On-demand Cumulus Integration #1487
Comments
We should go directly for core time. The pallet is ready and the parachain also almost. So, only the relay chain side is missing.
If you need to force collators, the protocol is broken. Collators should be incentivized by something to build these blocks, otherwise they will just do nothing.
Can we not just record alongside the latest head of the para in the relay chain who paid for this core time? Could be some vector for when there was multiple core time purchases to make one state transition happening. |
Poor wording. It needs to be ensured (by incentivization of some kind - or alignment of interest)
Getting there. This ticket is WIP - should have noted in the title 😬 . Also a good angle though, we aimed for simply making it possible to deliver a proof at a later point in time. Then a few censoring collators don't matter, as long as there is at least one who is honest/your friend or yourself. I like your approach though, might make things more straight forward. |
eskimor
changed the title
Does not help. While this would prove who ordered the core that was just being scheduled, it does not tell you whether the order was legit (whether it was your turn). To determine this you will still need to check which block included an order. |
eskimor
changed the title
|
Refunding logic (node + runtime) might even live on a different parachain. A generalized reimbursement chain. |
eskimor
added
the
I6-meta
|
This issue has been mentioned on Polkadot Forum. There might be relevant details there: |
|
This issue has been mentioned on Polkadot Forum. There might be relevant details there: |
|
I have a few questions:
Do you mean here that a collator should only make an order if all the conditions are met on the first relay chain block of its slot? This to ensure that the order won't end up in a block in the next slot.
If someone didn't place an order while they should, the next will place an order. Is this not an acceptable solution?
|
|
This issue has been mentioned on Polkadot Forum. There might be relevant details there: https://forum.polkadot.network/t/r0gue-reimagining-polkadot-development-with-pop-network/5119/1 |
The condition can become true later, but we would still anchor the transaction to the first block of our "slot", in order for the lifetime to not reach within the next "slot". Alternatively it could also just not place an order, but then it might miss an opportunity.
Challenge period has to be long enough, so we can assume at least one "honest" block producer had a chance to produce a block. challenge period can be based on blocks, so it would not matter how seldom the chain produces blocks. To enhance this even further, a block production rule could be: "I am comitting a proof, that someone before me cheated."
So in fact two block production opportunities have been ordered ... usually only one block will be able to be produced (block production rule is met). So yes, any valid block that is produced should be rewarded ... but there will only be one. But I am not sure, that is what you are really interested in. Isn't it more if the block producer omitted a proof of the earlier order? So basically we have to subsequent orders - the second is invalid. The block producer only includes the second ... sounds reasonable to scratch block rewards for this guy - if it behaved correctly it should have put in the proof of the earlier order. So two orders, only one block is produced and that block included the wrong/invalid order proof - this is a violation and there should be no reward (the least).
Absolutely. That is the whole idea of these order slots. We coordinate responsibility, but also making sure if one collator fails to place an order that someone else will cover. |
|
This issue has been mentioned on Polkadot Forum. There might be relevant details there: https://forum.polkadot.network/t/initial-coretime-pricing/5187/13 |
|
@Daanvdplas any updates? |
Daan is currently OOO but due back next week so I will follow up with him then. |
|
Magnet variant implemented: https://github.com/Magport/Magnet/pull/19/files |
* draft: remove without_storage_info for messages pallet * some cleanup
* Remove unused trait implementations Signed-off-by: Serban Iorga <[email protected]> * Define encoded_size_hint_u32() Signed-off-by: Serban Iorga <[email protected]> * Define TransactionEstimationParams trait Signed-off-by: Serban Iorga <[email protected]> * Rework TransactionEstimation Signed-off-by: Serban Iorga <[email protected]> * Docs + Renamings Signed-off-by: Serban Iorga <[email protected]>
|
This issue has been mentioned on Polkadot Forum. There might be relevant details there: https://forum.polkadot.network/t/on-demand-around-the-corner-what-do-you-want-need/7382/1 |
On-demand functionality present on the relay chain, which means technically on-demand is implemented.
This works, but leaves room for desire on (1). Who is going to place an order when? For very early on this might just be a developer with a laptop, trying things out, but at some point people will need this automated and decentralized.
Automation
Collators should be able to monitor some condition over time, e.g.:
and then when that condition becomes true, should automatically place an order.
In order to avoid having hot keys on the collator, we will with RFC-1 implemented have credits on the relay chain which can only be used for ordering a core. Until then we added an additional proxy kind, which restricts the proxy account to only placing orders. We intend to harden this further, so restricting the proxy to even just ordering cores for a particular on-demand para will be possible.
EDIT: Before proxy hardening, we should likely go for RFC-1 credits directly.
Now with security considerations out of the way, we need to:
Block Production Conditions
This is mostly about exposing some state that is relevant to the on-demand order placing logic. For actual decentralization, it will also be important that we have a condition that can also be verified/proven to be true in the para runtime.
Coordination
All collators will see any block production condition come true at approximately the same time, yet only one of them should be placing an order. To coordinate this, we introduce a mechanism similarly to Aura:
Where
his the relay chain block height andwis the slot width. 0 would mean an order slot is exactly one relay chain block, 1, would mean a slot is two relay chain blocks.The slot width has to be picked based on the expectation how long it will take for a placed order to actually show up in a block. (How long will it need to be gossiped, how long will it linger around in the mem pool?)
The idea is, we have an asynchronous network and we still need to avoid having two collators place an order. To avoid this we pick a sensible
wwhich should allow for orders to easily go into a block most of the time. The order placing collator will use transaction mortality to ensure that the order will either end up in a block still in its slot or is dropped.The lowest transaction mortality possible is 4. Therefore the collator will always pick the first relay chain block of its slot as the base, with mortality 4 - even if the block production condition became only true later. We need to ensure that the order is already invalid when it's the next collator's turn.
The next collator, if also seeing the block production condition to be true, will then check the last 4 relay chain blocks for an order, if it finds one, it does nothing. If it does not find one, it will place an order by itself.
Summary:
With this, it should not be possible on a single relay chain fork for collators to place redundant orders by accident.
The only caveat is, that we limit our block rate to maximum 1 block every 4 relay chain blocks, because we don't check for already produced blocks: If the block production condition is true, but we have seen an order within the last 4 relay chain blocks, it might still had been served already and the condition is just still true or already true again. This should be easily fixable by adjusting above algorithm to also check whether an order has been served already. I would consider this low priority as at least in the beginning, on-demand is meant for chains that don't have high throughput requirements. Later when we might want to use on-demand for boost, this might become more important. Therefore do it, if it is easy enough, but certainly don't block a release on this. Also for boost/elastic scaling, the parachain is producing blocks already on a bulk core, which means it can place on-demand orders for elastic scaling by itself and non of this here is needed.
Decentralization
With the above we have achieved automation. Collators now know who should place an order when. But placing an order incurs costs. Why would collators bother placing orders, assuming we have decentralization? (They are not intrinsically motivated somehow.) The answer is, they would not. The collators would need to have orders placed in order to produce blocks, which gets them rewards, but they would also gain those rewards if someone else placed the order and they just produce a block when it is their Aura slot for example. Initial ideas for solving this dilemma aimed at strategies for ensuring that the one placing an order will also always be the block producer - so there is an incentive in placing the order, because you will the block producer and will gain rewards/refunds from the parachain logic. Those initial designs can be found here. The problem with those is, that they couple consensus very tightly on the on-demand feature, which is a pity by itself, because we wanted to make on-demand as transparent as possible, but it would especially be annoying to do the switch from an on-demand parachain to a reserved chain and back: You would need to swap out consensus!
We can fortunately think of order placement completely (almost) separate from actual block production. We only need to find a way for order placement to be incentivized. We need to have someone do it - it does not matter who. All we need, is to make sure collators produce blocks that will refund and reward the nodes placing the order.
So how do we do that? We can prove that an order was placed in a block, but we can not prove that it did not happen. Thus block producers can chose to omit any such proof. A related problem: How do we check that an order placing machine did not just ignore a previous order which would make it illegal for it to place an order as well (see section Automation above): What if nobody provides the proof of that earlier order?
To mitigate proof omission, we don't pay out refunds and rewards immediately, but will wait for each payout until at least f+1 collators produced a block since the payout in question (and had a chance of including the proof). We call this the challenging period.
We need two kinds of proofs that should be accepted at the ordered block, but also at any later block within the challenging period:
a) Proof that order was within a relay chain block that is an ancestor of our current relay parent (or the relay parent itself).
b) A state proof for that same block, about the current spot price (so the parachain knows what to refund).
also placed an invalid order (too close to ours). Such a proof would prove
our order in a block corresponding to our slot and proving that a descendant
of the block contained an order with the same sequence number, ignoring our
order.
By adding sequence numbers to the orders (parachain advances it whenever an
order proof was processed), we can make (2) a self contained proof that does not
require the parachain to keep a lot of state.
Point (2) needs more explanation: We do want it to be possible for the next collator/order placing node to cover for the previous node failing to place an order, but it should only be able to be refunded if the previous node indeed failed to place an order.
Sequence numbers also help in making block producers honest: If they don't
include the proof, their own next order would not be accepted, except if they picked
the same sequence number, but if they did that they risk getting challenged and
would lose their reward/refund.
Orders will only be refunded, if a block was produced for that order (ensured via sequence numbers). This is necessary, because otherwise collators could just order cores, without the block production rule being met. The block producer is incentivized to produce a block. On top of that we do have small order placement rewards, which should cover the risk of the block producer not producing and thus making us lose out on our refund.
WIP Implementation steps:
Node:
rule is met.
(expected sequence number) in a block, if we are block producer.
proof in block.
Runtime:
each accepted proof.
one.
can challenge it - order by block number.
and pay out rewards.
Runtime API
Call for collators, telling them whether an order should be placed/will be refunded - Option.
Nonein case the parachain gained a reserved slot.Proofs:
Order proof:
Merkle proof that order is in block + proof that the including block is a parent
of some recent relay parent. (Full header chain)
Fraud proof:
Merkle proof of our order in a block, merkle proof of offending order in a
block. Full header chain between those two and up to some recent relay parent.
Size considerations: By keeping in state not only the current relay parent, but also the relay parents of some
nolder blocks, required header chains should be relatively small, more sophisticated data structures are likely not needed, but worth a consideration.The text was updated successfully, but these errors were encountered: