privval: allow full node startup without a connection for improved failover

[tarcieri]

Right now the behavior of TCPVal (I think that's the right name?) is to wait for a TCP connection until a timeout, and then terminate the process if it doesn't receive one.

I'd like to suggest an alternative behavior I think would be helpful for validator failover while preserving double signing protection: have a node with priv_validator_laddr configured start up as if it were a normal full node if it does not receive a connection from the KMS. As soon as it does receive a KMS connection, it can flip over from being a full node to being a validator.

With this approach, it's possible to have several full nodes capable of being promoted to validators operating, but use the client connection to control which one is currently active.

In particular I think it'd be nice to have KMS connect to a virtual IP (a.k.a. VIP, e.g. single address NAT, or a TCP proxy) managed by a network device with its own built-in failover. This "VIP" can be pointed at the presently active validator. To flip it over, the VIP only needs to be pointed at a different "standby" validator, which can become active and start signing as soon as it receives a connection.

[liamsi]

cc @jleni

[jleni]

Btw, I recently pushed a PR for review, refactoring things a bit, removing heartbeat, etc.
Ismail was looking at it: #3370

Maybe it makes sense to consider what you are describing here as a continuation of that PR (or even do it at the same time). I definitely like the idea, but I am a bit worried about a bad/unstable connection toggling nodes too much.

In the current architecture, requests and connections are a bit unlinked. Signature requests do not trigger a connection request. Instead are required to wait for an incoming connection.

We need to study a bit more scenarios like:

• node A is upgraded,
• connection KMS<->A is dropped
• KMS upgrades node B
• B starts signing
• A is still waiting for a connection and considers itself a validator but sees B doing the same

Again, like I said some time ago, I think we need a good automated way of testing all these scenarios that involve node<->KMS interactions.

What is the state of the docker integration tests? I have not tried them yet.

[tarcieri]

I broke the integration tests for the KMS that run in CI in order to ship access control and chain state prior to launch. See tendermint/tmkms#207

I'm happy to help get them working again, however I need some pointers as to what specifically needs to be updated.

[jleni]

I would say we need some kind of CI test that can be shared between repos.
Maybe a submodule with the integration test + links to other projects head. Otherwise, we may find that changes here or there result in incompatibilities.

It would be nice to make a PR for tendermint or KMS and knowing that CI ensures that it will work with the other.

[tarcieri]

@jleni that was added in:

• Add remote signer test harness (KMS) #3149
• Add Tendermint test harness to KMS integration test tmkms#167

The KMS repo now contains a Dockerfile that runs an integration test.

Unfortunately, I can't run it locally because I don't have pull access to an image it depends on. Sounds like @thanethomson is looking into that.

[thanethomson]

Unfortunately, I can't run it locally because I don't have pull access to an image it depends on. Sounds like @thanethomson is looking into that.

Yeah, busy looking into it now. Right now there isn't actually a Docker repo for that particular image (it's an intermediate image built locally only from make -C ${GOPATH}/src/github.com/tendermint/tendermint/tools/tm-signer-harness docker-image). I'll ask about creating a repo now 👍 Should have it sorted out shortly.

[thanethomson]

Integration testing now re-integrated in tendermint/tmkms#227 and #3466

Still doesn't do peer ID validation during integration testing, but that will come when #3105 is addressed.

[tac0turtle]

With privval migrating to gRPC and Tendermint being the client there is one way I can think of to accomplish this.

All nodes make requests but the kms only responds to one of the nodes with the correct information. The other nodes receive a msg or error saying it's not their turn. With this approach you could change which node signs votes each block.

Only started thinking about this, would love to hear from others on different approaches or cons to the above idea.

[tarcieri]

TMKMS has semi-supported this sort of configuration for awhile, connecting to multiple validator nodes and accepting signing requests from all of them.

The somewhat scary part about this approach is it leans entirely on TMKMS's double signing detection (as opposed to the belt-and-suspenders approach of TMKMS acting as a secondary check on Tendermint's own built-in double signing protections), sending errors back to nodes making redundant signing requests, but my understanding is some people are running it in production.