Hosting a Splinter Node
Choosing a Hosting Environment
Currently, Splinter is packaged as Docker images hosted on Docker Hub. This means Splinter can be deployed anywhere a Docker image can run. Most examples will focus on Docker Compose.
Starting with 0.5.1
Splinter can also be installed using apt
.
Details can be found on the
0.5 releases page and
Installing Splinter on Ubuntu.
Hosting a Splinter Node
Detailed information about planning your Splinter deployment can be found in Planning a Splinter Deployment how-to document. This section summarizes some especially important information.
Network Configuration
Other nodes must be able to connect to your node on port 8044. Applications and CLIs used to manage Splinter will connect to the Splinter REST API on port 8080.
While it is technically possible to run the Splinter daemon without port
8044 open, it is not recommended. If the daemon cannot accept incoming
connections, it will not be able to receive circuit management requests from new
peers. Also, if an existing peer has disconnected, the peer will try to
reestablish a connection to splinterd
behind the firewall, which will be
unsuccessful.
If running behind a firewall without an open port is absolutely necessary, peers
can be explicitly set with the splinterd --peer
option on startup or with the
splinter configuration setting peers = [ ]
. This will cause splinterd
to try
to establish a connection with another Splinter node, whether there is a
shared circuit defined or not, and assumes that the other node will accept
incoming connections.
Persistent Volumes
Due to the ephemeral nature of Docker containers, any data not explicitly
persisted to a volume outside the container will be lost when the container is
restarted or stopped. Persisting application data will depend on the design of
the application running on Splinter, but all deployments will need to persist
splinterd’s data directory, /var/lib/splinter
. Splinter’s directories are
described in the next section.
Important splinterd Directories
/etc/splinter/
:
Default location for the Splinter configuration directory. Note: If
$SPLINTER_HOME
is set, the default location is $SPLINTER_HOME/etc/
.
/etc/splinter/certs/
:
Default location for the TLS certificate directory, which stores CA certificates
and the associated keys. Note: If SPLINTER_HOME
is set, the default location
is $SPLINTER_HOME/certs/
.
/etc/splinter/keys/
:
Default location for splinterd keys generated with splinter keygen --system
.
/var/lib/splinter/
:
Default location for the Splinter state directory, which stores the circuit
state SQLITE database (unless --database
is set). Note: If
$SPLINTER_HOME
is set, the default location is $SPLINTER_HOME/data/
.
Logging
Currently, splinterd only logs to stdout and stderr. Logging levels can
be increased by starting splinterd with -v
for INFO
logging, -vv
for
DEBUG
logging or -vvv
for TRACE
. Future versions will have configurable
file logging and ability to change the log level without needing to restart
splinterd
.
Splinter Keys
There are two common types of keys used with Splinter.
Keys for splinterd
(generated by running splinter keygen --system
)
used in a challenge authorization.
User keys are used for signing transactions in applications and smart contracts that run on Splinter.
Splinter Registry
A Splinter registry is used to locate Splinter nodes for the purpose of creating circuits. Registries can be local, remote, or both. For the differences between the two types of registries, instructions for configuring a registry, and recommendations, see the Splinter Registry page.
Security Concerns
REST API
See the Ports and REST API Connections section of the “Security Considerations” document for details about REST API security.
Certificates
In order to run splinterd
and create circuits over TLS, you’ll need to provide
valid X.509 certificates and the associated private keys. Any splinter node you
will be creating circuits with will need to trust the CA that signs your
certificates.
splinterd
uses both a client and a server certificate for TLS
connections.
-
The generated server certificate should have the Extended Key Usage OID for Server Authentication (1.3.6.1.5.5.7.3.1).
-
The generated client certificate should have the Extended Key Usage OID for Client Authentication (1.3.6.1.5.5.7.3.2).
For development or non-production uses, Splinter can be run in “insecure” mode with self-signed certificates. For the instructions on generating these certificates and enabling insecure mode, see Generating Insecure Certificates for Development.
Authorization
When Splinter nodes connect, they must go through a “handshake” to verify the identity of the other node. Challenge Authorization requires a node’s ID to be tied to a public key/private key pair and a node must prove they have access to that key by signing a random nonce, providing the resulting signature and their public key.
For development or non-production uses, trust authorization can be used. Trust authorization takes the identity provided from the node without further verification.
The required authorization type is set in the circuit.
Available Docker Hub Images
Splinter images are published to splintercommunity on Docker Hub.
The Splinter project produces artifacts for multiple branches compiled with different features, which can be confusing at times. This table lists the image tags and explains what each tag means.
image tag | description |
---|---|
0.3 | Most recent 0.3 release |
0.3.x | Exact 0.3 release |
latest | Alias for 0.4 |
0.4-dev | Most recent build of 0-4 branch |
0.4 | Most recent 0.4 release |
0.4-experimental | Most recent build of 0-4 branch, features=experimental |
main | Most recent build of main branch, features=default |
experimental | Most recent build of main branch, features=experimental |
0.5 | Most recent 0.5 release |
0.5.x | Exact 0.5 release |
Upgrading Splinter
Upgrading Splinter is usually as simple as updating the version number of the Splinter images in your Docker Compose file, then redeploying. However, breaking changes will be introduced from time to time. Comprehensive upgrade instructions for each version can be found in the Upgrading section of the Splinter website.
Troubleshooting
Circuit Creation:
Error message: T["actix-rt:worker:1"] DEBUG [splinter::admin::rest_api::actix::submit] validation failed: 02f953633bafafe622ebdec3d6d5a309cc5dd967793dexample3d2312ed4ccb599 is not registered for the requester node: alpha
This error message suggests that the key provided as the circuit admin key in the circuit proposal isn’t the key listed for this node in the node registry. Look at your Splinter registry file and make sure that the correct key is being used.