-
Notifications
You must be signed in to change notification settings - Fork 689
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validator Re-Enabling #5724
base: master
Are you sure you want to change the base?
Validator Re-Enabling #5724
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a quick pass by focusing mainly on the approach. It looks good, nice work @Overkillus!
I've left some thoughts about a corner case with the re-enabling.
bot fmt |
@Overkillus https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/7692315 was started for your command Comment |
@Overkillus Command |
Is it possible to move most of the disabling logic to It seems staking does not really need to know anything about disabling. Currently, we are maintaing two copies of disabled validator indices in both There is a larger reason as to why I am flagging this. With staking moving to AH, the offence lifecycle would be something like this:
In practice, tl;dr: Given that Session and Staking communication would become async, this disabling logic doesn’t seem compatible or, at the very least, "good design" with that in mind. |
description: | | ||
Implementation of the Stage 3 for the New Disabling Strategy: https://github.com/paritytech/polkadot-sdk/issues/4359 | ||
|
||
This PR changes when an active validator node gets disabled within parachain consensus (reduced responsibilities and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right?
This PR changes when an active validator node gets disabled within parachain consensus (reduced responsibilities and | |
This PR changes when an active validator node gets disabled within relaychain consensus (reduced responsibilities and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really. Parachains don't have their own native consensus or security and they derive it from the RLC.
In Polkadot when we say parachain consensus we are referring to parts of polkadot protocol that allow the inheritance of security and consensus to parachains AKA the part where we assign responsibility (backing), ensure availability, recheck correctness (approval checking rerunning of PVs) and punish wrongdoers (disputes and slashes).
I can maybe change it Parachain Consensus Protocol to make it a bit clearer but otherwise it is consistent with all our other materials. See here for instance: https://wiki.polkadot.network/docs/learn-parachains-faq#:~:text=%22Parachain%20consensus%22%20is%20special%20in,can%20control%20their%20own%20consensus.
if i >= Validators::<T>::decode_len().unwrap_or(0) as u32 { | ||
return false | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this ever happen? Might want to mark this defensive.
@@ -735,6 +735,23 @@ impl<T: Config> Pallet<T> { | |||
}) | |||
} | |||
|
|||
/// Re-enable the validator of index `i`, returns `false` if the validator was already enabled. | |||
pub fn enable_index(i: u32) -> bool { | |||
if i >= Validators::<T>::decode_len().unwrap_or(0) as u32 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could be defensive as well.
if i >= Validators::<T>::decode_len().unwrap_or(0) as u32 { | |
if i >= Validators::<T>::decode_len().defensive_unwrap_or(0) as u32 { |
(assuming we want to do this) I will discuss if this is a good idea later below but even if we assume we want to do this I don't believe it is appropriate to do this in this PR. This PR only aims to, with minimal changes and refactors, simply allow for validator re-enabling using all the previous already in-place logic. I want to make sure that this PR is minimal and adheres to what was already pre-agreed in the design document for disabling, to limit audit time and just be more sure that everything does exactly what we think it does. If we have plans to refactor the staking pallet (which as you mentioned will be done anyway during the port to AH) then it should be done in a separate primarily refactor/port PR.
(answering if we want to do this) Staking pallet as it stands is responsible for more than just slashing. It holds important params with regards to the active validator set. For instance min, ideal, and max validator counts. What it means to be disabled is not within the purview of the staking pallet, what it does is simply keeps track of highest offenders up to some limit and makes this info available for others. This is highly customisable and different users of this pallet can add new strategies with new limits. Since we keep those validators for an era it makes sense to keep track of their offences (potential disabling status) also for a full era. Storing this information in session when we aim to keep it for era seems like an unintuitive approach. I might agree that we could make it less opinionated by moving disabling strategies to session and instead keeping a history of all offences (unfiltered by disabling strategies) in staking. Nevertheless in this approach we still should keep track of all offences in staking. An offence is more than a slash, there might by other byproducts or consequences and we need to allow for them. In the new pipeline for offences that you suggested, where do you think a history of offences within an era should be stored? Session - Staking coupling It is okay to keep staking bounded to session, but session should not be dependant on staking. Adding logic to session that is actually era-wide in scope through hacky reads of signals from staking seems well, hacky. This information should be kept in a context that is explicitly era-wide and shared with session. TLDR: This might be a needed change but is outside of the scope of this PR and some of that information should still live in era-wide and not session-wide scopes. |
I wouldn't try to block you if you want to go ahead with this PR, especially since most of the things I flagged should ideally had been flagged with the earlier PRs, and this PR does not introduce a new design decision. That said:
Since this PR touches the logic that we know we will have to migrate in next couple of months, it is reasonable enough enough to make those changes in this PR.
I believe you only require current count of active validator set. Could you point me any param that you need specifically from
Why does offence or disabling has to relate with an era?
I think we have already tried to hack around with the concept of IMO, this is a flawed design, in addition to the fact that it also doesn’t fit well with the post-AH migration setup. |
Aims to implement Stage 3 of Validator Disbling as outlined here: #4359
Features:
Testing & Security:
Closes #4745
Closes #2418