrl-C. At your terminal prompt, youwill now start running the node.
./target/release/polkadot --validator --name "name on telemetry"
Similarly:
2021-06-17 03:12:08 Parity Polkadot
2021-06-17 03:12:08 ✌️ version 0.9.5-95f6aa201-x86_64-linux-gnu
2021-06-17 03:12:08 ❤️ by Parity Technologies <[emailprotected]>, 2017-2021
2021-06-17 03:12:08 📋 Chain specification: Polkadot
2021-06-17 03:12:08 🏷 Node name: nateched-test
2021-06-17 03:12:08 👤 Role: AUTHORITY
2021-06-17 03:12:08 💾 Database: RocksDb at /root/.local/share/polkadot/chains/polkadot/db
2021-06-17 03:12:08 ⛓ Native runtime: polkadot-9050 (parity-polkadot-0.tx7.au0)
2021-06-17 03:12:12 🏷 Local node identity is: 12D3KooWLtXFWf1oGrnxMGmPKPW54xWCHAXHbFh4Eap6KXmxoi9u
2021-06-17 03:12:12 📦 Highest known block at #64673
2021-06-17 03:12:12 〽️ Prometheus server started at 127.0.0.1:9615
2021-06-17 03:12:12 Listening for new connections on 127.0.0.1:9944.
2021-06-17 03:12:12 👶 Starting BABE Authorship worker
2021-06-17 03:12:16 🔍 Discovered new external address for our node: /ip4/10.26.11.1/tcp/30333/p2p/12D3KooWLtXFWf1oGrnxMGmPKPW54xWCHAXHbFh4Eap6KXmxoi9u
2021-06-17 03:12:17 ⚙️ Syncing, target=#5553810 (14 peers), best: #65068 (0x6da5…0662), finalized #65024 (0x4e84…d170), ⬇ 352.2kiB/s ⬆ 75.6kiB/s
You can give your validator any name that you like, but note that others will be able to see it, andit will be included in the list of all servers using the same telemetry server. Since numerouspeople are using telemetry, it is recommended that you choose something likely to be unique.
Generating the Session Keys
You need to tell the chain your Session keys by signing and submitting an extrinsic. This is whatassociates your validator node with your Controller account on Polkadot.
Option 1: PolkadotJS-APPS
You can generate your Session keys in the client via the appsRPC. If you are doing this, make sure that you have the PolkadotJS-Apps explorer attached to yourvalidator node. You can configure the apps dashboard to connect to the endpoint of your validator inthe Settings tab. If you are connected to a default endpoint hosted by Parity of Web3 Foundation,you will not be able to use this method since making RPC requests to this node would effect thelocal keystore hosted on a public node and you want to make sure you are interacting with thekeystore for your node.
Once ensuring that you have connected to your node, the easiest way to set session keys for yournode is by calling the author_rotateKeys RPC request to create new keys in your validator'skeystore. Navigate to Toolbox tab and select RPC Calls then select the author > rotateKeys() optionand remember to save the output that you get back for a later step.
Option 2: CLI
If you are on a remote server, it is easier to run this command on the same machine (while the nodeis running with the default WS RPC port configured):
echo '{"id":1,"jsonrpc":"2.0","method":"author_rotateKeys","params":[]}' | websocat -n1 -B 99999999 ws://127.0.0.1:9944
The output will have a hex-encoded "result" field. The result is the concatenation of the fourpublic keys. Save this result for a later step.
You can restart your node at this point.
Submitting the setKeys Transaction
You need to tell the chain your Session keys by signing and submitting an extrinsic. This is whatassociates your validator with your Controller account.
Go to Staking > Account Actions, and click "SetSession Key" on the bonding account you generated earlier. Enter the output from author_rotateKeysin the field and click "Set Session Key".
Submit this extrinsic and you are now ready to start validating.
Validate
To verify that your node is live and synchronized, head toTelemetry and find your node. Note that thiswill show all nodes on the Polkadot network, which is why it is important to select a unique name!
In this example, we used the name techedtest and have successfully located it upon searching:
Setup via Validator Tab
Here you will need to input the Keys from rotateKeys, which is the Hex output fromauthor_rotateKeys. The keys will show as pending until applied at the start of a new session.
The "reward commission percentage" is the commission percentage that you can declare against yourvalidator's rewards. This is the rate that your validator will be commissioned with.
- Payment preferences - You can specify the percentage of the rewards that will get paid to you.The remaining will be split among your nominators.
Setting a commission rate of 100% suggests that you do not want your validator to receive
nominations
You can also determine if you would like to receive nominations with the "allows new nominations"option.
Click "Bond & Validate".
If you go to the "Staking" tab, you will see a list of active validators currently running on thenetwork. At the top of the page, it shows the number of validator slots that are available as wellas the number of nodes that have signaled their intention to be a validator. You can go to the"Waiting" tab to double check to see whether your node is listed there.
The validator set is refreshed every era. In the next era, if there is a slot available and yournode is selected to join the validator set, your node will become an active validator. Until then,it will remain in the waiting queue. If your validator is not selected to become part of thevalidator set, it will remain in the waiting queue until it is. There is no need to re-start ifyou are not selected for the validator set in a particular era. However, it may be necessary toincrease the number of DOT staked or seek out nominators for your validator in order to join thevalidator set.
Congratulations! If you have followed all of these steps, and been selected to be a part of thevalidator set, you are now running a Polkadot validator! If you need help, reach out on thePolkadot Validator chat.
Thousand Validators Programme
The Thousand Validators Programme is a joint initiative by Web3 Foundation and Parity Technologiesto provide support for community validators. If you are interested in applying for the programme,you can find more information on the wiki page.
FAQ
Why am I unable to synchronize the chain with 0 peers?
Make sure to enable 30333 libp2p port. Eventually, it will take a little bit of time to discoverother peers over the network.
How do I clear all my chain data?
./target/release/polkadot purge-chain
info
Check out the Substrate StackExchange to quickly get theanswers you need.
Note about VPS
VPS providers are very popular for running servers of any kind. Extensive benchmarking was conductedto ensure that VPS servers are able to keep up with the work load in general.
note
Before you run a live Validator, please verify if the advertised performance is actually deliveredconsistently by the VPS provider.
that this is not an endorsem*nt in any way:
- GCP's c2 and c2d machine families
- AWS's c6id machine family
The following additional configurations were applied to the instances to tune their performance:
Disable SMT
As critical path of Substrate is single-threaded we need to optimize for single-core CPUperformance. The node still profits from multiple cores when doing networking and other non-runtimeoperations. It is therefore still necessary to run it on at least the minimum required number ofcores. Disabling SMT improves the performance as each vCPU becomes mapped to a physical CPU corerather than being presented to the OS as two logical cores. SMT implementation is calledHyper-Threading on Intel and 2-way SMT on AMD Zen. To disable SMT in runtime:
for cpunum in $(cat /sys/devices/system/cpu/cpu*/topology/thread_siblings_list | cut -s -d, -f2- | tr ',' '\n' | sort -un)
do
echo 0 > /sys/devices/system/cpu/cpu$cpunum/online
done
It will disable every other (vCPU) core.
To save changes permanently add nosmt=force as kernel parameter. Edit /etc/default/grub and addnosmt=force to GRUB_CMDLINE_LINUX_DEFAULT variable and run sudo update-grub. After the rebootyou should see half of the cores are offline. Run lscpu --extended to confirm.
Disable automatic NUMA balancing
If you have multiple physical CPUs (CPU0 and CPU1) in the system each with its own memory bank (MB0and MB1), then it is usually slower for a CPU0 to access MB1 due to the slower interconnection. Toprevent the OS from automatically moving the running Substrate process from one CPU to another andthus causing an increased latency, it is recommended to disable automatic NUMA balancing.
With automatic NUMA balancing disabled, an OS will always run a process on the same NUMA node whereit was initially scheduled.
To disable NUMA balancing in runtime:
sysctl kernel.numa_balancing=0
To save changes permanently, update startup options and reconfigure GRUB. Edit /etc/default/gruband add numa_balancing=disable to GRUB_CMDLINE_LINUX_DEFAULT variable and runsudo update-grub. After reboot you can confirm the change by runningsysctl -a | grep 'kernel.numa_balancing' and checking if the parameter is set to 0
Configure Spectre/Meltdown Mitigations
Spectre and Meltdown are vulnerabilities discovered in modern CPUs a few years ago. Mitigations weremade to the Linux kernel to cope with the multiple variations of these attacks. Check outhttps://meltdownattack.com/ for more info.
Initially those mitigations added ~20% penalty to the performance of the workloads. As CPUmanufacturers started to roll-out mitigations implemented in hardware, the performance gapnarrowed down. As thebenchmark demonstrates, the performance penalty got reduced to ~7% on Intel 10th Gen CPUs. This istrue for the workloads running on both bare-metal and VMs. But the penalty remains high for thecontainerized workloads in some cases.
As demonstrated inYusuke Endoh's article,a performance penalty for containerized workloads can be as high as 100%. This is due to SECCOMPprofile being overprotective about applying Spectre/Meltdown mitigations without providing realsecurity. A longer explanation is a available in thekernel patch discussion.
Linux 5.16loosened the protectionsapplied to SECCOMP threads by default. Containers running on kernel 5.16 and later now don't sufferfrom the performance penalty implied by using a SECCOMP profile in container runtimes.
For Linux >= 5.16
You are all set. The performance of containerized workloads is on par with non-containerized ones.You don't have to do anything.
For Linux < 5.16
You'll need to disable mitigations for Spectre V2 for user-space tasks as well as Speculative StoreBypass Disable (SSBD) for Spectre V4.This patch messagedescribes the reasoning for this default change in more detail:
Ultimately setting SSBD and STIBP by default for all seccomp jails is a bad sweet spot and baddefault with more cons than pros that end up reducing security in the public cloud (by giving anhuge incentive to not expose SPEC_CTRL which would be needed to get full security with IBPB aftersetting nosmt in the guest) and by excessively hurting performance to more secure apps usingseccomp that end up having to opt out with SECCOMP_FILTER_FLAG_SPEC_ALLOW.
To disable the mitigations edit /etc/default/grub and addspec_store_bypass_disable=prctl spectre_v2_user=prctl to GRUB_CMDLINE_LINUX_DEFAULT variable,run sudo update-grub, then reboot.
Note that mitigations are not disabled completely. You can fully disable all the available kernelmitigations by setting mitigations=off. But we don't recommend doing this unless you run a fullytrusted code on the host.
VPS List
provider
You may be locked out of your account and your server shut down if you come in violation. Forinstance, Digital Ocean lists "Mining of Cryptocurrencies" under the Network Abuse section of theirAcceptable Use Policy and requiresexplicit permission to do so. This may extend to other cryptocurrency activity.
Using Docker
If you have Docker installed, you can use it to start your validator node without needing to buildthe binary. You can do this with a simple one line command:
$ docker run parity/polkadot:latest --validator --name "name on telemetry"
