You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

128 lines
5.6 KiB

  1. Application Architecture Guide
  2. ==============================
  3. Overview
  4. --------
  5. A blockchain application is more than the consensus engine and the
  6. transaction logic (eg. smart contracts, business logic) as implemented
  7. in the ABCI app. There are also (mobile, web, desktop) clients that will
  8. need to connect and make use of the app. We will assume for now that you
  9. have a well designed transactions and database model, but maybe this
  10. will be the topic of another article. This article is more interested in
  11. various ways of setting up the "plumbing" and connecting these pieces,
  12. and demonstrating some evolving best practices.
  13. Security
  14. --------
  15. A very important aspect when constructing a blockchain is security. The
  16. consensus model can be DoSed (no consensus possible) by corrupting 1/3
  17. of the validators and exploited (writing arbitrary blocks) by corrupting
  18. 2/3 of the validators. So, while the security is not that of the
  19. "weakest link", you should take care that the "average link" is
  20. sufficiently hardened.
  21. One big attack surface on the validators is the communication between
  22. the ABCI app and the tendermint core. This should be highly protected.
  23. Ideally, the app and the core are running on the same machine, so no
  24. external agent can target the communication channel. You can use unix
  25. sockets (with permissions preventing access from other users), or even
  26. compile the two apps into one binary if the ABCI app is also writen in
  27. go. If you are unable to do that due to language support, then the ABCI
  28. app should bind a TCP connection to localhost (127.0.0.1), which is less
  29. efficient and secure, but still not reachable from outside. If you must
  30. run the ABCI app and tendermint core on separate machines, make sure you
  31. have a secure communication channel (ssh tunnel?)
  32. Now assuming, you have linked together your app and the core securely,
  33. you must also make sure no one can get on the machine it is hosted on.
  34. At this point it is basic network security. Run on a secure operating
  35. system (SELinux?). Limit who has access to the machine (user accounts,
  36. but also where the physical machine is hosted). Turn off all services
  37. except for ssh, which should only be accessible by some well-guarded
  38. public/private key pairs (no password). And maybe even firewall off
  39. access to the ports used by the validators, so only known validators can
  40. connect.
  41. There was also a suggestion on slack from @jhon about compiling
  42. everything together with a unikernel for more security, such as
  43. `Mirage <https://mirage.io>`__ or
  44. `UNIK <https://github.com/emc-advanced-dev/unik>`__.
  45. Connecting your client to the blockchain
  46. ----------------------------------------
  47. Tendermint Core RPC
  48. ~~~~~~~~~~~~~~~~~~~
  49. The concept is that the ABCI app is completely hidden from the outside
  50. world and only communicated through a tested and secured `interface
  51. exposed by the tendermint core </docs/specs/rpc>`__. This interface
  52. exposes a lot of data on the block header and consensus process, which
  53. is quite useful for externally verifying the system. It also includes
  54. 3(!) methods to broadcast a transaction (propose it for the blockchain,
  55. and possibly await a response). And one method to query app-specific
  56. data from the ABCI application.
  57. Pros: \* Server code already written \* Access to block headers to
  58. validate merkle proofs (nice for light clients) \* Basic read/write
  59. functionality is supported
  60. Cons: \* Limited interface to app. All queries must be serialized into
  61. []byte (less expressive than JSON over HTTP) and there is no way to push
  62. data from ABCI app to the client (eg. notify me if account X receives a
  63. transaction)
  64. Custom ABCI server
  65. ~~~~~~~~~~~~~~~~~~
  66. This was proposed by @wolfposd on slack and demonstrated by
  67. `TMChat <https://github.com/wolfposd/TMChat>`__, a sample app. The
  68. concept is to write a custom server for your app (with typical REST
  69. API/websockets/etc for easy use by a mobile app). This custom server is
  70. in the same binary as the ABCI app and data store, so can easily react
  71. to complex events there that involve understanding the data format (send
  72. a message if my balance drops below 500). All "writes" sent to this
  73. server are proxied via websocket/JSON-RPC to tendermint core. When they
  74. come back as deliver\_tx over ABCI, they will be written to the data
  75. store. For "reads", we can do any queries we wish that are supported by
  76. our architecture, using any web technology that is useful. The general
  77. architecture is shown in the following diagram:
  78. Pros: \* Separates application logic from blockchain logic \* Allows
  79. much richer, more flexible client-facing API \* Allows pub-sub, watching
  80. certain fields, etc.
  81. Cons: \* Access to ABCI app can be dangerous (be VERY careful not to
  82. write unless it comes from the validator node) \* No direct access to
  83. the blockchain headers to verify tx \* You must write your own API (but
  84. maybe that's a pro...)
  85. Hybrid solutions
  86. ~~~~~~~~~~~~~~~~
  87. Likely the least secure but most versatile. The client can access both
  88. the tendermint node for all blockchain info, as well as a custom app
  89. server, for complex queries and pub-sub on the abci app.
  90. Pros: \* All from both above solutions
  91. Cons: \* Even more complexity \* Even more attack vectors (less
  92. security)
  93. Scalability
  94. -----------
  95. Read replica using non-validating nodes? They could forward transactions
  96. to the validators (fewer connections, more security), and locally allow
  97. all queries in any of the above configurations. Thus, while
  98. transaction-processing speed is limited by the speed of the abci app and
  99. the number of validators, one should be able to scale our read
  100. performance to quite an extent (until the replication process drains too
  101. many resources from the validator nodes).
  102. Example Code
  103. ------------
  104. - `TMChat <https://github.com/wolfposd/TMChat>`__