Subnet Management - fuqsr (Application)

This topic is intended to capture Subnet Management activities over time for the fuqsr subnet, providing a place to ask questions and make observations about the management of this subnet.

At the time of creating this topic the current subnet configuration is as follows:

{
  "version": 44319,
  "records": [
    {
      "key": "subnet_record_fuqsr-in2lc-zbcjj-ydmcw-pzq7h-4xm2z-pto4i-dcyee-5z4rz-x63ji-nae",
      "version": 44319,
      "value": {
        "membership": [
          "mcmqr-z4yrw-7wnwf-au7wv-5f7az-fco3a-vuxx3-7lol5-sigpc-jtnqq-aqe",
          "kydvk-tokwg-vqxwp-xszgh-5reys-aprlz-jpyjd-uwhlz-rnii4-pijvj-yae",
          "4kimr-mx6yo-ncuyf-temzj-lii2h-ex7ub-gvopk-iecxu-3kkt7-wogi3-hae",
          "u6e7b-mgtes-r5nay-mmrcn-p3rns-hj2fn-74dn7-cp2mu-kk24k-ljfnm-2ae",
          "kaoz3-4okcl-24amq-v5y4k-vim56-4njvo-fwvyk-v4grq-kuqum-7zm3p-4qe",
          "st4fx-z43wu-xzc3a-vnajq-ts2u6-v5ws5-q36gu-5amxb-665e4-bsq2a-gqe",
          "aytiw-nezzr-cc3yp-lwl6o-r35hi-hnxsz-nfb7e-3bmy4-er6tf-wrtgv-dae",
          "wbz2k-b6che-eckjw-vdwro-gyxhj-276mr-lxijv-wvk6b-kdmqn-s7zzh-6qe",
          "jamsd-hvypj-w56fb-4cwvt-tqbmo-6652c-eaw2u-3njxg-5nfe7-ae6ht-bae",
          "3zg5o-ieoil-rbw5g-2tsbz-f7xzv-yadzw-g3ivi-t5u37-de7nq-4qe77-2qe",
          "pud2o-rtmqx-ym5vr-3isia-wojnu-xwqmn-qcsxu-ktsva-udz72-m3pkg-zae",
          "foasq-jql3g-5njm3-75iv5-5zlx3-lbods-dnsbj-k7srs-3isgp-k4wlo-tqe",
          "5fpvj-plxyb-bsyji-b4pp5-j47gg-vlkor-q6bhy-5bhmp-kjtu6-fqkjh-iqe"
        ],
        "nodes": {},
        "max_ingress_bytes_per_message": 2097152,
        "max_ingress_messages_per_block": 1000,
        "max_block_payload_size": 4194304,
        "unit_delay_millis": 1000,
        "initial_notary_delay_millis": 600,
        "replica_version_id": "a3831c87440df4821b435050c8a8fcb3745d86f6",
        "dkg_interval_length": 499,
        "start_as_nns": false,
        "subnet_type": "application",
        "features": {
          "canister_sandboxing": false,
          "http_requests": true,
          "sev_enabled": false
        },
        "max_number_of_canisters": 120000,
        "ssh_readonly_access": [
          ""
        ],
        "ssh_backup_access": [],
        "ecdsa_config": {
          "quadruples_to_create_in_advance": 1,
          "key_ids": [
            {
              "curve": "secp256k1",
              "name": "test_key_1"
            }
          ],
          "max_queue_size": 20,
          "signature_request_timeout_ns": null,
          "idkg_key_rotation_period_ms": 604800000
        },
        "chain_key_config": {
          "key_configs": [
            {
              "key_id": {
                "Ecdsa": {
                  "curve": "secp256k1",
                  "name": "test_key_1"
                }
              },
              "pre_signatures_to_create_in_advance": 1,
              "max_queue_size": 20
            },
            {
              "key_id": {
                "Schnorr": {
                  "algorithm": "bip340secp256k1",
                  "name": "test_key_1"
                }
              },
              "pre_signatures_to_create_in_advance": 1,
              "max_queue_size": 20
            }
          ],
          "signature_request_timeout_ns": 1800000000000,
          "idkg_key_rotation_period_ms": 604800000
        }
      }
    }
  ]
}

There’s an open proposal for changing subnet membership - Proposal: 131408 - ICP Dashboard (internetcomputer.org). This information is presented below:

• red marker represents a removed node
• green marker represents an added node
• highlighted patches represent the country a node sits within

image935×503 57.1 KB

The removed node is replaced with another node that’s also based in Germany. I’ve verified that this node is currently unassigned.

The proposal mentions that his change is needed due to the Munich (mu1) data centre being due for decommissioning. I have some questions about this @DRE-Team (please let me know if I should address this questions elsewhere in the future).

• This data centre appears to provide nodes for 21 subnets, but there’s currently only a proposal for 9 subnets (one each). Are the other proposals due to follow? Can I ask why they’re not all submitted together?
• Is there publicly accessible information anywhere that announces the planned decommissioning of this data centre?

Thanks in advance

Hi @Lorimer . Not sure if you saw, but there’s an answer to a related question about this set of proposals in this post. I’m not sure who is best to tag for questions of this type.

I’ve also asked a question here about other current proposals for this subnet.

Thanks @timk11, that clears up the mu1 data centre query

I responded to your other question, copied here for reference -

Thanks for providing further context @andrea. I have some questions about CUP proposals:

• How should a community member go about verifying that the proposed CUP is valid? This is particularly relevant for manually created CUPs during subnet recovery.
• Why does key resharing require a catchup package? Is this simply to ensure that in a worst case scenario the subnet does not recover to an earlier state prior to acquring the key (thereby loosing the key)?
• Subnets create a CUP every epoch without halting and restarting. Why does the subnet need to be halted and restarted when resharing keys?

Thanks @andrea, I’m looking forward to these sorts of proposals being announced on these threads in the future if that’s feasible

All very good questions!

Yes, that’s indeed tricky right now. I believe people are looking into improving the entire recovery process, but I am not the most up to date person on this. Let me ping some other team member.

• Why does key resharing require a catchup package? Is this simply to ensure that in a worst case scenario the subnet does not recover to an earlier state prior to acquiring the key (thereby loosing the key)?

Currently the only mechanism in place to deliver threshold keys to a subnet is via the registry in a catch-up package. This is the mechanism used during subnet creation and recovery, where the NIDKG keys are delivered to the subnet while it is not operating, as these are needed by the consensus protocol. The same mechanism is reused by ECDSA/Schnorr. The main reason for reusing this is that it is convenient and it does not introduce extra complexity. E.g. CUPs reference an height, which makes it easy for the nodes of a subnet to determine if the CUP in the registry is more recent than the local one and decide which one they should be using. If the keys are included, e.g., as separate records in the registry, the nodes would need to monitor this record for changes across multiple registry versions to decide whether they should use it or not.

In principle you could deliver the keys to a running subnet in other ways, e.g. using XNet communication. This is appealing but it adds some difficulties:

• Key resharing may fail: the source subnet may initiate the key resharing (e.g. as a result of a proposal or a subnet record update), but only deliver the key at a later time. In the meantime the subnet may have changed topology, and the delivered key may be unusable on the target subnet. These failures would need to be handled in some way.
• The registry should reflect whether a key resharing failed, e.g. by not including the key ID in the subnet record. If the registry is used to deliver the keys, it is possible to perform certain checks before updating the subnet record. If the keys are delivered in other ways, it becomes more difficult to reflect the result in the registry, or it may cause the registry to have long running open call contexts with multiple subnets, which may not be desirable.

• Subnets create a CUP every epoch without halting and restarting. Why does the subnet need to be halted and restarted when resharing keys?

In normal operation the subnet has all the information to create and agree on a CUP. In this case the key is on a different subnet, and it needs to be delivered to the backup subnet before this can be included in a normal CUP. The subnet has to be stalled, because the recovery CUP includes the last reported state hash from the subnet and the new key, but most importantly has a larger height than the last CUP of the subnet. If the recovery CUP was not executed with a stalled subnet, then either some subnet state will be lost, or the recovery CUP will be ignored by the subnet if it had already moved past that height.

Anyway, having the possibility of resharing to a running subnet sounds definitely like a good idea. So far these proposals have been very rare, so it did not seem very critical to support this given the extra complexity. As more keys are added to the IC and more dapps depend on them, this may change in the future.

Thanks for the detailed explanation @andrea! This is very helpful and much appreciated.

If there’s practically no means for the community to inspect and verify a catch up package, it seems the only prudent way to handle these proposals is to abstain or reject them (not with the intention of blocking the proposal, but to highlight the inability to cast a confident vote that doesn’t require trust). Does this sound like a reasonable way of looking at this?

One potential path to make progress on this front would be along the lines of

1. let replicas somehow expose the checkpoint hashes that they have
2. in case of an incident that requires recovery, introduce a proposal that lets replicas on a subnet create a special checkpoint at a certain height and stop there

With that, in case of some stall or crash loop or so, we could submit a proposal that lets replicas take a checkpoint at the latest computable state, which users can then see because the checkpoint hashes are exposed, and then finally a proposal can set a new recovery CUP with that state hash.

This sounds great I think until something like this is implemented I’ll plan to reject these sorts of proposals (just to keep some visibility on the need for this feature).

As a separate but related question, it’s often critical for these proposals to be accepted promptly to minimise disruption - in a theoretical future where governance power is significantly more decentralised than it is now, what mechanisms would be employed to encourage these sorts of proposals to be reviewed promptly by the community (or is this too far away to be a concern right now)?

Yeah I thought about it a bit. With the following mechanism and plans to incentivize being followed, I expect that in the near future, a handful of voting neurons have significant voting power and be required to reach >50% VP. Those neurons would have a lot of responsibility, and I think one part of that responsibility would be that they can somehow be contacted in case of emergency and help with quick verification and voting on urgent proposals (which should be extremely rare).

With periodic confirmation, hopefully neuron holders once in a while carefully think about who they follow and whether the neuron they follow is doing a good job handling that responsibility or not. If the neuron I follow does not actually help vote quickly in case of emergency, I would consider delegating my voting power to someone else.

Quickly and accurately. A quick automatic yes or no is of course also not cool.

Proposal 132215

This proposal sets the notarisation delay of the subnet to 300ms, down from 600ms. The change will increase the block rate of the subnet, aimed to reduce latency of update calls.

This is the same subnet config update that was applied to the canary subnet last week, which has held a steady and impressive block rate since. More context is available here → Reducing End to End latencies on the Internet Computer

This looks like a low risk config update for this subnet. fuqsr is an application subnet with 0 canisters, and it’s also the backup test key subnet. I do have a couple of questions though.

image1247×726 46.7 KB

@dsharifi, metrics currently show that this subnet:

• is processing 0.00 transactions per second, yet blocks are being produced (1.28 per second). What do these blocks contain if not transactions?
• is burning cycles periodically, but there are no canisters running. Can I ask what the cause of these burnt cycles and transactionless blocks is?

• is processing 0.00 transactions per second, yet blocks are being produced (1.28 per second). What do these blocks contain if not transactions?

• is burning cycles periodically, but there are no canisters running. Can I ask what the cause of these burnt cycles and transactionless blocks is?

The cycles are being burnt through threshold ECDSA and Schnorr signatures. For every tECDSA/tSchnorr key, there is typically only one subnet that creates signatures with that key, and signing requests are routed to that subnet. fuqsr is the signing subnet for the test ECDSA and schnorr keys. What happens is that certain canisters on other subnets request signatures, which are routed to fuqsr where the signature is created, leading to the cycles being burnt there.

Subnet fuqsr is being made public by → Expanding the list of Public Subnets on the Internet Computer - Governance / NNS proposal discussions - Internet Computer Developer Forum (dfinity.org)