Skip to main content

🚀 Run the Operator with Docker

In this Guide:​

  1. Install dependencies
  2. Register your operator
  3. Create db directory
  4. Configure and Install Docker Compose files
  5. Start the drosera-operator docker compose service
  6. Configure the ufw firewall
  7. Add the Delegation Client (Whitelisted Testnet Operators Only)

Prerequisites​

  • General systems knowledge
  • General terminal knowledge
  • General cloud networking knowledge

Install dependencies​

sudo apt-get install -y ufw
sudo usermod -aG docker $USER
newgrp docker

Register your operator​

docker run ghcr.io/drosera-network/drosera-operator:latest register --eth-rpc-url https://ethereum-holesky-rpc.publicnode.com --eth-private-key <<YOUR_ETH_PRIVATE_KEY_HERE>>

Create db directory​

  • We want a persistent location that is accessible by the service runner.
  • These permissions are specific to your use case, so we will make the service runnable by root and the directory accessible by root. Adjust the permissions and the systemd user as needed.
sudo mkdir -p /var/lib/drosera-data
sudo chown -R root:root /var/lib/drosera-data
sudo chmod -R 700 /var/lib/drosera-data

Configure and Install Docker Compose files​

  • This step is probably the one that is nearly impossible to fully cover in a guide. The drosera-operator has many customizable features, and until you have determined your use case needs, it is impossible to make this guide fit all possible configurations.

  • That said, we will give a good starting configuration with reasonable defaults for the Ethereum Holesky testnet. Please refer to our Run the Node guide for all of the configurations, command line argument, and environment variable options and their effects on how the drosera-operator runs.

  • Before running the command below, we will explain the environment variables and what they configure. If you need an explanation of the anatomy of a docker-compose.yml file, Docker's documentation will get you there.

    • DRO_DB_FILE_PATH: The path to the database file to use for persistence when not in dev mode
    • DRO__DROSERA_ADDRESS: The address of the main Drosera proxy contract to interact with
    • DRO__LISTEN_ADDRESS: The network interface to bind the Operators RPC and P2P server to
    • DRO__DISABLE_DNR_CONFIRMATION: Disables the DNR confirmation. Only set this if you are running this node behind a NAT, and you are receiving a 'Failed to confirm DNR' error message. Verify the public address setting is correct and any firewall walls are opened for the configured ports before turning this setting on.
    • DRO__ETH__CHAIN_ID: The Ethereum chain id
    • DRO__ETH__RPC_URL: The node used for querying and sending transactions. You will want to set this to an Ethereum Holesky RPC that is not rate limited. Usually public nodes have significant rate limits that will cause your operator to fail RPC calls to the chain.
    • DRO__ETH__BACKUP_RPC_URL: A backup Ethereum RPC if the primary RPC node becomes unresponsive. This arg is optional. Again, this should also be a non rate-limited RPC
    • DRO__ETH__PRIVATE_KEY: The private key used to sign transactions. Please keep this secure.
    • DRO__NETWORK__P2P_PORT: The TCP port to bind the P2P server to
    • DRO__NETWORK__EXTERNAL_P2P_ADDRESS: The external address to reach the Operator node at for p2p communications. This is required for the Operator to be discoverable by other nodes. The public address can either be an IP address or a domain name. If a domain name is used, the domain must resolve to the public IP address of the Operator. It is important to note, that this is the public IPv4 address of your VPS.
    • DRO__SERVER__PORT: The TCP port to bind the rpc server to. This port is the port that must be properly allowed through the firewall in order for liveness data to be visible on the frontend.

  • At this point you're ready to run the command below. A good process is to copy this command into a text editor in order to replace <<YOUR_ETH_PRIVATE_KEY_HERE>> and <<YOUR_PUBLIC_VPS_IP_ADDRESS>> with the actual values. A more secure way of doing this would be to create the .env file in the drosera-operator directory and edit it with a terminal text editor like nano or vim. You can also run history -c in your terminal session after you're done, to clear the current terminal history so that the secrets don't show up.

mkdir drosera-operator
cd drosera-operator
tee .env > /dev/null <<EOF 
ETH_PRIVATE_KEY=<<YOUR_ETH_PRIVATE_KEY_HERE>>
VPS_PUBLIC_IP=<<YOUR_PUBLIC_VPS_IP_ADDRESS>>
EOF
tee docker-compose.yml > /dev/null <<'EOF' 
version: '3'
services:
  drosera-operator:
    image: ghcr.io/drosera-network/drosera-operator:latest
    container_name: drosera-operator
    environment:
      - DRO__DB_FILE_PATH=/data/drosera.db
      - DRO__DROSERA_ADDRESS=0xea08f7d533C2b9A62F40D5326214f39a8E3A32F8
      - DRO__LISTEN_ADDRESS=0.0.0.0
      - DRO__DISABLE_DNR_CONFIRMATION=true
      - DRO__ETH__CHAIN_ID=17000
      - DRO__ETH__RPC_URL=https://ethereum-holesky-rpc.publicnode.com
      - DRO__ETH__BACKUP_RPC_URL=https://1rpc.io/holesky
      - DRO__ETH__PRIVATE_KEY=${ETH_PRIVATE_KEY}
      - DRO__NETWORK__P2P_PORT=31313
      - DRO__NETWORK__EXTERNAL_P2P_ADDRESS=${VPS_PUBLIC_IP}
      - DRO__SERVER__PORT=31314
    ports:
      - "31313:31313"
      - "31314:31314"
    volumes:
      - /var/lib/drosera-data:/data
    command: ["node"]
    restart: always
EOF

Start the drosera-operator docker compose service​

  • Start the docker compose service
docker compose up -d
  • Check logs:
docker compose logs -f
  • NOTE: the WARN drosera_services::network::service: Failed to gossip message: InsufficientPeers warning can be ignored.
  • If your drosera-operator is not opted into any traps, you will not see very many logs. We will cover opting into traps in another section.

At this point, you can confirm that public RPC communication is properly configured on your drosera-operator with the following curl command. Run this command from a terminal that is not on the same network as the VPS.

curl --location 'http://${YOUR_EXTERNAL_ADDRESS}:${SERVER_PORT}' \
--header 'Content-Type: application/json' \
--data '{
    "jsonrpc": "2.0",
    "method": "drosera_healthCheck",
    "params": [],
    "id": 1
}'
  • In the command ${YOUR_EXTERNAL_ADDRESS} should be the same as what you set for the value of DRO__NETWORK__EXTERNAL_P2P_ADDRESS in the service file. And ${SERVER_PORT} should be what you set for the value of DRO__SERVER__PORT in the service file.

Configure the ufw firewall​

  • Finally, we need to secure the VPS with a software firewall. It should be noted that you can achieve similar security using your cloud provider's network firewall that is configured outside of the VPS. Since we don't know what cloud provider you are using, we will demonstrate the firewall using ufw as our software firewall.
  • Allow ssh traffic
sudo ufw allow ssh
sudo ufw allow 22
  • Allow drosera-operator ports
sudo ufw allow 31313/tcp
sudo ufw allow 31314/tcp
  • Enable the ufw firewall
sudo ufw enable
  • After you have enabled the ufw firewall, you can again confirm RPC connectivity with your drosera-operator using the following curl command. Run this command from a terminal that is not on the same network as the VPS.
curl --location 'http://${YOUR_EXTERNAL_ADDRESS}:${SERVER_PORT}' \
--header 'Content-Type: application/json' \
--data '{
    "jsonrpc": "2.0",
    "method": "drosera_healthCheck",
    "params": [],
    "id": 1
}'

Whitelisted Testnet Operators Only

Run the Delegation Client​

We have a closed set of whitelisted testnet operators that are running public traps. This section is for you, using systemd and a service file on a cloud VPS. The instructions for running the drosera-delegation-client are very similar to the instructions for running the drosera-operator as a systemd service, so we will spin through them pretty quickly without as much explanation of the configurations or possible scenarios you will encounter as we did in the drosera-operator section.

Prerequisites​

Configuring the docker-compose.yml file​

  • Again, this is a docker-compose.yml file with reasonable defaults, and the drosera-delegation-client is configured very similarly to the drosera-operator.
  • There is one variable that is different in this example than the drosera-operator:
    • DRO__DELEGATION_SERVER_URL: The value for this variable is the location of the Drosera Delegation Server which aids in opting in testnet operators automatically to public traps.
tee .env > /dev/null <<EOF 
ETH_PRIVATE_KEY=<<YOUR_ETH_PRIVATE_KEY_HERE>>
VPS_PUBLIC_IP=<<YOUR_PUBLIC_VPS_IP_ADDRESS>>
EOF
tee docker-compose.yml > /dev/null <<'EOF' 
version: '3'
services:
  drosera-operator:
    image: ghcr.io/drosera-network/drosera-operator:latest
    container_name: drosera-operator
    environment:
      - DRO__DB_FILE_PATH=/data/drosera.db
      - DRO__DROSERA_ADDRESS=0xea08f7d533C2b9A62F40D5326214f39a8E3A32F8
      - DRO__LISTEN_ADDRESS=0.0.0.0
      - DRO__ETH__CHAIN_ID=17000
      - DRO__ETH__RPC_URL=https://ethereum-holesky-rpc.publicnode.com
      - DRO__ETH__BACKUP_RPC_URL=https://1rpc.io/holesky
      - DRO__ETH__PRIVATE_KEY=${ETH_PRIVATE_KEY}
      - DRO__NETWORK__P2P_PORT=31313
      - DRO__NETWORK__EXTERNAL_P2P_ADDRESS=${VPS_PUBLIC_IP}
      - DRO__SERVER__PORT=31314
    ports:
      - "31313:31313"
      - "31314:31314"
    volumes:
      - /var/lib/drosera-data:/data
    command: ["node"]
    restart: always
  drosera-delegation-client:
    image: ghcr.io/drosera-network/drosera-delegation-client:latest
    container_name: drosera-delegation-client
    environment:
      - DRO__DELEGATION_SERVER_URL=https://delegation-server.testnet.drosera.io
      - DRO__DROSERA_ADDRESS=0xea08f7d533C2b9A62F40D5326214f39a8E3A32F8
      - DRO__ETH__CHAIN_ID=17000
      - DRO__ETH__RPC_URL=https://ethereum-holesky-rpc.publicnode.com
      - DRO__ETH__PRIVATE_KEY=${ETH_PRIVATE_KEY}
      - DRO__NETWORK__HTTP_PORT=32324
    ports:
      - "32324:32324"
    restart: always
EOF

Enable and start the drosera-operator service​

Start the drosera-operator docker compose service​

  • Start the docker compose service
docker compose up -d
  • Follow logs
docker compose logs -f drosera-delegation-client
  • Stop following logs
Ctrl+C
  • If your drosera-delegation-client is configured properly, you will see only this log, unless it finds a trap to opt into.
INFO drosera_delegation_client::delegation: Traps to opt into: []

Configure the ufw firewall​

  • Finally, we need to allow one more port through our firewall
  • Allow ssh traffic (if you haven't already)
sudo ufw allow ssh
sudo ufw allow 22
  • Allow drosera-delegation-client ports
sudo ufw allow 32324/tcp
  • Enable the ufw firewall 
sudo ufw enable
  • Or if it was already enabled, reload the configuration
sudo ufw reload
  • After you have enabled the ufw firewall, you should be completely setup as a testnet whitelisted operator.