Make binaries have protection against accidental downgrades #10318
Comments
|
Yes! This actually happened to me on Osmosis due to an invalid setup of cosmovisor. I think the proposal makes sense. If there is support from @AmauryM or @robert-zaremba, I can tackle it. |
|
ACK - we can use info from upgrade module. |
|
@alexanderbez - if you have time you can go with it. We could do a short call. Otherwise during the standup we were talking about this task and @aleem1314 could handle it. |
|
@aleem1314 go for it! Happy to review :) |
|
@robert-zaremba I am not sure if we can access upgrade info from store before starting the app, I believe we cannot. That is the reason we are using |
|
Can we add something in BeginBlock that checks this then, or make a new hook in the server's main command for this safety check? This would help a lot with v0.42.x node upgrades as well. |
|
Yeah we should really strive to do something here to prevent this execution path. ACK @ValarDragon's idea. |
Yes, we can add this check in the |
Why do you need to look at the binary version? We should look at the state to see all the upgrades plans executed, and what upgrade plans are registered. If there is a plan that has been executed, but has not been registered, then we know we are on an old version |
I believe we are pruning the plans once they are executed. |
|
How does It calls this function internally: cosmos-sdk/x/upgrade/keeper/keeper.go Lines 230 to 239 in e657c7f So presumably all the upgrades can be obtained by iterating over the store. |
|
We only prune skipped upgrades. |
|
(sorry wrong button) |
|
I think we can use |
|
I'm a bit confused. I wrote this code and tested it in the original upgrade handler in 2019. I thought this was still there. The old binary would die if it started too late. New binary would die if it started too soon. |
InitChainer is only called once at genesis, not when restarting |
Currently, the first case holds, the latter doesn't. I don't know what changed. @ethanfrey what was your original solution? |
|
@robert-zaremba I think it's vice-versa. It always fails if we start new binary early. If we start old-binary at the time of upgrade also it fails. But after the upgrade if we start old binary, as there's no active plan, it tries to produce blocks and thus creating consensus failures iiuc |
|
You can read https://medium.com/regen-network/amazonas-upgrade-guide-b31e9e18e0be When running this in testnets 2 years ago, I had to handle both cases, to avoid operator error. If you find the binary used for that upgrade and the regen/cosmos-sdk code used at that time, you can find my solution (which was 0.37/0.38 compatible) |
## Description Closes: #10318 --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable)
## Description Closes: #10318 --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable) (cherry picked from commit 5622115) # Conflicts: # CHANGELOG.md # x/upgrade/keeper/keeper.go
…#11026) * feat!: add protection against accidental downgrades (#10407) ## Description Closes: #10318 --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable) (cherry picked from commit 5622115) # Conflicts: # CHANGELOG.md # x/upgrade/keeper/keeper.go * chore: resolve conflicts Co-authored-by: MD Aleem <[email protected]> Co-authored-by: aleem1314 <[email protected]>
…10407) (cosmos#11026) * feat!: add protection against accidental downgrades (cosmos#10407) ## Description Closes: cosmos#10318 --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable) (cherry picked from commit 5622115) # Conflicts: # CHANGELOG.md # x/upgrade/keeper/keeper.go * chore: resolve conflicts Co-authored-by: MD Aleem <[email protected]> Co-authored-by: aleem1314 <[email protected]>
…10407) (cosmos#11026) * feat!: add protection against accidental downgrades (cosmos#10407) ## Description Closes: cosmos#10318 --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable) (cherry picked from commit 5622115) # Conflicts: # CHANGELOG.md # x/upgrade/keeper/keeper.go * chore: resolve conflicts Co-authored-by: MD Aleem <[email protected]> Co-authored-by: aleem1314 <[email protected]>
Summary
A common issue node operators have is accidentally starting with their default installed binary, after cosmovisor has done an automatic upgrade. If their binary is on the wrong version, they compute the wrong app hash, and their node gets stuck. (And since we can't rollback, #10281 #10198 you have to redownload your entire state)
We should add protection against this as well.
Proposal
On node start, we should look at the state to see all the upgrades plans executed, and what upgrade plans are registered. If there is a plan that has been executed, that has not been registered, it should halt saying that this binary is a downgrade.
For Admin Use
The text was updated successfully, but these errors were encountered: