zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6643 Commits
183 Branches
291 MiB
Tree: 33b4617e9a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '33b4617e9a'
${ noResults }
tendermint/docs/architecture/adr-016-protocol-versions.md

301 lines
11 KiB
Raw Normal View History

adr: protocol versioning
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
adr: protocol versioning
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
adr: protocol versioning
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
adr: protocol versioning
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
adr: protocol versioning
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
adr: protocol versioning
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
adr: protocol versioning
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
adr: protocol versioning
6 years ago
 
  1. # ADR 016: Protocol Versions

  2. 

  3. ## TODO

  4. 

  5. - How to / should we version the authenticated encryption handshake itself (ie.
  6.   upfront protocol negotiation for the P2PVersion)
  7. 

  8. ## Changelog

  9. 

  10. - 03-08-2018: Updates from discussion with Jae:
  11.   - ProtocolVersion contains Block/AppVersion, not Current/Next
  12.   - signal upgrades to Tendermint using EndBlock fields
  13.   - dont restrict peer compatibilty by version to simplify syncing old nodes
  14. - 28-07-2018: Updates from review
  15.   - split into two ADRs - one for protocol, one for chains
  16.   - include signalling for upgrades in header
  17. - 16-07-2018: Initial draft - was originally joint ADR for protocol and chain
  18.   versions
  19. 

  20. ## Context

  21. 

  22. The Software Version is covered by SemVer and described elsewhere.
  23. It is not relevant to the protocol description, suffice to say that if any protocol version
  24. changes, the software version changes, but not necessarily vice versa.
  25. 

  26. Software version shoudl be included in NodeInfo for convenience/diagnostics.
  27. 

  28. We are also interested in versioning across different blockchains in a
  29. meaningful way, for instance to differentiate branches of a contentious
  30. hard-fork. We leave that for a later ADR.
  31. 

  32. Here we focus on protocol versions.
  33. 

  34. ## Requirements

  35. 

  36. We need to version components of the blockchain that may be independently upgraded.
  37. We need to do it in a way that is scalable and maintainable - we can't just litter
  38. the code with conditionals.
  39. 

  40. We can consider the complete version of the protocol to contain the following sub-versions:
  41. BlockVersion, P2PVersion, AppVersion. These versions reflect the major sub-components
  42. of the software that are likely to evolve together, at different rates, and in different ways,
  43. as described below.
  44. 

  45. The BlockVersion defines the core of the blockchain data structures and
  46. should change infrequently.
  47. 

  48. The P2PVersion defines how peers connect and communicate with eachother - it's
  49. not part of the blockchain data structures, but defines the protocols used to build the
  50. blockchain. It may change gradually.
  51. 

  52. The AppVersion determines how we compute app specific information, like the
  53. AppHash and the Results.
  54. 

  55. All of these versions may change over the life of a blockchain, and we need to
  56. be able to help new nodes sync up across version changes. This means we must be willing
  57. to connect to peers with older version.
  58. 

  59. ### BlockVersion

  60. 

  61. - All tendermint hashed data-structures (headers, votes, txs, responses, etc.).
  62.   - Note the semantic meaning of a transaction may change according to the AppVersion, but the way txs are merklized into the header is part of the BlockVersion
  63. - It should be the least frequent/likely to change.
  64.   - Tendermint should be stabilizing - it's just Atomic Broadcast.
  65.   - We can start considering for Tendermint v2.0 in a year
  66. - It's easy to determine the version of a block from its serialized form
  67. 

  68. ### P2PVersion

  69. 

  70. - All p2p and reactor messaging (messages, detectable behaviour)
  71. - Will change gradually as reactors evolve to improve performance and support new features - eg proposed new message types BatchTx in the mempool and HasBlockPart in the consensus
  72. - It's easy to determine the version of a peer from its first serialized message/s
  73. - New versions must be compatible with at least one old version to allow gradual upgrades
  74. 

  75. ### AppVersion

  76. 

  77. - The ABCI state machine (txs, begin/endblock behaviour, commit hashing)
  78. - Behaviour and message types will change abruptly in the course of the life of a chain
  79. - Need to minimize complexity of the code for supporting different AppVersions at different heights
  80. - Ideally, each version of the software supports only a _single_ AppVersion at one time
  81.   - this means we checkout different versions of the software at different heights instead of littering the code
  82.     with conditionals
  83.   - minimize the number of data migrations required across AppVersion (ie. most AppVersion should be able to read the same state from disk as previous AppVersion).
  84. 

  85. ## Ideal

  86. 

  87. Each component of the software is independently versioned in a modular way and its easy to mix and match and upgrade.
  88. 

  89. Good luck pal ;)
  90. 

  91. ## Proposal

  92. 

  93. Each of BlockVersion, AppVersion, P2PVersion is a monotonically increasing int64.
  94. 

  95. To use these versions, we need to update the block Header, the p2p NodeInfo, and the ABCI.
  96. 

  97. ### Header

  98. 

  99. Block Header should include a `Version` struct as its first field like:
  100. 

  101. ```
  102. type Version struct {
  103.     CurrentVersion ProtocolVersion
  104.     ChainID string
  105. 

  106.     NextVersion ProtocolVersion
  107. }
  108. 

  109. type ProtocolVersion struct {
  110.     BlockVersion int64
  111.     AppVersion int64
  112. }
  113. ```
  114. 

  115. Note this effectively makes BlockVersion the first field in the block Header.
  116. Since we have settled on a proto3 header, the ability to read the BlockVersion out of the serialized header is unanimous.
  117. 

  118. Using a Version struct gives us more flexibility to add fields without breaking
  119. the header.
  120. 

  121. The ProtocolVersion struct includes both the Block and App versions - it should
  122. serve as a complete description of the consensus-critical protocol.
  123. Using the `NextVersion` field, proposer's can signal their readiness to upgrade
  124. to a new Block and/or App version.
  125. 

  126. ### NodeInfo

  127. 

  128. NodeInfo should include a Version struct as its first field like:
  129. 

  130. ```
  131. type Version struct {
  132.     P2PVersion int64
  133. 

  134.     ChainID string
  135.     BlockVersion int64
  136.     AppVersion int64
  137.     SoftwareVersion string
  138. }
  139. ```
  140. 

  141. Note this effectively makes P2PVersion the first field in the NodeInfo, so it
  142. should be easy to read this out of the serialized header if need be to facilitate an upgrade.
  143. 

  144. The SoftwareVersion here should include the name of the software client and
  145. it's SemVer version - this is for convenience only. Eg.
  146. `tendermint-core/v0.22.8`.
  147. 

  148. The other versions and ChainID will determine peer compatibility (described below).
  149. 

  150. ### ABCI

  151. 

  152. Since the ABCI is responsible for keeping Tendermint and the App in sync, we
  153. need to communicate version information through it.
  154. 

  155. On startup, we use Info to perform a basic handshake. It should include all the
  156. version information.
  157. 

  158. We also need to be able to update versions in the life of a blockchain. The
  159. natural place to do this is EndBlock.
  160. 

  161. #### Info

  162. 

  163. RequestInfo should add support for protocol versions like:
  164. 

  165. ```
  166. message RequestInfo {
  167.   string software_version
  168.   int64 block_version
  169.   int64 p2p_version
  170. }
  171. ```
  172. 

  173. Similarly, ResponseInfo should return the versions:
  174. 

  175. ```
  176. message ResponseInfo {
  177.   string data
  178. 

  179.   string software_version
  180.   int64 app_version
  181. 

  182.   int64 last_block_height
  183.   bytes last_block_app_hash
  184. }
  185. ```
  186. 

  187. #### EndBlock

  188. 

  189. Updating the version could be done either with new fields or by using the
  190. existing `tags`. Since we're trying to communicate information that will be
  191. included in Tendermint block Headers, it should be native to the ABCI, and not
  192. something embedded through some scheme in the tags.
  193. 

  194. ResponseEndBlock will include a new field `version_updates`:
  195. 

  196. ```
  197. message ResponseEndBlock {
  198.   repeated Validator validator_updates
  199.   ConsensusParams consensus_param_updates
  200.   repeated common.KVPair tags
  201. 

  202.   VersionUpdates version_updates
  203. }
  204. 

  205. message VersionUpdates {
  206.   ProtocolVersion current_version
  207.   ProtocolVersion next_version
  208. }
  209. 

  210. message ProtocolVersion {
  211.     int64 block_version
  212.     int64 app_version
  213. }
  214. ```
  215. 

  216. Tendermint will use the information in VersionUpdates for the next block it
  217. proposes.
  218. 

  219. ### BlockVersion

  220. 

  221. BlockVersion is included in both the Header and the NodeInfo.
  222. 

  223. Changing BlockVersion should happen quite infrequently and ideally only for extreme emergency.
  224. 

  225. Note Ethereum has not had to make an upgrade like this (everything has been at state machine level, AFAIK).
  226. 

  227. ### P2PVersion

  228. 

  229. P2PVersion is not included in the block Header, just the NodeInfo.
  230. 

  231. P2PVersion is the first field in the NodeInfo. NodeInfo is also proto3 so this is easy to read out.
  232. 

  233. Note we need the peer/reactor protocols to take the versions of peers into account when sending messages:
  234. 

  235. - don't send messages they don't understand
  236. - don't send messages they don't expect
  237. 

  238. Doing this will be specific to the upgrades being made.
  239. 

  240. Note we also include the list of reactor channels in the NodeInfo and already don't send messages for channels the peer doesn't understand.
  241. If upgrades always use new channels, this simplifies the development cost of backwards compatibility.
  242. 

  243. Note NodeInfo is only exchanged after the authenticated encryption handshake to ensure that it's private.
  244. Doing any version exchange before encrypting could be considered information leakage, though I'm not sure
  245. how much that matters compared to being able to upgrade the protocol.
  246. 

  247. XXX: if needed, can we change the meaning of the first byte of the first message to encode a handshake version?
  248. this is the first byte of a 32-byte ed25519 pubkey.
  249. 

  250. ### AppVersion

  251. 

  252. AppVersion is also included in the block Header and the NodeInfo.
  253. 

  254. AppVersion essentially defines how the AppHash and Results are computed.
  255. 

  256. ### Peer Compatibility

  257. 

  258. Restricting peer compatibility based on version is complicated by the need to
  259. help old peers, possibly on older versions, sync the blockchain.
  260. 

  261. We might be tempted to say that we only connect to peers with the same
  262. AppVersion and BlockVersion (since these define the consensus critical
  263. computations), and a select list of P2PVersions (ie. those compatible with
  264. ours), but then we'd need to make accomodations for connecting to peers with the
  265. right Block/AppVersion for the height they're on.
  266. 

  267. For now, we will connect to peers with any version and restrict compatibility
  268. solely based on the ChainID. We leave more restrictive rules on peer
  269. compatibiltiy to a future proposal.
  270. 

  271. ### Future Changes

  272. 

  273. It may be valuable to support an `/unsafe_stop?height=_` endpoint to tell Tendermint to shutdown at a given height.
  274. This could be use by an external manager process that oversees upgrades by
  275. checking out and installing new software versions and restarting the process. It
  276. would subscribe to the relevant upgrade event (needs to be implemented) and call `/unsafe_stop` at
  277. the correct height (of course only after getting approval from its user!)
  278. 

  279. ## Consequences

  280. 

  281. ### Positive

  282. 

  283. - Make tendermint and application versions native to the ABCI to more clearly
  284.   communicate about them
  285. - Distinguish clearly between protocol versions and software version to
  286.   facilitate implementations in other languages
  287. - Versions included in key data structures in easy to discern way
  288. - Allows proposers to signal for upgrades and apps to decide when to actually change the
  289.   version (and start signalling for a new version)
  290. 

  291. ### Neutral

  292. 

  293. - Unclear how to version the initial P2P handshake itself
  294. - Versions aren't being used (yet) to restrict peer compatibility
  295. - Signalling for a new version happens through the proposer and must be
  296.   tallied/tracked in the app.
  297. 

  298. ### Negative

  299. 

  300. - Adds more fields to the ABCI
  301. - Implies that a single codebase must be able to handle multiple versions