FIPXXXX: Introducing sealerID #993
Conversation
This proposal introduced the sealerID. This is a new identifier created for parties that participate to the Filecoin network by creating replicas, which can then transferred to SPs. This fully enables the Sealing-as-a-Service scenario already introduced in FIP0090 (NI-PoRep). Discussion: #890
irenegia
requested review from
momack2,
arajasek,
jennijuju,
kaitlin-beegle,
anorth,
raulk,
jsoares and
TippyFlitsUK
as code owners
irenegia
changed the title
irenegia
changed the title
FIPS/fip-xxx-sealerid.md
Outdated
| 2. The list of SealerIDs is disjoint from the MinerID list | ||
| 3. Add a new map `SealerID -> [SectorNumber]` to the chain state (that is, we have a list of used sector numbers for each sealer); | ||
| 1. ie, the actor needs `SectorNumber` facilities. | ||
| 3. Modify the method `ProveCommitSectorsNI` to accept the sealerID to create `ReplicaID` . |
There was a problem hiding this comment.
If NI PoRep were accepted and shipped in an upgrade first, we will need to add a new method, ProveCommitSectorsNI2, for this change, given this is a breaking change.
There was a problem hiding this comment.
As this "fully enables" NI-Porep, does this make it worth considering folding this into that FIP?
There was a problem hiding this comment.
However we organize the FIPS I think it would be ideal to land both at the same time
There was a problem hiding this comment.
@ZenGround0 we are planning to ship NI-PoRep in nv23, but I don't think sealearID can make for it, unless we prioritise it now (fine with me)... what's your opinion on this?
cc @rjan90
There was a problem hiding this comment.
Personally I would prefer we ship them together so we can maintain the momentum from NI Porep and immediately unlock sealing as a service. But I don't know if filoz has the capacity to get both done on time.
FIPS/fip-xxx-sealerid.md
Outdated
| 4. [Access control, needed to avoid front-run attacks] | ||
| 5. Store in the Sealer Actor another address: this is an address to a proxy contract that can be used to implement ACL | ||
|
|
||
| When an SP onboards a sector (ie, call to method `ProveCommitSectorsNIParams` in the Miner Actor), then call to the Sealer Actor. If the ACL is enabled, then call the ACL contract. |
There was a problem hiding this comment.
Is the plan to ship an FRC for this hook/interface as well..?
|
Editor: I think we will need a bit more spec design work to do before it can be merged😄 would recommend to turn this FIP into a draft PR until them |
Co-authored-by: Jiaying Wang <42981373+jennijuju@users.noreply.github.com>
FIPS/fip-xxx-sealerid.md
Outdated
| 1. We add a new type of actor: the Sealer Actor (to be used for SaaS Providers); | ||
| 1. This can be a “disposable” actor, no need for an owner key. If something bad happens, create a new id. This is okay because no tokens are locked for this actor; | ||
| 2. Add the method to create and register `SealerID` | ||
| 2. The list of SealerIDs is disjoint from the MinerID list |
There was a problem hiding this comment.
As I understand it the SealerActor type should be a multiple instance type. Anyone can create a SealerActor and SealerID will simply be the actor ID. This ensures SealerIDs are disjoin from MinerIDs. If we wanted a singleton actor it would become quite difficult to ensure they are disjoint.
There was a problem hiding this comment.
Right, no singleton actor. We should go with the two separate actors. I'll update the spec with the details you suggested here 🙏 .
FIPS/fip-xxx-sealerid.md
Outdated
| 1. This can be a “disposable” actor, no need for an owner key. If something bad happens, create a new id. This is okay because no tokens are locked for this actor; | ||
| 2. Add the method to create and register `SealerID` | ||
| 2. The list of SealerIDs is disjoint from the MinerID list | ||
| 3. Add a new map `SealerID -> [SectorNumber]` to the chain state (that is, we have a list of used sector numbers for each sealer); |
There was a problem hiding this comment.
Concretely this sector number list would be a bitfield as is the case in the miner actor.
FIPS/fip-xxx-sealerid.md
Outdated
| 3. Add a new map `SealerID -> [SectorNumber]` to the chain state (that is, we have a list of used sector numbers for each sealer); | ||
| 1. ie, the actor needs `SectorNumber` facilities. | ||
| 3. Modify the method `ProveCommitSectorsNI` to accept the sealerID to create `ReplicaID` . | ||
| 4. Add the `SealerID` field to `SectorNIActivactionInfo` |
There was a problem hiding this comment.
Note we'll also need to add SealerSectorNumber to the activation info as this will generally need to be separately declared from the miner actor's sector number.
There was a problem hiding this comment.
We could use CBOR -1 or some well defined value <= current actor id to indicate EMPTY_SEALER_ID. SealerSectorNumber could either be ignored or enforced to be 0 if we have the EMPTY_SEALER_ID case.
There was a problem hiding this comment.
Or alternatively we could enforce SealerID is explicitly set as minerID in the empty case.
There was a problem hiding this comment.
If these are disjoint sets, your recent post would make the proposal simpler to code and verify: struct{sealerID, sectorNumber} would be a unique identifier, replacing struct{minerID, sectorNumber}
There was a problem hiding this comment.
👍 I agree with {sealerID, sectorNumber} for replica ID info. Annoyingly replica ID sector number and miner metadata sectorNumber will be different so we do have to handle that. Probably with {minerID, sectorNumber, minerSectorNumber} where last value can be -1.
| 5. Store in the Sealer Actor another address: this is an address to a proxy contract that can be used to implement ACL | ||
|
|
||
| When an SP onboards a sector (ie, call to method `ProveCommitSectorsNIParams` in the Miner Actor), then call to the Sealer Actor. If the ACL is enabled, then call the ACL contract. | ||
|
|
There was a problem hiding this comment.
An idea from @jennijuju: One design direction to consider is making the SealerActor an Fevm actor. We could do this by writing a user contract that enforces sector numbers are only claimed once. Then when calling sealer id from miner actor we check that we are 1) calling evm actor 2) the bytecode of the evm actor matches the expected contract.
Reasons for and against are pretty split so I don't know which to advocate for.
Reasons FOR
- Take advantage of solidity development tooling
- Less actor bundle overhead
- No migration overhead
- We can deploy and test out the contract before the upgrade
Reasons AGAINST
- Performance might suffer
- Probably a bit harder to develop for our team. Less copy past of rust code, more learning new stuff. Not in builtin actors repository. Miss out on builtin actors testing framework.
- Finding/building a performant analogue to the bitfield data type in solidity might be too much
@anorth @Kubuxu @Stebalien any thoughts?
There was a problem hiding this comment.
Moved design question to #890 (comment) so it’s more discoverable and trackable
There was a problem hiding this comment.
it seems to me that the conclusion here is to go with the original proposed design (sealer id in actor code and all other feature, as for example the ACL, in FEVM)
#890 (reply in thread)
|
|
||
|
|
||
| ## Backwards Compatibility | ||
|
|
There was a problem hiding this comment.
I've been looking into the use of prover_id and sector_number by the window post circuit. I think that these values do not need to match the prover_id and sector_number used by sealing as they are used for challenge generation independent of the sealing process.
However if these values do need to be the same across sealing and post we will have to change miner actor state to keep around enough information to reconstruct the sealer id and sector number.
There was a problem hiding this comment.
Are there any other instances where we need the inputs to the ReplicaID (original sector number and prover id) after commiting a sector? Are there any reasons we might want these in the future? If so it is important to identify them so we can make sure we have enough information in the miner actor state.
There was a problem hiding this comment.
I've been looking into the use of prover_id and sector_number by the window post circuit. I think that these values do not need to match the prover_id and sector_number used by sealing as they are used for challenge generation independent of the sealing process
Correct, they do not need to match.
There was a problem hiding this comment.
Are there any other instances where we need the inputs to the ReplicaID (original sector number and prover id) after commiting a sector?
@lucaniz and I checked for this, we did not find any
Are there any reasons we might want these in the future?
Nothing that come to mind to me now :)
added some spec details
| - The new actor needs `sectorNumber` facilities: There is a map `sealerID -> [sealerSectorNumber]` in the state (that is, we have a list of used sector numbers for each sealer); Concretely this sector number list would be a bitfield as is the case of the miner actor. | ||
|
|
||
| 2. Modify the method `ProveCommitSectorsNI` to accept the sealerID to create `ReplicaID` . | ||
| - Add a new field to `SectorNIActivactionInfo` for passing the sealerID info: |
There was a problem hiding this comment.
| - Add a new field to `SectorNIActivactionInfo` for passing the sealerID info: | |
| - Add a new field to `SectorNIActivationInfo` for passing the `SealerID`: |
There was a problem hiding this comment.
I see that FIP-0090 already has a SealerID in it, but it's not nullable / Option, is there some reconciliation that needs to happen between the two?
There was a problem hiding this comment.
@ZenGround0 could you help here please?
There was a problem hiding this comment.
Let's not allow these to be nullable. FIP 0090 needs to assert some constraints (SealerID == ActorID) but once the sealer actor shows up we won't need any constraints, we'll just check whatever actor is at SealerID for unused SealingNumber. If we don't rely on an external SealingActor the caller can set SealerID to ActorID
|
|
||
| 2. Modify the method `ProveCommitSectorsNI` to accept the sealerID to create `ReplicaID` . | ||
| - Add a new field to `SectorNIActivactionInfo` for passing the sealerID info: | ||
| - if empty, use the the minerID when creating the `ReplicaID` |
There was a problem hiding this comment.
| - if empty, use the the minerID when creating the `ReplicaID` | |
| - if null, use the the minerID when creating the `ReplicaID` |
alternatively 0?
| - if empty, use the the minerID when creating the `ReplicaID` | ||
| - if a value is passed, use this for `ReplicaID` (in the place of `minerID`) | ||
| - Add a new field to `SectorNIActivactionInfo` for passing `sealerSectorNumber`: | ||
| - again, if we are in the case EMPTY_SEALER_ID, then `sealerSectorNumber` could either be ignored or enforced to be 0, otherwis eit is used for `ReplicaID`; |
There was a problem hiding this comment.
introducing new terminology, maybe just keep it simple?
| - again, if we are in the case EMPTY_SEALER_ID, then `sealerSectorNumber` could either be ignored or enforced to be 0, otherwis eit is used for `ReplicaID`; | |
| - again, if `SealerID` is null, then `SealerSectorNumber` could either be ignored or enforced to be 0, otherwise it is used for `SectorNumber`; |
Co-authored-by: Rod Vagg <rod@vagg.org>
| - if a value is passed, use this for `ReplicaID` (in the place of `minerID`) | ||
| - Add a new field to `SectorNIActivactionInfo` for passing `sealerSectorNumber`: | ||
| - again, if we are in the case EMPTY_SEALER_ID, then `sealerSectorNumber` could either be ignored or enforced to be 0, otherwis eit is used for `ReplicaID`; | ||
| - note that the miner actor claims its own sector number in its internal state along side with the sealer's sector number. This means that the structure `{minerID, sectorNumber}` is replaced by `{minerID, sectorNumber, minerSectorNumber}` where last value can be 0. |
There was a problem hiding this comment.
I might be parsing this wrong, but I think the word "state" here might be misplaced, or suggesting something that it shouldn't? I think this might be referring to the internal way that the actor identifies a sector, via the SectorID compound structure: https://github.com/filecoin-project/ref-fvm/blob/31118cfad2e83dc3f6202f38ce7d96cd1c747aea/shared/src/sector/mod.rs#L54-L59
| - note that the miner actor claims its own sector number in its internal state along side with the sealer's sector number. This means that the structure `{minerID, sectorNumber}` is replaced by `{minerID, sectorNumber, minerSectorNumber}` where last value can be 0. | |
| - note that the miner actor identifies sectors internally using a `SectorID` structure with a `{minerID, sectorNumber}` pair. This is replaced by `{minerID, sectorNumber, minerSectorNumber}` where last value can be 0. |
Does that sound right?
This proposal introduced the sealerID. This is a new identifier created for parties that participate to the Filecoin network by creating replicas, which can then transferred to SPs.
This fully enables the Sealing-as-a-Service scenario already introduced in FIP0090 (NI-PoRep).
Discussion: #890