Files
pezkuwi-subxt/polkadot
Alexandru Gheorghe 2bc4ed1153 Prevent accidental change of network-key for active authorities (#3852)
As discovered during investigation of
https://github.com/paritytech/polkadot-sdk/issues/3314 and
https://github.com/paritytech/polkadot-sdk/issues/3673 there are active
validators which accidentally might change their network key during
restart, that's not a safe operation when you are in the active set
because of distributed nature of DHT, so the old records would still
exist in the network until they expire 36h, so unless they have a good
reason validators should avoid changing their key when they restart
their nodes.

There is an effort in parallel to improve this situation
https://github.com/paritytech/polkadot-sdk/pull/3786, but those changes
are way more intrusive and will need more rigorous testing, additionally
they will reduce the time to less than 36h, but the propagation won't be
instant anyway, so not changing your network during restart should be
the safest way to run your node, unless you have a really good reason to
change it.

## Proposal
1. Do not auto-generate the network if the network file does not exist
in the provided path. Nodes where the key file does not exist will get
the following error:
```
Error: 
   0: Starting an authorithy without network key in /home/alexggh/.local/share/polkadot/chains/ksmcc3/network/secret_ed25519.
      
       This is not a safe operation because the old identity still lives in the dht for 36 hours.
      
       Because of it your node might suffer from not being properly connected to other nodes for validation purposes.
      
       If it is the first time running your node you could use one of the following methods.
      
       1. Pass --unsafe-force-node-key-generation and make sure you remove it for subsequent node restarts
      
       2. Separetly generate the key with: polkadot key generate-node-key --file <YOUR_PATH_TO_NODE_KEY>
```

2. Add an explicit parameters for nodes that do want to change their
network despite the warnings or if they run the node for the first time.
`--unsafe-force-node-key-generation`

3. For `polkadot key generate-node-key` add two new mutually exclusive
parameters `base_path` and `default_base_path` to help with the key
generation in the same path the polkadot main command would expect it.
 
4. Modify the installation scripts to auto-generate a key in default
path if one was not present already there, this should help with making
the executable work out of the box after an instalation.

## Notes

Nodes that do not have already the key persisted will fail to start
after this change, however I do consider that better than the current
situation where they start but they silently hide that they might not be
properly connected to their peers.

## TODO
- [x] Make sure only nodes that are authorities on producation chains
will be affected by this restrictions.
- [x] Proper PRDOC, to make sure node operators are aware this is
coming.

---------

Signed-off-by: Alexandru Gheorghe <alexandru.gheorghe@parity.io>
Co-authored-by: Dmitry Markin <dmitry@markin.tech>
Co-authored-by: s0me0ne-unkn0wn <48632512+s0me0ne-unkn0wn@users.noreply.github.com>
Co-authored-by: Bastian Köcher <git@kchr.de>
2024-04-15 06:23:35 +00:00
..

Polkadot

Implementation of a https://polkadot.network node in Rust based on the Substrate framework.

The README provides information about installing the polkadot binary and developing on the codebase. For more specific guides, like how to run a validator node, see the Polkadot Wiki.

Installation

Using a pre-compiled binary

If you just wish to run a Polkadot node without compiling it yourself, you may either:

  • run the latest binary from our releases page (make sure to also download all the worker binaries and put them in the same directory as polkadot), or
  • install Polkadot from one of our package repositories.

Debian-based (Debian, Ubuntu)

Currently supports Debian 10 (Buster) and Ubuntu 20.04 (Focal), and derivatives. Run the following commands as the root user.

# Import the security@parity.io GPG key
gpg --recv-keys --keyserver hkps://keys.mailvelope.com 9D4B2B6EB8F97156D19669A9FF0812D491B96798
gpg --export 9D4B2B6EB8F97156D19669A9FF0812D491B96798 > /usr/share/keyrings/parity.gpg
# Add the Parity repository and update the package index
echo 'deb [signed-by=/usr/share/keyrings/parity.gpg] https://releases.parity.io/deb release main' > /etc/apt/sources.list.d/parity.list
apt update
# Install the `parity-keyring` package - This will ensure the GPG key
# used by APT remains up-to-date
apt install parity-keyring
# Install polkadot
apt install polkadot

Installation from the Debian repository will create a systemd service that can be used to run a Polkadot node. This is disabled by default, and can be started by running systemctl start polkadot on demand (use systemctl enable polkadot to make it auto-start after reboot). By default, it will run as the polkadot user. Command-line flags passed to the binary can be customized by editing /etc/default/polkadot. This file will not be overwritten on updating Polkadot. You may also just run the node directly from the command-line.

Building

Since the Polkadot node is based on Substrate, first set up your build environment according to the Substrate installation instructions.

Install via Cargo

Make sure you have the support software installed from the Build from Source section below this section.

If you want to install Polkadot in your PATH, you can do so with:

cargo install --git https://github.com/paritytech/polkadot-sdk --tag <version> polkadot --locked

Build from Source

Build the client by cloning this repository and running the following commands from the root directory of the repo:

git checkout <latest tagged release>
cargo build --release

Note: if you want to move the built polkadot binary somewhere (e.g. into $PATH) you will also need to move polkadot-execute-worker and polkadot-prepare-worker. You can let cargo do all this for you by running:

cargo install --path . --locked

Build from Source with Docker

You can also build from source using Parity CI docker image:

git checkout <latest tagged release>
docker run --rm -it -w /shellhere/polkadot \
                    -v $(pwd):/shellhere/polkadot \
                    paritytech/ci-linux:production cargo build --release
sudo chown -R $(id -u):$(id -g) target/

If you want to reproduce other steps of CI process you can use the following guide.

Networks

This repo supports runtimes for Polkadot, Kusama, and Westend.

Connect to Polkadot Mainnet

Connect to the global Polkadot Mainnet network by running:

../target/release/polkadot --chain=polkadot

You can see your node on [telemetry] (set a custom name with --name "my custom name").

telemetry: https://telemetry.polkadot.io/#list/Polkadot

Connect to the "Kusama" Canary Network

Connect to the global Kusama canary network by running:

../target/release/polkadot --chain=kusama

You can see your node on [telemetry] (set a custom name with --name "my custom name").

telemetry: https://telemetry.polkadot.io/#list/Kusama

Connect to the Westend Testnet

Connect to the global Westend testnet by running:

../target/release/polkadot --chain=westend

You can see your node on [telemetry] (set a custom name with --name "my custom name").

telemetry: https://telemetry.polkadot.io/#list/Westend

Obtaining DOTs

If you want to do anything on Polkadot, Kusama, or Westend, then you'll need to get an account and some DOT, KSM, or WND tokens, respectively. Follow the instructions on the Wiki to obtain tokens for your testnet of choice.

Hacking on Polkadot

If you'd actually like to hack on Polkadot, you can grab the source code and build it. Ensure you have Rust and the support software installed.

Then, grab the Polkadot source code:

git clone https://github.com/paritytech/polkadot-sdk.git
cd polkadot

Then build the code. You will need to build in release mode (--release) to start a network. Only use debug mode for development (faster compile times for development and testing).

cargo build

You can run the tests if you like:

cargo test --workspace --profile testnet
# Or run only the tests for specified crated
cargo test -p <crate-name> --profile testnet

You can start a development chain with:

cargo run --bin polkadot -- --dev

Detailed logs may be shown by running the node with the following environment variables set:

RUST_LOG=debug RUST_BACKTRACE=1 cargo run --bin polkadot-- --dev

Development

You can run a simple single-node development "network" on your machine by running:

cargo run --bin polkadot --release -- --dev

You can muck around by heading to https://polkadot.js.org/apps and choose "Local Node" from the Settings menu.

Local Two-node Testnet

If you want to see the multi-node consensus algorithm in action locally, then you can create a local testnet. You'll need two terminals open. In one, run:

polkadot --dev --alice -d /tmp/alice

And in the other, run:

polkadot --dev --bob -d /tmp/bob --bootnodes '/ip4/127.0.0.1/tcp/30333/p2p/ALICE_BOOTNODE_ID_HERE'

Ensure you replace ALICE_BOOTNODE_ID_HERE with the node ID from the output of the first terminal.

Monitoring

Setup Prometheus and Grafana.

Once you set this up you can take a look at the Polkadot Grafana dashboards that we currently maintain.

Using Docker

Using Docker

Shell Completion

Shell Completion

Contributing

Contributing Guidelines

Contribution Guidelines

Contributor Code of Conduct

Code of Conduct

License

Polkadot is GPL 3.0 licensed.