|
| 1 | +{:.post-meta} |
| 2 | +*by [Roman Taranchenko][], Engineer at [Suredbits][]* |
| 3 | + |
| 4 | +After the first excitement of sending and, more importantly, receiving a |
| 5 | +payment over the Lightning Network has faded away, it’s always good to |
| 6 | +think about how to operate your node in a safe and reliable way. |
| 7 | +Failures almost always happen unexpectedly. How do you recover after a |
| 8 | +possible failure? How do you make backups reliable? How do you keep the |
| 9 | +seed in a secure location? Et cetera, et cetera… |
| 10 | + |
| 11 | +At [Suredbits][] we use Eclair for our nodes. Even though Eclair is |
| 12 | +pretty robust on its own, we took some steps to make it even more |
| 13 | +reliable---such as using PostgreSQL as a database backend [(using this PR |
| 14 | +)][db pr] and [AWS Secrets Manager][] to |
| 15 | +store private keys. |
| 16 | + |
| 17 | +Eclair has a built-in online backup feature, but it requires manual |
| 18 | +setup and script writing to automate, which is not really scalable and |
| 19 | +is error prone. Running PostgreSQL at AWS RDS allows us to automate |
| 20 | +backups and replication in a way that is familiar to many DevOps engineers |
| 21 | +and which makes restoring the database state easier. |
| 22 | + |
| 23 | +Using PostgreSQL as a remote database backend makes node failover |
| 24 | +simpler to implement because, if the node crashes for some reason, |
| 25 | +there’s no need to restore the database from a backup---all you need is |
| 26 | +to point a new Eclair instance to the correct database server. Here’s a |
| 27 | +[quick demo][failover demo] of an automated failover implemented with two Eclair |
| 28 | +instances plus AWS's RDS, ELB, and NAT Gateway. |
| 29 | + |
| 30 | +In the failover scenario depicted in the demo, we needed a secure way to |
| 31 | +allow the node’s seed for its private keys to be shared between the Eclair instances. Eclair |
| 32 | +stores the seed in a file on the local file system which should be |
| 33 | +backed up somewhere and restored when needed. The current Eclair implementation |
| 34 | +requires extra steps to do so in an automated fashion. We instead use AWS Secrets |
| 35 | +Manager---an encrypted key/value store specifically designed to securely hold |
| 36 | +various kinds of secrets including database passwords and encryption |
| 37 | +keys. Now all you need to do to share the seed between the instances is to |
| 38 | +point them to the correct secrets location in the config file. Once |
| 39 | +configured, the instance can be stored as an AMI image which can re-imaged as |
| 40 | +many times as needed without manual configuration. |
| 41 | + |
| 42 | +The measures we took are just the first steps to building |
| 43 | +enterprise-grade Lightning nodes. There are still some more problems |
| 44 | +that need to be solved. For example, which Hardware Security Module |
| 45 | +(HSM) can be used for a Lightning node, or how to failover a Bitcoin |
| 46 | +Core node in a multi-instance setting. But we believe that our work is a |
| 47 | +solid base for scaling out Eclair and making it more fault-tolerant. |
| 48 | + |
| 49 | +For more information about this topic, see our [presentation][enterprise ln vid]. |
| 50 | + |
| 51 | +*Disclaimer: Since private keys are involved, don't use third party cloud |
| 52 | +services without a thorough risk assessment.* |
| 53 | + |
| 54 | +[Roman Taranchenko]: https://github.com/rorp |
| 55 | +[suredbits]: https://suredbits.com |
| 56 | +[db pr]: https://github.com/ACINQ/eclair/pull/1249 |
| 57 | +[aws secrets manager]: https://github.com/rorp/eclair/tree/aws_secretsmanager |
| 58 | +[failover demo]: https://youtu.be/L2DtolwS8ew |
| 59 | +[enterprise ln vid]: https://www.youtube.com/watch?v=tbwy9mJIrZE |
0 commit comments