|
Application Architecture Guide
|
|
==============================
|
|
|
|
Overview
|
|
--------
|
|
|
|
A blockchain application is more than the consensus engine and the
|
|
transaction logic (eg. smart contracts, business logic) as implemented
|
|
in the ABCI app. There are also (mobile, web, desktop) clients that will
|
|
need to connect and make use of the app. We will assume for now that you
|
|
have a well designed transactions and database model, but maybe this
|
|
will be the topic of another article. This article is more interested in
|
|
various ways of setting up the "plumbing" and connecting these pieces,
|
|
and demonstrating some evolving best practices.
|
|
|
|
Security
|
|
--------
|
|
|
|
A very important aspect when constructing a blockchain is security. The
|
|
consensus model can be DoSed (no consensus possible) by corrupting 1/3
|
|
of the validators and exploited (writing arbitrary blocks) by corrupting
|
|
2/3 of the validators. So, while the security is not that of the
|
|
"weakest link", you should take care that the "average link" is
|
|
sufficiently hardened.
|
|
|
|
One big attack surface on the validators is the communication between
|
|
the ABCI app and the tendermint core. This should be highly protected.
|
|
Ideally, the app and the core are running on the same machine, so no
|
|
external agent can target the communication channel. You can use unix
|
|
sockets (with permissions preventing access from other users), or even
|
|
compile the two apps into one binary if the ABCI app is also writen in
|
|
go. If you are unable to do that due to language support, then the ABCI
|
|
app should bind a TCP connection to localhost (127.0.0.1), which is less
|
|
efficient and secure, but still not reachable from outside. If you must
|
|
run the ABCI app and tendermint core on separate machines, make sure you
|
|
have a secure communication channel (ssh tunnel?)
|
|
|
|
Now assuming, you have linked together your app and the core securely,
|
|
you must also make sure no one can get on the machine it is hosted on.
|
|
At this point it is basic network security. Run on a secure operating
|
|
system (SELinux?). Limit who has access to the machine (user accounts,
|
|
but also where the physical machine is hosted). Turn off all services
|
|
except for ssh, which should only be accessible by some well-guarded
|
|
public/private key pairs (no password). And maybe even firewall off
|
|
access to the ports used by the validators, so only known validators can
|
|
connect.
|
|
|
|
There was also a suggestion on slack from @jhon about compiling
|
|
everything together with a unikernel for more security, such as
|
|
`Mirage <https://mirage.io>`__ or
|
|
`UNIK <https://github.com/emc-advanced-dev/unik>`__.
|
|
|
|
Connecting your client to the blockchain
|
|
----------------------------------------
|
|
|
|
Tendermint Core RPC
|
|
~~~~~~~~~~~~~~~~~~~
|
|
|
|
The concept is that the ABCI app is completely hidden from the outside
|
|
world and only communicated through a tested and secured `interface
|
|
exposed by the tendermint core <./specification/rpc.html>`__. This interface
|
|
exposes a lot of data on the block header and consensus process, which
|
|
is quite useful for externally verifying the system. It also includes
|
|
3(!) methods to broadcast a transaction (propose it for the blockchain,
|
|
and possibly await a response). And one method to query app-specific
|
|
data from the ABCI application.
|
|
|
|
Pros:
|
|
|
|
- Server code already written
|
|
- Access to block headers to validate merkle proofs (nice for light clients)
|
|
- Basic read/write functionality is supported
|
|
|
|
Cons:
|
|
|
|
- Limited interface to app. All queries must be serialized into []byte (less expressive than JSON over HTTP) and there is no way to push data from ABCI app to the client (eg. notify me if account X receives a transaction)
|
|
|
|
Custom ABCI server
|
|
~~~~~~~~~~~~~~~~~~
|
|
|
|
This was proposed by @wolfposd on slack and demonstrated by
|
|
`TMChat <https://github.com/wolfposd/TMChat>`__, a sample app. The
|
|
concept is to write a custom server for your app (with typical REST
|
|
API/websockets/etc for easy use by a mobile app). This custom server is
|
|
in the same binary as the ABCI app and data store, so can easily react
|
|
to complex events there that involve understanding the data format (send
|
|
a message if my balance drops below 500). All "writes" sent to this
|
|
server are proxied via websocket/JSON-RPC to tendermint core. When they
|
|
come back as deliver\_tx over ABCI, they will be written to the data
|
|
store. For "reads", we can do any queries we wish that are supported by
|
|
our architecture, using any web technology that is useful. The general
|
|
architecture is shown in the following diagram:
|
|
|
|
.. figure:: assets/tm-application-example.png
|
|
|
|
Pros:
|
|
|
|
- Separates application logic from blockchain logic
|
|
- Allows much richer, more flexible client-facing API
|
|
- Allows pub-sub, watching certain fields, etc.
|
|
|
|
Cons:
|
|
|
|
- Access to ABCI app can be dangerous (be VERY careful not to write unless it comes from the validator node)
|
|
- No direct access to the blockchain headers to verify tx
|
|
- You must write your own API (but maybe that's a pro...)
|
|
|
|
Hybrid solutions
|
|
~~~~~~~~~~~~~~~~
|
|
|
|
Likely the least secure but most versatile. The client can access both
|
|
the tendermint node for all blockchain info, as well as a custom app
|
|
server, for complex queries and pub-sub on the abci app.
|
|
|
|
Pros:
|
|
|
|
- All from both above solutions
|
|
|
|
Cons:
|
|
|
|
- Even more complexity; even more attack vectors (less
|
|
security)
|
|
|
|
Scalability
|
|
-----------
|
|
|
|
Read replica using non-validating nodes? They could forward transactions
|
|
to the validators (fewer connections, more security), and locally allow
|
|
all queries in any of the above configurations. Thus, while
|
|
transaction-processing speed is limited by the speed of the abci app and
|
|
the number of validators, one should be able to scale our read
|
|
performance to quite an extent (until the replication process drains too
|
|
many resources from the validator nodes).
|