SSV Mainnet Node Stack Setup
This guide deploys an SSV mainnet operator node with the official SSV Node stack. The default BlockNth flow starts ssv-key-generation, ssv-node, and ssv-dkg; it does not start Prometheus, Grafana, or Alertmanager.
Do not use plain docker compose up -d for the default setup in this guide. That command starts the full monitoring stack, including Prometheus and Grafana. Use docker compose --profile dkg up -d ssv-key-generation ssv-node ssv-dkg unless you explicitly want the monitoring services.
Prerequisites
System Requirements
- Operating System: Ubuntu 22.04/24.04 LTS x64
- CPU: 4 cores minimum
- Memory: 8GB RAM minimum
- Storage: 100GB SSD minimum for SSV data, logs, and slashing-protection database
- Docker: Docker Engine with Docker Compose plugin v2+
- Ethereum Endpoints: Reliable execution WebSocket and consensus HTTP endpoints
- Firewall: Open TCP
13001, UDP12001, and only expose API/metrics locally unless required
Network Information
| Component | Value | Description |
|---|---|---|
| Network | mainnet | SSV production network |
| Stack Repository | https://github.com/ssvlabs/ssv-stack.git | Official stack repository |
| SSV Node Image | docker.io/ssvlabs/ssv-node:latest | Image used by stack |
| SSV Node Release | v2.4.2 | Latest SSV node release checked on 2026-05-11 |
| P2P TCP | 13001 | Must be reachable by peers |
| P2P UDP | 12001 | Must be reachable by peers |
| SSV API | 16000 | Health endpoint |
| Metrics | 15000 | Bound to 127.0.0.1 by stack |
| Install Directory | /data/ssv/ssv-stack | Operational working directory used by this guide |
| Data Directory | /data/ssv/ssv-stack/ssv-node-data | Operator key, password, and SSV database |
The ssv-stack repository commit checked for this guide is 27b8159 from 2025-12-24. Re-check the official SSV docs and repository before production upgrades.
Step 1: Install Docker
sudo apt -q update
sudo apt -qy install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt -q update
sudo apt -qy install docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo systemctl enable --now docker
docker compose version
Step 2: Clone SSV Stack
sudo mkdir -p /data/ssv
sudo chown -R $USER:$USER /data/ssv
cd /data/ssv
git clone https://github.com/ssvlabs/ssv-stack.git
cd /data/ssv/ssv-stack
Step 3: Configure Environment
cp ssv.example.env ssv.env
chmod 600 ssv.env
mkdir -p ssv-node-data
Edit ssv.env and set at least these values:
BEACON_NODE_ADDR=http://YOUR_CONSENSUS_ENDPOINT:5052
ETH_1_ADDR=ws://YOUR_EXECUTION_ENDPOINT:8546
NETWORK=mainnet
PRIVATE_KEY_FILE=/data/private_key
PASSWORD_FILE=/data/password
TCP_PORT=13001
UDP_PORT=12001
SSV_API_PORT=16000
DB_PATH=/data/db
LOG_LEVEL=info
If your execution or consensus clients run on the host machine, do not blindly use 127.0.0.1 inside ssv.env; inside Docker that points at the SSV container itself. Use a reachable LAN address, reverse proxy address, or Docker host gateway configuration.
ssv.env is a secret-bearing operational file. Keep it in /data/ssv/ssv-stack/ssv.env, do not commit it, and keep NETWORK=mainnet for SSV mainnet.
Step 4: Prepare Operator Key
The stack can generate a new encrypted operator key on first start. It stores the encrypted private key and password under /data/ssv/ssv-stack/ssv-node-data.
For a new operator key:
mkdir -p ssv-node-data
docker compose run --rm ssv-key-generation
ls -la ssv-node-data
For an existing operator key, place your files before starting. If your key file is named encrypted_private_key.json, copy it into the stack data directory as private_key unless you also change PRIVATE_KEY_FILE in ssv.env:
install -m 600 /secure/path/encrypted_private_key.json ./ssv-node-data/private_key
install -m 600 /secure/path/password ./ssv-node-data/password
Back up encrypted_private_key.json and password on a separate device. In this stack layout, that means backing up ssv-node-data/private_key and ssv-node-data/password. If either file is lost, you will permanently lose access to your Operator.
Step 5: Configure DKG
Edit /data/ssv/ssv-stack/dkg-data/operator.yaml before starting the stack. The upstream stack says only operatorID and ethEndpointURL normally need changing, but keep the file paths aligned with the mounted stack directories:
privKey: ./ssv-node-data/private_key
privKeyPassword: ./ssv-node-data/password
operatorID: YOUR_OPERATOR_ID
port: 3030
logLevel: info
logFormat: json
logLevelFormat: capitalColor
logFilePath: ./data/debug.log
outputPath: ./data/output
ethEndpointURL: http://YOUR_EXECUTION_ENDPOINT:8545
Use an HTTP execution endpoint for ethEndpointURL. This value is for ssv-dkg; keep the WebSocket execution endpoint in ssv.env as ETH_1_ADDR.
Open TCP 3030 on your firewall if this operator should expose DKG:
sudo ufw allow 3030/tcp
Step 6: Start SSV Node, Key Generation, and DKG
Do not run multiple SSV Node instances with the same Operator keys. This does not improve resiliency and could lead to validator slashing.
Start only the required SSV services:
docker compose pull ssv-node ssv-key-generation ssv-dkg
docker compose --profile dkg up -d ssv-key-generation ssv-node ssv-dkg
This starts ssv-key-generation, ssv-node, and ssv-dkg. It does not start prometheus, grafana, or alertmanager.
Verify the running services:
docker compose ps
docker compose logs -f ssv-node
docker compose logs -f ssv-dkg
Expected services for the default guide:
ssv-stack-ssv-node-1
ssv-stack-ssv-dkg-1
ssv-key-generation is started by the command, but it is a one-shot container. After it creates or confirms the key files, Docker Compose may show it as exited successfully instead of running. That is expected.
Step 7: Health Checks
curl -s http://127.0.0.1:16000/v1/node/health | jq .
curl -s http://127.0.0.1:15000/metrics | head
Check peer ports:
sudo ss -tulpn | grep -E '13001|12001|16000|15000|3030'
Step 8: Register Operator
After the node is running and the operator key is backed up, register the operator through the official SSV Operator Registration flow.
This guide covers infrastructure setup only. Follow the official SSV operator registration documentation before accepting validators or joining clusters. The registration flow uses the Operator public key generated during node setup, and the Operator key and owner address cannot be changed after registration.
Optional: Monitoring Stack
The upstream stack includes Prometheus, Grafana, and Alertmanager. They are intentionally not started by the default command in this guide.
Start monitoring only when you have reviewed passwords, bind addresses, firewall rules, and alertmanager secrets:
docker compose up -d prometheus grafana alertmanager
The upstream Grafana defaults are intended for examples. Change admin credentials and keep Prometheus/Grafana bound to trusted interfaces only.
Maintenance
Update the Stack
cd /data/ssv/ssv-stack
git pull
docker compose pull ssv-node ssv-key-generation ssv-dkg
docker compose --profile dkg up -d ssv-key-generation ssv-node ssv-dkg
Stop the SSV Services
docker compose stop ssv-node ssv-dkg
Restart the SSV Services
docker compose restart ssv-node ssv-dkg