Bare Metal

Get the Binary

Download

Download the latest release from GitHub:

curl -L -o containment-chamber \
  https://github.com/unforeseen-consequences/containment-chamber/releases/latest/download/containment-chamber-linux-amd64

chmod +x containment-chamber

Binaries are available for linux-amd64 and linux-arm64.

Build from source

Build an optimized production binary:

just build-maxperf

The binary is at target/maxperf/containment-chamber. It is statically linked — no runtime dependencies required.

cp target/maxperf/containment-chamber .

Create a System User

Create a dedicated unprivileged user with no home directory and no login shell:

sudo useradd --system --no-create-home --shell /usr/sbin/nologin containment-chamber

Install Binary and Config

# Install the binary
sudo install -m 755 containment-chamber /usr/local/bin/

# Create directories
sudo mkdir -p /etc/containment-chamber /var/lib/containment-chamber/keystores

# Install config file
sudo cp config.yaml /etc/containment-chamber/config.yaml
sudo chmod 600 /etc/containment-chamber/config.yaml

# Set ownership
sudo chown -R containment-chamber:containment-chamber \
  /etc/containment-chamber \
  /var/lib/containment-chamber

Copy your validator keystores into /var/lib/containment-chamber/keystores/ and update the key_sources.filesystem.paths in your config:

server:
  listen_address: "0.0.0.0"
  listen_port: 9000

metrics:
  listen_address: "0.0.0.0"
  listen_port: 3000

network: mainnet

key_sources:
  filesystem:
    paths:
      - /var/lib/containment-chamber/keystores

antislashing:
  backend: postgres
  url: "postgresql://user:password@localhost:5432/slashing"

systemd Service Unit

Create /etc/systemd/system/containment-chamber.service:

[Unit]
Description=Containment Chamber — Ethereum Remote Signer
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=containment-chamber
Group=containment-chamber
ExecStart=/usr/local/bin/containment-chamber -c /etc/containment-chamber/config.yaml
Restart=on-failure
RestartSec=5s

# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadOnlyPaths=/
ReadWritePaths=/var/lib/containment-chamber

[Install]
WantedBy=multi-user.target

Enable and Start

sudo systemctl daemon-reload
sudo systemctl enable containment-chamber
sudo systemctl start containment-chamber
sudo systemctl status containment-chamber

Logs

# Follow logs
journalctl -u containment-chamber -f

# Last 100 lines
journalctl -u containment-chamber -n 100

# Since last boot
journalctl -u containment-chamber -b

Tip

Set RUST_LOG=containment_chamber=info in the systemd unit for structured logging. Add it under [Service]:

Environment=RUST_LOG=containment_chamber=info

Use containment_chamber=debug for troubleshooting key loading or signing issues.

Verify

# Health check
curl http://localhost:9000/upcheck

# List loaded keys
curl http://localhost:9000/api/v1/eth2/publicKeys

# Check metrics
curl http://localhost:3000/metrics

Upgrading

For detailed upgrade procedures including zero-downtime and rollback, see the Upgrade Guide.