Create a sentry node configuration for Polkadot validators with guide #122
Comments
This issue now has a funding of 150.0 DAI (150.0 USD @ $1.0/DAI) attached to it.
Workers have applied to start work. These users each claimed they can complete the work by 12 months from now. 1) gutsal-arsen has applied to start work. Create 2-nodes configuration (sentry and validator), create a deployment guide.
@Web3Foundation applied on Gitcoin. Could you approve?
Hey @agutsal, gitcoin is down at the moment; once services resume, will review!
Work has been started. These users each claimed they can complete the work by 9 months, 1 week from now. 1) gutsal-arsen has been approved to start work. Create 2-nodes configuration (sentry and validator), create a deployment guide.
@agutsal you've been approved to start work.
@gutsal-arsen Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!
@gitcoinbot alive, will update soon
@agutsal great look forward to it! :)
@gitcoinbot wait a bit
@gitcoinbot working
@Web3Foundation tried to build using polkadot Dockerfile. Tried twice - same result.
@agutsal Are you building from the master branch or v0.4 branch? It might be better to build from Please reach out to @logan:web3.foundation on Riot for more immediate communication.
@lsaether what is Riot? Gimme the link plz
This looks like you are not compiling the Wasm binary before running
@lsaether I'm just running
Probably @lsaether @fgimenez are both on vacation, @Web3Foundation ? ;)
Will ping again now, @agutsal things have just been super busy, apologies again for the wait.
Correct, two nodes, one running "behind" the other. The sentry node is facing the public network (and connects to the rest of the p2p network). The validator node is behind a firewall and can only communicate with the sentry node.

*** public network *** <---> Sentry node <-- firewall --> Validator node

https://guide.kusama.network/en/latest/try/secure-validator-setup/

Feel free to ping me if you have other questions.
@laboon once again - we're both speaking about Compose private network configuration.
Apologies, I just got pointed to this and misunderstood your question. Federico, who I believe put this request together, is on vacation this week. "is docker-compose custom virtual network configuration what you expect to have 2 nodes running one behind another?" Using Docker Compose to make an isolated private network is certainly one way to do it and should be acceptable. I don't know if that was the original expectation, however (I don't see anything to the contrary here - not sure if you have private communications elsewhere). Feel free to let me know if I didn't answer your question.
@agutsal as I see it the overlay networks created by docker-compose are not enough to isolate a validator node from the rest of the polkadot network; as soon as the validator connects to its boot nodes it will be known by the network, and if you don't put in place any additional measure other peer nodes will be able to connect to it. You can verify all this by starting the network with a docker compose file like this:
This single node has an internal ip address, doesn't declare any p2p port to be accessed from outside and doesn't have any additional peer in the local overlay network. When I start the node:
You can see that other peers can connect to it easily right after start. However, I think the overlay network is a good step in the right direction, it creates a network address space only known by the members of the network, and you could configure the validator and the public nodes to restrict access, maybe using the polkadot binary options
@fgimenez as mentioned here wouldn't this work:
@fgimenez well, I'd consider that approach after a few days of silence
@agutsal sure sorry for the late response, combining reserved-nodes and bootnodes is a good option. As stated in my previous comment I would also introduce listen-addr in the validator with the validator ip in the docker compose overlay network, so that you make sure that the validator only accepts connections from peers in that address space.
Thanks for your reply. From what I see they use Basically should I follow this: If that's correct where to pass
As I see it you should not use any external discovered address; instead you should use a multiaddr that includes the ip of the public node on the docker compose overlay network. Not sure if you can know it before the docker compose network is launched. I only mentioned bootnodes because they appeared in the example you linked, you only need them if you are going to create a local network. If you are going to join alex or (what would be better imo) kusama, the bootnodes are already defined in the chainspec.
@fgimenez as per requirement validator node should connect to sentry node. I need to know how to do that. That's it.
Yes, this is done by setting
@fgimenez ;) could be, just don't know the format of
sure, something like this You should set the private ip as the one assigned to the public node in the docker compose overlay network. The peer id is randomly assigned on boot if you don't specify a node key with So, for each public node:
and start the validator with one Let me know if you need anything else.
@fgimenez I'm currently thinking how to make this 2 step process in a single Something like that:
You can use one of the libp2p libraries for generating the peer id and associated keypair, for instance https://github.com/libp2p/js-peer-id node-key is the private key, with 256 bits of length.
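Added example (not code from this thread or from the polkadot/substrate repositories) of the step fgimenez describes above: deriving the sentry's peer id from its 256-bit node key and assembling the multiaddr the validator passes in --reserved-nodes. It assumes the ed25519 node-key type (substrate's default), uses the RFC 8032 test-vector seed as a constructed sample node key, and uses 172.28.0.2:30333 as an assumed docker-compose overlay address for the sentry. With a real node key, the printed peer id should match the local node identity the sentry logs at startup.

```python
"""Derive a libp2p peer id from a 32-byte ed25519 node key and build the
--reserved-nodes multiaddr a validator points at its sentry.
Added example, pure Python, no third-party dependencies."""
import hashlib

# Curve25519 field prime and twisted-Edwards constant d = -121665/121666 (mod P).
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
# Standard ed25519 base point in affine (x, y) coordinates, as in RFC 8032.
BASE = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
        46316835694926478169428394003475163141307993866256225615783033603165251855960)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _add(p, q):
    """Unified affine addition on the twisted Edwards curve (a = -1)."""
    x1, y1 = p
    x2, y2 = q
    k = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, P - 2, P) % P
    return x3, y3


def _scalar_mult(s, point):
    """Double-and-add; (0, 1) is the neutral element."""
    result = (0, 1)
    while s:
        if s & 1:
            result = _add(result, point)
        point = _add(point, point)
        s >>= 1
    return result


def ed25519_public_key(seed: bytes) -> bytes:
    """RFC 8032 key derivation: clamp SHA-512(seed)[:32], multiply the base point."""
    if len(seed) != 32:
        raise ValueError("node key must be 32 bytes (256 bits)")
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248
    h[31] &= 63
    h[31] |= 64
    a = int.from_bytes(h, "little")
    x, y = _scalar_mult(a, BASE)
    # Compressed point: little-endian y with the parity of x in the top bit.
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def base58(data: bytes) -> str:
    """Bitcoin-alphabet base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def peer_id_from_node_key(node_key_hex: str) -> str:
    """Node key (hex ed25519 seed) -> libp2p peer id (the 12D3KooW... string)."""
    pub = ed25519_public_key(bytes.fromhex(node_key_hex))
    # libp2p PublicKey protobuf: field 1 Type = Ed25519 (1), field 2 Data = 32 bytes.
    pk_proto = b"\x08\x01" + b"\x12\x20" + pub
    # Keys of at most 42 bytes are wrapped in an identity multihash: code 0x00, length 36.
    multihash = b"\x00" + bytes([len(pk_proto)]) + pk_proto
    return base58(multihash)


def reserved_node_multiaddr(ip: str, port: int, peer_id: str) -> str:
    """Value for --reserved-nodes: the sentry's overlay address plus its peer id."""
    return f"/ip4/{ip}/tcp/{port}/p2p/{peer_id}"


if __name__ == "__main__":
    # Constructed sample: RFC 8032 test-vector seed as the sentry's node key and an
    # assumed docker-compose overlay address for the sentry (not from the thread).
    SENTRY_NODE_KEY = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"
    pid = peer_id_from_node_key(SENTRY_NODE_KEY)
    print("sentry peer id:", pid)
    print("validator flag: --reserved-nodes", reserved_node_multiaddr("172.28.0.2", 30333, pid))
```

Because the peer id is a pure function of the node key, a compose file can pin the sentry's --node-key and compute the validator's --reserved-nodes value before either container starts, which avoids the problem fgimenez points out of the peer id being random on boot when no node key is given.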
Sure will take a look next week 👍
@agutsal looks good, it's pretty similar to https://github.com/paritytech/substrate/blob/master/scripts/sentry-node/docker-compose.yml, right? What's the benefit of adding it to polkadot's repo?
Well @fgimenez, it's actually based on
This is a must to run sentry/validator with unique NODE_KEY, RESERVED_NODES/BOOTNODES URI on a public (not local) chain. which is OK for testing but not for production. Also some redundant parameters have been cleared.
Work for 150.0 DAI (150.0 USD @ $1.0/DAI) has been submitted by: @Web3Foundation please take a look at the submitted work:
The funding of 150.0 DAI (150.0 USD @ $1.0/DAI) attached to this issue has been approved & issued to @gutsal-arsen.
@Web3Foundation Thanks for your payment. However, I think I also have to fix docs in scope of current project. Current repository does not contain docs, should I clone https://github.com/w3f/polkadot-wiki and fix them there?
@agutsal sure; there was a bit of a repeated effort as @fgimenez had created a tool that maybe more successfully solves this problem. We paid out because of your repeated efforts in the ecosystem and the ongoing respective time you've taken in past bounties & this one. Feel free to amend documentation and leave any comments for review.
Thanks for letting me know. Would work on that today and let you know @fgimenez @Web3Foundation.
Closing since sentry nodes have been deprecated.
Sentry nodes are one way to protect validators from a DoS attack by not exposing them directly to the internet. Sentry nodes are full nodes which connect to other validators and the peer-to-peer network and insulate the validator. The validator node (the one with the signing keys) is kept isolated from the rest of the gossip network and is only connected to the sentry node(s).
This task is to create a sentry node configuration and script which can launch two separate nodes and have them connected to each other so that one is public-facing to the p2p network (the sentry) and the other only connects to the sentry (the validator). The validator should still be able to participate in Polkadot consensus on the Alexander testnet. When everything is working, write a short guide on how someone would deploy it. You can base the guide on the current validator guide for Polkadot. However, do not repeat content already written there, instead write your guide as an “extension” to this already existing one.