Proposal to elect new release rc--2024-09-19_01-31

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 133061.

Here is a summary of the changes since the last release:

Release Notes for release-2024-09-19_01-31-base (0441f40482386397f7c688bf508ddd901ca6c1b7)

This release is based on changes since release-2024-09-12_01-30-base (afe1a18291987667fdb52dac3ca44b1aebf7176e).

Please note that some commits may be excluded from this release if they’re not relevant, or not modifying the GuestOS image. Additionally, descriptions of some changes might have been slightly modified to fit the release notes format.

To see a full list of commits added since last release, compare the revisions on GitHub.

Features:

  • 060f84b48 Interface,Networking(call-v3): Enable synchronous call handler for all Application subnets (#1526)
  • 959e8a5a3 Interface,Networking: implement the logic of stripping and assembling of block proposals (#1325)
  • b1e1c0728 Interface: Set default initial notarisation delay for APP subnets to 300ms (#1508)
  • 380182c78 Execution,Interface,Message Routing: Prevent enqueueing multiple responses for the same callback (#1071)
  • 02cc3657d Consensus,Interface(consensus): Introduce per-peer limit on the number/size of ingress messages in the ingress pool (#1061)
  • c99e1478d Execution,Interface: Update instrumentation to adjust costs for instructions in Wasm64 mode (#1452)
  • 70dc1a743 Execution,Interface,Message Routing: Ignore non-matching best-effort responses (#1517)
  • c29dde299 Interface,Message Routing: Don’t allow responses in subnet input queues (#1471)
  • e880042de Interface,Node: Configuration revamp (define config structure and config tool) (#1539)
  • d64d62905 Node: Update SetupOS base image to 24.04 (#1536)
  • 7a93bcafd Node: Use nightly baremetal tests for benchmarking (#1420)
  • 160734742 Node: GuestOS base image changes only (#1421)

Bugfixes:

  • 942668985 Consensus,Interface(consensus): Add missing metric for the equivocation pool section (#1500)
  • d373ce97a Execution,Interface: Remove deprecated assert (#1528)
  • 7a3fcfa9c Execution,Interface: Fix system API performance regression (#1440)
  • 02aba7918 Execution,Interface,Message Routing: CanisterQueues: Check for zero-length encoding after GC (#1480)
  • bbb8a5152 Interface(cmc): Fix the data certification for the get_average_icp_xdr_conversion_rate endpoint (#1423)
  • f95748820 Interface,Networking(quic-transport): Send RESET_STREAM frame for transport handles that are dropped (#1346)
  • 1ca9fc370 Owners: revert dependency update (#1497)

Chores:

  • b1e6f4ef9 Consensus,Interface: Remove testonly dependencies of ic-replay (#1548)
  • 6bbae04ac Execution,Interface(RUN): Upgrade wasmtime 24 dependencies (#1275)
  • b60c9012d Execution,Interface: add metric for executed canisters per round (#1485)
  • 4a8ed78c9 Execution,Interface: add a metric for tracking fetch_canister_logs query calls (#1408)
  • 490fbd87f Interface: Pass argument to clamp_debug_len by reference (#1541)
  • 73e7bd419 Interface(IDX): replace rules_docker with rules_oci (#1512)
  • da62cf633 Interface,Message Routing: Replace some map().unwrap_or() with map_or(). (#1503)
  • 0441f4048 Interface,Node: remove unnecessary setupos_tool GenerateMacAddress command (#1564)
  • 5aa7ad88d Node: Update Base Image Refs [2024-09-12-0807] (#1459)

Refactoring:

  • b2400524f Consensus,Interface: fix most of the naming in the consensus-p2p interface so it is consistent with the paper submission (#1470)
  • 41f6ce3a7 Interface: Remove dependencies on nns governance crate from sns cli and ic-admin (#1252)
  • 4f4eef293 Interface(nervous-system): Make ic-nervous-system-agent generic over how it calls canisters (#1495)
  • bfc9da079 Interface(nervous_system): use Runtime trait for Ledger (#1455)
  • 7f0f5d5d3 Interface(nervous_system): Use candid methods in ledger canister client (#1454)
  • c19e9b1c9 Node: Update SetupOS script naming (#1473)

Tests:

  • b8845b555 Interface,Networking: fix flaky quic test for sending reset frames (#1552)

Full list of changes (including the ones that are not relevant to GuestOS) can be found on GitHub.

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/0441f40482386397f7c688bf508ddd901ca6c1b7/ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 0441f40482386397f7c688bf508ddd901ca6c1b7

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

2 Likes

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 133062.

Here is a summary of the changes since the last release:

Release Notes for release-2024-09-19_01-31-canister-snapshots (7f6a81f48e2a25a28bf07f83ca99f9ec1356da9d)

This release is based on changes since release-2024-09-19_01-31-base (0441f40482386397f7c688bf508ddd901ca6c1b7).

Please note that some commits may be excluded from this release if they’re not relevant, or not modifying the GuestOS image. Additionally, descriptions of some changes might have been slightly modified to fit the release notes format.

To see a full list of commits added since last release, compare the revisions on GitHub.

Features:

  • 7f6a81f48 Execution,Interface,Networking: Enable canister snapshots

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/7f6a81f48e2a25a28bf07f83ca99f9ec1356da9d/ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 7f6a81f48e2a25a28bf07f83ca99f9ec1356da9d

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

1 Like

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 133063.

Here is a summary of the changes since the last release:

Release Notes for release-2024-09-19_01-31-ubuntu24 (c87abf70cf6f0f81f7f16d9f517c3ff0db1fab1e)

This release is based on changes since release-2024-09-19_01-31-base (0441f40482386397f7c688bf508ddd901ca6c1b7).

Please note that some commits may be excluded from this release if they’re not relevant, or not modifying the GuestOS image. Additionally, descriptions of some changes might have been slightly modified to fit the release notes format.

To see a full list of commits added since last release, compare the revisions on GitHub.

Other changes:

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/c87abf70cf6f0f81f7f16d9f517c3ff0db1fab1e/ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c c87abf70cf6f0f81f7f16d9f517c3ff0db1fab1e

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

1 Like

Note: there is one base and two feature builds: canister-snapshots and ubuntu24. Over the past few weeks we gained sufficient confidence in the canister-snapshots version to deploy it to all subnets in this release cycle. The base version will only be used as a fallback. The plan is to deploy the ubuntu24 version to one canary subnet, and all other subnets (including the NNS) to get the canister-snapshots version.

6 Likes

I have reviewed all commits listed in this proposal and in my opinion they all look fine, I have also run the build verification script which completed successfully, so I have voted to adopt the proposal.

Full review:

Features:

060f84b48 Interface,Networking(call-v3): Enable synchronous call handler for all Application subnets (#1526)
Review: Looks fine + matches description
Notes: Replaces the whitelist of which subnets have the synchronous call v3 endpoint enabled with a list of which subnets have it disabled, then populates that list only with the system subnets, enabling the feature on all application subnets.

959e8a5a3 Interface,Networking: implement the logic of stripping and assembling of block proposals (#1325)
Review: Looks fine + matches description
Notes: This is the final piece of the puzzle to make block makers propose blocks which only include message Ids rather than the actual messages themselves. The block proposer “strips” the messages from the block, then on the receiving side the replica determines which (if any) messages are missing, gathers them, then uses them to re-assemble the block.

b1e1c0728 Interface: Set default initial notarisation delay for APP subnets to 300ms (#1508)
Review: Looks fine + matches description
Notes: Almost all application subnets have been updated to have their initial notarisation delay set to 300ms, the results have been positive so this change makes the 300ms delay the default.

380182c78 Execution,Interface,Message Routing: Prevent enqueueing multiple responses for the same callback (#1071)
Review: Looks fine + matches description
Notes: Adds the new callbacks_with_enqueued_response set, which maintains the callback Ids of all responses enqueued in the canister queues. This allows for the detection of duplicate callbacks plus allows timeout responses to be safely generated locally since if a canister response ends up being received it will be detected and dropped.

02cc3657d Consensus,Interface(consensus): Introduce per-peer limit on the number/size of ingress messages in the ingress pool (#1061)
Review: Looks fine + matches description
Notes: Modifies the ingress pool to have a per peer limit on objects in the pool rather than having a global limit. This reduces the impact a malicious node can have plus helps ensure ingress messages are received from all peers.

c99e1478d Execution,Interface: Update instrumentation to adjust costs for instructions in Wasm64 mode (#1452)
Review: Looks fine + matches description
Notes: Changes the cost of a few functions when running in Wasm64 mode.

70dc1a743 Execution,Interface,Message Routing: Ignore non-matching best-effort responses (#1517)
Review: Looks fine + matches description
Notes: If a response is received with no matching callback Id, only return an error if the response had no deadline, else drop the response.

c29dde299 Interface,Message Routing: Don’t allow responses in subnet input queues (#1471)
Review: Looks fine + matches description
Notes: Returns an error if a response is received targeting the management canister, since responses should always go to the canister the management canister is making outgoing requests on behalf of.

e880042de Interface,Node: Configuration revamp (define config structure and config tool) (#1539)
Review: Looks fine + matches description
Notes: Expands the ic_os/config package which going forward will be used to configure IC-OS deployments.

d64d62905 Node: Update SetupOS base image to 24.04 (#1536)
Review: Looks fine + matches description
Notes: Bumps the SetupOS base image from Ubuntu 20.04 to 24.04.

7a93bcafd Node: Use nightly baremetal tests for benchmarking (#1420)
Review: Looks fine + matches description
Notes: Adds benchmark tests to the schedule-daily.yml plus makes the necessary adjustments to make the tests work within this pipeline.

160734742 Node: GuestOS base image changes only (#1421)
Review: Looks fine + matches description
Notes: Bumps the GuestOS base image from Ubuntu 20.04 to 24.04.

Bugfixes:

942668985 Consensus,Interface(consensus): Add missing metric for the equivocation pool section (#1500)
Review: Looks fine + matches description
Notes: Starts collecting equivocation_proof metrics as part of the consensus pool metrics.

d373ce97a Execution,Interface: Remove deprecated assert (#1528)
Review: Looks fine + matches description
Notes: Removes an assertion which is no longer applicable.

7a3fcfa9c Execution,Interface: Fix system API performance regression (#1440)
Review: Looks fine + matches description
Notes: Implements some system API performance optimisations and adds the new benchmark results showing the improvements.

02aba7918 Execution,Interface,Message Routing: CanisterQueues: Check for zero-length encoding after GC (#1480)
Review: Looks fine + matches description
Notes: Adds a debug assertion to check that after running garbage_collect on a canister queue, when serialized, the output is of length 0.

bbb8a5152 Interface(cmc): Fix the data certification for the get_average_icp_xdr_conversion_rate endpoint (#1423)
Review: Looks fine + matches description
Notes: Fixes the data certification for get_average_icp_xdr_conversion_rate which was incorrectly using the label for the get_icp_xdr_conversion_rate value.

f95748820 Interface,Networking(quic-transport): Send RESET_STREAM frame for transport handles that are dropped (#1346)
Review: Looks fine + matches description
Notes: Implements Drop for SendStreamDropGuard which sends a QUIC_STREAM_CANCELLED frame to signal to the recipient that the transmission of the message was cancelled.

1ca9fc370 Owners: revert dependency update (#1497)
Review: Looks fine + matches description
Notes: Reverts the cloudflare dependency back to using Dfinity’s forked version.

Chores:

b1e6f4ef9 Consensus,Interface: Remove testonly dependencies of ic-replay (#1548)
Review: Looks fine + matches description
Notes: Simplifies the dummy certificates delivered after restoring from a backup, so they are now built from empty signatures allowing a load of dependencies to be removed.

6bbae04ac Execution,Interface(RUN): Upgrade wasmtime 24 dependencies (#1275)
Review: Looks fine + matches description
Notes: Upgrades the versions of wasmparser, wasmprinter, and wasm-encoder, so that they match the versions used by wasmtime 24.0.0.

b60c9012d Execution,Interface: add metric for executed canisters per round (#1485)
Review: Looks fine + matches description
Notes: Adds the executed_canisters_per_round metric to track how many canisters ended up being executed in each round, previously it was only tracking the number that were eligible for execution.

4a8ed78c9 Execution,Interface: add a metric for tracking fetch_canister_logs query calls (#1408)
Review: Looks fine + matches description
Notes: Adds the new subnet_query_messages metric and uses it to track metrics for calls to fetch canister logs.

490fbd87f Interface: Pass argument to clamp_debug_len by reference (#1541)
Review: Looks fine + matches description
Notes: Passes the input to clamp_debug_len by reference rather than moving it.

73e7bd419 Interface(IDX): replace rules_docker with rules_oci (#1512)
Review: Looks fine + matches description
Notes: Replaces the usage of rules_docker (which is now deprecated) in the Bazel build pipeline with the new and actively maintained rules_oci, also migrates the image build to using a lockfile and a specific Ubuntu snapshot to make builds more reproducible.

da62cf633 Interface,Message Routing: Replace some map().unwrap_or() with map_or(). (#1503)
Review: Looks fine + matches description
Notes: Simply replaces a few usages of map(..).unwrap_or(..) with a single call to map_or(..).

0441f4048 Interface,Node: remove unnecessary setupos_tool GenerateMacAddress command (#1564)
Review: Looks fine + matches description
Notes: Removes the unused GenerateMacAddress command from the SetupOS tool.

5aa7ad88d Node: Update Base Image Refs [2024-09-12-0807] (#1459)
Review: Looks fine + matches description
Notes: Updates the hashes of the base image references.

Refactoring:

b2400524f Consensus,Interface: fix most of the naming in the consensus-p2p interface so it is consistent with the paper submission (#1470)
Review: Looks fine + matches description
Notes: No functionality change, just renames some variables and types, e.g. ChangeSets to Mutations.

41f6ce3a7 Interface: Remove dependencies on nns governance crate from sns cli and ic-admin (#1252)
Review: Looks fine + matches description
Notes: Moves proposal validation logic out of ic-nns-governance and into ic-nervous-system-common-validation allowing other crates that require this validation logic to stop depending on ic-nns-governance.

4f4eef293 Interface(nervous-system): Make ic-nervous-system-agent generic over how it calls canisters (#1495)
Review: Looks fine + matches description
Notes: Introduces the CallCanisters trait and makes each of the canister clients use it rather than the Agent concrete type. This allows the canister clients to be used in more scenarios where an Agent may not be applicable.

bfc9da079 Interface(nervous_system): use Runtime trait for Ledger (#1455)
Review: Looks fine + matches description
Notes: Makes the ledger client depend on the Runtime trait which is implemented by both dfn_core and ic_cdk. This will allow the implementation to switch to using ic_cdk in the future.

7f0f5d5d3 Interface(nervous_system): Use candid methods in ledger canister client (#1454)
Review: Looks fine + matches description
Notes: The ledger exposes candid and protobuf endpoints, up until now the ledger client has been calling into the protobuf endpoints, but this change switches to the candid versions in preparation for switching to using ic_cdk.

c19e9b1c9 Node: Update SetupOS script naming (#1473)
Review: Looks fine + matches description
Notes: No functionality change, just renames a few SetupOS scripts.

Tests:

b8845b555 Interface,Networking: fix flaky quic test for sending reset frames (#1552)
Review: Looks fine + matches description
Notes: Modifies a test to use tokio::sync::Barrier rather than tokio::sync::Notify which in turn makes it run more reliably.

I have also successfully run the build verification scripts for 7f6a81f48e2a25a28bf07f83ca99f9ec1356da9d and c87abf70cf6f0f81f7f16d9f517c3ff0db1fab1e so have voted to adopt their proposals too.


3 Likes

Proposal 133061 for release-2024-09-19_01-31-base.

Review pending.

Proposal 133062 for release-2024-09-19_01-31-canister-snapshots.

Proposal 133063 for release-2024-09-19_01-31-ubuntu24.


3 Likes

proposal - 133061

Vote: ADOPT

Hash: MATCH

Urls: MATCH

Feedback:

Review:

Features:

[060f84b48]
Changes from a whitelist of allowed subnets to a list of subnets where synchronous v3 calls are disabled, effectively inverting the logic to enable synchronous responses for all subnets except those explicitly listed.

This switch simplifies by only excluding specific ones as needed.

[959e8a5a3]
Continuation to implement StrippedBlockProposal

Updates StrippedBlockProposal by adding ingress payload fields and fully implements serialization, deserialization, and testing for StrippedBlockProposal.

[b1e1c0728]
Lower INITIAL_NOTARY_DELAY_APP_SUBNET to 300

[380182c78]
To prevent malicious subnets or bugs from enqueuing duplicate responses for the same callback—which could consume extra slot reservations and cause legitimate responses to be dropped—we now maintain an explicit transient set of callback IDs with enqueued responses.

[02cc3657d]
Replaced the global byte size tracking with per-peer counters by introducing a new peer_counter module, which allows the IngressPool to track message counts and sizes on a per-peer basis. Additionally, the ingress pool’s threshold checks are now performed per peer using these counters, enforcing limits specifically for each peer (including the node itself) rather than applying global thresholds across all messages in the pool.

This is a good change for DDOS attacks and heavy load in general.

[c99e1478d]
Adjusts costs for Wasm64 vs Wasm32.
So now curr.cost_detail.increment_cost(instruction_to_cost(i, mem_type)); will base cost on memory type.

[70dc1a743]
The push_input function enqueues a canister-to-canister message into the induction pool, handling Request and Response messages with specific logic for guaranteed and best-effort responses—particularly, it now silently drops duplicate best-effort responses instead of returning an error.

[c29dde299]
New state error non_matching_response
Updated push_input function now explicitly checks if a message addressed to the subnet (management canister) is a Response and returns an error because the management canister does not accept responses, whereas previously it accepted all messages addressed to the subnet without distinguishing between Request and Response.

[e880042de]
This is an extensive structural config change.
Defines functions to read and parse a configuration file to extract network settings like IPv6/IPv4 addresses, gateways, and other parameters, encapsulated in a ConfigIniSettings struct. It includes validation of the inputs, normalization of the configuration content, and provides error handling to ensure the settings are correctly formatted and present.

Structured configuration types with serialization and deserialization capabilities for config/lib

[d64d62905]
Updates Ubuntu to 24.04 and adds an SSH setup tool

[7a93bcafd]
Additional jobs for cutting release candidates, running Rust benchmarks, performing Bazel tests on bare metal, and executing nightly tests.

[160734742]
Update Ubuntu to 24.04

Bugfixes:

[942668985]
Add equivocation_proof metric

[d373ce97a]
The change removes an outdated check that prevented canisters from reducing their cycle balance during execution, allowing legitimate cases like storage reservations and the cycles_burn API to function properly.

[7a3fcfa9c]
Adds lib num-traits.
Use of the num_traits::ops::saturating::SaturatingAdd trait to handle instruction and memory charge calculations safely without overflow.

Significant performance improvement—reducing a prior regression from +63% to +14% in execution time.

[02aba7918]
Fix: ensures that the CanisterQueues now encodes to zero bytes.

[bbb8a5152]
Add label parameter, allowing more flexibility in specifying the label for the witness tree. This change is used in both get_icp_xdr_conversion_rate and get_average_icp_xdr_conversion_rate functions, enabling them to pass different labels (LABEL_ICP_XDR_CONVERSION_RATE and LABEL_AVERAGE_ICP_XDR_CONVERSION_RATE) when generating the CBOR-encoded hash tree

[f95748820]
SendStreamDropGuard ensures that a QUIC stream sends a reset frame on drop to signal cancellation, preventing the peer from incorrectly assuming a complete message was sent

Test utility functions generate_self_signed_cert() and SkipServerVerification are used in the test module for the QUIC transport connection.

[1ca9fc370]
Revert dep update from cloudflare server.

Chores:

[b1e6f4ef9]
Removal of various test-only binaries and dependencies, including “ic-backup” and “ic-recovery” binaries, as well as test utilities like ic-crypto-test-utils-ni-dkg. Additionally, test-only flags were removed from several Rust libraries, such as backup, recovery, and subnet-splitting

[6bbae04ac]
Upgrading the wasm-encoder, wasmparser, and wasmprinter packages from version 0.212.0 to 0.215.0, and updating various internal function types from CompositeType::Func to CompositeInnerType::Func

[b60c9012d]
Add metric executed_canisters_per_round

[4a8ed78c9]
Add metric observe_subnet_query_message

[490fbd87f]
Matches description of passing object by ref for clamp_debug_len

[73e7bd419]
Addition of new oci_pull container images for testing, and significant modifications to the Bazel build configuration, including updates to the use of Bazel Skylib, Aspect Bazel Lib

Removes the use of test-only cryptographic signatures in ic-replay and replaces them with empty signatures, simplifying the certification process and eliminating the dependency on test-specific code.

[da62cf633]
Refactoring .map() and .unwrap_or() calls into more concise .map_or() or .map_or_else() structures

[0441f4048]
Removes GenerateMacAddress command

[5aa7ad88d]
Update base images

Refactoring:

[b2400524f]
Rename various consensus and P2P-related types and methods to align with the terminology used in a related paper. Specifically, the term ChangeSet is replaced with Mutations, and ArtifactMutation is changed to ArtifactTransmit or ArtifactTransmits. Additionally, methods like apply_changes have been renamed to apply.

[41f6ce3a7]
Moving some logic from the ic-nns-governance to ic-nervous-system-common-validation. Several components related to governance are refactored to use this new validation logic.

[4f4eef293]
CallCanisters trait for modularity and error handling using a custom AgentCallError enum for better error classification.

CallCanisters trait allows different implementations for making canister calls

[bfc9da079]
Runtime trait with a PhantomData type parameter in the IcpLedgerCanister struct, allowing for more flexible and testable runtime environments, replacing the direct use of the dfn_core::call method with Rt::call_without_cleanup for runtime-dependent execution

[7f0f5d5d3]
Replacement of protobuf encoding with candid_one encoding for canister calls, shifting from Protobuf-based serialization to Candid-based serialization for methods like transfer, total_supply, and account_balance

[c19e9b1c9]
Update setup os script.

Tests:

[b8845b555]
Barrier is added to the test code to synchronize client completion in the test_dropped_connection_handle_resets_the_stream function

proposal - 133062

Vote: ADOPT

Hash: MATCH

Urls: MATCH

Canister snapshot feature flag enabled.

proposal - 133063

Vote: ADOPT

Hash: MATCH

Urls: MATCH

Upgrade GuestOS to run on Ubuntu 24.04

3 Likes
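The per-peer ingress pool limit from 02cc3657d that the reviews above describe, as an added Rust example that is not taken from the thread or from the IC code base. `ToyIngressPool`, `Policy`, `at_limit`, the `u8` peer ids and the limits of 4 messages / 4096 bytes are assumptions made for illustration; the earlier behaviour is modelled as one budget shared by all peers for contrast.

```rust
use std::collections::BTreeMap;

/// Constructed stand-in for a node id (assumption, not the replica's type).
pub type PeerId = u8;

/// Messages and bytes a single peer currently has in the pool.
#[derive(Clone, Copy, Debug, Default, PartialEq)]
pub struct Usage {
    pub count: usize,
    pub bytes: usize,
}

/// Per-peer bookkeeping, updated on every insert and removal.
#[derive(Default)]
pub struct PeerCounters(BTreeMap<PeerId, Usage>);

impl PeerCounters {
    pub fn get(&self, peer: PeerId) -> Usage {
        self.0.get(&peer).copied().unwrap_or_default()
    }
    pub fn total(&self) -> Usage {
        self.0.values().fold(Usage::default(), |acc, u| Usage {
            count: acc.count + u.count,
            bytes: acc.bytes + u.bytes,
        })
    }
    pub fn add(&mut self, peer: PeerId, bytes: usize) {
        let u = self.0.entry(peer).or_default();
        u.count += 1;
        u.bytes += bytes;
    }
    pub fn sub(&mut self, peer: PeerId, bytes: usize) {
        let mut now_empty = false;
        if let Some(u) = self.0.get_mut(&peer) {
            u.count = u.count.saturating_sub(1);
            u.bytes = u.bytes.saturating_sub(bytes);
            now_empty = u.count == 0;
        }
        if now_empty {
            self.0.remove(&peer); // forget idle peers so the map stays small
        }
    }
}

/// Which usage figure the limit is checked against.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Policy {
    Global,  // one budget shared by all peers (modelled "before")
    PerPeer, // one budget per peer, the local node included
}

pub struct ToyIngressPool {
    policy: Policy,
    max_count: usize,
    max_bytes: usize,
    counters: PeerCounters,
}

impl ToyIngressPool {
    pub fn new(policy: Policy, max_count: usize, max_bytes: usize) -> Self {
        Self { policy, max_count, max_bytes, counters: PeerCounters::default() }
    }
    /// True once the relevant budget is used up; checked before admitting a message.
    pub fn at_limit(&self, peer: PeerId) -> bool {
        let used = match self.policy {
            Policy::Global => self.counters.total(),
            Policy::PerPeer => self.counters.get(peer),
        };
        used.count >= self.max_count || used.bytes >= self.max_bytes
    }
    pub fn insert(&mut self, peer: PeerId, bytes: usize) -> bool {
        if self.at_limit(peer) {
            return false;
        }
        self.counters.add(peer, bytes);
        true
    }
    pub fn remove(&mut self, peer: PeerId, bytes: usize) {
        self.counters.sub(peer, bytes);
    }
}

pub const FLOODER: PeerId = 1; // constructed peer ids
pub const HONEST: PeerId = 2;

/// One peer offers ten 1000-byte messages, then another peer offers one message.
/// Returns (messages kept from the flooder, whether the honest message got in).
pub fn flood_then_honest(policy: Policy) -> (usize, bool) {
    let mut pool = ToyIngressPool::new(policy, 4, 4096);
    let kept = (0..10).filter(|_| pool.insert(FLOODER, 1000)).count();
    (kept, pool.insert(HONEST, 200))
}

fn main() {
    for policy in [Policy::Global, Policy::PerPeer] {
        println!("{:?}: {:?}", policy, flood_then_honest(policy));
    }
}
```

Under the shared budget the flooding peer's four accepted messages lock the second peer out; with per-peer counters the flooder is capped at the same four messages and the second peer is unaffected.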

Proposal 133061


Hashes match.
ADOPTED.
Review:
I’ve reviewed all the commits listed in the proposal, for the Execution and Runtime layers:

380182c78:
Adds the callbacks_with_enqueued_response BTreeSet to the CanisterQueues struct. This set is used in the push_input method to check if there’s already a response in the canister queue with that callback id. If the response is already present in the queue and is a guaranteed response, returns an error, otherwise (response is best effort) silently drops the duplicate.

c99e1478d:
Adjusts the cost of some Wasm instructions, after some benchmarks run with the new Wasm64 memory type. In particular, the cost of all load and store instructions (including SIMD instructions) changes from 1 to 2 for Wasm64.
The instruction_to_cost function of the Wasm instrumentation module now accepts a mem_type argument, to distinguish between Wasm32 and Wasm64 memory types.

70dc1a743:
Updates the push_input method of the CanisterQueues struct in the case when the canister queue does not exist or does not have reserved slots, in order to return an error only if the response is a guaranteed response. Otherwise (best-effort response), it silently drops it.
It also updates the push_input method of the SystemState struct, in order to silently drop a best-effort response when its callback is missing. This method internally uses the should_enqueue method of the CallContextManager, which in turn has been renamed and updated to better distinguish between guaranteed and best-effort responses.
Added a comment on GitHub.

d373ce97a:
Replicates the changes made in the past week to fix the security bug that occurred.

7a3fcfa9c:
Improves the performance of the mark_writes_on_bytemap, charge_for_cpu, charge_for_cpu_and_mem, charge_for_stable_write, charge_for_system_api_call and charge_direct_fee functions. These improvements reduce the time regression from +63% to +14%.
The improvements mainly consist in inlining these functions and making use of saturating_add instead of checked_add inside some of them.

02aba7918:
Updates the garbage_collect method of the CanisterQueues struct in order to check explicitly if the struct serializes to an empty bytes array, which means that all the fields are empty. Previously, the check was rather comparing the current instance of CanisterQueues with the default one.

6bbae04ac:
Upgrades the wasmtime dependencies in order to use the same versions used by wasmtime v24. This upgrade replaces the CompositeType enum of the wasmparser with CompositeInnerType.

b60c9012d:
Adds the executed_canisters_per_round gauge metric to the SchedulerMetrics struct. This metric is set in the inner_round method of the SchedulerImpl struct, by counting the executed_canisters returned by the execute_canisters_in_inner_round method.

4a8ed78c9:
Adds the subnet_query_messages set of histograms to the IngressFilterMetrics struct. The histograms in this metric are labeled with the query method name and the result status of the method inside the observe_subnet_query_message method. This method has been introduced in the QueryHandlerMetrics struct. The observe_subnet_query_message is called in the query method of the InternalHttpQueryHandler struct, when the query method is the management canister’s fetch_canister_logs method and observes its execution duration.

All reviewed commits match their description.


Proposal 133062


Hashes match.
ADOPTED.
Review:
This release is the same as the one in 133061 with the addition of the commit 7f6a81f48, which matches its description.


Proposal 133063


Hashes match.
ADOPTED.
Review:
This release is the same as the one in 133061 with the addition of the commit c87abf70c, which matches its description.

4 Likes
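How the response-induction rules from 380182c78 and 70dc1a743 fit together, as an added Rust example that is not the replica's code. `ToyQueues`, `Inducted`, `ToyError`, `reserve_slot`, `drain` and the single shared slot counter are simplifications assumed here; only the names `push_input` and `callbacks_with_enqueued_response` come from the reviews above. A response with no deadline is treated as guaranteed, one with a deadline as best-effort, and the order of the two checks is an assumption.

```rust
use std::collections::{BTreeSet, VecDeque};

/// Simplified response: `deadline == None` models a guaranteed response,
/// `Some(_)` a best-effort one.
#[derive(Clone, Debug, PartialEq)]
pub struct Response {
    pub callback_id: u64,
    pub deadline: Option<u32>,
}

#[derive(Debug, PartialEq)]
pub enum Inducted {
    Enqueued,
    /// Best-effort response discarded without raising an error.
    Dropped,
}

/// Hypothetical error type for this model (not the replica's StateError).
#[derive(Debug, PartialEq)]
pub enum ToyError {
    DuplicateResponse { callback_id: u64 },
    NoReservedSlot { callback_id: u64 },
}

/// Toy stand-in for one canister's input queue.
#[derive(Default)]
pub struct ToyQueues {
    reserved_slots: usize,
    queue: VecDeque<Response>,
    /// Callback ids that already have a response sitting in `queue`.
    callbacks_with_enqueued_response: BTreeSet<u64>,
}

impl ToyQueues {
    /// Sending a request reserves one slot for its eventual response.
    pub fn reserve_slot(&mut self) {
        self.reserved_slots += 1;
    }

    pub fn push_input(&mut self, r: Response) -> Result<Inducted, ToyError> {
        let best_effort = r.deadline.is_some();
        // Duplicate check: a second response for the same callback must not
        // consume a slot that was reserved for a different callback.
        if self.callbacks_with_enqueued_response.contains(&r.callback_id) {
            return if best_effort {
                Ok(Inducted::Dropped)
            } else {
                Err(ToyError::DuplicateResponse { callback_id: r.callback_id })
            };
        }
        // Non-matching response: nothing was reserved for it.
        if self.reserved_slots == 0 {
            return if best_effort {
                Ok(Inducted::Dropped)
            } else {
                Err(ToyError::NoReservedSlot { callback_id: r.callback_id })
            };
        }
        self.reserved_slots -= 1;
        self.callbacks_with_enqueued_response.insert(r.callback_id);
        self.queue.push_back(r);
        Ok(Inducted::Enqueued)
    }

    /// Delivers everything in the queue and clears the transient set.
    pub fn drain(&mut self) -> Vec<u64> {
        let mut delivered = Vec::new();
        while let Some(r) = self.queue.pop_front() {
            self.callbacks_with_enqueued_response.remove(&r.callback_id);
            delivered.push(r.callback_id);
        }
        delivered
    }
}

/// Constructed scenario: two requests outstanding (callbacks 1 and 2), then a
/// mix of legitimate, duplicate and non-matching responses arrives.
pub fn demo() -> (Vec<Result<Inducted, ToyError>>, Vec<u64>) {
    let guaranteed = |callback_id| Response { callback_id, deadline: None };
    let best_effort = |callback_id| Response { callback_id, deadline: Some(30) };
    let mut q = ToyQueues::default();
    q.reserve_slot(); // request with callback 1 sent
    q.reserve_slot(); // request with callback 2 sent
    let outcomes = vec![
        q.push_input(guaranteed(1)),  // first response for callback 1
        q.push_input(guaranteed(1)),  // guaranteed duplicate
        q.push_input(best_effort(1)), // best-effort duplicate
        q.push_input(guaranteed(2)),  // slot for callback 2 is still free
        q.push_input(best_effort(3)), // best-effort, nothing reserved
        q.push_input(guaranteed(4)),  // guaranteed, nothing reserved
    ];
    (outcomes, q.drain())
}

fn main() {
    let (outcomes, delivered) = demo();
    for o in &outcomes {
        println!("{:?}", o);
    }
    println!("delivered callbacks: {:?}", delivered);
}
```

Without the set, the duplicate for callback 1 would have taken the second reserved slot and the legitimate response for callback 2 would have been the one rejected.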

Proposal 133061

Hashes and code match. Voted to adopt.

[060f84b48] Inverted check to enable sync v3 endpoint, instead of enabling it on a set of specified subnets, it is now enabled by default on all of them except for system subnets.

[b1e1c0728] Reduced the initial notarization delay from 600 ms to 300 ms by default.

[380182c78] Added callbacks_with_enqueued_response field to CanisterQueues struct, this is a BTreeSet used to keep track of all enqueued CallbackIds, when trying to induct a response message, if it is already present in the set and it is not a best effort response an error is returned, otherwise the duplicate response is dropped.

[c99e1478d] Adjusted cost of load/store and SIMD instructions based on memory type.

[70dc1a743] Modify push_input method to only return an error when a respective queue or reservation slot doesn’t exist for a guaranteed response, otherwise the response is dropped. validate_response was modified similarly and renamed to should_enqueue to better reflect its purpose.

[c29dde299] Modified push_input method of ReplicatedState to return a StateError when trying to redirect a response to the management canister. A new metric named critical_error_induct_response_failed has been added to keep track of the number of times an attempt to induct a response ends up returning an error, which at the moment happens either in the aforementioned scenario or when the canister can’t be found in the state of the local subnet.

[d373ce97a] Same code changes as the ones proposed in this week’s hotfix build.

[7a3fcfa9c] Improve performance by inlining functions and using saturating_add in place of checked_add.

[02aba7918] Modified debug assertion in garbage_collect method, instead of comparing the GCed canister queues with the default CanisterQueues instance, it ensures the encoded size of the queues is 0 bytes.

[bbb8a5152] get_average_icp_xdr_conversion_rate was using a wrong label for data certification, convert_conversion_rate_to_payload method has been modified to take a label as an argument which is used when generating the hash tree.

[6bbae04ac] Bump wasmparser, wasmprinter, and wasm-encoder crate versions to match wasmtime v24.

[b60c9012d] Added new metric to SchedulerMetrics to keep track of unique canisters executed per round. When an execution round is performed, canister ids are added to a set, whose size is used to update the metric once the round is completed.

[4a8ed78c9] Added new metric to IngressFilterMetrics to track the duration of queries. It is currently only used to log duration of FetchCanisterLogs query method.

[490fbd87f] Modified clamp_debug_len function to take object argument by reference instead of moving ownership.

[da62cf633] Same as description, replaces map().unwrap_or() and map().unwrap_or_else() instances with map_or and map_or_else respectively.

[41f6ce3a7] Disentangled proposal validation logic by moving it from ic-nns-governance to ic-nervous-system-common-validation crate. Due to these changes SNS cli and ic-admin no longer need ic-nns-governance as a dependency.

[4f4eef293] Generalized call method in ic-nervous-system-agent library, instead of a concrete implementation which required an Agent instance to be passed in, a CallCanister trait has been created to define an interface for calling canisters.

[bfc9da079] Abstract cdk interactions using the Runtime trait for the IcpLedgerCanister, this change makes the code more easily testable and facilitates the eventual replacement of dfn_core with ic-cdk.

[7f0f5d5d3] Use candid compatible endpoints and encodings instead of protobuf variant for transfer, icrc1_total_supply and account_balance ledger canister calls.

Proposal 133062

Hashes match. Code wise it is the same build proposed with 133061 but with canister snapshot feature flag enabled.
Voted to adopt.

Proposal 133063

Hashes match. Code wise it is the same build proposed with 133061 but with GuestOS running on Ubuntu 24.04
Voted to adopt.

3 Likes

Hashes match for below 3 proposals. Reviews provided. Voting to Adopt

Proposal: 133061

Review

Features:

060f84b48 Previously used whitelisted subnet endpoints which had sync call enabled are replaced with a list of subnets with sync call disabled. Enable sync call if the match is not found in the list.

959e8a5a3 Added functionality for stripping and assembling Data blocks and introducing StrippedBlockProposal which retains stripped message IDs for reconstruction

b1e1c0728 Interface: Commit matches the description. Reduced notarization delay to 300ms

380182c78 Introduces a transient set of callback IDs to track enqueued responses, preventing duplicate responses from consuming slots and causing legitimate responses to be dropped. Safely handles local timeout reject responses

02cc3657d Implements a per-peer limit instead of global. Adds new structures and functions to manage and track ingress messages per peer

70dc1a743 Handled response with more context based on its properties such as deadline, status

c29dde299 Changes related to critical_error_induct_response_failed and nonmatching responses. Makes the canisters responsible for calls made

e880042de Interface,Node: Implemented to config settings, tools, functions. Has not been integrated to the OS though.

d64d62905 Commit matches the description

7a93bcafd Deployment changes and scripts to run benchmark tests.

160734742 Commit matches the description

Bugfixes:

942668985 Commit matches the description. Added a new metric

d373ce97a Removes an assertion no longer applicable

7a3fcfa9c Implement performance improvements with comparison between previous and enhanced performance.

02aba7918 Garbage collection sets the canister queue to 0 instead of default.

bbb8a5152 Fixed the calculation of get_average_icp_xdr_conversion_rate

f95748820 Adds a drop guard for SendStream ensuring a SendStream::reset frame is sent if dropped. Avoids decoding errors when RPC calls are canceled

1ca9fc370 Commit matches the description

Chores:

b1e6f4ef9 Removed test-only dependencies of different binaries. Use of empty signatures.

6bbae04ac Version upgrades

b60c9012d Introduced a new metric to track actual number of canisters executed.

4a8ed78c9 Similar to previous commit. This one also added a new metric to track calls length of the fetch call

490fbd87f Changes match the commit note

73e7bd419 Replace rules_docker with rules_oci to upgrade Bazel, improving image reproducibility and tagging, while introducing new macros and simplifying environment variable handling.

da62cf633 simplified logic to use map_or or map_or_else

0441f4048 Code cleanup. Matches the commit message

5aa7ad88d Assuming the image hashes are correct, changes match the commit message

Refactoring:

b2400524f Replaced ChangeSets with Mutation, introduced ArtifactTransmit instead of ArtifactMutation. Changed the function accordingly

41f6ce3a7 Removed dependency. Added common api into ic-nns-governance.

4f4eef293 CallCanisters simplified the code. Generic interaction with other canisters instead of fine-grain control in Agent

bfc9da079 Using Runtime trait is in line with the migration

7f0f5d5d3 Code changes reflect the use of candid methods as part of the migration plan from dfn_protobuf. Compatibility is ensured before the migration is completed in future.

c19e9b1c9 Renaming of scripts

Tests-

tokio::sync::Barrier, will be useful for synchronization between multiple tasks.

Proposal: 133062

Review –

Changes match the commit notes

Proposal: 133063


b8845b555

Review –

Changes match the commit notes

3 Likes

Proposal 133061

The hash from CDN, local build and the payload matches

Features

[060f84b48]
The code replaces whitelisted subnets with a list of disabled subnets. This inverted logic will enable synchronous responses for all the subnets except the ones explicitly listed.

[959e8a5a3]
This completes the process for block makers to propose blocks containing only message IDs, not the actual messages. The block proposer removes the messages, and the receiving replica checks for missing ones, retrieves them, and reassembles the block.

[b1e1c0728]
The default initial notarization delay INITIAL_NOTARY_DELAY_APP_SUBNET has been reduced from 600 ms to 300 ms.

[380182c78]
A new callbacks_with_enqueued_response set has been added to the CanisterQueues struct to track callback IDs for enqueued responses. This helps detect and prevent duplicate callbacks, ensuring safe handling of local timeout responses. If a duplicate callback is detected in the queue during response induction, it either returns an error (for guaranteed responses) or silently drops the duplicate (for best-effort responses). This approach also mitigates issues caused by bugs or malicious subnets that might enqueue duplicate responses, preventing unnecessary slot consumption and potential loss of valid responses.

[02cc3657d]
This update modifies the ingress pool to enforce per-peer limits on the number/size of ingress messages in the ingress pool, replacing the previous global limit. By introducing a per-peer counter module, the system now tracks message counts and sizes on a per-peer basis, ensuring that threshold checks are applied individually for each peer, including the node itself. This change improves resilience under heavy load or potential DDOS attacks by ensuring that ingress messages from all peers are still received, even if one peer is overloaded. Additionally, it prevents malicious nodes from disrupting the acceptance of ingress messages from other peers, helping to maintain a balanced flow of messages in scenarios like the future hashes-in-blocks feature.

[c99e1478d]
This update adjusts the cost of certain Wasm instructions, particularly memory load/store and SIMD, following recent benchmarking with the new Wasm64 memory type. The cost for these instructions increases from 1 to 2 in Wasm64 mode. The instruction_to_cost function now takes memory type into account, allowing for differentiation between Wasm32 and Wasm64.

[70dc1a743]
The push_input method now silently drops best-effort responses without matching callbacks, while returning errors only for guaranteed responses when no queue or slot exists. The validate_response function was renamed to should_enqueue to clarify its role in handling response queuing.

[c29dde299]
The push_input method now returns an error if a response is directed to the management canister, as it does not accept responses. A new StateError has been introduced for this scenario, along with a metric critical_error_induct_response_failed to track failed response inductions. This ensures responses are correctly routed to the canisters that initiated the requests, not the management canister.

[e880042de]
This update defines the config structure and tool for reading, validating, and normalizing network settings such as IP addresses and gateways. While not yet integrated into SetupOS, this prepares for future use in IC-OS deployments to handle configuration sanitization, organization, and access.

[d64d62905]
This change updates the ubuntu image from 20.04 to 24.04

[7a93bcafd]
This update adds benchmarking steps to the nightly pipeline, allowing performance tracking for the IC-OS stack deployed on physical hardware.

[160734742]
This change updates ubuntu from 20.04 to 24.04

Bugfixes

[942668985]
This change starts adding equivocation_proof metric.

[d373ce97a]
This update applies the same changes from the security hotfix that was deployed across all IC subnets last week.

[7a3fcfa9c]
This update implements performance optimizations based on System API microbenchmarks, including inlining critical functions and replacing checked_add with saturating_add. These changes significantly improve execution time, reducing a prior regression from +63% to +14%. Key functions like mark_writes_on_bytemap, charge_for_cpu, and others have been optimized for better performance.

[02aba7918]
This update modifies the garbage_collect method in CanisterQueues to ensure the structure serializes to zero bytes after cleanup, rather than comparing it to a default instance. A debug assertion is added to verify that the encoded size of the queues is 0 bytes post-garbage collection.

[bbb8a5152]
This change fixes the data certificate for get_average_icp_xdr_conversion_rate

[f95748820]
This change introduces a drop guard that wraps quinn::SendStream in the transport implementation for RPC calls. The guard ensures that a SendStream::reset frame is sent when the stream is dropped, preventing peers from mistakenly interpreting incomplete messages as complete. This resolves the issue where dropping a stream sends a finish frame by default, causing peers to attempt decoding incomplete messages when a client, such as P2P, cancels the RPC.

[1ca9fc370]
This change reverts the Cloudflare dependency back to using Dfinity’s forked version, undoing the recent dependency update to the Cloudflare server.

Chores

[b1e6f4ef9]
This change removes the synchronous QueryHandler from ic-replay and replaces it with the asynchronous QueryExecutionService, which evaluates queries on the latest certified state. To handle states modified by extra ingress messages during NNS recoveries, dummy certifications with empty signatures are now used, eliminating the need for a test-only dependency.

[6bbae04ac]
This change upgrades the versions of wasmparser, wasmprinter, and wasm-encoder to align with the version used by wasmtime 24.

[b60c9012d]
This update introduces a new scheduler metric that tracks the number of canisters actually executed in the previous round. This is distinct from the scheduler_executable_canisters_per_round metric, which counts canisters eligible for execution but may not reflect those actually run due to round limits or other constraints.

[4a8ed78c9]
This change introduces a new metric, execution_subnet_query_message_duration_seconds, to track the duration of subnet query message execution, similar to the existing metric for update calls (execution_subnet_message_duration_seconds). Since the query handler lacks access to execution environment metrics, this new metric will specifically monitor query performance. The metrics for update calls and queries will later be combined using a Prometheus query.

[490fbd87f]
This PR fixes an issue with clamp_debug_len, where the argument was being moved instead of passed by reference, leading to unintended behavior. The update now correctly passes the argument by reference to reduce log spam.

[73e7bd419]
This change replaces the deprecated rules_docker with rules_oci to support future Bazel version upgrades. Key changes include:

  • Introduction of a new oci_tar macro to expose tarballs since rules_oci does not do so by default.
  • The ubuntu_test_runtime_image is now based on an Ubuntu snapshot with its own lockfile, improving reproducibility and allowing image builds on CI.
  • Images can be tagged upon creation, removing the default bazel/image:image tag for clearer image identification.
  • _colocate tests now receive environment variables via an --env-file, simplifying test configurations.

[da62cf633]
This change simplifies code by replacing a few instances of map().unwrap_or() with the more concise map_or() function.

[0441f4048]
This change removes the GenerateMacAddress command from SetupOS.

[5aa7ad88d]
This change updates the base container image references

Refactoring

[b2400524f]
This change introduces no functional changes but renames variables and types for better alignment with related terminology. ChangeSets are renamed to Mutations, and ArtifactMutation is now ArtifactTransmit. Methods like apply_changes are also renamed to apply to reflect these updates.

[41f6ce3a7]
This PR continues the effort to remove dependencies on the NNS Governance crate, aiming to eliminate its Bazel visibility as a dependency. This is part of an ongoing process to decouple it from other components.

[41f6ce3a7]
This change moves the proposal validation logic from ic-nns-governance to ic-nervous-system-common-validation, allowing other crates to use the validation logic without relying on ic-nns-governance. This reduces dependencies on the nns-governance crate and eliminates its Bazel visibility.

[4f4eef293]
The ic-nervous-system-agent library is currently hardcoded to work only with ic_agent, which restricts its flexibility for use in contexts without ic_agent.

To address this, a CallCanisters trait has been introduced, representing an object capable of calling a canister. This trait is implemented for Agent but can be extended for other types in the future. With Rust now supporting async traits, this change is easier to implement.

The CallCanisters trait includes a call function, allowing different implementations to handle different types of errors. This is useful since various methods of calling canisters can result in different errors. For example, boundary node errors are possible for external users but not for canister-to-canister calls.

Additionally, this change allows the ic-nervous-system-agent functions to return more specific error types instead of the generic anyhow::Result, providing more detailed error information to callers.

[bfc9da079]
This change migrates the ledger canister client to utilize the Runtime trait, replacing direct calls to dfn_core

[7f0f5d5d3]
To facilitate the transition from dfn_core to ic_cdk, this change introduces more usage of dfn_candid to ensure compatibility with Candid methods, temporarily replacing dfn_protobuf.

[c19e9b1c9]
This update renames various SetupOS scripts to improve readability.

Tests

[b8845b555]
This update fixes a flaky test for sending reset frames by modifying the test to use tokio::sync::Barrier instead of tokio::sync::Notify.

Voting to adopt.

Proposal 133062

The hash from CDN, local build and the payload matches

[7f6a81f48]
It is the same build as proposed in 133061 with canister snapshot feature flag enabled.

Voting to adopt.

Proposal 133063

The hash from CDN, local build and the payload matches.

[c87abf70c]
It is the same build as proposed in 133061 with guest os upgraded to 24.04
Voting to adopt.

2 Likes
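The duplicate-response handling that the reviews of 380182c78 and 70dc1a743 describe, as an added Rust sketch that is not code from the IC repository. `ToyInputQueue`, `Outcome`, `InductError` and the one-slot-per-request model are assumptions made for illustration; only the name of the `callbacks_with_enqueued_response` set is taken from the reviews.

```rust
use std::collections::{BTreeSet, VecDeque};

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
struct CallbackId(u64);

struct Response { callback: CallbackId, best_effort: bool }

#[derive(Debug, PartialEq)]
enum Outcome { Enqueued, Dropped } // Dropped: best-effort response silently discarded

#[derive(Debug, PartialEq)]
enum InductError { DuplicateResponse(CallbackId), NoReservedSlot(CallbackId) }

// Toy model (assumption): every outgoing request reserves one slot for its response.
#[derive(Default)]
struct ToyInputQueue {
    reserved_slots: usize,
    responses: VecDeque<Response>,
    // Callbacks that already have a response waiting in `responses`.
    callbacks_with_enqueued_response: BTreeSet<CallbackId>,
}

impl ToyInputQueue {
    fn reserve_slot(&mut self) {
        self.reserved_slots += 1;
    }

    fn induct(&mut self, r: Response) -> Result<Outcome, InductError> {
        // The duplicate check runs before any slot is consumed, so a repeated
        // response cannot use up the slot reserved for a different callback.
        let refusal = if self.callbacks_with_enqueued_response.contains(&r.callback) {
            Some(InductError::DuplicateResponse(r.callback))
        } else if self.reserved_slots == 0 {
            Some(InductError::NoReservedSlot(r.callback))
        } else {
            None
        };
        match refusal {
            // Best-effort responses are dropped silently; guaranteed ones raise an error.
            Some(_) if r.best_effort => Ok(Outcome::Dropped),
            Some(err) => Err(err),
            None => {
                self.reserved_slots -= 1;
                self.callbacks_with_enqueued_response.insert(r.callback);
                self.responses.push_back(r);
                Ok(Outcome::Enqueued)
            }
        }
    }

    // Consuming a response removes its callback id from the transient set.
    // The toy does not model the callback table that tracks closed callbacks.
    fn pop(&mut self) -> Option<Response> {
        let r = self.responses.pop_front()?;
        self.callbacks_with_enqueued_response.remove(&r.callback);
        Some(r)
    }
}

fn main() {
    // Constructed scenario: two outstanding requests, callbacks 1 and 2.
    let mut q = ToyInputQueue::default();
    q.reserve_slot();
    q.reserve_slot();
    let resp = |id, best_effort| Response { callback: CallbackId(id), best_effort };
    println!("{:?}", q.induct(resp(1, false))); // first response for callback 1
    println!("{:?}", q.induct(resp(1, false))); // duplicate: refused, no slot used
    println!("{:?}", q.induct(resp(2, false))); // callback 2 still has its slot
    println!("{:?}", q.pop().map(|r| r.callback));
}
```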

Proposal 133061

Features:

[060f84b48]
Replaces a whitelist of allowed subnets with a list of subnets where synchronous v3 calls are disabled, effectively reversing the logic to enable synchronous responses for all subnets except those explicitly listed. This change simplifies configuration by only excluding specific subnets when necessary.

[959e8a5a3]
Continues the implementation of StrippedBlockProposal, adding ingress payload fields and fully supporting serialization, deserialization, and testing for StrippedBlockProposal.

[b1e1c0728]
Reduces the INITIAL_NOTARY_DELAY_APP_SUBNET to 300.

[380182c78]
Introduces a mechanism to prevent malicious subnets or bugs from queuing duplicate responses for the same callback, which could otherwise lead to wasted slot reservations and cause valid responses to be dropped. Now, an explicit transient set of callback IDs with queued responses is maintained.

[02cc3657d]
Replaces global byte-size tracking with per-peer counters through a new peer_counter module. This allows the IngressPool to track message counts and sizes per peer, and apply threshold checks on a per-peer basis rather than globally, enhancing protection against DDoS attacks and high loads.

[c99e1478d]
Adjusts cost calculations for Wasm64 vs. Wasm32, so that curr.cost_detail.increment_cost(instruction_to_cost(i, mem_type)) now depends on the memory type.

[70dc1a743]
Modifies the push_input function to handle canister-to-canister messages, ensuring that best-effort responses are silently dropped when duplicates are detected, avoiding unnecessary errors.

[c29dde299]
Adds a new state error non_matching_response. Updates the push_input function to explicitly reject Response messages addressed to the subnet’s management canister, which previously accepted all message types without distinction.

[e880042de]
Implements a large structural configuration change, defining functions to read and parse network settings (e.g., IPv6/IPv4 addresses, gateways) from a configuration file. This includes validation, normalization, and error handling for the configuration content, ensuring it’s correctly formatted and present.

[d64d62905]
Updates to Ubuntu 24.04 and introduces an SSH setup tool.

[7a93bcafd]
Adds new jobs for release candidates, Rust benchmarks, bare metal Bazel tests, and nightly test execution.

[160734742]
Updates to Ubuntu 24.04.

Bugfixes:

[942668985]
Introduces a new equivocation_proof metric.

[d373ce97a]
Removes an outdated check that prevented canisters from reducing their cycle balance during execution, now allowing legitimate use cases like storage reservations and the cycles_burn API.

[7a3fcfa9c]
Adds the num_traits::ops::saturating::SaturatingAdd trait to safely handle instruction and memory charge calculations, improving performance by reducing execution time from +63% to +14%.

[02aba7918]
Fixes CanisterQueues so that they now encode to zero bytes.

[bbb8a5152]
Adds a label parameter for increased flexibility when specifying labels for the witness tree. This change is used in both get_icp_xdr_conversion_rate and get_average_icp_xdr_conversion_rate.

[f95748820]
Introduces SendStreamDropGuard to ensure that a QUIC stream sends a reset frame on drop, signaling cancellation and preventing the peer from incorrectly assuming the message was fully sent. Also adds test utility functions for QUIC transport connection testing.

[1ca9fc370]
Reverts a dependency update from the Cloudflare server.

Chores:

[b1e6f4ef9]
Removes various test-only binaries and dependencies, such as ic-backup and ic-recovery, and eliminates test flags from several Rust libraries.

[6bbae04ac]
Upgrades wasm-encoder, wasmparser, and wasmprinter packages, and updates internal function types accordingly.

[b60c9012d]
Adds the executed_canisters_per_round metric.

[4a8ed78c9]
Introduces the observe_subnet_query_message metric.

[490fbd87f]
Updates descriptions for passing objects by reference for clamp_debug_len.

[73e7bd419]
Adds new oci_pull container images for testing and makes significant changes to the Bazel build configuration, including updates to Bazel Skylib and Aspect Bazel Lib. It also removes test-only cryptographic signatures in ic-replay, simplifying certification.

[da62cf633]
Refactors .map() and .unwrap_or() calls into more concise .map_or() or .map_or_else() structures.

[0441f4048]
Removes the GenerateMacAddress command.

[5aa7ad88d]
Updates base images.

Refactoring:

[b2400524f]
Renames various consensus and P2P-related types and methods for consistency with terminology in a related paper. ChangeSet becomes Mutations, and ArtifactMutation is renamed ArtifactTransmit. Methods like apply_changes are now called apply.

[41f6ce3a7]
Moves some logic from ic-nns-governance to ic-nervous-system-common-validation. Refactors components to use this new validation logic.

[4f4eef293]
Introduces the CallCanisters trait for modularity and better error handling, using the custom AgentCallError enum for improved error classification.

[bfc9da079]
Adds the Runtime trait with a PhantomData type parameter to the IcpLedgerCanister struct, enabling more flexible runtime environments and replacing direct calls to dfn_core::call with Rt::call_without_cleanup.

[7f0f5d5d3]
Shifts from Protobuf-based serialization to Candid-based serialization for canister methods like transfer, total_supply, and account_balance.

[c19e9b1c9]
Updates the OS setup script.

Tests:

[b8845b555]
Adds a Barrier to the test code to synchronize client completion in the test_dropped_connection_handle_resets_the_stream function.

Voted to adopt.

Proposal 133062

This build is identical to the one proposed in 133061, with the addition of the canister snapshot feature flag enabled.

Voted to adopt.

Proposal 133063

This build is the same as the one proposed in 133061, but with the guest OS upgraded to version 24.04.

Voted to adopt.

2 Likes
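The per-peer ingress limit that the reviews of 02cc3657d describe, contrasted with a single global budget, as an added Rust sketch that is not code from the IC repository. `ToyIngressPool`, `Usage`, `Rejected`, the integer peer ids and the limits are assumptions made for illustration.

```rust
use std::collections::BTreeMap;

type PeerId = u32; // hypothetical stand-in for a node id

#[derive(Clone, Copy, Default, Debug, PartialEq)]
struct Usage { count: usize, bytes: usize }

#[derive(Debug, PartialEq)]
enum Rejected { TooManyMessages, TooManyBytes }

struct ToyIngressPool {
    max_count: usize,
    max_bytes: usize,
    per_peer: bool, // false: one budget shared by all peers (the old behaviour)
    usage: BTreeMap<PeerId, Usage>,
    messages: BTreeMap<u64, (PeerId, usize)>, // message id -> (origin peer, size)
}

impl ToyIngressPool {
    fn new(max_count: usize, max_bytes: usize, per_peer: bool) -> Self {
        Self { max_count, max_bytes, per_peer, usage: BTreeMap::new(), messages: BTreeMap::new() }
    }

    // Usage that counts against `peer`: its own counter, or the sum over all peers.
    fn budget_used(&self, peer: PeerId) -> Usage {
        if self.per_peer {
            return self.usage.get(&peer).copied().unwrap_or_default();
        }
        self.usage.values().fold(Usage::default(), |a, u| Usage {
            count: a.count + u.count,
            bytes: a.bytes + u.bytes,
        })
    }

    fn insert(&mut self, peer: PeerId, id: u64, size: usize) -> Result<(), Rejected> {
        if self.messages.contains_key(&id) {
            return Ok(()); // already pooled, counters stay unchanged
        }
        let used = self.budget_used(peer);
        if used.count >= self.max_count {
            return Err(Rejected::TooManyMessages);
        }
        if used.bytes.saturating_add(size) > self.max_bytes {
            return Err(Rejected::TooManyBytes);
        }
        let u = self.usage.entry(peer).or_default();
        u.count += 1;
        u.bytes += size;
        self.messages.insert(id, (peer, size));
        Ok(())
    }

    // Removing a message (executed, expired) returns its budget to the origin peer.
    fn remove(&mut self, id: u64) {
        if let Some((peer, size)) = self.messages.remove(&id) {
            let u = self.usage.get_mut(&peer).expect("counter exists for pooled message");
            u.count -= 1;
            u.bytes -= size;
            if u.count == 0 {
                self.usage.remove(&peer);
            }
        }
    }
}

// Constructed scenario: peer 1 floods the pool, then peer 2 sends one message.
fn honest_peer_accepted(per_peer: bool) -> bool {
    let mut pool = ToyIngressPool::new(3, 1000, per_peer);
    for id in 0..10 {
        let _ = pool.insert(1, id, 100);
    }
    pool.insert(2, 100, 100).is_ok()
}

fn main() {
    println!("global limit:   peer 2 accepted = {}", honest_peer_accepted(false));
    println!("per-peer limit: peer 2 accepted = {}", honest_peer_accepted(true));
}
```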