zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6268 Commits
183 Branches
291 MiB
Tree: 715ec19c96
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '715ec19c96'
${ noResults }
tendermint/docs/tendermint-core/running-in-production.md

244 lines
8.4 KiB
Raw Normal View History

Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
Peng/deprecate aib data (#1926) * include ecosystem.json * update changelog * also include zarko's interview
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
revert back to Jae's original payload size limit except now we calculate the max size using the maxPacketMsgSize() function, which frees developers from having to know amino encoding details. plus, 10 additional bytes are added to leave the room for amino upgrades (both making it more efficient / less efficient)
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
remove doc. about no longer existing config option
6 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
limit number of open connections Refs #1740 also, expose limit option for number concurrent streams for gRPC (unlimited by default)
7 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
lint markdown
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
7 years ago
limit number of open connections Refs #1740 also, expose limit option for number concurrent streams for gRPC (unlimited by default)
7 years ago
 
  1. # Running in production

  2. 

  3. ## Logging

  4. 

  5. Default logging level (`main:info,state:info,*:`) should suffice for
  6. normal operation mode. Read [this
  7. post](https://blog.cosmos.network/one-of-the-exciting-new-features-in-0-10-0-release-is-smart-log-level-flag-e2506b4ab756)
  8. for details on how to configure `log_level` config variable. Some of the
  9. modules can be found [here](./how-to-read-logs.md#list-of-modules). If
  10. you're trying to debug Tendermint or asked to provide logs with debug
  11. logging level, you can do so by running tendermint with
  12. `--log_level="*:debug"`.
  13. 

  14. ## DOS Exposure and Mitigation

  15. 

  16. Validators are supposed to setup [Sentry Node
  17. Architecture](https://blog.cosmos.network/tendermint-explained-bringing-bft-based-pos-to-the-public-blockchain-domain-f22e274a0fdb)
  18. to prevent Denial-of-service attacks. You can read more about it
  19. [here](../interviews/tendermint-bft.md).
  20. 

  21. ### P2P

  22. 

  23. The core of the Tendermint peer-to-peer system is `MConnection`. Each
  24. connection has `MaxPacketMsgPayloadSize`, which is the maximum packet
  25. size and bounded send & receive queues. One can impose restrictions on
  26. send & receive rate per connection (`SendRate`, `RecvRate`).
  27. 

  28. ### RPC

  29. 

  30. Endpoints returning multiple entries are limited by default to return 30
  31. elements (100 max).
  32. 

  33. Rate-limiting and authentication are another key aspects to help protect
  34. against DOS attacks. While in the future we may implement these
  35. features, for now, validators are supposed to use external tools like
  36. [NGINX](https://www.nginx.com/blog/rate-limiting-nginx/) or
  37. [traefik](https://docs.traefik.io/configuration/commons/#rate-limiting)
  38. to achieve the same things.
  39. 

  40. ## Debugging Tendermint

  41. 

  42. If you ever have to debug Tendermint, the first thing you should
  43. probably do is to check out the logs. See ["How to read
  44. logs"](./how-to-read-logs.md), where we explain what certain log
  45. statements mean.
  46. 

  47. If, after skimming through the logs, things are not clear still, the
  48. second TODO is to query the /status RPC endpoint. It provides the
  49. necessary info: whenever the node is syncing or not, what height it is
  50. on, etc.
  51. 

  52. ```
  53. curl http(s)://{ip}:{rpcPort}/status
  54. ```
  55. 

  56. `dump_consensus_state` will give you a detailed overview of the
  57. consensus state (proposer, lastest validators, peers states). From it,
  58. you should be able to figure out why, for example, the network had
  59. halted.
  60. 

  61. ```
  62. curl http(s)://{ip}:{rpcPort}/dump_consensus_state
  63. ```
  64. 

  65. There is a reduced version of this endpoint - `consensus_state`, which
  66. returns just the votes seen at the current height.
  67. 

  68. - [Github Issues](https://github.com/tendermint/tendermint/issues)
  69. - [StackOverflow
  70.   questions](https://stackoverflow.com/questions/tagged/tendermint)
  71. 

  72. ## Monitoring Tendermint

  73. 

  74. Each Tendermint instance has a standard `/health` RPC endpoint, which
  75. responds with 200 (OK) if everything is fine and 500 (or no response) -
  76. if something is wrong.
  77. 

  78. Other useful endpoints include mentioned earlier `/status`, `/net_info` and
  79. `/validators`.
  80. 

  81. We have a small tool, called `tm-monitor`, which outputs information from
  82. the endpoints above plus some statistics. The tool can be found
  83. [here](https://github.com/tendermint/tools/tree/master/tm-monitor).
  84. 

  85. Tendermint also can report and serve Prometheus metrics. See
  86. [Metrics](./metrics.md).
  87. 

  88. ## What happens when my app dies?

  89. 

  90. You are supposed to run Tendermint under a [process
  91. supervisor](https://en.wikipedia.org/wiki/Process_supervision) (like
  92. systemd or runit). It will ensure Tendermint is always running (despite
  93. possible errors).
  94. 

  95. Getting back to the original question, if your application dies,
  96. Tendermint will panic. After a process supervisor restarts your
  97. application, Tendermint should be able to reconnect successfully. The
  98. order of restart does not matter for it.
  99. 

  100. ## Signal handling

  101. 

  102. We catch SIGINT and SIGTERM and try to clean up nicely. For other
  103. signals we use the default behaviour in Go: [Default behavior of signals
  104. in Go
  105. programs](https://golang.org/pkg/os/signal/#hdr-Default_behavior_of_signals_in_Go_programs).
  106. 

  107. ## Hardware

  108. 

  109. ### Processor and Memory

  110. 

  111. While actual specs vary depending on the load and validators count,
  112. minimal requirements are:
  113. 

  114. - 1GB RAM
  115. - 25GB of disk space
  116. - 1.4 GHz CPU
  117. 

  118. SSD disks are preferable for applications with high transaction
  119. throughput.
  120. 

  121. Recommended:
  122. 

  123. - 2GB RAM
  124. - 100GB SSD
  125. - x64 2.0 GHz 2v CPU
  126. 

  127. While for now, Tendermint stores all the history and it may require
  128. significant disk space over time, we are planning to implement state
  129. syncing (See
  130. [this issue](https://github.com/tendermint/tendermint/issues/828)). So,
  131. storing all the past blocks will not be necessary.
  132. 

  133. ### Operating Systems

  134. 

  135. Tendermint can be compiled for a wide range of operating systems thanks
  136. to Go language (the list of \$OS/\$ARCH pairs can be found
  137. [here](https://golang.org/doc/install/source#environment)).
  138. 

  139. While we do not favor any operation system, more secure and stable Linux
  140. server distributions (like Centos) should be preferred over desktop
  141. operation systems (like Mac OS).
  142. 

  143. ### Miscellaneous

  144. 

  145. NOTE: if you are going to use Tendermint in a public domain, make sure
  146. you read [hardware recommendations (see "4.
  147. Hardware")](https://cosmos.network/validators) for a validator in the
  148. Cosmos network.
  149. 

  150. ## Configuration parameters

  151. 

  152. - `p2p.flush_throttle_timeout` `p2p.max_packet_msg_payload_size`
  153.   `p2p.send_rate` `p2p.recv_rate`
  154. 

  155. If you are going to use Tendermint in a private domain and you have a
  156. private high-speed network among your peers, it makes sense to lower
  157. flush throttle timeout and increase other params.
  158. 

  159. ```
  160. [p2p]
  161. 

  162. send_rate=20000000 # 2MB/s
  163. recv_rate=20000000 # 2MB/s
  164. flush_throttle_timeout=10
  165. max_packet_msg_payload_size=10240 # 10KB
  166. ```
  167. 

  168. - `mempool.recheck`
  169. 

  170. After every block, Tendermint rechecks every transaction left in the
  171. mempool to see if transactions committed in that block affected the
  172. application state, so some of the transactions left may become invalid.
  173. If that does not apply to your application, you can disable it by
  174. setting `mempool.recheck=false`.
  175. 

  176. - `mempool.broadcast`
  177. 

  178. Setting this to false will stop the mempool from relaying transactions
  179. to other peers until they are included in a block. It means only the
  180. peer you send the tx to will see it until it is included in a block.
  181. 

  182. - `consensus.skip_timeout_commit`
  183. 

  184. We want `skip_timeout_commit=false` when there is economics on the line
  185. because proposers should wait to hear for more votes. But if you don't
  186. care about that and want the fastest consensus, you can skip it. It will
  187. be kept false by default for public deployments (e.g. [Cosmos
  188. Hub](https://cosmos.network/intro/hub)) while for enterprise
  189. applications, setting it to true is not a problem.
  190. 

  191. - `consensus.peer_gossip_sleep_duration`
  192. 

  193. You can try to reduce the time your node sleeps before checking if
  194. theres something to send its peers.
  195. 

  196. - `consensus.timeout_commit`
  197. 

  198. You can also try lowering `timeout_commit` (time we sleep before
  199. proposing the next block).
  200. 

  201. - `p2p.addr_book_strict`
  202. 

  203. By default, Tendermint checks whenever a peer's address is routable before
  204. saving it to the address book. The address is considered as routable if the IP
  205. is [valid and within allowed
  206. ranges](https://github.com/tendermint/tendermint/blob/27bd1deabe4ba6a2d9b463b8f3e3f1e31b993e61/p2p/netaddress.go#L209).
  207. 

  208. This may not be the case for private networks, where your IP range is usually
  209. strictly limited and private. If that case, you need to set `addr_book_strict`
  210. to `false` (turn off).
  211. 

  212. - `rpc.max_open_connections`
  213. 

  214. By default, the number of simultaneous connections is limited because most OS
  215. give you limited number of file descriptors.
  216. 

  217. If you want to accept greater number of connections, you will need to increase
  218. these limits.
  219. 

  220. [Sysctls to tune the system to be able to open more connections](https://github.com/satori-com/tcpkali/blob/master/doc/tcpkali.man.md#sysctls-to-tune-the-system-to-be-able-to-open-more-connections)
  221. 

  222. ...for N connections, such as 50k:
  223. 

  224. ```
  225. kern.maxfiles=10000+2*N         # BSD
  226. kern.maxfilesperproc=100+2*N    # BSD
  227. kern.ipc.maxsockets=10000+2*N   # BSD
  228. fs.file-max=10000+2*N           # Linux
  229. net.ipv4.tcp_max_orphans=N      # Linux
  230. 

  231. # For load-generating clients.

  232. net.ipv4.ip_local_port_range="10000  65535"  # Linux.
  233. net.inet.ip.portrange.first=10000  # BSD/Mac.
  234. net.inet.ip.portrange.last=65535   # (Enough for N < 55535)
  235. net.ipv4.tcp_tw_reuse=1         # Linux
  236. net.inet.tcp.maxtcptw=2*N       # BSD
  237. 

  238. # If using netfilter on Linux:

  239. net.netfilter.nf_conntrack_max=N
  240. echo $((N/8)) > /sys/module/nf_conntrack/parameters/hashsize
  241. ```
  242. 

  243. The similar option exists for limiting the number of gRPC connections -
  244. `rpc.grpc_max_open_connections`.