You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

310 lines
11 KiB

7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
  1. # Running in production
  2. ## Logging
  3. Default logging level (`main:info,state:info,*:`) should suffice for
  4. normal operation mode. Read [this
  5. post](https://blog.cosmos.network/one-of-the-exciting-new-features-in-0-10-0-release-is-smart-log-level-flag-e2506b4ab756)
  6. for details on how to configure `log_level` config variable. Some of the
  7. modules can be found [here](./how-to-read-logs.md#list-of-modules). If
  8. you're trying to debug Tendermint or asked to provide logs with debug
  9. logging level, you can do so by running tendermint with
  10. `--log_level="*:debug"`.
  11. ## DOS Exposure and Mitigation
  12. Validators are supposed to setup [Sentry Node
  13. Architecture](https://blog.cosmos.network/tendermint-explained-bringing-bft-based-pos-to-the-public-blockchain-domain-f22e274a0fdb)
  14. to prevent Denial-of-service attacks. You can read more about it
  15. [here](../interviews/tendermint-bft.md).
  16. ### P2P
  17. The core of the Tendermint peer-to-peer system is `MConnection`. Each
  18. connection has `MaxPacketMsgPayloadSize`, which is the maximum packet
  19. size and bounded send & receive queues. One can impose restrictions on
  20. send & receive rate per connection (`SendRate`, `RecvRate`).
  21. ### RPC
  22. Endpoints returning multiple entries are limited by default to return 30
  23. elements (100 max). See the [RPC Documentation](https://tendermint.com/rpc/)
  24. for more information.
  25. Rate-limiting and authentication are another key aspects to help protect
  26. against DOS attacks. While in the future we may implement these
  27. features, for now, validators are supposed to use external tools like
  28. [NGINX](https://www.nginx.com/blog/rate-limiting-nginx/) or
  29. [traefik](https://docs.traefik.io/configuration/commons/#rate-limiting)
  30. to achieve the same things.
  31. ## Debugging Tendermint
  32. If you ever have to debug Tendermint, the first thing you should
  33. probably do is to check out the logs. See [How to read
  34. logs](./how-to-read-logs.md), where we explain what certain log
  35. statements mean.
  36. If, after skimming through the logs, things are not clear still, the
  37. next thing to try is query the /status RPC endpoint. It provides the
  38. necessary info: whenever the node is syncing or not, what height it is
  39. on, etc.
  40. ```
  41. curl http(s)://{ip}:{rpcPort}/status
  42. ```
  43. `dump_consensus_state` will give you a detailed overview of the
  44. consensus state (proposer, lastest validators, peers states). From it,
  45. you should be able to figure out why, for example, the network had
  46. halted.
  47. ```
  48. curl http(s)://{ip}:{rpcPort}/dump_consensus_state
  49. ```
  50. There is a reduced version of this endpoint - `consensus_state`, which
  51. returns just the votes seen at the current height.
  52. - [Github Issues](https://github.com/tendermint/tendermint/issues)
  53. - [StackOverflow
  54. questions](https://stackoverflow.com/questions/tagged/tendermint)
  55. ## Monitoring Tendermint
  56. Each Tendermint instance has a standard `/health` RPC endpoint, which
  57. responds with 200 (OK) if everything is fine and 500 (or no response) -
  58. if something is wrong.
  59. Other useful endpoints include mentioned earlier `/status`, `/net_info` and
  60. `/validators`.
  61. We have a small tool, called `tm-monitor`, which outputs information from
  62. the endpoints above plus some statistics. The tool can be found
  63. [here](https://github.com/tendermint/tendermint/tree/master/tools/tm-monitor).
  64. Tendermint also can report and serve Prometheus metrics. See
  65. [Metrics](./metrics.md).
  66. ## What happens when my app dies?
  67. You are supposed to run Tendermint under a [process
  68. supervisor](https://en.wikipedia.org/wiki/Process_supervision) (like
  69. systemd or runit). It will ensure Tendermint is always running (despite
  70. possible errors).
  71. Getting back to the original question, if your application dies,
  72. Tendermint will panic. After a process supervisor restarts your
  73. application, Tendermint should be able to reconnect successfully. The
  74. order of restart does not matter for it.
  75. ## Signal handling
  76. We catch SIGINT and SIGTERM and try to clean up nicely. For other
  77. signals we use the default behaviour in Go: [Default behavior of signals
  78. in Go
  79. programs](https://golang.org/pkg/os/signal/#hdr-Default_behavior_of_signals_in_Go_programs).
  80. ## Corruption
  81. **NOTE:** Make sure you have a backup of the Tendermint data directory.
  82. ### Possible causes
  83. Remember that most corruption is caused by hardware issues:
  84. - RAID controllers with faulty / worn out battery backup, and an unexpected power loss
  85. - Hard disk drives with write-back cache enabled, and an unexpected power loss
  86. - Cheap SSDs with insufficient power-loss protection, and an unexpected power-loss
  87. - Defective RAM
  88. - Defective or overheating CPU(s)
  89. Other causes can be:
  90. - Database systems configured with fsync=off and an OS crash or power loss
  91. - Filesystems configured to use write barriers plus a storage layer that ignores write barriers. LVM is a particular culprit.
  92. - Tendermint bugs
  93. - Operating system bugs
  94. - Admin error (e.g., directly modifying Tendermint data-directory contents)
  95. (Source: https://wiki.postgresql.org/wiki/Corruption)
  96. ### WAL Corruption
  97. If consensus WAL is corrupted at the lastest height and you are trying to start
  98. Tendermint, replay will fail with panic.
  99. Recovering from data corruption can be hard and time-consuming. Here are two approaches you can take:
  100. 1. Delete the WAL file and restart Tendermint. It will attempt to sync with other peers.
  101. 2. Try to repair the WAL file manually:
  102. 1) Create a backup of the corrupted WAL file:
  103. ```
  104. cp "$TMHOME/data/cs.wal/wal" > /tmp/corrupted_wal_backup
  105. ```
  106. 2. Use `./scripts/wal2json` to create a human-readable version
  107. ```
  108. ./scripts/wal2json/wal2json "$TMHOME/data/cs.wal/wal" > /tmp/corrupted_wal
  109. ```
  110. 3. Search for a "CORRUPTED MESSAGE" line.
  111. 4. By looking at the previous message and the message after the corrupted one
  112. and looking at the logs, try to rebuild the message. If the consequent
  113. messages are marked as corrupted too (this may happen if length header
  114. got corrupted or some writes did not make it to the WAL ~ truncation),
  115. then remove all the lines starting from the corrupted one and restart
  116. Tendermint.
  117. ```
  118. $EDITOR /tmp/corrupted_wal
  119. ```
  120. 5. After editing, convert this file back into binary form by running:
  121. ```
  122. ./scripts/json2wal/json2wal /tmp/corrupted_wal $TMHOME/data/cs.wal/wal
  123. ```
  124. ## Hardware
  125. ### Processor and Memory
  126. While actual specs vary depending on the load and validators count,
  127. minimal requirements are:
  128. - 1GB RAM
  129. - 25GB of disk space
  130. - 1.4 GHz CPU
  131. SSD disks are preferable for applications with high transaction
  132. throughput.
  133. Recommended:
  134. - 2GB RAM
  135. - 100GB SSD
  136. - x64 2.0 GHz 2v CPU
  137. While for now, Tendermint stores all the history and it may require
  138. significant disk space over time, we are planning to implement state
  139. syncing (See
  140. [this issue](https://github.com/tendermint/tendermint/issues/828)). So,
  141. storing all the past blocks will not be necessary.
  142. ### Operating Systems
  143. Tendermint can be compiled for a wide range of operating systems thanks
  144. to Go language (the list of \$OS/\$ARCH pairs can be found
  145. [here](https://golang.org/doc/install/source#environment)).
  146. While we do not favor any operation system, more secure and stable Linux
  147. server distributions (like Centos) should be preferred over desktop
  148. operation systems (like Mac OS).
  149. ### Miscellaneous
  150. NOTE: if you are going to use Tendermint in a public domain, make sure
  151. you read [hardware recommendations](https://cosmos.network/validators) for a validator in the
  152. Cosmos network.
  153. ## Configuration parameters
  154. - `p2p.flush_throttle_timeout`
  155. - `p2p.max_packet_msg_payload_size`
  156. - `p2p.send_rate`
  157. - `p2p.recv_rate`
  158. If you are going to use Tendermint in a private domain and you have a
  159. private high-speed network among your peers, it makes sense to lower
  160. flush throttle timeout and increase other params.
  161. ```
  162. [p2p]
  163. send_rate=20000000 # 2MB/s
  164. recv_rate=20000000 # 2MB/s
  165. flush_throttle_timeout=10
  166. max_packet_msg_payload_size=10240 # 10KB
  167. ```
  168. - `mempool.recheck`
  169. After every block, Tendermint rechecks every transaction left in the
  170. mempool to see if transactions committed in that block affected the
  171. application state, so some of the transactions left may become invalid.
  172. If that does not apply to your application, you can disable it by
  173. setting `mempool.recheck=false`.
  174. - `mempool.broadcast`
  175. Setting this to false will stop the mempool from relaying transactions
  176. to other peers until they are included in a block. It means only the
  177. peer you send the tx to will see it until it is included in a block.
  178. - `consensus.skip_timeout_commit`
  179. We want `skip_timeout_commit=false` when there is economics on the line
  180. because proposers should wait to hear for more votes. But if you don't
  181. care about that and want the fastest consensus, you can skip it. It will
  182. be kept false by default for public deployments (e.g. [Cosmos
  183. Hub](https://cosmos.network/intro/hub)) while for enterprise
  184. applications, setting it to true is not a problem.
  185. - `consensus.peer_gossip_sleep_duration`
  186. You can try to reduce the time your node sleeps before checking if
  187. theres something to send its peers.
  188. - `consensus.timeout_commit`
  189. You can also try lowering `timeout_commit` (time we sleep before
  190. proposing the next block).
  191. - `p2p.addr_book_strict`
  192. By default, Tendermint checks whenever a peer's address is routable before
  193. saving it to the address book. The address is considered as routable if the IP
  194. is [valid and within allowed
  195. ranges](https://github.com/tendermint/tendermint/blob/27bd1deabe4ba6a2d9b463b8f3e3f1e31b993e61/p2p/netaddress.go#L209).
  196. This may not be the case for private or local networks, where your IP range is usually
  197. strictly limited and private. If that case, you need to set `addr_book_strict`
  198. to `false` (turn it off).
  199. - `rpc.max_open_connections`
  200. By default, the number of simultaneous connections is limited because most OS
  201. give you limited number of file descriptors.
  202. If you want to accept greater number of connections, you will need to increase
  203. these limits.
  204. [Sysctls to tune the system to be able to open more connections](https://github.com/satori-com/tcpkali/blob/master/doc/tcpkali.man.md#sysctls-to-tune-the-system-to-be-able-to-open-more-connections)
  205. ...for N connections, such as 50k:
  206. ```
  207. kern.maxfiles=10000+2*N # BSD
  208. kern.maxfilesperproc=100+2*N # BSD
  209. kern.ipc.maxsockets=10000+2*N # BSD
  210. fs.file-max=10000+2*N # Linux
  211. net.ipv4.tcp_max_orphans=N # Linux
  212. # For load-generating clients.
  213. net.ipv4.ip_local_port_range="10000 65535" # Linux.
  214. net.inet.ip.portrange.first=10000 # BSD/Mac.
  215. net.inet.ip.portrange.last=65535 # (Enough for N < 55535)
  216. net.ipv4.tcp_tw_reuse=1 # Linux
  217. net.inet.tcp.maxtcptw=2*N # BSD
  218. # If using netfilter on Linux:
  219. net.netfilter.nf_conntrack_max=N
  220. echo $((N/8)) > /sys/module/nf_conntrack/parameters/hashsize
  221. ```
  222. The similar option exists for limiting the number of gRPC connections -
  223. `rpc.grpc_max_open_connections`.