Eth2 Validator

Introduction

This tutorial will allow anyone to set up an Ethereum Validator node as long as you have the sufficient hardware requirements and familiarity with the command line. This guide will use installation instructions for Ubuntu 20.04 but instructions to other operating systems will be linked.

Using Testnets

We highly recommend you use one of the following test networks before you attempt running a validator on Ethereum Mainnet to get familiarized with the process:
  • Ropsten
  • Kiln
Coming Soon
  • Sepolia
  • Goerli
We will go through the most important steps in the checklist and a general overview of the responsibilities of a validator provided by the Ethereum foundation.

Hardware and Network Requirements

You will need to run two pieces of software on your machine to run a validator. The two software have several different implementations maintained by different teams. Each implementation has their own hardware requirements, but generally you would need for mainnet:
  • Memory: 16 GB RAM
  • Processor: Intel Core i5–760 or better (CPUs made later than 2010 are usually fine)
  • Storage: 1 TB SSD
  • Network: Broadband connection (preferably wired)
Please consult the docs / website of the specific client software you choose to run the Ethereum chain with. Note that the hardware requirements are lower if you intend to run on testnets only.

Setup

Installing Prerequisites

The two pieces of software to run a node for proof of stake Ethereum are called the consensus client and the execution client. The consensus client maintains the proof of stake consensus mechanism while the execution client stores and validates transactions for the proof of stake layer.
Install these prerequisites before proceeding:
sudo apt -y install software-properties-common wget curl ccze
This guide will go through the Nethermind and Lighthouse client combination.

Installing Nethermind

Run the following command to install Nethermind:
sudo add-apt-repository ppa:nethermindeth/nethermind; sudo apt install nethermind
See here for docs for other ways to install Nethermind.

Installing Consensus Client

Lighthouse
Teku
Download the latest release from lighthouse. You can also install lighthouse through other methods by following their docs. To install v2.3.1 of lighthouse (latest release as of June 21 2022):
wget <https://github.com/sigp/lighthouse/releases/download/v2.3.1/lighthouse-v2.3.1-x86_64-unknown-linux-gnu.tar.gz>
tar xvf lighthouse-v2.3.1-x86_64-unknown-linux-gnu.tar.gz
rm lighthouse-v2.3.1-x86_64-unknown-linux-gnu.tar.gz
Install globally:
sudo cp ~/lighthouse /usr/local/bin
rm ~/lighthouse
You can install Teku following their docs. Quick guide how to install Teku using binary distribution:
Check if Java is already installed on Your machine:
Java --version
if not You can use this command to install it:
sudo apt install default-jdk
Then, download Teku and extract it (currently latest version is 22.8.1):
wget https://artifacts.consensys.net/public/teku/raw/names/teku.tar.gz/versions/22.8.1/teku-22.8.1.tar.gz
tar xvf teku-22.8.1.tar.gz
rm teku-22.8.1.tar.gz
Install globally:
sudo cp -r teku-22.8.1 /usr/local/bin
rm teku-22.8.1

Configuration

It is recommended to run the consensus and execution client as a systemd service, which will allow the two processes run in the background and start up again if your machine restarts, improving reliability and uptime of your validator. This is not as crucial for running testnet validators and you can follow this guide on how to connect to testnets with Nethermind and other consensus clients.
Create a dedicated user for Nethermind. This will set up the correct permissions and directory where the chain data is stored.
sudo useradd -m -s /bin/false nethermindeth
sudo mkdir -p /var/lib/nethermind
sudo chown -R nethermindeth:nethermindeth /var/lib/nethermind
sudo chown -R nethermindeth:nethermindeth /usr/share/nethermind
Create a JWT Token which will be used to communicate between consensus and execution clients. For more information about JWT Token please refer to this section.
openssl rand -hex 32 | tr -d "\n" > "/var/lib/nethermind/jwt-secret"
Create a systemd config file. This will run Nethermind as a systemd service on your machine.
sudo nano /etc/systemd/system/nethermind.service
Paste the following service configuration into the file
[Unit]
Description=Nethermind Ethereum Client
After=network.target
Wants=network.target
[Service]
User=nethermindeth
Group=nethermindeth
Type=simple
Restart=always
RestartSec=5
TimeoutStopSec=180
WorkingDirectory=/home/nethermindeth
ExecStart=/usr/share/nethermind/Nethermind.Runner \
--config mainnet \
--Init.BaseDbPath /var/lib/nethermind \
--JsonRpc.Enabled true \
--JsonRpc.EngineHost "0.0.0.0" \
--JsonRpc.EnginePort 8551 \
--JsonRpc.JwtSecretFile /var/lib/nethermind/jwt-secret
[Install]
WantedBy=default.target
To close and save the file, press Ctrl+ X, Y, Enter.
Reload systemd to reflect the changes and start the nethermind service. The status should say active in green text. If not, repeat the configuration steps and see if it resolves the problem
sudo systemctl daemon-reload
sudo systemctl start nethermind.service
sudo systemctl status nethermind.service
Press Q to quit viewing the status. Enable the nethermind service to automatically start on reboot:
sudo systemctl enable nethermind.service
To see the Nethermind logs:
sudo journalctl -f -u nethermind.service -o cat | ccze -A
Press Ctrl + C to stop showing those messages.
If any path from sample would be changed (like "Init.baseDbPath") please ensure that You set newly added user as a owner of this directory and execute "systemctl restart nethermind.service" command.
Now repeat the process to run a CL beacon chain:
Lighthouse
Teku
sudo useradd --no-create-home --shell /bin/false lighthousebeacon
sudo mkdir -p /var/lib/lighthouse
sudo chown -R lighthousebeacon:lighthousebeacon /var/lib/lighthouse
Add systemd file:
sudo nano /etc/systemd/system/lighthousebeacon.service
Paste the following in:
[Unit]
Description=Lighthouse Ethereum Client Beacon Node
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=lighthousebeacon
Group=lighthousebeacon
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/lighthouse bn \\
--network mainnet \\
--datadir /var/lib/lighthouse \\
--staking \\
--http-allow-sync-stalled \\
--merge \\
--execution-endpoints <http://127.0.0.1:8551> \\
--metrics \\
--validator-monitor-auto \\
--jwt-secrets="/var/lib/nethermind/jwt-secret"
[Install]
WantedBy=multi-user.target
The beacon node needs to share something called a JWT secret with Nethermind, so let the secret be accessible to all users:
sudo chmod +r /var/lib/nethermind/jwt-secret
Reload and start the lighthouse node. The status should say active in green text if running correctly. If not, repeat the configuration steps and see if it resolves the problem.
sudo systemctl daemon-reload
sudo systemctl start lighthousebeacon.service
sudo systemctl status lighthousebeacon.service
Enable the Lighthouse beacon node service to automatically start on reboot.
sudo systemctl enable lighthousebeacon.service
You can watch the logs from your Lighthouse beacon node using this command. Lighthouse may show errors if Nethermind is not synced, so wait until Nethermind is synced to see if the errors persist.
sudo journalctl -f -u lighthousebeacon.service -o cat | ccze -A
Press Ctrl + C to stop showing those messages.
sudo useradd --no-create-home --shell /bin/false tekubeacon
sudo mkdir -p /var/lib/teku
sudo chown -R tekubeacon:tekubeacon /var/lib/teku
Add systemd file:
sudo nano /etc/systemd/system/tekubeacon.service
Paste the following in (make sure to replace the 0x0000000000000000000000000000000000000000 address with your own Ethereum address where you want to receive the proceeds from transaction fees (post merge)):
[Unit]
Description=Teku Ethereum Client Beacon Node
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=tekubeacon
Group=tekubeacon
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/teku-22.8.1 \
--network mainnet \
--data-path /var/lib/teku/datadir-teku \
--ee-endpoint http://localhost:8551 \
--ee-jwt-secret-file /var/lib/nethermind/jwt-secret \
--rest-api-enabled
--validators-proposer-default-fee-recipient=0x0000000000000000000000000000000000000000
[Install]
WantedBy=multi-user.target
The beacon node needs to share something called a JWT secret with Nethermind, so let the secret be accessible to all users:
sudo chmod +r /var/lib/nethermind/jwt-secret
Reload and start the lighthouse node. The status should say active in green text if running correctly. If not, repeat the configuration steps and see if it resolves the problem.
sudo systemctl daemon-reload
sudo systemctl start tekubeacon.service
sudo systemctl status tekubeacon.service
Enable the Teku beacon node service to automatically start on reboot.
sudo systemctl enable tekubeacon.service
You can watch the logs from your Teku beacon node using this command. Teku may show errors if Nethermind is not synced, so wait until Nethermind is synced to see if the errors persist.
sudo journalctl -f -u tekubeacon.service -o cat | ccze -A
Press Ctrl + C to stop showing those messages.

Syncing your node

The execution client still stores the blockchain state from the old proof of work chain, so it can take days to weeks to fully sync with the network, depending on your sync mode, hardware and network. The consensus client will also typically take a few days to fully sync on mainnet.
Please ensure both processes are synced before running your validator. Without the latest state your validator will not be able to vote and earn rewards on the proof of stake chain.
Nethermind
Lighthouse
Teku
A Nethermind node should be synced if the logs no longer say it is downloading blocks. Post merge, new payloads from the consensus client should display VALID instead of SYNCING in the logs.
Lighthouse logs should show something similar, saying that the node is synced.

Running a Validator

Generating Validator Keys

You will need to generate keys for your validator. These keys are the ONLY way to withdraw your funds after staking your ETH, so you have to ensure you have backed up your keys. There are two options:
  • staking-deposit-cli - recommended for those comfortable with the command line
  • Wagyu Key Gen - desktop app, choose the correct network (mainnet, kiln) to generate your validator keys

Staking deposit cli

Copy the following commands into your terminal to download the cli and generate your keys. Change num_validators and chain to the number of validators and / or testnet name you want to run.
wget <https://github.com/ethereum/staking-deposit-cli/releases/download/v2.3.0/staking_deposit-cli-76ed782-linux-amd64.tar.gz>
tar xvf staking_deposit-cli-9ab0b05-linux-amd64.tar.gz
cd staking_deposit-cli-9ab0b05-linux-amd64/
./deposit new-mnemonic --num_validators 1 --chain mainnet
Above should result with small structure created:
  1. 1.
    main directory (starts with "staking_")
    1. 1.
      keys directory
      1. 1.
        keystore json file
      2. 2.
        deposit_data json file
    2. 2.
      deposit file
A keystore file will be used later on to start Validator client on machine.
A deposit_data file will be used for launchpad to confirm Identity and send 32 ETH which will be used for Validator purpose.

Wagyu Key Gen

Download wagyu from their website and select the download compatible with your operating system.
Clicking on the top right corner you can select the network you want to generate your keys for. If not connecting to a testnet, let the network default to mainnet.
Click on ‘Create New Secret Recovery Phrase’ and you will be taken through the process of generating a 24 word secret to generate your validator keys. The number of keys you generate should match the number of validators you intend to run.
When finished you should end up with a deposit file (starts with deposit_data-and ends with .json) and a keystore file (starts with keystore-and ends with .json) per validator from both methods.

Depositing ETH

Next you will need to deposit ETH into the deposit contract. One validator requires 32 ETH to run. Go to the mainnet launchpad to use your wallet and your deposit file to perform the deposit. The launchpad will go through similar instructions as this guide to ensure you have performed them.

Depositing on Testnets

You will need testnet ETH in order to run a validator.
Kiln
Ropsten
Goerli
Go to the official Kiln website and click on the Add network to MetaMask button.
Get testnet ETH:
Go to the launchpad and follow the instructions:
Check the status of your validator on the beacon chain:
Get testnet ETH:
The ethstaker community discord can provide testnet ETH if you don’t have enough to deposit 32 ETH.
Go to the launchpad and follow the instructions:
Check the status of your validator on the beacon chain:
Get testnet ETH:
Go to the launchpad and follow the instructions:
Check the status of your validator on the beacon chain:

Configuring a Validator

DO NOT run two validators with the same keys. This can lead to your validator signing two different blocks and lead to slashing which will significantly reduce your staked ETH.
Like configuring your consensus and execution client, create a dedicated user for your validator:
Lighthouse
Teku
sudo useradd --no-create-home --shell /bin/false lighthousevalidator
sudo mkdir -p /var/lib/lighthouse/validators
sudo chown -R lighthousevalidator:lighthousevalidator /var/lib/lighthouse/validators
sudo chmod 700 /var/lib/lighthouse/validators
sudo useradd --no-create-home --shell /bin/false tekuvalidator
sudo mkdir -p /home/tekuvalidator
sudo chown -R tekuvalidator:tekuvalidator /home/tekuvalidator
Also ensure that new user has access to keystore files:
sudo chown -R tekuvalidator:tekuvalidator /path/to/keystores
Below there is a description on how to start Validator service for various CL on Your machine.
Lighthouse
Teku
The keystore file (generated previously and starts with keystore- ) needs to be imported for the Lighthouse validator client. Replace /path/to/keystores with the absolute path you saved your keystore file.
sudo /usr/local/bin/lighthouse account validator import \\
--directory /path/to/keystores \\
--datadir /var/lib/lighthouse \\
--network mainnet
sudo chown -R lighthousevalidator:lighthousevalidator /var/lib/lighthouse/validators
The command will prompt for your keystore password.
Create the systemd file:
sudo nano /etc/systemd/system/lighthousevalidator.service
Paste the following configuration into the file. Make sure to replace the 0x0000000000000000000000000000000000000000 address with your own Ethereum address where you want to receive the proceeds from transaction fees (post merge).
[Unit]
Description=Lighthouse Ethereum Client Validator Client
Wants=network-online.target
After=network-online.target
[Service]
User=lighthousevalidator
Group=lighthousevalidator
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/lighthouse vc \\
--network mainnet \\
--datadir /var/lib/lighthouse \\
--metrics \\
--suggested-fee-recipient 0x0000000000000000000000000000000000000000
[Install]
WantedBy=multi-user.target
Reload systemd to reflect the changes and start the service. Check the status to make sure it’s running correctly.
sudo systemctl daemon-reload
sudo systemctl start lighthousevalidator.service
sudo systemctl status lighthousevalidator.service
Enable the Lighthouse validator client service to automatically start on reboot.
sudo systemctl enable lighthousevalidator.service
You can watch the live messages from your Lighthouse validator client logs using this command.
sudo journalctl -f -u lighthousevalidator.service -o cat | ccze -A
Press Ctrl + C to stop showing those messages
In Teku at first we need to create a file with password used during creation of Validator Keys. In order to do that, navigate to the path, where keys created on Generating Validator Keys are stored.
Then on keys directory level create a separate directory called passwords. Result should be two directories keys and passwords on the same level under staking main directory.
In passwords directory we need to create txt file which will have exactly the same name as keystore json file. Result should be:
  1. 1.
    keys
    1. 1.
      keystore.json
  2. 2.
    passwords
    1. 1.
      keystore.txt
Now, in keystore.txt user needs to put password used for creation of Validator Keys and save this file.
Then You can proceed to creation of Validator service. In order to do that, create systemd file:
sudo nano /etc/systemd/system/tekuvalidator.service
Paste the following configuration into the file. Make sure to replace the 0x0000000000000000000000000000000000000000 address with your own Ethereum address where you want to receive the proceeds from transaction fees (post merge).
Also make sure that You replace /path/to/keystores to path, where Validator Keys are stored.
[Unit]
Description=TekuEthereum Client Validator Client
Wants=network-online.target
After=network-online.target
[Service]
User=tekuvalidator
Group=tekuvalidator
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/teku-22.8.1/bin/teku validator-client \
--beacon-node-api-endpoint=http://127.0.0.1:5051 \
--validator-keys=/path/to/keystores/staking/keys/keystore.json:/path/to/keystores/staking/passwords/keystore.txt \
--network mainnet\
--validators-proposer-default-fee-recipient=0x0000000000000000000000000000000000000000
[Install]
WantedBy=multi-user.target
Reload systemd to reflect the changes and start the service. Check the status to make sure it’s running correctly.
sudo systemctl daemon-reload
sudo systemctl start tekuvalidator.service
sudo systemctl status tekuvalidator.service
Enable the Teku validator client service to automatically start on reboot.
sudo systemctl enable tekuvalidator.service
You can watch the live messages from your Teku validator client logs using this command.
sudo journalctl -f -u tekuvalidator.service -o cat | ccze -A
Press Ctrl + C to stop showing those messages

Validator Tips and Tricks

Go through the checklist by the Ethereum foundation for some ways to improve security and optimise your validator rewards. For example:
  • Setting up a firewall and forward ports 30303 (Nethermind P2P) and 9000 (Lighthouse P2P) to prevent malicious external actors accessing your node
  • Ensure the time on your node is synced
  • Adding monitoring dashboards for Nethermind and Lighthouse to view real time metrics of your consensus and execution client
  • Using a VPN to protect the privacy of your validator
  • Add an optional --graffiti flag that adds a message to the blocks your validator proposes, publicly viewable on the beacon chain

Monitoring

To maximise your validator rewards, ensure that your node is always running and online. Downloading the Beacon Chain mobile app will allow you to monitor and set up alerts when your validator is offline or not earning rewards. You can also make an account on the Beacon Chain explorer and set up email alerts.
If you receive an alert check your machine is connected to the internet and restart your services:
sudo systemctl restart nethermind.service
sudo systemctl restart lighthousebeacon.service
sudo systemctl restart lighthousevalidator.service

Credits

Based on ethstaker’s guide to connecting to kiln testnet.
Copy link
On this page
Introduction
Using Testnets
Hardware and Network Requirements
Setup
Installing Prerequisites
Configuration
Syncing your node
Running a Validator
Generating Validator Keys
Depositing ETH
Configuring a Validator
Validator Tips and Tricks
Credits