Operating a node
This page explains how to set up and run a builder node.
If you would like to participate as an operator, please fill out this form to register your interest.
System requirements
- Intel TDX-capable CPU
- 16 cores
- 32 GiB RAM
- 2 TB disk storage, min 30K IOPS read/write, 1200MiB/s sequential read/write
- 1 Gbps Internet access
Cloud hosting
Currently only Microsoft Azure is supported for hosting, since it is the only provider with end-to-end working TEE attestation. We are actively working with Google, OVH and other providers, and expect to expand the list of supported cloud providers soon.
Microsoft Azure Cloud
For Azure, we recommend the Standard_EC16es_v5 instance type. You'll need to request a quota for "Standard ECEV5 Family vCPUs" (16 vCPUs).
The Azure infrastructure can be created with this Terraform module: https://github.com/flashbots/terraform-module-azure-confidential-vm
Notes on the setup:
- Storage account: no redundancy necessary
- Disk:
  - 2TB Premium SSD v1 (not v2!) with toggled "Performance Plus" and read-only host cache
  - Need to support 20k IOPS read/write, 900MiB/s sequential read/write
Bare metal hosting
Bare metal hosting is not yet supported. We are currently working with providers including Google and OpenMetal to resolve any remaining issues with measurements, attestations and BIOS upgrades. We expect bare-metal hosting to be available in the near future (Q3/4 2025).
This presentation contains more details about the challenges of TDX attestations on bare-metal servers.
Securing the Operator API
After initial startup of the instance, you need to secure the Operator API by setting a password:
curl -k -v --data "<PASSWORD>" https://<INSTANCE_IP>:3535/api/v1/set-basic-auth
Store the password in a safe place. If it is lost, the instance is not recoverable, and you will need to redeploy the instance.
You can update the password at any time by running the same command with a new password and the old auth secret:
curl -k -v --user "admin:<OLD_PASSWORD>" --data "<NEW_PASSWORD>" https://<INSTANCE_IP>:3535/api/v1/set-basic-auth
Now ensure it works by testing the /logs API call:
curl -k --user "admin:<PASSWORD>" https://<INSTANCE_IP>:3535/logs
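The three calls above put the password on the command line, where it lands in shell history and is visible in the process list. The following added example (not part of the original documentation or the project's own tooling) wraps the same endpoints so the secret is read from an owner-only file and passed to curl over stdin. The function names and the password file location are assumptions, and it generates alphanumeric passwords only so that no escaping is needed in the curl config line.

```sh
#!/bin/sh
# Added example: Operator API password handling without exposing the secret
# in shell history or process arguments. File paths are caller-chosen.

OPERATOR_PORT=3535   # port used in this page's commands

# Random alphanumeric password (default 32 chars); alphanumerics need no
# escaping inside a curl config file.
gen_password() {
  head -c 256 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-"${1:-32}"
}

# Write a fresh password to $1, readable by the owner only.
store_password() {
  ( umask 077; gen_password > "$1" ) && chmod 600 "$1"
}

# Emit a curl config line for `curl -K -`, so credentials arrive on stdin.
auth_config() {
  printf 'user = "admin:%s"\n' "$(cat "$1")"
}

# Initial setup: $1 = instance IP, $2 = password file.
# `--data @file` reads the body from the file and strips the newline.
set_initial_password() {
  curl -k --fail -sS --data @"$2" \
    "https://$1:$OPERATOR_PORT/api/v1/set-basic-auth"
}

# Rotation: $1 = instance IP, $2 = old password file, $3 = new password file.
rotate_password() {
  auth_config "$2" | curl -k --fail -sS -K - --data @"$3" \
    "https://$1:$OPERATOR_PORT/api/v1/set-basic-auth"
}

# Verify the credentials against /logs: $1 = instance IP, $2 = password file.
check_logs() {
  auth_config "$2" | curl -k --fail -sS -K - "https://$1:$OPERATOR_PORT/logs"
}
```

Run `store_password` before the first `set_initial_password` call and back the file up immediately, since a lost password means redeploying the instance.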
Metrics and dashboards
Builder nodes provide metrics in Prometheus format.
Grafana dashboard downloads: