Polkadot Validator Task Service
Overview
The Polkadot Validator task service provides a production-ready installation and configuration of a Polkadot validator node. Validators are critical infrastructure components that secure the Polkadot network by producing blocks, participating in consensus, and finalizing transactions. This service includes comprehensive security hardening, monitoring, and operational tools.
Features
Validator Core Functions
- Block Production - Aura-based block authoring and validation
- ELVES Consensus - Ethereum-Like Validation Execution System support
- Network Finality - GRANDPA finality gadget participation
- Hybrid Consensus - Support for multiple consensus mechanisms
- Consensus Participation - Active participation in network consensus
- Session Key Management - Automated key generation, rotation, and backup
- Slashing Protection - Built-in protections against slashing conditions
Security & Hardening
- System Hardening - Comprehensive systemd security configuration
- Firewall Integration - Automatic UFW/firewalld configuration
- Fail2ban Protection - Intrusion detection and prevention
- Key Security - Encrypted key backup with Age/SOPS support
- Access Control - SSH restrictions and user isolation
Monitoring & Alerting
- Health Monitoring - Comprehensive system and validator health checks
- Prometheus Integration - Native metrics export for monitoring
- Block Production Tracking - Monitor validator performance
- Network Connectivity - Peer and network status monitoring
- Alerting System - Syslog integration with custom alerts
Operational Features
- Automated Setup - Complete validator deployment and configuration
- Session Rotation - Automated session key rotation with safety checks
- Backup & Recovery - Secure key backup and restoration procedures
- Performance Optimization - Validator-optimized configuration settings
- Multi-Chain Support - Polkadot, Kusama, and Westend support
Configuration
Basic Validator Configuration
validator: PolkadotValidator = {
    name: "polkadot-validator"
    version: "1.5.0"
    run_user: {
        name: "polkadot"
        home: "/home/polkadot"
    }
    chain: "polkadot"
    base_path: "/var/lib/polkadot"
    ports: {
        p2p_port: 30333
        prometheus_port: 9615
    }
    validator_mode: true
    telemetry_enabled: false
}
Production Validator Configuration
validator: PolkadotValidator = {
    name: "polkadot-validator-prod"
    version: "1.5.0"
    run_user: {
        name: "polkadot"
        group: "polkadot"
        home: "/opt/polkadot"
    }
    chain: "polkadot"
    base_path: "/var/lib/polkadot"
    ports: {
        p2p_port: 30333
        prometheus_port: 9615
    }
    validator_mode: true
    consensus: {
        type: "aura"  # Options: "aura", "elves", "hybrid"
        elves_support: true
        hybrid_fallback: false
    }
    rpc: {
        enabled: false  # Disabled for validator security
    }
    security: {
        firewall_enabled: true
        fail2ban_enabled: true
        ssh_restrictions: true
        key_backup_enabled: true
        backup_encryption_key: "/etc/polkadot/backup.key"
    }
    monitoring: {
        enabled: true
        prometheus_external: false
        health_check_interval: 60
        alert_thresholds: {
            peer_count_min: 10
            block_production_delay_max: 30
            finalization_lag_max: 10
        }
    }
    performance: {
        database_cache: 2048
        state_cache_size: 2147483648
        max_peers: 50
        sync_mode: "warp"
        pruning: {
            mode: "state"
            blocks_to_keep: 256
        }
    }
    session_keys: {
        rotation_enabled: true
        rotation_interval: "7d"
        backup_enabled: true
    }
    reserved_nodes: [
        "/ip4/10.0.1.10/tcp/30333/p2p/12D3KooW...",
        "/ip4/10.0.1.11/tcp/30333/p2p/12D3KooW..."
    ]
    bootnodes: [
        "/dns/bootnode-0.polkadot.io/tcp/30333/p2p/12D3KooWEyoppNCUx8Yx66oV9fJnriXwCcXwDDUA2kj6vnc6iDEp"
    ]
    log_level: "info"
    telemetry_enabled: false  # Disabled for validator privacy
}
High-Availability Validator Setup
validator: PolkadotValidator = {
    name: "polkadot-validator-ha"
    # ... base configuration
    high_availability: {
        enabled: true
        backup_nodes: [
            "validator-backup-1.company.com",
            "validator-backup-2.company.com"
        ]
        failover_timeout: 300
        sync_check_interval: 30
    }
    monitoring: {
        enabled: true
        prometheus_external: true
        prometheus_port: 9615
        custom_metrics: true
        alertmanager_webhook: "https://alerts.company.com/webhook"
    }
    security: {
        firewall_enabled: true
        fail2ban_enabled: true
        ssh_restrictions: true
        allowed_ssh_users: ["admin", "operator"]
        key_backup_enabled: true
        backup_encryption_key: "/etc/polkadot/backup.key"
        auto_updates: true
    }
    network: {
        external_addresses: [
            "/ip4/203.0.113.1/tcp/30333"
        ]
        reserved_only: true
        reserved_nodes: [
            "/ip4/10.0.1.10/tcp/30333/p2p/12D3KooW...",
            "/ip4/10.0.1.11/tcp/30333/p2p/12D3KooW...",
            "/ip4/10.0.1.12/tcp/30333/p2p/12D3KooW..."
        ]
        max_peers: 25
    }
}
ELVES Consensus Validator Configuration
validator: PolkadotValidator = {
    name: "polkadot-elves-validator"
    version: "1.5.0"
    run_user: {
        name: "polkadot"
        group: "polkadot"
        home: "/opt/polkadot"
    }
    chain: "polkadot"
    base_path: "/var/lib/polkadot"
    ports: {
        p2p_port: 30333
        prometheus_port: 9615
    }
    validator_mode: true
    consensus: {
        type: "elves"
        elves_config: {
            epoch_duration: 2400  # blocks per epoch
            validators_per_epoch: 21
            proposal_timeout: 3000
            prevote_timeout: 3000
            precommit_timeout: 3000
            commit_timeout: 1000
            ethereum_compatibility: true
        }
        finality: {
            type: "grandpa"
            grandpa_interval: 8
        }
    }
    ethereum_compatibility: {
        enabled: true
        chain_id: 1
        evm_runtime: true
    }
    session_keys: {
        aura_key: "auto-generate"
        grandpa_key: "auto-generate"
        elves_key: "auto-generate"
        rotation_enabled: true
        rotation_interval: "7d"
    }
    monitoring: {
        enabled: true
        elves_metrics: true
        ethereum_metrics: true
        consensus_transition_alerts: true
    }
    performance: {
        database_cache: 4096
        state_cache_size: 4294967296
        evm_cache_size: 1073741824
        max_peers: 50
    }
}
Usage
Deploy Validator
./core/nulib/provisioning taskserv create polkadot-validator --infra <infrastructure-name>
List Available Task Services
./core/nulib/provisioning taskserv list
SSH to Validator Server
./core/nulib/provisioning server ssh <validator-server>
Service Management
# Check validator status
systemctl status polkadot-validator
# Start/stop validator
systemctl start polkadot-validator
systemctl stop polkadot-validator
systemctl restart polkadot-validator
# View validator logs
journalctl -u polkadot-validator -f
# Check validator health
sudo -u polkadot /opt/polkadot/scripts/validator-monitor.sh
Session Key Management
# Generate new session keys
sudo -u polkadot /opt/polkadot/scripts/validator-keys.sh generate
# Backup session keys
sudo -u polkadot /opt/polkadot/scripts/validator-keys.sh backup
# Rotate session keys (with safety checks)
sudo -u polkadot /opt/polkadot/scripts/session-rotation.sh
# Verify keys on-chain
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "author_hasKey", "params":["aura", "0x..."]}' \
http://localhost:9933/
Validator Operations
# Check if validator is active
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "author_hasSessionKeys", "params":["0x..."]}' \
http://localhost:9933/
# Monitor block production
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "chain_getHeader", "params":[]}' \
http://localhost:9933/
# Check validator metrics
curl http://localhost:9615/metrics | grep polkadot_
# ELVES Consensus Operations
# Check ELVES consensus state
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "elves_getConsensusState", "params":[]}' \
http://localhost:9933/
# Monitor ELVES epoch information
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "elves_getCurrentEpoch", "params":[]}' \
http://localhost:9933/
# Check ELVES validator participation
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "elves_getValidatorParticipation", "params":[]}' \
http://localhost:9933/
# Monitor consensus transitions (hybrid mode)
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "elves_getConsensusTransitions", "params":[]}' \
http://localhost:9933/
Security Operations
# Check firewall status
sudo ufw status verbose
# or for RHEL/CentOS
sudo firewall-cmd --list-all
# Monitor fail2ban
sudo fail2ban-client status polkadot-validator
# Check SSH access logs
sudo journalctl -u ssh | grep polkadot
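# Verify key backup integrity (plaintext goes to /dev/null so key material never reaches the terminal)
sudo -u polkadot age -d -i /etc/polkadot/backup.key \
    /var/backups/polkadot/keys-latest.age > /dev/null && echo "backup decrypts cleanly"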
Architecture
Validator Architecture
┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐
│ Network │────│ Validator Node │────│ Monitoring │
│ Peers │ │ │ │ & Alerts │
│ │ │ • Block Author │ │ │
│ • Other Vals │────│ • Consensus │────│ • Prometheus │
│ • Full Nodes │ │ • Finality │ │ • Health Checks │
│ • Bootnodes │ │ • Key Mgmt │ │ • Alerting │
└─────────────────┘ └──────────────────┘ └─────────────────┘
Security Layers
┌─────────────────────────────────────────────────────────────┐
│ Security Hardening │
├─────────────────────────────────────────────────────────────┤
│ Network Security │ System Security │ Key Security │
│ │ │ │
│ • Firewall (UFW) │ • Systemd Hardening│ • Encrypted Keys │
│ • Fail2ban │ • User Isolation │ • Secure Backup │
│ • SSH Restrictions │ • Auto Updates │ • Key Rotation │
│ • Reserved Nodes │ • File Permissions │ • Age Encryption │
├─────────────────────────────────────────────────────────────┤
│ Monitoring & Alerting │
├─────────────────────────────────────────────────────────────┤
│ Polkadot Validator Process │
└─────────────────────────────────────────────────────────────┘
Network Ports
- P2P Port (30333) - Peer-to-peer validator network
- Prometheus Port (9615) - Metrics (internal access only)
- SSH Port (22) - Restricted administrative access
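A quick way to confirm the port policy above on a running host, as an added example that is not one of the service's own scripts: it parses `ss -Htln` output and flags the Prometheus port, or the RPC port used by the curl commands on this page (9933), when either listens beyond loopback. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not one of the service's scripts). Reads `ss -Htln` lines on
# stdin and flags validator ports that listen beyond loopback.
INTERNAL_PORTS="9615 9933"  # Prometheus, and the RPC port the curl commands use
P2P_PORT=30333              # the only validator port meant to face the network

audit_listeners() {
  awk -v internal="$INTERNAL_PORTS" -v p2p="$P2P_PORT" '
    BEGIN { n = split(internal, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      if (port == p2p) seen_p2p = 1
      if ((port in want) && addr !~ /^127\./ && addr != "[::1]")
        printf "EXPOSED %s on %s\n", port, addr
    }
    END { if (!seen_p2p) printf "MISSING p2p listener on port %s\n", p2p }
  '
}

# Constructed sample of `ss -Htln` output: RPC is bound to every interface.
SAMPLE_SS='LISTEN 0 4096   0.0.0.0:30333 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9615  0.0.0.0:*
LISTEN 0 4096   0.0.0.0:9933  0.0.0.0:*
LISTEN 0 128       [::]:22       [::]:*'

printf '%s\n' "$SAMPLE_SS" | audit_listeners   # live: ss -Htln | audit_listeners
```

Empty output means every internal port is loopback-only and the P2P listener is present.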
File Structure
/var/lib/polkadot/ # Main data directory
├── chains/ # Chain-specific data
├── keystore/ # Session keys (encrypted)
├── node.key # Node identity key
└── validator-state/ # Validator state data
/opt/polkadot/ # Validator tools
├── scripts/ # Management scripts
│ ├── validator-keys.sh # Key management
│ ├── session-rotation.sh# Key rotation
│ └── validator-monitor.sh# Health monitoring
└── backups/ # Key backups (encrypted)
/etc/polkadot/ # Configuration
├── validator.conf # Main configuration
├── backup.key # Backup encryption key
└── monitoring.conf # Monitoring configuration
/var/log/polkadot/ # Logs
├── validator.log # Validator logs
├── monitoring.log # Monitoring logs
└── security.log # Security events
Supported Operating Systems
- Ubuntu 20.04+ / Debian 11+
- CentOS 8+ / RHEL 8+ / Fedora 35+
System Requirements
Minimum Validator Requirements
- RAM: 16GB (32GB recommended)
- Storage: 200GB NVMe SSD (500GB+ recommended)
- CPU: 4 cores (8 cores recommended, high clock speed)
- Network: Dedicated server with excellent connectivity
- Uptime: 99.9%+ uptime requirement
Production Validator Requirements
- RAM: 32GB+ (64GB for optimal performance)
- Storage: 1TB+ NVMe SSD with high IOPS
- CPU: 8+ cores, 3.0GHz+ base clock
- Network: Dedicated bare metal server, multiple network paths
- Backup: Secondary server for failover
- Monitoring: 24/7 monitoring and alerting
Network Requirements
- Latency - Low latency to other validators (< 100ms)
- Bandwidth - High bandwidth with unlimited data
- Redundancy - Multiple network paths for reliability
- IP Address - Static public IP address
- DDoS Protection - DDoS mitigation service recommended
Troubleshooting
Validator Performance Issues
# Check validator health
sudo -u polkadot /opt/polkadot/scripts/validator-monitor.sh
# Monitor block production
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "author_hasSessionKeys", "params":["0x..."]}' \
http://localhost:9933/
# Check system resources
htop
iostat -x 1
df -h /var/lib/polkadot
# Analyze validator metrics
curl -s http://localhost:9615/metrics | grep -E "(block_height|finality|peers)"
Session Key Issues
# Check session keys status
sudo -u polkadot /opt/polkadot/scripts/validator-keys.sh status
# Verify keys in keystore
ls -la /var/lib/polkadot/keystore/
# Test key accessibility
sudo -u polkadot polkadot key inspect \
--keystore-path /var/lib/polkadot/keystore \
--keystore-uri file:///var/lib/polkadot/keystore
# Check if keys are set on-chain
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "session_nextKeys", "params":["0x..."]}' \
http://localhost:9933/
Network Connectivity Issues
# Check connected peers
curl -H "Content-Type: application/json" \
-d '{"id":1, "jsonrpc":"2.0", "method": "system_peers", "params":[]}' \
http://localhost:9933/
# Test P2P connectivity
telnet other-validator-ip 30333
# Check network configuration
ip route get 8.8.8.8
netstat -tlnp | grep :30333
# Monitor network traffic
sudo netstat -i
sudo iftop -i eth0
Security Issues
# Check firewall status
sudo ufw status numbered
sudo fail2ban-client status
# Review security logs
sudo journalctl -u polkadot-validator | grep -i security
sudo tail -f /var/log/auth.log
# Check for intrusion attempts
sudo fail2ban-client status ssh
sudo grep "Failed password" /var/log/auth.log
# Verify file permissions
ls -la /var/lib/polkadot/keystore/
sudo find /var/lib/polkadot -type f -perm /o+r
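The `find` check above only catches world-readable files. The added example below (not one of the service's scripts; the function name is hypothetical) also reports group access, directories, and entries owned by someone other than the service account, and can be pointed at both the keystore and `/etc/polkadot/backup.key`.

```shell
#!/bin/sh
# Added example (not one of the service's scripts): report entries under a
# secrets path that group or other can access, or that the wrong user owns.
# Usage: sudo sh audit-perms.sh polkadot /var/lib/polkadot/keystore /etc/polkadot/backup.key

audit_secret_perms() {
  owner=$1; shift
  for path in "$@"; do
    if [ ! -e "$path" ]; then
      echo "MISSING $path"
      continue
    fi
    # Any group/other permission bit set (portable form of GNU `-perm /077`).
    find "$path" \( -perm -040 -o -perm -020 -o -perm -010 \
                  -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
      sed 's/^/LOOSE /'
    # Entries not owned by the validator's service account.
    find "$path" ! -user "$owner" -print | sed 's/^/OWNER /'
  done
}

# Run only when called with an owner and at least one path.
if [ "$#" -ge 2 ]; then
  audit_secret_perms "$@"
fi
```

No output means every listed path exists, is owned by the given account, and grants nothing to group or other.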
Backup and Recovery Issues
# Test backup integrity
sudo -u polkadot /opt/polkadot/scripts/validator-keys.sh verify-backup
# Restore from backup
sudo -u polkadot /opt/polkadot/scripts/validator-keys.sh restore /path/to/backup
# Check backup encryption (plaintext is discarded; only the result is reported)
sudo -u polkadot age -d -i /etc/polkadot/backup.key \
    /var/backups/polkadot/keys-latest.age > /dev/null && echo "backup decrypts with backup.key"
# Verify session key recovery
sudo systemctl stop polkadot-validator
# Restore keys
sudo systemctl start polkadot-validator
Security Best Practices
Validator Security
- Key Management - Never expose session keys, use secure backup
- Network Isolation - Use reserved nodes and firewall restrictions
- Regular Updates - Keep validator software and OS updated
- Monitoring - Implement comprehensive monitoring and alerting
- Physical Security - Secure physical access to validator hardware
Operational Security
- Access Control - Limit administrative access to essential personnel
- Change Management - Document and review all configuration changes
- Incident Response - Have clear incident response procedures
- Regular Audits - Perform regular security audits and reviews
- Backup Testing - Regularly test backup and recovery procedures
Network Security
- DDoS Protection - Use DDoS mitigation services
- VPN Access - Use VPN for administrative access
- Network Monitoring - Monitor for unusual network activity
- Peer Filtering - Use reserved nodes to control peer connections
- Traffic Analysis - Regular analysis of network traffic patterns
Performance Optimization
Hardware Optimization
- NVMe Storage - Use high-performance NVMe SSDs
- Memory - Sufficient RAM for database caching
- CPU - High clock speed processors for single-threaded performance
- Network - Low-latency network connections
Configuration Optimization
- Database Cache - Optimize database cache size
- State Cache - Configure appropriate state cache
- Peer Limits - Limit peers to reduce network overhead
- Pruning - Use state pruning to manage disk usage
System Optimization
- CPU Affinity - Pin validator process to specific cores
- I/O Scheduler - Use appropriate I/O scheduler for SSDs
- Network Tuning - Optimize TCP settings for low latency
- Memory Management - Configure memory management for validator workload
Monitoring and Alerting
Key Metrics to Monitor
# Block production rate
curl -s http://localhost:9615/metrics | grep polkadot_block_height
# Finalization lag
curl -s http://localhost:9615/metrics | grep polkadot_finality_
# Peer connections
curl -s http://localhost:9615/metrics | grep polkadot_peers
# System resources
curl -s http://localhost:9615/metrics | grep -E "(cpu|memory|disk)"
Prometheus Configuration
# prometheus.yml
global:
  scrape_interval: 15s
scrape_configs:
  - job_name: 'polkadot-validator'
    static_configs:
      - targets: ['localhost:9615']
    scrape_interval: 30s
    metrics_path: '/metrics'
Alerting Rules
# validator-alerts.yml
groups:
  - name: polkadot-validator
    rules:
      - alert: ValidatorDown
        expr: up{job="polkadot-validator"} == 0
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "Polkadot validator is down"
      - alert: LowPeerCount
        expr: polkadot_peers < 10
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Low peer count: {{ $value }}"
      - alert: HighFinalizationLag
        expr: polkadot_finality_lag > 10
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: "High finalization lag: {{ $value }}"
Resources
- Official Documentation: wiki.polkadot.network/docs/maintain-validator
- Validator Guide: guide.kusama.network/docs/mirror-maintain-guides-how-to-validate-kusama
- GitHub Repository: paritytech/polkadot
- Validator Community: matrix.to/#/#polkadot-validator-lounge:web3.foundation
- Telemetry (for testnets): telemetry.polkadot.io