-
Notifications
You must be signed in to change notification settings - Fork 709
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent accidental change of network-key for active authorities #3852
Conversation
Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
As it makes the life of first-time node starters harder, could we include the node key generation logic in the post-install pipeline of the .deb package and Docker image? |
Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
Done, although, I'm still concerned if it is wise to generate automatically keys at install, I've seen pipelines where part of producing your docker image for deployment you install all the required tooling, so in this case when operators would produce their v2 of the image they will get key on the filesystem and if they use the same image to run multiple nodes they might get into trouble because they would use the same key. |
Co-authored-by: Dmitry Markin <dmitry@markin.tech>
Co-authored-by: Dmitry Markin <dmitry@markin.tech>
Co-authored-by: s0me0ne-unkn0wn <48632512+s0me0ne-unkn0wn@users.noreply.github.com>
Co-authored-by: s0me0ne-unkn0wn <48632512+s0me0ne-unkn0wn@users.noreply.github.com>
@paritytech/release-engineering could you help me test the generated Deb and Rpm files after this PR. Thank you! |
Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just misses a prdoc for Node operators
, otherwise looks good.
Ty!
Co-authored-by: Bastian Köcher <git@kchr.de>
Done, merging ... |
Because of https://github.com/paritytech/polkadot-sdk/blob/299aacb56f4f11127b194d12692b00066e91ac92/cumulus/client/cli/src/lib.rs#L318 #3852 wrongly enforces that the network key is present for collators started with polkadot-parachain binary, instead of generating it on the fly. That is not necessary and created some small friction for collators, since they have to pass `--unsafe-force-node-key-generation` or generate the key with the `generate-node-key` command. This PR fixes that since the change was intended to apply only for relaychain authorithies. Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
Because of https://github.com/paritytech/polkadot-sdk/blob/299aacb56f4f11127b194d12692b00066e91ac92/cumulus/client/cli/src/lib.rs#L318 #3852 wrongly enforces that the network key is present for collators started with polkadot-parachain binary, instead of generating it on the fly. That is not necessary and created some small friction for collators, since they have to pass `--unsafe-force-node-key-generation` or generate the key with the `generate-node-key` command. This PR fixes that since the change was intended to apply only for relaychain authorithies. Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
As discovered during investigation of #3314 and #3673 there are active validators which accidentally might change their network key during restart, that's not a safe operation when you are in the active set because of distributed nature of DHT, so the old records would still exist in the network until they expire 36h, so unless they have a good reason validators should avoid changing their key when they restart their nodes.
There is an effort in parallel to improve this situation #3786, but those changes are way more intrusive and will need more rigorous testing, additionally they will reduce the time to less than 36h, but the propagation won't be instant anyway, so not changing your network during restart should be the safest way to run your node, unless you have a really good reason to change it.
Proposal
Add an explicit parameters for nodes that do want to change their network despite the warnings or if they run the node for the first time.
--unsafe-force-node-key-generation
For
polkadot key generate-node-key
add two new mutually exclusive parametersbase_path
anddefault_base_path
to help with the key generation in the same path the polkadot main command would expect it.Modify the installation scripts to auto-generate a key in default path if one was not present already there, this should help with making the executable work out of the box after an instalation.
Notes
Nodes that do not have already the key persisted will fail to start after this change, however I do consider that better than the current situation where they start but they silently hide that they might not be properly connected to their peers.
TODO