Running a TEE Node
Last updated
Last updated
If you're planning to run the Tee node, it's important to make sure your system meets the recommended requirements to ensure that your miner performs at its best.
Resource | Specification |
---|---|
For a system to support Intel Software Guard Extensions (Intel SGX) and Flexible Launch Control (FLC), it needs a CPU that supports these features. The CPU should be either Intel ME, Intel SPS, or both Intel SPS and Intel ME. Additionally, the BIOS must support Intel SGX and the SGX option must be enabled. To enable SGX functionality, please refer to the server manufacturer's BIOS guide. You can also check out the list of CPU models that support SGX to ensure your system supports Intel SGX.
CPU Recommended Models: Intel E, E3, Celeron (some models), Core series CPUs, with Intel Core i5-10500 being the optimal choice.
Recommended Motherboard BIOS: Preferred options include mainstream manufacturers such as Supermicro.
The server requires a static public IPv4 IP. Please ensure that the IP address is accessible and not behind a NAT. Run the following command to confirm your public IP.
Running a TEE node can increase the reputation points of a running Consensus Node. TEE nodes are divided into several roles. Some TEE nodes need to be bound to a Consensus Node to run. You can choose to bind your own Consensus Node or a Consensus Node account you are familiar with.
Full: Full node is a type of node that has all the necessary functions to operate as a fully-capable Tee Node. This includes generating random challenges, verifying data, computing tags, and generating and replacing space holder data, etc.
Verifier: Verifier nodes handles random challenges for idle and service data.
Marker: These nodes are called Markers, and their role is to compute tags for the user's data, also known as service data. They are also responsible for creating, verifying, and replacing idle data segments. These nodes can be registered independently and serve a designated Storage Node cluster. It's important to note that operating the TEE Node in this capacity does not increase reputation points.
To run the TEE node in both Full
and Verifier
operational capacities, you need two separate accounts.
Stash Account: This is the account where you keep all the tokens you want to stake. This account requires at least 3,000,000 TCESS for staking it can be either from the node owner itself or delegated by other users.
Controller Account: This account is a wallet used to pay the transaction gas fees required to run the TEE node and that these tokens are not safe, please do not put too much token in this account.
If you only run a TEE node with the Marker
role, then you only need prepare the Controller Account
You can also refer to the artcle Creating CESS Accounts for creating a CESS account.
You can either use CESS testnet faucet to get TCESS, or contact us to receive TCESS tokens for staking.
Before running, if you have previously deployed a previous version of CESS Tee Node on your instance, please be sure to uninstall it before running. The uninstallation method is as follows (if it is a new machine, please ignore it)
The cess-nodeadm
is a CESS node deployment and management tool. It helps deploying and managing Storage nodes, Tee nodes, and Consensus nodes, simplifying the devOps for all CESS miners.
You can verify that you are running the latest version of cess-nodeadm here.
On successful installation of cess-nodeadm you will see Install cess nodeadm success
message.
If the installation fails, please check the troubleshooting procedures.
Execute:
The following is an operational example of running the miner in the Full
capacity mode:
Tips: You can press Enter to skip when the default value of 'current' is suitable
If you select the "authority" option, the Intel SGX driver on your device will be initiated in software mode. You might encounter a notification that reads "Software enable has been set. Please reboot your system to finish enabling Intel SGX." Therefore, it is recommended that you restart your device after completing the configuration and before moving on to the next steps.
You will see the follwing message printed on the screen.
Give your node a name
then you can either enter CESS chain ws url
or leave it as default.
The next prompt you will asked to set the TEE worker port. You can either set a custom port or leave it as default. Once the port is set the public IP of the system is automaticallt detected. In case you find that the public ip is incorrect you can enter it manually. Instead or IP you can also use your domain name here.
The current version of Tee worker supports two running remote attestation types. You can choose according to your machine. For details on how to know which remote attestation type your machine supports, please see the Questions & Answers
at the end of the article.
You can choose role now. Full
mode has all the capabilities of Tee worker, Verifier
only has the capabilities of Tee worker to verify the proof from miners, and Marker
only has the capabilities of Tee worker to tag file from miners. When you choose the Marker
role, you do not need to fill in the CESS validator stash account in the next step.
Then enter your CESS Controller account mnemonic phrase.
Lastly, you will see the following messages printed on the screen which downloads all the required docker images.
If your has some serious problems and you want to completely reinstall your Tee Node, you can use the following command to clear all runtime data from you instance.
cess-nodeadm
Currently the most updated version is v0.5.5.
I don't want to expose my IP address on the chain. What should I do?
During the cess config set process, you can set your endpoint with a domain name. For example, if your registered domain is tee-xxx.cess.network, you can enter http://tee-xxx.cess.network when setting the endpoint. The script will then ask you if you want to enable one-click domain proxy. You can enter y to enable it, as shown below:
Alternatively, you can manually configure an nginx proxy. Please avoid using the intermediate proxy provided by the domain service provider.
How do I know if the program is working properly?
You can select Chain State in the block explorer. Through this method, you can check whether the registration was successful.
I don't want the program to update automatically. What should I do?
After the program has started successfully, a watchtower service will manage local services on behalf of the user. When the CESS official updates a component, the watchtower will pull the latest program for automatic upgrading. If you don't want to use the automatic upgrade feature, you can disable it with the following command before the cess config set.
Every automatic upgrade from you means a bug fix for the consensus miner program by the official, and we strongly discourage you from turning off the automatic upgrade feature, as this may render your service unusable.
How do I know which remote attestation method my machine supports? If the processor supports Intel® SGX and FLC, then DCAP is supported. There are two options to determine if your system's processor supports FLC:
First Option: On Linux* systems, execute cpuid in a terminal:
Open a terminal and run: $ cpuid | grep -i sgx
Look for the output: SGX_LC: SGX launch config supported = true
Second Option: Using test-sgx.c:
Go to the SGX hardware Github and download the file test-sgx.c or clone the repository
Compile and run test-sgx.c according to the following instructions:
Find Output: sgx launch control: 1