Feature Request: Add toml file specifically for captive core #3442
Comments
|
Let's discuss this. What are the pros and cons? |
|
One of the cons we should definitely keep in mind is that by pulling in a TOML parser, we're now exposing a potential attack vector to malicious user input. I'm not sure we should worry about that much, given that if you can control the config file, you can control everything else about Horizon anyway, but it's still worth keeping in mind, especially given our recent discussions about security. |
|
If we have a separate toml file for captive core we should consider allowing One point of duplication we need to figure out is how to deal with the configuration of history archive urls. History archive urls are part of horizon configuration and stellar core configuration. Ideally we should not have to configure both. But the difficulty is that stellar core's configuration is more expressive than horizon. It allows for specifying how core should obtain the history archives (e.g. |
|
After the discussion with ops, I think this has progressed into a far bigger, arguably meta-issue. Should we push to make Horizon configured by toml files entirely, just like Stellar Core? Then, it will simply contain a subsection related to Captive Core configurations (while the rest will be a tomlification replacing Horizon's existing CLI / env params entirely). While this subsection may "look" just like Core's, its validity will be controlled by us entirely. This encourages our don't worry about Core's existence abstraction intended by Horizon 2.0 and Captive Core. This transition will subsequently encompass all of the config-related issues, like #3437, #3438, #3441, and undoubtedly others that will pop up. (Technically this breaking change would require releasing Horizon 3.0 which is a little odd, but that's the nature of semver.) |
This can be done in a non-breaking way (however requires some extra work): if config file param is set ( Pros, cons and random thoughts:
|
Good point. We can even consolidate the code to essentially make an in-memory TOML file from env/cli parameters, making it easier to drop the latter entirely in a future version and ensure we only have a single parsing / validation path. e.g.
With proper parsing, we'll be able to advise users much better, e.g. these lines are ignored, this line is wrong, here's a Horizon-compatible toml, etc. which is still a big win over the current "Captive Core isn't running because of a bad config" state.
Can we make it such that we essentially add an extra parameter to the Stellar-Core command in which we populate the URL, or would that be even more confusing? e.g. instead of the following: HISTORY="curl -sf http://history.stellar.org/prd/core-testnet/core_testnet_001/{0} -o {1}"We have HISTORY_ARCHIVE_URL="http://history.stellar.org/prd/core-testnet/core_testnet_001"
HISTORY="curl -sf {0}/{1} -o {2}"Unfortunately there are some assumptions built-in to the form of the |
…ging (#3558) This PR fixes #3486 and lays the groundwork for implementing #3442 . This PR changes how we interpret captive core append file (configured via --captive-core-config-append-path). Previously, we automatically generated the stellar core toml file for the captive core subprocess in ingest/ledgerbackend/stellar_core_runner.go by presetting some defaults and then concatenating the generated configuration with the user supplied append file. This strategy did not work out so well because sometimes horizon operators included configuration in the append file which was already configured in the presets generated by ingest/ledgerbackend/stellar_core_runner.go. An example of this type of error can be found in #3486 . Now, in this PR, instead of generating the stellar core toml file via simple string concatenation we actually parse the user supplied append file and try to do more robust merging between the user supplied configuration and the captive core preset defaults. The merging code is implemented in ingest/ledgerbackend/toml.go . The merging strategy is unfortunately complicated by the fact that captive core configuration can come from 3 places: User supplied append file horizon command line flag (e.g. --captive-core-peer-port, --captive-core-http-port, etc) default values which we preset (e.g. DISABLE_XDR_FSYNC) In theory the user supplied append file should only contain the quorum set but in practice we have never validated the append file to ensure that it configures a quorum set and nothing else. We could simplify the merging logic in this PR by choosing to validate the append file in this way. I decided not to take that approach because I think that it would be a breaking change for many horizon operators (including SDF) who have configuration in the append file which is not related to quorum sets. If you disagree with this design decision please let me know. The merging algorithm generally works as follows: If there is a configuration field which is set both in source (1) and source (2) we check that both sources provide equivalent values, otherwise we return an error. The exception to this rule is the history archive configuration. We take the history archive configuration from source (1) and completely disregard what is provided in source (2) unless there is no history archive configuration in source (1). The reason for this is that it's difficult to compare the history archive values from source (1) and source (2). If a configuration field is defined in source (1) but not source (2), we will use the field which is explicitly defined. The same logic applies if the field is defined in source (2) but not source (1). Finally, if there is no configuration defined in either source (1) or source (2), we use the value from source (3). In the next PR, my plan is to fully implement #3442 by introducing a new horizon command line flag --captive-core-config-file which deprecates --captive-core-config-append-path. The difference between --captive-core-config-file and --captive-core-config-append-path is that the validation is stricter. --captive-core-config-file will not allow any unknown fields to be present in the toml file. Furthermore, if --captive-core-config-file is provided then you will not be allowed to use any horizon command line flags to configure captive core. In other words, --captive-core-config-file deprecates source (2). Along with defining --captive-core-config-file, the next PR will also add documentation for the captive core configuration file in an captive-core_example.cfg file (similar to how stellar core does it https://github.com/stellar/stellar-core/blob/master/docs/stellar-core_example.cfg ). The example file will document the full range of configuration options available to captive core instances. Unfortunately there will be some slight differences between the stellar core example cfg and the captive core example cfg because captive core has different defaults compared to stellar core. For example, captive core sets DISABLE_XDR_FSYNC to true by default whereas stellar core sets DISABLE_XDR_FSYNC to false by default. We should think carefully about each of the cases where captive core diverges from stellar core.
What problem does your feature solve?
The configuration space for the captive core append path file is not fully documented. Operators don't know what is possible to configure in captive core so they try to copy parts of the stellar-core.cfg file from their stand-alone stellar core instances into the captive core configuration. However, it's not clear which fields can and can't be set, which forces operators to go through a trial and error process of trying different combinations of fields until they get their setup to work.
What would you like to see?
We should create a restricted toml file just for captive core which is a subset of stellar-core.cfg.
The restricted toml file should be documented with an example cfg file just like the one in the stellar core repo: https://github.com/stellar/stellar-core/blob/master/docs/stellar-core_example.cfg
We should strive to make sure that configuration is not duplicated between horizon command line flags and the captive core toml file.
The text was updated successfully, but these errors were encountered: