Nyzo Node Deployment Guide

:face_with_tears_of_joy_emoji:
10 min readDec 8, 2018

--

Nyzo is a new, unique, and highly efficient blockchain coded from scratch which uses a Proof of Diversity algorithm in order to distribute tokens. Instead of grinding your processor at full blast, the only thing Nyzo requires of participants is having a unique IPv4 address and some patience, that’s it!

Perhaps the most cost effective VPS (virtual private server, a home for your Nyzo Verifier) hosting is available through buying Amazon Web Services coupons on Ebay, where you can get discounts up to 80% off regularly, although these are becoming less and less readily available:

A typical AWS coupon available on Ebay

If you happen to get an AWS server, the setup procedure is very similar to the one found below, the only variation is how the server is created, and that port 9444 (inbound, TCP) must be opened on the Amazon Security Group that applies to your instance.

Amazon credits aren’t for everyone, and for those people, the best value provider I have found in my years of sysadmin is Vultr. They provide the best CPU performance for the price, and include a generous amount of bandwidth usage per month, whereas larger providers tend to nickle-and-dime for bandwidth to a shocking degree. Vultr’s pricing schedule is very reasonable, and the Nyzo Verifier is not as demanding on the CPU as typical crypto mining software to run, but it can be resource intensive through network and I/O.

We need to choose from the available Vultr servers, the $10 option should be considered the minimum at this point

Click here to head over to Vultr to sign up for an account, add a billing method to sign up.

Have a Mac? No problem! Follow this short guide to generate keys in your terminal, and skip ahead to where we hand them to Vultr.

To lock down your server, you will also want to generate an SSH key. For this, download PuttyGen and open it up. You’ll be met with a blank window saying “No key”, and some options. Hit “Generate” and move the mouse around a bit so the crypto algorithm has a good source for entropy.

Save the private key without a passphrase to an easy to locate folder:

Passphrases exist to add an optional extra layer of local security

Save the public key along with it in a similar location. Leave the main PuttyGen window open for now. Return to Vultr in your web browser, and under the “Servers” tab, find the blue + button to create a new server:

Feel free to pick any server location you want, but bear in mind that the network benefits more from more diversity.

Tokyo does not have some of the cheap server options.
Choose the latest version of Ubuntu
Copy the key you generated earlier from Puttygen window that you either still have open, or by clicking Load and navigating to the ppk file created earlier.
Click “Add New” and paste in your SSH key from the previous step. It’s a good idea to clear your clipboard after having any sensitive information on it.

And press deploy! Your server(s) will be instantly activated.

At this point, you’ll need SSH software to connect to your servers. Putty, available here, is capable and robust software and it does exactly what we need. Download it and run it.

Paste the IP of your server into the “Host Name” field, enter a profile name in “Saved Sessions”, and hit “Save” to create a profile

From the “Servers” page in your browser still on the Vultr website, click on one of the servers you have just created. Copy the IP from this page into the “Host Name” field.

Press “Open” in the Putty window to connect to your server. You will be prompted to accept the host upon your first connected, just press “Yes”

If you're on a Mac, this is where you'd open the terminal and type in 'ssh root@127.0.0.1' where 127.0.0.1 is the IP of the Vultr server you've just created.

The user you want to log in as is “root” and the password is obtained from your server’s page within Vultr.

Press the 👁 icon to view the root password, you can paste into Putty by right clicking.

You’re now connected and one step closer to having a running Nyzo Verifier node, it’s not much further now. You will be greeted with a black terminal and a login message, people familiar with linux should be right at home. Your first moves should be to create a user account named “ubuntu” and to secure your server by changing the SSH settings. Enter the following commands one line at a time, pressing enter and reading the output that each one gives. It is not necessary to add metadata like a name upon creating a new user, you can just press the Enter key 5 times to skip through the metadata steps and leave them blank. Keep in mind that the commands and arguments are case sensitive!

adduser ubuntu
usermod -aG sudo ubuntu
su ubuntu
sudo -S true

You are now logged in as the user “ubuntu” instead of the root account. Notice how the prompt has changed to reflect this.

The beginning of the prompt should now read “ubuntu” instead of “root”

Vultr, by default, allows simple password logins like the one you just used, which are vastly inferior in a security sense to using private key encryption as strong as the one you just created in the earlier step. Enter the following command to copy the SSH key from root’s account into the newly created ‘ubuntu’ account:

cd && mkdir .ssh && chmod 700 .ssh && cd .ssh && sudo cp /root/.ssh/authorized_keys . && sudo chown ubuntu authorized_keys && chmod 644 authorized_keys

This also gives your public key file the appropriate permissions so that you can securely log in later. You should now close this Putty window and re-open a new connection dialogue, and reload the profile you created.

Under the “Connection -> Data” section, enter “ubuntu” as the auto-login username
Under the “Connection -> SSH -> Auth” section, browse to the .ppk private key file you created in the earlier step with PuttyGen and select it
Be sure to save your server profile after editing those options!

Upon pressing “Open” this time in Putty, you should be able to connect without even having to type anything in. If your key isn’t accepted, it’s because your authorized_keys file is incorrect. Go back and make sure it’s exactly correct and that you can log in using just your key before proceeding.

Now you have to edit the SSH Daemon config file to lock down the server.

sudo nano /etc/ssh/sshd_config

Use the arrow keys to scroll the cursor through the file (or press Ctrl+W to search by string) and find the following lines, change them to the following settings:

PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication noPermitRootLogin prohibit-passwordUsePAM no

None of these lines should have a # at the start of them, if there is one, remove it. Some people also change the port from port 22 to another higher port, although this is really just icing on the cake and not necessary. Press Ctrl+X and then Y and then Enter to save the config file.

You now have to restart the SSH daemon in order to apply these new settings.

sudo systemctl restart sshd.service

At this point your server is relatively secure and you can proceed with storing private keys and other information on it without worrying.

There is one last step before we can get the Nyzo Verifier up and running properly, and that’s making sure that the system has enough resources to handle it. The way to do this is to increase size of the swapfile, allowing more virtual memory to exist on the system. Run the following commands:

sudo swapoff /swapfile
sudo fallocate -l 4G /swapfile && sudo chmod 600 /swapfile
sudo mkswap /swapfile &&sudo swapon /swapfile
echo /swapfile none swap sw 0 0 | sudo tee -a /etc/fstab

Now you will have 4 gigabytes of swap space as a safety net if the Verifier needs it, to avoid Out of Memory issues. You next need to open port 9444 to listen for TCP connections in order for the verifier to work, to do this, enter:

sudo ufw allow 9444/tcp

Next, update your server and download all of the requirements for Nyzo with the following line:

sudo apt update && sudo apt upgrade -y && sudo apt install haveged openjdk-8-jdk supervisor -y

Getting the latest copy of the Nyzo Verifier from Github:

git clone https://github.com/n-y-z-o/nyzoVerifier.git

Building the Nyzo Verifier from the source files:

cd nyzoVerifier && ./gradlew build

Copying all of the required files in order for the verifier to run properly:

sudo mkdir -p /var/lib/nyzo/production && sudo cp trusted_entry_points /var/lib/nyzo/production && sudo cp nyzoVerifier.conf /etc/supervisor/conf.d/

Give your verifier a unique nickname to distinguish itself on the mesh, be sure to edit “VERIFIER_NICKNAME” to something else:

echo "VERIFIER_NICKNAME" | sudo tee /var/lib/nyzo/production/nickname

Finally, to run your verifier, enter:

sudo supervisorctl reload

Congratulations!

You now have a Nyzo Verifier up and running, as long as nothing went wrong! You should be able to find your server on the Nyzo Mesh page with the nickname that you gave it (try Ctrl+F)

The remainder of this article is dedicated to helpful resources and ways to find out what is going wrong, if anything.

To find out the private key of the verifier you just created, a file will have been created on your server that you can read with the following command — remember that you can highlight text in Putty to copy it to the clipboard

cat /var/lib/nyzo/production/verifier_private_seed

Keep your private key private! If you don’t control the private keys to your crypto, then it’s not yours! Be careful out there.

To view the uptime of your verifier, enter the following command. You will enter a console-mode program that will take control of the prompt once you enter it, be aware that commands are different inside of this program.

sudo supervisorctl
Giving supervisorctl two commands; ‘status’ and ‘exit’ (which returns to the main bash prompt — you can also use Ctrl+C to exit out of this program)

In order to view the output of your verifier as it’s running, enter:

tail -f /var/log/nyzo-verifier-stdout.log

and in order to view the error messages of the Nyzo Verifier (if any), enter:

tail -f /var/log/nyzo-verifier-stderr.log

These commands will open a running log of the current output or any error messages produced respectively from the Nyzo Verifier. They can be useful for keeping track of healthy behavior. You can use Ctrl+C to cancel out of watching the logs.

In order to update your Nyzo Verifier to the latest version (keep an eye on the What’s New page from time to time) when a new release comes out, enter the following series of commands:

cd /home/ubuntu/nyzoVerifier
git reset — hard git pull origin master
./gradlew build
sudo supervisorctl reload

In order to copy your private key from an old, inactive node, to a new node after installing enter the following, replacing PRIVATE_KEY with your own:

echo "IMPORTED_PVTKEY" | sudo tee /var/lib/nyzo/production/verifier_private_seed

To set the Nyzo Verifier to a higher process priority (analogous to changing CPU process scheduling priorty in Windows) to a higher priority value:

sudo renice -n -5 -p $(pgrep ^java$)

If you’re noticing that your Verifier is having trouble starting up properly if the server happens to be rebooted, add the following line to your cron file so that the verifier gets an extra reload upon startup:

echo “@reboot sudo supervisorctl reload” >> mycron
crontab mycron
rm mycron

To check your Nyzo balance, first go to the Nyzo tool to create QR codes from your private ID. Then, go to the secure browser based wallet and submit the private key image you just generated to check your balance.

To confirm that your server is accessible from the rest of the internet, go to this page which lets you test whether ports are open on remote servers. Port 9444 should be open on your server, meaning that the Verifier is running and listening for connections on that port, and the firewall is allowing inbound TCP connections on this port.

The green flag and “port is open” is what you want to see

Be aware that it can take a considerable amount of time to actually join the mesh from the queue, this is normal. Nodes are voted into the mesh in a democratic process based on many factors. The amount of time it takes scales up with the amount of verifiers in the queue along with you. Patience is key. If your verifier is red or yellow on the mesh page, it means that it is unhealthy or failing. You need to take action to attempt to get it to white in order for it to have a chance of joining the mesh. Reloading supervisorctl and checking for any errors in stderr is a typical course of action. Of course, you can always ask for help in the Nyzo Discord or in the BitcoinTalk thread.

Welcome to the Nyzo network!

--

--