Installation

This guide takes a fresh server from nothing to a running, licensed Stratum node. The whole process is a few minutes.

Requirements

Requirement	Detail
OS	Debian 11+, Ubuntu 22.04+, RHEL 8+, Rocky Linux 8+, or AlmaLinux 8+
Kernel	5.8 or newer, with BTF (CONFIG_DEBUG_INFO_BTF=y) for eBPF/XDP
Architecture	x86-64 (amd64) or arm64
Privileges	root (the agent manages interfaces and loads eBPF)
Network	Outbound HTTPS to your management/license server
Interfaces	Two NICs — one for management, one for workload traffic

1. Get a license

You need a license key before you can download binaries or install. Get one from the website:

• Go to Get started, register, and place an order for one of the plans

(Starter, Professional, or Enterprise) with your node count. Follow the payment instructions shown, then submit your transaction id and proof. An admin verifies the payment and issues your license — it then appears in your account with its key.

• For air-gapped, custom-SLA, or bespoke deployments, contact sales for a

bespoke arrangement.

Licenses are never issued automatically — every one is tied to a verified order. See Licensing for the full model.

2. Run the installer

Run the installer with your license key — it gates the download. The installer fetches the single agent binary (which embeds the eBPF programs, watchdog, and DKMS kernel-module source), extracts those assets, writes a signed binary .shub config, and installs and starts the cenvero-stratum systemd service.

curl -sSL -H "X-License-Key: YOUR_LICENSE_KEY" \
  https://stratum.cenvero.com/install | bash

Use your real license key in place of YOUR_LICENSE_KEY (and your own panel host if you self-host). You can also pass the key in the URL as ?key=YOUR_LICENSE_KEY, or as an Authorization: Bearer YOUR_LICENSE_KEY header. The installer fetches a license-gated release manifest over TLS and verifies each downloaded artifact two ways before writing it to disk:

• sha256 — the artifact must hash to the value the (TLS-fetched) manifest

advertises.

• Ed25519 publisher signature — when the manifest carries a per-artifact

publisher signature, the installer verifies it over the downloaded bytes with openssl, using the compiled-in publisher public key. This is the same proof the agent's own self-updater requires on subsequent upgrades (see Upgrades), brought forward to the first install as defense-in-depth. A signature that is present but does not verify aborts the install. If the host has no openssl, or the manifest carries no signature for an artifact, the installer logs a warning and proceeds on the TLS-fetched sha256 alone — so the publisher-signature step hardens the install without ever blocking an otherwise-sound download.

The installer reads prompts from /dev/tty, so it works under curl … | bash; for an unattended install, supply every setting via CENVERO_* environment variables instead. It is idempotent — a prior install is detected and its /etc/cenvero-str and /var/lib/cenvero-str are preserved rather than destroyed. Set CENVERO_REINSTALL=1 to re-run over an existing install (config and state are still kept).

The config it writes is a real binary .shub produced by cenvero-str-ctl config encode — not plaintext — so the agent can load it directly. See Configuration.

3. Activate the node

Activation binds the license to this machine's hardware identity (CPU, motherboard, primary NIC MAC, and disk serial, hashed together) and pulls down the signed license bundle.

sudo cenvero-str-ctl license activate CNVR-XXXX-XXXX-XXXX-XXXX

The license key is positional — there is no --key flag. This sends an activation request for this machine; you then confirm it in your account. Once confirmed, the agent installs the signed license automatically and starts enforcing it. You can also pull it manually with cenvero-str-ctl license fetch CNVR-XXXX-XXXX-XXXX-XXXX.

4. Verify

The installer already enabled and started the cenvero-stratum service. Check it:

systemctl status cenvero-stratum
cenvero-str-ctl status

A healthy node reports the agent version, license state, both bridges (cnv-mgmt-br0 and cnv-user-br0) up, and the loaded eBPF programs:

agent       v2.4.0   running
license     active   plan=enterprise  expires in 27d
dataplane   10 programs loaded (xdp_global, xdp_bridge, xdp_firewall, xdp_conntrack, xdp_nat, xdp_fib, xdp_gateway, xdp_lb, xdp_vxlan, tc_egress)
bridges     cnv-mgmt-br0 up   cnv-user-br0 up
cluster     standalone (no peers configured)

File locations

Path	Contents
/etc/cenvero-str/	Signed .shub configuration
/var/lib/cenvero-str/	Local state, license bundle, CRL cache
/var/log/cenvero-str/	Agent logs
/run/cenvero-str/	Runtime sockets (including the CLI IPC socket)

Next steps

• Quick Start — define a network and attach an endpoint.
• Configuration — write your node's config.
• Clustering Overview — join this node to a cluster.