> ## Documentation Index > Fetch the complete documentation index at: https://docs.berachain.com/llms.txt > Use this file to discover all available pages before exploring further. # Production Checklist > Actionable pre-support checks for Beacon Kit (beacond) and Bera-Reth: versions, peering, launch flags, and ops hygiene. ## Recommended releases [Current versions of Beacon Kit and Bera-Reth are listed here.](/nodes/architecture/evm-execution) ## Peering If you are running in a containerized environment, ensure your services are properly advertising their real network address, and that traffic is being directed into the container, both for Beacon Kit and your execution client. Both the CL and EL should have **no static or persistent peers** set up, unless they are for your internal network or business partners you want permanent connections to. Review the following sections for specific peering advice for Beacon-Kit and Bera-Reth. *** ## Beacon Kit (`beacond`) The [diagnosis script](https://github.com/berachain/guides/tree/main/apps/node-scripts/node-diagnostic.sh) inspects **`beacond`** only. It does not check Bera-Reth, JWT paths, or EL peering. ```bash theme={null} /path/to/node-diagnostic.sh -d /var/beacond/ -p /opt/bin/beacond ``` Use your Beacon Kit home (the directory with `config/` and `data/` inside it) and your `beacond` binary. Attach the full output when asking for support. ### Consensus-layer peering | Topic | Action | | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Firewall** | Open **TCP 26656** to the internet (or publish correctly through your load balancer / host networking). | | **`p2p.external_address`** | Set in `config.toml` to the **routable** IP and port peers should dial. Required behind NAT or in containers; without it `beacond` advertises an internal address. | | **Bootnodes** | `beacond` uses the seed list in `config.toml`. Confirm you are on a current release with the [recommended list](https://github.com/berachain/beacon-kit/blob/main/testing/networks/80094/config.toml#L199). | | **Peer limits** | **40 inbound + 10 outbound** is recommended to cap memory use. | ```toml theme={null} max_num_inbound_peers = 40 max_num_outbound_peers = 10 ``` *** ## Bera-Reth ### Execution-layer peering The execution layer needs excellent peering so transactions reach your validator for block sealing. Open **TCP** and **UDP** on the devp2p port (default **30303**). | Topic | Action | | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **`--bootnodes`** | Build from one current [mainnet `el-bootnodes.txt`](https://github.com/berachain/beacon-kit/blob/main/testing/networks/80094/el-bootnodes.txt) or [Bepolia](https://github.com/berachain/beacon-kit/blob/main/testing/networks/80069/el-bootnodes.txt). Do not merge legacy files or paste third-party **`enode://`** lines. Prefer an env var (**`BOOTNODES`**) and **`--bootnodes "$BOOTNODES"`**. | | **`--nat extip:`** | Required on cloud or NAT hosts without UPnP (example: **`--nat extip:203.0.113.50`**). Value must be the IPv4 peers dial. | | **`--trusted-peers`** | Omit unless you need a **private** mesh. Never duplicate public bootnodes here. | ### Reth flags you need **Minimal example** — only flags you really should set. Relies on secure and reasonable Bera-Reth defaults (see table below). Set PUBLIC\_IPV4 to your node's external address. ```bash theme={null} bera-reth node \ --chain /srv/bera/reth/genesis.json \ --datadir /srv/bera/reth/data \ --full \ --authrpc.jwtsecret /srv/bera/beacond/config/jwt.hex \ --log.file.directory /var/log/bera-reth \ --metrics 127.0.0.1:9090 \ --nat extip:PUBLIC_IPv4 \ --engine.persistence-threshold 0 ``` **Full example** — every flag stated explicitly, useful when you need non-default ports or want a self-documenting unit file. \\ ``` bera-reth node \ --chain /srv/bera/reth/genesis.json \ --datadir /srv/bera/reth/data \ --full \ --port 30303 \ --discovery.port 30303 \ --http \ --http.addr 127.0.0.1 \ --http.port 8545 \ --ipcpath /tmp/reth.ipc \ --authrpc.addr 127.0.0.1 \ --authrpc.port 8551 \ --authrpc.jwtsecret /srv/bera/beacond/config/jwt.hex \ --log.file.directory /var/log/bera-reth \ --metrics 127.0.0.1:9090 \ --nat extip:PUBLIC_IPv4 ``` If a flag's default already matches your deployment, omit it. Shorter unit files are easier to audit and less likely to drift from upstream changes: | Flag(s) | Default | Verify | | ----------------------------------------- | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | | **`--chain`** | `mainnet` | Must point at the EL genesis JSON for this network. Always set explicitly. | | **`--datadir`** | OS data dir | Must point at the datadir you initialized. Always set explicitly. | | **`--full`** | off (archive) | **Set** for pruned / non-archive validators. Omit only for a deliberate full-archive EL. | | **`--port`** | `30303` | Omit if 30303 is fine. Open **TCP+UDP** at the firewall. | | **`--discovery.port`** | same as **`--port`** | Omit unless you split discovery to a different UDP port. | | **`--http`** | off | **Set** to enable HTTP JSON-RPC. | | **`--http.addr`** | `127.0.0.1` | Default is safe. Only change if providing RPC service internally or externally. | | **`--http.port`** | `8545` | Omit if 8545 is fine. | | **`--ipcpath`** | `/tmp/reth.ipc` | Change when running multiple Reth instances. | | **`--authrpc.addr`** | `127.0.0.1` | Default is safe. Do not change unless you are splitting beacon and reth machines. | | **`--authrpc.port`** | `8551` | Must match Beacon Kit **`rpc-dial-url`**. Omit if 8551 matches. | | **`--authrpc.jwtsecret`** | none | **Always set.** Must be the same JWT file **`beacond`** uses. | | **`--log.file.directory`** | OS cache dir | **Set** to a path you manage with **`logrotate`** (or equivalent). Default buries logs in a platform cache directory. | | **`--metrics`** | off | **Set** to an interface and port that Prometheus can scrape. Do not expose publicly. See [Monitoring](/nodes/operations/monitoring). | | **`--nat`** | `any` (UPnP) | **Set `extip:`** on cloud/NAT hosts where UPnP does not work. Value must be the routable IPv4. | | **`--engine.persistence-threshold`** | `2` | **Set `0`** for Beacon Kit alignment. | | **`--engine.memory-block-buffer-target`** | `0` | Already correct. Omit or set explicitly for clarity. | ### Reth flags you may not need | Optional flag | When to add | | --------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | | **`--bootnodes`** | Bera-Reth bakes in our recommended defaults. | | **`--trusted-peers`** | Omit unless you have a private mesh among multiple nodes you operate. | | **`--ws`** | Omit unless a local consumer needs WebSocket RPC. | | **`--http.corsdomain '*'`** | Only when you accept browser callers from any domain. | | **`--http.api`** | Default is secure and reasonable. Only override if you need to. Never put **`admin`** or **`debug`** on a publicly-reachable RPC. | *** ## Set your validator name and logo on the Hub Validators should identify themselves so ops can reach you. Send a PR to [Validator Metadata](https://github.com/berachain/metadata), then ping **`#node-support`** on [Discord](https://discord.gg/berachain) so we can let you into dedicated validator support channels. ## Operational hygiene See **[Monitoring](/nodes/operations/monitoring)** for full Prometheus and Grafana setup.