R4R circuit breaker high level explanation #3898
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| \#926 circuit breaker high level explanation |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # Concepts | ||
|
|
||
| The intention of the circuit breaker is to have a contingency plan for a | ||
| running network which maintains network liveness. This can be achieved through | ||
| selectively "pausing" functionality of specific modules on a running network. | ||
rigelrozanski marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| The circuit breaker is intended to be enabled through either: | ||
|
|
||
| - governance, | ||
rigelrozanski marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| - the bonded validator group (for emergencies), | ||
alexanderbez marked this conversation as resolved.
Show resolved
Hide resolved
There was a problem hiding this comment. @cwgoes (responding in a different conversation)
This will have to be detailed in the actual spec, however, I imagine in makes sense for there to be consensus among the validator set through either config or some alternative special validator only consensus process which shuts off a message type for all validators (so now if you're a validator who had not been aware of the circuit breaker, but you received the information that the circuit breaker had been switched, you would nolonger accept those messages in blocks or by CheckTx) There was a problem hiding this comment. I suggest any set of accounts with varying power distribution which is selected by the state machine, instead of a partial validator set. For an emergency situation, there will not be enough time to make a full consensus from the entire validator set, but if the state machine selects some validators to give this permission, it will make the power distribution between the validators not proportional to the voting power and possibly create some vulnerability. I'm not sure which is the best way to handle these emergency situations but denoting that the emergency permission is not restricted on the validators will leave more possibilities. There was a problem hiding this comment. that makes a lot of sense, I'll integrate into the documentation |
||
| - special transaction (which proves how expected behaviour is broken). | ||
|
|
||
| ## Pause state | ||
|
|
||
| The basic pause state of any module simply disables all message routes to | ||
| that module. Beyond that, it may be a appropriate for different modules to | ||
| process begin-block/end-block in an altered "safe" way. | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
which desires to maintain network liveness?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We want a contingency plan for handling possible state machine bugs which maintains the ability of governance to vote on what to do next, right? I don't think this has much to do with liveness "in general".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I think it does! - There could be an extreme case of the circuit breaker where all messages besides governance messages are switched off... but I don't think all circuits need to lead to this state... why not switch off a particular message type which you know is the troublemaker? no need to shut down everything all the time