Is the Management-Canister blocked from https calls from the outside? How to create a canister with an agent from the outside?

When I try calling the management-canister with a post-call to with the cbor-bytes:
55799({“content”: {“request_type”: “call”, “canister_id”: h’’, “method_name”: “canister_status”, “arg”: h’4449444C02686C01B3C4B1F204000101010A00000000011001C40101’, “sender”: h’A511337DCEA0CA19D788874C8B111A0971EF919FFEE5FCB9786B2ECF02’, “nonce”: h’0100010100010100010100010100010101010101010000000000010000’, “ingress_expiry”: 1629405987894000000}, “sender_pubkey”: h’302A300506032B6570032100CC6F314161F04826C5A9DA2F878A0570BD5F12DFA1AF6AA7C9BE9C5BF21BEDA0’, “sender_sig”: h’C2E7F694E8ABAA83295719AA2E6D98239A41ADA6032747D629214F375D42FDB511C748313BF2D934728CD40645177F878C447C9CBD75A1FE7A6242ABE7121506’})

It gives a 404 Not found, nginx/1.19.10 with some html.

same when I try to call the create_canister method,

Is the management-canister with the block of the outside-calls or is there something wrong with the call?

Can someone from the Dfx team tell me if dfx is using the management-canister to create new canisters ? Or is doing it through the ledger somehow? Or share the source with me (GitHub: levifeldman ). Is dfx talking to the management-canister itself in the general? How does dfx create canisters??

Management canister is virtual, so there is no http endpoint for aaaaa-aa. You need to use the effective_canister_id to call management canister. See this code: ic-repl/ at master · chenyan2002/ic-repl · GitHub.

Yes, dfx creates canister by calling create_canister from the management canister, but create_canister can only be called via inter-canister calls, i.e. called from a wallet canister. The frontend or dfx cannot call this method directly as ingress message.

Here is an example of how to create a new canister via wallet: GitHub - chenyan2002/ic-repl


Thank you, but How does the wallet get create? Who creates the first canister? and what is this first-canister?

put here: The Internet Computer Interface Specification :: Internet Computer that the create_canister method is also not accepted from the outside, also maybe put the part bout the effective_canister_ids in the ic-management-canister-section or link to it.

I think the wallet is created by NNS proposal.

Hmm, so the dfx-tool submits a proposal to the nns and it gets voted on and passed everytime someone creates a wallet with dfx? If this is the case, what kind of proposal is it? what specifics do I need to create a proposal for me to create a canister? Does dfx put something specific in the proposal so that it gets accepted right away? can I see a sample of the dfx-code that creates this proposal and then gets the canister_id back from it? also i see in the nns-ui, when creating a new canister that my browser makes a call to the ledger canister send_pb method and then somehow gets the canister_id from it so is that somehow getting the ledger to create a canister or is it also making a proposal somewhere in the background? how does the nns-ui create canisters?

While open-sourcing SDK is still in progress, this is the canister creation logic we use

1 Like

Some rust-specific details, but I hope it helps give a picture of the arguments we pass

Is that code run for a local-instance? or is this the code that creates the factual-canisters on the true-ic?
looks like its using the provisional create canisters function here: Create canister from dfx · GitHub which the spec says is only for local instances or the pre-ledger-network. The spec says that method cant be used in production

dfx cannot create wallet canister. It is given as part of the onboarding process, which basically sets your dfx identity as the controller of the wallet, so that you can call your wallet canister to forward calls, including creating new canisters from your wallet canister.

Also there is nothing special in the wallet canister. As long as you have some initial cycles in a canister id, you can use that canister id to create new canisters by calling the create_canister method.

1 Like


Which onboarding process are you talking bout?
you say:

It is given as part of the onboarding process, which basically sets your dfx identity as the controller of the wallet

How does the creation of the wallet happen?

You can

@kpeacock can you answer this question?

How does the creation of the wallet happen?

Which interface calls does some agent need to make to create a canister? this is a most simple fundamental question.
I want to create a canister by talking to the internet-computer-network-system directly! Without any tooling which I can’t see the source for. I have an agent that works to talk to any canister on the internet-computer here. I have ICP on an account that I manage with my own keys and my own agent. Now which interface calls to which canisters can I make to create a canister?!

@chenyan explained the design above. A canister has to make the create_canister call. That’s the current design of the system.


He didnt say how the first wallet-canister gets created. I get that when deploying a canister with dfx, it uses the user’s-wallet canister to create a new canister. Ok, now which canister creates the user’s-wallet-canister? Which canister makes the first create_canister call to create the user’s-first-wallet-canister?
let me know if this question is still unclear.

The faucet will create a Cycles Wallet and canister for you. The other methods assume you can create an initial canister, either using the NNS app, or following the Network deployment guide from our docs

I am looking for the answer for the question: How does the dfx tool create a user’s-first-wallet-canister? Which canister is dfx talking to to create the first wallet-canisters? and you are saying that the only way to create a canister is to use tools that are not open-source? The faucet and the nns-ui and dfx is not open-source.

You can use dfx ledger create-canister to create the first canister with cycles. Under the hood, dfx is calling the send and notify method from the ledger canister to transfer ICP into cycles: ic/ at master · dfinity/ic · GitHub

It’s a bit difficult to decipher how to get the canister id from the notify return, without seeing the dfx source code. But if you are developing a user-facing library, can’t you assume the first canister is already created, unless you want to pay for all your users?

1 Like

Yes thank you, this is what I am looking for. I am looking for the specific-call-parameters for the send and notify and then get the canister_id back. I can work with the complex, if you share with me the dfx-source I can track it down, I can sign an NDA or something and I promise not to judge any code.
It is a coder-facing-library and I want coders (me) to be able to open up a dart-file and create a canister for themselves by talking to the ic-system directly through this library.

Maybe you can tell me with something like:
First-call: to the ledger canister , with the send_dfx-method and the following record {}
Second-call: ….

1 Like

I have it with the correct parameters.
The steps for the creation of a canister with an agent talking to the ledger are as follows:

  1. Get the the caller(future-canister-controller)'s-principal as a 32byte subaccount using this function here.

  2. Create an icp account-identifier using this function here, with the cycles-mint-canister-principal and with the subaccount-bytes as the subaccount-bytes of the step-1.

  3. Call the send_dfx method with the ‘to’-field as the icp-account-identifier of the step-2, with the ‘memo’ field as a Nat64: 1095062083 (this is the create-canister-memo) , and save the block-height.

  4. Call the notify_dfx method on the ledger-canister with the block-height of the step-3, with the ‘to_canister’ field as a Blob of the cycles-mint-canister-principal, with the ‘to_subaccount’ field as an option with a value of a Blob of the subaccount-bytes of the step-1.

  5. Step-4 should give back this Variant here :

variant {
  Refunded : record { text; opt nat64 };
  CanisterCreated : principal;

And if everything goes well then a new-canister-id will be in the CanisterCreated field as a candid-principal-reference.

Also the caller must have sufficient icp.

Here is a link to the management-canister-effective-canister-id-post above in this thread because I can’t mark a post as a partial-answer.

Also, each ledger .did file Ive seen shows the notify_dfx method as taking a record with the field: ‘to_canister’ as a principal-reference-type, but in the fact it is a blob-type.


1 Like