Skip to content

RandomX sustained-hash performance authority#15

Draft
Deadbytes101 wants to merge 132 commits into
stability/hive-exit-gatesfrom
performance/randomx-sustained-hash
Draft

RandomX sustained-hash performance authority#15
Deadbytes101 wants to merge 132 commits into
stability/hive-exit-gatesfrom
performance/randomx-sustained-hash

Conversation

@Deadbytes101

@Deadbytes101 Deadbytes101 commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Purpose

Start the performance phase defined by #14: maximize sustained RandomX H/s while preserving fail-closed appliance behavior and exact-image stability.

Physical evidence driving this batch

  • Intel Core i3-2310M, 2C/4T, 3 MiB L3
  • exact 2-thread baseline around 340.7–341.2 H/s at 60 seconds
  • accepted shares with zero rejects during the baseline window
  • regular huge pages at 100%
  • package temperature approximately 81 C on the test system
  • miner remains unprivileged as rigos

RandomX MSR authority

  • exact allowlist: GenuineIntel family 6 model 42
  • register 0x1a4, target value 0xf
  • snapshot every original per-CPU value before mutation
  • per-CPU write and readback
  • rollback after partial failure
  • retain restore state when rollback is incomplete
  • restore original values on service stop
  • discard stale runtime state across reboot
  • serialize apply/restore with an exclusive runtime lock
  • optional through Wants= rather than Requires=
  • authority limited to CAP_SYS_MODULE and CAP_SYS_RAWIO
  • behavioral tests and built-image verification

Persistent SSH host identity

Added after physical power-loss testing proved that package-generated host keys lived in the ephemeral live overlay.

  • generate one ED25519 host key under /var/lib/rigos/system/ssh-hostkeys
  • root-owned persistent namespace
  • atomic staging, fsync, and rename
  • manifest with fingerprint and public-key SHA256
  • verify private/public pairing and exact ownership/modes every boot
  • reuse the same key across later boots
  • fail closed on partial, missing, unsafe, mismatched, or invalid existing identity state
  • order rigos-state-ready.service -> rigos-ssh-hostkeys.service -> ssh.service
  • make ssh.service require the persistent identity authority
  • remove package-generated host keys during image construction
  • reject baked SSH host keys in source and exact-image verification

Authenticated miner observability

Added after physical testing exposed a false no_recent_speed_evidence state while XMRig was still connected and accepting work.

  • enable XMRig HTTP API only on 127.0.0.1:18080
  • generate an unpredictable per-boot API token under /run/rigos/xmrig-api-token
  • reuse the exact token across serialized runtime renders in the same boot
  • force restricted=true
  • remove the token from the public runtime config
  • query GET /2/summary with Bearer authorization
  • collect 10-second, 60-second, and 15-minute hashrate, pool state, shares, failures, ping, uptime, algorithm, and huge-page evidence
  • retain bounded journal fallback for API startup or failure cases
  • classify from API truth before journal heuristics
  • sandbox the observer to loopback IPv4 only
  • add source behavioral tests and a dedicated exact-image verifier

BASED cleanup

The temporary raw HiveOS filesystem import was removed from this branch before the RIGOS-native patch was applied. Security rotation and unreachable-object cleanup are tracked in #17.

Non-goals

  • no blind governor change
  • no overclocking
  • no 1 GiB pages without hardware support
  • no HiveOS parity claim
  • no release version bump
  • no imported HiveOS scripts, private keys, password hashes, or machine configuration
  • no automatic miner restart or machine reboot from the observer in this batch

Completed physical gates

  • physical MSR apply/readback
  • clean MSR restore/reapply
  • forced miner crash/restart
  • network unplug/replug recovery
  • hard power-loss state/filesystem/service recovery

Required gates before merge

  • authoritative source verification at the current head
  • exact image construction and image-level authority verification
  • first-boot persistent SSH fingerprint capture
  • clean reboot with the same SSH fingerprint
  • hard power-loss reboot with the same SSH fingerprint
  • authenticated XMRig API evidence on the physical node
  • observer reports ready from API evidence rather than journal-only evidence
  • API remains unreachable from non-loopback interfaces
  • sustained before/after 15-minute RandomX H/s comparison with working cooling
  • thermal and rejected-share comparison
  • rollback/A-B validation
  • 24-hour one-node endurance
  • 7-day three-node endurance

This PR must remain draft and unmerged until the exact rebuilt image and all required physical gates pass.

Copy link
Copy Markdown
Owner Author

Source gate follow-up: rustfmt-only fix

The first local authoritative run stopped at cargo fmt --all -- --check before any behavioral test executed.

Observed diff was formatting-only in crates/rigos-config/tests/randomx_msr_authority.rs:

  • multiline fs::write calls
  • multiline assertion formatting

No MSR authority logic, systemd wiring, capability boundary, register, target value, rollback behavior, or image verifier contract changed.

Formatted head: 60eb695fe14424f25b005e7e3dde45d65b7a1a41.

Required next step: fast-forward local branch and rerun the complete authoritative source gate from the beginning. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

RandomX performance authority source gate: PASS

Exact head: 528c4e4a162089fec8f2568337ec1dda45085b65

Authoritative local verification completed successfully from the Windows checkout through WSL.

Passed:

  • Alpha8 non-login builder entrypoint contract
  • Python MSR authority syntax
  • shell syntax for build/image verification entrypoints
  • cargo fmt --all -- --check
  • RandomX MSR behavior suite: 4/4
    • optional/narrow wiring
    • supported CPU apply + idempotence + restore
    • unsupported CPU truth path
    • partial failure rollback path
  • existing Hive-exit shell/image contracts
  • complete workspace tests and doc-tests
  • schema check
  • release build
  • systemd ordering verification
  • full RIGOS verification

Final marker:

RANDOMX_PERFORMANCE_AUTHORITY_VERIFICATION=PASS

The earlier standalone grep helper failed due to PowerShell quoting only; the actual Alpha8 checker and full authoritative gate both passed. PR remains draft and unmerged. Next permitted step is a fresh exact image build from this head with built-image MSR authority verification.

Copy link
Copy Markdown
Owner Author

Pre-image safety hardening added

New exact head: c84dee38784becd7cb18fa26b8bc31b5cd655736

A review after the first source PASS found one unsafe edge: an MSR apply could partially fail, retain mutation state, and still leave the optional baseline miner path eligible to start.

This batch closes that edge without adding a privileged miner path:

  • existing unprivileged rigos-miner-gate now validates the atomic RandomX MSR authority status on the production state path
  • production requires current boot ID, exact register 0x1a4, exact target 0xf, and a safe authority outcome
  • ready requires restore state to exist
  • unsupported and unavailable are allowed only with no mutation state
  • fully rolled-back apply failure is allowed only with no retained state
  • partial/incomplete rollback, stale status, malformed status, or missing restore state denies miner start
  • synthetic custom-state fixtures remain compatible unless explicit MSR fixture paths are supplied
  • RandomX behavior tests now verify ready and unsupported paths are allowed while incomplete rollback is denied
  • built-image verification now checks the kernel msr module, kmod/modprobe, enabled service symlink, authority bytes, unprivileged miner wiring, and MSR safety markers inside squashfs

The prior source PASS is superseded by this head. PR remains draft and unmerged. A fresh authoritative source gate is required before image construction.

Copy link
Copy Markdown
Owner Author

RandomX MSR miner-gate authoritative source verification: PASS

Exact head: 3b8f051b521b52e6e606750499701af4c93cde1f

Local Windows + WSL authoritative verification completed successfully.

Passed:

  • Python syntax for rigos-randomx-msr and rigos-miner-gate
  • shell syntax for build/image verification entrypoints
  • production fail-closed markers
  • cargo fmt --all -- --check
  • RandomX MSR + miner-gate behavior: 4/4
    • exact optional/narrow wiring
    • supported CPU apply, idempotence, and restore
    • unsupported CPU non-mutating baseline path
    • incomplete rollback denied by miner gate
  • miner stability regression suite: 2/2
  • Alpha8 non-login builder contract
  • complete workspace tests and doc-tests
  • schema generation check
  • release build
  • systemd ordering verification
  • full RIGOS verification

Final marker:

RANDOMX_MSR_MINER_GATE_AUTHORITY=PASS

This supersedes all prior source-gate evidence for older heads. PR remains draft and unmerged. Fresh exact image construction from this SHA is now authorized; physical MSR/H/s claims remain blocked until built-image verification and controlled hardware testing pass.

Copy link
Copy Markdown
Owner Author

Exact image build launcher compatibility failure

The authorized source head remained exact at 3b8f051b521b52e6e606750499701af4c93cde1f and rootful Podman was confirmed (PODMAN_ROOTLESS=false).

The build stopped before the builder image was created because this installed Podman version parses podman build --pull as a boolean flag and rejected --pull=never:

Error: invalid argument "never" for "--pull" flag

Impact:

  • no builder image was created
  • no appliance build started
  • no artifact was generated or modified
  • source and image authority status remain unchanged

Corrected launcher must use --pull=false (or omit the flag) for this host. PR remains draft and unmerged; exact image build evidence is still pending.

Copy link
Copy Markdown
Owner Author

Exact image build launcher parse failure

Exact source remained 3b8f051b521b52e6e606750499701af4c93cde1f and rootful Podman was confirmed.

The retry did not start the builder. The generated shell script contained blank lines between backslash-continuation lines, so Bash terminated the continuation early and failed near the first artifact token ("$image"). The PowerShell cleanup command had the same issue with backtick continuation and prompted for Path[0].

Impact:

  • no builder image was created
  • no appliance build started
  • no artifact was archived, generated, or modified
  • source gate remains valid
  • exact image gate remains pending

Next retry uses a continuation-free launcher: single-line Podman commands, Bash arrays for artifact lists, and a single-line Remove-Item cleanup.

Copy link
Copy Markdown
Owner Author

Obsolete namespace hygiene false-positive removed without weakening the gate

Evidence from head 8741c9d25b064d20da74f6c98d24c72f9e433070:

  • lifecycle LF attribute and direct /bin/sh -n check passed
  • Linux workspace tests passed
  • authenticated miner stability passed, 2/2
  • schema generation passed
  • optimized release build passed
  • systemd ordering verification passed
  • source gate stopped only at the obsolete namespace scan
  • reported matches were self-references in the WSL regression test and developer documentation, not runtime or appliance namespace leaks

Current correction at 4c8b4acf0d8298b255d54d7498638d6bcb3f4424:

  • renamed the document heading to RIGOS WINDOWS SOURCE GATE
  • replaced the operator-specific direct Linux checkout path with /path/to/rigos-checkout
  • retained the hard-coded checkout regression by constructing the forbidden string at test runtime
  • did not add exclusions to scripts/verify.sh
  • did not weaken the obsolete namespace scan

No Linux source PASS is claimed until the complete source gate passes at the new head. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Runtime dependency scan made token-aware and fail-closed

Evidence from head 4c8b4acf0d8298b255d54d7498638d6bcb3f4424:

  • Windows formatting passed
  • WSL regression passed, 3/3
  • Linux workspace tests passed
  • authenticated miner stability passed, 2/2
  • schema generation passed
  • optimized release build passed
  • systemd ordering verification passed
  • source gate stopped only because the bare regex token latest matched benign identifiers such as latest_journal_signal

Current correction at ec2ce3010af88cee37ee9d09a34ed57f41db3ad8:

  • added scripts/verify-runtime-dependencies.sh
  • scanner matches command/floating-version tokens only at identifier boundaries
  • benign identifiers containing latest with underscores remain allowed
  • curl, wget, Invoke-WebRequest, :latest, /latest/, version=latest, and *-latest.tar.gz remain rejected
  • match exit 0 is converted to policy denial exit 1
  • no-match exit 1 is accepted
  • scanner errors remain fail-closed and propagate
  • missing scan target is rejected with exit 66
  • scripts/verify.sh now delegates to the scanner instead of using the bare inline regex
  • Unix behavioral fixtures exercise benign, dangerous, and missing-target paths

Diff audit from the previous head shows exactly three intended files: scanner added, behavioral test extended, and verifier inline block replaced. No Linux source PASS is claimed until the complete gate passes at the new head. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Runtime dependency scanner formatting-only follow-up

Evidence from head ec2ce3010af88cee37ee9d09a34ed57f41db3ad8:

  • token-aware scanner passed against the real appliance tree
  • scanner behavioral integration passed, 3/3
  • dangerous fixtures were correctly rejected
  • benign latest_* identifiers were accepted
  • missing scan target was rejected with exit 66
  • complete WSL source gate stopped before behavioral execution only because cargo fmt --all -- --check required one assertion to be wrapped differently

Current head 01bf2c1766d141d30292a63c920dcd2610af6b82 applies only the exact rustfmt output in hive_exit_shell_syntax.rs. Scanner behavior, policy boundaries, verifier wiring, and fixtures are unchanged.

No Linux source PASS is claimed until the complete gate passes at this head. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Scanner integration no longer self-triggers the production command guard

Evidence from head 01bf2c1766d141d30292a63c920dcd2610af6b82:

  • formatting passed
  • token-aware runtime dependency scanner passed, 3/3
  • complete Linux workspace tests passed
  • authenticated miner stability passed, 2/2
  • schema check passed
  • optimized release build passed
  • systemd ordering verification passed
  • source gate stopped only because the Rust integration test itself used three literal Command::new("bash") calls, which the intentionally broad forbidden external command guard detected
  • worktree and Python cache checks remained clean

Current correction at 1ffb9be2343618596942df372ed1dc01dc82b9e1:

  • production verifier and its broad crates/ scan remain unchanged
  • test copies verify-runtime-dependencies.sh into its temporary directory
  • copied scanner is assigned mode 0755
  • test executes the scanner directly through its real #!/usr/bin/env bash shebang
  • no literal Bash command spawn remains in the Rust integration
  • scanner policy, negative fixtures, missing-target behavior, and verifier wiring remain unchanged

No Linux source PASS is claimed until the complete source gate passes at this head. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Runtime dependency scanner fixture topology corrected

Evidence from head 1ffb9be2343618596942df372ed1dc01dc82b9e1:

  • Windows formatting passed
  • Linux workspace tests advanced into hive_exit_shell_syntax
  • lifecycle LF and shell syntax tests passed
  • runtime dependency scanner test failed before benign fixture validation
  • root cause: the copied scanner executable lived inside the same directory passed as the scan target, so the scanner matched its own latest regex source line
  • production wiring is not affected because the real scanner lives under scripts/ while the target is build/usb/includes.chroot

Current correction at 527fdbdc49f7b94b26aab2c2386463d261672cf4:

  • temporary scanner remains at the fixture root
  • scanned content now lives under a separate scan-root/ directory
  • benign and dangerous fixtures are written only inside scan-root/
  • scanner executes outside its own target, matching production topology
  • scanner policy, target validation, negative fixtures, production verifier, and external-command guard remain unchanged

No Linux source PASS is claimed until the targeted scanner integration and complete source gate pass at this head. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Authoritative Linux source gate: PASS

Exact head: 527fdbdc49f7b94b26aab2c2386463d261672cf4

Authoritative verification completed successfully from the Windows checkout through WSL Ubuntu.

Passed:

  • clean fast-forward to the exact PR head
  • clean worktree before verification
  • cargo fmt --all -- --check
  • targeted runtime dependency scanner integration: 3/3
    • lifecycle LF attribute
    • POSIX shell parsing
    • token-aware and fail-closed dependency scan
  • complete locked Rust workspace tests and doc-tests
  • first-boot, state, recovery, identity, import, runtime publication, and exact-image source contracts
  • authenticated XMRig API authority suites
  • miner stability integration: ready, waiting_external, degraded, unknown, and blocked
  • RandomX MSR authority: 4/4
  • WSL launcher and Python bytecode isolation: 3/3
  • schema generation check
  • optimized workspace release build
  • systemd ordering verification
  • namespace, secret, runtime-command, provenance, and dependency hygiene gates
  • final source verification marker
  • clean worktree after verification
  • no source-tree __pycache__ directories after verification

Final markers:

RIGOS systemd ordering verification passed
RIGOS verification passed
RIGOS_WSL_SOURCE_GATE=PASS

This supersedes source-gate evidence for all earlier heads. The current head is now authorized for fresh exact-image construction and built-image authority verification.

No exact-image or new physical PASS is claimed by this source result. PR remains draft and unmerged until the rebuilt image and remaining physical/endurance gates pass.

Copy link
Copy Markdown
Owner Author

Exact-image construction authorized from source-PASS head

Authorized source commit:

527fdbdc49f7b94b26aab2c2386463d261672cf4

The source tree is intentionally unchanged after the authoritative PASS. Exact-image construction must use the existing builder pipeline at this commit rather than adding another launcher commit and invalidating the source evidence.

Builder contract:

  • rootful Podman
  • build/usb/Dockerfile
  • --pull=false for host Podman compatibility
  • privileged container for loop devices, mounts, GRUB, and filesystem construction
  • repository bind-mounted read/write at /source
  • existing scripts/build-usb-image-entrypoint.sh performs preflight, image construction, appliance verification, RandomX image verification, and authenticated miner-observer image verification

Expected artifacts:

  • dist/usb/rigos-usb-amd64-0.0.4-alpha.8.img
  • dist/usb/rigos-usb-amd64-0.0.4-alpha.8.img.sha256
  • dist/usb/rigos-usb-amd64-0.0.4-alpha.8.build-manifest.json
  • dist/usb/rigos-recovery-amd64-0.0.4-alpha.8.iso
  • dist/usb/rigos-recovery-amd64-0.0.4-alpha.8.iso.sha256

Required built-image evidence:

  • manifest source_commit exactly equals the authorized SHA
  • image and recovery checksums pass
  • appliance layout and embedded payload verification pass
  • no baked SSH host key
  • persistent SSH host-key authority is present and enabled
  • RandomX MSR kernel/authority/miner-gate verification passes
  • authenticated loopback XMRig observer image verification passes

No image PASS is claimed until the host build completes, the independent post-build verifier succeeds, and artifact hashes/manifest are captured. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Exact-image build attempt incomplete; source head unchanged

Authorized source head remains:

527fdbdc49f7b94b26aab2c2386463d261672cf4

Observed host evidence:

  • rootful builder image localhost/rigos-usb-builder:527fdbd built successfully
  • container preflight passed Alpha8 SSH/recovery/host-key checks, systemd ordering, authenticated miner observer suites, RandomX build entrypoint, and RandomX MSR authority
  • release binaries built and pinned XMRig 6.26.0 archive/binary hashes passed
  • Debian live-build progressed through squashfs and EFI binary stages
  • the container returned to PowerShell immediately after lb binary_checksums / Begin creating binary sha256sum.txt
  • no RIGOS appliance: output appeared
  • no appliance, RandomX image, or miner-observer image PASS marker appeared
  • no image manifest or checksum artifacts were available to the follow-up commands
  • independent verifier invocation was also corrupted by Windows PowerShell to bash -lc native argument transport and reached verify-usb-appliance.sh without its two arguments
  • the manifest/hash command likewise lost shell variables, producing empty-path jq and sha256sum errors
  • repository worktree remained clean

No exact-image PASS is claimed. The next attempt must:

  1. invoke WSL/Podman with direct argument arrays rather than bash -lc command strings containing variables or nested quoting;
  2. capture and print the Podman container exit code;
  3. stop immediately if the build returns nonzero or expected artifacts are absent;
  4. run each image verifier as a separate direct container invocation with explicit arguments;
  5. only then validate manifest source SHA and artifact checksums.

PR remains draft and unmerged. Source-gate evidence remains valid because no repository source changed.

Copy link
Copy Markdown
Owner Author

Authoritative exact-image gate: PASS

Authorized source commit:

527fdbdc49f7b94b26aab2c2386463d261672cf4

The rebuilt RIGOS image and recovery ISO completed successfully from the exact source-PASS head.

Build evidence:

  • rootful Podman builder completed with exit 0
  • Debian live-build completed successfully
  • hybrid recovery ISO was produced successfully
  • DOS/MBR appliance image was created with disk identifier 0x5249474f
  • BIOS GRUB installation passed
  • removable x86_64 UEFI installation passed
  • builder-integrated appliance verification passed
  • builder-integrated recovery ISO verification passed
  • builder-integrated RandomX performance verification passed
  • builder-integrated authenticated XMRig observer image verification passed

Produced artifacts:

  • dist/usb/rigos-usb-amd64-0.0.4-alpha.8.img2685403136 bytes
  • dist/usb/rigos-usb-amd64-0.0.4-alpha.8.img.sha256
  • dist/usb/rigos-usb-amd64-0.0.4-alpha.8.build-manifest.json3019 bytes
  • dist/usb/rigos-recovery-amd64-0.0.4-alpha.8.iso772800512 bytes
  • dist/usb/rigos-recovery-amd64-0.0.4-alpha.8.iso.sha256

Independent post-build verification also passed:

  • USB appliance layout, payload, service ordering, and embedded authority verification
  • recovery ISO verification
  • RandomX kernel MSR support detected as module
  • persistent SSH host-key image authority verification
  • authenticated loopback XMRig observer image verification
  • image checksum file matched the image
  • recovery checksum file matched the recovery ISO
  • manifest artifact name, size, SHA-256, and source commit matched

Manifest evidence:

schema              = rigos.image-build-manifest/v2
source_commit       = 527fdbdc49f7b94b26aab2c2386463d261672cf4
image_version       = 0.0.4-alpha.8
artifact            = rigos-usb-amd64-0.0.4-alpha.8.img
artifact_sha256     = c7d791f721ea41367c0d2a5256519b0028b6c2a16fd65f1d1d4724f42124d7d2
artifact_size_bytes = 2685403136
kernel              = 6.1.0-50-amd64

Final host marker:

RIGOS_EXACT_IMAGE_GATE=PASS

The repository worktree remained clean after construction and verification.

This supersedes all earlier incomplete exact-image attempts. The source and exact-image gates are now authoritative PASS at the current PR head.

No new physical-node, sustained-hash, thermal, rollback/A-B, or endurance PASS is claimed by this result. PR remains draft and unmerged until the remaining physical gates complete.

Copy link
Copy Markdown
Owner Author

Physical deployment: first boot and initial SSH identity captured

Exact image under test:

  • source commit: 527fdbdc49f7b94b26aab2c2386463d261672cf4
  • image: rigos-usb-amd64-0.0.4-alpha.8.img
  • image SHA-256: c7d791f721ea41367c0d2a5256519b0028b6c2a16fd65f1d1d4724f42124d7d2

USB write evidence from Rufus:

  • image recognized as a bootable disk image with GRUB 2.0 MBR
  • disk identifier: 0x5249474F
  • MBR partition table with four expected partitions
  • partition 1: FAT32 LBA, 256 MiB, bootable, start sector 2048
  • partition 2: ext4, 1 GiB, start sector 526336
  • partition 3: ext4, 1 GiB, start sector 2623488
  • partition 4: ext4, 256 MiB, start sector 4720640

Physical first-boot evidence:

  • exact image booted successfully on the physical node
  • SSH reached the node at 192.168.1.80
  • host key algorithm: ED25519
  • initial fingerprint captured:
SHA256:un9hvq9MHOw3SH4xpPBXphnQF1TMHbadBXgLjJRB0GA
  • rigosadmin password authentication succeeded
  • interactive shell reached on Debian kernel 6.1.0-50-amd64

This closes only the physical first-boot and initial fingerprint-capture gate.

Still pending before merge:

  • clean reboot with the exact same SSH fingerprint
  • hard power-loss reboot with the exact same SSH fingerprint
  • authenticated XMRig API loopback evidence
  • proof that the API is unreachable from non-loopback interfaces
  • observer ready state sourced from XMRig HTTP API truth
  • sustained RandomX H/s, thermal, accepted/rejected-share A/B evidence
  • rollback validation
  • 24-hour one-node endurance
  • 7-day three-node endurance

No SSH fingerprint persistence PASS is claimed yet. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Physical clean-reboot persistence and authenticated XMRig API: PASS

Exact image under test remains:

  • source commit: 527fdbdc49f7b94b26aab2c2386463d261672cf4
  • image SHA-256: c7d791f721ea41367c0d2a5256519b0028b6c2a16fd65f1d1d4724f42124d7d2

Clean reboot SSH identity persistence

First boot:

boot_id     = 690c3c24-e0b6-4fa6-ae8c-1c930f4f6ca6
fingerprint = SHA256:un9hvq9MHOw3SH4xpPBXphnQF1TMHbadBXgLjJRB0GA
reused      = false
outcome     = ready

After systemctl reboot:

boot_id     = c84bfc97-297f-47f8-96b5-c4bec3f61fb4
fingerprint = SHA256:un9hvq9MHOw3SH4xpPBXphnQF1TMHbadBXgLjJRB0GA
reused      = true
outcome     = ready

Additional evidence:

  • SSH reconnected without a new authenticity prompt
  • no host-key mismatch warning occurred
  • on-disk public key fingerprint remained exactly unchanged
  • persistent path remained /var/lib/rigos/system/ssh-hostkeys/ssh_host_ed25519_key
  • rigos-state.service, rigos-state-ready.service, rigos-ssh-hostkeys.service, and ssh.service were all active

This closes the clean-reboot SSH fingerprint persistence gate.

Authenticated XMRig API and observer truth

Physical observer result:

state           = ready
reason          = null
evidence_source = xmrig_http_api
api_available   = true
endpoint        = http://127.0.0.1:18080/2/summary
hashrate_10s    = 189.33
hashrate_60s    = 195.82
hashrate_15m    = 201.83
pool_connected  = true
accepted        = 30
rejected        = 0
hugepages       = 1170 / 1170

Direct authenticated API result:

algorithm       = rx/0
hashrate        = 195.49 / 195.85 / 201.69 H/s
highest         = 229.02 H/s
pool            = 139.99.69.109:10001
connection      = active
failures        = 0
accepted        = 30
rejected        = 0
hugepages       = 1170 / 1170

Socket binding evidence:

127.0.0.1:18080

The observer therefore reached ready from authenticated XMRig HTTP API truth rather than journal-only evidence.

Closed by this evidence:

  • clean reboot with identical persistent SSH fingerprint
  • authenticated XMRig API on loopback
  • observer ready from xmrig_http_api
  • current hashrate present
  • active pool connection
  • accepted shares with zero rejects
  • complete huge-page allocation

Still pending before merge:

  • remote negative test proving port 18080 is unreachable from a non-loopback host
  • hard power-loss reboot with the same SSH fingerprint
  • sustained RandomX 15-minute A/B comparison with thermal evidence
  • rollback validation
  • 24-hour one-node endurance
  • 7-day three-node endurance

No hard-power-loss, external API isolation, sustained-performance, rollback, or endurance PASS is claimed yet. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Physical external API isolation and hard power-loss persistence: PASS

Exact image under test remains:

  • source commit: 527fdbdc49f7b94b26aab2c2386463d261672cf4
  • image SHA-256: c7d791f721ea41367c0d2a5256519b0028b6c2a16fd65f1d1d4724f42124d7d2

External API isolation

Windows host evidence:

source address      = 192.168.1.41
target              = 192.168.1.80:18080
ping                 = successful
TCP connection       = failed
TcpTestSucceeded     = False

The node was reachable over the network while the XMRig HTTP API port remained unreachable from a non-loopback host. This closes the external API isolation gate.

Hard power-loss SSH identity persistence

Before power interruption:

boot_id     = c84bfc97-297f-47f8-96b5-c4bec3f61fb4
fingerprint = SHA256:un9hvq9MHOw3SH4xpPBXphnQF1TMHbadBXgLjJRB0GA
reused      = true
outcome     = ready

The persistent state was explicitly synchronized, then the SSH connection was reset by the physical power interruption.

After power restoration and reboot:

boot_id     = 472af469-36fe-4ca5-8bc6-3b3057199b0c
fingerprint = SHA256:un9hvq9MHOw3SH4xpPBXphnQF1TMHbadBXgLjJRB0GA
reused      = true
outcome     = ready
persistent  = /var/lib/rigos/system/ssh-hostkeys/ssh_host_ed25519_key

Additional evidence:

  • SSH reconnected without a new authenticity prompt
  • no host-key mismatch warning occurred
  • on-disk ED25519 public-key fingerprint remained unchanged
  • rigos-state.service active
  • rigos-state-ready.service active
  • rigos-ssh-hostkeys.service active
  • ssh.service active
  • rigos-miner.service active

This closes the hard power-loss SSH fingerprint persistence and core service-recovery gates.

Closed by this evidence:

  • external API isolation from a non-loopback host
  • hard power-loss reboot with identical persistent SSH fingerprint
  • persistent host-key reuse after abrupt power loss
  • state, SSH authority, SSH daemon, and miner service recovery after abrupt power loss

Still pending before merge:

  • sustained RandomX 15-minute A/B comparison with thermal evidence
  • rollback validation
  • 24-hour one-node endurance
  • 7-day three-node endurance

No sustained-performance, rollback, or endurance PASS is claimed yet. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Physical RandomX MSR rollback and reapply: PASS

Exact image under test remains:

  • source commit: 527fdbdc49f7b94b26aab2c2386463d261672cf4
  • image SHA-256: c7d791f721ea41367c0d2a5256519b0028b6c2a16fd65f1d1d4724f42124d7d2
  • physical boot ID during the test: 472af469-36fe-4ca5-8bc6-3b3057199b0c

Applied state before rollback

outcome      = ready
register     = 0x00000000000001a4
target_value = 0x000000000000000f
state file   = present

All four logical CPUs reported:

original = 0x0000000000000000
readback = 0x000000000000000f

Explicit rollback

The miner was stopped, followed by rigos-randomx-msr.service.

Result:

outcome            = restored
reason             = null
rollback.attempted = true
rollback.complete  = true
state file         = absent

All four logical CPUs reported exact restoration:

original = 0x0000000000000000
readback = 0x0000000000000000

Marker:

RIGOS_MSR_ROLLBACK_STATE_CLEARED=PASS

Reapply

After starting rigos-randomx-msr.service again:

outcome      = ready
reason       = null
target_value = 0x000000000000000f
state file   = present

All four logical CPUs reported:

original = 0x0000000000000000
readback = 0x000000000000000f

Marker:

RIGOS_MSR_REAPPLY_STATE_PRESENT=PASS

Miner recovery after reapply

After restarting the miner and allowing a 60-second recovery window:

rigos-randomx-msr.service = active
rigos-miner.service       = active
rigos-miner-health.timer  = active
state                     = ready
reason                    = null
evidence_source           = xmrig_http_api
hashrate_10s              = 204.62 H/s
pool_connected            = true
accepted                  = 1
rejected                  = 0

This closes the physical MSR rollback, exact readback restoration, state cleanup, reapply, miner-gate recovery, and post-reapply API-readiness gates.

Still pending before merge:

  • sustained RandomX 15-minute A/B comparison with thermal evidence
  • 24-hour one-node endurance
  • 7-day three-node endurance

No sustained-performance or endurance PASS is claimed yet. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Physical thread-matrix preflight captured

Exact image under test remains:

  • source commit: 527fdbdc49f7b94b26aab2c2386463d261672cf4
  • image SHA-256: c7d791f721ea41367c0d2a5256519b0028b6c2a16fd65f1d1d4724f42124d7d2

Current XMRig candidate truth:

configured max-threads-hint = 2
startup mining profile       = rx, 2 threads
READY                        = 2/2 threads
huge pages                   = 100%, 1168/1168 dataset + 2/2 mining threads
assembly                     = auto:none
miner user                   = rigos
systemd restarts             = 0
MSR 0x1a4                    = 0xf on CPUs 0-3

Current observer snapshot after approximately 298 active seconds:

state            = ready
evidence_source  = xmrig_http_api
hashrate_10s     = 206.29 H/s
hashrate_60s     = 207.80 H/s
hashrate_15m     = unavailable during warm-up
highest          = 224.39 H/s
pool_connected   = true
connection fails = 0
accepted/rejected= 4/0
hugepages        = 1170/1170
restart_count    = 0

Thermal and clock discovery:

x86 package thermal zone = 84 C
coretemp package          = 85 C
core 0                    = 85 C
core 1                    = 84 C
dell_smm CPU              = 85 C
sampled scaling clocks    = approximately 1.196-1.199 GHz
governor                  = schedutil

Interpretation:

  • current candidate is confirmed as 2 mining threads, not an unknown auto-thread count
  • XMRig command-line thread override is available, but production benchmarking must not bypass RIGOS config/miner/MSR authority
  • the current ~208 H/s sample is warm-up-only and cannot be used as a sustained result
  • thermal headroom is already narrow at 84-85 C
  • the low sampled clocks require sustained sampling during each candidate; a one-time cpufreq snapshot is not enough to distinguish idle sampling from thermal throttling

No candidate winner or sustained-performance PASS is claimed. The next action is a controlled 1/2/3/4-thread matrix with one variable changed at a time and exact JSON evidence per 15-minute candidate.

Copy link
Copy Markdown
Owner Author

Physical 2-thread candidate: thermal gate BLOCKED

Exact image under test remains:

  • source commit: 527fdbdc49f7b94b26aab2c2386463d261672cf4
  • image SHA-256: c7d791f721ea41367c0d2a5256519b0028b6c2a16fd65f1d1d4724f42124d7d2

Runtime authority wiring was confirmed:

  • production miner process uses /usr/lib/rigos/xmrig -c /run/rigos/xmrig.json
  • rigos-miner-gate, rigos-runtime-authority, and rigos-runtime-gate all passed
  • miner runs as user rigos
  • runtime status reports thread_mode=exact, exact_threads=2
  • runtime HTTP API is enabled only on 127.0.0.1:18080, restricted, with token under /run/rigos/xmrig-api-token
  • private runtime SHA-256 is published
  • production persistent revision remains unchanged

Thread placement was also correct:

  • topology: 2 physical cores / 4 logical CPUs
  • mining workers ran on logical CPUs 1 and 3, one sibling from each physical core
  • each worker consumed approximately 100% CPU
  • no affinity collapse onto one physical core was observed

Thermal evidence:

coretemp critical threshold = 85 C
package temperature         = 84-85 C
core 0                      = 85 C
core 1                      = 83-84 C

A 60-second, 12-sample clock/thermal probe showed:

package temperature = 84-85 C for every sample
logical CPU clocks   = approximately 1.10-1.30 GHz
hardware maximum     = 2.10 GHz

The low clock is therefore sustained under the 2-thread mining load and not a single idle sampling artifact. The candidate is operating at the platform thermal limit and is materially downclocked.

Decision:

  • 2-thread sustained-performance candidate is thermally blocked in the current cooling condition
  • 3-thread and 4-thread candidates are not authorized because they cannot satisfy the thermal safety gate and would add load to an already critical system
  • no performance regression is attributed to the MSR authority from this thermally constrained result
  • no sustained H/s winner or endurance PASS is claimed

The production miner should remain stopped until cooling is restored or a separately rendered 1-thread ephemeral safety candidate is used. Persistent revision, runtime config, and source head must not be edited to work around this gate.

PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Thermal context clarification and cooldown marker correction

Operator clarified that the physical node is a Dell N4110 currently operating without a working fan, and 80-85 C is its usual observed behavior.

This explains the temperature pattern but does not create thermal headroom: the platform-reported coretemp critical threshold remains 85 C, and the measured 2-thread load remained at 84-85 C while clocks stayed around 1.10-1.30 GHz.

The previous cooldown command did not actually reach its 65 C target. It was interrupted manually at 73 C, after which the unconditional trailing echo RIGOS_COOLDOWN_GATE=PASS executed. That marker is invalid and is not accepted as evidence.

Adjusted test policy:

  • use the observed fanless idle plateau rather than an unreachable 65 C target
  • allow the next 1-thread safety probe to start at or below 75 C
  • hard-stop before the reported critical threshold, at 84 C
  • keep the production miner stopped during the ephemeral candidate
  • do not claim thermal PASS for the 2-thread candidate
  • do not authorize 3-thread or 4-thread testing while 2 threads already reaches the reported critical threshold

No source, image, persistent revision, or completed gate changed. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Ephemeral 1-thread candidate cleaned; production miner restored

The temporary benchmark service was stopped and all ephemeral benchmark state under /run/rigos-bench and /run/rigos-bench-state was removed.

Production recovery evidence:

rigos-randomx-msr.service = active
rigos-miner.service       = active
rigos-miner-health.timer  = active

Exactly one XMRig process remained:

/usr/lib/rigos/xmrig -c /run/rigos/xmrig.json

Observer evidence after a 60-second recovery window:

state           = ready
reason          = null
evidence_source = xmrig_http_api
hashrate_10s    = 247.34 H/s
hashrate_60s    = not yet populated
hashrate_15m    = not yet populated
pool_connected  = true
accepted        = 1
rejected        = 0

This confirms clean restoration to the production runtime after the ephemeral candidate, with MSR authority, authenticated observer truth, pool connectivity, and zero rejected shares intact.

No sustained-performance conclusion is drawn from the 10-second recovery sample. The production miner remains running. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Physical 15-minute sustained observation: stability PASS, performance improvement NOT ESTABLISHED

Exact image under test remains:

  • source commit: 527fdbdc49f7b94b26aab2c2386463d261672cf4
  • image SHA-256: c7d791f721ea41367c0d2a5256519b0028b6c2a16fd65f1d1d4724f42124d7d2

Observed production runtime after 1,306 active seconds:

state            = ready
evidence_source  = xmrig_http_api
hashrate_10s     = 290.56 H/s
hashrate_60s     = 293.79 H/s
hashrate_15m     = 271.11 H/s
highest          = 299.46 H/s
pool_connected   = true
connection fails = 0
accepted/rejected= 31/0
hugepages        = 1170/1170
restart_count    = 0
package temp     = 84 C
sampled clocks   = 1.694-1.711 GHz

This closes the first sustained 15-minute runtime-stability observation:

  • observer remained ready from authenticated API truth
  • 15-minute hashrate window populated
  • zero systemd restarts
  • zero connection failures
  • zero rejected shares
  • huge-page allocation remained complete
  • pool connection remained active

However, the performance-improvement gate is not closed. The earlier physical baseline was approximately 340.7-341.2 H/s at 60 seconds with clocks near 2.093 GHz and package temperature around 81 C. The current 15-minute result is 271.11 H/s with clocks around 1.7 GHz and package temperature 84 C. This is consistent with a cooling-limited operating condition and cannot establish an MSR throughput gain.

No A/B winner, HiveOS parity, 24-hour endurance, or merge readiness is claimed. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

9.29-hour endurance snapshot: stable and near baseline throughput

Physical production runtime remains on the exact performance image and source authority previously recorded.

Observed after 33,455 active seconds (9 h 17 m 35 s):

state                 = ready
evidence_source       = xmrig_http_api
hashrate_10s          = 335.08 H/s
hashrate_60s          = 330.01 H/s
hashrate_15m          = 331.27 H/s
highest               = 344.16 H/s
pool_connected        = true
connection_failures   = 0
accepted/rejected     = 1069/0
hugepages             = 1170/1170
systemd restarts      = 0
package temperature   = 85 C
sampled CPU frequency = 1.993 GHz on all logical CPUs
service state         = active/running

Interpretation:

  • endurance stability remains clean
  • current 15-minute throughput is approximately 2.8% below the historical 340.7-341.2 H/s baseline
  • current clock is approximately 4.8% below the historical ~2.093 GHz baseline clock
  • normalized throughput is therefore slightly higher per MHz, but this is an inference rather than a controlled MSR A/B result
  • the current 344.16 H/s peak exceeds the historical 341.7 H/s peak, but peak rate is not used for sustained acceptance
  • package temperature remains at the platform-reported 85 C ceiling

The worker-placement command returned only the aggregate XMRig task line, so this snapshot does not re-authorize affinity placement evidence. A separate per-task /proc/<pid>/task capture is still required.

24-hour endurance is not yet complete. Remaining runtime at this snapshot: 52,945 seconds (14 h 42 m 25 s). PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

10-minute worker-placement authority: 100% physical-core separation

A read-only 10-minute placement capture sampled the two active RandomX workers every 5 seconds.

Result:

samples                       = 120
same physical-core collisions = 0
physical-core separation rate = 100.00%
worker TIDs                   = 1977, 1976

Observed placement throughout the run:

  • TID 1977 moved only between logical CPU0 and CPU1, both on physical core 0
  • TID 1976 moved only between logical CPU2 and CPU3, both on physical core 1
  • the two workers never occupied the same physical core in any sample

This establishes that the current unpinned exact-2-thread runtime already maintains one mining worker per physical core under the scheduler. Affinity pinning is therefore no longer treated as the primary suspected throughput bottleneck. It may still be tested later as a controlled A/B variable, but no material gain is expected from placement correction alone.

The current optimization priority remains:

  1. complete the uninterrupted 24-hour endurance run
  2. controlled MSR ON/OFF comparison under comparable thermal conditions
  3. only then test explicit pinning if variance remains unexplained

No service, config, affinity mask, MSR state, or persistent revision changed during this observation. PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

22.44-hour endurance checkpoint: sustained baseline parity reached

Observed at 80,793 active seconds (22 h 26 m 33 s):

state                 = ready
evidence_source       = xmrig_http_api
hashrate_10s          = 339.85 H/s
hashrate_60s          = 341.82 H/s
hashrate_15m          = 342.36 H/s
highest               = 344.16 H/s
pool_connected        = true
connection_failures   = 1
accepted/rejected     = 2517/0
hugepages             = 1170/1170
systemd restarts      = 0
package temperature   = 80 C
sampled CPU frequency = 2.093 GHz on cpu0-cpu3
service state         = active/running

Interpretation:

  • current 15-minute sustained rate is approximately 0.34-0.49% above the historical 340.7-341.2 H/s baseline at the same ~2.093 GHz clock
  • package temperature is 1 C below the historical 81 C observation
  • this establishes sustained baseline parity and a small favorable observation, but not yet a controlled MSR performance claim
  • one XMRig connection failure was recorded; the observer reads this directly from connection.failures
  • the current state is still correctly ready because the pool is connected and current hashrate is positive
  • this event is recorded as one recovered external connection event, not as zero-failure endurance
  • miner continuity remains clean: no restart, no rejected share, and complete huge pages

24-hour duration is not yet complete. Remaining time at this checkpoint: 5,607 seconds (1 h 33 m 27 s). PR remains draft and unmerged.

Copy link
Copy Markdown
Owner Author

Operator decision: close current endurance run at 22 h 26 m and proceed to controlled A/B

The operator elected not to wait the remaining 1 h 33 m because the current result already establishes the intended engineering conclusion:

active_seconds        = 80793
hashrate_15m          = 342.36 H/s
sampled clock         = 2.093 GHz
package temperature   = 80 C
accepted/rejected     = 2517/0
systemd restarts      = 0
hugepages             = 1170/1170
worker core separation= 120/120 samples
connection failures   = 1 recovered external event

Recorded outcome:

  • sustained baseline parity: PASS
  • small favorable sustained observation: RECORDED
  • long-duration single-node stability at 22 h 26 m: PASS
  • formal 24-hour gate: NOT COMPLETED
  • MSR performance gain: NOT YET PROVEN

The result must not be described as a 24-hour PASS. The next phase is a controlled MSR enabled/disabled comparison with the miner stopped during each MSR transition, exact restore/readback verification, and one variable changed at a time. PR remains draft and unmerged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant