zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2223 Commits
183 Branches
291 MiB
Tree: e509e8f354
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e509e8f354'
${ noResults }
tendermint/docs/app-architecture.rst

127 lines
5.6 KiB
Raw Normal View History

docs: convert markdown to rst
7 years ago
docs: clean a bunch of stuff up
7 years ago
docs: convert markdown to rst
7 years ago
docs: clean a bunch of stuff up
7 years ago
 
  1. Application Architecture Guide

  2. ==============================

  3. 

  4. Overview

  5. --------

  6. 

  7. A blockchain application is more than the consensus engine and the

  8. transaction logic (eg. smart contracts, business logic) as implemented

  9. in the ABCI app. There are also (mobile, web, desktop) clients that will

  10. need to connect and make use of the app. We will assume for now that you

  11. have a well designed transactions and database model, but maybe this

  12. will be the topic of another article. This article is more interested in

  13. various ways of setting up the "plumbing" and connecting these pieces,

  14. and demonstrating some evolving best practices.

  15. 

  16. Security

  17. --------

  18. 

  19. A very important aspect when constructing a blockchain is security. The

  20. consensus model can be DoSed (no consensus possible) by corrupting 1/3

  21. of the validators and exploited (writing arbitrary blocks) by corrupting

  22. 2/3 of the validators. So, while the security is not that of the

  23. "weakest link", you should take care that the "average link" is

  24. sufficiently hardened.

  25. 

  26. One big attack surface on the validators is the communication between

  27. the ABCI app and the tendermint core. This should be highly protected.

  28. Ideally, the app and the core are running on the same machine, so no

  29. external agent can target the communication channel. You can use unix

  30. sockets (with permissions preventing access from other users), or even

  31. compile the two apps into one binary if the ABCI app is also writen in

  32. go. If you are unable to do that due to language support, then the ABCI

  33. app should bind a TCP connection to localhost (127.0.0.1), which is less

  34. efficient and secure, but still not reachable from outside. If you must

  35. run the ABCI app and tendermint core on separate machines, make sure you

  36. have a secure communication channel (ssh tunnel?)

  37. 

  38. Now assuming, you have linked together your app and the core securely,

  39. you must also make sure no one can get on the machine it is hosted on.

  40. At this point it is basic network security. Run on a secure operating

  41. system (SELinux?). Limit who has access to the machine (user accounts,

  42. but also where the physical machine is hosted). Turn off all services

  43. except for ssh, which should only be accessible by some well-guarded

  44. public/private key pairs (no password). And maybe even firewall off

  45. access to the ports used by the validators, so only known validators can

  46. connect.

  47. 

  48. There was also a suggestion on slack from @jhon about compiling

  49. everything together with a unikernel for more security, such as

  50. `Mirage <https://mirage.io>`__ or

  51. `UNIK <https://github.com/emc-advanced-dev/unik>`__.

  52. 

  53. Connecting your client to the blockchain

  54. ----------------------------------------

  55. 

  56. Tendermint Core RPC

  57. ~~~~~~~~~~~~~~~~~~~

  58. 

  59. The concept is that the ABCI app is completely hidden from the outside

  60. world and only communicated through a tested and secured `interface

  61. exposed by the tendermint core <./rpc.html>`__. This interface

  62. exposes a lot of data on the block header and consensus process, which

  63. is quite useful for externally verifying the system. It also includes

  64. 3(!) methods to broadcast a transaction (propose it for the blockchain,

  65. and possibly await a response). And one method to query app-specific

  66. data from the ABCI application.

  67. 

  68. Pros: \* Server code already written \* Access to block headers to

  69. validate merkle proofs (nice for light clients) \* Basic read/write

  70. functionality is supported

  71. 

  72. Cons: \* Limited interface to app. All queries must be serialized into

  73. []byte (less expressive than JSON over HTTP) and there is no way to push

  74. data from ABCI app to the client (eg. notify me if account X receives a

  75. transaction)

  76. 

  77. Custom ABCI server

  78. ~~~~~~~~~~~~~~~~~~

  79. 

  80. This was proposed by @wolfposd on slack and demonstrated by

  81. `TMChat <https://github.com/wolfposd/TMChat>`__, a sample app. The

  82. concept is to write a custom server for your app (with typical REST

  83. API/websockets/etc for easy use by a mobile app). This custom server is

  84. in the same binary as the ABCI app and data store, so can easily react

  85. to complex events there that involve understanding the data format (send

  86. a message if my balance drops below 500). All "writes" sent to this

  87. server are proxied via websocket/JSON-RPC to tendermint core. When they

  88. come back as deliver\_tx over ABCI, they will be written to the data

  89. store. For "reads", we can do any queries we wish that are supported by

  90. our architecture, using any web technology that is useful. The general

  91. architecture is shown in the following diagram:

  92. 

  93. Pros: \* Separates application logic from blockchain logic \* Allows

  94. much richer, more flexible client-facing API \* Allows pub-sub, watching

  95. certain fields, etc.

  96. 

  97. Cons: \* Access to ABCI app can be dangerous (be VERY careful not to

  98. write unless it comes from the validator node) \* No direct access to

  99. the blockchain headers to verify tx \* You must write your own API (but

  100. maybe that's a pro...)

  101. 

  102. Hybrid solutions

  103. ~~~~~~~~~~~~~~~~

  104. 

  105. Likely the least secure but most versatile. The client can access both

  106. the tendermint node for all blockchain info, as well as a custom app

  107. server, for complex queries and pub-sub on the abci app.

  108. 

  109. Pros: \* All from both above solutions

  110. 

  111. Cons: \* Even more complexity \* Even more attack vectors (less

  112. security)

  113. 

  114. Scalability

  115. -----------

  116. 

  117. Read replica using non-validating nodes? They could forward transactions

  118. to the validators (fewer connections, more security), and locally allow

  119. all queries in any of the above configurations. Thus, while

  120. transaction-processing speed is limited by the speed of the abci app and

  121. the number of validators, one should be able to scale our read

  122. performance to quite an extent (until the replication process drains too

  123. many resources from the validator nodes).

  124. 

  125. 

  126. `TMChat <https://github.com/wolfposd/TMChat>`__ is an example of an ABCI

  127. application.