Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistent NNS canister controllers #64

Open
bitdivine opened this issue Nov 7, 2023 · 1 comment
Open

Inconsistent NNS canister controllers #64

bitdivine opened this issue Nov 7, 2023 · 1 comment

Comments

@bitdivine
Copy link
Member

bitdivine commented Nov 7, 2023
edited

Hello all. I am excited to try out the nns extensions. However I've run into a problem: Internet Identity's controller seems to be wrong.

Details: When deploying the NNS canisters with the nns extension, all canisters are owned by the root canister except for Internet Identity, which is controlled by the anonymous principal. (And the root itself which is owned by governance). This matches production and previous releases of dfx nns install, apart from Internet Identity's controller. It looks as if II's controller is an error that ocurred in the migration to extensions. Correction: Previous releases of dfx had internet-identity and nns-dapp owned by the current user. So, it is still a breaking change but not what I thought at first! :-)

To be fair, the documentation doesn't declare what the controllers are expected to be so this may be intentional but if it is, it would be nice to declare it and explain in the documents how to switch the controller back to match the previous behaviour.

Setup with:

$ dfx --version
dfx 0.15.1
$ dfx start --clean

and

$ dfx nns install

From the printout, I collected the canister names and IDs and so we can get the controllers of each.

$ cat ,canisters | grep . | while read line ; do set $line ; echo ; echo $1 $2 ; dfx canister info $2 ; done

nns-registry rwlgt-iiaaa-aaaaa-aaaaa-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai  <-- This is the root canister; see below.
Module hash: 0x05c1309567bcb293153f2000a4ef7e511736ef73aaf5c7a243d7c38b57513509

nns-governance rrkah-fqaaa-aaaaa-aaaaq-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai
Module hash: 0xefedaa6727b8e0c4dc157e4de1b1853793bc12ae6386f3885cf2ef5293c4ebe7

nns-ledger ryjl3-tyaaa-aaaaa-aaaba-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai
Module hash: 0xe001f0d4d95e1a123c7fc682aa02c77774db974e4bffb827809d7d5f7baab0f6

nns-root r7inp-6aaaa-aaaaa-aaabq-cai
Controllers: rno2w-sqaaa-aaaaa-aaacq-cai
Module hash: 0xce766ab3b16b729b40255dd6dba3126fa79a3d8fb0d2621459c2bd24f2ab651d

nns-cycles-minting rkp4c-7iaaa-aaaaa-aaaca-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai
Module hash: 0xef4707a6925a1df9e13de4d92d91ce2f0aed103ef9858ba4f960c0ddf55815fe

nns-lifeline rno2w-sqaaa-aaaaa-aaacq-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai
Module hash: 0x6a9261bbedf351f1b55e18c1d3cda8733f3e1aedd8adb1fa864bc89ddbcf72e6

nns-genesis-token renrk-eyaaa-aaaaa-aaada-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai
Module hash: 0xe207f70a9889a003b3ba4ad574bde9f124cf367c3939eed8897205050575773c

nns-identity rdmx6-jaaaa-aaaaa-aaadq-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai
Module hash: None

nns-ui qoctq-giaaa-aaaaa-aaaea-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai
Module hash: None

nns-sns-wasm qaa6y-5yaaa-aaaaa-aaafa-cai
Controllers: r7inp-6aaaa-aaaaa-aaabq-cai
Module hash: 0x7d516e40347a636d3d17b8d2894309ada88d3748620643641a1d44b27eb60f69

nns-ic-ckbtc-minter qjdve-lqaaa-aaaaa-aaaeq-cai
Error: Canister qjdve-lqaaa-aaaaa-aaaeq-cai does not exist.

internet_identity qhbym-qaaaa-aaaaa-aaafq-cai
Controllers: 2vxsx-fae
Module hash: 0xcf5c88aa54d8ac43aa361f01231d5adb2dbcbf7dcd6b75c364e59ad84dc414c3

nns-dapp qsgjb-riaaa-aaaaa-aaaga-cai
Controllers: 2vxsx-fae
Module hash: 0x6876b5878ef1c4737326aa074e5ebb773f4b126c5df17e167096af2df872f378

With dfx 0.14.4 the same printout is:

internet_identity qhbym-qaaaa-aaaaa-aaafq-cai
Controllers: votl3-vuuch-u32ln-uq2c5-mgz4t-6dcko-t24rt-cg67w-bha4g-6jt24-oae
Module hash: 0xcf5c88aa54d8ac43aa361f01231d5adb2dbcbf7dcd6b75c364e59ad84dc414c3

nns-dapp qsgjb-riaaa-aaaaa-aaaga-cai
Controllers: votl3-vuuch-u32ln-uq2c5-mgz4t-6dcko-t24rt-cg67w-bha4g-6jt24-oae
Module hash: 0x6876b5878ef1c4737326aa074e5ebb773f4b126c5df17e167096af2df872f378
@bitdivine bitdivine mentioned this issue Nov 7, 2023
Merged
@bitdivine
Copy link
Member Author

bitdivine commented Nov 7, 2023
edited

This should fix the issue for anyone expecting the former behaviour:

# As of dfx 0.15, the current user is no longer a controller of the internet_identity and nns-dapp canisters.
# The current user needs to be added explicitly.
CURRENT_PRINCIPAL="$(dfx identity get-principal)"
# ... `dfx nns install` does not populate canister IDs in `dfx.json` so we need to provide the canister IDs ourselves.
II_CANISTER_ID=qhbym-qaaaa-aaaaa-aaafq-cai
ND_CANISTER_ID=qsgjb-riaaa-aaaaa-aaaga-cai
for canister in "$II_CANISTER_ID" "$ND_CANISTER_ID" ; do
  dfx canister update-settings "$canister" --add-controller "$CURRENT_PRINCIPAL" --identity anonymous
done

I think the new behaviour is actually cool, it just needs a bit of documentation to help people upgrade.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bitdivine