Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"baggage": prepare for vat upgrade, deliver durable objects to successor #4325

Closed
warner opened this issue Jan 19, 2022 · 0 comments · Fixed by #4873
Closed

"baggage": prepare for vat upgrade, deliver durable objects to successor #4325

warner opened this issue Jan 19, 2022 · 0 comments · Fixed by #4873
Assignees
@FUDCo
Labels
enhancement New feature or request SwingSet package: SwingSet
Milestone
Mainnet 1 RC0

Comments

@warner
Copy link
Member

warner commented Jan 19, 2022
edited
Loading

What is the Problem Being Solved?

As part of #1848 and #2004, we need a way for version-1 of a vat to prepare for upgrade to version-2. The earlier version should store critical data (anything necessary for version-2 to fulfill the obligations impliedexpressed by version-1's durable exports) in durable storage, where it can be accessed by version-2. But then version-2 needs a way to reach it.

Our plan is to define a special durable BigMapStore, colloquially named "the baggage", with at least one string key. As a durable collection, it can only hold durable things (pass-by-copy data, imported Presences, exported Remotables that can be reattached at upgrade, exported virtual objects whose Kinds can be reattached at upgrade, and other durable collections). The handle to the baggage is provided to each version at startup, through some special TBD argument (maybe vatPowers.baggage).

In addition to durable data, the baggage should be able to hold whatever sort of "reattachment handle" / "identity resumption/reclamation facet" / (I haven't found a good word yet) that #3062 exposes, through which version-2 can provide new behavior records for the virtual-object Kinds that the earlier version created. This provides a user-code -legible way to connect the original Kind definition in version-1, through a named path in the baggage, to the code in version-2 that attaches a new Kind definition to that named path.

The metaphor is that version-1 of the vat is a business owner preparing for retirement, and their shop is going to be moved to a new building. Version-1 puts important documents and inventory in durable collections, and puts references to those collections in the "baggage". Upon retirement (upgrade), everything that's durable is moved to the new building, and anything that isn't durable is left behind. But these are ocaps, so merely being present in the new building is not sufficient: you need an access path. Version-2 is the new owner in the new location, who is handed the "baggage" by the estate/transfer agent. Anything not transitively reachable from the baggage is unreachable, even it if was durable. Both the old and new owners can use Store access to store/retrieve their data, e.g. version-1 does baggage.set('pending orders', pendingOrdersCollection), and version-2 does pendingOrdersCollection = baggage.get('pending orders').

The baggage Store can use non-string keys too, later, but the starting point must be a string (or Number, or other flat data), because version-2 starts with nothing but the baggage and the source code they rode in on. That source code can contain data but not objects. The baggage is the only real "object" they get from version-1.

Description of the Design

TBD

Obviously we should find a better name than "baggage". "upgrade data"?

Maybe deliver as vatPowers.baggage, which limits access to just buildRootObject and whatever function version-2++ uses at startup (maybe also buildRootObject, maybe something like upgrade or start). Another option is an additional argument to buildRootObject.

Security Considerations

All sorts of critical (mutable!) state is reachable from the baggage, so it must be closely held and thoughtfully guarded. It's easy to store a hierarchy of data in there, so POLA should be exercised (give pendingOrders to the order-handling code, rather than all baggage). Clearly the baggage must not be exposed as a global.

Test Plan

Unit tests to show baggage being present on vatPowers and usability as a normal collection.

Unit/integration tests to populate baggage with some plausible use-case data (order book, some Kind handles) and then demonstrate a version-2 upgrade path which then reads from baggage and restores functionality using the data therein.

Documentation Plan

docs/vat-upgrade.md should have a section on the baggage, what it offers, how to use it, when to not use it (intentionally abandoned non-durable data), and some examples.
@warner warner added enhancement New feature or request SwingSet package: SwingSet labels Jan 19, 2022
@warner warner added this to the Mainnet: Phase 1 - RUN Protocol milestone Jan 19, 2022
This was referenced Jan 19, 2022
Closed
Open
Closed
@warner warner added the MN-1 label Jan 25, 2022
@warner warner mentioned this issue Jan 25, 2022
Closed
@Tartuffo Tartuffo removed the MN-1 label Feb 7, 2022
@warner warner mentioned this issue Feb 8, 2022
Closed
@Tartuffo Tartuffo removed this from the Mainnet: Phase 1 - RUN Protocol milestone Feb 8, 2022
FUDCo added a commit that referenced this issue Mar 19, 2022
@FUDCo
feat: implement vat baggage
707417f 
This implements the primary vat-side interface for upgrade (#4325, #4382).
However, it does not yet implement the set of post upgrade checks (#3062) that
will be required (e.g., check upon return from `buildRootObject` to verify that
all the durable kinds have had behavior associated with them or have been
explicitly dismissed); the ability to test or otherwise exercise the latter
portion of the upgrade machinery will have to wait until the kernel-side
interfaces (#1848, #3062) are in place.

I am going to tentative declarely that this PR closes #4325, leaving the
remaining work to be covered by #3062.
@FUDCo FUDCo mentioned this issue Mar 19, 2022
Merged
FUDCo added a commit that referenced this issue Mar 20, 2022
@FUDCo
feat: implement vat baggage
e4358bd 
This implements the primary vat-side interface for upgrade (#4325, #4382).
However, it does not yet implement the set of post upgrade checks (#3062) that
will be required (e.g., check upon return from `buildRootObject` to verify that
all the durable kinds have had behavior associated with them or have been
explicitly dismissed); the ability to test or otherwise exercise the latter
portion of the upgrade machinery will have to wait until the kernel-side
interfaces (#1848, #3062) are in place.

I am going to tentative declarely that this PR closes #4325, leaving the
remaining work to be covered by #3062.
FUDCo added a commit that referenced this issue Mar 21, 2022
@FUDCo
feat: implement vat baggage
032486b 
This implements the primary vat-side interface for upgrade (#4325, #4382).
However, it does not yet implement the set of post upgrade checks (#3062) that
will be required (e.g., check upon return from `buildRootObject` to verify that
all the durable kinds have had behavior associated with them or have been
explicitly dismissed); the ability to test or otherwise exercise the latter
portion of the upgrade machinery will have to wait until the kernel-side
interfaces (#1848, #3062) are in place.

I am going to tentative declarely that this PR closes #4325, leaving the
remaining work to be covered by #3062.
@mergify mergify bot closed this as completed in #4873 Mar 21, 2022
@Tartuffo Tartuffo added this to the Mainnet 1 milestone Mar 23, 2022
@warner warner mentioned this issue Apr 5, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FUDCo FUDCo

Labels
enhancement New feature or request SwingSet package: SwingSet
Projects
None yet
Milestone
Mainnet 1 RC0
Development

Successfully merging a pull request may close this issue.

Implement baggage Agoric/agoric-sdk
3 participants
@warner @Tartuffo @FUDCo