Recover nodes requesting ChangeView when possible#579
Recover nodes requesting ChangeView when possible#579jsolman merged 153 commits intoconsensus/improved_dbftfrom
Conversation
|
By keeping the signatures from the change view that moved to the current view, we will be able to allow nodes to always accept regeneration messages to a newer view. I'm working on making that change now. |
…en accepting regeneration.
…end the regenration message in response to change view.
vncoelho
left a comment
There was a problem hiding this comment.
Nice, Jeff, It looks like going in the precise and right direction.
I still did not revise it, just looked at the main variables.
|
@erikzhang May want to take a look at b938f96 . In some testing where I had killed one CN node after sending commit, it got stuck on start-up after attempting once to send the commit. May want to cherry-pick b938f96 directly from here into |
…a network issue..
|
Since the regeneration message knows the change view witness signatures, it should be possible to send recovery even if the |
…/neo-project/neo into consensus/regenerateOnChangeView
|
My last commit message should have said |
|
I updated the top overview again. |
|
Oops didn't mean to delete your comment. I agree with the change from 3c801dc |
|
It's looking pretty clean. Shall I give it one more round of testing now? |
* Add commit phase to consensus algorithm (#534) * Add commit phase to consensus algorithm * fix tests * Prevent repeated sending of `Commit` messages * RPC call gettransactionheight (#541) * getrawtransactionheight Nowadays two calls are need to get a transaction height, `getrawtransaction` with `verbose` and then use the `blockhash`. Other option is to use `confirmations`, but it can be misleading. * Minnor fix * Shargon's tip * modified * Allow to use the wallet inside a RPC plugin (#536) * Clean code * Clean code * Minor fix on mempoolVerified * Add MemoryPool Unit tests. Fix bug on initital start of Persisting the Genesis block. * Prevent `ConsensusService` from receiving messages before starting (#573) * Prevent `ConsensusService` from receiving messages before starting * fixed tests - calling OnStart now * Consensus recovery log (#572) * Pass store to `ConsensusService` * Implement `ISerializable` in `ConsensusContext` * Start from recovery log * Fix unit tests due to constructor taking the store. * Add unit tests for serializing and deserializing the consensus context. * Combine `ConsensusContext.ChangeView()` and `ConsensusContext.Reset()` * Add `PreparationHash` field to `PrepareResponse` to prevent replay attacks from malicious primary (#576) * Fixed a problem where `PrepareResponse.PreparationHash` was not assigned. * Load context from store only when height matches * Recover nodes requesting ChangeView when possible (#579) * Fixes bug in `OnPrepareRequestReceived()` * Send `RecoveryMessage` only when `message.NewViewNumber <= context.ViewNumber` * Fix and optimize view changing (#590) * Allow to ignore the recovery logs * Add `isRecovering` (#594) * Fix accepting own prepare request (#596) * Pick some changes from #575. * Fixes `Prefixes` * Restore transactions from saved consensus context (#598) * Refactoring * AggressiveInlining (#606) * Reset Block reference when consensus context is initialized after block persist. (#608) * Change `ConsensusPayload` for compatibility (#609)
* update consensus fix minor issues and change the formatting * minor issues
Recovery messages can be used in response to
ChangeViewmessages in order to bring nodes back to the current state of the consensus. This is achieved safely by keeping the payloads from the network messages and including pertinent parts along with the witness invocation scripts in a recovery message. The recovery messages facilitate regenerating the network messages and reprocessing them.The recovery is all encompassing, including:
ChangeViewmessagesPrepareRequestmesage if it was presentPrepareResponsemessages were present.Commitmessages.Considering
n = 3f + 1, onlyfnodes generally must respond to theChangeViewmessage with the recovery message; the exception is in the case that a node has theirCommitSentflag set; in which case they will always reply toChangeViewmessages with a recovery message.Nodes that have committed
CommitSentare not allowed to change views.Some complications arise from needing to accept a previously generated prepare request if the primary is being recovered when coming from another view, or the same view having not yet sent the prepare request. In these cases the primary will act as a accept its own previously generated prepare request, but won't send any prepare response.
Since
ChangeViewmay result in recovery messages being sent each time they are received, it is necessary to prevent replay of such messages from generating a duplicate recovery message response to prevent the potential for DDOS. This is achieved by causingChangeViewmessages to always generate a new timestamp so each request will have a unique hash. In this wayChangeViewmessages are only replied to once by broadcasting a recovery message.The code has been tested for a number of scenarios and is ready for thorough review and subsequent merge.
Here are some of the cases I tested:
Closes #426