1 of 4

Sentry and Archive nodes

These pages go into detail for setting up infrastructure other than full nodes and validators.

Sentry nodes
Mantlemint
Archive
IBC relayers

Mantlemint

Note: Mantlemint is currently in beta. This means some of these instructions may not work as expected, or could be subject to change

What is Mantlemint?

Mantlemint is a fast core optimized for serving massive user queries. A mantlemint node will perform 3-4x more queries than a standard Secret Node.

Native query performance on RPC is slow and is not suitable for massive query handling, due to the inefficiencies introduced by IAVL tree. Mantlemint is running on fauxMerkleTree mode, basically removing the IAVL inefficiencies while using the same core to compute the same module outputs.

If you are looking to serve any kind of public node accepting varying degrees of end-user queries, it is recommended that you run a mantlemint instance alongside of your RPC. While mantlemint is indeed faster at resolving queries, due to the absence of IAVL tree and native tendermint, it cannot join p2p network by itself. Rather, you would have to relay finalized blocks to mantlemint, using RPC's websocket.

Mantlemint has been adapted for Secret Network from Terra.

Features

Superior LCD performance
- With the exception of Tendermint RPC/Transactions.
Super reliable and effective LCD response cache to prevent unnecessary computation for query resolving
Fully archival; historical states are available with ?height query parameter.
Useful default indexes

Prerequisites

Fully synced RPC Node with Websockets available

To start a Mantlemint node, you'll need **** access to at least 1 running RPC node. Since Mantlemint cannot join p2p network by itself, it depends on RPC to receive recently proposed blocks. This RPC node should also have Websockets enabled. Websockets are how Mantlemint receives new blocks after it catches up to the current block.

Minimum Requirements

1TB of storage (recommended SATA or NVMe SSD)
16 GB of RAM (recommended 32 GB)
2 available CPU cores (recommended 4 cores)

Mantlemint can only be ran as a full archive node. For this reason it requires a large amount of storage (as of August 2022 this is currently 450GB).

Setup

1a. Build from source

a. Clone the repository https://github.com/scrtlabs/mantlemint

git clone https://github.com/scrtlabs/mantlemint.git

b. If you haven't already, install golang

c. Run go build -mod=readonly -o build/mantlemint ./sync.go

1b. Run from Binary

If you don't want to compile yourself, you can just download the mantlemint executable built for Ubuntu 20.04

wget -O mantlemint https://github.com/scrtlabs/mantlemint/releases/download/v0.0.1-scrt/mantlemint

2. Install SGX

Install SGX the same way you would for a node, as described in the Node Setup section

3. Download and unpack the `secretd` package

wget "https://github.com/scrtlabs/SecretNetwork/releases/download/v1.3.1/secretnetwork_1.3.1_mainnet_goleveldb_amd64.deb"
sudo apt install -y ./secretnetwork_1.3.1_mainnet_*_amd64.deb

4. Register the node

To allow Mantlemint to sync blocks and run queries that contain encrypted data, we will need to register it.

export SCRT_ENCLAVE_DIR=/usr/lib
export SCRT_SGX_STORAGE=/opt/secret/.sgx_secrets
secretd auto-register

5. Create a directory for mantlemint data

This directory should be separate from other mantlemint instances or secretd instances

mkdir -p $home/.mantlemint

6. Create an app.toml file

Create a config/app.toml file in your mantlemint directory, and set it with a similar app.toml file to what a secretd node uses

mkdir -p $home/.mantlemint/config

Example app.toml file:

# This is a TOML config file.
# For more information, see https://github.com/toml-lang/toml

###############################################################################
###                           Base Configuration                            ###
###############################################################################

# The minimum gas prices a validator is willing to accept for processing a
# transaction. A transaction's fees must meet the minimum of any denomination
# specified in this config (e.g. 0.25token1;0.0001token2).
minimum-gas-prices = "0.0125uscrt"

# default: the last 100 states are kept in addition to every 500th state; pruning at 10 block intervals
# nothing: all historic states will be saved, nothing will be deleted (i.e. archiving node)
# everything: all saved states will be deleted, storing only the current and previous state; pruning at 10 block intervals
# custom: allow pruning options to be manually specified through 'pruning-keep-recent', 'pruning-keep-every', and 'pruning-interval'
pruning = "default"

# These are applied if and only if the pruning strategy is custom.
pruning-keep-recent = "0"
pruning-keep-every = "50"
pruning-interval = "0"

# HaltHeight contains a non-zero block height at which a node will gracefully
# halt and shutdown that can be used to assist upgrades and testing.
#
# Note: Commitment of state will be attempted on the corresponding block.
halt-height = 3343000
# HaltTime contains a non-zero minimum block time (in Unix seconds) at which
# a node will gracefully halt and shutdown that can be used to assist upgrades
# and testing.
#
# Note: Commitment of state will be attempted on the corresponding block.
halt-time = 0

# MinRetainBlocks defines the minimum block height offset from the current
# block being committed, such that all blocks past this offset are pruned
# from Tendermint. It is used as part of the process of determining the
# ResponseCommit.RetainHeight value during ABCI Commit. A value of 0 indicates
# that no blocks should be pruned.
#
# This configuration value is only responsible for pruning Tendermint blocks.
# It has no bearing on application state pruning which is determined by the
# "pruning-*" configurations.
#
# Note: Tendermint block pruning is dependant on this parameter in conunction
# with the unbonding (safety threshold) period, state pruning and state sync
# snapshot parameters to determine the correct minimum value of
# ResponseCommit.RetainHeight.
min-retain-blocks = 0

# InterBlockCache enables inter-block caching.
inter-block-cache = true

# IndexEvents defines the set of events in the form {eventType}.{attributeKey},
# which informs Tendermint what to index. If empty, all events will be indexed.
#
# Example:
# ["message.sender", "message.recipient"]
index-events = []

# IavlCacheSize set the size of the iavl tree cache.
# Default cache size is 50mb.
iavl-cache-size = 781250

###############################################################################
###                         Telemetry Configuration                         ###
###############################################################################

[telemetry]

# Prefixed with keys to separate services.
service-name = ""

# Enabled enables the application telemetry functionality. When enabled,
# an in-memory sink is also enabled by default. Operators may also enabled
# other sinks such as Prometheus.
enabled = false

# Enable prefixing gauge values with hostname.
enable-hostname = false

# Enable adding hostname to labels.
enable-hostname-label = false

# Enable adding service to labels.
enable-service-label = false

# PrometheusRetentionTime, when positive, enables a Prometheus metrics sink.
prometheus-retention-time = 0

# GlobalLabels defines a global set of name/value label tuples applied to all
# metrics emitted using the wrapper functions defined in telemetry package.
#
# Example:
# [["chain_id", "cosmoshub-1"]]
global-labels = [
]

###############################################################################
###                           API Configuration                             ###
###############################################################################

[api]

# Enable defines if the API server should be enabled.
enable = true

# Swagger defines if swagger documentation should automatically be registered.
swagger = true

# Address defines the API server to listen on.
address = "tcp://0.0.0.0:1317"

# MaxOpenConnections defines the number of maximum open connections.
max-open-connections = 1000

# RPCReadTimeout defines the Tendermint RPC read timeout (in seconds).
rpc-read-timeout = 10

# RPCWriteTimeout defines the Tendermint RPC write timeout (in seconds).
rpc-write-timeout = 0

# RPCMaxBodyBytes defines the Tendermint maximum response body (in bytes).
rpc-max-body-bytes = 1000000

# EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk).
enabled-unsafe-cors = true

###############################################################################
###                           Rosetta Configuration                         ###
###############################################################################

[rosetta]

# Enable defines if the Rosetta API server should be enabled.
enable = false

# Address defines the Rosetta API server to listen on.
address = ":8080"

# Network defines the name of the blockchain that will be returned by Rosetta.
blockchain = "app"

# Network defines the name of the network that will be returned by Rosetta.
network = "network"

# Retries defines the number of retries when connecting to the node before failing.
retries = 3

# Offline defines if Rosetta server should run in offline mode.
offline = false

###############################################################################
###                           gRPC Configuration                            ###
###############################################################################

[grpc]

# Enable defines if the gRPC server should be enabled.
enable = true

# Address defines the gRPC server address to bind to.
address = "0.0.0.0:9090"

###############################################################################
###                        gRPC Web Configuration                           ###
###############################################################################

[grpc-web]

# GRPCWebEnable defines if the gRPC-web should be enabled.
# NOTE: gRPC must also be enabled, otherwise, this configuration is a no-op.
enable = true

# Address defines the gRPC-web server address to bind to.
address = "0.0.0.0:9091"

# EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk).
enable-unsafe-cors = false

###############################################################################
###                        State Sync Configuration                         ###
###############################################################################

# State sync snapshots allow other nodes to rapidly join the network without replaying historical
# blocks, instead downloading and applying a snapshot of the application state at a given height.
[state-sync]

# snapshot-interval specifies the block interval at which local state sync snapshots are
# taken (0 to disable). Must be a multiple of pruning-keep-every.
snapshot-interval = 100

# snapshot-keep-recent specifies the number of recent snapshots to keep and serve (0 to keep all).
snapshot-keep-recent = 2

[wasm]
# The maximum gas amount can be spent for contract query.
# The contract query will invoke contract execution vm,
# so we need to restrict the max usage to prevent DoS attack
contract-query-gas-limit = "10000000"

# The WASM VM memory cache size in MiB not bytes
contract-memory-cache-size = "0"

# The WASM VM memory cache size in number of cached modules. Can safely go up to 15, but not recommended for validators
contract-memory-enclave-cache-size = "0"

7. Download Genesis File

wget -O $home/.mantlemint/config/genesis.json "https://github.com/scrtlabs/SecretNetwork/releases/download/v1.2.0/genesis.json"

8. Download a snapshot

To start mantlemint, we highly recommend using a snapshot. The earlier one starting from block 3340000. This will save having to switch out mantlemint binaries to account for network upgrades.

To download and unpack a snapshot, use the following command

wget -qO - https://engfilestorage.blob.core.windows.net/mm-snapshots/height_3340000.tar | tar -xvf - -C /path/to/mm/directory

Make sure the files are unpacked in your chosen mantlemint directory

Pro Tip: Currently Mantlemint is fully archival. That means snapshots are really large. This command will download and unpack the snapshot without having to use twice the storage amount

9. Finally, you run Mantlemint

Now we are ready to run Mantlemint. It's slightly awkward to run as you have to set multiple environment variables, but they're fairly straightforward. An example run command would be -

# Tell SGX we are running on a production chain
SGX_MODE=HW \

# Location of genesis file
GENESIS_PATH=$home/.mantlemint/config/genesis.json \

# Home directory for mantlemint.
# Mantlemint will use this to:
# - read $HOME/config/app.toml
# - create and maintain $HOME/mantlemint.db directory
# - create and maintain $HOME/data/* for wasm blobs; (unsafe to share with RPC!)
# - create and maintain $HOME/$(INDEXER_DB).db for mantle indexers
MANTLEMINT_HOME=./hd/mm \ 

# Chain ID 
CHAIN_ID=secret-4  \

# RPC Endpoint; used to sync previous blocks when mantlemint is catching up
RPC_ENDPOINTS=http://20.104.20.173:26657,http://20.104.20.173:26657 \

# Name of mantlemint.db, akin to application.db in standard cosmos/tendermint
MANTLEMINT_DB=mantlemint \ 
# Name of indexer db
INDEXER_DB=indexer \ 

# WS Endpoint; used to sync live block as soon as they are available through RPC websocket  
WS_ENDPOINTS=ws://20.104.20.173:26657/websocket,ws://20.104.20.173:26657/websocket \

# Flag to enable/disable mantlemint sync, mainly for debugging
DISABLE_SYNC=false \ 

# Flags that help mantlemint find the secret-specific libraries and secret keys
SCRT_SGX_STORAGE="/opt/secret/.sgx_secrets" 
SCRT_ENCLAVE_DIR="/usr/lib" \

./mantlemint --x-crisis-skip-assert-invariants

That's it!

Sentry Nodes

Make Nodes Resilient To DDoS Attacks

The Sentry Node Architecture is an infrastructure example for DDoS mitigation on Tendermint-based networks.

Sentry Node Architecture Overview

Secret Nodes (Validators) are responsible for ensuring that the network can sustain denial of service attacks.

One recommended way to mitigate these risks is for validators to carefully structure their network topology in a so-called sentry node architecture.

Validator nodes should only connect to full-nodes they trust because they operate them themselves or are run by other validators they know socially. A validator node will typically run in a data center. Most data centers provide direct links the networks of major cloud providers. The validator can use those links to connect to sentry nodes in the cloud. This shifts the burden of denial-of-service from the validator's node directly to its sentry nodes, and may require new sentry nodes be spun up or activated to mitigate attacks on existing ones.

Sentry nodes can be quickly spun up or change their IP addresses. Because the links to the sentry nodes are in private IP space, an internet based attacked cannot disturb them directly. This will ensure validator block proposals and votes always make it to the rest of the network.

For those implementing Sentries on Validators who already have Public IP exposed. Currently any peer, be it a validator or full node, is given 16 attempts with exponential backoff, which in total amounts to around 35 hours, to connect. If the node remains unreachable then it is automatically removed from the address book. An unreachable validator node is not gossiped across the network i.e. all other nodes will each try to connect to the unreachable validator node before removing it from their address book.

Get Node Peer IDs

Log into your sentry node(s), and validator, then run the following commands to get the peer information:

Get node id

secretd tendermint show-node-id

ip r

Save your peer information, be sure to remember which are for sentries and which is for your validator, you'll need it later:

<your-node-id>@<your-public-ip>:26656

Setup Sentry Node

To setup basic sentry node architecture you can follow the instructions below:

Sentry Nodes should edit their config.toml:

First follow the Full Node Guide

Edit the full nodes config file you want to use as a sentry node:

nano /.secretd/config/config.toml

Proceed to add the peer id of your validator to the .secretd/config/config.toml:

# Comma separated list of peer IDs to keep private (will not be gossiped to other peers)
# Example ID: 3e16af0cead27979e1fc3dac57d03df3c7a77acc@1.4.7.7:26656
private_peer_ids = "node_ids_of_private_peers"

Now proceed to restart your secret node with the following command.

sudo systemctl restart secret-node

You now have a sentry node running!

Place Validator Behind Sentry Nodes

Validators nodes should add their sentry node peer information to their .secretd/config/config.toml:

nano .secretd/config/config.toml

Proceed to add the peer id of your sentry nodes to the persistent_peers list and set pex to false:

# Comma separated list of nodes to keep persistent connections to
# Do not add private peers to this list if you don't want them advertised
persistent_peers =[list of sentry nodes]

# Set true to enable the peer-exchange reactor
pex = false

Now proceed to restart your secret node with the following command.

sudo systemctl restart secret-node

You're now running your validator behind a sentry node!

Resources:

https://github.com/cosmos/gaia/blob/master/docs/validators/security.md

Archive Nodes

Creating Archives nodes is not possible as this time. Please use the provided API Archive nodes in API Endpoints Mainnet (Secret-4) if you need access to an Archive.

Archive All Blockchain Data.

An archive node keeps all the past blocks. An archive node makes it convenient to query the past state of the chain at any point in time. Finding out what an account's balance, stake size, etc at a certain block was, or which extrinsics resulted in a certain state change are fast operations when using an archive node. However, an archive node takes up a lot of disk space - nearly 2TB for secret-4 as of Feb 1, 2023.

Install latest `secretd`

To install secretd, please visit Install secretd.

Setup the Node

Setup the node using the Running a Full Node guide. You should stop at the Set minimum-gas-price Parameter step.

Do NOT begin syncing yet!

Install v1.2.0-archive `secretd`

Now that you have registered the node with the latest version, install v1.2.0-archive.

# Get the v1.2.0-archive binaries
wget "https://github.com/scrtlabs/SecretNetwork/releases/download/v1.2.0-archive/secretnetwork_1.2.0-archive_amd64.deb"

# Install the v1.2.0-archive binaries
sudo dpkg -i secretnetwork_1.2.0-archive_amd64.deb

Set Pruning Parameter

pruning="nothing"
sed -i -e "s/^pruning *=.*/pruning = \"$pruning\"/" $HOME/.secretd/config/app.toml

Begin Syncing

Note that the secret-node system file is created in a previous step.

sudo systemctl enable secret-node && sudo systemctl start secret-node

If everything above worked correctly, the following command will show your node streaming blocks (this is for debugging purposes only, kill this command anytime with Ctrl-C). It might take a while for blocks to start streaming, so grab some 🍿 while you wait!

journalctl -f -u secret-node

-- Logs begin at Mon 2020-02-10 16:41:59 UTC. --
Nov 09 11:16:31 scrt-node-01 secretd[619529]: 11:16AM INF indexed block height=12 module=txindex
Nov 09 11:16:35 scrt-node-01 secretd[619529]: 11:16AM INF Ensure peers module=pex numDialing=0 numInPeers=0 numOutPeers=0 numToDial=10
Nov 09 11:16:35 scrt-node-01 secretd[619529]: 11:16AM INF No addresses to dial. Falling back to seeds module=pex
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF Timed out dur=4983.86819 height=13 module=consensus round=0 step=1
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF received proposal module=consensus proposal={"Type":32,"block_id":{"hash":"0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4","parts":{"hash":"58F6211ED5D6795E2AE4D3B9DBB1280AD92B2EE4EEBAA2910F707C104258D2A0","total":1}},"height":13,"pol_round":-1,"round":0,"signature":"eHY9dH8dG5hElNEGbw1U5rWqPp7nXC/VvOlAbF4DeUQu/+q7xv5nmc0ULljGEQR8G9fhHaMQuKjgrxP2KsGICg==","timestamp":"2021-11-09T11:16:36.7744083Z"}
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF received complete proposal block hash=0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4 height=13 module=consensus
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF finalizing commit of block hash=0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4 height=13 module=consensus num_txs=0 root=E4968C9B525DADA22A346D5E158C648BC561EEC351F402A611B9DA2706FD8267
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF minted coins from module account amount=6268801uscrt from=mint module=x/bank
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF executed block height=13 module=state num_invalid_txs=0 num_valid_txs=0
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF commit synced commit=436F6D6D697449447B5B373520353520323020352032342031312032333820353320383720313137203133372031323020313638203234302035302032323020353720343520363620313832203138392032333920393920323439203736203338203131322035342032332033203233362034375D3A447D
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF committed state app_hash=4B371405180BEE3557758978A8F032DC392D42B6BDEF63F94C2670361703EC2F height=13 module=state num_txs=0
^C

You now have an Archive node running!

Execute upgrades

Syncing a node from scratch means that from time to time you'll need to perform an upgrade (at the block height that the upgrade was originally took place on mainnet).

You will need to use the designated archive-node binaries when available. For the rest of the upgrades, use the binaries for the respective version from the releases page.

As of the writing of these lines, the upgrade timing (in block-height) are:

v1.3.0 - block height 3,343,000 (binaries).
v1.4.0 - block height 5,309,200 (binaries).
v1.5.0 - block height 5,941,700 (binaries).
v1.6.0 - block height 6,537,300 (binaries).

For more detailed upgrade instructions, you can refer to the v1.5.0 upgrade instructions.

Sentry Nodes

Make Nodes Resilient To DDoS Attacks

The Sentry Node Architecture is an infrastructure example for DDoS mitigation on Tendermint-based networks.

Sentry Node Architecture Overview

Secret Nodes (Validators) are responsible for ensuring that the network can sustain denial of service attacks.

One recommended way to mitigate these risks is for validators to carefully structure their network topology in a so-called sentry node architecture.

Get Node Peer IDs

Log into your sentry node(s), and validator, then run the following commands to get the peer information:

Get node id

secretd tendermint show-node-id

ip r

Save your peer information, be sure to remember which are for sentries and which is for your validator, you'll need it later:

<your-node-id>@<your-public-ip>:26656

Setup Sentry Node

To setup basic sentry node architecture you can follow the instructions below:

Sentry Nodes should edit their config.toml:

First follow the Full Node Guide

Edit the full nodes config file you want to use as a sentry node:

nano /.secretd/config/config.toml

Proceed to add the peer id of your validator to the .secretd/config/config.toml:

# Comma separated list of peer IDs to keep private (will not be gossiped to other peers)
# Example ID: 3e16af0cead27979e1fc3dac57d03df3c7a77acc@1.4.7.7:26656
private_peer_ids = "node_ids_of_private_peers"

Now proceed to restart your secret node with the following command.

sudo systemctl restart secret-node

You now have a sentry node running!

Place Validator Behind Sentry Nodes

Validators nodes should add their sentry node peer information to their .secretd/config/config.toml:

nano .secretd/config/config.toml

Proceed to add the peer id of your sentry nodes to the persistent_peers list and set pex to false:

# Comma separated list of nodes to keep persistent connections to
# Do not add private peers to this list if you don't want them advertised
persistent_peers =[list of sentry nodes]

# Set true to enable the peer-exchange reactor
pex = false

Now proceed to restart your secret node with the following command.

sudo systemctl restart secret-node

You're now running your validator behind a sentry node!

Resources:

https://github.com/cosmos/gaia/blob/master/docs/validators/security.md

Archive Nodes

Creating Archives nodes is not possible as this time. Please use the provided API Archive nodes in API Endpoints Mainnet (Secret-4) if you need access to an Archive.

Archive All Blockchain Data.

Install latest `secretd`

To install secretd, please visit Install secretd.

Setup the Node

Setup the node using the Running a Full Node guide. You should stop at the Set minimum-gas-price Parameter step.

Do NOT begin syncing yet!

Install v1.2.0-archive `secretd`

Now that you have registered the node with the latest version, install v1.2.0-archive.

# Get the v1.2.0-archive binaries
wget "https://github.com/scrtlabs/SecretNetwork/releases/download/v1.2.0-archive/secretnetwork_1.2.0-archive_amd64.deb"

# Install the v1.2.0-archive binaries
sudo dpkg -i secretnetwork_1.2.0-archive_amd64.deb

Set Pruning Parameter

pruning="nothing"
sed -i -e "s/^pruning *=.*/pruning = \"$pruning\"/" $HOME/.secretd/config/app.toml

Begin Syncing

Note that the secret-node system file is created in a previous step.

sudo systemctl enable secret-node && sudo systemctl start secret-node

journalctl -f -u secret-node

-- Logs begin at Mon 2020-02-10 16:41:59 UTC. --
Nov 09 11:16:31 scrt-node-01 secretd[619529]: 11:16AM INF indexed block height=12 module=txindex
Nov 09 11:16:35 scrt-node-01 secretd[619529]: 11:16AM INF Ensure peers module=pex numDialing=0 numInPeers=0 numOutPeers=0 numToDial=10
Nov 09 11:16:35 scrt-node-01 secretd[619529]: 11:16AM INF No addresses to dial. Falling back to seeds module=pex
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF Timed out dur=4983.86819 height=13 module=consensus round=0 step=1
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF received proposal module=consensus proposal={"Type":32,"block_id":{"hash":"0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4","parts":{"hash":"58F6211ED5D6795E2AE4D3B9DBB1280AD92B2EE4EEBAA2910F707C104258D2A0","total":1}},"height":13,"pol_round":-1,"round":0,"signature":"eHY9dH8dG5hElNEGbw1U5rWqPp7nXC/VvOlAbF4DeUQu/+q7xv5nmc0ULljGEQR8G9fhHaMQuKjgrxP2KsGICg==","timestamp":"2021-11-09T11:16:36.7744083Z"}
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF received complete proposal block hash=0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4 height=13 module=consensus
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF finalizing commit of block hash=0AF9693538AB0C753A7EA16CB618C5D988CD7DC01D63742DC4795606D10F0CA4 height=13 module=consensus num_txs=0 root=E4968C9B525DADA22A346D5E158C648BC561EEC351F402A611B9DA2706FD8267
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF minted coins from module account amount=6268801uscrt from=mint module=x/bank
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF executed block height=13 module=state num_invalid_txs=0 num_valid_txs=0
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF commit synced commit=436F6D6D697449447B5B373520353520323020352032342031312032333820353320383720313137203133372031323020313638203234302035302032323020353720343520363620313832203138392032333920393920323439203736203338203131322035342032332033203233362034375D3A447D
Nov 09 11:16:36 scrt-node-01 secretd[619529]: 11:16AM INF committed state app_hash=4B371405180BEE3557758978A8F032DC392D42B6BDEF63F94C2670361703EC2F height=13 module=state num_txs=0
^C

You now have an Archive node running!

Execute upgrades

Syncing a node from scratch means that from time to time you'll need to perform an upgrade (at the block height that the upgrade was originally took place on mainnet).

You will need to use the designated archive-node binaries when available. For the rest of the upgrades, use the binaries for the respective version from the releases page.

As of the writing of these lines, the upgrade timing (in block-height) are:

v1.3.0 - block height 3,343,000 (binaries).
v1.4.0 - block height 5,309,200 (binaries).
v1.5.0 - block height 5,941,700 (binaries).
v1.6.0 - block height 6,537,300 (binaries).

For more detailed upgrade instructions, you can refer to the v1.5.0 upgrade instructions.

Mantlemint

Note: Mantlemint is currently in beta. This means some of these instructions may not work as expected, or could be subject to change

What is Mantlemint?

Mantlemint is a fast core optimized for serving massive user queries. A mantlemint node will perform 3-4x more queries than a standard Secret Node.

Mantlemint has been adapted for Secret Network from Terra.

Features

Superior LCD performance
- With the exception of Tendermint RPC/Transactions.
Super reliable and effective LCD response cache to prevent unnecessary computation for query resolving
Fully archival; historical states are available with ?height query parameter.
Useful default indexes

Prerequisites

Fully synced RPC Node with Websockets available

Minimum Requirements

1TB of storage (recommended SATA or NVMe SSD)
16 GB of RAM (recommended 32 GB)
2 available CPU cores (recommended 4 cores)

Mantlemint can only be ran as a full archive node. For this reason it requires a large amount of storage (as of August 2022 this is currently 450GB).

Setup

1a. Build from source

a. Clone the repository https://github.com/scrtlabs/mantlemint

git clone https://github.com/scrtlabs/mantlemint.git

b. If you haven't already, install golang

c. Run go build -mod=readonly -o build/mantlemint ./sync.go

1b. Run from Binary

If you don't want to compile yourself, you can just download the mantlemint executable built for Ubuntu 20.04

wget -O mantlemint https://github.com/scrtlabs/mantlemint/releases/download/v0.0.1-scrt/mantlemint

2. Install SGX

Install SGX the same way you would for a node, as described in the Node Setup section

3. Download and unpack the `secretd` package

wget "https://github.com/scrtlabs/SecretNetwork/releases/download/v1.3.1/secretnetwork_1.3.1_mainnet_goleveldb_amd64.deb"
sudo apt install -y ./secretnetwork_1.3.1_mainnet_*_amd64.deb

4. Register the node

To allow Mantlemint to sync blocks and run queries that contain encrypted data, we will need to register it.

export SCRT_ENCLAVE_DIR=/usr/lib
export SCRT_SGX_STORAGE=/opt/secret/.sgx_secrets
secretd auto-register

5. Create a directory for mantlemint data

This directory should be separate from other mantlemint instances or secretd instances

mkdir -p $home/.mantlemint

6. Create an app.toml file

Create a config/app.toml file in your mantlemint directory, and set it with a similar app.toml file to what a secretd node uses

mkdir -p $home/.mantlemint/config

Example app.toml file:

# This is a TOML config file.
# For more information, see https://github.com/toml-lang/toml

###############################################################################
###                           Base Configuration                            ###
###############################################################################

# The minimum gas prices a validator is willing to accept for processing a
# transaction. A transaction's fees must meet the minimum of any denomination
# specified in this config (e.g. 0.25token1;0.0001token2).
minimum-gas-prices = "0.0125uscrt"

# default: the last 100 states are kept in addition to every 500th state; pruning at 10 block intervals
# nothing: all historic states will be saved, nothing will be deleted (i.e. archiving node)
# everything: all saved states will be deleted, storing only the current and previous state; pruning at 10 block intervals
# custom: allow pruning options to be manually specified through 'pruning-keep-recent', 'pruning-keep-every', and 'pruning-interval'
pruning = "default"

# These are applied if and only if the pruning strategy is custom.
pruning-keep-recent = "0"
pruning-keep-every = "50"
pruning-interval = "0"

# HaltHeight contains a non-zero block height at which a node will gracefully
# halt and shutdown that can be used to assist upgrades and testing.
#
# Note: Commitment of state will be attempted on the corresponding block.
halt-height = 3343000
# HaltTime contains a non-zero minimum block time (in Unix seconds) at which
# a node will gracefully halt and shutdown that can be used to assist upgrades
# and testing.
#
# Note: Commitment of state will be attempted on the corresponding block.
halt-time = 0

# MinRetainBlocks defines the minimum block height offset from the current
# block being committed, such that all blocks past this offset are pruned
# from Tendermint. It is used as part of the process of determining the
# ResponseCommit.RetainHeight value during ABCI Commit. A value of 0 indicates
# that no blocks should be pruned.
#
# This configuration value is only responsible for pruning Tendermint blocks.
# It has no bearing on application state pruning which is determined by the
# "pruning-*" configurations.
#
# Note: Tendermint block pruning is dependant on this parameter in conunction
# with the unbonding (safety threshold) period, state pruning and state sync
# snapshot parameters to determine the correct minimum value of
# ResponseCommit.RetainHeight.
min-retain-blocks = 0

# InterBlockCache enables inter-block caching.
inter-block-cache = true

# IndexEvents defines the set of events in the form {eventType}.{attributeKey},
# which informs Tendermint what to index. If empty, all events will be indexed.
#
# Example:
# ["message.sender", "message.recipient"]
index-events = []

# IavlCacheSize set the size of the iavl tree cache.
# Default cache size is 50mb.
iavl-cache-size = 781250

###############################################################################
###                         Telemetry Configuration                         ###
###############################################################################

[telemetry]

# Prefixed with keys to separate services.
service-name = ""

# Enabled enables the application telemetry functionality. When enabled,
# an in-memory sink is also enabled by default. Operators may also enabled
# other sinks such as Prometheus.
enabled = false

# Enable prefixing gauge values with hostname.
enable-hostname = false

# Enable adding hostname to labels.
enable-hostname-label = false

# Enable adding service to labels.
enable-service-label = false

# PrometheusRetentionTime, when positive, enables a Prometheus metrics sink.
prometheus-retention-time = 0

# GlobalLabels defines a global set of name/value label tuples applied to all
# metrics emitted using the wrapper functions defined in telemetry package.
#
# Example:
# [["chain_id", "cosmoshub-1"]]
global-labels = [
]

###############################################################################
###                           API Configuration                             ###
###############################################################################

[api]

# Enable defines if the API server should be enabled.
enable = true

# Swagger defines if swagger documentation should automatically be registered.
swagger = true

# Address defines the API server to listen on.
address = "tcp://0.0.0.0:1317"

# MaxOpenConnections defines the number of maximum open connections.
max-open-connections = 1000

# RPCReadTimeout defines the Tendermint RPC read timeout (in seconds).
rpc-read-timeout = 10

# RPCWriteTimeout defines the Tendermint RPC write timeout (in seconds).
rpc-write-timeout = 0

# RPCMaxBodyBytes defines the Tendermint maximum response body (in bytes).
rpc-max-body-bytes = 1000000

# EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk).
enabled-unsafe-cors = true

###############################################################################
###                           Rosetta Configuration                         ###
###############################################################################

[rosetta]

# Enable defines if the Rosetta API server should be enabled.
enable = false

# Address defines the Rosetta API server to listen on.
address = ":8080"

# Network defines the name of the blockchain that will be returned by Rosetta.
blockchain = "app"

# Network defines the name of the network that will be returned by Rosetta.
network = "network"

# Retries defines the number of retries when connecting to the node before failing.
retries = 3

# Offline defines if Rosetta server should run in offline mode.
offline = false

###############################################################################
###                           gRPC Configuration                            ###
###############################################################################

[grpc]

# Enable defines if the gRPC server should be enabled.
enable = true

# Address defines the gRPC server address to bind to.
address = "0.0.0.0:9090"

###############################################################################
###                        gRPC Web Configuration                           ###
###############################################################################

[grpc-web]

# GRPCWebEnable defines if the gRPC-web should be enabled.
# NOTE: gRPC must also be enabled, otherwise, this configuration is a no-op.
enable = true

# Address defines the gRPC-web server address to bind to.
address = "0.0.0.0:9091"

# EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk).
enable-unsafe-cors = false

###############################################################################
###                        State Sync Configuration                         ###
###############################################################################

# State sync snapshots allow other nodes to rapidly join the network without replaying historical
# blocks, instead downloading and applying a snapshot of the application state at a given height.
[state-sync]

# snapshot-interval specifies the block interval at which local state sync snapshots are
# taken (0 to disable). Must be a multiple of pruning-keep-every.
snapshot-interval = 100

# snapshot-keep-recent specifies the number of recent snapshots to keep and serve (0 to keep all).
snapshot-keep-recent = 2

[wasm]
# The maximum gas amount can be spent for contract query.
# The contract query will invoke contract execution vm,
# so we need to restrict the max usage to prevent DoS attack
contract-query-gas-limit = "10000000"

# The WASM VM memory cache size in MiB not bytes
contract-memory-cache-size = "0"

# The WASM VM memory cache size in number of cached modules. Can safely go up to 15, but not recommended for validators
contract-memory-enclave-cache-size = "0"

7. Download Genesis File

wget -O $home/.mantlemint/config/genesis.json "https://github.com/scrtlabs/SecretNetwork/releases/download/v1.2.0/genesis.json"

8. Download a snapshot

To start mantlemint, we highly recommend using a snapshot. The earlier one starting from block 3340000. This will save having to switch out mantlemint binaries to account for network upgrades.

To download and unpack a snapshot, use the following command

wget -qO - https://engfilestorage.blob.core.windows.net/mm-snapshots/height_3340000.tar | tar -xvf - -C /path/to/mm/directory

Make sure the files are unpacked in your chosen mantlemint directory

Pro Tip: Currently Mantlemint is fully archival. That means snapshots are really large. This command will download and unpack the snapshot without having to use twice the storage amount

9. Finally, you run Mantlemint

Now we are ready to run Mantlemint. It's slightly awkward to run as you have to set multiple environment variables, but they're fairly straightforward. An example run command would be -

# Tell SGX we are running on a production chain
SGX_MODE=HW \

# Location of genesis file
GENESIS_PATH=$home/.mantlemint/config/genesis.json \

# Home directory for mantlemint.
# Mantlemint will use this to:
# - read $HOME/config/app.toml
# - create and maintain $HOME/mantlemint.db directory
# - create and maintain $HOME/data/* for wasm blobs; (unsafe to share with RPC!)
# - create and maintain $HOME/$(INDEXER_DB).db for mantle indexers
MANTLEMINT_HOME=./hd/mm \ 

# Chain ID 
CHAIN_ID=secret-4  \

# RPC Endpoint; used to sync previous blocks when mantlemint is catching up
RPC_ENDPOINTS=http://20.104.20.173:26657,http://20.104.20.173:26657 \

# Name of mantlemint.db, akin to application.db in standard cosmos/tendermint
MANTLEMINT_DB=mantlemint \ 
# Name of indexer db
INDEXER_DB=indexer \ 

# WS Endpoint; used to sync live block as soon as they are available through RPC websocket  
WS_ENDPOINTS=ws://20.104.20.173:26657/websocket,ws://20.104.20.173:26657/websocket \

# Flag to enable/disable mantlemint sync, mainly for debugging
DISABLE_SYNC=false \ 

# Flags that help mantlemint find the secret-specific libraries and secret keys
SCRT_SGX_STORAGE="/opt/secret/.sgx_secrets" 
SCRT_ENCLAVE_DIR="/usr/lib" \

./mantlemint --x-crisis-skip-assert-invariants

That's it!

Sentry and Archive nodes

Mantlemint

What is Mantlemint?

Features

Prerequisites

Minimum Requirements

Setup

1a. Build from source

1b. Run from Binary

2. Install SGX

3. Download and unpack the secretd package

4. Register the node

5. Create a directory for mantlemint data

6. Create an app.toml file

7. Download Genesis File

8. Download a snapshot

9. Finally, you run Mantlemint

Sentry Nodes

Make Nodes Resilient To DDoS Attacks

Get Node Peer IDs

Setup Sentry Node

Place Validator Behind Sentry Nodes

Resources:

Archive Nodes

Archive All Blockchain Data.

Install latest secretd

Setup the Node

Install v1.2.0-archive secretd

Set Pruning Parameter

Begin Syncing

Execute upgrades

Sentry Nodes

Make Nodes Resilient To DDoS Attacks

Get Node Peer IDs

Setup Sentry Node

Place Validator Behind Sentry Nodes

Resources:

Sentry and Archive nodes

Archive Nodes

Archive All Blockchain Data.

Install latest secretd

Setup the Node

Install v1.2.0-archive secretd

Set Pruning Parameter

Begin Syncing

Execute upgrades

Mantlemint

What is Mantlemint?

Features

Prerequisites

Minimum Requirements

Setup

1a. Build from source

1b. Run from Binary

2. Install SGX

3. Download and unpack the secretd package

4. Register the node

5. Create a directory for mantlemint data

6. Create an app.toml file

7. Download Genesis File

8. Download a snapshot

9. Finally, you run Mantlemint

3. Download and unpack the `secretd` package

Install latest `secretd`

Install v1.2.0-archive `secretd`

Install latest `secretd`

Install v1.2.0-archive `secretd`

3. Download and unpack the `secretd` package