Merge branch 'main' into likhita/add-tx/encode-endpoint

CHANGELOG.md

@@ -91,6 +91,8 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * [#13781](https://github.com/cosmos/cosmos-sdk/pull/13781) Remove `client/keys.KeysCdc`.
 * [#13803](https://github.com/cosmos/cosmos-sdk/pull/13803) Add an error log if iavl set operation failed.
 * [#13802](https://github.com/cosmos/cosmos-sdk/pull/13802) Add --output-document flag to the export CLI command to allow writing genesis state to a file.
+* [#13794](https://github.com/cosmos/cosmos-sdk/pull/13794) `types/module.Manager` now supports the
+`cosmossdk.io/core/appmodule.AppModule` API via the new `NewManagerFromMap` constructor.
 
 ### State Machine Breaking
 
@@ -161,7 +163,10 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * (x/gov) [#13160](https://github.com/cosmos/cosmos-sdk/pull/13160) Remove custom marshaling of proposl and voteoption.
 * (types) [#13430](https://github.com/cosmos/cosmos-sdk/pull/13430) Remove unused code `ResponseCheckTx` and `ResponseDeliverTx`
 * (store) [#13529](https://github.com/cosmos/cosmos-sdk/pull/13529) Add method `LatestVersion` to `MultiStore` interface, add method `SetQueryMultiStore` to baesapp to support alternative `MultiStore` implementation for query service.
-* (pruning) [#13609]](https://github.com/cosmos/cosmos-sdk/pull/13609) Move pruning pacakge to be under store pacakge
+* (pruning) [#13609]](https://github.com/cosmos/cosmos-sdk/pull/13609) Move pruning package to be under store package
+* [#13794](https://github.com/cosmos/cosmos-sdk/pull/13794) Most methods on `types/module.AppModule` have been moved to 
+extension interfaces. `module.Manager.Modules` is now of type `map[string]interface{}` to support in parallel the new 
+`cosmossdk.io/core/appmodule.AppModule` API.
 
 ### CLI Breaking Changes
 
@@ -188,7 +193,8 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * (x/gov) [#13045](https://github.com/cosmos/cosmos-sdk/pull/13045) Fix gov migrations for v3(0.46).
 * (snapshot) [#13400](https://github.com/cosmos/cosmos-sdk/pull/13400) Fix snapshot checksum issue in golang 1.19.
 * (x/gov) [#13728](https://github.com/cosmos/cosmos-sdk/pull/13728) Fix propagation of message events to the current context in `EndBlocker`.
-* (server) [#13778](https://github.com/cosmos/cosmos-sdk/pull/13778) Set Cosmos SDK default endpoints to localhost to avoid unknown exposure of endpoints. 
+* (server) [#13778](https://github.com/cosmos/cosmos-sdk/pull/13778) Set Cosmos SDK default endpoints to localhost to avoid unknown exposure of endpoints.
+* [#13861](https://github.com/cosmos/cosmos-sdk/pull/13861) Allow `_` characters in tx event queries, i.e. `GetTxsEvent`.
 
 ### Deprecated
 

UPGRADING.md

@@ -18,7 +18,13 @@ is typically found in `RegisterAPIRoutes`.
 
 ### AppModule Interface
 
-Remove `Querier`, `Route` and `LegacyQuerier` from the app module interface. This removes and fully deprecates all legacy queriers. All modules no longer support the REST API previously known as the LCD, and the `sdk.Msg#Route` method won't be used anymore.
+Support for the `AppModule` `Querier`, `Route` and `LegacyQuerier` methods has been entirely removed from the `AppModule`
+interface. This removes and fully deprecates all legacy queriers. All modules no longer support the REST API previously
+known as the LCD, and the `sdk.Msg#Route` method won't be used anymore.
+
+Most other existing `AppModule` methods have been moved to extension interfaces in preparation for the migration
+to the `cosmossdk.io/core/appmodule` API in the next release. Most `AppModule` implementations should not be broken
+by this change.
 
 ### SimApp
 

docs/docs/building-modules/14-depinject.md

@@ -81,13 +81,7 @@ All methods, structs and their fields must be public for `depinject`.
   https://github.com/cosmos/cosmos-sdk/blob/main/x/group/module/module.go#L184-L192
   ```
 
-2. `ProvideModuleBasic` is calls `WrapAppModuleBasic` for wrapping the module `AppModuleBasic`, so that it can be injected and used by the runtime module.
-
-  ```go reference
-  https://github.com/cosmos/cosmos-sdk/blob/main/x/group/module/module.go#L194-L196
-  ```
-
-3. Define a struct that inherits `depinject.In` and define the module inputs (i.e. module dependencies):
+2. Define a struct that inherits `depinject.In` and define the module inputs (i.e. module dependencies):
    * `depinject` provides the right dependencies to the module.
    * `depinject` also checks that all dependencies are provided.
 
@@ -99,19 +93,22 @@ All methods, structs and their fields must be public for `depinject`.
   https://github.com/cosmos/cosmos-sdk/blob/main/x/group/module/module.go#L198-L208
   ```
 
-4. Define the module outputs with a public struct that inherits `depinject.Out`:
+3. Define the module outputs with a public struct that inherits `depinject.Out`:
    The module outputs are the dependencies that the module provides to other modules. It is usually the module itself and its keeper.
 
   ```go reference
   https://github.com/cosmos/cosmos-sdk/blob/main/x/group/module/module.go#L210-L215
   ```
 
-5. Create a function named `ProvideModule` (as called in 1.) and use the inputs for instantitating the module outputs.
+4. Create a function named `ProvideModule` (as called in 1.) and use the inputs for instantiating the module outputs.
 
   ```go reference
   https://github.com/cosmos/cosmos-sdk/blob/main/x/group/module/module.go#L217-L227
   ```
 
+The `ProvideModule` function should return an instance of `cosmossdk.io/core/appmodule.AppModule` which implements
+one or more app module extension interfaces for initializing the module.
+
 Following is the complete app wiring configuration for `group`:
 
 ```go reference

docs/docs/run-node/06-run-production.md

@@ -0,0 +1,258 @@
+---
+sidebar_position: 1
+---
+
+# Running in Production
+
+:::note Synopsis
+This section describes how to securely run a node in a public setting and/or on a mainnet on one of the many Cosmos SDK public blockchains. 
+:::
+
+When operating a node, full node or validator, in production it is important to set your server up securely. 
+
+:::note
+There are many different ways to secure a server and your node, the described steps here is one way. To see another way of setting up a server see the [run in production tutorial](https://tutorials.cosmos.network/hands-on-exercise/5-run-in-prod/1-overview.html)
+:::
+
+:::note
+This walkthrough assumes the underlying operating system is Ubuntu. 
+:::
+
+## Sever Setup
+
+### User
+
+When creating a server most times it is created as user `root`. This user has heightened privileges on the server. When operating a node, it is recommended to not run your node as the root user.  
+
+1. Create a new user
+
+```bash
+sudo adduser change_me
+```
+
+2. We want to allow this user to perform sudo tasks
+
+```bash
+sudo usermod -aG sudo change_me
+```
+
+Now when logging into the server, the non `root` user can be used. 
+
+### Firewall
+
+Nodes should not have all ports open to the public, this is a simple way to get DDOS'd. Secondly it is recommended by [Tendermint](github.com/tendermint/tendermint) to never expose ports that are not required to operate a node. 
+
+When setting up a firewall there are a few ports that can be open when operating a Cosmos SDK node. There is the Tendermint json-RPC, prometheus, p2p, remote signer and Cosmos SDK GRPC and REST. If the node is being operated as a node that does not offer endpoints to be used for submission or querying then a max of three endpoints are needed.
+
+Most, if not all servers come equipped with [ufw](https://help.ubuntu.com/community/UFW). Ufw will be used in this tutorial. 
+
+1. Reset UFW to disallow all incoming connections and allow outgoing
+
+```bash
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+```
+
+2. Lets make sure that port 22 (ssh) stays open. 
+
+```bash
+sudo ufw allow ssh
+```
+
+or 
+
+```bash
+sudo ufw allow 22
+```
+Both of the above commands are the same. 
+
+3. Allow Port 26656 (tendermint p2p port). If the node has a modified p2p port then that port must be used here.
+
+```bash
+sudo ufw allow 26656/tcp
+```
+
+4. Allow port 26660 (tendermint [prometheus](https://prometheus.io)). This acts as the applications monitoring port as well. 
+
+```bash
+sudo ufw allow 26660/tcp
+```
+
+5. IF the node which is being setup would like to expose Tendermints jsonRPC and Cosmos SDK GRPC and REST then follow this step. (Optional)
+
+##### Tendermint JsonRPC
+
+```bash
+sudo ufw allow 26657/tcp
+```
+
+##### Cosmos SDK GRPC
+
+```bash
+sudo ufw allow 9090/tcp
+```
+
+##### Cosmos SDK REST
+
+```bash
+sudo ufw allow 1317/tcp
+```
+
+6. Lastly, enable ufw
+
+```bash
+sudo ufw enable
+```
+
+### Signing
+
+If the node that is being started is a validator there are multiple ways a validator could sign blocks. 
+
+#### File
+
+File based signing is the simplest and default approach. This approach works by storing the consensus key, generated on initialization, to sign blocks. This approach is only as safe as your server setup as if the server is compromised so is your key.  This key is located in the `config/priv_val_key.json` directory generated on initialization.
+
+A second file exists that user must be aware of, the file is located in the data directory `data/priv_val_state.json`. This file protects your node from double signing. It keeps track of the consensus keys last sign height, round and latest signature. If the node crashes and needs to be recovered this file must be kept in order to ensure that the consensus key will not be used for signing a block that was previously signed. 
+
+#### Remote Signer
+
+A remote signer is a secondary server that is separate from the running node that signs blocks with the consensus key. This means that the consensus key does not live on the node itself. This increases security because your full node which is connected to the remote signer can be swapped without missing blocks. 
+
+The two most used remote signers are [tmkms](https://github.com/iqlusioninc/tmkms) from [Iqlusion](https://www.iqlusion.io) and [horcrux](https://github.com/strangelove-ventures/horcrux) from [Strangelove](https://strange.love).
+
+##### TMKMS 
+
+###### Dependencies
+
+1. Update server dependencies and install extras needed. 
+
+```sh
+sudo apt update -y && sudo apt install build-essential curl jq -y
+```
+
+2. Install Rust: 
+
+```sh
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+```
+
+3. Install Libusb:
+
+```sh
+sudo apt install libusb-1.0-0-dev
+```
+
+###### Setup
+
+There are two ways to install tmkms, from source or `cargo install`. In the examples we will cover downloading or building from source and using softsign. Softsign stands for software signing, but you could use a [yubihsm](https://www.yubico.com/products/hardware-security-module/) as your signing key if you wish. 
+
+1. Build:
+
+From source:
+
+```bash
+cd $HOME
+git clone https://github.com/iqlusioninc/tmkms.git
+cd $HOME/tmkms
+cargo install tmkms --features=softsign
+tmkms init config
+tmkms softsign keygen ./config/secrets/secret_connection_key
+```
+or 
+
+Cargo install: 
+
+```bash
+cargo install tmkms --features=softsign
+tmkms init config
+tmkms softsign keygen ./config/secrets/secret_connection_key
+```
+
+:::note
+To use tmkms with a yubikey install the binary with `--features=yubihsm`.
+:::
+
+2. Migrate the validator key from the full node to the new tmkms instance. 
+
+```bash
+scp [email protected]:~/.simd/config/priv_validator_key.json ~/tmkms/config/secrets
+```
+
+3. Import the validator key into tmkms. 
+
+```bash
+tmkms softsign import $HOME/tmkms/config/secrets/priv_validator_key.json $HOME/tmkms/config/secrets/priv_validator_key
+```
+
+At this point, it is necessary to delete the `priv_validator_key.json` from the validator node and the tmkms node. Since the key has been imported into tmkms (above) it is no longer necessary on the nodes. The key can be safely stored offline. 
+
+4. Modifiy the `tmkms.toml`. 
+
+```bash
+vim $HOME/tmkms/config/tmkms.toml
+```
+
+This example shows a configuration that could be used for soft signing. The example has an IP of `123.456.12.345` with a port of `26659` a chain_id of `test-chain-waSDSe`. These are items that most be modified for the usecase of tmkms and the network. 
+
+```toml
+# Tendermint KMS configuration file
+
+## Chain Configuration
+
+[[chain]]
+id = "osmosis-1"
+key_format = { type = "bech32", account_key_prefix = "cosmospub", consensus_key_prefix = "cosmosvalconspub" }
+state_file = "/root/tmkms/config/state/priv_validator_state.json"
+
+## Signing Provider Configuration
+
+### Software-based Signer Configuration
+
+[[providers.softsign]]
+chain_ids = ["test-chain-waSDSe"]
+key_type = "consensus"
+path = "/root/tmkms/config/secrets/priv_validator_key"
+
+## Validator Configuration
+
+[[validator]]
+chain_id = "test-chain-waSDSe"
+addr = "tcp://123.456.12.345:26659"
+secret_key = "/root/tmkms/config/secrets/secret_connection_key"
+protocol_version = "v0.34"
+reconnect = true
+```
+
+5. Set the address of the tmkms instance. 
+
+```bash
+vim $HOME/.simd/config/config.toml
+
+priv_validator_laddr = "tcp://0.0.0.0:26659"
+```
+
+:::tip
+The above address it set to `0.0.0.0` but it is recommended to set the tmkms server to secure the startup
+:::
+
+:::tip
+It is recommended to comment or delete the lines that specify the path of the validator key and validator:
+
+```toml
+# Path to the JSON file containing the private key to use as a validator in the consensus protocol
+# priv_validator_key_file = "config/priv_validator_key.json"
+
+# Path to the JSON file containing the last sign state of a validator
+# priv_validator_state_file = "data/priv_validator_state.json"
+```
+:::
+
+6. Start the two processes. 
+
+```bash
+tmkms start -c $HOME/tmkms/config/tmkms.toml
+```
+
+```bash
+simd start
+```