Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
interop: Supervisor<>Node Architecture #171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Uh oh!
There was an error while loading. Please reload this page.
interop: Supervisor<>Node Architecture #171
Changes from all commits
9b329acFile filter
Filter by extension
Conversations
Uh oh!
There was an error while loading. Please reload this page.
Jump to
Uh oh!
There was an error while loading. Please reload this page.
There are no files selected for viewing
Purpose
This document enumerates a collection of architectural updates to the OP-Supervisor and OP-Node which the OP Labs Interop Engineering Team has discussed prior.
Summary
In order to enable more consistent reasoning and control, the OP-Supervisor component should be given the following features:
Problem Statement + Context
The OP-Supervisor is a new component of the OP-Stack which provides Cross-Chain validation by exhaustively indexing log data for the chains in a Dependency Set. The current design comes with complexity which needs to be managed across the Supervisor and Nodes. The short list of these issues are:
These issues come down to a lack of clarity in the ownership model between components. Nodes are responsible for the vast majority of data and derivation, which leads to situations where the Supervisor can't enforce a consistent view over the Nodes at all. If we were to give Supervisor control over data and some activity orchestration, we can have improved consistency and reduced complexity in both the Supervisor and OP Node.
Extra Context
Leading up to this document were two documents and a meeting:
Proposed Solution(s)
This document contains a colleciton of moderate sized refactoring tasks for the OP Node and OP Supervisor which seek to make our abstractions and patterns better suited to the goals of Interop.
Distinguishing Node Relationships
First, we should define two different modes of association an OP Node can have with an OP Supervisor:
External (Read Only) Nodes
External Nodes are OP Node instances which access the Supervisor to ask questions about cross safety for messages or block-heights. A home-node runner may have an External relationship to a Supervisor as an API, for example. These nodes do not contribute to the data a Supervisor maintains.
Owned (Writer) Nodes
Owned Nodes are special OP Nodes which are paired to the Supervisor. There must be at least one Owned Node per Chain per Supervisor. Owned nodes respond to requests from the Supervisor to provide sync information (ie log data and local head data). The Supervisor may maintain multiple nodes per chain in order to provide parallelized access or redundancy.
Specifying External Node Architecture
External Nodes have minimal bearing on the complexity of a Supervisor. That is because the External Nodes only make simple queries, and data held by that Node is never considered by the Supervisor. Their connections should be made from the Node to the Supervisor, and a one-way, unauthenticated RPC connection is fine.
However, the OP Node does need to take protective measures if it is using an External Supervisor. It is possible the the OP Node in question is deriving its chain based on data which is not consistent with the data the External Supervisor is using. When this occurs, the OP Node must halt. There is no way to attribute fault, and so the Supervisor is effectively unusable by the Node for this period. The system would resume operation when one side or the other handles a reorg which re-aligns the views.
Specifying Owned Node Architecture
For Owned Nodes, there are several architecture decisions being made in this document:
Bi-directional RPC
For Owned Nodes, the Supervisor should initiate the connection. The connection should be an authenticated two-way RPC which the units can communicate over. This gives us strong connectivity and instant signaling mechanisms from the Supervisor down to the OP Node.
Supervisor as Orchestrator for Sync
In the current architecture, OP Nodes decide to send their updated heads to the Supervisor as part of Derivation. When this happens, the Supervisor reaches out and fetches receipt data. Both of these activites load data into the Supervisor's database, and this presents a problem -- how can the Supervisor interact with multiple Nodes without suffering redundant or conflicting writes?
To solve this, we propose that the Supervisor should be in control of Synchronization. The Supervisor would now take an approach like this:
This control flow also allows for the Supervisor to notice and react to discrepancies between nodes:
Supervisor as L1 Source
This topic has been mentioned previously in draft.
In addition to making the Supervisor the centralized controller, we also propose the Supervisor should be the centralized source of L1 Data for Owned Nodes. This is because when OP Nodes act independently, they establish their own L1 connections, which could be divergent from others'. When this happens, there is no tie-breaking to decide which L1 source is canonical, and so the Supervisor is unable to come to meaningful conclusions with the data provided, as it comes from divergent sources.
Instead, we should use the Supervisor as the source of L1 data which Owned Nodes use for Derivation. The way we can accomplish this is:
By doing this, we ensure that the data used to construct the Supervisor Database is consistent, and we allow the OP Node to still perform derivation per usual. In addition, by putting Supervisor in control of the data administration, it is able to better predict and control updates to Safe data. Any time it sends new L1 data down, it can immediately listen back for the updates from that data.
Solution Summary
The prioritized list of changes this Design Document covers are:
And summarized to a short statement: These changes represent an architectural arrangement between OP Node and OP Supervisor which allows much higher confidence and control over data in the Supervisor, while still leaving the option open for Externally Connected Nodes to follow a Supervisor over an API. The Supervisor gains authority over the L1 data and the sync actions which flow into its database.
Solution Footnote: Supervisor Snapshot Sync
It isn't well married to the other ideas presented in the solution, but recent architectural conversations have also proposed sync methods for Supervisors to load data without consulting Owned Nodes. For example, the Supervisor Datadir can be copied and used aggressively by other Supervisors, so supporting a "bootstrap" kind of API would allow for easier initialization. This would be effective in combination with Supervisor-driven Orchestration of Log Sync, since the Supervisor would be able to explicitly seek out the missing information from its Owned Nodes. This should be cut into its own ticket, but this design document does not cover this topic in any further detail.
Resource Usage
Compute Resources
These changes do not significantly increase the computational load on any components. It actually reduces L1 connections for Supernode groups, and gives more allowance to Home Node Runners to use an API based Supervisor, which is less intensive than doing it at home. The Supervisor cluster itself may take more OP Node resources for redundancy, but we needed that no matter what.
Work Resources
This makes our plan toward the Stable Devnet more of a proper development plan. I think the current Interop Engineering Staff can execute to this plan alongside our stability and bugfixes on the way to our next milestone.
Alternatives Considered
Build a Monolith
Another design takes these same ideas a bit further and pulls all consensus components into one binary, featuring N Derivation Pipelines and one Safety-Index like component for cross-safety tracking. This change has value, but the extreme pivot is not something we currently have an appetite for.
Do Nothing
We could try to continue to chase stability and consistency issues into our current system without making these architectural changes. However, the cost of this effort would rival the changes being proposed in this document. And if not addressed, we'll still have a confusing story for supporting multiple nodes per supervisor, and still have lots of wasteful complexity management with conflicting L1 views.
Risks & Uncertainties
There are no risks, this team can do anything. There is only upside; WAGMI.