feat: restart federation setup

[okjodom]

After setting config gen params and before starting consensus, any peer can initiate a restart of the federation setup using restart_federation_setup rpc.

server-side behavior

• This API sets the peer server in SetupRestarted status.
• The Leader server waits for all peers to progress to SetupRestarted.
• Leader then automatically makes progress to AwaitingPassword.
• Followers watch leader status and when they see AwaitingPassword, they also make progress to the same state

All peers can then begin the setup process

suggested user experience

While the server is in any of these states SharingConfigGenParams | ReadyForConfigGen | ConfigGenFailed | VerifyingConfigs | VerifiedConfigs, the setup UI should watch peer information in consensus status. Should any peer be in SetupRestarted, the setup UI should immediately prompt the user to initiate restart by make a call to restart_federation_setup. Suggestion here it to make this some blocking but interactive UX

closes #3535

[codecov]

Codecov Report

Attention: 15 lines in your changes are missing coverage. Please review.

Comparison is base (e882197) 57.13% compared to head (4471ada) 57.38%.
Report is 13 commits behind head on master.

❗ Current head 4471ada differs from pull request most recent head f82f234. Consider uploading reports for the commit f82f234 to get more accurate results

Files	Patch %	Lines
fedimint-server/src/config/api.rs	93.30%	15 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3669      +/-   ##
==========================================
+ Coverage   57.13%   57.38%   +0.25%     
==========================================
  Files         193      193              
  Lines       42861    42778      -83     
==========================================
+ Hits        24487    24548      +61     
+ Misses      18374    18230     -144     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[elsirion]

Looks good, does anyone more familiar with the setup take a look? @justinmoon

[elsirion]

This is very brittle if we ever add any files. In another PR we should introduce a list of files that FM potentially creates and have a test that checks that data dirs contain only these and nothing more.

[okjodom]

tracking here #3692

[elsirion]

CI is failing and it seems related to the PR

[okjodom]

@elsirion , now green on CI

[elsirion]

Looks good to me, but I'll leave @justinmoon a chance to take another look

[elsirion]

One concern is that we could accidentally delete important key material if we ever called these delete fns by accident somewhere. To reduce that problem I'd propose to chmod -w config files right before starting the consensus, so that deletes are prevented.

[dpc]

One concern is that we could accidentally delete important key material if we ever called these delete fns by accident somewhere. To reduce that problem I'd propose to chmod -w config files right before starting the consensus, so that deletes are prevented.

That's a good point, but probably best practice to keep the in-progress things in a temp directory (randomized) and rename it atomically on success.

[okjodom]

One concern is that we could accidentally delete important key material if we ever called these delete fns by accident somewhere. To reduce that problem I'd propose to chmod -w config files right before starting the consensus, so that deletes are prevented.

That's a good point, but probably best practice to keep the in-progress things in a temp directory (randomized) and rename it atomically on success.

marked as draft while applying this

[elsirion]

Are you on this @okjodom? @justinmoon should this get into 0.2?

[okjodom]

Are you on this @okjodom? @justinmoon should this get into 0.2?

Trying to debug the failing reconnect test now. Been up and down

I think an api changed?

[okjodom]

Ps, this was originally marked for 0.2.1
I bumped it after first round of reviews because thinking I'd be able to land it fast

[okjodom]

@elsirion, @justinmoon I'm tracking two issues as follow-ups to this. Take a look

[okjodom]

fixes #3788

[elsirion]

Looks mostly good, left some questions.

I don't think this is stability-relevant, we don't need to guarantee stability of the setup API, just need to release the admin UI in lockstep (but any reasonable deployment should use the admin UI that fits the Fedimint version).

I also didn't find any Rust API breakage, so in principle this could be backported to 0.2 if we saw the need (I'd like to avoid that though).

[elsirion]

What's the reason to put this into a separate block?

[okjodom]

this allows us to acquire lock on self.state, use it and and releasing lock, before we call update_leader. update leader creates a separate lock on state

[elsirion]

I didn't remember that require_any_status returned a mutex guard, makes sense!

[elsirion]

Do we need to reset any on-disk state? I think the PASSWORD file has been written already at that point?

[okjodom]

at this point, PASSWORD or any other config file is already written to a file in a temporary dir. remove_staged_config() resets disk state by deleting the whole dir, and this function finally resets server state

[justinmoon]

LGTM

[elsirion]

Thx for bearing with us, the release took a lot of bandwidth and this PR a few iterations, but I think we arrived at a good result at the end!