Delegated staking on Constellation Network allows any $DAG holder to participate in network security and validation by staking their tokens with validators without needing to run a node. This enables more users to contribute to decentralization and governance while earning staking incentives. By choosing a validator, you help secure the network, support metagraph projects, and receive $DAG incentives for your participation. Some metagraph validators even offer additional L0 token rewards, increasing your potential incentives.
$DAG holders who participate in delegated staking may choose your node based on the commission percentage you set. This allows you, as a Node Operator, to generate additional rewards revenue from delegations.
This section explains how to use the Constellation Network Command Line Interface (CLI) utility, which provides a simplified way to run a node without requiring technical expertise or in-depth knowledge of the Tessellation Protocol’s architecture and operation.
Pronounced node control, node-c-t-l, or node-cuttle.
nodectl is a command-line utility designed to simplify the deployment and management of Constellation Network Validator nodes.
It eliminates the need for deep technical knowledge of the Tessellation Protocol, allowing both technical and non-technical users to run and maintain a Validator node on the Hypergraph and/or metagraph networks.
The utility is packed with powerful features that abstract away the complexities of node management.
These documents are specifically tailored for deploying Constellation Network nodes according to the configuration and integration requirements of each provider’s dashboard setup.
🚧 Build AWS EC2 Instance
🚧 Build DigitalOcean Droplet
🚧 Build Hetzner Server
Node Operator's guide to enable delegated staking on your node.
To offer your node for delegation on the Constellation Network, you must complete the delegated staking configuration.
This process allows Node Operators to make their nodes available for delegation.
Follow the steps in this guide to properly set up and enable delegation.
Delegated Staking Requirements
Delegated staking is supported by nodectl starting with version v2.17.0.
Issue the version command to output the current version of nodectl.
Please follow the correct upgrade path to ensure your node remains manageable by nodectl and does not encounter compatibility issues.
If there are multiple versions between your current version and v2.17.0, you must follow the correct upgrade path.
Take note of each intermediate version and run the upgrade_nodectl command sequentially for each version step using the -v <version> option.
Upgrade one version at a time. Do not skip versions until you reach v2.17.0.
This ensures compatibility and prevents potential issues with configuration or functionality.
Example: sudo nodectl upgrade_nodectl -v v2.13.0
When you reach a version that can be directly upgraded to the latest v2.17.0 you may exclude the -v option.
If you are requested to upgrade the node, issue a Y and allow nodectl to upgrade the node so that all the features, changes, and updates can be properly applied.
This is important to ensure that all features of nodectl are enabled.
As a Node Operator, you can offer your node for delegation by following these steps:
The nodectl utility automates these steps for you. Follow this guide to complete the setup.
P12 Keystore
Delegated staking is tied to your node’s wallet public key (node ID).
If you rebuild or create a new node, your delegated staking status will remain unaffected as long as you retain your current p12 keystore, which holds the private and public keys designated for the Constellation Network Hypergraph or metagraph.
Since delegated staking is a financial decision, the configurator will not automatically commit your node to become available for delegated staking.
To stay fully informed and connected, you must join the Constellation Network Official Discord server.
This is the central hub for:
✅ Cluster update announcements
✅ Scheduled network restarts
✅ Operational instructions and technical alerts
✅ Validator program updates and governance notices
nodectl requires you to create a configuration file with the necessary parameters to properly enable delegated staking according to your preferences and requirements.
Regardless of whether this is your first time configuring your node for delegation, you must create or update the configuration file to define the specific parameters you want to use when offering your node for delegation.
If you wish to change any delegated staking parameters in the future, you must update the configuration file first before submitting a request to apply those changes to your node’s delegated staking settings.
Reference explanations and Reference Guides specifically associated with node operations.
In order to view your current delegated staking status, you may issue a status command at any time.
For a valid configuration, your node should report all parameter matches as True.
If any match is not True, please review your desired configuration and issue an as needed to ensure your desired settings and consistency with the cluster.
In the event that you have already issued an update with your current settings (no changes were necessary), nodectl will prevent an unnecessary cluster update, and decline your request.
If the nodectl utility responds without applying any changes, the most likely reason is that your node is already configured with the delegated staking settings you specified.
If this is not the case, review and and submit another to ensure your desired changes are applied.
All the steps necessary to join the program before you attempt to build your node.
This resource will provide everything you need to successfully deploy and operate your validator node within the Dor metagraph.
A brief overview of the types of rewards a Dor Validator Node Operator can expect.
As a Dor Validator Node Operator, you are eligible to earn rewards for supporting the Dor metagraph.
Dor validator Node Operators are eligible for two types of rewards.
Consensus
Continuous per consensus round
As your node actively participates in the Dor metagraph, it will earn rewards at the conclusion of each consensus round. These rewards are granted when your node successfully validates data in compliance with the network cluster requirements.
Tax
Daily
During data processing and validation within the Dor Metagraph cluster, a network tax is applied and paid by the principals utilizing the metagraph’s services.
This tax is collected into a distribution wallet, which serves as a shared rewards pool. At the end of each day, a portion of the accumulated funds in the distribution wallet is distributed to all active validator nodes, based on their participation and contribution to the network during that period.
Description of a VPS (Virtual Private Server)
A Virtual Private Server (VPS) is a virtualized computing environment that runs on a physical server hosted in the cloud. It functions like a standalone server but shares physical hardware with other VPS instances.
Virtualized Environment: A VPS runs independently with its own operating system, file system, allocated CPU, RAM, and storage, despite being hosted on a shared physical machine.
Cloud-Hosted: The underlying infrastructure is managed by a cloud provider, meaning you do not need to maintain or understand the physical server itself.
Private and Isolated: Your VPS instance operates in isolation from other virtual machines on the same host, offering consistent performance and greater security than shared hosting.
In the context of running a Constellation Network Validator Node, the VPS:
Hosts the full node stack, including Tessellation binaries, keystores, and supporting services
Connects directly to the Constellation Hypergraph or metagraph cluster
Acts as your validator’s public-facing presence on the network
A VPS offers a reliable, flexible, and cost-effective way to run your node 24/7 without managing physical hardware, making it ideal for decentralized infrastructure participation.
This section is dedicated to IntegrationNet Node Operator specific documentation.
Update configuration? [n]: y
sudo nodectl delegate status
DELEGATED UPDATE REQUEST CANCELLED
sudo nodectl version
sudo nodectl upgrade_path
sudo nodectl upgrade_nodectl -v <next_version_in_path>
sudo nodectl upgrade_nodectl
Press Y then [ENTER] to upgrade or N then [ENTER] to cancel: Y
Delegated staking is permanent and cannot be disabled once it has been enabled.
There are no downsides to enabling delegated staking; it simply allows you to earn additional rewards without impacting your existing node operations.
This is the logical flow of how delegation works on your node.
✅ Key Point: Collateral Requirement
To operate a node, you are required to allocate 250,000 $DAG as collateral. You will earn 100% of the rewards generated by your own collateral—these rewards are exclusively yours and are not shared.
👥 Delegators and Additional $DAG
When other community members choose to delegate their $DAG to your node, the total amount delegated is added to your node's effective stake, increasing your node's influence and overall earning potential.
💰 Example: Understanding Rewards from Delegation
Let’s say delegators collectively point X $DAG at your node.
Your node will now earn additional rewards based on this delegated stake.
You will receive a commission (a percentage you set between 5–10%) from the rewards generated by the delegated X $DAG.
The remaining rewards go back to the delegators, proportional to their contribution.
In Our Example
Let's say: 800 $DAG was earned in total from X $DAG delegated to your node for you and your delegators. This does not include rewards earned from your original 250,000 $DAG staked as collateral on your node.
You set a 10% commission charge.
Delegated Staking | 800 $DAG | 10% | 80 $DAG | 720 $DAG
Your Node's Collateral | 600 $DAG | 0% | 600 $DAG | 0 $DAG
✅ Peer collaboration and troubleshooting with other Node Operators
Participation in the Discord server ensures that you:
Receive real-time updates that may affect your node's performance or connectivity.
Get immediate access to official support channels and team leads.
Can coordinate with other Validators for best practices and knowledge sharing.
Make sure to verify your account and introduce yourself in the general channel once inside.
Configuring delegated staking does not automatically commit your node to accept delegations.
The process involves two steps:
Create or update the configuration with your desired delegation parameters.
Manually submit the configuration to the Metagraph to activate delegated staking.
Rebuild a Constellation Network node with an existing P12 keystore.
One of the lesser defining characteristics of a Constellation Network Validator Node is its ephemeral nature. This means that nodes are designed to be easily rebuildable, making re-deployment a cleaner and often more efficient solution compared to deep troubleshooting.
Whether you're:
Experiencing inconsistent OS behavior,
Choosing to upgrade your distribution via a fresh VPS (rather than an inline upgrade),
Switching cloud providers,
Or facing any other scenario that requires spinning up a new instance,
Rebuilding your node is not only possible, it’s encouraged.
.p12 Keystore
This guide will walk you through the process of reinstalling your existing .p12 keystore on a new VPS instance so your validator node can resume operation quickly and securely.
By the end of this process, your new instance will be configured with your existing wallet, allowing you to seamlessly rejoin the network without starting from scratch.
Connect to your OLD VPS and back up (obtain) your current p12 keystore.
This step is critical for a successful reinstallation.
If you no longer have access to your old VPS and do not possess a valid backup of your .p12 keystore, please contact a system administrator immediately. In this case, you will need to rebuild a new node from scratch and follow the instructions in the .
$DAG tokens can still be accessed and recovered through your Stargazer Wallet, provided you retain access there. See the guide for further details.
Rebuild your VPS
Restore your p12 to the new VPS prior to beginning the installation.
Follow either the Quick Install or Normal Installation guide up to the migration section.
At that point:
When prompted, select y to proceed with the keystore migration.
nodectl will automatically scan your VPS for any available .p12 keystore files.
In this scenario, it should detect only one .p12 file, the one you uploaded during the earlier step.
Select the identified .p12 keystore and continue following the installation guide as normal to complete your validator node setup.
This guide is intended for restarting your Validator node following a Hypergraph or metagraph cluster restart.
Cluster restarts may occur for a variety of operational reasons, including:
✅ Network upgrade
✅ Seed list access updates
✅ Cluster-wide error resolution
If you have the auto_restart feature enabled, your node may have already recovered automatically.
inbound | 9000 | Layer0 | public API
inbound | 9001 | Layer0 | peer to peer API
inbound
The public and p2p ports mentioned above are customizable if desired to fit your needs. The default port settings are listed to adhere to the default settings used by nodectl and recommended by the protocol.
Secure Shell Concept and Guides
When a Node Operator (Administrator) builds a VPS (Virtual Private Server) in the cloud, they need a secure method to access and administer that instance. This is typically done by connecting to the VPS from a local machine (e.g., a laptop or desktop) over the Internet.
Data traveling across the Internet is vulnerable to interception by malicious actors who may attempt to steal, monitor, or manipulate the connection. To defend against this, we use encryption to create a secure tunnel between the local and remote systems.
SSH keys are a pair of cryptographic keys:
A public key, which is shared with the remote server
A private key, which is kept securely on your local machine
These keys are used to:
Authenticate your identity
Establish an encrypted connection
Securely transmit commands and data
In the context of connecting to a cloud VPS:
The public key (stored on the VPS) is used to encrypt the data
The private key (on your local machine) is used to decrypt it
This ensures that only your local machine—with the private key—can access and interpret the data sent by the server.
🛡️ SSH key authentication is significantly more secure than using a password alone and is the standard method for managing Constellation Network nodes in cloud environments.
This guide will help you create your node using nodectl.
The following documentation will help a new Node Operator understand the differences between the options for turning a newly created VPS into a Constellation Network validator node with nodectl.
There are three options:
A normal installation is a more detailed and interactive method of installing nodectl on your VPS. The process will guide you through each step of the installation interactively with details on each step, along the way.
This installation method installs nodectl with minimal prompts or user interaction. You will only be asked a few questions:
Which cluster you would like your node to join
Whether you want to migrate an existing .p12 keystore
Passphrase for the .p12 keystore:
This new installation can be performed if desired by advanced users.
nodectl is recommended.
You should now have access to the Constellation Network Official Discord server via an invite provided for Node Operators.
At this point, your VPS should be fully configured and operating as a Constellation Validator Node.
If you believe any steps were missed, please revisit the previous documents to ensure all required tasks are completed before moving forward.
To update your current delegated staking parameters or to commit them for the first time to the metagraph, you will need to implement an update.
This command finalizes your configuration by submitting it to the metagraph, making your node available for delegated staking based on the parameters you've set.
If this is NOT your first time configuring delegated staking, and you are looking for a way to update your delegated staking parameters, you may skip to the .
If this is your first time configuring delegated staking on your node, you will be presented with a CONFIGURATION NOTICE screen.
Simply read through the notice and press any key to continue.
Total | 1,400 $DAG | 680 $DAG | 720 $DAG
9010 | Layer1 | public API
inbound | 9011 | Layer1 | peer to peer API
outbound | all | Tune to your needs
SSH | 22 | Enable remote access to your VPS or server to manage your node effectively. For enhanced security, consider configuring SSH to use a custom port instead of the default port 22. This adds an extra layer of obscurity, reducing exposure to automated scanning and brute-force attempts.
Enter the passphrase if using an existing keystore
New password for the Node Administrator
Your password or passphrase will require:
At least 10 characters
At least one number
At least one upper case character
At least one lower case character
At least one special character ( ! @ # % ^ & * ( ) _ + - = )
Do NOT use " (double quotes)
Do NOT use ' (single quotes)
Do NOT use $ (dollar sign)
Do NOT use § (section sign)
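The rules above can be checked before the passphrase is typed into the installer. The following is an added example, not part of nodectl or the original guide; `check_passphrase` and `_pw_has` are hypothetical helper names, and it assumes an ASCII passphrase and a POSIX shell with grep.

```shell
#!/bin/sh
# Added example, not part of nodectl: pre-check a candidate passphrase against
# the rules listed above. check_passphrase and _pw_has are hypothetical helpers.

# _pw_has <string> <bracket-expression>: true when the string contains a match.
# LC_ALL=C keeps the character ranges byte-exact (ASCII only).
_pw_has() { printf '%s' "$1" | LC_ALL=C grep -q -e "$2"; }

# check_passphrase <candidate>
# Prints one line per violated rule and returns 0 only when no rule is violated.
# The body runs in a subshell, so pw, rc and fail do not leak into the caller.
check_passphrase() (
    pw=$1
    rc=0
    fail() { printf '%s\n' "$1"; rc=1; }

    # Required properties
    [ "${#pw}" -ge 10 ]             || fail "fewer than 10 characters"
    _pw_has "$pw" '[0-9]'           || fail "no number"
    _pw_has "$pw" '[A-Z]'           || fail "no upper case character"
    _pw_has "$pw" '[a-z]'           || fail "no lower case character"
    # '^' is not first and '-' is last, so both are literal inside the brackets
    _pw_has "$pw" '[!@#%^&*()_+=-]' || fail "no special character from ! @ # % ^ & * ( ) _ + - ="

    # Forbidden characters, matched literally
    case $pw in *'"'*) fail 'contains " (double quote)' ;; esac
    case $pw in *"'"*) fail "contains ' (single quote)" ;; esac
    case $pw in *'$'*) fail 'contains $ (dollar sign)' ;; esac
    case $pw in *'§'*) fail 'contains § (section sign)' ;; esac

    [ "$rc" -eq 0 ]
)

# Usage (constructed value): check_passphrase 'Str0ng+Pass-phrase' && echo "passphrase accepted"
```

Calling the function from the current shell keeps the candidate out of the process list, which passing it as an argument to an external script would not.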
You should be:
Connected to your VPS remotely
VPS is updated, upgraded, and rebooted
nodectl is installed.

In the context of the Constellation Network's Hypergraph or metagraph clusters, the concepts of majority fork and minority fork relate to how the network reaches consensus during discrepancies, synchronization issues, or splits in transaction history.
A majority fork occurs when the majority of validator nodes in the network agree on a particular version of the transaction history. This version becomes the canonical chain and is recognized as the valid state of the network.
Unlike traditional linear blockchains, Constellation uses a Directed Acyclic Graph (DAG) architecture. In this system, the majority fork represents the most widely accepted state of the DAG, ensuring consistency, correctness, and security.
Majority forks typically occur during routine operations—such as when one of the three source nodes in a cluster is restarted during an upgrade or maintenance cycle.
Examples:
Tessellation is upgraded from version vX.0.0 to vX.0.1.
Two conflicting transaction histories emerge, and the one accepted by most validators becomes part of the official ledger.
A minority fork occurs when a smaller subset of nodes deviates from the consensus and follows an alternate transaction history. This version of the DAG is generally considered invalid or non-authoritative because it lacks sufficient validator support.
Minority forks may arise due to:
Network partitioning
Incomplete upgrades
Misconfigurations
Malicious behavior
In the Constellation Network, these forks are automatically disregarded by consensus protocols, as they fail to meet the quorum thresholds for validation.
Example:
Tessellation is upgraded to vX.0.1, but one or more nodes remain on vX.0.0, resulting in those nodes temporarily diverging into a minority fork.
Transactions included in a minority fork may temporarily appear valid to affected nodes.
Once consensus re-aligns with the majority, those transactions are rejected and excluded from the network’s official state.
Prioritizing the majority fork ensures that only the most secure and validated version of the ledger is retained, which protects against double spending and preserves network reliability.
The network includes automated mechanisms to reconcile forks. Nodes on a minority path are guided back to the consensus-approved chain, restoring full alignment across the network.
The majority fork represents the unified, authoritative state of the Constellation Network. The minority fork is a temporary divergence, typically caused by upgrades or desynchronization, and is automatically corrected through the network’s consensus process.
This is universal whether Windows or Macintosh
Do not copy your private key, only the .pub file.
Sharing your private key will compromise the security of your node.
If you have auto_restart enabled only:
You should see messages indicating that nodectl is disabling the auto_restart feature at the beginning of the restart process and re-enabling it once the restart is complete.
If you believe the auto_restart feature did not restart for any reason—for example, if you did not see the related messages—you may manually restart it to ensure it is functioning correctly.
If you're running a single-layer Validator (Layer0 or Layer1 only), you can skip directly to the Confirm Status step below.
If your node operates in hybrid mode (participating in both Layer0 and Layer1):
You must wait for the Layer0 profile to reach the Ready state before attempting to connect Layer1.
Layer1 cannot join the cluster until the full Layer0 chain is downloaded and synchronized.
If you have the auto_restart feature enabled:
Your node will detect when Layer0 reaches Ready state.
It will automatically initiate the Layer1 connection.
tar (Tape Archive) utility, which packages multiple files and directories into a single file. This simplifies:
File distribution
Backup operations
Transfers between systems
.tar — A basic archive without compression
.tar.gz or .tgz — A tar archive that has been compressed using gzip
These formats are frequently used for distributing software packages, source code, configuration bundles, or backup snapshots in a compact and portable form.
To create a tarball:
To extract a tarball:
Tarballs are widely used in open-source environments and DevOps workflows, and are considered a standard for packaging files in Unix-like ecosystems.
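One way to take the .p12 keystore backup required by the rebuild guide as a tarball, and to confirm the archive restores intact before the old VPS is destroyed. This is an added example, not nodectl code; the helper names and paths are hypothetical, and it assumes tar and sha256sum as shipped with Ubuntu or Debian.

```shell
#!/bin/sh
# Added example (not nodectl code): archive a .p12 keystore before a rebuild and
# prove that the archive restores byte-for-byte. Helper names are hypothetical.

# backup_keystore <p12_file> <dest_dir>
# Writes <dest_dir>/<name>.tar.gz plus a .sha256 sidecar; prints the archive path.
backup_keystore() (
    p12=$1
    dest=$2
    [ -f "$p12" ] || { echo "no such keystore: $p12" >&2; exit 1; }
    umask 077                      # archive and checksum readable by the owner only
    mkdir -p "$dest" || exit 1
    name=$(basename "$p12")
    archive="$dest/$name.tar.gz"
    # -C stores only the file name in the archive, not the absolute path
    tar -czf "$archive" -C "$(dirname "$p12")" "$name" || exit 1
    # Record the digest of the original so a later restore can be checked
    ( cd "$(dirname "$p12")" && sha256sum "$name" ) > "$archive.sha256" || exit 1
    printf '%s\n' "$archive"
)

# verify_keystore_backup <archive>
# Extracts into a private temp dir and compares the digest with the sidecar.
verify_keystore_backup() (
    archive=$1
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || {
        echo "archive or checksum file missing" >&2; exit 1; }

    # Accept only an archive holding exactly one plain .p12 entry
    entries=$(tar -tzf "$archive") || exit 1
    [ "$(printf '%s\n' "$entries" | wc -l)" -eq 1 ] || {
        echo "expected exactly one entry in archive" >&2; exit 1; }
    case $entries in
        */*|*..*) echo "unsafe path in archive: $entries" >&2; exit 1 ;;
        *.p12)    ;;
        *)        echo "entry is not a .p12 file: $entries" >&2; exit 1 ;;
    esac

    want=$(cut -d' ' -f1 < "$archive.sha256")
    tmp=$(mktemp -d) || exit 1
    tar -xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; exit 1; }
    got=$(sha256sum "$tmp/$entries" | cut -d' ' -f1)
    rm -rf "$tmp"                  # never leave an extracted keystore behind

    [ -n "$got" ] && [ "$got" = "$want" ] || {
        echo "digest mismatch: backup does not match the original" >&2; exit 1; }
    echo "ok: $entries restores with matching SHA-256"
)

# Usage (hypothetical paths):
#   archive=$(backup_keystore /path/to/keystore.p12 "$HOME/p12-backup")
#   verify_keystore_backup "$archive"
```

Copy both the archive and its .sha256 file off the VPS, and run the verification again on the machine that will hold the backup.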
update
You may skip this step if this is not your first update.
The nodectl utility will attempt to retrieve your current delegated staking parameters and determine whether this is your first update attempt.
If it detects a first-time update, you will receive a warning and be asked to confirm. If you have previously updated your node and still receive this prompt, it may indicate a potential issue (see warning).
Warning
If this is your first time updating the delegated staking settings on your node and you do not receive the first-time confirmation notice, please contact a Constellation Network representative via our official Discord server for assistance.
Likewise, if this is not your first time updating and you do receive a first-time warning, please report the issue as soon as possible through the same channel.
If you are confident that this is the first delegated staking update for this node, you may proceed with acknowledging the prompt.
During the initial update to the metagraph, your reference to your last update (none) will be set to all zeros.
The default option is n so we will change it to y and hit enter.
cat ~/.ssh/constellation_network_keypair.pub
ssh-ed25519 AAAA13z1d63... Constellation Network
sudo nodectl configure -e -cb -d
D) Setup/Update Delegated Staking
sudo nodectl restart -p all
sudo nodectl status
JOIN STATE Ready
IN CONSENSUS True
ssh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address> -p <port>
sudo nodectl upgrade --ni
sudo nodectl status -p dag-l0 -w 120
sudo nodectl join -p dag-l0
sudo nodectl status
JOIN STATE Ready
IN CONSENSUS True
ssh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address> -p <port>
tar -czvf archive-name.tar.gz /path/to/directory
tar -xzvf archive-name.tar.gz
Please enter your p12 passphrase:
sudo nodectl delegate update
Is this your first update? [n]: y
Return to or join the Constellation Network Discord server, and reach out to a Discord Administrator who holds the Admin or Team Lead role (visible next to their username).
Important Security Reminder
An Admin or Team Lead will never message you first, ask for money, request that you connect your wallet to third-party sites, or make any financial requests.
When contacting an Admin or Team Lead, be prepared to present your Node ID so they can submit it to the internal team for processing. You may be required to confirm your email; this should only be confirmed by an Official Constellation Network Team Member.
You will need to create and own a Stargazer Wallet
In order to qualify to run a node on Constellation Network's production MainNet Hypergraph cluster, or Dor metagraph cluster, you will need to collateralize your node through your Stargazer wallet.
MainNet | Hypergraph | $DAG | 250,000
IntegrationNet | Hypergraph | $DAG | 250,000
Dor | metagraph | $DOR
Please follow this guide to import your node’s wallet into your Stargazer Wallet, and transfer $DAG and/or $DOR before attempting to join the cluster.
This step is required to meet the staking threshold and ensure your node is eligible for cluster participation.
You should now be in the configurator and at the section where you're prompted to enter the necessary parameters to enable delegation.
These parameters will define how your node appears to other delegated staking participants, allowing them to discover and delegate to your node based on the options you set.
Your configuration will be created or updated to match your requested parameters and final instructions will appear.
Press any key and you will be returned to the main menu of the configurator.
Your configuration is complete; you may issue a q to exit the configurator and return to your node's command line interface.
Resolve Issues When Upgrading Older Versions of nodectl
As nodectl evolves, the upgrade process also changes.
This guide helps bring your outdated nodectl installation up to the current recommended version using a versioned, step-by-step upgrade path.
Resolve IPv6-related Connection Issues on Your Validator Node
The EdgePointDown status typically indicates a failure in establishing communication between your node and the network’s edge points.
A known root cause is the system resolving outbound connections using IPv6 instead of IPv4, which can happen in scenarios such as:
The cloud provider defaults to IPv6 or uses IPv6-to-IPv4 translation
The network infrastructure between your VPS and Constellation’s edge points mishandles IPv6
DNS resolution or routing forces IPv6 where IPv4 is required for compatibility
⚠️ This guide addresses IPv6-related causes only.
As new root causes are discovered, this document will be updated.
⚠️ If either status is already disabled, your issue is not IPv6-related. Stop here and seek assistance from a Team Lead via the .
To ensure the monitoring service is in sync with the updated configuration:
✅ Your node should now resume connection attempts using IPv4.
If the EdgePointDown issue was caused by IPv6, it should be resolved.
If problems persist, please reach out to the Constellation Network support team or a Team Lead in Discord.
Expert level walk through on how to build a node to run on Constellation Network's MainNet or IntegrationNet.
This guide assumes expert level knowledge with little to no details.
For a more descriptive build guide, please start here:
Build Your Node
Are you going to run this node via a Cloud Provider using a VPS, a dedicated cloud-based server, or a bare metal system?
Choose your hardware to match our or Cloud Provider that offers systems that meet our .
We will assume you are using a VPS for the remainder of this guide.
Upgrade your node control utility.
This guide provides a streamlined process to upgrade your nodectl utility to the latest supported version, while following the recommended upgrade path.
Your node is now running the latest version of nodectl, fully updated and ready for continued participation in the Constellation Network.
You can confirm your version using:
This guide outlines how to enable nodectl's auto-restart feature along with auto-upgrade support.
Enabling this configuration allows your node to:
Automatically monitor and restart services if they become unresponsive or disconnected from the cluster
Automatically check for and apply updates via nodectl when new versions of Tessellation are available (based on your configuration preferences)
This ensures your node remains healthy, up-to-date, and engaged in network operations with minimal manual intervention.
Turn your VPS into a node using quick install guide
To qualify as a Dor Validator Node Operator, you will need to complete a few administrative tasks as part of the onboarding process.
Please refer to the following document for detailed instructions on how to become a Dor Validator Node Operator:
📄
This guide outlines the necessary steps, requirements, and submission process to get started. Be sure to review it thoroughly to ensure a smooth and successful onboarding experience.
1,000,000
To begin setting up your Dor validator node, you’ll first need to select a VPS provider.
Refer to the Constellation Network Setup Guides for recommendations and considerations when choosing a provider that meets the node requirements.
Before setting up your Dor Validator Node, ensure your VPS meets the minimum specifications required for proper performance and stability.
📄 Refer to the official specification document for detailed validation requirements.
Debian based Linux distribution.
Ubuntu 24.04 (Recommended)
Debian 12
Ubuntu 20.04 and lower.
Debian 11 and lower
Once your VPS is built and provisioned, you may return to this Quick Start Guide to continue with the installation and configuration process.
We will choose the R from the Edit Menu.
Choose y to enable auto_restart
Choose y to enable auto_upgrade
Choose y to enable on_boot
Choose y to confirm selections.
Choose Q to exit back to the command line interface.
The nodectl utility includes several optional features designed to automate node recovery, version compliance, and startup behavior. These options help ensure your Validator node remains online, up-to-date, and resilient without requiring constant manual intervention.
When auto_restart is enabled, nodectl continuously monitors the health and cluster status of your node.
Key Functionality:
Detects if your node drops off the cluster due to issues such as network interruptions, process failures, or misconfigurations.
Automatically attempts to restart and rejoin the node to the cluster without user involvement.
Automatically attempts to return your node to consensus if it stops participating for a variety of reasons.
This is especially helpful for maintaining high availability and reducing downtime.
Constellation Network requires all active Validator nodes to run the same version of Tessellation. If your node is not running the correct version during a cluster upgrade, it will be rejected from joining, regardless of its other credentials (e.g., collateral, seed list status).
nodectl will monitor the current cluster version.
If a version mismatch is detected, it will automatically upgrade your node to match the active cluster version.
This ensures version compliance and minimizes the risk of node rejection due to outdated software.
Enabling on_boot ensures that nodectl's auto-recovery features are initialized automatically when your VPS starts up, such as after:
A manual system reboot
An unexpected crash
Cloud maintenance or hardware restarts
On system boot, nodectl launches the auto_restart process.
If necessary, auto_upgrade also activates to bring the node back in sync with the cluster version.
This setup enables your node to recover and reconnect unattended after the VPS completes its boot sequence.
These automation features are highly recommended for production Validator nodes, as they enhance stability, uptime, and operational efficiency across the Constellation Network.
Concise – keep it short and simple
Descriptive – reflect your identity or purpose
Unique – avoid names that could be confused with other nodes
A clear and recognizable name will help users quickly identify and delegate to your node within the Constellation Network ecosystem.
You’ll need to provide a brief description of your node that will be publicly displayed on the DAG Explorer within the Delegated Staking section.
Keep it short and clear, highlighting your node’s strengths, unique features, or anything that sets it apart. This description is your opportunity to attract community members interested in delegated staking to delegate their $DAG to your node.
% You may use floating point values: 5, 5.1, 5.2 ... 9.9, 10.
Choose a rate that aligns with your operational strategy, encourages community participation, and reflects the value your node offers.
Open a new local terminal and attempt a second SSH remote connection to your node using your nodeadmin user and passphrase as created in the SSH into Your VPS.
Supply your node ID and request to have it appended to the MainNet Hypergraph access seed list.
The last known upgrade path version
⚠️ Important: Select the version that follows the recommended upgrade path. Skipping versions may result in misconfiguration or compatibility issues.
Press the corresponding number key (no need to press Enter).
Press y to confirm your selection.
✅ If required: Press y and follow the prompts
You may optionally refer to the full Tessellation upgrade guide for details before continuing
Recommended: 16 GB or more for optimal performance
Storage:
At least 100 GiB of SSD storage
CPU:
Minimum: 2 vCPU
Recommended: 4 vCPU
This node runs inside a Docker container, so you’ll need the following installed on your local machine or cloud instance:
Ensure Docker is installed and running. Installation instructions can be found in the official documentation:
Docker Compose is required to manage multi-container setups. You can install it by following this guide:
Java is required to run the JARs. You can install it by following this guide:
Before proceeding, you need to create a .p12 file and get your Node ID so we can add you to the seed list.
1.1 Download the required tools
Download the following files from the latest Tessellation release:
cl-keytool.jar
cl-wallet.jar
🔗 You’ll find them under Assets here: 👉 Tessellation Releases on GitHub
1.2 Set your environment variables
1.3 Generate your .p12 file
1.4 Get your Node ID
1.5 Share your Node ID
Tag the team on Discord and send your Node ID so it can be added to the seed list.
⚠️ Only proceed to the next step after your Node ID has been confirmed in the seed list.
To install and run a Metagraph validator node, follow the steps below:
1. Create your working directory
2. Create the shared-data directory with the metagraph-l0 subdirectory
3. Copy your .p12 keystore file into this directory
If you haven’t created a .p12 file yet, follow the official guide:
Working with .p12 files
4. Return to the root of your my-node directory
Ensure you’re back in my-node before the next steps:
5. Create a docker-compose.yml file
Use the appropriate template for your network (e.g. docker-compose.integrationnet.yml) and paste it into a new file:
6. Create a .env file
Use the corresponding .env template (e.g. .env.integrationnet) and paste it into a new file:
7. Edit the .env file with your node’s configuration
Make sure to update the following values:
NODE_IP: Your instance’s public IP
METAGRAPH_L0_CL_KEYSTORE: Full path to your .p12 file (e.g. /app/shared-data/metagraph-l0/my_file.p12)
METAGRAPH_L0_CL_KEYALIAS: Your keystore alias (e.g. my_file)
METAGRAPH_L0_CL_PASSWORD: Your keystore password (e.g. my_password)
8. Verify your folder structure
Your my-node directory should now contain:
9. Start your node 🚀
Run the following command to bring your node up:
This command will:
Stop any running container
Pull the latest image
Start the node in detached mode
Stream the logs
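A pre-flight check for steps 7 and 8, run before starting the node, as an added example that is not part of the project's own tooling. The function names and sample values are constructed, and the permission check on .env is an added hardening assumption rather than a requirement stated in the guide.

```shell
# Added example: verify the my-node directory before `docker-compose up`.
# Key names and paths come from the steps above; sample values are constructed.

REQUIRED_KEYS="NODE_IP METAGRAPH_L0_CL_KEYSTORE METAGRAPH_L0_CL_KEYALIAS METAGRAPH_L0_CL_PASSWORD"

# Print the value of key $2 from env file $1 (last assignment wins, quotes stripped).
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Check one node directory; print each problem and return the number found.
check_node_dir() {
    dir="$1"
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Step 8: both files must exist at the top of the directory.
    for f in docker-compose.yml .env; do
        [ -f "$dir/$f" ] || fail "$f is missing"
    done
    [ -f "$dir/.env" ] || return "$problems"

    # Step 7: every value the guide asks you to update must be set.
    for key in $REQUIRED_KEYS; do
        [ -n "$(env_value "$dir/.env" "$key")" ] || fail "$key is empty or not set"
    done

    # The guide's example password must not survive into a real deployment.
    [ "$(env_value "$dir/.env" METAGRAPH_L0_CL_PASSWORD)" != "my_password" ] \
        || fail "METAGRAPH_L0_CL_PASSWORD still holds the guide's example value"

    # Step 3 copies the keystore into shared-data/metagraph-l0/, so the file
    # named in METAGRAPH_L0_CL_KEYSTORE should exist there under the same name.
    ks="$(env_value "$dir/.env" METAGRAPH_L0_CL_KEYSTORE)"
    if [ -n "$ks" ]; then
        [ -f "$dir/shared-data/metagraph-l0/$(basename "$ks")" ] \
            || fail "keystore $(basename "$ks") not found in shared-data/metagraph-l0/"
    fi

    # .env holds the keystore password in clear text: no group/other access.
    mode="$(ls -ld "$dir/.env" | cut -c5-10)"
    [ "$mode" = "------" ] || fail ".env is accessible to group/other ($mode)"

    return "$problems"
}

# Constructed sample directory with two deliberate problems:
# the example password is still in place and .env is world-readable.
make_sample_dir() {
    d="$(mktemp -d)"
    mkdir -p "$d/shared-data/metagraph-l0"
    : > "$d/docker-compose.yml"
    : > "$d/shared-data/metagraph-l0/node_a.p12"
    cat > "$d/.env" <<'EOF'
NODE_IP=203.0.113.10
METAGRAPH_L0_CL_KEYSTORE=/app/shared-data/metagraph-l0/node_a.p12
METAGRAPH_L0_CL_KEYALIAS=node_a
METAGRAPH_L0_CL_PASSWORD="my_password"
EOF
    chmod 644 "$d/.env"
    echo "$d"
}

# Usage on a real node directory:  check_node_dir "$HOME/my-node"
```

A non-zero return value is the number of problems found, so the check can gate the start command in a script.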
Important
The alerting module is a community extension of nodectl and not officially supported.
Use at your own risk. Limited support is available, and advanced troubleshooting may not be provided.
Start by clearing the alerting module’s internal cache:
This resets any internal flags that may be preventing alert dispatch.
To test if the daily reporting mechanism works:
Check your inbox for the report. If not received, continue with the next steps.
Trigger an alert manually:
This simulates a node failure alert. Verify that the message is received by the configured email or SMS gateway.
Check the nodectl logs for any errors related to alert dispatch:
Look for entries that may indicate connection failures, authentication errors, or message rejection.
If alerts are routed to a standard email inbox:
Check your Spam or Junk folders
Add the configured sender (e.g., your Gmail alert account) to your email whitelist or safe senders list
Create filter rules in your email settings to allow all mail from that address to reach your inbox
Confirm your email provider hasn’t rate-limited or blacklisted your alerting Gmail account
If you’re routing alerts to a mobile number via email-to-SMS/MMS:
✅ Ensure MMS is supported and enabled on your phone
✅ Test sending a manual email to your mobile email address
⚠️ Contact your mobile carrier and request approval to receive messages from your node’s Gmail address—some providers block automated or high-frequency alerts
🚫 Mobile providers may "black hole" repetitive or unauthenticated email messages to prevent spam
If you've exhausted all basic troubleshooting steps:
Join the Constellation Network Official Discord
Navigate to the appropriate validator support channel
Provide details such as:
Your nodectl version
Email provider used for alerts
Mobile provider (if applicable)
Relevant error logs or symptoms
sudo nodectl configure -e -cb -d
sudo nodectl auto_restart status
Q) Quit
sudo nodectl install --quick-install
sudo nodectl upgrade_nodectl
SUCCESS - AUTHENTIC NODECTL
INVALID SIGNATURE - WARNING
sudo nodectl auto_restart restart
nodectl version

export CL_KEYSTORE="my_node.p12"
export CL_KEYALIAS="my_node"
export CL_PASSWORD="your_secure_password"
java -jar cl-keytool.jar generate
java -jar cl-wallet.jar show-id

mkdir my-node
cd my-node
mkdir -p shared-data/metagraph-l0
cp /path/to/your/file.p12 shared-data/metagraph-l0/
cd my-node
nano docker-compose.yml
nano .env

my-node/
├── docker-compose.yml
├── .env
└── shared-data/
    └── metagraph-l0/
        └── your_file.p12

docker-compose down && docker-compose pull && docker-compose up -d && docker-compose logs -f

sudo nodectl auto_restart clear_alerts
sudo nodectl auto_restart send_report
sudo nodectl auto_restart alert_test
sudo nodectl logs -l nodectl

Locate the version you want to install.
This procedure modifies your VPS’s system configuration. If a misstep occurs, you may lose node connectivity.
For advanced users: if you prefer a one-command install, supply any of these flags:
--p12-passphrase <pass>
--p12-alias <alias>
--user <username>
--user-password <password>
--p12-destination-path <path>
--p12-migration-path <path>
--confirm (auto-accept warnings)
Warning: If you use any of the options/flags to supply a password or passphrase at the command line, these sensitive values end up in your shell's history.
It is strongly advised to clear your history after the installation completes with the history -c command (-c = clear).
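history -c clears only the current shell's in-memory list, so a line that has already been written to the history file (for example by another session) stays there. The following added example, which is not part of nodectl, finds and masks values passed to the password and passphrase flags listed above; the function names and the sample history lines are constructed.

```shell
# Added example: find and mask nodectl secrets left in a bash history file.
# Flag names are the ones listed above; the sample history lines are constructed.

SENSITIVE_FLAGS='--p12-passphrase|--user-password'
# A flag value: 'single quoted', "double quoted", or a bare word.
VALUE_RE="('[^']*'|\"[^\"]*\"|[^ ]+)"

# Number of lines that still carry a sensitive flag with an unmasked value.
count_leaks() {
    sed -E "s/(${SENSITIVE_FLAGS})[ =]+<redacted>//g" "$1" \
        | grep -Ec -- "(${SENSITIVE_FLAGS})[ =]" || true
}

# Mask the values in place, keeping the file's inode and tightening its mode.
redact_history() {
    hist="$1"
    tmp="$(mktemp)" || return 1
    if sed -E "s/(${SENSITIVE_FLAGS})([ =]+)${VALUE_RE}/\1\2<redacted>/g" \
        "$hist" > "$tmp"; then
        cat "$tmp" > "$hist"
        chmod 600 "$hist"
    fi
    rm -f "$tmp"
}

# Constructed sample standing in for ~/.bash_history.
make_sample_history() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
sudo nodectl install --quick-install --user nodeadmin --user-password 'Constructed Pass 1' --p12-passphrase constructedpass2 --confirm
sudo nodectl status -p dag-l0
ls -l
sudo nodectl install --quick-install --p12-alias my-alias --p12-passphrase="constructed pass3"
EOF
    echo "$f"
}

# Usage on a real history file:
#   count_leaks "$HOME/.bash_history"
#   redact_history "$HOME/.bash_history"
```

Run history -c in the shell that performed the install before masking the file, because bash writes its in-memory list back to the file when that shell exits.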
If your node meets all the proper specifications, you may press any key to continue.
You may enter n or just press Enter to accept the default [n] option.
If you are performing a New Node Installation with .p12 Migration, you may press y at this prompt to allow nodectl to automatically scan your VPS for any available .p12 keystore files.
Once detected, you will be presented with a list to select from, choose the appropriate file to continue the installation.
You will be prompted to create a password for the nodeadmin user, which will serve as the default user on this VPS/node. This password will be required to execute administrative commands using nodectl going forward.
Enter and confirm the .
You will be prompted to enter a passphrase for your node’s .p12 keystore (wallet). This passphrase is required to perform signing requests and access your node’s hot wallet on the blockchain.
Enter and confirm the .
The nodectl utility will finish by displaying a final instructional page.
Review it carefully, record any important information in your notes.
The following instructions will be explained in greater detail in the post-seeding documents available on our documentation hub.
Now that your VPS has been successfully configured as a Constellation Network node, there are a few final steps to complete before proceeding to the First-Time Connection Guide to bring your node online.
This guide walks you through connecting a Validator Node to a Constellation Network Hypergraph or metagraph cluster for the first time.
This guide assumes that you have properly created and connected to your VPS successfully and installed the nodectl utility.
Build Your Node
💽 The nodectl utility
Before beginning, ensure you’ve reviewed the full checklist and profile documentation.
This guide uses dag-l0 as the profile name.
Replace dag-l0 with your node’s actual profile name if it differs.
For example dor-dl1 for Dor data layer1 validator nodes.
Use the following command to connect to your VPS via SSH:
To confirm that your node is recognized by the network, run:
Expected Output:
🛑 If you are not on the seed list, stop here and contact a Discord Administrator Team Lead via the Constellation Network Official Discord. You must wait for the next cluster restart that includes a seed list update before continuing.
Use the upgrade command to prepare your node for the cluster connection:
The -ni flag enables non-interactive mode, accepting default values automatically.
If you're operating a Layer1-only Metagraph Validator, you may skip directly to the Join Layer1 step at the bottom of this guide.
Hybrid nodes must reach a Ready state on Layer0 before joining Layer1.
⚠️ Expected Behavior:
After your node completes Layer0 connection steps, it will attempt to join the Layer1 profile and fail. This is expected and not a concern at this stage.
This happens because Layer1 participation is blocked until your node fully syncs the Layer0 snapshot chain.
During this period, your node will transition through the following statuses:
SessionStarted
DownloadInProgress
After upgrading, verify your node has reached the correct syncing phase:
Expected Output:
If you see SessionStarted, continue running the command periodically until it transitions to DownloadInProgress.
Your node will now download the entire snapshot chain from the Layer0 cluster. This process may take several days.
You have two options:
Wait for your node to reach the Ready state.
Proceed to the optional next step to speed up the snapshot process using the Starchiver utility.
To accelerate snapshot syncing:
👀 Monitor your node closely to ensure the process completes without error.
🚧 Caution:
Starchiver is a community-supported tool and not officially supported by Constellation Network. Use at your own risk. For issues, contact the tool's maintainer via GitHub or seek help on the Constellation Discord.
Once your node has completed downloading the snapshot chain, it will enter the Ready state and begin participating in consensus.
To verify:
Look for the following:
For Layer1:
🔄 To monitor the transition in real time:
Use the q key to exit the watch command gracefully.
If Layer1 displays ReadyToJoin, you may initiate the join process:
If your node is in any other state, restart the profile before retrying:
Once the above steps are complete and your node is fully synced and participating in consensus, your first-time connection process is complete.
This guide outlines the steps required to collateralize your node’s hot wallet, meeting the staking requirements needed to join the Constellation Network Hypergraph or a metagraph.
Follow the connection guide to connect to your node.
You may begin transferring your $DAG or $DOR tokens to your newly imported wallet.
🚧 Proceed with caution
Start by sending a small test amount to ensure the transfer is successful before committing to a full transfer.
You can continue with multiple transfers or a single lump-sum transfer after the test is confirmed. There should be no fees associated with these transfers.
How to download nodectl for the first time.
From now on, all instructions will be executed on your remote VPS, not on your local system.
Please make sure to set up and connect to your remote VPS before continuing.
Build Your Node
🚉 First Time Connection Guide
Manually download all the elements needed to run a node for advanced Node Operators.
If you’ve chosen to use nodectl to create your node, excellent choice! You should skip this section of the instructions.
Users leveraging nodectl do not need to perform any of the steps outlined here, as nodectl handles all of them dynamically and automatically.
To leave the cluster after a process has been started and joined.
Find the process(es) associated with your node
Kill the process(es)
Maintaining an up-to-date and secure backup of your .p12 file is essential for protecting access to your Validator node and wallet. This guide will walk you through securely backing up and restoring your .p12 file using a macOS or Windows system.
Expert level walk through on how to build a node to run on Constellation Network's IntegrationNet.
When building your Validator node, it’s important to understand the key distinction between IntegrationNet and MainNet from a node operator perspective.
While both environments serve critical roles in the Constellation ecosystem, the primary difference during setup is related to collateral staking.
Note:
This statement is primarily to explain the distinctions between a Node Operator operating a node on IntegrationNet versus MainNet.
NOT DISTINCTIONS BETWEEN THE PURPOSE OF THESE TWO HYPERGRAPH CLUSTERS
IntegrationNet is a non-production environment used for development.
It operates on a separate, non-economic Hypergraph cluster.
$DAG tokens used in IntegrationNet have no monetary value and cannot be transferred to MainNet.
The hot wallet on an IntegrationNet node does not hold real $DAG tokens.
As such, collateral staking is not required or validated directly from the node in this environment.
This allows new Constellation-specific metagraphs, Enterprise metagraphs, and ecosystem-developed metagraphs to test metagraph functionality and behaviors before moving into production.
To operate a node on IntegrationNet:
Create an account on the .
Connect a DAG wallet address through the IntegrationNet Node Operator Program.
This wallet is used for tracking your staking collateral.
Build your IntegrationNet node, using the guide options presented below.
Understanding this distinction will help you correctly prepare your node for the appropriate environment and avoid unnecessary confusion during setup.
To build your IntegrationNet node, you may use either of two options:
Detailed Build your Node guide (recommended).
Expert minimalistic guide
Monitor Your Validator Node and Receive Email Alerts
This page provides a step-by-step guide on how to create SSH (Secure Shell) keys for securely accessing your VPS or server. SSH keys are a more secure alternative to password-based authentication and are essential for managing your Constellation Network validator node.
You’ll learn how to generate a key pair. This guide is ideal for both new and experienced operators looking to establish a secure and reliable connection to their node infrastructure.
We will learn how to set proper permissions and copy your public key to the remote server later in the documentation.
Validator Node Operator Security with SSH
In traditional, centralized server infrastructures, critical systems that require direct internet access are protected by layered security controls.
These environments typically include a full suite of professionals: System Administrators, Site Reliability Engineers, Network Engineers, Security Engineers, and others. These experienced professionals are responsible for hardening systems and defending them from external threats.
sudo nodectl upgrade_nodectl -v <version_you_found_here>
sudo nodectl upgrade --ni
sudo nodectl upgrade --ni
sudo nodectl version
sudo nodectl upgrade_path
sudo nodectl version
sudo nodectl ipv6 status

--------- * IPV6 STATUS * ---------
Interface found ................... eth0
IPv6 sysctl Status IPv6 GRUB Status
enabled enabled

sudo nodectl ipv6 disable --ni --sysctl
sudo nodectl auto_restart restart
sudo nodectl install --quick-install

========================================
= CONSTELLATION NETWORK HYPERGRAPH =
= VERIFY NODECTL SPECS =
= PRE-INSTALLATION TOOL =
========================================
Code Name: Princess Warrior
Please choose node type to test:
H)ybrid Dual Layer
D)or Validator
Q)uit
KEY PRESS an option

HYPERGRAPH or METAGRAPH
predefined choices
-------------------------------------------
1) mainnet [HyperGraph]
2) integrationnet [HyperGraph]
3) testnet [HyperGraph]
4) dor-metagraph-mainnet [metagraph]
Q)uit
KEY PRESS an option

------ * INSTALLATION COMPLETE * -------
CONGRATULATIONS!
Below you will find your nodeid which
was derived from your p12 file
Please report this nodeid to administrative
staff to gain access to the network via the
access list permissions.
HyperGraph/metagraph ..................... hypergraph
Environment .............................. mainnet
P12 Location ............................. /home/nodeadmin/tessellation
P12 Name ................................. nodeadmin-node.p12
P12 Alias ................................ nodeadmin-alias
----- * CHECK SEED LIST REQUEST * ------
NODE ID
<your_node_id_here>
NODE ID FOUND ON SEED LIST
False
DAG WALLET ADDRESS
<your_dag_wallet_address_here>

You should not export your private key when participating on IntegrationNet. The $DAG tokens used on IntegrationNet hold no intrinsic value.
Collateral requirements for this TestNet are validated through a connected wallet within your Lattice account that contains the required 250,000 $DAG collateral.







ssh -i /path/to/ssh/private/key root@<vps_ip_address>

sudo nodectl check_seedlist -p dag-l0

NODE ID FOUND ON SEED LIST
True

sudo nodectl upgrade -ni

sudo nodectl status -p dag-l0

JOIN STATE
DownloadInProgress

sudo nodectl execute_starchiver -p dag-l0 --restart

sudo nodectl status -p dag-l0

Layer0
JOIN STATE Ready
IN CONSENSUS True

Layer1
JOIN STATE ReadyToJoin

sudo nodectl status -p dag-l0 -w 120

sudo nodectl join -p dag-l1

sudo nodectl restart -p dag-l1

sudo nodectl export-private-key -p dag-l0
This command requires manual re-entry of your p12 passphrase
You may press q + <enter> to quit
You will not see the q echoed to the screen.
Please enter your p12 passphrase to validate config_file:
WARNING THIS IS YOUR PRIVATE KEY
DO NOT EXPOSE TO ANYONE, AS YOUR HOT WALLET AND NODE CAN BE COMPROMISED!
PRIVATE KEY FOR [constellation-node01.p12]
=============================================================================================
13abcdef13abcdef13abcdef13abcdef13abcdef13abcdef13abcdef13abcdef
=============================================================================================

sudo nodectl export-private-key -p dor-dl1

On the Releases page you’ll see direct wget commands for various distros.
For example, for Ubuntu 22.04 and Debian 12 or Ubuntu 24.04.
Please ensure you download the correct version for your Linux distribution. The background libraries required to compile and run nodectl differ between Ubuntu 22.04 and Ubuntu 24.04. Downloading the wrong version will result in an inoperable nodectl utility and numerous error messages.
Paste the command into your remote VPS terminal session. This command is a combination of several commands linked together with the bash ; separator, which runs them sequentially in the order given.
The commands executed will perform the following:
Attempt to disable nodectl's auto restart feature, in case nodectl is already installed on the system, to avoid conflicts when downloading the nodectl utility. This command will produce an expected error that we can safely ignore.
The next command will use wget to download the nodectl utility and place it in the appropriate directory for seamless execution.
Next, the permissions of the nodectl binary will be set to executable, allowing you to run the command.
Finally, the last command in the sequence will run the version check, allowing you to verify that nodectl was successfully downloaded, placed in the correct location, has the proper permissions, and is running the expected version.
To avoid this issue, you must disable the auto_restart feature before attempting to overwrite the binary. The command to do this is provided on the releases page. It is safe to run, even if the nodectl binary is not present. It will simply return a harmless error message.
Please ensure your VPS meets the required specifications to run on Constellation's Hypergraph or metagraph networks.
Proper sizing is essential for performance, stability, and successful participation in consensus.
Please replace the download version with the latest available version, as version numbers may have changed between the time this document was written and when you are accessing it.
cl-dag-l1.jar - Layer1 Data or Currency jar
cl-node.jar - Global Layer0 Node jar
cl-keytool.jar - Key tool utility specific to Constellation Network's Tessellation
The values shown below are examples only. Do not use them as-is. Refer to the Environment Variable Chart for explanations of each variable.
CL_L0_PEER_HTTP_HOST
<layer0_peer_ipv4>
This is recommended to be your node's external IP address. Your node will be participating on both Layer0 and Layer1. The Layer1 should link through your Layer0 connection. Your node will be the most reliable node to be UP at the time you attempt to join the Hypergraph.
CL_L0_PEER_ID
<layer0_peer_nodeidr>
The node ID of the node you will be linking with on Layer0.
CL_L0_PEER_HTTP_PORT
<public_port>
The public port of the node you are linking to through Layer0.
CL_EXTERNAL
<public_facing_ipv4>
Our node's remote IP address
CL_KEYSTORE
<name_of_keystore>
This will be placed at the end of the path CL_KEYSTORE line in the file.
CL_PASSWORD
<p12_keystore_passphrase>
The password/passphrase you will use for your p12 keystore.
CL_KEYALIAS
<your_keystore_alias>
Do not use this example, come up with your own.
.p12 file offline, minimizing exposure to unauthorized access or system vulnerabilities. Acceptable storage methods include:
Encrypted USB drives
Hardware wallets with secure storage
Air-gapped systems
Secured Encrypted Software Vaults
cd ~/constellation-backups
rm -f my-p12file.p12

cd ~/constellation-backup
rm my-p12file.p12

Copy your backed-up p12 keystore file to your local Macintosh or Windows system.

mkdir ~/constellation-backup
cp /Volumes/ColdStorage/my-p12file.p12 ~/constellation-backup/
cd ~/constellation-backup
ls -l

Connect your backup device or backup medium to your Windows 11 system.
Use File Explorer to copy the file into your constellation backup directory under your local user's home directory.
Verify that you see your p12 file listed.
Feature | IntegrationNet | MainNet
Wallet Usage | Node identity only | Node identity + Staking
Environment Type | Non-Production Development | Live Production
$DAG Token Value | No real-world value | Real, staked assets required
Collateral Required | ✅ Required - External through Lattice | ✅ Required
Lattice Account | ✅ Required | ❌ Not Required
You are now ready to continue to connect to your node for the first time, install nodectl and turn your EC2 instance (VPS) into a Constellation Network Validator Node!
The nodectl utility's alerting feature depends on your node being reachable. If the VPS goes offline or loses internet access, alerts cannot be transmitted and will not be delivered.
nodectl must be installed and running on your node.
A Gmail account with:
2-Step Verification enabled
A dedicated App Password (email token) created for nodectl
Check your inbox. If it ends up in spam, mark it as "not spam."
If you are sending alerts to a mobile provider email address (sending an email to your mobile phone number in order to receive text (SMS/MMS) message alerts), it is important to make sure your carrier allows the messages through to your phone. Some carriers may silently block messages they flag as suspicious. You may need to contact your mobile provider's support to request that the emails be allowed and that any flags on them be removed.
If you don’t receive emails:
Confirm your App Password was entered correctly
Ensure your Gmail account is not blocking outbound activity
Double-check that your time zone string matches the official naming convention
Use a secondary email address to confirm if messages are being blocked by your provider
Once configured, your Validator node will monitor its cluster participation status and email you alert messages and daily status reports, helping you stay informed even when you’re away.
e.g.) nodeadmin
✅ Check your SSH key pair file names
Private key must match the server's authorized key.
✅ Confirm correct permissions
private key should be read-only: chmod 400
✅ Ensure the public key exists on the server in the correct location
✅ Confirm the private key file exists locally
Is it correctly referenced by your SSH command?
Many ISPs assign dynamic IP addresses to customer routers.
A change in your IP may cause your cloud provider’s firewall to block your SSH attempts.
Your SSH terminal or remote connection application sits idle and eventually shows Connection timed out messages.
Terminal or remote terminal application will show a blank screen only
No password or key prompts appear
Not entering the SSH connection string and attempting to run commands locally instead of through your SSH tunnel.
💡 Example:
Try connecting again after updating the rules.
Ensure the private key file:
Still exists in the expected location
Has not been renamed or moved
Is intact and not corrupted
Has the proper permissions
Important: Once resolved, create a backup of your SSH keys if you haven’t already.
If you can still access your VPS through your cloud provider's web console:
Re-Attempt to create an SSH connection to your node.
Visit your cloud provider’s main dashboard
Look for service alerts
If the console is also unreachable, check external outage reports
From the cloud console, check the status of your VPS instance
Ensure it’s running and not reporting hardware or OS-level errors
If you cannot connect to any external site or service, confirm your own network is online
Restart your router/modem if necessary and try again later
local
This refers to the system you are currently using to administer all commands. It is typically a Macintosh, Windows 11 PC, mobile phone, or tablet. It is the physical device directly in front of you.
remote
This is the VPS or cloud-based server that you are attempting to connect to in order to perform administrative tasks.
VPS
Virtual Private Server (a server in the cloud). If you are not using a VPS, a bare metal or dedicated server can be used as a substitute for all references to a VPS in these guides.
IP address
The Internet Protocol (IP) address is assigned independently to both your local and remote systems. This address is similar to a mailing address like 123 Main Street, CA 94015, it tells network devices how to locate and communicate with each other.
tcp port
Transmission Control Protocol (TCP) can be thought of like a dedicated channel on your TV or streaming service. In this guide, we’ll focus on port 22, which is the default "channel" used for SSH (Secure Shell) remote access. It’s similar to switching your remote to channel 22 to securely connect to your VPS. On the other end of the connection, your VPS is actively listening on port 22 for incoming requests from your local machine to establish a secure session. ( note this port is configurable; does not need to be port 22 )
Public Key
This is an encryption key that we share with others, which can decrypt any communication between our local and remote systems. It can only decrypt messages that were encrypted using our private key.
Private Key
We use this encryption key that is never shared with anyone. The SSH protocol uses this private key to encrypt data on the local system before transmitting it over the Internet to the remote system, which holds the corresponding public key. Only this public key can decrypt messages that originate from our private key.
We will need to identify a few things (parameters) before we connect to our VPS.
See terminology for references.
We should have our notes accessible to identify the parameters below:
private key name
What did we use when we created our VPS originally?
private key location
We need to know the full system path to the private key we created so that we can instruct the SSH protocol utility (which is installed by default on most systems) where to locate and use it.
remote username
When we created our VPS, which non-root user account did we set up?
IP address
What is the IP address of our remote VPS?
Did we configure a unique custom port or use the default SSH assigned TCP Port?
You most likely have not configured a custom TCP port to connect to your VPS; however, using a as it can provide an additional layer of security for your VPS.
13.13.13.13

You are using Debian Ubuntu as your distribution. If you are not, please substitute ubuntu for root throughout this document.
The username alice or Alice should be replaced with your actual local username on your Windows or Macintosh system.
We are using an ed25519 SSH key pair ( replace with rsa otherwise )
🪟 Launch Windows Terminal and select a PowerShell tab (or Command Prompt if you prefer).
You may also decide to use remote access tools such as Termius or PuTTY
Termius: /
PuTTy:
🍎 Press ⌘ Space, type Terminal and hit Enter.
🐧 From the GUI launch a terminal app.
If on the command line, no action needed.
This step assumes root as the default username created by the cloud provider for first time access. Depending on the cloud provider this username may be different. You may need to try all three options through process of elimination to gain initial access.
Just to make sure everything is nicely updated on your Linux VPS, we will perform some updates and upgrades.
During the upgrade process, you may encounter a PURPLE dialog box asking you to select a few options. Since our node doesn’t require any special Debian configuration, just keep the default settings.
If you receive a purple box, on your keyboard hit the tab to move to the OK
Keep your private key secure: Never share it, and use a strong passphrase.
Use Keychain (macOS) or ssh-agent (Windows) to avoid re-entering the passphrase each session. ( Out of scope of this document ).
Regularly update your local OpenSSH client and your VPS’s OpenSSH server to the latest stable versions.
Before starting the setup process, it is strongly recommended that you create a dedicated backup file to store critical information. This file should be securely saved on a USB stick (thumb drive), a remote secure location, or even printed and stored physically for safekeeping.
Store this file securely and offline.
If it is compromised, it could lead to unauthorized access to your validator node and potentially result in financial losses.
Treat it with the same level of caution as you would sensitive personal or banking information.
Windows 11 (fully updated)
OpenSSH client (comes pre-installed on Windows 11)
Access to Windows Terminal, PowerShell, or Command Prompt
You can use any of the following:
Command Prompt
PowerShell
💡 To open: Press Win + X → choose Terminal.
By default, Windows will open PowerShell when launching a terminal session. For the purposes of this guide, we will use PowerShell as the default, as it should not make a difference for the steps involved.
If you're more comfortable using Command Prompt or another terminal, feel free to do so, just ensure any command syntax aligns accordingly.
Run the following command to generate a new ED25519 SSH key:
Explanation:
-t ed25519 → use ED25519 algorithm (modern, fast, and secure)
-C "comment" → optional label (typically your email address)
For anonymity purposes, it is recommended not to include personal information (such as your name or email address) in the comment section when creating your SSH key.
Instead, you may choose to use a descriptive comment that helps you identify the key’s purpose later.
You’ll see a prompt like:
Options:
Press Enter to save in the default location:
C:\Users\YourName\.ssh\constellation_network_keypair
Or type a custom path and filename if you want. Leaving the key in the default location will help us later in the documentation and is best practice.
⚠️ Remember the location. Update your notes with the location now.
You’ll be prompted to enter a passphrase:
You can press Enter to skip this step (absolutely not recommended).
Or type a secure passphrase and press Enter.
⚠️ Remember the passphrase! You’ll need it every time you use the key. Update your notes with the location now.
By default, two files are created in C:\Users\YourName\.ssh:
Private key → constellation_network_keypair
Public key → constellation_network_keypair.pub
⚠️ Remember the file names! You will need to remember your private key every time you attempt to connect to your node. Update your notes with the location now.
When the time comes for you to upload your public key to your VPS, you can return to this section to remind yourself how to do so.
Firewalls
Intrusion Detection and Prevention Systems (IDS/IPS)
Email spam filters
Endpoint protection
Credential management systems
These measures are in place to prevent unauthorized access, data breaches, or misuse of system resources.
Unlike enterprise-grade infrastructure, as a Constellation Node Validator Operator, you're responsible for a single VPS instance that connects directly to the public internet, often without intermediary security devices or professional oversight.
This makes your system a high-value target for attackers. Once compromised, malicious actors can:
Steal your wallet credentials
Hijack your node resources
Use your system as a pivot point to exploit other services
To prevent this, you must manually enforce best-practice security configurations.
When defining firewall rules to restrict access to your VPS, you’ll need to specify your current public IPv4 address.
Steps:
Open your web browser.
Navigate to: https://www.whatismyip.com
Look for the section labeled "My Public IPv4:"
Record this IP address. This is the address you’ll allow through your VPS firewall.
🔁 Repeat this process for each trusted location from which you plan to access your node (e.g., home, office, mobile hotspot).
If you plan to use mobile apps to connect to your VPS:
Be aware that mobile IP addresses often change and are part of large, dynamic subnet ranges.
For security, avoid allowing full open access unless absolutely necessary.
Alternatively, you can configure two firewall rule sets:
Locked-down mode (only allows known IPs)
Travel mode (temporarily opens access when you’re on the move)
Subnet-based access control from mobile networks is more advanced and outside the scope of this document. Only use this approach if you understand the implications.
By proactively applying these security best practices, you help safeguard your node from attacks and maintain your reliability as a participant in the Constellation Network.
Constellation Network's Node Spec Requirements.
View specs starting here.
As with any cryptographic ecosystem, there are specific hardware requirements that must be met to ensure your node operates securely, efficiently, and reliably within the Constellation Network’s ecosystem.
Meeting these requirements is essential for maintaining node performance, ensuring compatibility with consensus protocols, and avoiding issues related to resource limitations.
Constellation Network currently supports two distinct types of nodes across its Hypergraph and metagraph infrastructure:
Constellation Network Hybrid Validator Node
Dor Validator Data Layer 1 Node
A VPS (Virtual Private Server) is a virtualized environment running on a physical machine that shares resources (tenancies) with other instances. This makes it a more cost-effective option for operators who are just getting started.
A group of these VPS instances forms what is commonly referred to as the "cloud."
In contrast, a dedicated bare metal server is a physical machine allocated to a single tenant. It offers exclusive access to all hardware resources and typically provides higher performance and configurability. Many cloud providers offer both VPS and dedicated server options, depending on your needs.
Constellation Network does not require or prefer one over the other.
You are free to choose the infrastructure that best fits your technical experience, performance expectations, and budget.
A bare metal server is a physical machine designed to run dedicated services for a single tenant. Unlike virtualized environments, bare metal servers provide full access to the underlying hardware, offering maximum performance, control, and customization.
You can run a bare metal server from various environments, including:
A personal data center
A colocation facility
A private office
Even from your home, if conditions allow
Because you have full control over both hardware and software, this setup is best suited for advanced operators who need:
Greater resource allocation
Custom system configurations
Specialized networking or storage requirements
Due to the complexity and responsibility involved, bare metal servers are not recommended for beginners or casual operators.
A Hybrid Node is required to operate on both the:
Global Layer 0 – the global consensus and infrastructure layer
DAG Layer 1 – the native currency and transaction layer for the $DAG token
This dual-role node type is commonly referred to as a Hybrid Validator Node.
To ensure reliable and efficient performance, hybrid nodes must meet the following minimum hardware specifications:
A Dor Node is required to operate on both the:
Data Layer 1 Metagraph – the data validation layer for the Dor metagraph
To ensure reliable and efficient performance, hybrid nodes must meet the following minimum hardware specifications:
Linux Debian-based distribution
Ubuntu 24.04
Debian 12
Java 11
Constellation Network's Tessellation is developed to run on any Debian distribution with Java 11 installed.
The nodectl utility was developed to run specifically on Ubuntu 24.04 and Ubuntu 22.04.
Ubuntu uses the convention of .04 to represent versions of their Debian distribution that are LTS (long-term support), and .10 for their more "experimental" short-term support releases.
It is highly recommended to use a .04 version release.
Build a Hetzner specific Cloud Resource Server
Please make sure you created your SSH key pairs prior to starting these steps.
SSH Remote Access
Creating your account on Hetzner is a simple process similar to all other SaaS model services. At the current time, we will leave this process up to you.
You are now ready to continue to connect to your node for the first time, install nodectl and turn your VPS into a Constellation Network Validator Node!
This is a generic guide created to assist you in building a Constellation Network validator node.
If you are going to build your VPS on a cloud provider for which we offer a specific guide, skip this document and move directly to one of those guides:
AWS
Digital Ocean
Hetzner
This guide does not include cloud provider-specific steps or images. You may use the specific cloud provider documentation.
There are many cloud providers available to choose from, and unfortunately, we cannot cover each one in these tutorials and guides.
We encourage you to research and select a provider that best fits your needs in terms of performance, pricing, reliability, and regional availability.
You may also:
Adapt an existing setup guide by intuitively translating the steps to match your chosen provider’s interface.
Ask for advice or recommendations in the Constellation Network Official Discord channel, where community members and team members can share their experience and guidance.
The right provider is the one that aligns best with your technical comfort level and validator node requirements.
While this guide provides generic, provider-agnostic steps to help you build a VPS on any cloud service, it is designed so you can follow along using intuitive actions regardless of the platform.
However, if you prefer a more tailored experience, you may choose to opt into service-specific guides that have been prepared for popular providers. These offer more detailed, platform-specific instructions to streamline the setup process.
Choose the path that best fits your comfort level and desired level of guidance.
It's recommended to create your firewall policy (also known as a Security Group) before launching your VPS. Doing this upfront allows you to immediately assign the correct firewall rules when the VPS is created, ensuring proper and secure access from the start.
Do NOT rely on software firewalls such as UFW (Uncomplicated Firewall) or IP Tables for securing your validator node.
Because your node will have
If your cloud provider of choice does not offer built-in firewall or security group features, it is strongly advised not to use that provider for hosting your validator node.
This checklist is intended for advanced users who are not following a pre-configured cloud provider guide.
If you’re building your Validator node manually on a custom VPS or bare-metal environment, use this sequence to ensure a complete and secure setup.
These steps assume familiarity with manual system setup, firewall management, and node operations. Be sure to follow official documentation closely when applying any configurations related to the Tessellation protocol or node lifecycle.
Convert a Version 1 p12 keystore to Version 2 for operations on Constellation Network.
Constellation Network has introduced a new version 2 standard for .p12 keystore files. These updated keystores are now required to access the Hypergraph and metagraph clusters.
Version 1 .p12 files are no longer supported.
This guide is intended to help Node Operators still using version 1 .p12 files migrate their private key to the updated version 2 format, ensuring compatibility with current network requirements.
nodectl
If you already have nodectl running:
Upload your version 1 .p12 file using the restore process.
Refer to platform-specific steps:
Restore .p12 from macOS
⚠️ Caution: Do not overwrite an existing or active .p12 file in a running Validator node environment.
If you don’t have an existing node:
Provision a new Linux VPS (Debian-based preferred).
Upload your version 1 .p12 file.
Install nodectl following the official documentation.
💡 Note: This VPS will not be used to run a Validator node. Its purpose is solely to install the required tools for migration.
✅ Minimum Requirements:
30GB of disk space
Internet connectivity
SSH access
Alternatively, install the required components manually:
java
haveged
cl-keytool.jar
cl-wallet.jar
📎 Still ensure the VPS or machine has at least 30GB of available disk space.
Once setup is complete, proceed with the following steps.
.p12 File
Place your original version 1 .p12 file (from macOS or Windows) into the working directory of your VPS.
Example path:
Export the following environment variables using your .p12 file details. Be precise—use double quotes and match spacing exactly.
Confirm the exports:
Expected output:
Run the following command to migrate the .p12 file to version 2 format:
✅ If successful, no output will appear. If there's an issue, an error will be printed.
List the directory to verify that a new version 2 .p12 file has been created:
Expected output (example):
.p12 File
Update your CL_KEYSTORE variable to point to the new file:
Now display the public key to confirm the file is valid:
Example output:
Your .p12 file is now migrated from version 1 to version 2.
🔒 Important: Store the original version 1 file in a secure, offline (air-gapped) location temporarily.
To fully validate your new .p12 file:
Connect to the appropriate Constellation cluster (Layer0 or Layer1).
Export and verify the private key.
Use the new file in your validator setup or wallet integration.
If you want to use the original filename, rename your new file:
nodectl Configuration (If Applicable)
If you're using nodectl and kept the _v2 filename, make sure to update the configuration:
This ensures nodectl references the correct .p12 file for all future operations.
You have now successfully migrated and verified your .p12 keystore to the latest version, ensuring your validator remains compatible with Constellation Network's current infrastructure.
This page is a dedicated procedure specifically for upgrading your Constellation Network node from Tessellation v2 to Tessellation v3.
With the exciting announcement that the Constellation Network's MainNet will be upgraded to a stable release of v3, this documentation provides a straightforward guide to help you through the process.
It outlines what to expect and the steps required to upgrade from v2 to v3, ensuring a smooth and successful transition.
The latest version of Tessellation is a major upgrade that introduces breaking changes
[email protected]:~# sudo nodectl version
VERSION MAJOR MINOR PATCH CONFIG
vX.XX.X X X X vX.X.X

sudo apt -y update && sudo apt -y upgrade
sudo apt -y install haveged
sudo apt -y install default-jdk

sudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/mainnet-seedlist -O /var/tessellation/seed-list -o /dev/null

export CL_EXTERNAL_IP=113.113.113.113
export CL_KEYALIAS="myConstellationAlias"
export CL_KEYSTORE="/home/nodeadmin/tessellation/myconstellation.p12"
export CL_APP_ENV="testnet"
export CL_PUBLIC_HTTP_PORT=9000
export CL_P2P_HTTP_PORT=9001
export CL_PASSWORD="my_p12_keystore_pass"

java -jar /var/tessellation/cl-keytool.jar generate

chmod 600 ~/tessellation/myconstellation.p12

/usr/bin/java -jar '-Xms1024M' '-Xmx7G' '-Xss256K' /var/tessellation/cl-node.jar run-validator --seedlist /var/tessellation/seed-list &
/usr/bin/java -jar '-Xms1024M' '-Xmx3G' '-Xss256K' /var/tessellation/cl-dag-l1.jar run-validator --public-port 9010 --p2p-port 9011 --cli-port 9012 &

curl -X POST http://127.0.0.1:<private_cli_port>/cluster/leave

ps -ef

kill <process_no>

cd ~
mkdir constellation-backup
cd ~/constellation-backup

sftp -i ~/.ssh/my-node-ssh-keyname [email protected]

cd /home/nodeadmin/tessellation
ls -l

-rw-r--r-- 1 nodeadmin nodeadmin 31 Jun 11 14:28 my-p12file.p12

get my-p12file.p12

100% 31 0.3KB/s 00:00

exit

sftp -i ~/.ssh/my-node-ssh-keyname [email protected]

cd /home/nodeadmin/tessellation

put my-p12file.p12

Uploading my-p12file.p12 to /home/nodeadmin/tessellation/my-p12file.p12
100% 31 0.6KB/s 00:00

exit

sudo nodectl auto_restart alert_test

ssh -i ~/.ssh/my_identity_file [email protected]
ssh: connect to host 13.13.13.13 port 22: Operation timed out

sudo nodectl configure -n -cb -d

The nodectl utility will automatically configure basic SSH restrictions, including disabling root login and enabling IP-based access control.
However, you must manually obtain and configure your IP address during the firewall setup process to complete this protection.

Instead, always use your cloud provider’s built-in firewall or security group features to manage port access and protect your server at the network level.
Choose a provider or hardware setup that meets or exceeds the minimum system requirements.
constellation-backup

Bandwidth: 2 TB/month | 10 TB/month
OS: Ubuntu 22.04 LTS (64-bit) | Ubuntu 24.04 LTS (64-bit)
Architecture: x86_64 | x86_64

Bandwidth: 1 TB/month | 5 TB/month
OS: Ubuntu 22.04 LTS (64-bit) | Ubuntu 24.04 LTS (64-bit)
Architecture: x86_64 | x86_64

CPU: 8 vCPUs | Greater than 8 vCPUs
RAM: 16 GB | 32 GB
Disk: 320Gb | 500Gb
Storage Type: SSD | NVMe / NVM

CPU: 2 vCPUs | Greater than 2 vCPUs
RAM: 2 GB | 4 GB
Disk: 40Gb | 80Gb
Storage Type: SSD | NVMe / NVM
cl-wallet.jar - Wallet tool utility specific to Constellation Network's Tessellation
Click the right-arrow (>) to open
Under Select app, choose Other (Custom name)
Enter a name (e.g., constellation_alerts)
Click Create
Copy the generated app password (token) and store it securely
⚠️ This password will only be shown once.
If lost, delete and recreate it.
Do not use shortcuts like EST or CET.
token: The App Password (token) you generated
send method: Use multi (recommended) or single
recipient emails: Comma-separated list of emails ([email protected],[email protected])
time zone: Your exact timezone string (e.g., America/Los_Angeles)
begin alerting hour: Start time for alerts in UTC (e.g., 0 for always)
end alerting hour: End time for alerts in UTC (e.g., 0 for always)
send report hour: Hour (UTC) to receive daily report (e.g., 13 for 1 PM UTC)
gmail account: The Gmail address used to send alerts
DigitalOcean: Update Firewall settings
Hetzner: Follow DigitalOcean-style firewall update workflow
Refer to the Cloud Provider Specific Guides.
🔐 Important:
If your passphrase is encrypted, it will not be visible. Ensure you have the passphrase securely stored before proceeding.
If disabled, skip to Update OS Packages step.
auto_restart
auto_upgrade
on boot
Choose q to exit.
If prompted to migrate your node configuration, select:
y to confirm migration
n if asked to upgrade nodectl again immediately after migration
Preserve global .p12 details: y
Remove old service files: y
🏗️ The nodectl utility will automatically build your new service files for you.
Restore .p12 from Windows
1 | Live Constellation Validator Node | Utilize an existing Constellation Network validator node with all components already installed.
2 | Ephemeral VPS with nodectl | Build a temporary VPS, install nodectl, use its utility to migrate your p12 from version 1 to version 2.
3 | Load utilities necessary only | Use an existing or build a temporary VPS and only install the utilities necessary to complete this guide.

root: Digital Ocean or Hetzner may use this as the default.
ubuntu: AWS may use this as default.
admin: Debian 12 users may need to use the admin username as the default for initial connections.
Remember we are using generic names, locations and IP address for your SSH key and VPS external IP address.
ssh -i C:\Users\Alice\.ssh\node_private_key [email protected]

ssh -i /Users/alice/.ssh/node_private_key [email protected]

ssh -i /home/alice/.ssh/node_private_key [email protected]

Compare that value against what your SSH client displays.
In most cases, because you are manually making this connection, you can be confident you’re connecting to the correct host. However, when handling remote connections, always exercise extra caution.
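The comparison described above can be done mechanically. This is an added example, not part of nodectl or the original guide: it derives the SHA256 fingerprint that an OpenSSH client prints on first connection from a host public key line and compares it with the prompt text. It assumes you obtained the host's public key line out of band (for example from your provider's web console); the key below is constructed and all function names are hypothetical.

```python
"""Derive the SHA256 fingerprint an OpenSSH client shows on first connect.

Added example: the host key is constructed, not a real server's key.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str):
    """Split '<type> <base64> [comment]' and validate the decoded blob.

    Returns (key_type, blob). Raises ValueError if the blob is not valid
    base64 or does not begin with the key type named in the first field.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob


def sha256_fingerprint(line: str) -> str:
    """Return 'SHA256:<unpadded base64 of sha256(blob)>' for a key line."""
    _, blob = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_prompt(line: str, prompt_text: str) -> bool:
    """True if the fingerprint quoted in the client's prompt matches the key."""
    expected = sha256_fingerprint(line)
    for word in prompt_text.split():
        candidate = word.rstrip(".")  # the prompt ends the sentence with '.'
        if candidate.startswith("SHA256:"):
            return candidate == expected
    return False  # no fingerprint found in the prompt: treat as a mismatch


# Constructed host key: a well-formed ssh-ed25519 blob with dummy key bytes.
CONSTRUCTED_HOST_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode("ascii") + " constructed-example"

# The placeholder prompt line shown in this guide (not a real fingerprint).
GUIDE_PROMPT = "ECDSA key fingerprint is SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890+=."

if __name__ == "__main__":
    print(sha256_fingerprint(CONSTRUCTED_HOST_KEY))
    print("matches guide placeholder:", matches_prompt(CONSTRUCTED_HOST_KEY, GUIDE_PROMPT))
```

Answer yes at the prompt only when the two values match.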
CONTINUE
CONFIRM
Command + Space to open Spotlight Search.
Type Terminal and hit Enter.
To generate a new key using the Ed25519 algorithm (recommended):
You'll see something like:
Options:
Press Enter to save in the default location:
/Users/yourname/.ssh/constellation_network_keypair
Or type a custom path and filename if you want. Leaving the key in the default location will help us later in the documentation and is best practice.
⚠️ Remember the location. Update your notes with the location now.
You can press Enter to skip this step (absolutely not recommended).
Or type a secure passphrase and press Enter.
⚠️ Remember the passphrase! You’ll need it every time you use the key. Update your notes with the location now.
By default, two files are created in /Users/yourname/.ssh/:
Private key → constellation_network_keypair
Public key → constellation_network_keypair.pub
⚠️ Remember the file names! You will need to remember your private key every time you attempt to connect to your node. Update your notes with the location now.
sudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/cl-node.jar -P /var/tessellation; sudo chmod +x /var/tessellation/cl-node.jar
sudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/cl-dag-l1.jar -P /var/tessellation; sudo chmod +x /var/tessellation/cl-dag-l1.jar
sudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/cl-wallet.jar -P /var/tessellation; sudo chmod +x /var/tessellation/cl-wallet.jar
sudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/cl-keytool.jar -P /var/tessellation; sudo chmod +x /var/tessellation/cl-keytool.jar

ssh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address>

sudo nodectl configure -e -cb -d

N) Setup Alerting

Q)uit

sudo nodectl auto_restart send_report

cd ~/.ssh
ls -l

ls -l /root/.ssh/
ls -l /home/ubuntu/.ssh/
ls -l /home/admin/.ssh/

sudo nodectl enable_root_ssh

sudo cp /root/.ssh/mypublickey.pub /home/nodeadmin/.ssh/mypublickey.pub

sudo chown nodeadmin:nodeadmin /home/nodeadmin/.ssh/mypublickey.pub

sudo nodectl disable_root_ssh

ssh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address>

sudo nodectl view_config --section global_p12

sudo nodectl auto_restart status

sudo nodectl configure -e -cb -d

sudo nodectl upgrade_vps

sudo nodectl reboot

sudo nodectl check_versions

NODECTL VERSION MATCH: True

sudo nodectl upgrade_nodectl

sudo nodectl stop -p intnet-l0 --leave
sudo nodectl stop -p intnet-l1 --leave

sudo nodectl execute_starchiver -p dag-l0 --restart

sudo nodectl upgrade --ni

/home/nodeadmin/tessellation/

export CL_KEYALIAS="myConstellationAlias"
export CL_KEYSTORE="/home/nodeadmin/tessellation/myconstellation.p12"
export CL_PASSWORD="my_password"
export CL_STOREPASS="my_storepass_passphrase"
export CL_KEYPASS="my_keystore_passphrase"

env | grep CL_

CL_KEYALIAS=myConstellationAlias
CL_KEYSTORE=/home/nodeadmin/tessellation/myconstellation.p12
CL_PASSWORD=my_password
CL_STOREPASS=my_storepass_passphrase
CL_KEYPASS=my_keystore_passphrase

java -jar /var/tessellation/cl-keytool.jar migrate

ls -l

-rw-r--r-- 1 nodeadmin nodeadmin 1094 May 26 12:17 myconstellation_v2.p12

export CL_KEYSTORE="/home/nodeadmin/tessellation/myconstellation_v2.p12"

java -jar /var/tessellation/cl-wallet.jar show-public-key

EC Public Key [ee:ff:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99:aa:bb:cc]
X: abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890
Y: 111222333444555666777888999101010111111121212131313141414151515a

mv /home/nodeadmin/tessellation/myconstellation_v2.p12 /home/nodeadmin/tessellation/myconstellation.p12

sudo nodectl configure

The authenticity of host '13.13.13.13 (13.13.13.13)' can't be established.
ECDSA key fingerprint is SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890+=.
Are you sure you want to continue connecting (yes/no)?

The authenticity of host '13.13.13.13 (13.13.13.13)' can't be established.
ECDSA key fingerprint is SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890+=.
Are you sure you want to continue connecting (yes/no)? yes

ubuntu@your-vps-name:~$

sudo nodectl update && sudo nodectl upgrade

ssh-keygen -t ed25519 -C "constellation network"

Enter file in which to save the key (/c/Users/YourName/.ssh/id_ed25519):

Enter passphrase (empty for no passphrase):

Microsoft Windows [Version 10.0.22631.5189]
(c) Microsoft Corporation. All rights reserved.
C:\Users\MyUser>cd .ssh
C:\Users\MyUser\.ssh>dir
Volume in drive C is Windows-SSD
Volume Serial Number is ZZZZ-ZZZZ
Directory of C:\Users\MyUser\.ssh

ssh-keygen -t ed25519 -C "constellation network"

Enter file in which to save the key (/Users/yourname/.ssh/id_ed25519):

Enter passphrase (empty for no passphrase):

Rest your mouse over EC2 Virtual Services in the Cloud
Click on Dashboard in the top features section.
Decide on a key pair name that you will use to identify your key pair later.
You should have already created your SSH keys; if not, please do so and return to this step.
Click Browse to navigate to your public key on your local system, select that key, and choose Open
Import key pair
You will be returned to the Key pairs console and should see your key pair in the list (table) of the console with details about the key.
Create a new security group.
Leave the VPC at the default.
Select Type SSH
Please refer to Wide Open SSH Access document for details on the security implications of allowing any system that is connected to the internet to have access to your SSH port. This document contains instructions on how to determine your local IP address for entry in this section.
Destination choose Custom
We will assume you decided to use a static IP address, in this example our static IP address is 13.13.13.13/32 ( Do NOT use this address, it is an example only. ) Type in 13.13.13.13/32 into the box and the blue CIDR block item will auto-populate, select it.
Choose the Add rule again.
This rule is designed for both Hypergraph hybrid validator nodes (DAG layer 1) and Dor data layer 1 nodes.
Select Type Custom TCP
Port Range 9010-9011
Destination Anywhere-IPv4
Hypergraph Hybrid Nodes ONLY
This rule is designed for validator Hypergraph layer0 nodes.
Choose the Add rule again
Select Type Custom TCP
Port Range 9000-9001
Destination Anywhere-IPv4
Click the Create security group button
You will be returned to the security group console and you should see your security group in the list table.
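The inbound rules defined in the steps above can be checked before they are attached to a VPS. The following is an added example, not part of nodectl or any cloud provider's tooling: it audits a list of inbound rules against the policy this guide describes (SSH only from recorded addresses, 9010-9011 open for layer 1, 9000-9001 open for hybrid nodes only). The rule format, function name and rule sets are assumptions constructed for illustration; 13.13.13.13 is the guide's own placeholder address.

```python
"""Audit inbound firewall rules against the access policy in this guide.

Added example. The rule format is an assumption; the rule sets are constructed.
"""
import ipaddress

SSH_PORT = 22
# Ports the guide opens to Anywhere-IPv4, per node type.
PUBLIC_PORTS = {
    "hybrid": {9000, 9001, 9010, 9011},  # layer 0 plus DAG layer 1
    "dor": {9010, 9011},                 # data layer 1 only
}


def audit_rules(rules, node_type, trusted_ips):
    """Return a list of findings; an empty list means the rules match policy.

    rules       -- dicts of the form {"ports": (low, high), "source": "<cidr>"}
    node_type   -- "hybrid" or "dor"
    trusted_ips -- public IPv4 addresses recorded for each trusted location
    """
    allowed_public = PUBLIC_PORTS[node_type]
    trusted = {ipaddress.ip_address(ip) for ip in trusted_ips}
    findings, opened = [], set()

    for rule in rules:
        low, high = rule["ports"]
        ports = set(range(low, high + 1))
        source = ipaddress.ip_network(rule["source"], strict=False)
        open_to_all = source.prefixlen == 0  # 0.0.0.0/0 or ::/0

        if SSH_PORT in ports:
            if open_to_all:
                findings.append(f"SSH is open to {source}; allow known IPs only")
            elif source.num_addresses > 1:
                findings.append(f"SSH source {source} is a range, not one host")
            elif source.network_address not in trusted:
                findings.append(f"SSH source {source} is not a recorded IP")
            ports.discard(SSH_PORT)

        unused = ports - allowed_public
        if unused:
            findings.append(
                f"rule {low}-{high} from {source} exposes {len(unused)} port(s) "
                f"a {node_type} node does not listen on"
            )
        if open_to_all:
            opened |= ports & allowed_public

    missing = sorted(allowed_public - opened)
    if missing:
        findings.append(f"node ports not reachable from the internet: {missing}")
    return findings


TRUSTED = ["13.13.13.13"]  # the guide's placeholder address

# Constructed rule sets: locked-down mode, travel mode, and a Dor node that
# reused the hybrid rules (opening 9000-9001 with nothing listening).
LOCKED_DOWN_HYBRID = [
    {"ports": (22, 22), "source": "13.13.13.13/32"},
    {"ports": (9000, 9001), "source": "0.0.0.0/0"},
    {"ports": (9010, 9011), "source": "0.0.0.0/0"},
]
TRAVEL_MODE_HYBRID = [{"ports": (22, 22), "source": "0.0.0.0/0"}] + LOCKED_DOWN_HYBRID[1:]
DOR_WITH_LAYER0_PORTS = list(LOCKED_DOWN_HYBRID)

if __name__ == "__main__":
    for name, rules, kind in [
        ("locked-down hybrid", LOCKED_DOWN_HYBRID, "hybrid"),
        ("travel-mode hybrid", TRAVEL_MODE_HYBRID, "hybrid"),
        ("dor with layer 0 ports", DOR_WITH_LAYER0_PORTS, "dor"),
    ]:
        print(name, "->", audit_rules(rules, kind, TRUSTED) or "OK")
```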
24.04 Leave the default options
Private Key Location
windows
Macintosh
VPS username: nodeadmin
Local username: MyUser
Remote IP address: 13.13.13.13
SSH Port: 22 ( default port )
Macintosh
Custom port ( example: port 2222 )
Private Key Name
my_private_key
Select x86 (Intel/AMD)
Once selected a table of resource types will populate. You may choose a resource name from the list that best meets the specs requirements for your type of validator node.
Hypergraph Hybrid Nodes
CPX51 is recommended
CX52 is also recommended if available
CPX41 may suffice; however, you will run into disk space issues, so be cautious.
Dor Data Layer 1 Nodes
CX22
CPX11
Rest your mouse over the 🏠 button on the left side panel.
Choose Firewalls.
From the Inbound rules section, you should see a TCP ➡️ 22 rule.
Please refer to the Wide Open SSH Access document for details on the security implications of allowing any system that is connected to the internet to have access to your SSH port. This document contains instructions on how to determine your local IP address for entry in this section.
If you decide to leave your SSH access wide open you can skip to the next step.
Click on Any IPv4 (it will turn red), then click delete to remove it.
Click on Any IPv6 (it will turn red), then click delete to remove it.
Type in the IP address you retrieved that is allocated to your local system into the same box to replace the Any IPv4 and Any IPv6 entries, and hit enter.
Replace the Add description with SSH
Dor data layer 1 nodes do not use these port settings. Opening these ports will offer attackers an open port to your VPS without a service listening on the inside. This is not recommended.
Repeat the previous step to add a rule for Layer0.
Ports 9000 and 9001.
Click on the Create Resource button.
Choose Servers.
These requirements ensure that all operators are properly aligned with the Dor metagraph’s standards for security, performance, and community involvement.
To qualify as a Dor metagraph Validator, you must accumulate and prepare the required staking collateral.
This collateral is essential to participate in validation activities and maintain eligibility within the Dor metagraph network cluster.
Set Up a Stargazer Wallet
If you don’t already have a Stargazer wallet, create one by following the
Confirm $DOR Token collateral
Having the required collateral is a critical prerequisite for qualifying to operate a Dor validator node on the Dor metagraph.
The below 👇 procedures and steps will be fully covered in the technical procedures section of the documentation website.
At this stage, you are only expected to read and understand these steps; do not attempt to perform them yet.
Familiarizing yourself with the process in advance will help ensure a smoother experience when it is time to begin the technical setup.
Once your application is approved, you can begin the technical steps to build and activate your Dor validator node.
Once the Lattice team receives your node ID, they will update the necessary permissions to authorize your node to join the Dor Metagraph cluster.
This step is essential to grant your node access and allow it to begin participating in the network. Make sure your node ID is submitted accurately to avoid delays in onboarding.
Your validator node will operate using a hot wallet.
This means that if your P12 keystore is accessed or compromised, it could have serious operational and financial consequences.
In most cases, you will not be able to directly export your existing wallet for use on your Dor validator node.
If you are an advanced user with experience in wallet management and security, you may choose to:
Export the private key from your existing wallet
Import it into the P12 keystore configured on your node
This process requires a solid understanding of key management and security best practices. Improper handling can compromise your wallet and jeopardize the integrity of your node.
From a Node Operator’s perspective, the Constellation Network Team has worked diligently to ensure that all necessary components are in place for a simple and seamless migration from version 2 to version 3.
If you plan to upgrade manually using Constellation Network's nodectl utility, you should disable auto-restart and auto-upgrade features before the cluster upgrade (restart) begins.
Failing to do so may break your manual upgrade sequence, as the auto upgrade could interfere with the manual intervention process.
In order to utilize the nodectl utility to run Tessellation v3 you will need to be running version v2.15.2 or newer of nodectl. Version v2.17.3 is recommended.
These steps will be covered in this guide.
Please follow the nodectl upgrade path properly to ensure you do not run into any inconsistencies or issues later.
The nodectl utility v2.15 will be the final version to support the following Debian-based distributions:
Ubuntu 20.04 and earlier
Debian 11 and earlier
You may safely upgrade nodectl to 2.15.2 and continue using the listed Debian-based distributions.
If mission-critical updates (hotfixes) are required, they will be supported for this version until June 2025.
Do not upgrade to nodectl v2.16.0 (or higher) if you are running any version of Debian or Ubuntu listed above.
Starting with v2.16.0 and beyond, support for these operating systems is officially removed.
To continue receiving updates, improvements, and full support, please upgrade your operating system to a supported version.
Please follow the correct upgrade path to ensure your node remains manageable by nodectl and does not encounter compatibility issues.
You may replace v2.17.3 with v2.15.2 if necessary.
If there are multiple versions between your current version and v2.17.3, you must follow the correct upgrade path.
If you have auto-upgrade enabled on your node, nodectl will automatically detect the upgrade and attempt to perform all necessary migration steps as outlined in the next section.
However, it's important to keep two key points in mind when relying on auto-upgrade:
The migration may take time. Interrupting it can cause the node to fail the migration, leading to recovery behavior where the node attempts to download all snapshots from genesis. This introduces two major issues:
⏳ It may take days to download all snapshots.
💾 You may retain residual v2 snapshots, which could consume excessive disk space and potentially cause your node to run out of storage.
If you're returning to check the results of an upgrade hours after it occurred, simply run the following command to verify that your node is in Ready state.
If you plan to be actively available during the upgrade, follow these steps to ensure your node re-joins the cluster properly and to avoid any unexpected issues:
Allow the upgrade process to complete without interruption
Alternatively, monitor the node closely during the process.
If you have auto restart with auto upgrade enabled, and the cluster has already restarted, do not attempt to upgrade. This may cause unexpected behavior.
You will perform the upgrade as normally done, no additional steps required. The nodectl utility will disable auto restart if it is engaged, and reengage upon completion.
or
use the --ni option ( non-interactive )
This option will choose all the default options for any questions normally asked by nodectl during the installation process.
Before downloading the latest Tessellation binaries and attempting to rejoin the network cluster, it is strongly recommended to migrate your snapshot data directories from the old v2 structure to the new v3 structure.
The Constellation Network team has provided a data migration script to assist with this process, located here.
⚠️ Failure to migrate will result in your node attempting to redownload and install all snapshots from genesis, which can lead to delays and increased resource usage.
Before launching your validator node on DigitalOcean, it is recommended to add a valid payment method to your account.
You are now ready to continue to connect to your node for the first time, install nodectl and turn your Droplet (VPS) into a Constellation Network Validator Node!
Turn your VPS into a node using a normal installation.
This guide will walk you through the steps required to convert a VPS or bare-metal server into a Constellation Validator Node.
A normal installation provides more customization options during setup, whereas the quick installation only prompts for essential inputs and uses recommended defaults for all other settings outlined in this guide.
🚩Node Prerequisites
You will be prompted to specify the name of the Node Administrator account you will use for SSH remote access after installation.
The default username is nodeadmin, and all subsequent documentation will reference this default.
Enter a custom user and press Enter
In 99% of the cases, your Constellation Validator Node will have direct access to the Internet.
To enhance security, it is recommended to disable access for commonly known default accounts, such as the root user and other special system users ( default ubuntu or admin accounts commonly preconfigured on default VPS images ).
You will be offered the ability to create a specific name for your p12 keystore that will be used to hold your private and public keys used for signature requests, wallet administration, and other validator node operations.
You may enter a name of your choosing and press Enter.
Important notes to help remind us about the concepts of the three different passphrases/passwords we need to maintain and use on a daily basis to manage our node.
The following pages are essential reading before proceeding to any technical implementation. They are designed to help you organize your notes, confirm your virtual server specifications, and understand cloud provider requirements. Reviewing this information will ensure a smooth setup process and reduce the likelihood of configuration errors.
These sections are especially helpful for first-time Node Operators. However, experienced or technically proficient users may choose to skim or skip them as needed.
Topics covered in this section:
This section is dedicated to the processes and procedures specific to validator nodes being built on a Constellation Network metagraph.
ssh -i C:/Users/MyUser/.ssh/my-private_key [email protected]
ssh -i /Users/MyUser/.ssh/my-private_key [email protected]
ssh -i C:/Users/MyUser/.ssh/my-private_key [email protected] -p 2222
ssh -i /Users/MyUser/.ssh/my-private_key [email protected] -p 2222
The authenticity of host '13.13.13.13' port <22>: can't be established.
ECDSA key fingerprint is SHA256:<<abcedf1234568910abcdef>>.
Are you sure you want to continue connecting (yes/no)?
sudo nodectl version
sudo nodectl status
sudo nodectl quick_status -p intnet-l0 -w 120
sudo nodectl logs -l app -p dag-l0
sudo nodectl upgrade
sudo nodectl upgrade --ni
--p12-alias <alias>
--user <username>
--user-password <password>
--p12-destination-path <path>
--p12-migration-path <path>
--confirm (auto-accept warnings)
If you are performing a New Node Installation with .p12 Migration, you may press y at this prompt to allow nodectl to automatically scan your VPS for any available .p12 keystore files.
Once detected, you will be presented with a list to select from, choose the appropriate file to continue the installation.
If you choose to use a custom username, please substitute it wherever nodeadmin is mentioned after completing this step.
Reminder to use proper password requirements.
Enter and confirm the password.
You will also be prompted to choose whether to disable root access via SSH, enhancing your server’s security.
Using the strongest security practices is essential in these scenarios to protect your node and its associated wallet.
We will choose y or just press Enter.
Local Bare Metal Servers may use advanced methods for access control and should decide accordingly.
Allow nodectl a moment to encrypt your passphrase.
upgrade_nodectl command sequentially for each version step using the -v <version> option.
Upgrade one version at a time. Do not skip versions until you reach v2.16.0. This ensures compatibility and prevents potential issues with configuration or functionality.
Example: sudo nodectl upgrade_nodectl -v v2.13.0
If you are requested to upgrade the node, issue a Y and allow nodectl to upgrade the node so that all the features, changes, and updates can be properly applied.
This is important to ensure that all features of nodectl are enabled.
When you reach a version that can be directly upgraded to the latest v2.17.3 you may exclude the -v option.
sudo nodectl install
========================================
= CONSTELLATION NETWORK HYPERGRAPH =
= VERIFY NODECTL SPECS =
= PRE-INSTALLATION TOOL =
========================================
Code Name: Princess Warrior
Please choose node type to test:
H)ybrid Dual Layer
D)or Validator
Q)uit
KEY PRESS an option HYPERGRAPH or METAGRAPH
predefined choices
-------------------------------------------
1) mainnet [HyperGraph]
2) integrationnet [HyperGraph]
3) testnet [HyperGraph]
4) dor-metagraph-mainnet [metagraph]
Q)uit
KEY PRESS an option
------ * INSTALLATION COMPLETE * -------
CONGRATULATIONS!
Below you will find your nodeid which
was derived from your p12 file
Please report this nodeid to administrative
staff to gain access to the network via the
access list permissions.
HyperGraph/metagraph ..................... hypergraph
Environment .............................. mainnet
P12 Location ............................. /home/nodeadmin/tessellation
P12 Name ................................. nodeadmin-node.p12
P12 Alias ................................ nodeadmin-alias
----- * CHECK SEED LIST REQUEST * ------
NODE ID
<your_node_id_here>
NODE ID FOUND ON SEED LIST
False
DAG WALLET ADDRESS
<your_dag_wallet_address_here>
C:/User/MyUser/.ssh
/Users/MyUser/.ssh/
sudo nodectl upgrade_path
sudo nodectl upgrade_nodectl -v <next_version_in_path>
Press Y then [ENTER] to upgrade or N then [ENTER] to cancel: Y
sudo nodectl upgrade_nodectl
Be sure to double-check all details during the transfer to avoid any issues, such as loss of funds.
$DOR
1,000,000
320Gb
Recommended: 32Gb Memory configuration ( available with Premium Intel/AMD )
If the Name field does not populate, create a name for the key that will help you identify it later.
Click the Add SSH key button.
Select your SSH key if not already checked.
13.13.13.13/32
Once you enter the IP address you will see an Add "13.13.13.13/32" ( similar ) which you will need to click on to populate the Sources for your SSH remote access.
Please refer to Wide Open SSH Access document for details on the security implications of allowing any system that is connected to the internet to have access to your SSH port. This document contains instructions on how to determine your local IP address for entry in this section.
9010-9011
Leave the Sources as All IPv4 and All IPv6
9000-9001
Leave the Sources as All IPv4 and All IPv6
hostname during the Finalize Details step above begin to type in that hostname and it should auto populate into the provided box. If you left the hostname as default type in u and wait for the box to auto populate with default ubuntu name
Select the droplet to populate the Apply to Droplets box.
Setting Up Your Notes — Guidance on preparing and organizing the information you'll need throughout the node setup process.
Understanding Your VPS Specifications — Ensure that your virtual server meets the required hardware and system configuration.
Cloud Provider Specific Guides — Reference materials tailored to specific providers like AWS, DigitalOcean, and Hetzner.
Take the time to review this material thoroughly before beginning any technical work.
This document suggests a method for keeping notes and tips accessible when preparing to operate or operating your node.
We hope that referring back to your notes for reminders on managing your node and recalling necessary passphrases or passwords will be time-saving, useful, and efficient.
There are 3 main passwords whose concepts we must understand and control to make the administration of our nodes simple and less aggravating.
Password used to confirm authorization.
When issuing administrative commands on your node, you will be required to enter your sudo password associated with the nodeadmin user whenever a privileged action is executed or your session times out.
The nodectl utility operates with elevated privileges and therefore requires
PKCS#12, or PFX
The P12 keystore (also referred to as PKCS#12 or PFX) contains your cryptographic key pair, both the private and public keys. It is used for signing transactions on the node. These keys also serve as authentication credentials for managing your node’s hot wallet.
The passphrase protecting this keystore is critical: it is required to authorize actions related to rewards, collateral
The following mediums are a good start to where you should record and maintain your notes.
Secured Software Manager
There are password managers that allow for keeping passwords, passphrases, notes, and documents. From LastPass, 1Password, Bitwarden, Dashlane, KeePass, to others.
USB Stick
Placing your information on a USB stick that is stored in a secure location such as a safe.
Physical Piece of Paper
Writing down your notes and storing in a secure location such as a safe.
Make sure to create backups that will be stored in a safe location.
🚑 PLEASE DO NOT 🚒
Do not use the same passphrases or other sensitive values/information as shown in this example.
These examples are public facing and may be used by a nefarious actor as a first attempt to access your node in a penetration attack.
The example values in these notes are fictitious, please replace usernames, passwords, passphrases, etc. with your own.
Just in Case
If you are using a Command Prompt versus PuTTY, you may want to copy the Macintosh notes 👆 and replace Terminal with Command Prompt as necessary.
Description of a p12 keystore.
.p12 Keystore File?
A .p12 keystore file, also known as a PKCS#12 file, is a secure, encrypted container that stores multiple cryptographic keys and certificates within a single file. It is commonly used to bundle private keys, public keys, and certificates in a portable, protected format.
Within the context of running a Validator Node on the Constellation Network, the .p12 keystore file plays several critical roles:
Network Authentication (Public Key): Contains a public key used to authenticate your Validator Node against the Constellation Network's seed list, allowing it to join the network cluster.
Transaction Signing (Private Key): Contains a private key used to sign and authorize transactions, making it your node’s hot wallet. This key can also be imported into a wallet like Stargazer to provide proof of staking, receive validator rewards and hold supported cryptocurrencies.
Consensus Participation (Private Key): Used to digitally sign consensus proofs, which is a core function of Validator Nodes participating in Hypergraph or metagraph consensus rounds.
Because the .p12 file contains sensitive keys, it must be handled with extreme care:
Never share your .p12 file with untrusted individuals or systems.
Always protect it with a strong passphrase.
Maintain offline backups in secure, air-gapped locations (i.e., systems not connected to the internet).
Losing access to your .p12 file or having it fall into the wrong hands can result in loss of funds, node compromise, or inability to participate in network validation. Treat it as a critical asset.
Constellation Validator Node Notes:
To access our node:
open a terminal and enter:
ssh -i /home/myuser/.ssh/myprivatekey [email protected]
This command will attempt to SSH into our VPS/node
We will be challenged for access to supply the passphrase.
passphrase: efg6abc13efg6
If the command hangs or an error message stating
"refused" check to make sure that our firewall
on the VPS is properly setup to use the local
IP address of our system. During installation,
we restricted this down to a specific IP of our
local system, that may have changed.
www.whatismyip.com
To issue commands using nodectl we use sudo
We need to use our nodeadmin password here:
passphrase: efg6abc13efg6
If we need to access our p12 file (hot wallet)
passphrase: abc13efg6abc13
Reminders:
----------
ssh private key: myprivatekey
ssh public key: mypublickey.pub
ssh passphrase: efg6abc13efg6
location of keys:
- on this USB stick
- local mac directory: /home/myuser/.ssh/
p12 keystore name (hot wallet): myp12name.p12
p12 keystore passphrase: abc13efg6abc13
VPS IP: 113.113.113.113
VPS SSH port: 22
VPS username: mynodeadmin
VPS sudo password:
Access My Node
--------------
1. Open Terminal Session
2. ssh -i /Users/yourname/.ssh/myprivatekey [email protected]
* After typing in: sudo nodectl
you can double-tap the tab key for a list
of commands.
Key Commands
------------
sudo nodectl status
sudo nodectl restart -p all
sudo nodectl upgrade
sudo nodectl check_versions
sudo nodectl check_consensus
sudo nodectl dag -p dag-l0
Constellation Validator Node Notes:
To access our node:
open PuTTY
select our saved session from the
PuTTY main menu, load, and then open
(or double click)
This command will attempt to SSH into our VPS/node
We will be challenged for access to supply the passphrase.
passphrase: efg6abc13efg6
If the command hangs or an error message stating
"refused" check to make sure that our firewall
on the VPS is properly setup to use the local
IP address of our system. During installation,
we restricted this down to a specific IP of our
local system, that may have changed.
www.whatismyip.com
To issue commands using nodectl we use sudo
We need to use our nodeadmin password here:
passphrase: hij678hij678&*()
If we need to access our p12 file (hot wallet)
passphrase: abc123abc123!@#
Reminders:
----------
ssh private key: myprivatekey
ssh public key: mypublickey.pub
ssh passphrase: efg345efg$%%^
location of keys:
- on this USB stick
- <enter saved location here>
p12 keystore name (hot wallet): myConstellationP12File.p12
p12 keystore passphrase: abc123abc123!@#
VPS IP: 113.113.113.113
VPS SSH port: 22
VPS username: nodeadmin
VPS sudo password: hij678hij678&*()
Access My Node
--------------
1. Open Terminal Session
2. ssh -i C:\Users\myuser\.ssh\myprivatekey [email protected]
* After typing in: sudo nodectl
you can double-tap the tab key for a list
of commands.
Key Commands
------------
sudo nodectl status
sudo nodectl restart -p all
sudo nodectl upgrade
sudo nodectl check_versions
sudo nodectl check_consensus
sudo nodectl dag -p dag-l0 (intnet-l0) (dor-dl1)
If you have previously imported your node’s private key into the Stargazer wallet, it is possible to recover access to your funds even if the P12 keystore is lost or the keystore passphrase is forgotten. This is because the private key alone is sufficient to restore control over the associated wallet and its assets.
DAG Wallet Address Derivation (Public Key): Contains the public key required to derive your wallet’s DAG address, used in transactions and rewards distribution.



This document will guide you through step-by-step instructions for upgrading your node to the latest version of Tessellation.
In some cases, when a new feature is introduced, it may require updating nodectl’s main configuration file, cn-config.yaml.
If the upgrade in progress does not require this step, you will not see any messages and can skip to the next step.
The migration ensures that nodectl can support the new features while preserving your existing configuration settings.
Similar to the backups you may have some files that were created in order to upload for diagnostics, logging, accounting, etc. We can clean up these files as well.
In the event that your node has files located in this special directory, you will be given a list of the files that will be removed and a confirmation prompt.
In most cases it is a good idea to clear your uploads. If you are in the midst of troubleshooting, you may want to retain these files.
Similar to backups, you may have accumulated a large number of log files.
Over time, these logs can consume significant disk space on your node.
Since your node also stores incremental history data and the tip of the blockchain, maintaining sufficient disk space is essential.
In most cases, it is a good idea to clear old logs; however, if you are actively troubleshooting an issue, you may want to retain these files.
The nodectl utility will attempt to determine whether the passphrase for your P12 keystore is encrypted within the cn-config.yaml configuration file.
If it detects the passphrase in plaintext, you will be prompted to encrypt it to enhance your node's security.
While encrypting your P12 passphrase is optional, it is strongly recommended.
Once a successful join is achieved, the node will begin catching up on any historical snapshots that were created while it was offline. It will complete the accumulation of historical data and retrieve the tip of the blockchain, ensuring the node's current state aligns with the cluster.
During the upgrade process, the system will attempt to join the DAG L1 (currency layer) profile to the cluster.
As explained in the previous step, the Layer 1 profile is configured to link to your local Layer 0 (dag-l0) profile. In order for this to succeed, your Layer 0 profile must first reach the
y.
You will see nodectl back up your current configuration before continuing.
DANGER
If you did not encrypt your p12 keystore passphrase within the nodectl configuration file, the backup configuration yaml file MAY CONTAIN A CLEAR TEXT P12 PASSPHRASE.
FOR SECURITY PURPOSES, PLEASE REMOVE AS NECESSARY!
It is recommended to back up your p12 after the migration and upgrade completes.
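One way to act on the warning above, as an added example (not part of nodectl or of the original guide): the script looks through the Backup Location that nodectl prints during an upgrade (/var/tessellation/backups/, files named backup_cn-config_...) for any backup that contains your p12 passphrase verbatim. The function name, the --scan argument and the exit codes are made up for this example.

```shell
#!/bin/sh
# Added example, not part of nodectl. Lists nodectl configuration backups that
# still contain the p12 passphrase in clear text so they can be removed.

# find_cleartext_backups DIR
#   Reads the passphrase from stdin (never from argv, so it stays out of the
#   process list and shell history) and prints each backup_cn-config_* file in
#   DIR that contains it verbatim. Matching is done inside the shell; the
#   secret is never handed to an external program.
#   Returns 2 for an empty passphrase, 3 if DIR is missing, otherwise 0.
#   Caveat: a passphrase that YAML stores with escaped characters will not
#   match verbatim, so a clean result is not proof for such passphrases.
find_cleartext_backups() (
  dir=$1
  IFS= read -r secret || true
  [ -n "$secret" ] || return 2   # an empty needle would match every file
  [ -d "$dir" ] || return 3
  for f in "$dir"/backup_cn-config_*; do
    [ -f "$f" ] || continue      # also skips the unexpanded glob
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in
        *"$secret"*) printf '%s\n' "$f"; break ;;
      esac
    done < "$f"
  done
  return 0
)

# Interactive use: sudo sh check_backups.sh --scan [DIR]
if [ "${1:-}" = "--scan" ]; then
  dir=${2:-/var/tessellation/backups}
  trap 'stty echo' EXIT INT TERM
  printf 'p12 passphrase (input hidden): ' >&2
  stty -echo; IFS= read -r pass; stty echo; printf '\n' >&2
  hits=$(printf '%s\n' "$pass" | find_cleartext_backups "$dir") || {
    echo "Nothing scanned: empty passphrase or $dir not found." >&2; exit 1; }
  unset pass
  if [ -n "$hits" ]; then
    printf 'Clear-text passphrase found in:\n%s\n' "$hits"
    echo 'Remove these files once they are no longer needed.'
    exit 4
  fi
  echo "No backup under $dir contains the passphrase in clear text."
fi
```

Run it again after every upgrade that reports "Backing up configuration", since each run of that step writes a new backup file.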
Determine if nodectl is using global references.
Obtain the nodeid from the p12 file.
MainNet
IntegrationNet
TestNet
DOR
During an upgrade process, nodectl allows you to upgrade one environment at a time. This ensures consistency and reduces risk when applying updates across network types.
Most validator nodes only have one environment configured, making the process straightforward.
When you initiate an upgrade, nodectl will display a summary showing:
The environment name
The list of associated profiles under that environment
Review this printout carefully before proceeding to ensure you’re upgrading the correct environment.
Example) dag-l1 profile.
Reduce unnecessary load on the rest of the cluster
Maintain overall network health and stability
The nodectl utility automates this process by:
Issuing an internal API call to gracefully leave the cluster
Stopping the service(s) associated with the selected profile(s)
Bringing the node offline in a controlled and orderly fashion
This ensures your node exits the cluster cleanly and avoids disrupting consensus or data synchronization.
Removes outdated or unused internal files from previous versions
Rebuilds essential configuration and support files
Ensures that all components are aligned with the latest version's requirements
Apply system-level updates
Installs the latest updates available for your current distribution
⚠️ Note: This does not upgrade the entire Linux distribution
Install or update required 3rd-party utilities
Adds or refreshes tools that nodectl depends on for proper operation
These steps help ensure that your node environment is clean, consistent, and fully prepared to run the latest version of nodectl effectively.
dag-l1 (Hypergraph Currency DAG L1) profile has a disabled seed list.
Auto-restart services
Versioning services
WaitingForObserving
Observing
WaitingForReady
Once your node completes these transitional stages, it will enter the Ready state.
At this point, your node is fully integrated into the network and eligible to begin participating in consensus and earning rewards.
Layer1 : DAG L1 currency layer
In this configuration, it's recommended to link the L1 profile to the local L0 profile. This is beneficial because, in a trustless environment, you can confidently trust the L0 node you control; essentially trusting yourself.
By linking locally in this way, you take advantage of trusted internal communication between layers while maintaining protocol integrity and minimizing external risk.
In most cases, the Layer 0 profile takes longer to complete its startup and synchronization steps.
This means:
The Layer 1 profile may not detect the Layer 0 profile as Ready in time
As a result, it may fail to join automatically during the upgrade window
To accommodate this, nodectl will:
Present a menu prompt asking whether you’d like to continue waiting or
Skip the join process and allow the upgrade to complete without joining Layer 1
If You Choose to Skip:
You can manually complete the join process later:
Use the following command to check the Layer 0 status:
Wait until it reaches Ready.
Once ready, you can either:
Run a manual join command for Layer 1:
Or rely on auto_restart (if enabled) to detect readiness and automatically join Layer 1 when conditions are met
This flexible design ensures your node upgrades cleanly, even if the timing of the Layer 0 readiness introduces delays.
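The manual path described above (wait for Layer 0 to reach Ready, then join Layer 1) as a small script; this is an added example, not part of nodectl or of the original guide. It assumes the state name appears as a separate word in the status output; the function names, STATUS_CMD and JOIN_CMD are made up here.

```shell
#!/bin/sh
# Added example, not part of nodectl: join Layer 1 only after Layer 0 is Ready.

# Commands are the ones shown in this guide; override them to dry-run the logic.
STATUS_CMD=${STATUS_CMD:-sudo nodectl status}
JOIN_CMD=${JOIN_CMD:-sudo nodectl join}

# has_state STATE
#   Succeeds when the status text on stdin contains STATE as a whole token.
#   A plain substring search for "Ready" would also accept WaitingForReady and
#   ReadyToJoin, so colour codes are stripped and tokens are compared exactly.
#   Assumption: the state name is printed as a whitespace-separated word.
has_state() {
  esc=$(printf '\033')
  sed "s/${esc}\[[0-9;]*m//g" | tr -s '[:space:]' '\n' | grep -qxF -- "$1"
}

# wait_then_join L0_PROFILE L1_PROFILE MAX_ATTEMPTS PAUSE_SECONDS
#   Joins only when L0 reports Ready and L1 reports ReadyToJoin (the state the
#   join command requires). Returns the join command's status, or 1 when the
#   conditions were never met within MAX_ATTEMPTS checks.
wait_then_join() (
  l0=$1 l1=$2 tries=$3 pause=$4 n=0
  while [ "$n" -lt "$tries" ]; do
    if $STATUS_CMD -p "$l0" | has_state Ready &&
       $STATUS_CMD -p "$l1" | has_state ReadyToJoin; then
      $JOIN_CMD -p "$l1"
      return $?
    fi
    n=$((n + 1))
    sleep "$pause"
  done
  echo "Gave up: $l0 not Ready or $l1 not ReadyToJoin after $tries checks." >&2
  return 1
)

# Example: check every 30 seconds for up to 20 minutes.
#   wait_then_join dag-l0 dag-l1 40 30
```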
Restart the auto_restart feature, if it was enabled prior to the upgrade
This ensures your node continues to be monitored and automatically maintained moving forward
This final step confirms that your upgrade and cluster rejoin were successful, and your node is once again operating in a self-managed, resilient state.
sudo nodectl status -p dag-l0
sudo nodectl join -p dag-l1
ssh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address> -p <port>
sudo nodectl upgrade
Are you sure you want to continue this upgrade? [y]: y
Using environment ............................. mainnet
Using environment ............................. integrationnet
Backing up configuration ......................complete
Backup Date: YYYY-MM-DD-HH:MM:SSZ
Backup Location: /var/tessellation/backups/
Backup File Name: backup_cn-config_YYY-MM-DD-HH:MM:SSZ
---- * VERIFY NODE UPGRADE * -----
Verify upgrade paths .......................... complete
Check permissions & versioning ................ warning
This is not a current stable version of nodectl.
Recommended to:
- Cancel this upgrade of Tessellation.
- Issue: sudo nodectl upgrade_nodectl
- Restart this upgrade of Tessellation.
WARNING non-interactive mode was detected, developer mode, or extra parameters were supplied to this upgrade.
It will continue at the node Operator's own risk and decision.
Press enter to accept the default value between [] brackets.
Please enter version to upgrade to.........[v3.0.0] :
Are you sure you want to clear the selected uploads? [n]: y
Are you sure you want to clear the selected logs? [n]: y
--------- * HANDLE PACKAGES * ----------
Download Tessellation Binaries................. running
backup files .................................. complete
Download version .............................. v3.0.0
Fetch [cl-keytool.jar -> global] .............. complete
Fetch [cl-wallet.jar -> global] ............... complete
Fetch [cl-node.jar -> dag-l0] ................. complete
Fetch [cl-dag-l1.jar -> dag-l1] ............... complete
Fetch [mainnet-seedlist -> dag-l0] ............ completed
Fetch [seedlist for -> dag-l1] ................ disabled
Start request initiated [node_l0] ............. complete
Fetching Status [dag-l0] ......................
Attempt update and migrate configuration file? [y]: y
Backing up cn-config yaml ..................... complete
Verify upgrade paths .......................... complete
p12 validated [dag-l0] ........................ using global
p12 validated [dag-l1] ........................ using global
Global p12 validated .......................... True
Obtaining node ID from p12 [global] ........... 11111....11111
Node IP address ............................... 113.113.113.113
WARNING Tessellation is already on the latest known version.
If you are only upgrading the node's internal components because your node is exhibiting undesirable or unexpected behavior, you should accept the default and upgrade your node's version to the same version level by simply hitting <enter> here.
====================
PROFILE: dag-l1
ENVIRONMENT: mainnet
METAGRAPH: hypergraph
Cluster mainnet for profile dag-l1 using v3.0.0
Are you sure you want to clear the selected backups? [n]: y
Do you want to encrypt the passphrase in your cn-config.yaml configuration file?
Enable encrypt? [y]:
Reload the Node's services .................... complete
Starting versioning updater ................... complete
This document serves as a companion to the nodectl help command reference, which is available when running the nodectl utility on your node.
In nodectl, a command-line option is a modifier added to the end of a command to customize its behavior.
It follows the syntax:
An option may be accompanied by one or more parameters, which are specific values or instructions the option uses to perform its task.
Examples
sudo nodectl <command> <option> <parameter>
sudo nodectl <command> <option> <parameter> <option> <parameter>
sudo nodectl <command> <option> <parameter> <option> <option>
Some options do not require a parameter be supplied afterwards. The option may need to be supplied alone.
As a simple example, the command
The status is the command
The -p is an option
The dag-l0 is a parameter.
When accessing your node via a remote shell, some commands may produce output that exceeds the visible height of your terminal window.
In such cases, nodectl uses pagination, which pauses the output once it fills the screen, allowing you to view it in manageable sections.
You’ll be prompted with options to continue or quit the output stream.
Press any key to continue scrolling
Press q to quit and return to the command prompt
If you prefer to display the full output without pauses, many paginated commands support the -np (no pagination) option to disable this behavior.
Example:
If an option requires a parameter, it must be entered directly after the option is supplied on the command line. However, the order of the options that do not require parameters does not matter.
option1 requires parameter1, option2 does not require a parameter.
Is the same as:
The getting_started command will display a simple readme file with the most used commands found within the nodectl utility.
Examples
Show getting started readme.
The help command will offer help for most commands available by the nodectl utility.
Node Operators can issue the help command by itself to see a basic rundown of all options and parameter requirements.
Issuing the help command together with the command you are seeking help for will show a more detailed explanation of that command, similar to this document, except from the command line itself.
The start command takes a single option.
This command requires the <profile_name> to be provided and will not execute without it.
Examples
Help screen
Start profile named dag-l0
The stop command takes a single parameter.
Stop the service related to a configured profile name. This command will not work without the <profile_name> supplied.
Examples
Show the help screen.
Stop profile named dag-l0.
Stop profile named dag-l0 and force a leave.
The restart command takes a single parameter and is used to restart the service associated with a specified profile.
This command requires either a specific <profile_name> or the special parameter all. It will not function without one of these.
Leave the cluster
Stop the service
Start the service
Re-join the cluster
Examples
Help screen
Restart all the profiles configured on the node, in proper order of operations.
Restart profile named dag-l0
Restart but do not join dag-l0
The leave command takes a single parameter.
Leave the Hypergraph or metagraphs related to a configured profile name. This command will not work without the <profile_name> parameter supplied.
Issuing a leave against your node will allow your node to complete any processes on the Hypergraph or metagraph that it may be involved in before your node exits the cluster.
It is appropriate and will improve your node's PRO score to leave the cluster before you issue a stop command.
Examples
Help screen
Leave profile named dag-l0
The join command takes a single required parameter and is used to join a Hypergraph or metagraph network using a configured profile.
The <profile_name> must be supplied—this command will not function without it.
The associated profile must be started.
The node's status must be ReadyToJoin before issuing the command.
Examples
Help screen
Join profile named dag-l0
The auto_restart command takes several parameters.
This feature is disabled, by default. You can enable this feature by issuing:
Option r
The auto_restart feature in nodectl is a specialized background service that continuously monitors all configured profiles on your node. Whether they are on the Hypergraph or metagraphs, auto_restart attempts to keep them connected to the cluster.
If a profile is detected to be offline or in an undesirable state, auto_restart will attempt to automatically recover and rejoin the profile to its respective network, helping to maintain uptime and stability.
list of monitoring
timing
Manual interoperability
auto_upgrade
Do not rely entirely on the auto_restart feature. While auto_restart is a useful tool for keeping your node consistently up, it is not foolproof. You should still manually monitor your node to ensure it stays online and connected to the correct cluster session.
Help screen
Manual enable auto_restart services
Manual enable auto_restart services with auto_upgrade
Manual disable auto_restart services
Manual restart auto_restart services
Check if auto_restart is running by searching for the process ID (pid) of the auto_restart service. The command will also show status of auto features set in the configuration.
The clean_files command offers the Node Operator the ability to clear specified logs or special stored files that may not be needed anymore.
Once the command is executed the Node Operator will be offered a CLI menu of removal options to choose.
The option will be carried out and the Node Operator will be offered a visual confirmation of the files:
To be removed
number of files
Size to be freed by their removal.
Help file
Clean logs of type logs
or
The check_minority_fork command will execute a check against your node's status on the cluster in an attempt to determine if the node is in a minority fork.
If node shows MINORITY FORK True
You should restart your node in order to return to the majority fork. auto_restart has the ability to automatically detect a minority fork and restart your node for you.
Examples
Help menu
Check the Hypergraph profile dag-l0 for a minority fork
The check_connection command performs a diagnostic check on the currently connected Hypergraph or metagraph cluster.
It compares the list of nodes discovered from a source peer against those found on an edge peer, helping to identify connectivity inconsistencies or potential issues in peer discovery.
The -s option may be supplied to request a lookup on a specific peer. If not specified, nodectl will pick a random peer on the cluster specified by the required -p profile parameter.
The -e option may be supplied to request a lookup on a specific peer edge device that is not the local node. If not specified, nodectl will pick a random peer on the cluster specified by the required -p profile parameter.
If the nodes connected to each do not match, the command will display those nodes that are missing between the two.
Dictionary
If node shows False
There may be circumstances where your node is showing a False positive. The network may still be converging or another node may be causing your node to show False.
In some cases you may need to wait a little longer and then check again if:
Your node is showing False.
You are seeing many nodes "missing".
The node may be off the network and a restart is required. You can use the restart command to attempt to restart and join the network.
Troubleshooting
You may review your log files to see if you can find an issue
You can contact a System Administrator to review log files, which may help to figure out if your issue is correctable. They may request that you use the send_logs feature.
Examples
Scenario for help
<profile_name> will be dag-l0
Node you joined to originally (source) : 10.1.1.1
Check random "source" against the local "edge" node
Check random "source" node against "other" node
Check "any other node" against "any other node"
The check_consensus command will execute a check against your node's status on the cluster in an attempt to determine if the node is participating in consensus rounds.
If the -p parameter is not supplied, nodectl will offer you a menu of known profiles to choose from.
The --file command expects a csv (comma separated values) file that is populated with node IDs. Each node ID must be on its own line.
If node shows IN CONSENSUS False
You should restart your node in order to return to the majority fork. auto_restart has the ability to automatically detect a node that is out of consensus and restart your node for you.
Examples
Help menu
Check if the Hypergraph profile dag-l0 is in consensus
Execute consensus check against node with profile name dag-l0 and IP address 10.10.10.10.
Execute consensus check against a list of node IDs with profile name dag-l0 and a file containing the node ID list called test.csv located in the '/tmp/' directory on the node.
Execute consensus in brief format.
Execute consensus in brief format refreshing and checking again every 120 seconds.
The check_source_connection command takes a profile parameter.
When executed the check_source_connection command will attempt to find a random node on the current known Hypergraph or metagraph cluster.
The random node needs to be joined into the consensus of the cluster, and must be on the cluster and in Ready state.
nodectl should take care of this for us.
example output
Examples
Help screen
Execute the check_source_connection command
The check_seedlist command takes one parameter.
check_seedlist will pull your node ID out of your p12 file and compare it to the seedlist downloaded from Constellation Network's authorized list.
Examples
Help screen
Execute the check_seedlist command
The check_seedlist_participation command does not take any parameters.
| Command | Shortcut | Version |
| :---: | :---: | :---: |
| check_seedlist_participation | -cslp | >v2.7.x |
This command can be used to review seed list access-list participation for any/all given profile(s) in the configuration that has a seed-list setup.
Examples
Help screen
Execute the check_seedlist_participation command
The check_tcp_ports command performs a diagnostic test on your node’s external network interface card (NIC) to detect network activity on your node’s API TCP ports.
This tool is especially useful during troubleshooting to determine if there may be a firewall or connectivity issue.
nodectl will:
Extract the public and peer-to-peer API ports from your node’s configuration
Sniff the NIC for a short duration to observe traffic on these ports
Report the results without interfering with or modifying any traffic
If the protocol is not actively running for the specified profile, nodectl will not detect any traffic on the associated ports.
As a result, the check_tcp_ports command will report a failure, indicating no observed network activity.
This does not necessarily mean there is a firewall issue—it could simply mean the node is not currently active on the network for that profile.
The console command does not take any parameters.
This is a special utility command that allows you to use a menu driven methodology towards issuing the most common commands on your node. There are three (opinionated) menus of commands.
Main Menu: Holds the most common commands.
General Menu: Holds commands that are commonly useful.
Troubleshooting Menu: Holds common commands used for troubleshooting purposes.
Simply issue the console command, select the letter corresponding to the predefined commands, and that command will execute. After completion, nodectl will terminate the process and return the Node Operator to the terminal prompt.
The mobile command is synonymous with the console command; however, it will return to the main menu and allow the Node Operator to issue "the next" command, as needed, in an iterative fashion.
The download_status command is experimental and may not always be accurate.
It makes a best-effort attempt to review the node's logs in real time to estimate the progress of the DownloadInProgress state and how long it may take to complete.
When a node begins the process of joining the cluster for the configured profile(s), it undergoes a series of essential initialization tasks to ensure proper integration and functionality as a peer in the cluster.
After your node completes the initial phases of authentication and becomes a peer on the cluster, it must synchronize and gather knowledge of the existing blockchain before it can actively participate in consensus and earn rewards.
Constellation Network uses an incremental snapshot strategy to minimize the "cost" of downloading blockchain snapshots. When a new node joins the cluster, it undergoes an extended one-time process of learning the entire blockchain. For an existing node rejoining the cluster, the node calculates the differences between its previous state and the current blockchain state.
Starchiver-Extractor is a community created and supported tool.
IMPORTANT
Constellation Network does not support this tool.
This tool is highly useful and has been integrated into nodectl to assist with proper execution with a single command, without any extra steps. It can expedite your node’s ability to join the cluster, potentially reducing download times from days to just hours or less.
When executed on a node via nodectl
Help screen
Execute Starchiver-Extractor using the most recommended command options.
The find command takes several parameters.
This command will attempt to find the requested peer on the current connected Hypergraph or metagraph.
The find command offers insight into the
number of nodes on the cluster
number of nodes in Observing state
number of nodes in WaitingForObserving state
It will show you the profile searched (required) and offer you confirmation that your node is seen on the cluster.
You may specify a source node that will be used as the reference point to look up the target node (either your node by default or a specified target) on the cluster and return a True or False depending on whether or not it is found.
You may use the self keyword for either the source ( -s ) or target ( -t ) parameters.
Help screen
Check if your node is listed/seen on the cluster using a random source node that is already found on the cluster.
Check if your node is listed/seen on the cluster using a specific source node.
Check if your node is listed/seen on the cluster using a specific source node and a specific target node (other than your own).
other find examples
If our node is 10.1.1.1 check if 10.1.1.1 is listed/seen by another random node on the cluster we are connected to identified by the profile dag-l0.
look for a node by node ID
If our node is 10.1.1.1 check if 10.1.1.1 is listed/seen by a node identified by the -s option (10.2.2.2) on the cluster we are connected to.
Examples using self keyword
In this example we are asking 10.2.2.2 (our source) if it is able to identify the target 10.1.1.2 on the network cluster.
The health command does not take any parameters.
It displays the basic health elements of your node.
Examples
Help screen
Execute the health command
The list command does not take any parameters and displays the details of the profiles found in the cn-config.yaml file. You can update the cn-config.yaml file with the configure command.
Help screen
Execute the list command
The market command does not take any parameters.
Performs a quick lookup for crypto markets via CoinGecko's public API.
The command will list the Top 10 Crypto markets at the current moment in time. In the event that Constellation Network is not in the top ten, it will list its current position in relation to the rest of the known markets.
warning
This command is for recreation purposes only.
Constellation Network is not a financial advisor. Information is sourced from CoinGecko and does not represent the opinions or financial advice of Constellation Network.
The node_last_snapshot command takes a single option.
This command reviews the Tessellation app.log to find the last instance of a downloaded snapshot for the specified <profile_name>.
Examples
Help screen
Review snapshots for profile named dag-l0
The peers command will attempt to list all the peers found on the cluster, as well as their IP addresses, for review.
Normal output from the peers command will show all the peers seen on a given metagraph or the Hypergraph (profile dependent). This will include:
node IP with public port
10.10.10.10:1000 = 10.10.10.10 with public TCP port of 1000
node ID (shortened to first 8 hex values, ...., last 8 hex values)
You can utilize the --basic option to force nodectl to only show the PEER IP:TCP PORT column.
You can utilize the --extended option to force nodectl to show all fields in long format.
If you do not use the --basic or --extended options, the output will be in shortened form for all elements (ip:port, dag address, node ID).
Dictionary
Examples
Help screen
Show nodes on cluster from random peer on the cluster from a specific profile
Show YOUR node's peers
Show peers on the cluster utilizing a specific target ip address.
Show count of peers your node is able to see (synonymous with find command).
Show peers on the cluster utilizing a specific source target ip address to count against.
Other examples
Example usage for a profile called dag-l0
Example usage for --basic
Create a csv file
The price command does not take any parameters.
This command performs a quick lookup for crypto prices via CoinGecko's public API.
warning
This command is for recreation purposes only.
Constellation Network is not a financial advisor. Information is sourced from CoinGecko and does not represent the opinions or financial advice of Constellation Network.
Examples
Help screen
Execute the price command
The refresh_binaries command does not take any parameters.
This command will download and overwrite the existing Tessellation binary files that are required to run your node. The binaries are downloaded from the latest release, independent of a system upgrade.
This command can be used to refresh your binaries in the event that you have corrupted or missing binary files.
This command should be accompanied by the restart command in order to allow your node to utilize the new binary files.
This includes a refresh of the latest local seed-list access list file.
Examples
Help screen
Execute the refresh_binaries command
The quick_status command takes a single optional parameter.
quick_status will review the current status of your node and offer a single output of the found state of your node's known clusters, as quickly as possible.
If the -p option is used with the <profile_name>, only that profile's status will appear. If the quick_status command is called without the -p option, all profiles will be shown.
The differences between quick_status and status are two-fold:
quick_status will only show the state of the node's known active profile(s)
quick_status will review the state of your node's known active profile(s) via the local API on the node. This should be understood and used with caution: if your node is in Ready state but not on the proper cluster, you may receive a false positive. The status command, although more time costly (expensive), will offer a better outlook on your node by providing metrics such as sessions.
Examples
Help screen
Show all profiles
Show status of profile named dag-l0
The sec command does not take any parameters.
sec = security
It displays the basic security elements of your node. It displays parsed elements from the auth.log file on your Debian operating system.
Following the table formatted output, nodectl will display a list of date -> ip address of external access requests against your node.
example output
Examples
Help screen
Execute the sec command
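The date -> ip address listing that sec derives from auth.log can be cross-checked by hand. The following is an added example, not nodectl's own code; it assumes the traditional syslog line format in auth.log, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not nodectl code). Assumes traditional syslog lines:
#   "Mon DD HH:MM:SS host sshd[pid]: message"

# Constructed sample log; all addresses are documentation ranges.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 node1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2
Mar  3 10:15:04 node1 sshd[1234]: Failed password for root from 203.0.113.7 port 52213 ssh2
Mar  3 10:16:40 node1 sshd[1301]: Accepted publickey for nodeadmin from 198.51.100.20 port 40022 ssh2
Mar  3 10:20:12 node1 sshd[1377]: Failed password for invalid user from from 192.0.2.55 port 33100 ssh2
Mar  3 10:21:00 node1 CRON[1400]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Mar  3 10:22:09 node1 sshd[1410]: Failed password for root from 203.0.113.7 port 52290 ssh2
EOF
}

# failed_access FILE
# Prints "Mon DD HH:MM:SS -> IP" for every failed sshd password attempt.
failed_access() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
            # The client chooses the username, so it may itself contain
            # the word "from". Scan from the right: the last "from" is the
            # one sshd wrote immediately before the peer address.
            for (i = NF - 1; i > 7; i--)
                if ($i == "from") { print $1, $2, $3, "->", $(i + 1); break }
        }' "$1"
}

# source_counts FILE
# Prints "IP COUNT", busiest source first (ties ordered by address).
source_counts() {
    failed_access "$1" |
        awk '{ c[$NF]++ } END { for (ip in c) print c[ip], ip }' |
        sort -k1,1nr -k2,2 |
        awk '{ print $2, $1 }'
}

# accepted_logins FILE
# Prints "Mon DD HH:MM:SS -> IP (user)" for every successful sshd login,
# so unexpected sources of valid logins stand out.
accepted_logins() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" {
            for (i = NF - 1; i > 8; i--)
                if ($i == "from") {
                    print $1, $2, $3, "->", $(i + 1), "(" $9 ")"
                    break
                }
        }' "$1"
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
echo "Failed attempts:";  failed_access "$sample"
echo "Per source:";       source_counts "$sample"
echo "Accepted logins:";  accepted_logins "$sample"
rm -f "$sample"
```

On a real node, pass the path of the system's auth.log instead of the sample file; reading it normally requires root.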
The show_cpu_memory command does not take any parameters.
nodectl will assess the CPU and memory to determine the percentage of usage detected.
To provide more reliable results, nodectl will perform 10 iterations of checking CPU and memory usage before averaging the results and displaying them.
Examples
Help screen
Execute the show_cpu_memory command.
The show_current_rewards command takes several parameters.
Search the Constellation Backend explorer and pull the last 50 global snapshots.
The command will output a paginated list of DAG addresses and the amount of DAG accumulated per DAG address over the course of the time between the START SNAPSHOT timestamp listed and the END SNAPSHOT timestamp listed.
The --output option can only be a filename. If you would like to have your output saved to an alternate location, you can update the configuration file via the configure command.
sudo nodectl configure
If a wallet address is not specified the first known wallet address obtained from the configuration will be used. If a -p <profile> is specified, the defined profile wallet address will be used for the lookup against the profile specified.
If a -s <snapshot_history_size> is specified:
The history size entered will be used.
Must be between 10 and 375 snapshots.
The default value is 50.
Examples
Help screen
If the -p <profile> is not specified, nodectl will use the first known profile.
If the -w <dag_address> is specified, nodectl will look up the requested DAG address against the MainNet explorer.
If the -np is not specified, nodectl will attempt to paginate the output to the current known screen height.
Create a csv file
Create a csv file and put in the designated uploads directory with specified name.
The show_node_proofs command will display the current known snapshot proofs that this node is working on.
The command will display the SnapShot Transaction ID and SnapShot Transaction Signature for all proofs in the current consensus round that the node is participating in.
Examples
Help screen
Execute show_node_proofs.
Execute show_node_proofs without pagination.
The show_node_states command does not take any parameters.
This command displays the list of the known node States that you may find on the Cluster or that nodectl defines when not on the cluster.
nodectl only states
Examples
Help screen
Execute the show_node_states command
Execute using shortcut option command
The status command takes a single optional parameter.
Status will review the current status of your node.
If the -p option is used with the <profile_name>, only that profile's status will appear. If the status command is called without the -p option, all profiles will be shown.
Examples
Help screen
Show all profiles
Show status of profile named dag-l0
The sync_node_time command will update the node's underlying Linux Debian distribution's datetime clock. It will use the NTP service installed during nodectl installation to force an update of the node's clock.
Examples
Help screen
Execute the sync_node_time command
Execute using verbose mode
The update_seedlist command does not take any parameters.
The update_seedlist command retrieves the latest seed list from the Constellation Network repositories. This command can be used if your node is unable to authenticate and, therefore, cannot connect to the network.
Using the check_seedlist command, a node Operator can confirm if the node is seen on the access lists; if not, issue the update_seedlist command to attempt to correct the issue.
caution
If you update the seed list and still receive a False, you may need to contact a Constellation Network support Administrator for further help. This can be done by accessing the Constellation Network official Discord server.
Examples
Help screen
Execute the update_seedlist command
The nodectl utility maintains a version object file in the background, running as a service and updating every 2 minutes.
Examples
Help screen
Force an update to the versioning object.
Verify the versioning object.
Print the versioning object.
The verify_nodectl command is a special command that attempts to authenticate the nodectl binary with a signature file located on the official GitHub repository of nodectl.
This command will fetch the public key, digital signature file, and digital signature hash from the official GitHub repository. It will then use those files to hash the nodectl binary and produce a binary hash file to compare with that found on the GitHub repository.
If the hashes match, we can rest assured that our nodectl is authentic.
caution
A man-in-the-middle (MITM) attack occurs when a hacker secretly intercepts communication between two parties or systems. The hacker, acting as a "middleman," can intercept the information and potentially impersonate files from nodectl's GitHub repository.
To avoid a MITM attack, it is crucial to manually access the GitHub repository and review the public key and digital signature files for verification.
Examples
Verify the nodectl binary
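The MITM caution above is the reason the public key must be compared with a value obtained separately: a signature only proves that the binary matches whichever key was downloaded alongside it. The following is an added example, not nodectl's verification code; the EC P-256 key type, file names and function names are assumptions, and the fixture is constructed locally with openssl.

```shell
#!/bin/sh
# Added example (not nodectl code). Key type, file names and function
# names are assumptions; all keys and "binaries" are generated locally.

# SHA-256 fingerprint of a PEM public key (hash of its DER encoding).
key_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null |
        sha256sum | cut -d' ' -f1
}

# verify_release BINARY SIGNATURE PUBKEY PINNED_FINGERPRINT
# Returns 0 if authentic, 1 if the public key is not the pinned one,
# 2 if the signature does not match the binary.
verify_release() {
    # Check the key first: a valid signature under an unknown key
    # proves nothing about who produced the binary.
    [ "$(key_fingerprint "$3")" = "$4" ] || return 1
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" \
        >/dev/null 2>&1 || return 2
    return 0
}

# describe ARGS... : same arguments as verify_release, prints the verdict.
describe() {
    rc=0
    verify_release "$@" || rc=$?
    case $rc in
        0) echo "authentic" ;;
        1) echo "public key is not the pinned key" ;;
        2) echo "signature does not match binary" ;;
    esac
}

# Constructed fixture: a publisher key pair with a signed file, plus a
# second, unrelated key pair that signs a modified file. The second set
# is internally consistent, which is what a substituted download looks like.
make_fixture() {
    dir=$1
    for who in publisher other; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/$who.key" 2>/dev/null
        openssl pkey -in "$dir/$who.key" -pubout -out "$dir/$who.pub"
    done
    printf 'constructed stand-in for a release binary\n' > "$dir/tool.bin"
    printf 'constructed stand-in for a modified binary\n' > "$dir/swapped.bin"
    openssl dgst -sha256 -sign "$dir/publisher.key" \
        -out "$dir/tool.sig" "$dir/tool.bin"
    openssl dgst -sha256 -sign "$dir/other.key" \
        -out "$dir/swapped.sig" "$dir/swapped.bin"
}

# Demonstration.
work=$(mktemp -d)
make_fixture "$work"
# Stand-in for the fingerprint read manually from the repository.
pinned=$(key_fingerprint "$work/publisher.pub")

echo "genuine set:      $(describe "$work/tool.bin" "$work/tool.sig" "$work/publisher.pub" "$pinned")"
echo "modified binary:  $(describe "$work/swapped.bin" "$work/tool.sig" "$work/publisher.pub" "$pinned")"
echo "substituted set:  $(describe "$work/swapped.bin" "$work/swapped.sig" "$work/other.pub" "$pinned")"
rm -rf "$work"
```

The third case is the one the caution describes: the substituted key, signature and binary agree with each other, and only the separately obtained fingerprint rejects them.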
The change_ssh_port command is a special command that works on the Debian distribution level. For added security, it is recommended that you run your SSH remote access through a non-commonly known port number; in the case of the SSH protocol, a port that is different from port 22.
You should use an unused port between 1024 and 65535.
Examples
Help file
Change SSH TCP port to port 4242
The disable_root_ssh command is a special command that works on the Debian distribution level. It disables remote access to the root user.
SECURITY
It is recommended to have the root user's remote access (inbound/ingress) disabled. The only way the root user should be accessed is through the nodeadmin user account.
This is done by issuing a sudo in front of the nodectl command.
Example
The enable_root_ssh command is a special command that works on the Debian distribution level. It enables remote access to the root user.
SECURITY
It is recommended to have the root user's remote access (inbound/ingress) disabled. The only way the root user should be accessed is through the Node Administrator's user account.
This command can be used to reverse this security setting configured via nodectl's installation process.
Example
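To confirm by hand that the SSH port and root-login recommendations in the change_ssh_port, disable_root_ssh and enable_root_ssh sections hold on a node, the sshd configuration file can be audited directly. This is an added example, not part of nodectl; the function name, finding labels and sample files are assumptions constructed here, and it reads only the one file it is given (running sshd -T as root prints the fully resolved settings).

```shell
#!/bin/sh
# Added example (not nodectl code). Finding labels are made up here.

# audit_sshd_config FILE
# Prints one finding per line; prints nothing when the file uses a port
# in 1024-65535 other than 22 and sets PermitRootLogin to "no".
audit_sshd_config() {
    awk '
        BEGIN { FS = "[ \t=]+" }          # "Key value" and "Key=value"
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" || /^#/ { next }
        { key = tolower($1); val = $2; gsub(/"/, "", val) }

        # Included files are read by sshd at this point and can set a
        # value first; this function does not follow them, so report it.
        key == "include" { print "INCLUDE_NOT_FOLLOWED " val; next }

        # Everything after the first Match line is conditional.
        key == "match" { in_match = 1; next }
        in_match {
            if (key == "permitrootlogin" && tolower(val) != "no")
                print "ROOT_LOGIN_IN_MATCH " tolower(val)
            next
        }

        # Port may be given several times; sshd listens on all of them.
        key == "port" { ports[++n] = val; next }
        # For other keywords the first value sshd reads is the one used.
        key == "permitrootlogin" && root == "" { root = tolower(val) }

        END {
            if (n == 0) ports[++n] = 22                 # sshd default
            for (i = 1; i <= n; i++) {
                p = ports[i] + 0
                if (p == 22) print "PORT_DEFAULT 22"
                else if (p < 1024 || p > 65535) print "PORT_OUT_OF_RANGE " ports[i]
            }
            if (root == "") root = "prohibit-password"  # sshd default
            if (root != "no") print "ROOT_LOGIN " root
        }' "$1"
}

# Constructed sample files.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# defaults left in place
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 4242
PermitRootLogin no
EOF
    cat > "$1/layered.conf" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
port=80
PermitRootLogin no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
}

# Demonstration.
cfg=$(mktemp -d)
write_sample_configs "$cfg"
for name in weak hardened layered; do
    echo "== $name.conf"
    audit_sshd_config "$cfg/$name.conf"
done
rm -rf "$cfg"
```

In layered.conf the second global PermitRootLogin line is ignored because the first value wins, but the Match block still re-enables root login for the matched addresses, which is why it is reported separately.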
The reboot command does not take any parameters and offers the Node Operator the ability to reboot their physical or VPS (Virtual Private Server in the cloud) via a warm boot.
Recommended
For node operation, this command is preferred/recommended over the normal operating system reboot command.
When issued, the nodectl reboot command will gracefully leave the profiles defined in the nodectl configuration file before rebooting the node.
dictionary
Help screen
Execute the reboot command
The upgrade_vps command provides a more user-friendly, non-technical way to ensure your VPS (or bare metal server) is up-to-date with the latest packages, utilities, security patches, and core distribution elements (such as kernels, services, etc.).
The feature will offer you instructions on how to handle any interactive requirements, including handling purple boxes.
caution
During an upgrade, the Debian distribution may require the Node Operator to handle certain service configurations interactively.
If this occurs, a purple box will appear with options and default settings already selected for you. Since we do not modify any default Debian distribution settings to run our node, you can accept the defaults. To do this, use the Tab key to navigate to the OK or Confirm boxes and then press Enter to accept.
Examples
Help screen
Execute an update and upgrade.
Execute an update and upgrade in non-interactive mode.
Execute an update and upgrade with a reboot.
The uptime command provides the amount of time the cluster, the node itself, and the system supporting the node has been up and running.
Examples
Help screen
Execute an uptime request
Execute an uptime request against the profile named dag-l0.
The whoami command displays the external ip address of your node.
Optionally, you can use the -id option to map a node ID to an IP address on a cluster.
The external IP of your node is the address that allows your node to communicate with the rest of the systems on the Internet.
This is the address your node will use to communicate with the other decentralized nodes that make up the Hypergraph and/or metagraphs. Your node will attempt to establish communications with other nodes through peer-to-peer (p2p) connections and public API requests.
warning
The -id option, followed by the full node ID requested, will look up the node ID and return its IP address. This command will require the -p option with the profile name of the network you are searching.
Examples
Help file
Show external ip
Show ip address of a node by node ID from a cluster via a profile this node is connected to
The create_p12 command will create a p12 file and place it on the system in a location of the Operator's choosing.
If a location is not supplied, the global p12 configured location will be used by default.
If a username is not supplied, the global p12 username will be used by default.
Examples
show help screen
Build a new p12 file using the global configured Node Administrator username:
Build a new p12 file using a keystore named test.p12 and the file location /tmp/my_new_p12_files.
The dag command will retrieve your node's wallet information for your local node.
You can specify another node by supplying the -w (wallet) option followed by the dag_wallet of the node on the cluster that is targeted.
Following general output details about your wallet, nodectl will query the DAG explorer API and retrieve details of the last 350 snapshot entries. This level of detail can be excluded by using the -b option.
The --output option can only be a filename. If you would like to have your output saved to an alternate location, you can update the configuration file via the configure command.
Examples
Help Screen
Retrieve local dag wallet details.
Retrieve dag wallet information of a node on the cluster with the DAG wallet address of DAG0911111111111111111111111111111111111
(fake address for demonstration purposes only).
Retrieve dag wallet information of a node on the cluster without snapshot details.
Retrieve the node's dag wallet without pagination.
The export_private_key command does not take any parameters.
export_private_key will expose your private key from your p12 file and print it to the screen.
danger
Do not share this private key with anyone that you do not completely trust with your financial assets.
nodectl is designed to work with p12 private key files that support Constellation Network v2 keys. If you are running an older node, please refer to the v1 to v2 migration document.
Import the private key produced by this command into your StarGazer wallet (or other) in order to control your node's wallet.
Examples
Help screen
Expose your private key
The nodeid command will retrieve your node's public key (nodeid) for either your local node or another node by supplying the -t (target) option followed by the ip_address of the node on the cluster that is targeted.
Examples
Help Screen
Retrieve local node ID
Retrieve node ID of a node on the cluster with the IP address of 113.113.113.113.
The nodeid2dag command takes a required public node id or public key (128 byte hexadecimal string) and converts it into its associated Constellation Network DAG wallet address.
warning
The <node_id> is required and does not have a related option.
Examples
Help file
Convert node ID to DAG wallet
The passwd12 command does not take any parameters.
This command offers the Node Operator the ability to change their p12 keystore file's passphrase through an interactive experience.
warning
passwd12 will not update the cn-config.yaml file.
Please run the sudo nodectl configure command to update your passphrase (if necessary) after completing the passphrase update utility command.
IMPORTANT
BACKUP your p12 prior to using the passwd12 command
Examples
Help File
Go through the p12 passphrase change process
The show_p12_details command will show the node's p12 keystore details.
Examples
Help File
View p12 details for the profile dag-l0.
The configure command will attempt to guide the Node Operator through creating or editing the cn-config.yaml file.
The cn-config.yaml file is an extremely important file that nodectl uses to determine how it should control and configure your Constellation Network Validator Node.
The configure command will offer a relatively detailed explanation of all configuration options, unless the -a (advanced) option is used.
nodectl will confirm if you want to enter advanced mode if not specified.
In new configuration mode, nodectl will offer you two (2) options
Predefined Profile settings
Manual Configuration
In edit configuration mode, nodectl will offer you several options
Edit Profiles
Edit Global Settings
See the configuration guide document for more details on this command.
Examples
Help screen
Enter default configuration
Enter configurator directly to new config options
Enter configurator directly to edit config options
Enter configurator directly to edit config options in advanced mode
Enter configurator directly to edit config options in detailed mode while confirming the backup location at the same time.
The install command will build a new node for you from a fresh, blank VPS.
See the installation guide document(s) for more details on this command.
Examples
Default installation
Default normal installation
Default quick installation
Default installation supplying the user password and p12 passphrase on the command line.
Default quick install installation supplying the user password and p12 passphrase on the command line.
Default quick install installation supplying the user, user password, p12 name, p12 alias, and p12 passphrase on the command line.
Default quick install installation supplying the user, user password, existing p12 for migration, and p12 passphrase on the command line.
The ipv6 command handles enablement, disablement, and the ability to review the status of the IPv6 network configuration stack on the VPS that your node is running on.
There are three optional parameters; however, one of the three options is required.
When the enable or disable options are used, the GRUB and sysctl IPv6 configuration files will be altered.
DANGER
This command will manipulate non-Tessellation Constellation Network files on your VPS.
If the VPS was built without IPv6 during instantiation, this command will have no effect.
Examples
Help screen
View the status of the IPv6 stack on the VPS.
Enable IPv6.
Disable IPv6.
The restore_config command does not accept any options or parameters.
When executed, restore_config provides a list of previously backed-up configuration files, allowing you to select and restore the desired configuration.
caution
Please be diligent and exercise caution when restoring a configuration, as an invalid or incompatible configuration could corrupt your node or cause issues with nodectl's functionality.
nodectl will display the contents of your backup directory, identify any configuration files, and provide a list of available configurations for you to choose from.
Examples
Help screen
Stop profile named dag-l0
The uninstall command does not accept any options or parameters.
When executed, uninstall will remove all elements required to make your VPS into a Constellation Network node.
You will be provided the option to retain your p12 keystore file. If this option is taken, the p12 keystore file(s) will be moved to a temporary directory for the Node Operator to use or backup as necessary, after the uninstallation is completed.
caution
This command will not remove non-Tessellation dependencies as they may be utilized by other programs or features on the VPS.
If you would like to remove these dependencies they will have to be removed manually.
Examples
Help screen
uninstall the node.
The upgrade command is used to upgrade both Tessellation and nodectl backend files.
The upgrade_nodectl command is a dedicated command used to upgrade the nodectl binary file.
Please see the upgrade_nodectl documentation for a detailed explanation of the command.
Examples
Help file
Upgrade nodectl
Upgrade nodectl to version v2.15.2
The upgrade_path command does not take any parameters and offers the Node Operator the ability to check their node's current nodectl version for upgrade path requirements.
If the node is not at the most current version of nodectl, this command will produce a warning. The warning will let the Node Administrator know what the next necessary upgrade version should be, and will show you upgrade path requirements.
See the upgrade path document for more details.
Example Usage
Help screen
Execute the upgrade_path command
The validate_config command will attempt to review your cn-config.yaml file for errors that may cause unexpected results when attempting to run your node.
In the event that nodectl finds discrepancies or errors in the cn-config.yaml, a table of errors and possible resolutions will be displayed as output.
The view_config command will show a paginated view of the current cn-config.yaml file.
With the check_versions command, nodectl will go out and review the latest versions of both Constellation Network Tessellation and nodectl.
nodectl will review the current GitHub repo and compare it to the versions running on the node.
It will report back True or False based on whether the versions match.
Examples
Help menu
Execute the check_versions command
The display_snapshot_chain command is an advanced command that will review your node's snapshots and verify that every snapshot hash has an accompanying hard link to the ordinal that it is associated with. If you have an invalid snapshot chain, your node will not function properly.
The logs command will print out the contents of the logs that have been requested.
Example
Request to follow the log app.log from the dag-l0 profile filtering out the word "error" from each line.
Request to view the nodectl logs
The nodectl log is a command request that carries an exception. This request to view the logs does not take the -p <profile> option.
This command instructs nodectl to prepare your p12 keystore or another file of your choosing to be downloaded directly by the Node Administrator’s non-root account. This is a useful command for backup procedures.
Your p12 file(s) or the specified file will be located and copied to the root (beginning) of the Node Administrator’s user directory, and the permissions will be changed to allow retrieval directly from the Node Administrator’s account.
Nodes built with recommended security practices cannot retrieve a p12 file or other files created by nodectl using the non-root user. This command provides a solution to this restriction.
Recommended
--cleanup
It is highly recommended to use the --cleanup <path_to_file> command once you have completed downloading the requested file.
This is especially important when handling p12 keystore files, as they should be kept secure.
When --cleanup is used with --type p12, you do not need to specify the p12 file names; nodectl will automatically remove all p12 files from the local Administrator’s root directory.
Examples
Show the help screen
Move all known p12 files to the root of the Node Administrator's user and update permissions for access.
Move only p12 files associated with the profile dag-l0 to the root of the Node Administrator's user and update permissions for access.
Migrate a file called mylogs.tar.gz that is located in /var/tessellation/uploads for download from the root of the Node Administrator's user directory.
Remove the p12 files associated with all profiles including global.
Remove the file named mylogs.tar.gz that is located in the Node Administrator's home directory.
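The following shell functions are an added example, not part of nodectl or of the original documentation. They audit the top level of the Node Administrator's home directory for p12 keystores that were staged for download and never removed, which is the condition --cleanup is meant to prevent. The function names, the script name audit_p12.sh and the 60-minute threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of nodectl. Audits the top level of a home directory
# for p12 keystores left behind after a prepare_file_download retrieval.
# Assumptions: staged copies keep the .p12 extension; stat is GNU or busybox.

# p12_findings DIR MAX_AGE_MINUTES
#   Prints "<finding> <octal mode> <age in minutes> <path>" for each regular
#   *.p12 file directly inside DIR. <finding> is one of:
#     STAGED         recent and owner-only: expected while a download is pending
#     EXPOSED        group or other permission bits are set
#     STALE          older than MAX_AGE_MINUTES, so the cleanup step was skipped
#     EXPOSED+STALE  both of the above
p12_findings() {
    pf_dir=$1
    pf_max=$2
    pf_now=$(date +%s)
    for pf_file in "$pf_dir"/*.p12; do
        # Skip an unmatched glob, directories and symlinks.
        if [ ! -f "$pf_file" ] || [ -L "$pf_file" ]; then
            continue
        fi
        pf_mode=$(stat -c '%a' -- "$pf_file")
        pf_mtime=$(stat -c '%Y' -- "$pf_file")
        pf_age=$(( (pf_now - pf_mtime) / 60 ))
        pf_finding=STAGED
        case $pf_mode in
            *00|0) ;;                    # no group/other bits (e.g. 600, 400)
            *)     pf_finding=EXPOSED ;;
        esac
        if [ "$pf_age" -gt "$pf_max" ]; then
            if [ "$pf_finding" = EXPOSED ]; then
                pf_finding=EXPOSED+STALE
            else
                pf_finding=STALE
            fi
        fi
        printf '%s %s %s %s\n' "$pf_finding" "$pf_mode" "$pf_age" "$pf_file"
    done
}

# p12_overdue_count DIR MAX_AGE_MINUTES
#   Prints how many keystores are EXPOSED and/or STALE.
p12_overdue_count() {
    p12_findings "$1" "$2" | awk '$1 != "STAGED" { n++ } END { print n + 0 }'
}

# Stand-alone use (hypothetical script name): sh audit_p12.sh /home/nodeadmin 60
# Exits non-zero when at least one keystore is exposed or stale.
if [ "$#" -ge 1 ]; then
    p12_findings "$1" "${2:-60}"
    [ "$(p12_overdue_count "$1" "${2:-60}")" -eq 0 ]
fi
```

Any line reported here, including STAGED ones, is a keystore copy that should be removed with --cleanup once the download has been confirmed.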
The send_logs command uploads logs to assist with debugging analysis. It may be used to gather log files to send to Administrators, Developers, or System Engineering for dissection, in order to improve the code base.
The command will upload to a file share service with an expiry date for download.
During the execution you will be offered a menu to upload:
current logs
singular - will offer a choice of nodectl or app log.
all - will offer ability to accumulate and upload all logs including rolling and archived logs.
Once you follow the prompts, a gzipped tarball will appear in the uploads directory and the system will offer you the ability to upload the results to a public file transfer service (not supported by Constellation Network).
Examples
Help screen
Execute a log preparation for upload
The show_dip_error command is designed to help identify the root cause error that was logged prior to the node being placed in a state where it is stuck in WaitingForDownload.
Examples
Help screen
Execute show_dip_error.
The show_profile_issues command is designed to help identify possible causes for connection errors. It will review the node's log file and attempt to categorize the resulting errors in the order of importance.
Examples
Help screen
Execute show_profile_issues.
The show_service_log command is designed to help identify possible causes for service errors. It will review the service log of a given profile.
This command searches the journal of the Debian-based distribution specifically for the service logs associated with the requested profile, that is, the service that launches to allow the profile to connect to its configured cluster.
Examples
Help screen
Execute show_service_log of a profile by the name of dag-l0.
The show_service_status command will review the processes running on the node, and display their current known state.
This command does not accept any options.
Examples
Help screen
Execute show_service_status.
-p is the option (profile selector)
dag-l0 is the parameter (the profile you want to review)
status
display the auto_restart and auto_upgrade feature status
no
check_pid
display the process ID of the process that is currently running the auto_restart feature.
no
--auto_upgrade
enable the auto_upgrade feature with the auto_restart service. Must be accompanied by the enable option.
no
wfd
WaitingForDownload State
wfr
WaitingForReady State
dip
DownloadInProgress State
ob
Observing State
Ready
l
Leaving State
o
Offline State
ar
ApiNotReady State (nodectl only)
anr
ApiNotResponding State (nodectl only)
10.2.2.2
The IP of another node (other) : 10.3.3.3
The IP of another node (other) : 10.4.4.4
Help menu
--id
<node_id>
nodectl will check the node ID supplied instead of the localhost.
no
--brief
Offer output in a more simplified form.
no
--file
<path_to_csv_file>
option is requested the consensus will be checked against the file that contains at least one node ID public key or multiple node IDs formatted in one line per node ID public key. The --file command cannot coincide with the -w option.
no
--restart
Once the Starchiver-Extractor is complete, automatically restart the node's profile.
no
DownloadInProgress state
number of nodes in WaitingForReady state
number of nodes in Ready state
ATH
All Time High price of the token
-c
None
count the peers on the network.
no
-np
None
no pagination.
no
--csv
None
create csv (comma separated values) output file instead of print out to the screen.
no
--output
<file_name>
requires --csv --> this can only be a filename. If you would like to have your output saved to an alternate location, you can update the configuration file's upload location, via the configure command.
no
--basic
None
show only the ip address and public port.
no
--extended
None
show full node ID and dag address.
no
abcd1234....efgh4567
DAG wallet (shortened)
DAG12345...78910111
o
Offline State
-np
None
no pagination.
no
--csv
None
create csv (comma separated values) output file instead of printing output to the screen.
no
--output
<file_name>
requires --csv --> this can only be a filename. If you would like to have your output saved to an alternate location, you can update the configuration file's upload location, via the configure command.
no
Current Session
What is the session number being reported on the cluster.
Found Session
What is the session number seen by the node. If it does not match the Current Session, the node is not properly connected to the actual cluster.
On Network
Shows True or False if the node is found on the cluster.
The apt update and apt upgrade commands will be executed through nodectl, eliminating the need for the user to run them directly from the Linux distribution.
-b
if the brief option is included a detailed view of the wallet transactions will be excluded from the command's output.
no
-np
By default, the dag command will paginate the output, the -np flag will force no pagination during command output printing.
no
--csv
Export the file to default dated file name to the default uploads (see configuration file) or based on the --output option (below).
no
--output
<file_name>
requires --csv --> this can only be a filename. If you would like to have your output saved to an alternate location, you can update the configuration file's upload location, via the configure command.
no
$DAG Price
Current value of a $DAG token in USD
-cb
automatically c)onfirm that we understand the location of the b)ackup and that it was backed up. nodectl wants to make sure you know that there is a copy of your configuration on the node for security purposes.
no
-n
enter directly into new configuration mode.
no
--confirm
Auto confirm default options.
optional
--override
Install nodectl over itself, do not remove existing files prior to installation.
optional
--username
<user_name>
Set up your new node with the supplied username versus the default username of nodeadmin.
optional
--user-password
<string>
Set up your new node with the following VPS username password. You will not be prompted for it during the installation.
optional
--p12-name
<string>
Set up your new node with the following p12 keystore name, versus the default p12 name of nodeadmin.p12.
optional
--p12-passphrase
<string>
Set up your new node with the following p12 keystore passphrase. You will not be prompted for it during the installation.
optional
--p12-alias
<string>
Set up your new node with the following p12 keystore alias, versus the default alias of nodeadmin-alias.
optional
--p12-destination-path
<path-to-directory>
Set up your new node to place the newly created p12 keystore in the fully qualified path location provided, versus the default location equal to /home/<username>/tessellation/.
optional
--p12-migration-path
<path-to-directory-and-file>
Set up your installation to migrate in an existing p12 keystore file. This should include the full path to the file and the file name.
optional
--ni
When used in conjunction with a required option, this will force the feature into non-interactive mode by-passing any questions and instead using the default options/answers
no
-f
follow the log line by line. New lines are shown as user or program initiated activity writes them to the log file being monitored. To cancel out of the "-f" command, hold the control (ctrl) key on your keyboard and press the c key.
no
--cleanup
file <path/tofile>
This option is recommended after the file has been properly downloaded and can now be removed from the local system administrator's account. If used with --type p12, this command does not need the <path_to_file> and will remove all p12 files located in the root of the Node Administrator's home directory.
no
specific date logs
date range logs
archived logs
getting_started
None
>v2.14.0
-p
<profile_name>
starts the service related to the profile name supplied.
yes
-p
<profile_name>
stops the service related to the profile name supplied.
yes
--leave | -l
none
You may use -l or the long option --leave to force a leave against a cluster (recommended) in the event that the profile's cluster is in a state where it is recommended to leave the cluster first.
no
-p
<profile_name> | all
restarts the service related to the profile name in question.
yes
--slow-restart
functions similarly to the restart command, but with a deliberate 10-minute delay (600 seconds) built into the process.
The --slow-restart option is designed to help resolve issues where a node is:
Stuck in an undesirable or unstable state
Unresponsive to cluster activity
Experiencing other unexpected behavior.
no
--restart-only
None
Use --restart-only when you want to restart a profile’s service without immediately rejoining the cluster. This is useful for performing maintenance or troubleshooting before re-establishing cluster participation. After execution, the profile will end in a ReadyToJoin state.
-p
<profile_name>
leaves the cluster related to the profile parameter supplied.
yes
-p
<profile_name>
join the cluster related to the profile name parameter supplied.
yes
enable
enable the auto_restart feature.
no
disable
disable the auto_restart feature.
no
restart
disable and then enable the auto_restart feature
clean_files
-cf
>v2.7.x
-t
<log_type>
enter the log type that is desired.
yes
logs
clear logs located in the default or specified log directories. Logs command handles json_logs and archived logs.
uploads
clear uploads located in the default or specified log directories.
backups
clear backups located in the default or specified log directories.
check_minority_fork
-cmf
>v2.12.0
-p
<profile_name>
which cluster related to the profile name in question do we want to review.
yes
check_connection
-cc
>v1.x.x
-p
<profile_name>
which cluster related to the profile name in question do we want to review.
yes
-s
<ip_address or hostname>
identify a source node to use specifically by the check_connection command, to test against the edge node.
no
-e
<ip_address or hostname>
identify an edge node to compare against the source node.
*
Indicates the ip searched against was either the edge and source ip
i
Initial State
rtj
ReadyToJoin State
ss
StartingSession State
s
SessionStarted State
rtd
ReadyToDownload State
check_consensus
-con
>v2.12.0
-p
<profile_name>
which cluster related to the profile name in question do we want to review.
no
-s
<ip_address>
nodectl will check the ip address supplied instead of the localhost.
no
-w
<seconds>
watch mode: nodectl will continuously check if the node is in consensus every X seconds, until q is pressed to exit watch mode.
check_source_connection
-csc
>v1.x.x
-p
<profile_name>
which cluster related to the profile name in question do we want to review.
yes
Full Connection
Both the source node picked by nodectl and the local edge node that executed the check_source_connection command can see each other True or cannot False.
Profile
The profile that this command was run against.
Source -> State
Can the SOURCE node see the edge node True or False. The source node's state is in Ready state.
Edge -> State
Can the EDGE node see itself True or False. The edge node's state is in Ready state.
check_seedlist
-csl
>v2.x.x
-p
<profile_name>
related to the profile to verify access permissions.
yes
-id
<node_id>
node ID of the node you would like to verify seed list participation (if not local to the node)
no
ip address
The ip address of the node in question
p12 filename
The name of the p12 file on the local node
p12 location
The location of the p12 file on the local node
node ID
The p12 public key ( node ID ).
node ID found on seed list
This will be a True or False. In the event of a False please contact an administrator on the Constellation Network official Discord server.
check_seedlist_participation
-cslp
>2.7.x
-p
<profile_name>
related to the profile to verify access permissions.
yes
-t
<seconds>
How long would you like to sniff each of the TCP ports found? default 10 seconds.
no
console | mobile
>v2.15.0
download_status
-ds
>v2.10.0
-p
<profile_name>
monitor the cluster that relates to the requested profile.
no
--estimate
This is a developer_mode option that will attempt to estimate how much time is left before the DownloadInProgress stage may complete.
no
execute_starchiver
>v2.13.0
-d
Delete all snapshots before continuing.
no
-o
Override any snapshots as necessary.
no
--datetime
<datetime_stamp>
If you do not include a parameter after the --datetime option, Starchive-Extractor will automatically attempt to determine what date and time is best to begin the archival downloads. Omitting a <datetime_stamp> is recommended.
find
>v1.x.x
-s
<source_node>
Node on the cluster you want to use to lookup other nodes.
no
-t
<target_node>
Node on the cluster (ip address, hostname, or node ID) you want to look up on the cluster.
no
ok
Falls within normal operating parameters
low
Falls outside of normal operating parameters - minimum
warn
Falls outside of normal operating parameters - upper threshold
15M CPU
Average usage of CPU over 15 minute intervals.
Disk Usage
How much hard drive (DISK) space is in use.
Uptime Days
How long the operating system has been running since the last boot/reboot.
Memory
RAM usage.
Swap
SWAP space HD usage.
Profile Name
Name of the profile on display as defined by the cn-config.yaml.
Profile Description
Node Operator defined description of the profile.
Public API TCP
The TCP port configured that is open to the public for API calls.
P2P API TCP
The TCP port configured that is used for gossip peer to peer API communications.
CLI API TCP
The TCP port configured that is used for internal API calls only.
Rank
Ranking 1 Best, > x+1 Worst
Name
Token name
Symbol
Token symbol
Price
Current price at time of execution.
Market Cap
Market Capitalization
Total Supply
Total supply of tokens
-p
<profile_name>
The profile name to review in order to locate the latest downloaded snapshot.
yes
-p
<profile_name>
review the cluster that relates to the requested profile.
yes
-t
<target_node>
Node on the cluster (ip or hostname) that you would like to use as your target (The node to use as reference.) for finding peers.
no
--state
<dip, ob, wfd, wfr, wfo, wfd>
filter the peers output to only nodes that are in the requested cluster state: dip: DownloadInProgress, ob: Observing, wfr: WaitingForReady, wfo: WaitingForObserving, wfd: WaitingForDownload
*
Indicates the ip found was either the edge and source ip as indicated by the -t option or the node that was randomly selected when the command was executed.
i
Initial State
rtj
ReadyToJoin State
ss
StartingSession State
l
Leaving State
s
SessionStarted State
$DAG
Constellation Network
$LTX
Lattice Exchange
$DOR
Dor Technologies
$BTC
Bitcoin
$ETH
Ethereum
$QNT
check_source_connection
-rtb
>v1.x.x
quick_status
-qs
>2.9.x
-p
<profile_name>
supply profile name parameter to show quick_status.
no
-w
<seconds>
watch command. will continuously check the status of your node until q is pressed. Note: You should not use the ctrl-c to exit as it may cause your keyboard to stop echoing output to your terminal. If this does happen, you can simply exit the terminal session and log back in to correct the display issues.
no
Log Errors
How many ERROR statements were found.
Access Accepted
Count of how many logins were requested and accepted.
Access Denied
Count of how many Invalid logins were found.
Max Exceeded
Count of how many Invalid logins were blocked due to excessive attempts.
Port Range
The minimum and maximum of the port range identified for the denied attempts.
Since
The creation date of the last auth.log that was reviewed.
show_cpu_memory
-scm
>v2.13.x
CURRENT CPU
The averaged results of all iterations.
CURRENT MEMORY
The averaged results of all iterations.
CPU
Is there a PROBLEM with the CPU utilization or is the utilization OK
MEMORY
Is there a PROBLEM with the memory utilization or is the utilization OK
THRESHOLD
The current percentage that may be utilized on the system before changing the value of the CPU or MEMORY header from OK to PROBLEM.
Individual Iterations Results
Static values found before averaging the results
show_current_rewards
-scr
>v2.x.x
-p
<profile_name>
review the cluster related to the profile name in question.
yes
-w
<dag_wallet_address>
DAG wallet on the cluster. Use this option if you are interested in an alternative node that is not the local node.
no
-s
<snapshot_history_size>
default: 50, The amount of snapshots to review.
show_node_proofs
-snp
>v2.10.x
-p
<profile_name>
which profile are you attempting to display the current node proofs from.
required
-ni | --ni
none
By default, the dag command will paginate the output, the -np flag will force no pagination during command output printing.
no
show_node_states
-sns
>2.x.x
ApiNotReady
ar
shown if nodectl can not reach the node's internal API server.
ApiNotResponding
anr
show if the node running Tessellation is unable to send or receive API requests.
SessionNotFound
snf
shown if nodectl can not read the node's session via the internal API server.
SessionIgnored
si
shown if nodectl is not online and there is not a session to display.
status
-s
>1.x.x
-p
<profile_name>
supply profile name parameter to show status.
no
-w
<seconds>
watch command. will continuously check the status of your node until q is pressed. Note: You should not use the ctrl-c to exit as it may cause your keyboard to stop echoing output to your terminal. If this does happen, you can simply exit the terminal session and log back in to correct the display issues. Available in version >v2.9.0
no
Service
What is the status of the service that runs this profile.
Join State
The state that the node is seen by the cluster when online.
Profile
Which profile is being reported on.
Public API TCP
The TCP port configured that is open to the public for API calls.
P2P API TCP
The TCP port configured that is used for gossip peer to peer API communications.
CLI API TCP
The TCP port configured that is used for internal API calls only.
sync_node_time
>2.14.x
-v
none
Sync the node's time in verbose mode.
no
update_seedlist
-usl
v2.x.x
-p
<profile_name>
which profile are you seeking the update seed list.
yes
update_version_object
v2.x.x
-v
This option can be used to verify that the contents of the versioning object are valid and contain the proper key pair values.
optional
--force
The version object will not be updated if it has already been updated within the last 2 minutes from when the command was issued. If the --force option is utilized, the version object file will be forced to update regardless of timing.
optional
--print
This option will print the contents of the version object to the console.
PUBLIC KEY
The publicly available key used to decrypt the signature file that was created by a private key. The private key is owned by Constellation Network and not available or accessible.
BINARY HASH
The hash created by using the public key to hash the nodectl binary.
DIGITAL SIGNATURE
A copy of the hash value that should be identical to the BINARY HASH if the nodectl binary is valid.
VERIFICATION RESULT
This will either be a green success or red failure.
--port
<port number>
Which port number would you like to change your SSH port for use?
yes
warm boot
restart your entire system via software
cold boot
physical start and stop of your Server or VPS
upgrade_vps
v2.14.x
--ni
Issue an upgrade in non-interactive mode. nodectl will not ask any questions and will automatically select the default recommended options. This does not apply to options marked in purple boxes.
no
--reboot
Force nodectl to reboot the node (if required) without interaction from the Node Operator.
no
uptime
v2.14.x
-p
<profile_name>
The profile to review the uptime parameters from.
no
Cluster
How long the cluster the profile(s) are connected to has been up.
Node
How long has the node been on the cluster for the given profile(s).
System
How long has the VPS been up and running.
-p
<profile_name>
In order to use the -id option, nodectl will need to know which profile to review the node ID from.
no
-id
<full_node_id>
p12 public key node ID to lookup.
no
create_p12
>v2.12.0
--file
<string>
What would you like to call the new p12 keystore file?
no
--location
<file_path>
which profile are you seeking the update seed list.
no
-p
<profile_name>
which profile are you seeking the wallet information from.
yes
-w
<dag_wallet>
retrieve remote by target wallet address.
no
--balance
Noe
show balance of DAG wallet only
IP ADDRESS
External IP address of the node
P12 Filename
Name of the p12 private key file that details were extracted from
P12 Location
Directory location of the p12 file that details were extracted from
DAG Address
DAG address extracted from the p12 file requested
$DAG Balance
Balance of DAG tokens found connected to this wallet
$USD Value
$DAG Balance converted to USD
Timestamp
The snapshot timestamp
Ordinals
The ordinal of the snapshot
Rewards
$DAG reward found for this wallet in the snapshot data
Total Rewards
Accumulation of the rewards found during this period of time
-p
<profile_name>
which profile are you seeking the private key from.
yes
nodeid
id
>v2.x.x
-p
<profile_name>
which profile are you seeking the nodeid from.
yes
-t
<ip_address>
retrieve remote by target IP address.
no
-l
Display the node ID in long format.
None
<node_id>
128 byte node ID (public key) to derive DAG wallet from.
yes
show_p12_details
-spd
>v2.12.x
-p
<profile_name>
which profile are you seeking the private keystore details from.
yes
-a
enable advanced mode.
no
-e
enter directly into edit configuration mode for existing configurations.
no
-ep
enter directly into edit profile configuration mode for existing configurations. >v2.9.0
--normal
If this option is supplied, during the interactive installation process, nodectl will skip the request to utilize the --quick-install option and confirm a normal installation only.
optional
--quick-install
If this option is supplied, during the interactive installation process, nodectl will skip the request to utilize the --normal option and confirm a quick-install installation only.
optional
--cluster-config
mainnet, integrationnet, testnet, dor-metagraph-mainnet
Setup your new node to connect with one of the several pre-defined configurations.
ipv6
>v2.15.x
status
Show the status of the IPv6 network stack on the VPS.
yes
enable
Enable IPv6 on the VPS.
yes
disable
Disable IPv6 on the VPS.
-w
watch mode. This creates an upgrade that is less verbose, and saves time by not forcing the Node Operator to wait for all peer to peer connections to be established, instead once the node reaches a state where it is able to participate on the network, nodectl will skip watching for the remaining peers to connect and simply and safely continue the upgrade process, therefore saving time.
no
--pass
<passphrase>
If the Node Operator chose to hide their passphrase by excluding it from the configuration file, you will need to supply it at the command line using this option.
no
--ni
Non-Interactive. If you want to use the upgrade command with all the defaults chosen, nodectl will not ask any interactive questions.
upgrade_nodectl
N/A
>v2.7.x
-v
<version>
statically set the version you would like to upgrade or downgrade to.
no
upgrade_path
-up
>v2.7.x
validate_config
-val
>v2.7.x
view_config
-vc
>v2.7.x
-np
By default, the view_config command will paginate the output, the -np flag will force no pagination during command output printing.
no
check_versions
-cv
>v2.x.x
Tess installed
What version of Tessellation was found on the node.
Tess latest
What version of Tessellation was found in the current repository.
Tess version match
Does the node match up to the repository?
nodectl installed
What version of nodectl was found on the node.
nodectl latest
What version of nodectl was found in the current repository.
nodectl version match
Does the node match up to the repository?
display_snapshot_chain
>v2.14.0
-p
<profile_name>
Identify the appropriate layer0 profile to check against. nodectl will offer a list of known profiles if not supplied.
no
-y
automatically confirm the request to check the snapshot chain
no
logs
log
-p
<profile_name>
The name of the profile. This is important because (for example) the app.log shares the same log name for each profile. The Node Operator will need to specify which profile to review.
yes
-l
<log_name>
Name of the log that you would like to review. see log types
yes
-g
<word>
filter out (grep) the word <word>. This is case insensitive.
app
http
nodectl
prepare_file_download
>v2.14.x
--type
<p12_file>
This option will locate all p12 files associated with your node. If the optional -p parameter is included with the command, only the p12 associated with the profile requested will be moved and setup for access.
yes
file <path/tofile>
This option will locate the file on our node identified by the succeeding path, move the file, and setup access.
yes
-p
<profile_name>
Used in conjunction with the --type p12 option, this will allow you to retrieve the p12 file associated specifically with the profile requested.
send_logs
-sl
>v2.x.x
-p
<profile_name>
which profile are you attempting to glean logs from.
no
show_dip_error
-sde
>v2.10.x
-p
<profile_name>
which profile are you attempting to glean logs from.
required
show_profile_issues
None
>v2.14.x
-p
<profile_name>
Which profile are you attempting to review for issues.
yes
Profile
profile used to lookup error(s).
Error
What error was found?
Possible Cause
What is the most common or likely reason for this error?
Result
Possible result of this error message.
Time
Timestamp of the error in question.
show_service_log
None
>v2.14.x
-p
<profile_name>
Which profile are you attempting to review for service issues.
yes
show_profile_status
None
>v2.14.x
Owner
What profile on the node owns the process being displayed.
PID
Process ID of the service as assigned by the Debian systemd system manager, used to handle the logging and various utilities for the assigned process.
Status Code
The code returned by the systemd manager. These codes can be standard codes or custom codes for a particular process in use.
Status
Human friendly translation of the status code.
0
What profile on the node owns the process being displayed.
256
Process exited with error.
768
Process not running.
active
running.
inactive
not running (dead).
no
no
no
no
no
no
Quant Network
no
optional
no
no
no
optional
yes
no
no
no
sudo nodectl <command> <option>
sudo nodectl status -p dag-l0
sudo nodectl status -p dag-l0
sudo nodectl peers -np
sudo nodectl -option1 parameter1 -option2
sudo nodectl -option2 -option1 parameter1
sudo nodectl getting-started
sudo nodectl help
NODECTL INSTALLED: [v2.7.1]
TESSELLATION INSTALLED: [v2.8.0]
Code Name: Princess Warrior
----------------------
sudo nodectl status help
sudo nodectl start -p dag-l0 help
sudo nodectl start -p dag-l0
sudo nodectl stop help
sudo nodectl stop -p dag-l0
sudo nodectl stop -p dag-l0 --leave
sudo nodectl restart -p dag-l0 help
sudo nodectl restart -p all
sudo nodectl restart -p dag-l0
sudo nodectl restart --restart-only -p dag-l0
sudo nodectl leave -p dag-l0 help
sudo nodectl leave -p dag-l0
sudo nodectl join -p dag-l0 help
sudo nodectl join -p dag-l0
sudo nodectl configure -e -cb -d
sudo nodectl auto_restart help
sudo nodectl auto_upgrade help
sudo nodectl auto_restart enable
sudo nodectl auto_restart enable --auto_upgrade
sudo nodectl auto_restart disable
sudo nodectl auto_restart restart
sudo nodectl auto_restart check_pid
sudo nodectl auto_restart status
sudo nodectl clean_files help
sudo nodectl clean_files -t logs
sudo nodectl -cf -t logs
sudo nodectl check_minority_fork help
sudo nodectl -cmf help
sudo nodectl check_minority_fork -p dag-l0
sudo nodectl check_connection help
sudo nodectl check_connection -p dag-l0
sudo nodectl check_connection -p dag-l0 -e 10.3.3.3
sudo nodectl check_connection -p dag-l0 -s 10.3.3.3 -s 10.4.4.4
sudo nodectl check_consensus help
sudo nodectl -con help
sudo nodectl check_consensus -p dag-l0
sudo nodectl check_consensus -p dag-l0 -s 10.10.10.10
sudo nodectl check_consensus -p dag-l0 --file /tmp/test.csv
sudo nodectl check_consensus -p dag-l0 --brief
sudo nodectl check_consensus -p dag-l0 --brief -w 120
States: Initial, ReadyToJoin, StartingSession, SessionStarted,
ReadyToDownload, WaitingForDownload, DownloadInProgress, Observing,
WaitingForReady, WaitingForObserving, Ready, Leaving,
Offline, ApiNotReady, SessionIgnored, SessionNotFound,
Source: Server this node is joined to
Edge: This node
Note: If the SOURCE is on a different network it will show ApiNotReady
FULL CONNECTION PROFILE
True dag-l0
SOURCE -> STATE EDGE -> STATE
True | Ready True | Ready
Node restart service does not need to be restarted because pid [4157840] was found already.
sudo nodectl check_source_connection help
sudo nodectl check_source_connection
sudo nodectl check_seedlist help
sudo nodectl check_seedlist
sudo nodectl check_seedlist_participation help
sudo nodectl check_seedlist_participation -p <profile_name>
sudo nodectl execute_starchiver help
sudo nodectl execute_starchiver -p <profile_name> --datetime --restart
sudo nodectl find help
sudo nodectl find -p <profile_name>
sudo nodectl find -p <profile_name> -s <source_ip_host>
sudo nodectl find -p <profile_name> -s <source_ip_host> -t <target_ip_host>
sudo nodectl find -p dag-l0
sudo nodectl find -p dag-l0 -s 10.2.2.2 -t 10.1.1.1
sudo nodectl find -p dag-l0 -t <node ID>
sudo nodectl find -p dag-l0 -s 10.2.2.2
sudo nodectl find -p dag-l0 -s 10.2.2.2 -t 10.1.1.1
sudo nodectl find -p dag-l0 -s self -t 10.2.2.2
sudo nodectl find -p dag-l0 -s 10.2.2.2 -t self
sudo nodectl find -p dag-l0 -s 10.2.2.2 -t 10.1.1.2
sudo nodectl health help
sudo nodectl health
sudo nodectl list help
sudo nodectl list
sudo nodectl node_last_snapshot -p dag-l0 help
sudo nodectl node_last_snapshot -p dag-l0
sudo nodectl peers help
sudo nodectl peers -p <profile_name>
sudo nodectl peers -p <profile_name> -t self
sudo nodectl peers -p <profile_name> -t <ip_address or hostname>
sudo nodectl peers -p <profile_name> -c
sudo nodectl peers -p <profile_name> -t <ip_address or hostname> -c
sudo nodectl peers -p dag-l0
sudo nodectl peers -p dag-l0 --basic
sudo nodectl peers -p dag-l0 --extended
sudo nodectl peers -p <profile_name> --csv
sudo nodectl peers -p <profile_name> --csv --output test.csv
sudo nodectl price help
sudo nodectl price
sudo nodectl refresh_binaries help
sudo nodectl refresh_binaries
sudo nodectl quick_status help
sudo nodectl quick_status
sudo nodectl quick_status -p dag-l0
LOG ERRORS   ACCESS ACCEPTED   ACCESS DENIED   MAX EXCEEDED   PORT RANGE
10           31                41              39             1024-4000
sudo nodectl sec help
sudo nodectl sec
sudo nodectl show_cpu_memory help
sudo nodectl -scm help
sudo nodectl show_cpu_memory
sudo nodectl show_current_rewards help
sudo nodectl -scr help
sudo nodectl show_current_rewards
sudo nodectl show_current_rewards -p <profile_name>
sudo nodectl show_current_rewards -w <dag_address>
sudo nodectl show_current_rewards --csv
sudo nodectl show_current_rewards --csv --output test.csv
sudo nodectl show_node_proofs help
sudo nodectl -snp help
sudo nodectl show_node_proofs -p <profile_name>
sudo nodectl -snp -p <profile_name>
sudo nodectl show_node_proofs -p <profile_name> --ni
sudo nodectl -snp -p <profile_name> --ni
sudo nodectl show_node_states help
sudo nodectl show_node_states
sudo nodectl -sns
sudo nodectl status help
sudo nodectl status
sudo nodectl status -p dag-l0
sudo nodectl sync_node_time help
sudo nodectl sync_node_time
sudo nodectl sync_node_time -v
sudo nodectl update_seedlist help
sudo nodectl update_seedlist
sudo nodectl update_version_object help
sudo nodectl update_version_object --force
sudo nodectl update_version_object -v
sudo nodectl update_version_object --print
sudo nodectl verify_nodectl
sudo nodectl change_ssh_port help
sudo nodectl change_ssh_port --port 4242
sudo nodectl disable_root_ssh
sudo nodectl enable_root_ssh
sudo nodectl reboot help
sudo nodectl reboot
sudo nodectl upgrade_vps help
sudo nodectl upgrade_vps
sudo nodectl upgrade_vps --ni
sudo nodectl upgrade_vps --reboot
sudo nodectl uptime help
sudo nodectl uptime
sudo nodectl uptime -p dag-l0
sudo nodectl whoami help
sudo nodectl whoami
sudo nodectl whoami -p <profile> -id <node_id>
sudo nodectl create_p12 help
sudo nodectl create_p12
sudo nodectl create_p12 --file test.p12 --location /tmp/my_new_p12_files/
sudo nodectl dag -p dag-l0 help
sudo nodectl dag -p dag-l0
sudo nodectl dag -w DAG0911111111111111111111111111111111111 -p dag-l0
sudo nodectl dag -p dag-l0 -b
sudo nodectl dag -p dag-l0 -np
sudo nodectl export_private_key help
sudo nodectl export_private_key -p <profile_name>
sudo nodectl nodeid help
sudo nodectl nodeid
sudo nodectl nodeid -t 113.113.113.113
sudo nodectl nodeid2dag help
sudo nodectl nodeid2dag <node_id>
sudo nodectl passwd12 help
sudo nodectl passwd12
sudo nodectl show_p12_details help
sudo nodectl show_p12_details -p dag-l0
sudo nodectl -spd -p dag-l0
sudo nodectl configure help
sudo nodectl configure
sudo nodectl configure -n
sudo nodectl configure -e
sudo nodectl configure -a -e
sudo nodectl configure -a -e -cb
sudo nodectl install
sudo nodectl install --normal
sudo nodectl install --quick-install
sudo nodectl install --user bob --password mypassword
sudo nodectl install --quick-install --user bob --password mypassword
sudo nodectl install --quick-install --user bob --password mypassword --p12-name myp12name.p12 --p12-passphrase myp12passphrase --p12-alias myp12aliasname
sudo nodectl install --quick-install --user bob --password mypassword --p12-passphrase myp12passphrase --p12-alias myp12aliasname --p12-migration-path /home/ubuntu/myp12migrationfile.p12
sudo nodectl ipv6 help
sudo nodectl ipv6 status
sudo nodectl ipv6 enable
sudo nodectl ipv6 disable
sudo nodectl restore_config help
sudo nodectl restore_config
sudo nodectl uninstall help
sudo nodectl uninstall
sudo nodectl upgrade_nodectl help
sudo nodectl upgrade_nodectl
sudo nodectl upgrade_path help
sudo nodectl upgrade_path
sudo nodectl check_versions help
sudo nodectl check_versions
sudo nodectl logs -p <profile_name> <log_name> [-g <grep_value>] [-f]
sudo nodectl logs -p dag-l0 -l app -g error -f
sudo nodectl logs -l nodectl
sudo nodectl prepare_file_download help
sudo nodectl prepare_file_download --type p12
sudo nodectl prepare_file_download --type p12 -p dag-l0
sudo nodectl prepare_file_download --type file /var/tessellation/uploads/mylogs.tar.gz
sudo nodectl prepare_file_download --type p12 --cleanup
sudo nodectl prepare_file_download --type file mylogs.tar.gz --cleanup
sudo nodectl send_logs help
sudo nodectl -sl help
sudo nodectl send_logs -p <profile_name>
sudo nodectl -sl -p <profile_name>
sudo nodectl show_dip_error help
sudo nodectl -sde help
sudo nodectl show_dip_error -p <profile_name>
sudo nodectl -sde -p <profile_name>
sudo nodectl show_profile_issues help
sudo nodectl show_profile_issues -p <profile_name>
sudo nodectl show_service_log help
sudo nodectl show_service_log -p dag-l0
sudo nodectl show_service_status help
sudo nodectl show_service_status
sudo nodectl upgrade_nodectl -v v2.15.2