Extend RPC to unban peers #2850

ilblackdragon · 2020-06-14T20:02:20Z

If some peers got banned, it's really hard to unban them right now.
Given it sometimes happens due to issues with network, it would be good to be able to restore them back.
Ideally this tool should be inside neard to not require another binary.

neard peers lists all peers in the database with information if they were banned
neard unban <peerid>,<peerid> unbans list of peers

The text was updated successfully, but these errors were encountered:

mfornet · 2020-06-16T02:33:18Z

To unban peers in this way nodes will need to restart to apply the changes. Another option is adding this function to our RPC, however it needs to be protected, for example, to make an unban request it should be signed with the secret key from the node.

ilblackdragon · 2020-06-16T07:37:57Z

I was thinking indeed stop & start node, as this is not normal operation.

But through RPC might be useful. If we are going that way, we would want to have API_KEY (signing is complicated and ideally calling RPCs should not happen from the node which means there won't be any keys).
We can use http base authentication in RPC for this, e.g. curl https://x:<API_KEY>@rpc-host/unban

But I don't think we should do this for Phase 1, to let's keep this in Icebox for now.

mfornet · 2020-06-17T19:51:46Z

What is the best workflow to generate and validate an API_KEY? It needs to be generated directly with our binary from the node.

I see two ways to do this:

Random keys:

Generate an API_KEY on the fly and store its hash on a database (protected .txt/.json should work ok)
To check an API_KEY is valid just check its hash is on the database
To revoke an API_KEY remove it from the database

Signed keys:

Create a new key pair (api_key_generator)
To generate an API_KEY do:
- Generate a random number of length K
- Sign this number using the api_key_generator
- The generated API_KEY consist on the concatenation of both
To check an API_KEY is valid check the signature matches
To revoke an API_KEY change the api_key_generator (it will revoke all other existing API_KEY too).

I think, the first variant is strictly better.

Ok with doing this after phase 1. This entire mechanism will be useful not only for ban/unban peers, but with other private functionalities we want to expose through RPC.

frol · 2020-08-03T10:53:03Z

Alternatively, we can implement a separate RPC server using a separate TCP port, by default listening on 127.0.0.1, so there is no way to suddenly expose the RPC to the outside world. Exposing this RPC then can be done with a reverse-proxy basic auth configuration or even a custom managing service. This way we don't need to roll out yet another key management.

stale · 2021-09-25T22:30:15Z

This issue has been automatically marked as stale because it has not had recent activity in the last 2 months.
It will be closed in 7 days if no further activity occurs.
Thank you for your contributions.

stale · 2022-01-09T19:42:44Z

This issue has been automatically marked as stale because it has not had recent activity in the last 2 months.
It will be closed in 7 days if no further activity occurs.
Thank you for your contributions.

frol · 2022-01-11T02:57:55Z

@janewang I want to bring this up to NodeX team awareness. I feel that there might be a need for granular administration of a running node through a dedicated admin RPC. We already have adversarial features hidden under a compilation flag, which might also be moved under this admin RPC.

bowenwang1996 · 2022-01-24T15:17:39Z

If some peers got banned, it's really hard to unban them right now.

That is actually not the case. You can change ban_window in config.json to a small number (such as 1s) to unban peers

…9630) Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.13 to 1.26.17. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>1.26.17</h2> <ul> <li>Added the <code>Cookie</code> header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via <code>Retry.remove_headers_on_redirect</code>. (GHSA-v845-jxx5-vc9f)</li> </ul> <h2>1.26.16</h2> <ul> <li>Fixed thread-safety issue where accessing a <code>PoolManager</code> with many distinct origins would cause connection pools to be closed while requests are in progress (<a href="https://redirect.github.com/urllib3/urllib3/issues/2954">#2954</a>)</li> </ul> <h2>1.26.15</h2> <ul> <li>Fix socket timeout value when HTTPConnection is reused (<a href="https://redirect.github.com/urllib3/urllib3/issues/2645">urllib3/urllib3#2645</a>)</li> <li>Remove "!" character from the unreserved characters in IPv6 Zone ID parsing (<a href="https://redirect.github.com/urllib3/urllib3/issues/2899">urllib3/urllib3#2899</a>)</li> <li>Fix IDNA handling of 'x80' byte (<a href="https://redirect.github.com/urllib3/urllib3/issues/2901">urllib3/urllib3#2901</a>)</li> </ul> <h2>1.26.14</h2> <ul> <li>Fixed parsing of port 0 (zero) returning None, instead of 0 (<a href="https://redirect.github.com/urllib3/urllib3/issues/2850">#2850</a>)</li> <li>Removed deprecated <code>HTTPResponse.getheaders()</code> calls in <code>urllib3.contrib</code> module.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>1.26.17 (2023-10-02)</h1> <ul> <li>Added the <code>Cookie</code> header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via <code>Retry.remove_headers_on_redirect</code>. (<code>[#3139](urllib3/urllib3#3139) <https://github.com/urllib3/urllib3/pull/3139></code>_)</li> </ul> <h1>1.26.16 (2023-05-23)</h1> <ul> <li>Fixed thread-safety issue where accessing a <code>PoolManager</code> with many distinct origins would cause connection pools to be closed while requests are in progress (<code>[#2954](urllib3/urllib3#2954) <https://github.com/urllib3/urllib3/pull/2954></code>_)</li> </ul> <h1>1.26.15 (2023-03-10)</h1> <ul> <li>Fix socket timeout value when <code>HTTPConnection</code> is reused (<code>[#2645](urllib3/urllib3#2645) <https://github.com/urllib3/urllib3/issues/2645></code>__)</li> <li>Remove "!" character from the unreserved characters in IPv6 Zone ID parsing (<code>[#2899](urllib3/urllib3#2899) <https://github.com/urllib3/urllib3/issues/2899></code>__)</li> <li>Fix IDNA handling of '\x80' byte (<code>[#2901](urllib3/urllib3#2901) <https://github.com/urllib3/urllib3/issues/2901></code>__)</li> </ul> <h1>1.26.14 (2023-01-11)</h1> <ul> <li>Fixed parsing of port 0 (zero) returning None, instead of 0. (<code>[#2850](urllib3/urllib3#2850) <https://github.com/urllib3/urllib3/issues/2850></code>__)</li> <li>Removed deprecated getheaders() calls in contrib module. Fixed the type hint of <code>PoolKey.key_retries</code> by adding <code>bool</code> to the union. (<code>[#2865](urllib3/urllib3#2865) <https://github.com/urllib3/urllib3/issues/2865></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/c9016bf464751a02b7e46f8b86504f47d4238784"><code>c9016bf</code></a> Release 1.26.17</li> <li><a href="https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"><code>0122035</code></a> Backport GHSA-v845-jxx5-vc9f (<a href="https://redirect.github.com/urllib3/urllib3/issues/3139">#3139</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/e63989f97d206e839ab9170c8a76e3e097cc60e8"><code>e63989f</code></a> Fix installing <code>brotli</code> extra on Python 2.7</li> <li><a href="https://github.com/urllib3/urllib3/commit/2e7a24d08713a0131f0b3c7197889466d645cc49"><code>2e7a24d</code></a> [1.26] Configure OS for RTD to fix building docs</li> <li><a href="https://github.com/urllib3/urllib3/commit/57181d6ea910ac7cb2ff83345d9e5e0eb816a0d0"><code>57181d6</code></a> [1.26] Improve error message when calling urllib3.request() (<a href="https://redirect.github.com/urllib3/urllib3/issues/3058">#3058</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/3c0148048a523325819377b23fc67f8d46afc3aa"><code>3c01480</code></a> [1.26] Run coverage even with failed jobs</li> <li><a href="https://github.com/urllib3/urllib3/commit/d94029b7e2193ff47b627906a70e06377a09aae8"><code>d94029b</code></a> Release 1.26.16</li> <li><a href="https://github.com/urllib3/urllib3/commit/18e92145e9cddbabdf51c98f54202aa37fd5d4c8"><code>18e9214</code></a> Use trusted publishing for PyPI</li> <li><a href="https://github.com/urllib3/urllib3/commit/d25cf83bbae850a290fe34ed1610ae55c0558b36"><code>d25cf83</code></a> [1.26] Fix invalid test_ssl_failure_midway_through_conn</li> <li><a href="https://github.com/urllib3/urllib3/commit/25cca389496b86ee809c21e5b641aeaa74809263"><code>25cca38</code></a> [1.26] Fix test_ssl_object_attributes</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/1.26.13...1.26.17">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=pip&previous-version=1.26.13&new-version=1.26.17)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/near/nearcore/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

ilblackdragon assigned mfornet Jun 14, 2020

ilblackdragon added C-enhancement Category: An issue proposing an enhancement or a PR with one. help wanted A-network Area: Network labels Jun 16, 2020

ilblackdragon changed the title ~~Tool to list & unban peers~~ Extend RPC to unban peers Jun 17, 2020

hendrikhofstadt mentioned this issue Jul 7, 2020

Prevent node from locking itself out of the network by banning all peers #2953

Closed

bowenwang1996 removed the help wanted label Jun 27, 2021

stale bot added the S-stale label Sep 25, 2021

bowenwang1996 removed the S-stale label Sep 26, 2021

frol added T-node Team: issues relevant to the node experience team and removed A-network Area: Network labels Oct 11, 2021

frol unassigned mfornet Oct 11, 2021

stale bot added the S-stale label Jan 9, 2022

stale bot removed the S-stale label Jan 11, 2022

janewang added this to Backlog in Node Q2 2022 via automation Jan 11, 2022

janewang moved this from Backlog to Incoming Requests in Node Q2 2022 Jan 11, 2022

bowenwang1996 added the P-low Priority: low label Jan 24, 2022

bowenwang1996 moved this from Incoming Requests to Icebox in Node Q2 2022 Jan 24, 2022

janewang added the icebox label Apr 20, 2022

exalate-issue-sync bot added T-nodeX and removed T-node Team: issues relevant to the node experience team labels May 23, 2022

matklad added the T-node Team: issues relevant to the node experience team label Aug 4, 2022

matklad removed the T-nodeX label Aug 4, 2022

exalate-issue-sync bot added the Groomed label Nov 18, 2022

gmilescu added the Node Node team label Oct 19, 2023

gmilescu mentioned this issue Oct 23, 2023

Extend RPC to unban peers #9918

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Extend RPC to unban peers #2850

Extend RPC to unban peers #2850

ilblackdragon commented Jun 14, 2020 •

edited by exalate-issue-sync bot

mfornet commented Jun 16, 2020

ilblackdragon commented Jun 16, 2020

mfornet commented Jun 17, 2020

frol commented Aug 3, 2020

stale bot commented Sep 25, 2021

stale bot commented Jan 9, 2022

frol commented Jan 11, 2022

bowenwang1996 commented Jan 24, 2022

Extend RPC to unban peers #2850

Extend RPC to unban peers #2850

Comments

ilblackdragon commented Jun 14, 2020 • edited by exalate-issue-sync bot

mfornet commented Jun 16, 2020

ilblackdragon commented Jun 16, 2020

mfornet commented Jun 17, 2020

frol commented Aug 3, 2020

stale bot commented Sep 25, 2021

stale bot commented Jan 9, 2022

frol commented Jan 11, 2022

bowenwang1996 commented Jan 24, 2022

ilblackdragon commented Jun 14, 2020 •

edited by exalate-issue-sync bot