Besu

Last updated 7 months ago

Besu

Generate the JWT file

We first need to create a JSON Web Token (JWT) that will allow the execution layer software (Besu) and the consensus layer software to talk to each other.

Run the following commands one line at a time to create a folder on the server to store the JWT file and generate the JWT file:

sudo mkdir -p /var/lib/jwtsecret
openssl rand -hex 32 | sudo tee /var/lib/jwtsecret/jwt.hex > /dev/null

We will be pointing the configuration files of the execution and consensus clients to this JWT file later.

Install dependencies - JRE & Jemalloc

sudo apt-get update
sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt-get -y install openjdk-21-jre libjemalloc-dev

Download Besu and configure the service

the latest version of Besu and run the checksum verification process to ensure that the downloaded file has not been tampered with.

cd
curl -LO https://github.com/hyperledger/besu/releases/download/24.10.0/besu-24.10.0.tar.gz
echo "0648e108614861b04537a4017d63bddf5bae88c738bccd5942f76c6d544dcac2 besu-24.10.0.tar.gz" | sha256sum --check

Each downloadable file comes with it's own checksum (see below). Replace the actual checksum and URL of the download link in the code block above.

Make sure to verify the correct checksum according to the downloaded version. Right click on the linked text and select "copy link address" to get the URL of the download link to curl.

Expected output: Verify output of the checksum verification

besu-24.10.0.tar.gz: OK

If checksum is verified, extract the files and move them into the (/usr/local/bin) directory for neatness and best practice. Then, clean up the duplicated copies.

tar xvf besu-24.10.0.tar.gz
sudo cp -a besu-24.10.0 /usr/local/bin/besu
sudo rm -r besu*EL

Create an account (besu) without server access for Besu to run as a background service. This type of user account will not have root access so it restricts potential attackers to only the Besu service in the unlikely event that they manage to infiltrate via a compromised client update.

sudo useradd --no-create-home --shell /bin/false besu

Create a directory for Besu to store the blockchain data of the execution layer. Then set the owner of this directory to Besu so that this user can read and write to the directory.

sudo mkdir -p /var/lib/besu
sudo chown -R besu:besu /var/lib/besu

Create a systemd configuration file for the Besu service to run in the background.

sudo nano /etc/systemd/system/besu.service

Paste the configuration parameters below into the file:

[Unit]
Description=Besu Execution Client (Holesky)
Wants=network-online.target
After=network-online.target

[Service]
User=besu
Group=besu
Type=simple
Restart=always
RestartSec=5
Environment="JAVA_OPTS=-Xmx6g"
ExecStart=/usr/local/bin/besu/bin/besu \
  --network=holesky \
  --sync-mode=X_SNAP \
  --data-path=/var/lib/besu \
  --data-storage-format=BONSAI \
  --engine-jwt-secret=/var/lib/jwtsecret/jwt.hex \
  --Xplugin-rocksdb-high-spec-enabled \
  --p2p-port=30303 \
  --rpc-ws-enabled \
  --rpc-ws-host=<internal_IP_address> \
  --rpc-ws-port=8547 \
  --rpc-http-enabled=true \
  --metrics-enabled=true
  
[Install]
WantedBy=multi-user.target

Once you're done, save with Ctrl+O and Enter, then exit with Ctrl+X. Understand and review your configuration summary below, and amend if needed.

Besu configuration summary:

--network: Run the on the Holesky testnet
--sync-mode: Uses the recommended Snap Sync mode to speed up syncing time. Checkpoint Sync is still an early access feature.
--data-path: The directory for Besu to store the blockchain data of the execution layer.
--data-storage-format: Bonsai Tries is a data storage layout policy designed to reduce storage requirements and increase read performance.
--engine-jwt-secret: The directory pointing to the JWT secret we generated earlier.
--Xplugin-rocksdb-high-spec-enabled: Speeds up sync time and performance. Use only if you have 32GB of RAM or more.
--p2p-port: Sets the port used for peer-to-peer communication. Defaults to 30303.
--rpc-ws-enabled: Enables the JSON-RPC service on websocket. This is so that DVT clients can connect to your execution client
--rpc-ws-host: Sets the IP address to connect to the JSON-RPC service that will be used by the DVT client. Use the internal IP address of your device here (check by running ip a) - e.g. 192.168.x.x. Defaults to 127.0.0.1 otherwise
--rpc-ws-port: Sets the port to connect to the JSON-RPC service. You may choose any unused port number but remember to allow incoming connections into your chosen port in your firewall (ufw) rules. Defaults to 8546
--rpc-http-enabled: Enables the JSON-RPC service over http. This allows you to query the execution client endpoint directly to test for sync status and overall health. Default IP address (host) = 127.0.0.1; Default port = 8545
--metrics-enabled: Enable monitoring metrics on the besu service

Start Besu

Reload the systemd daemon to register the changes made, start Besu, and check its status to make sure its running.

sudo systemctl daemon-reload
sudo systemctl start besu.service
sudo systemctl status besu.service

Expected output: The output should say Besu is “active (running)”. Press CTRL-C to exit and Besu will continue to run. It should take just a few minutes for Besu to sync on Holesky.

Use the following command to check the logs of Besu’s syncing process. Watch out for any warnings or errors.

sudo apt install ccze -y
sudo journalctl -fu besu -o cat | ccze -A

Expected output:

Press CTRL-C to exit.

If the Besu service is running smoothly, we can now enable it to fire up automatically when rebooting the system.

sudo systemctl enable besu.service

Expected output:

Created symlink /etc/systemd/system/default.target.wants/besu.service → /etc/systemd/system/besu.service.

Resources:

PreviousNethermind NextGeth

Last updated 7 months ago

Generate the JWT file

We first need to create a JSON Web Token (JWT) that will allow the execution layer software (Besu) and the consensus layer software to talk to each other.

Run the following commands one line at a time to create a folder on the server to store the JWT file and generate the JWT file:

sudo mkdir -p /var/lib/jwtsecret
openssl rand -hex 32 | sudo tee /var/lib/jwtsecret/jwt.hex > /dev/null

We will be pointing the configuration files of the execution and consensus clients to this JWT file later.

Install dependencies - JRE & Jemalloc

sudo apt-get update
sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt-get -y install openjdk-21-jre libjemalloc-dev

Download Besu and configure the service

the latest version of Besu and run the checksum verification process to ensure that the downloaded file has not been tampered with.

cd
curl -LO https://github.com/hyperledger/besu/releases/download/24.10.0/besu-24.10.0.tar.gz
echo "0648e108614861b04537a4017d63bddf5bae88c738bccd5942f76c6d544dcac2 besu-24.10.0.tar.gz" | sha256sum --check

Each downloadable file comes with it's own checksum (see below). Replace the actual checksum and URL of the download link in the code block above.

Make sure to verify the correct checksum according to the downloaded version. Right click on the linked text and select "copy link address" to get the URL of the download link to curl.

Expected output: Verify output of the checksum verification

besu-24.10.0.tar.gz: OK

If checksum is verified, extract the files and move them into the (/usr/local/bin) directory for neatness and best practice. Then, clean up the duplicated copies.

tar xvf besu-24.10.0.tar.gz
sudo cp -a besu-24.10.0 /usr/local/bin/besu
sudo rm -r besu*EL

sudo useradd --no-create-home --shell /bin/false besu

Create a directory for Besu to store the blockchain data of the execution layer. Then set the owner of this directory to Besu so that this user can read and write to the directory.

sudo mkdir -p /var/lib/besu
sudo chown -R besu:besu /var/lib/besu

Create a systemd configuration file for the Besu service to run in the background.

sudo nano /etc/systemd/system/besu.service

Paste the configuration parameters below into the file:

[Unit]
Description=Besu Execution Client (Holesky)
Wants=network-online.target
After=network-online.target

[Service]
User=besu
Group=besu
Type=simple
Restart=always
RestartSec=5
Environment="JAVA_OPTS=-Xmx6g"
ExecStart=/usr/local/bin/besu/bin/besu \
  --network=holesky \
  --sync-mode=X_SNAP \
  --data-path=/var/lib/besu \
  --data-storage-format=BONSAI \
  --engine-jwt-secret=/var/lib/jwtsecret/jwt.hex \
  --Xplugin-rocksdb-high-spec-enabled \
  --p2p-port=30303 \
  --rpc-ws-enabled \
  --rpc-ws-host=<internal_IP_address> \
  --rpc-ws-port=8547 \
  --rpc-http-enabled=true \
  --metrics-enabled=true
  
[Install]
WantedBy=multi-user.target

Once you're done, save with Ctrl+O and Enter, then exit with Ctrl+X. Understand and review your configuration summary below, and amend if needed.

Besu configuration summary:

--network: Run the on the Holesky testnet
--sync-mode: Uses the recommended Snap Sync mode to speed up syncing time. Checkpoint Sync is still an early access feature.
--data-path: The directory for Besu to store the blockchain data of the execution layer.
--data-storage-format: Bonsai Tries is a data storage layout policy designed to reduce storage requirements and increase read performance.
--engine-jwt-secret: The directory pointing to the JWT secret we generated earlier.
--Xplugin-rocksdb-high-spec-enabled: Speeds up sync time and performance. Use only if you have 32GB of RAM or more.
--p2p-port: Sets the port used for peer-to-peer communication. Defaults to 30303.
--rpc-ws-enabled: Enables the JSON-RPC service on websocket. This is so that DVT clients can connect to your execution client
--rpc-ws-host: Sets the IP address to connect to the JSON-RPC service that will be used by the DVT client. Use the internal IP address of your device here (check by running ip a) - e.g. 192.168.x.x. Defaults to 127.0.0.1 otherwise
--rpc-ws-port: Sets the port to connect to the JSON-RPC service. You may choose any unused port number but remember to allow incoming connections into your chosen port in your firewall (ufw) rules. Defaults to 8546
--rpc-http-enabled: Enables the JSON-RPC service over http. This allows you to query the execution client endpoint directly to test for sync status and overall health. Default IP address (host) = 127.0.0.1; Default port = 8545
--metrics-enabled: Enable monitoring metrics on the besu service

Start Besu

Reload the systemd daemon to register the changes made, start Besu, and check its status to make sure its running.

sudo systemctl daemon-reload
sudo systemctl start besu.service
sudo systemctl status besu.service

Expected output: The output should say Besu is “active (running)”. Press CTRL-C to exit and Besu will continue to run. It should take just a few minutes for Besu to sync on Holesky.

Use the following command to check the logs of Besu’s syncing process. Watch out for any warnings or errors.

sudo apt install ccze -y
sudo journalctl -fu besu -o cat | ccze -A

Expected output:

Press CTRL-C to exit.

For more details on interpreting the Besu journalctl logs, head .

If the Besu service is running smoothly, we can now enable it to fire up automatically when rebooting the system.

sudo systemctl enable besu.service

Expected output:

Created symlink /etc/systemd/system/default.target.wants/besu.service → /etc/systemd/system/besu.service.

Resources:

Releases:
Documentation:
Discord: (Select the Besu channel)