-
Notifications
You must be signed in to change notification settings - Fork 212
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tools to export/import swing-store to/from genesis block #6527
Comments
If our "plan A" for state-sync works out, this should be nearly trivial. |
@FUDCo and I think that the existing swing-store import/export support (added for state-sync) should be sufficient. So the task is to somehow glue it to the cosmos genesis import/export code. We'll definitely need @JimLarson 's help here. The swing-store export process generates two chunks of data: the "export data" records, and the binary "artifacts" blobs. To support state-sync, we continually mirror the export-data records into IAVL, so those are already covered by genesis export. The artifact blobs are only generated on-demand, and must be requested before the swing-store has committed any data beyond the block of interest (a condition that is trivial to meet if the node has halted). During During BTW #7225 is the PR where the golang code for state-sync import/export landed, it might provide some clues to how we should proceed for genesis import/export. And I think https://github.com/agoric-labs/cosmos-sdk/blob/Agoric/server/export.go is the entry point for the If we were sufficiently motivated, we could make the genesis export somewhat easier to edit, by breaking out the transcript spans into separate entries, each in their own section of the export JSON. If we did this, we'd want to remove the span hashes from the export data records, as well as the span artifact blobs. We'd need to change the importer to reconstruct those artifacts (from whatever items were in the genesis export JSON, which could then be edited just like you might edit the IAVL balance or delegation data). I think it's most important to be able to do a genesis export-edit-import that edits IAVL keys. Second importance is editing swingstore |
I don't like the idea of trying to shoehorn the Why not have entirely new Then the next |
Huh, I didn't realize that was an option.. I figured a single file of JSON was necessary so there'd be something canonical and easy to hash, so everybody could discuss the edits and agree on the new contents. We could dump the SQL to its own file, but ensuring that it's in a canonical order (and only contains in-consensus fields, excluding things like local no-consensus stats) would be required to get a consistent hash, and we're already doing most of that work for the state-sync export machinery (and the kvStore contents are already in IAVL, also for that support). I definitely agree that |
If everything can be done from the JS side, it would be extremely easy to write a standalone utility that would pull the data out using the export API and write it to one or more files. |
The cosmic-swingset import / export JS files are already CLI apps that can do just that. No need to implement anything new. At worst you can have the agd app forward to them. |
@mhofman is going to write up the recipe for validators / emergency state editors:
The process should somewhat resemble the original plain-cosmos-chain |
As discussed in the kernel meeting and detailed above, I will write a script / recipe that allows doing an export and import based off the tools that currently exist in the repo/vault release. In particular the steps would likely be:
I believe a suggestion to support not changing the chain id would be to change the block height in the genesis file. We will likely need to also patch the swingstore export manifest to keep the block height in sync. In general I don't know much about genesis export, so testing this will be interesting, and I'll need help. |
In my experience, |
I think @arirubinstein mentioned something like having block height a hundred block or so in the future compared to export height to avoid potential double signing issues. |
What is the Problem Being Solved?
A subset of the state-sync problem is to support emergency chain upgrades in which an old validator (which has halted) performs a "genesis block export", basically copying the contents the IAVL tree (only the most recent blockHeight/version) into a big JSON file. People can then edit the file manually (e.g. removing validators which are known to be wedged), then start a new chain from this modified genesis data. The new chain has a different name, and starts at a few blocks higher than the old one (to guard against accidental double-signs by validators who didn't stop at quite the right time). The cosmos operations for this are just
agd export
andagd import
(or something similar).Our chain keeps a lot of state outside the IAVL tree, so
agd export
won't automatically get enough state to launch a new validator.Description of the Design
The idea would be to add a swing-store API to dump the entire state of the swing-store out as key-value pairs. Basically we'd iterate through the
kvStore
and emitkv-${key}: ${value}
for each entry, then walk thestreamStore
(transcript entries) and emitstream-${vatID}-${transcriptNum}: ${transcriptEntry}
for each, then walk thesnapStore
(XS heap snapshots) and emit base64-encoded compressed snapshot files as strings.This iteration must be in-consensus, which means:
snapStore
might have extra snapshots that aren't being used by any vats (which will be deleted soon, but there are race conditions), so maybe the tool should be aware of thekvStore
entries that indicate which snapshots are used by which vats, and only emit the within-consensus used oneskvStore
also containslocal.*
keys which are defined to be outside consensus, these should be omittedThen we'd have a second API which can take these key-value pairs and initialize a new swing-store from them.
Then we modify
agd export
andimport
to use these APIs when building/consuming the genesis block.This is like what we need for state-sync, but easier, because:
Security Considerations
Genesis export is a manual consensus operation: everybody can perform their own export and compare hashes, but there's no automatic staking/evidence/slashing taking place. On the plus side, any validators who launch from a different genesis block than the majority will fall out of consensus immediately.
Test Plan
Unit tests in
packages/swing-store
, probably some unit tests incosmic-swingset
if we can come up with a good scheme.cc @arirubinstein @JimLarson @michaelfig @FUDCo @mhofman
The text was updated successfully, but these errors were encountered: