Proposal: Use Raft (or other) for fault-tolerant validator processes

[nickray]

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST

This is a somewhat complementary or even orthogonal to issue 1136.

A validator node can fail in many ways, at least two are:

• network connectivity loss (minor protocol penalty for being offline). This could be fixed via issue 1136
• machine breaks (major protocol penalty if double signing, or maybe even for not respecting prevote-the-lock). Issue 1136 does not really resolve this validator obligation.

Is there a promise in the implementation that the state in /data is always correct, in the sense of being able to restart a copied node with this serialized state? If so, what are the current conditions of this promise?

Additionally, the production validator node may want to store state on an SDD (which would be lost under machine failure), not some kind of "safe but slow" NAS. A poor man's version could be running on the SSD, but using something like "minio mirror" to sync the SSD to backup. This has failure modes as well though...

So I'm wondering if the idea of "raftifying" the validator node has been thought through. I think it would certainly be feasible. The basic idea is:

• run 3 validator node instances (each with a copy of the HSM key)
• one of them is the leader, participating in Tendermint as "the" validator
• if it fails then another one takes over via Raft
• perhaps additional nodes not participating in the Raft leader/candidate mechanism could listen and store the state onto backup NAS.

I have been thinking about forking the repo and trying to implement this as an experiment. One problem is that it is not clear to me what exactly the "internal state" of a validator node is (that would be replicated via Raft), as opposed to the "external state" it is involved in according to the Tendermint BFT protocol.

For inspiration, here is a project doing this for SQLite.

[tarcieri]

This approach sounds roughly analogous to how Google operates their CT logs: they run multiple replicas of the same log in geographically distributed datacenters and use Chubby to elect one to be active at a given point in time.

I've heard mixed opinions on using Raft for generalized leader election, though: even though Raft runs an internal leader election protocol, the real goal of Raft is to come to distributed consensus on a log.

There are several important considerations for something like this, like how this will interact with the prospective KMS service I'm working on and how this could be leveraged to prevent double signing.

All of that said, overall I think running multiple validators/signers in an active/standby(/standby/...) configuration and using a consensus protocol to select an active signer and track e.g. the current block height / last signed block is a good idea.

[ebuchman]

This is a nice idea, but I'm not sure if it's something to be implemented in Tendermint or in eg the Validator Signer process that Tony is working on.

[tarcieri]

For double signing prevention, I think it'd be ideal to have it in the KMS service itself, since (based on my conversations with @ebuchman) the threat model we'd like to address with the KMS is that it will not double sign at the same block height even if the validator is compromised.

To accomplish that all running KMS instances need consensus on what block was signed last.

[nickray]

If it's not to be implemented in Tendermint itself, it needs a clean interface for wrapping, which seems to be lacking.

Regarding "mixed opinions on using Raft", I suggested this only as it's the most well-known approach; I consider this an implementation detail ;)

Not sure what that an external (?) KMS service has to do with this issue. The question I'm raising here (which applies to everyone running a validator I think) is how to handle the various forms of node failure.

Perhaps that KMS service is intended to make Tendermint more stateless and move more responsibility to the signing part of the validator? Are there any docs on this?

I'd be more than willing to discuss this via call or chat.

[tarcieri]

Regarding "mixed opinions on using Raft"

It's not "mixed opinions on using Raft", but whether Raft is the best primitive to build a leader election system on top of. Don't get me wrong: Raft is great, I'm just not sure it's the right tool for this particular job.

Not sure what that an external (?) KMS service has to do with this issue. The question I'm raising here (which applies to everyone running a validator I think) is how to handle the various forms of node failure.

The problems of node failure/failover and double signing are related: if there is not a consistent view among signers as to what the last signed block was, i.e. if the signers go split brain and have inconsistent views about the last signed block, this can be exploited by an attacker to pull off a double-signing attack.

My opinion is the same mechanism should be used for electing a leader for the current active signer and tracking the current block height / last signed block, in order to ensure that a message from a partitioned signer is not returned without the rest of the signers' knowledge, as this could lead to double signing. Instead I think information about the last signed block should be committed to the consensus log before it is ever returned from the KMS.

I'd be more than willing to discuss this via call or chat.

Sure, we can chat in the validator channel?

[zmanian]

This should be post launch IMO

[tarcieri]

Yeah, I think launch should support an active/standby configuration, as I doubt most people will have enough KMS nodes to even run a consensus algorithm

[xla]

@tarcieri Should tendermint node be responsible for the failover between active and passive?

[tarcieri]

There are several options we can explore with different tradeoffs regarding availability and double-sign defense, some of which may leverage the validators:

• validators select any healthy backend: KMS cannot prevent the validators from double-signing, but HA
• standby takes over if partitioned from the primary. primary fails closed if partitioned from the standby. Tolerates primary failure, but otherwise primary fails if standby fails, barring manual intervention
• completely manual failover. can double sign if both instances are set active simultaneously