mempool: Persist with XOR #28207
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage: For detailed information about the code coverage, see the test coverage report.

Reviews: See the guideline for information on the review process. If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts: Reviewers, this pull request conflicts with the following ones:

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
Currently opened as draft to wait for initial feedback. There is no option to disable this feature, because I am not aware of anyone reading the

Concept ACK. It may be difficult to find out if anyone relies on parsing You may also want to use a bit flag instead of increasing the version. The added complexity of that could be an argument to not make this optional.

I don't think bit flags make sense in this context, because the Edit: Hmm, I think just having a boolean option to say "write version 1 mempool.dat" is enough. If there are any users that need "use
Concept ACK. I opened issue #16721 a while ago but closed it as it didn't get much attention back then.
I've written a mempool.dat parser a few years ago for fun. However, as you said, the RPCs are powerful enough and if someone really really wants to read the file, they can implement XOR functionality. Similar to block0000.dat files, these files are not something considered an interface for others to rely on.

Just for context: For testing I used
Added some code to make the Windows CI pass
Concept and approach ACK. I don't think there is harm in making it the default behaviour immediately.
Concept ACK, I don't think we need to concern with external programs reading this. If they do exist, they can adapt easily.

(Although downgrading might be something we want to support?)

It is. You can simply set
concept ACK

Concept ACK
light code-review ACK fac48d2
Idk why, but I tried testing the behavior on master 5aa67eb with the steps you provided here, but no anti-virus quarantined the mempool.dat file. I used Intego, bitfinder.

When we want to drop support for writing in the legacy format (v1), the mempool_compatibility.py functional test should be deleted along with the CL, I think.

Do we also want fee_estimates.dat to be persisted with XOR?

The majority won't detect the EICAR test virus I used. I used an online service to scan the

Why? IIUC, it only stores integers and floating point numbers calculated locally, or am I missing something?
ACK fa52084
Code LGTM, tried a few roundtrips of stop/start/savemempool/importmempool with combinations of the options. I originally thought -persistmempool=0 should imply something for -persistmempoolv1, but it makes sense that it applies to savemempool when we're not persisting.
reACK fa6b053
ACK fa6b053
Used this PR to successfully read a mempool.dat saved in the legacy format. Additionally, the persistmempoolv1 option downgraded and allowed dumping using the legacy format. Code looks good to me.
@@ -458,6 +458,11 @@ void SetupServerArgs(ArgsManager& argsman) | |||
argsman.AddArg("-par=<n>", strprintf("Set the number of script verification threads (%u to %d, 0 = auto, <0 = leave that many cores free, default: %d)", | |||
-GetNumCores(), MAX_SCRIPTCHECK_THREADS, DEFAULT_SCRIPTCHECK_THREADS), ArgsManager::ALLOW_ANY, OptionsCategory::OPTIONS); | |||
argsman.AddArg("-persistmempool", strprintf("Whether to save the mempool on shutdown and load on restart (default: %u)", DEFAULT_PERSIST_MEMPOOL), ArgsManager::ALLOW_ANY, OptionsCategory::OPTIONS); | |||
argsman.AddArg("-persistmempoolv1", |
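Review bot: The help string for -persistmempoolv1 is cut off in this hunk, so it is worth checking that it states the option's scope explicitly: it only selects the legacy (v1, un-XORed) format when writing mempool.dat (on shutdown and for savemempool), reading the legacy format remains supported regardless, and it is a temporary compatibility option slated for removal a couple of releases after merge, as agreed in the thread; the help text should also show its default the same way the -persistmempool line just above does.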
This PR is an improvement; this patch allows you to read mempool.dat dumped using the legacy format.

What's the rationale for the temporary retention of persistmempoolv1, and when can we expect to remove this option?
Should be fine to remove in the second next release after this is merged. I presume the read code (// Leave XOR-key empty) can stay forever/longer, because it is just one line of code, so no strong opinion.
AFAIU we are persisting with XOR to "protect against programs that accidentally and unintentionally are trying to mess with the dat file", so I think it will be better if we completely prevent dumping without XOR.

re-ACK fa6b053
Currently the mempool.dat file stores data received from remote peers as-is. This may be problematic when a program other than Bitcoin Core tries to interpret them by accident. For example, an anti-virus program or other program may scan the file and move it into quarantine, or delete it, or corrupt it. While the local wallet is expected to re-submit any pending transactions, unrelated transactions may be missing from the mempool after a restart. This may cause fee estimates to be off, or may cause block relay to be slower.
Fix this, similar to #6650, by rolling a random XOR pattern over the dat file when writing or reading it.
Obviously this can only protect against programs that accidentally and unintentionally are trying to mess with the dat file. Any program that intentionally wants to mess with the dat file can still trivially do so.
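An added illustration of the mechanism described above (not code from this PR or from Bitcoin Core): a repeating XOR pattern rolled over the bytes of a constructed payload, with the empty-key no-op standing in for the legacy v1 read path mentioned in the thread. The key length, file layout and where the key is stored are not reproduced; std::random_device and the marker string are assumptions for the demo.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <string>
#include <vector>

// Roll a repeating XOR pattern over a buffer in place. XOR is its own
// inverse, so one routine serves both the write (obfuscate) and read
// (de-obfuscate) paths. An empty key is a no-op: a legacy v1 (un-XORed)
// mempool.dat can go through the same code path with the key left empty.
void XorBuffer(std::vector<uint8_t>& buf, const std::vector<uint8_t>& key)
{
    if (key.empty()) return;
    for (size_t i = 0; i < buf.size(); ++i) {
        buf[i] ^= key[i % key.size()];
    }
}

// Draw a fresh random key of the given length. std::random_device stands
// in for whatever CSPRNG the real implementation uses (assumption).
std::vector<uint8_t> RandomKey(size_t len)
{
    std::random_device rd;
    std::vector<uint8_t> key(len);
    for (auto& b : key) b = static_cast<uint8_t>(rd() & 0xff);
    return key;
}

// Naive byte-pattern scan, the kind of check a file scanner might apply.
bool ContainsPattern(const std::vector<uint8_t>& buf, const std::string& pat)
{
    const std::string s(buf.begin(), buf.end());
    return s.find(pat) != std::string::npos;
}

// Obfuscate a constructed payload, check that the marker is no longer
// visible to the naive scan, then de-obfuscate and check the bytes are
// restored. With an empty key the marker stays visible and this returns
// false, mirroring the legacy v1 format the PR keeps writable as an option.
bool RoundTripHidesPattern(const std::string& payload, const std::string& marker,
                           const std::vector<uint8_t>& key)
{
    std::vector<uint8_t> data(payload.begin(), payload.end());
    const std::vector<uint8_t> original = data;
    XorBuffer(data, key);                            // "write" path
    const bool hidden = !ContainsPattern(data, marker);
    XorBuffer(data, key);                            // "read" path
    return hidden && data == original;
}
```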