-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HA setup #323
Comments
It's received some degree of testing and some validators run in this configuration.
Not yet. We'll be switching to gRPC for validator <-> TMKMS connections soon (#73), after which TMKMS will track an "active" validator node and the others will be passive until the active validator fails. After this migration is completed, we'll look into HA for TMKMS itself. |
I was also thinking about this solution, it seems safer to me even in case of any bugs.
Since a VALIDATOR node accepts only one Tendermint connection (from an external PrivValidator process), A disaster recovery in case of VALIDATOR fault could be connecting one of two TMKMS to a SENTRY. What do you think about it? |
The migration to gRPC reverses the direction of the connection, so validators connect to TMKMS rather than the other way around. We'll likely want to deprecate/phase out the current "secret connection"-based approach. |
I've setup 2 validators 1 tmkms, and From logs, I can see tmkms responding to both validators with same key. So looks like it is risky for now?!
|
@pratikbin it's intended and semi-supported to allow multiple concurrent validators. We don't recommend that but it's been tested and no one has reported problems yet. In that case they're signing the same commit hashes. It's deliberately supported to be able to resign the exact same hash at the exact same h/r/s for fault tolerance purposes. The signature process is deterministic and this will result in the same signature on the same proposal, which doesn't count as double signing. In the event multiple validators send conflicting proposals, the first validator will "win" and the other validator will receive a double signing error |
Hello, I'm interested by running this kind of setup.
But i'm questioning for this architecture about the Should i set 2 nodes with the same and have a config like: [[validator]]
chain_id = "cosmoshub-3"
addr = "tcp://[email protected]:26658"
secret_key = "/root/config/secrets/kms-identity.key"
protocol_version = "legacy"
reconnect = true
[[validator]]
chain_id = "cosmoshub-3"
addr = "tcp://[email protected]:26658"
secret_key = "/root/config/secrets/kms-identity.key"
protocol_version = "legacy"
reconnect = true or set different [[validator]]
chain_id = "cosmoshub-3"
addr = "tcp://[email protected]:26658"
secret_key = "/root/config/secrets/kms-identity.key"
protocol_version = "legacy"
reconnect = true
[[validator]]
chain_id = "cosmoshub-3"
addr = "tcp://[email protected]:26658"
secret_key = "/root/config/secrets/kms-identity.key"
protocol_version = "legacy"
reconnect = true Any ETA on a HA status update ? |
@albttx AFAIK, It won't join p2p with same |
@tony-iqlusion is there any news about HA? |
We've largely been waiting for a migration to gRPC, which will reverse the client/server relationship between the KMS and validator nodes. Instead of having to explicitly configure several validators for the KMS to connect to, multiple validators can connect to the KMS. That's tracked here: cometbft/cometbft#476 |
Following previous conversations it seems that this is the best way to try to deploy an "HA" configuration:
tendermint/tmkms#272
Is it safe?
Have any further developments or improvement been made?
The text was updated successfully, but these errors were encountered: