-
Notifications
You must be signed in to change notification settings - Fork 1.6k
CLI: Restrict os/arch for secure validators, add flag for insecure mode #7073
base: master
Are you sure you want to change the base?
Conversation
Due to #4718 becoming high-priority for parathreads, we are now forced to provide a secure validator mode only for Linux x86-64 (to start). We will still support MacOS with an `--insecure-validator-i-know-what-i-do` flag. (Naming follows [`interpreted-i-know-what-i-do`](https://github.com/paritytech/substrate/blob//client/cli/src/arg_enums.rs#L58).) See https://github.com/paritytech/polkadot/issues/4718#issuecomment-1484137059 Closes https://github.com/paritytech/polkadot/issues/4720
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm.... I'm not entirely sure we want to immediately do this? Are we going to insta-enable the sandboxing? I was thinking that maybe we could do something like this:
- Add sandboxing support, but keep it disabled by default.
- Get the people from the thousand validators program to test it for us for one release.
- Then if it all goes well switch it on by default and add this flag.
But maybe this is too cautiousness? In case there would be any problems people could always disable sandboxing if they want, but on the other hand it's probably not a good look to tell people to run with this parameter because we didn't test it out enough to ensure it's completely compatible with everything.
@@ -118,6 +118,10 @@ pub struct RunCmd { | |||
#[arg(long)] | |||
pub beefy: bool, | |||
|
|||
/// Allows the validator to run insecurely if they know what they're doing. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is visible to the user in --help
, right? In which case a slightly longer explanation would be nice. (Or as I've said in the other comment, maybe a link to somewhere where it's explained in more detail.)
#[cfg(not(target_os = "linux"))] | ||
let result = Err("Must be on Linux to run a validator securely.".into()); | ||
|
||
#[cfg(all(target_os = "linux", not(target_arch = "x86_64")))] | ||
let result = Err("Must be on x86_64 to run a validator securely.".into()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe a little bit less jargon-y? Normal users might not necessarily know what x86_64
is.
#[cfg(not(target_os = "linux"))] | |
let result = Err("Must be on Linux to run a validator securely.".into()); | |
#[cfg(all(target_os = "linux", not(target_arch = "x86_64")))] | |
let result = Err("Must be on x86_64 to run a validator securely.".into()); | |
#[cfg(not(target_os = "linux"))] | |
let result = Err("Running a validator is only supported on Linux.".into()); | |
#[cfg(all(target_os = "linux", not(target_arch = "x86_64")))] | |
let result = Err("Running a validator is only supported on CPUs from the x86_64 family (usually Intel or AMD).".into()); |
@@ -57,4 +57,7 @@ pub enum Error { | |||
|
|||
#[error("This subcommand is only available when compiled with `{feature}`")] | |||
FeatureNotEnabled { feature: &'static str }, | |||
|
|||
#[error("Insecure validator: {0} Run with --insecure-validator-i-know-what-i-do if you understand and accept the risks of running insecurely.")] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Insecure validator" can be kinda vague, maybe something like this?
#[error("Insecure validator: {0} Run with --insecure-validator-i-know-what-i-do if you understand and accept the risks of running insecurely.")] | |
#[error("Your system cannot securely run a validator: {0}\nYou can ignore this requirement by using the `--insecure-validator-i-know-what-i-do` command line argument if you understand and accept the risks of running insecurely.")] |
Also, I think in this case it'd be nice to maybe e.g. put a link to the docs with a longer explanation of why this is and what will be the consequences when running in unsecure mode.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like the idea, just don't know where the doc should go. Maybe on the validators guide?
Good point @koute. I just thought, since the upcoming os/arch requirement is certain, we could start enforcing it early -- or at least start informing validators and getting the docs ready. And people seem confident that essentially all validators are already on Linux amd64 (though I still haven't seen any data myself).
That is a really good idea. I am worried about turning on sandboxing and having legitimate syscalls blocked on some real PVFs. One concern though is that for validators, it might seem too risky to beta test a new feature that could get them slashed? This PR can certainly wait until sandboxing, no strong preference here as to when it's merged. Can mark as |
I'm with @koute. I would also propose to close the pr, it will just get stale and recreating it will be very easy.
That is a good point. I think at the beginning we should run with some kind of training wheels, aka: https://github.com/pmem/syscall_intercept We could intercept all the syscalls and let each unknown syscall print some error message. |
Thanks! To be clear, this PR doesn't enable sandboxing, it just restricts the os/arch for validators without the insecure flag.
That looks like a C library and not very easy to use? We could provide e.g. a |
We could, but the problem is - how do we get the users to report that to us if the only thing it does is print out a message? If a tree falls down in a forest and no one is there, does it make a sound? :P
I think Basti meant to just adopt a similar concept, not to actually use that library. Especially since from what I can see that library works by monkeypatching the process' memory, which is not what we want. |
The message could say: "in the future this error may result in a dispute, please report to the Polkadot development team!" |
I know :P
No, I meant to use this monkeypatching :P My 5 min google search told me that you can not replace |
I don't think we can change where it logs. @koute Is it possible to use the trace action to log from a tracer? |
Well, with |
This pull request has been mentioned on Polkadot Forum. There might be relevant details there: https://forum.polkadot.network/t/ux-of-distributing-multiple-binaries-take-2/2854/22 |
I realized some things related to this work:
See #7303 (comment) for more informations. |
PULL REQUEST
Overview
Summary: Running
--validator
on a platform other than Linux x86-64 requires the--insecure-validator-i-know-what-i-do
flag.Due to paritytech/polkadot-sdk#882 becoming high-priority for parathreads, we are now forced to provide a secure validator mode only for Linux x86-64 (to start).
We will still support other platforms with an
--insecure-validator-i-know-what-i-do
flag. (Naming followsinterpreted-i-know-what-i-do
.)We may want to wait for paritytech/polkadot-sdk#882 before merging, but it seems at this point pretty certain that platform-specific code is a requirement for securely running the PVF workers.
TODO
Related Issues
See paritytech/polkadot-sdk#882
Closes paritytech/polkadot-sdk#881