You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

373 lines
14 KiB

6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
  1. # Running in production
  2. ## Database
  3. By default, Tendermint uses the `syndtr/goleveldb` package for it's in-process
  4. key-value database. Unfortunately, this implementation of LevelDB seems to suffer under heavy load (see
  5. [#226](https://github.com/syndtr/goleveldb/issues/226)). It may be best to
  6. install the real C-implementaiton of LevelDB and compile Tendermint to use
  7. that using `make build_c`. See the [install instructions](../introduction/install.md) for details.
  8. Tendermint keeps multiple distinct LevelDB databases in the `$TMROOT/data`:
  9. - `blockstore.db`: Keeps the entire blockchain - stores blocks,
  10. block commits, and block meta data, each indexed by height. Used to sync new
  11. peers.
  12. - `evidence.db`: Stores all verified evidence of misbehaviour.
  13. - `state.db`: Stores the current blockchain state (ie. height, validators,
  14. consensus params). Only grows if consensus params or validators change. Also
  15. used to temporarily store intermediate results during block processing.
  16. - `tx_index.db`: Indexes txs (and their results) by tx hash and by DeliverTx result tags.
  17. By default, Tendermint will only index txs by their hash, not by their DeliverTx
  18. result tags. See [indexing transactions](../app-dev/indexing-transactions.md) for
  19. details.
  20. There is no current strategy for pruning the databases. Consider reducing
  21. block production by [controlling empty blocks](../tendermint-core/using-tendermint.md#no-empty-blocks)
  22. or by increasing the `consensus.timeout_commit` param. Note both of these are
  23. local settings and not enforced by the consensus.
  24. We're working on [state
  25. syncing](https://github.com/tendermint/tendermint/issues/828),
  26. which will enable history to be thrown away
  27. and recent application state to be directly synced. We'll need to develop solutions
  28. for archival nodes that allow queries on historical transactions and states.
  29. The Cosmos project has had much success just dumping the latest state of a
  30. blockchain to disk and starting a new chain from that state.
  31. ## Logging
  32. Default logging level (`main:info,state:info,*:`) should suffice for
  33. normal operation mode. Read [this
  34. post](https://blog.cosmos.network/one-of-the-exciting-new-features-in-0-10-0-release-is-smart-log-level-flag-e2506b4ab756)
  35. for details on how to configure `log_level` config variable. Some of the
  36. modules can be found [here](./how-to-read-logs.md#list-of-modules). If
  37. you're trying to debug Tendermint or asked to provide logs with debug
  38. logging level, you can do so by running tendermint with
  39. `--log_level="*:debug"`.
  40. ## Write Ahead Logs (WAL)
  41. Tendermint uses write ahead logs for the consensus (`cs.wal`) and the mempool
  42. (`mempool.wal`). Both WALs have a max size of 1GB and are automatically rotated.
  43. ### Consensus WAL
  44. The `consensus.wal` is used to ensure we can recover from a crash at any point
  45. in the consensus state machine.
  46. It writes all consensus messages (timeouts, proposals, block part, or vote)
  47. to a single file, flushing to disk before processing messages from its own
  48. validator. Since Tendermint validators are expected to never sign a conflicting vote, the
  49. WAL ensures we can always recover deterministically to the latest state of the consensus without
  50. using the network or re-signing any consensus messages.
  51. If your `consensus.wal` is corrupted, see [below](#wal-corruption).
  52. ### Mempool WAL
  53. The `mempool.wal` logs all incoming txs before running CheckTx, but is
  54. otherwise not used in any programmatic way. It's just a kind of manual
  55. safe guard. Note the mempool provides no durability guarantees - a tx sent to one or many nodes
  56. may never make it into the blockchain if those nodes crash before being able to
  57. propose it. Clients must monitor their txs by subscribing over websockets,
  58. polling for them, or using `/broadcast_tx_commit`. In the worst case, txs can be
  59. resent from the mempool WAL manually.
  60. ## DOS Exposure and Mitigation
  61. Validators are supposed to setup [Sentry Node
  62. Architecture](https://blog.cosmos.network/tendermint-explained-bringing-bft-based-pos-to-the-public-blockchain-domain-f22e274a0fdb)
  63. to prevent Denial-of-service attacks. You can read more about it
  64. [here](../interviews/tendermint-bft.md).
  65. ### P2P
  66. The core of the Tendermint peer-to-peer system is `MConnection`. Each
  67. connection has `MaxPacketMsgPayloadSize`, which is the maximum packet
  68. size and bounded send & receive queues. One can impose restrictions on
  69. send & receive rate per connection (`SendRate`, `RecvRate`).
  70. ### RPC
  71. Endpoints returning multiple entries are limited by default to return 30
  72. elements (100 max). See the [RPC Documentation](https://tendermint.com/rpc/)
  73. for more information.
  74. Rate-limiting and authentication are another key aspects to help protect
  75. against DOS attacks. While in the future we may implement these
  76. features, for now, validators are supposed to use external tools like
  77. [NGINX](https://www.nginx.com/blog/rate-limiting-nginx/) or
  78. [traefik](https://docs.traefik.io/configuration/commons/#rate-limiting)
  79. to achieve the same things.
  80. ## Debugging Tendermint
  81. If you ever have to debug Tendermint, the first thing you should
  82. probably do is to check out the logs. See [How to read
  83. logs](./how-to-read-logs.md), where we explain what certain log
  84. statements mean.
  85. If, after skimming through the logs, things are not clear still, the
  86. next thing to try is query the /status RPC endpoint. It provides the
  87. necessary info: whenever the node is syncing or not, what height it is
  88. on, etc.
  89. ```
  90. curl http(s)://{ip}:{rpcPort}/status
  91. ```
  92. `dump_consensus_state` will give you a detailed overview of the
  93. consensus state (proposer, lastest validators, peers states). From it,
  94. you should be able to figure out why, for example, the network had
  95. halted.
  96. ```
  97. curl http(s)://{ip}:{rpcPort}/dump_consensus_state
  98. ```
  99. There is a reduced version of this endpoint - `consensus_state`, which
  100. returns just the votes seen at the current height.
  101. - [Github Issues](https://github.com/tendermint/tendermint/issues)
  102. - [StackOverflow
  103. questions](https://stackoverflow.com/questions/tagged/tendermint)
  104. ## Monitoring Tendermint
  105. Each Tendermint instance has a standard `/health` RPC endpoint, which
  106. responds with 200 (OK) if everything is fine and 500 (or no response) -
  107. if something is wrong.
  108. Other useful endpoints include mentioned earlier `/status`, `/net_info` and
  109. `/validators`.
  110. We have a small tool, called `tm-monitor`, which outputs information from
  111. the endpoints above plus some statistics. The tool can be found
  112. [here](https://github.com/tendermint/tendermint/tree/master/tools/tm-monitor).
  113. Tendermint also can report and serve Prometheus metrics. See
  114. [Metrics](./metrics.md).
  115. ## What happens when my app dies?
  116. You are supposed to run Tendermint under a [process
  117. supervisor](https://en.wikipedia.org/wiki/Process_supervision) (like
  118. systemd or runit). It will ensure Tendermint is always running (despite
  119. possible errors).
  120. Getting back to the original question, if your application dies,
  121. Tendermint will panic. After a process supervisor restarts your
  122. application, Tendermint should be able to reconnect successfully. The
  123. order of restart does not matter for it.
  124. ## Signal handling
  125. We catch SIGINT and SIGTERM and try to clean up nicely. For other
  126. signals we use the default behaviour in Go: [Default behavior of signals
  127. in Go
  128. programs](https://golang.org/pkg/os/signal/#hdr-Default_behavior_of_signals_in_Go_programs).
  129. ## Corruption
  130. **NOTE:** Make sure you have a backup of the Tendermint data directory.
  131. ### Possible causes
  132. Remember that most corruption is caused by hardware issues:
  133. - RAID controllers with faulty / worn out battery backup, and an unexpected power loss
  134. - Hard disk drives with write-back cache enabled, and an unexpected power loss
  135. - Cheap SSDs with insufficient power-loss protection, and an unexpected power-loss
  136. - Defective RAM
  137. - Defective or overheating CPU(s)
  138. Other causes can be:
  139. - Database systems configured with fsync=off and an OS crash or power loss
  140. - Filesystems configured to use write barriers plus a storage layer that ignores write barriers. LVM is a particular culprit.
  141. - Tendermint bugs
  142. - Operating system bugs
  143. - Admin error (e.g., directly modifying Tendermint data-directory contents)
  144. (Source: https://wiki.postgresql.org/wiki/Corruption)
  145. ### WAL Corruption
  146. If consensus WAL is corrupted at the lastest height and you are trying to start
  147. Tendermint, replay will fail with panic.
  148. Recovering from data corruption can be hard and time-consuming. Here are two approaches you can take:
  149. 1. Delete the WAL file and restart Tendermint. It will attempt to sync with other peers.
  150. 2. Try to repair the WAL file manually:
  151. 1) Create a backup of the corrupted WAL file:
  152. ```
  153. cp "$TMHOME/data/cs.wal/wal" > /tmp/corrupted_wal_backup
  154. ```
  155. 2. Use `./scripts/wal2json` to create a human-readable version
  156. ```
  157. ./scripts/wal2json/wal2json "$TMHOME/data/cs.wal/wal" > /tmp/corrupted_wal
  158. ```
  159. 3. Search for a "CORRUPTED MESSAGE" line.
  160. 4. By looking at the previous message and the message after the corrupted one
  161. and looking at the logs, try to rebuild the message. If the consequent
  162. messages are marked as corrupted too (this may happen if length header
  163. got corrupted or some writes did not make it to the WAL ~ truncation),
  164. then remove all the lines starting from the corrupted one and restart
  165. Tendermint.
  166. ```
  167. $EDITOR /tmp/corrupted_wal
  168. ```
  169. 5. After editing, convert this file back into binary form by running:
  170. ```
  171. ./scripts/json2wal/json2wal /tmp/corrupted_wal $TMHOME/data/cs.wal/wal
  172. ```
  173. ## Hardware
  174. ### Processor and Memory
  175. While actual specs vary depending on the load and validators count,
  176. minimal requirements are:
  177. - 1GB RAM
  178. - 25GB of disk space
  179. - 1.4 GHz CPU
  180. SSD disks are preferable for applications with high transaction
  181. throughput.
  182. Recommended:
  183. - 2GB RAM
  184. - 100GB SSD
  185. - x64 2.0 GHz 2v CPU
  186. While for now, Tendermint stores all the history and it may require
  187. significant disk space over time, we are planning to implement state
  188. syncing (See
  189. [this issue](https://github.com/tendermint/tendermint/issues/828)). So,
  190. storing all the past blocks will not be necessary.
  191. ### Operating Systems
  192. Tendermint can be compiled for a wide range of operating systems thanks
  193. to Go language (the list of \$OS/\$ARCH pairs can be found
  194. [here](https://golang.org/doc/install/source#environment)).
  195. While we do not favor any operation system, more secure and stable Linux
  196. server distributions (like Centos) should be preferred over desktop
  197. operation systems (like Mac OS).
  198. ### Miscellaneous
  199. NOTE: if you are going to use Tendermint in a public domain, make sure
  200. you read [hardware recommendations](https://cosmos.network/validators) for a validator in the
  201. Cosmos network.
  202. ## Configuration parameters
  203. - `p2p.flush_throttle_timeout`
  204. - `p2p.max_packet_msg_payload_size`
  205. - `p2p.send_rate`
  206. - `p2p.recv_rate`
  207. If you are going to use Tendermint in a private domain and you have a
  208. private high-speed network among your peers, it makes sense to lower
  209. flush throttle timeout and increase other params.
  210. ```
  211. [p2p]
  212. send_rate=20000000 # 2MB/s
  213. recv_rate=20000000 # 2MB/s
  214. flush_throttle_timeout=10
  215. max_packet_msg_payload_size=10240 # 10KB
  216. ```
  217. - `mempool.recheck`
  218. After every block, Tendermint rechecks every transaction left in the
  219. mempool to see if transactions committed in that block affected the
  220. application state, so some of the transactions left may become invalid.
  221. If that does not apply to your application, you can disable it by
  222. setting `mempool.recheck=false`.
  223. - `mempool.broadcast`
  224. Setting this to false will stop the mempool from relaying transactions
  225. to other peers until they are included in a block. It means only the
  226. peer you send the tx to will see it until it is included in a block.
  227. - `consensus.skip_timeout_commit`
  228. We want `skip_timeout_commit=false` when there is economics on the line
  229. because proposers should wait to hear for more votes. But if you don't
  230. care about that and want the fastest consensus, you can skip it. It will
  231. be kept false by default for public deployments (e.g. [Cosmos
  232. Hub](https://cosmos.network/intro/hub)) while for enterprise
  233. applications, setting it to true is not a problem.
  234. - `consensus.peer_gossip_sleep_duration`
  235. You can try to reduce the time your node sleeps before checking if
  236. theres something to send its peers.
  237. - `consensus.timeout_commit`
  238. You can also try lowering `timeout_commit` (time we sleep before
  239. proposing the next block).
  240. - `p2p.addr_book_strict`
  241. By default, Tendermint checks whenever a peer's address is routable before
  242. saving it to the address book. The address is considered as routable if the IP
  243. is [valid and within allowed
  244. ranges](https://github.com/tendermint/tendermint/blob/27bd1deabe4ba6a2d9b463b8f3e3f1e31b993e61/p2p/netaddress.go#L209).
  245. This may not be the case for private or local networks, where your IP range is usually
  246. strictly limited and private. If that case, you need to set `addr_book_strict`
  247. to `false` (turn it off).
  248. - `rpc.max_open_connections`
  249. By default, the number of simultaneous connections is limited because most OS
  250. give you limited number of file descriptors.
  251. If you want to accept greater number of connections, you will need to increase
  252. these limits.
  253. [Sysctls to tune the system to be able to open more connections](https://github.com/satori-com/tcpkali/blob/master/doc/tcpkali.man.md#sysctls-to-tune-the-system-to-be-able-to-open-more-connections)
  254. ...for N connections, such as 50k:
  255. ```
  256. kern.maxfiles=10000+2*N # BSD
  257. kern.maxfilesperproc=100+2*N # BSD
  258. kern.ipc.maxsockets=10000+2*N # BSD
  259. fs.file-max=10000+2*N # Linux
  260. net.ipv4.tcp_max_orphans=N # Linux
  261. # For load-generating clients.
  262. net.ipv4.ip_local_port_range="10000 65535" # Linux.
  263. net.inet.ip.portrange.first=10000 # BSD/Mac.
  264. net.inet.ip.portrange.last=65535 # (Enough for N < 55535)
  265. net.ipv4.tcp_tw_reuse=1 # Linux
  266. net.inet.tcp.maxtcptw=2*N # BSD
  267. # If using netfilter on Linux:
  268. net.netfilter.nf_conntrack_max=N
  269. echo $((N/8)) > /sys/module/nf_conntrack/parameters/hashsize
  270. ```
  271. The similar option exists for limiting the number of gRPC connections -
  272. `rpc.grpc_max_open_connections`.