I have been working on setting up a private IPFS cluster for our WeUseRTM Platform and figured I should document it since IPFS is such an integral part of not only the WeUseRTM platform but Raptoreum as well. IPFS is a peer-to-peer distributed file system and setting it up the way I will in this guide gives replication, and high availability of files added to assets on the WeUseRTM platform on a private network.

Here I will be setting up a three server IPFS cluster and using “raft” for consensus, with raft 50% of the cluster must be available at all times for it to continue functioning, so keep that in mind.

Installing IPFS Cluster

Pretty simple and straight forward, each server needs three components of IPFS:

1.) Main implementation of IPFS which is go-ipfs

2.) ipfs-cluster-service, this is the IPFS cluster peer

3.) ipfs-cluster-ctl needed for interaction with the cluster and cluster peer

These are are all their own system services and daemons. I recommend you don’t run as root, create a sudo user instead:

adduser username (follow the steps)
usermod -aG sudo

Change to user:

su - username

 

Grab IPFS, cluster-service, cluster-ctl Files And Wiggle Your Fingers

wget https://dist.ipfs.io/ipfs-cluster-service/v0.11.0/ipfs-cluster-service_v0.11.0_linux-amd64.tar.gz && tar -xzf ipfs-cluster-service_v0.11.0_linux-amd64.tar.gz
wget https://dist.ipfs.io/ipfs-cluster-ctl/v0.11.0/ipfs-cluster-ctl_v0.11.0_linux-amd64.tar.gz && tar -xzf ipfs-cluster-ctl_v0.11.0_linux-amd64.tar.gz
wget https://dist.ipfs.io/go-ipfs/v0.4.22/go-ipfs_v0.4.22_linux-amd64.tar.gz && tar -xzf go-ipfs_v0.4.22_linux-amd64.tar.gz
sudo cp ipfs-cluster-service/ipfs-cluster-service /usr/local/bin
sudo cp ipfs-cluster-ctl/ipfs-cluster-ctl /usr/local/bin
cd ~/go-ipfs
sudo ./install.sh

Confirm things are installed correctly:

ipfs-cluster-service help
ipfs-cluster-ctl help
ipfs help

 

Secret Key Setup

This is a private key and the secret key which is 32-bit hex encoded random string is what keeps it private. Only peers that have this key can communicate with the cluster. Generate it and display:

export CLUSTER_SECRET=$(od -vN 32 -An -tx1 /dev/urandom | tr -d ' \n')
echo $CLUSTER_SECRET

 

You will need this secret key for the other two peers so record it for now, we will use it in a bit. Now we need to initiate the ~/.ipfs-cluster folder:

ipfs-cluster-service init --consensus raft

Take note of the peer identity when running above command, you will need it when bootstrapping other peers.

Do the same for ipfs:

ipfs init

That will have created the needed folder and config file, we will come back to this. Let’s setup our firewall as well as Supervisor to monitor and restart the ipfs daemons if needed, such as after a reboot.

Install CSF (Config Server Firewall)

This is probably a little overkill but I prefer overkill rather than underkill with firewalls.

Few things required for CSF to be fully functional, on Ubuntu 18.04 fresh install this usually covers it:

apt install sendmail unzip dnsutils libwww-perl -y

CSF must be run with root so login as root or as sudo user do:

sudo su
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Test it with:

csf -r

It should restart without any errors or complaints, now we have some config to do to make sure the cluster works smoothly.

nano /etc/csf/csf.conf

– Change TESTING value from 0 to 1
– Scroll down to the ports section and remove all ports from TCP and UDP for both IPv6 and IPv4 except the following TCP ports 22, 80, 443 (inbound and outbound). 22 for ssh and 443 for grabbing updates.
– Search (cntrl-w) for “IGNORE_ALLOW” and change its value from 0 to 1

Now restart csf for effect:

csf -r

Instead of leaving open ports that is needed by the cluster we close everything except the absolute essential and each server we whitelist the other server IPs which allows them through the firewall. Whitelist the other two server IPs like:

csf -a IPhere

One more step is to tell CSF never to ban the other servers IPs so we add the IPs to csf.ignore:

nano /etc/csf/csf.ignore

Install Supervisor And Setup Daemon Monitoring

sudo apt install supervisor -y

Add some configs for ipfs-cluster-service and ipfs:

sudo nano /etc/supervisor/supervisord.conf

Add these two parts:

[program:ipfs-cluster-service]
environment=IPFS_CLUSTER_PATH=/home/youruser/.ipfs-cluster
command=/usr/local/bin/ipfs-cluster-service daemon

[program:ipfs]
environment=IPFS_PATH=/home/youruser/.ipfs
command=ipfs daemon

Now lets let Supervisor know what’s up, this will start the service daemon but we need it stopped which the last command does. Reason is we want to see what it is doing and if it is starting like it should.

sudo supervisorctl reread
sudo supervisorctl update
sudo supervisorctl stop ipfs-cluster-service

Let’s start in direct in our session and make sure it is starting properly:

ipfs-cluster-daemon

After a minute you should see output stop with * CLUSTER READY *. Everything is good if you see that and you can start the service again:

sudo supervisorctl start ipfs-cluster-service

We are ready to move on to bootstrapping another peer and adding to the cluster, but if your like me and you lost track of the secret key you can grab it again like this:

cat .ipfs-cluster/service.json | grep secret

Bootstrapping Additional Peers (adding them to cluster)

Install and verify install exactly the same as we did the first time, but when you get to the secret key part you do:

export CLUSTER_SECRET=your_secret_key_from_first_peer
ipfs-cluster-service init --consensus raft

Now we run the daemon in current session with –bootstrap:
ipfs-cluster-service daemon –bootstrap /ip4/first_node_IP/tcp/9096/ipfs/peer_id

The peer identity is shown when you first run ipfs-cluster-service, if you are not sure what it is do:

sudo supervisorctl stop ipfs-cluster-service
ipfs-cluster-service

If everything is good you will see ** IPFS Cluster is READY ** followed by “Current Raft Leader”, then joined cluster. Kill it with cntrl-c add it to your Supervisor along with ipfs same as first node. You do not need to include –bootstrap flag unless the peer has been removed from cluster and is being re-added. Fire it up as normal:

sudo supervisorctl start ipfs-cluster-service

 

Time To Take It For A Test Drive!

 

Create a testfile:

mkdir test_file
echo WeUseRTM is going to roxxor soxxors! > smelly_soxx.txt
ipfs add smelly_soxx.txt

Check to see if it is on the other peers:

ipfs cat files_hash

If it is there it will return the contents of the file, in this case that is “WeUseRTM is going to roxxor soxxors!”. Also in the screen you see that I ran a search for the file hash just as a check to make sure the cluster was indeed private.

raptoreum verify private ipfs cluster

Accessing IPFS Private Cluster API From External App

WeUseRTM runs outside of the IPFS cluster and the Cluster by default makes the needed API accessible only on 127.0.0.1. It took us a few tries to figure out just which API we wanted but we found that this was the one: (.ipfs-cluster/service.json)

"api": {
"ipfsproxy": {
"listen_multiaddress": "/ip4/127.0.0.1/tcp/9095",

Change 127.0.0.1 to your public IPv4 or to 0.0.0.0 to make it bind to all available IP, then restart the ipfs-ctl service. This SHOULD NOT be open to public make sure you whitelist only the needed IP for access to that port.

One Comment

Leave a Reply

Tweet
Share
Email