Installing Canton¶
This guide will guide you through the process of setting up your Canton nodes to build a distributed Daml ledger. You will learn
- How to setup and configure a domain
- How to setup and configure one or more participant nodes
Note
As no topology is the same, this guide will point out different configuration options as notes wherever possible.
The guide assumes that you have followed the download instructions in order to obtain your copy of the Community or Enterprise edition of Canton.
This guide uses the example configurations you can find in the release bundle under example/03-advanced-configuration
and explains you how to leverage these examples for your purposes. Therefore, any file named in this guide
will refer to subdirectories of the advanced configuration example.
Your Topology¶
The first question we need to address is what the topology is that you are going after. The Canton topology is made up of parties, participants and domains, as depicted in the following figure.
The Daml code will run on the participant node and expresses smart contracts between parties. Parties are hosted on participant nodes. Participant nodes will synchronise their state with other participant nodes by exchanging messages with each other through domains. Domains are nodes that integrate with the underlying storage technology such as databases or other distributed ledgers. As the Canton protocol is written in a way that assumes that Participant nodes don’t trust each other, you would normally expect that every organisation runs only one participant node, except for scaling purposes.
If you want to build up a test-network for yourself, you need at least a participant node and a domain.
Environment Variables¶
For our convenience in this guide, we will use a few environment variables to refer to a set of directions. Please set the environment variable “CANTON” to point to the place where you have unpacked the canton release bundle.
cd ./canton-X.Y.Z
export CANTON=`pwd`
And then set another variable that points to the advanced example directory
export CONF="$CANTON/examples/03-advanced-configuration"
Selecting your Storage Layer¶
In order to run any kind of node, you need to decide how and if you want to persist the
data. You currently have three choices: don’t persist and just use in-memory stores which will be deleted if you restart
your node, persist using H2-file based stores, or persist to Postgres
databases.
For this purpose, there are three storage mixin configurations (storage/
) defined. These storage mixins
can be used with any of the node configurations. The H2 and in-memory configurations just work out of the
box without further configuration. The Postgres based persistence will be explained in a subsequent section,
as you first need to initialise the database.
The mixins work by defining a shared variable which can be referenced by any node configuration
storage = ${_shared.storage}
storage.config.url = ${?_shared.url-prefix}"participant1"${?_shared.url-suffix}
The storage.config.url
will define the filename for the H2 persistence and the
database name for Postgres (participant1
in the above example).
If you ever see the following error: Could not resolve substitution to a value: ${_shared.storage}
, then
you forgot to add the persistence mixin configuration file.
Note
Please also consult the more detailed section on persistence configurations.
Persistence using Postgres¶
While in-memory and H2 are great for testing and demos, for more serious tasks, we recommend you to use Postgres. For this, make sure that you have a running Postgres server and you need to create one database per node. The recommended Postgres version to use is 11, as this is tested the most thoroughly.
The Postgres storage mixin is provided by the file storage/postgres.conf
.
If you just want to experiment, you can use Docker to get a Postgres database up and running quickly. Here are a few commands that come in handy.
First, pull Postgres and start it up.
docker pull postgres:11
docker run --rm --name pg-docker -e POSTGRES_PASSWORD=docker -d -p 5432:5432 postgres:11
Then, let’s define a shortcut to invoke psql
:
docker exec -it pg-docker psql -U postgres -d postgres
This will invoke psql
interactively. You can exit the prompt with Ctrl-D. If you want to just cat commands, change -it
to -i
in
above command.
Then, create a user for the database using the following SQL command
create user canton with encrypted password 'supersafe';
and create a new database for each node, granting the newly created user appropriate permissions
create database participant1;
grant all privileges on database participant1 to canton;
These commands create a database named participant1
and grant the user named canton
access to it using the
password supersafe
. These are the default unsafe settings that the storage mixins use. You can and should use
other credentials by either setting them as environment variables (inspect (storage/postgres.conf
) for details) or
by changing the configuration file directly. If you want to run also other nodes with Postgres, you need to create
additional databases, one for each.
You can reset the database by dropping then re-creating it:
drop database participant1;
create database participant1;
grant all privileges on database participant1 to canton;
Note
The storage mixin provides you with an initial configuration. Please consult the more extended documentation for further options.
Setting up a Participant¶
Now that you have made your persistence choice (assuming Postgres here), you could start your participant just by using
one of the example files such as $CONF/nodes/participant1.conf
and start the Canton process using the Postgres
persistence mixin:
$CANTON/bin/canton -c $CONF/storage/postgres.conf -c $CONF/nodes/participant1.conf
While this would work, we recommend that you rename your node by changing the configuration file appropriately.
Note
By default, the node will initialise itself automatically using the identity commands Topology Administration. As a result, the node will create the necessary keys and topology transactions and will initialise itself using the name used in the configuration file. Please consult the identity management section for further information.
This was everything necessary to startup your participant node. However, there are a few steps that you want to take care of in order to secure the participant and make it usable.
Secure the APIs¶
- By default, all APIs in Canton are only accessible from localhost. If you want to connect to your node from other
machines, you need to bind to
0.0.0.0
instead of localhost. You can do this by settingaddress = 0.0.0.0
within the respective API configuration sections. - The participant node is managed through the administration API. If you use the console, almost all requests will go through the administration API. We recommend that you setup mutual TLS authentication as described in the TLS documentation section.
- Applications and users will interact with the participant node using the ledger API. We recommend that you secure your API by using TLS. You should also authorize your clients using either JWT or TLS client certificates. The TLS configuration is the same as on the administration API.
- In the example set, there are a set of additional configuration options which allow you to define various JWT based authorizations checks, enforced by the ledger API server. The settings map exactly to the options documented as part of the Daml SDK.
Configure Applications, Users and Connection¶
Canton distinguishes static configuration from dynamic configuration. Static configuration are items which are not supposed to change and are therefore captured in the configuration file. An example is to which port to bind to. Dynamic configuration are items such as Daml archives (DARs), domain connections or parties. All such changes are effected through the administration API or the console.
Note
Please consult the section on the console commands and administration APIs.
If you don’t know how to connect to domains, onboard parties or provision Daml code, please read the getting started guide.
Setting up a Domain¶
In order to setup a domain, you need to decide what kind of domain you want to run. We provide integrations for different domain infrastructures. These integrations have different levels of maturity. Your current options are
- In-Process Postgres based domain (simplest choice)
- Hyperledger Fabric based domain
- Secure enclave based domain
- Ethereum based domain (demo)
This manual will explain you how to setup an in-process based domain using Postgres. All other domains are a set of microservices. However, in any case, you will need to operate the main domain process which is the point of contact where participants connect to for the initial handshake and parameter download. The details of how to set this up for other domains than the in-process based Postgres domain are covered by the individual documentations.
Note
Please contact us at sales@digitalasset.com to get access to the Fabric, Ethereum or enclave based integration.
The domain requires independent of the underlying ledger a place to store some governance data (or also the messages in transit in the case of Postgres based domains). The configuration settings for this storage are equivalent to the settings used for the participant node.
Once you have picked the storage type, you can start the domain using
$CANTON/bin/canton -c $CONF/storage/postgres.conf -c $CONF/nodes/domain.conf
Secure the APIs¶
- As with the participant node, all APIs bind by default to localhost. You need to bind to
0.0.0.0
if you want to access the APIs from other machines. - The administration API should be secured using client certificates as described in TLS documentation section.
- The public API needs to be properly secured using TLS. Please follow the corresponding instructions.
Next Steps¶
The above configuration provides you with an initial setup. Without going into details, the next steps would be:
- Configure who can join the domain by setting an appropriate permissioning strategy (default is “everyone can join”).
- Configure domain parameters
- Setup a service agreements which any client connecting has to sign before using the domain.
Multi-Node Setup¶
If desired, you can run many nodes in the same process. This is convenient for testing and demonstration purposes. You can either do this by listing several node configurations in the same configuration file or by invoking the Canton process with several separate configuration files (which get merged together).
$CANTON/bin/canton -c $CONF/storage/postgres.conf -c $CONF/nodes/domain.conf,$CONF/nodes/participant1.conf