Introduce flag to enable sentry nodes to participate in grandpa gossip (#3018)

Given the following situation: A validator 'A' is not supposed to be
connected to the public internet to protect it from e.g. a DoS attack.
Instead it connects to a sentry node 'sentry-A' which connects to the
public internet. Validator 'B' can reach validator 'A' via sentry node
'sentry-A' and vice versa.

A sentry node needs to participate in the grandpa gossip without
becoming a validator itself in order to forward these message to its
validator. This commit adds a new command line flag (`--grandpa-voter`)
forcing a node to participate in the grandpa voting process even though
no `--key` was specified. Due to the fact that it does not have a key,
it does not become a validator in the network.

In order to simulate the above situation this commit also adds a Docker
Compose file (`scripts/sentry-node/docker-compose.yml`) with further
documentation.

substrate/scripts/sentry-node/docker-compose.yml

@@ -0,0 +1,138 @@
+# Docker compose file to simulate a sentry node setup.
+#
+#
+# Setup:
+#
+# Validator A is not supposed to be connected to the public internet. Instead it
+# connects to a sentry node (sentry-a) which connects to the public internet.
+# Validator B can reach validator A via sentry node A and vice versa.
+#
+#
+# Usage:
+#
+# 1. Build `target/debug/substrate` binary: `cargo build`
+#
+# 2. Start networks and containers: `sudo docker-compose -f scripts/sentry-node/docker-compose.yml up`
+#
+# 3. Reach:
+#   - polkadot/apps on localhost:3000
+#   - validator-a: localhost:9944
+#   - validator-b: localhost:9945
+#   - sentry-a: localhost:9946
+
+version: "3.7"
+services:
+
+  validator-a:
+    ports:
+      - "9944:9944"
+    volumes:
+      - ../../target/debug/substrate:/usr/local/bin/substrate
+    image: parity/substrate
+    networks:
+      - network-a
+    command:
+      # Local node id: QmRpheLN4JWdAnY7HGJfWFNbfkQCb6tFf4vvA6hgjMZKrR
+      - "--node-key"
+      - "0000000000000000000000000000000000000000000000000000000000000001"
+      - "--base-path"
+      - "/tmp/alice"
+      - "--chain=local"
+      - "--key"
+      - "//Alice"
+      - "--port"
+      - "30333"
+      - "--validator"
+      - "--name"
+      - "AlicesNode"
+      - "--bootnodes"
+      - "/dns4/validator-b/tcp/30333/p2p/QmSVnNf9HwVMT1Y4cK1P6aoJcEZjmoTXpjKBmAABLMnZEk"
+      # Not only bind to localhost.
+      - "--ws-external"
+      - "--rpc-external"
+      # - "--log"
+      # - "sub-libp2p=trace"
+      # - "--log"
+      # - "afg=trace"
+      - "--no-telemetry"
+      - "--rpc-cors"
+      - "all"
+
+  sentry-a:
+    image: parity/substrate
+    ports:
+      - "9946:9944"
+    volumes:
+      - ../../target/debug/substrate:/usr/local/bin/substrate
+    networks:
+      - network-a
+      - internet
+    command:
+      # Local node id: QmV7EhW6J6KgmNdr558RH1mPx2xGGznW7At4BhXzntRFsi
+      - "--node-key"
+      - "0000000000000000000000000000000000000000000000000000000000000003"
+      - "--base-path"
+      - "/tmp/sentry"
+      - "--chain=local"
+      # Don't configure a key, as sentry-a is not a validator.
+      # - "--key"
+      # - "//Charlie"
+      - "--port"
+      - "30333"
+      # sentry-a is not a validator.
+      # - "--validator"
+      - "--name"
+      - "CharliesNode"
+      - "--bootnodes"
+      - "/dns4/validator-a/tcp/30333/p2p/QmRpheLN4JWdAnY7HGJfWFNbfkQCb6tFf4vvA6hgjMZKrR"
+      - "--bootnodes"
+      - "/dns4/validator-b/tcp/30333/p2p/QmSVnNf9HwVMT1Y4cK1P6aoJcEZjmoTXpjKBmAABLMnZEk"
+      - "--no-telemetry"
+      - "--rpc-cors"
+      - "all"
+      # Not only bind to localhost.
+      - "--ws-external"
+      - "--rpc-external"
+      # Make sure sentry-a still participates as a grandpa voter to forward
+      # grandpa finality gossip messages.
+      - "--grandpa-voter"
+
+  validator-b:
+    image: parity/substrate
+    ports:
+      - "9945:9944"
+    volumes:
+      - ../../target/debug/substrate:/usr/local/bin/substrate
+    networks:
+      - internet
+    command:
+      # Local node id: QmSVnNf9HwVMT1Y4cK1P6aoJcEZjmoTXpjKBmAABLMnZEk
+      - "--node-key"
+      - "0000000000000000000000000000000000000000000000000000000000000002"
+      - "--base-path"
+      - "/tmp/bob"
+      - "--chain=local"
+      - "--key"
+      - "//Bob"
+      - "--port"
+      - "30333"
+      - "--validator"
+      - "--name"
+      - "BobsNode"
+      - "--bootnodes"
+      - "/dns4/validator-a/tcp/30333/p2p/QmRpheLN4JWdAnY7HGJfWFNbfkQCb6tFf4vvA6hgjMZKrR"
+      - "--no-telemetry"
+      - "--rpc-cors"
+      - "all"
+      # Not only bind to localhost.
+      - "--ws-external"
+      - "--rpc-external"
+
+  ui:
+    image: polkadot-js/apps
+    ports:
+      - "3000:80"
+
+networks:
+  network-a:
+  internet: