services/horizon: Allow starting Horizon with minimal configuration #3783
Conversation
There was a problem hiding this comment.
This test seems like a great opportunity to add a new parameter test that confirms, for example, that the TOML file being used by Horizon matches the one we expect, or that it fails (i.e. FatalTestCase.Exits()) with a standalone network passphrase.
Whether or not this needs to be Horizon 3.0 (because of --ingest=true instead of --ingest=false by default), I'm still unsure about. You could argue that a breaking change is one that requires more parameters to get started rather than less...
Also we need to update the deployment guide alongside this.
ingest/ledgerbackend/toml.go
Outdated
| // NewDefaultTestnetCaptiveCoreToml constructs a new CaptiveCoreToml instance | ||
| // based off the default testnet configuration. | ||
| func NewDefaultTestnetCaptiveCoreToml() *CaptiveCoreToml { | ||
| var captiveCoreToml CaptiveCoreToml |
There was a problem hiding this comment.
Would it be easier to maintain these defaults if we used raw strings?
For example, we could use this config for the testnet and just write it to / read it from an ioutil.TempFile. I think it'd be easier to maintain if the configs changed over time, since you could just re-copy-paste the config instead of trying to identify the delta and adapting it to our internal data structure.
There was a problem hiding this comment.
I think we should have the default pubnet and testnet validators represented in string form. Then we can implement NewDefaultTestnetCaptiveCoreToml() and NewDefaultPubnetCaptiveCoreToml() by calling newCaptiveCoreTomlFromFile(tomlFileContents string, params CaptiveCoreTomlParams) (*CaptiveCoreToml, error)
There was a problem hiding this comment.
After @jacekn comment and given that this feature will be used probably only by users who use GH release maybe instead of keeping the file in the binary we could add testnet and pubnet config files in the packed .tar.gz release file. Then we can change the code to try to load the default file from disk if the value is not explicitly set.
There was a problem hiding this comment.
I prefer the file idea to the curl idea because curl'd endpoints can change or go away (or be compromised), so less reproducible.
There was a problem hiding this comment.
I prefer the file idea to the curl idea because curl'd endpoints can change or go away (or be compromised), so less reproducible.
If you use curl it would be best to put the files in a location controlled by SDF, possibly in the go repo next to horizon source code. That way security profile won't change, we'd essentially get the same level of security as for the horizon source code itself.
There was a problem hiding this comment.
I've just pushed a change adding two default config files to release archive here: 8b85c49.
|
@jacekn what is your opinion on this?
|
I think having hidden 1h delay after which horizon will stop will be confusing and, like you say, systemd might even hide it from operators making it worse. Personally I have never seen similar behaviour in linux software so I think it would be best to avoid it. Horizon binary is likely wrong place to store default quorumset too. ubuntu packages we build ship with default configs already so I think it would be better to leverage that mechanism instead. We can do the same with docker images and we'll achieve the same goal. The benefit of doing that using package manager is that it's consistent with other linux software and operators should be familiar with the process. It also means that if quorumset changes are needed there no need to compile and rollout new horizon binary. |
|
I think there's one misconception regarding this property. This is really for development only to allow devs to start Horizon for the first time quickly. Creating a custom captive core config is actually a huge barrier of entry especially for people new to Stellar and we want to mimic the behaviour of
I agree that maybe it's not visible enough but I didn't want it to be hidden - we print
As explained in the first paragraph, feature is mostly for devs (often not using Linux) who download the binary from GH and want to start development quickly. Both ubuntu packages and docker images already have the default config (and the one here is actually copied from @stellar/horizon-committers let me know what you think about terminating Horizon with default config after 1h. |
I see. Maybe there is a middle ground that could work for both use cases? Having hardcoded testnet config feels like less or a problem, especially if we don't stop after 1h. |
|
Regarding pubnet I also proposed this: #3783 (comment). |
|
A comfortable middle ground (gentler nudging of the user) could be to do something like |
PR Checklist
PR Structure
otherwise).
services/friendbot, orallordocif the changes are broad or impact manypackages.
Thoroughness
.mdfiles, etc... affected by this change). Take a look in the
docsfolder for a given service,like this one.
Release planning
needed with deprecations, added features, breaking changes, and DB schema changes.
semver, or if it's mainly a patch change. The PR is targeted at the next
release branch if it's not a patch change.
What
This commit adds multiple changes to config parameters:
--ingestis set totrueby default,--captive-core-config-pathis generated with default values based on the network passphrase.If the pubnet Horizon is started without custom config,
it will be stopped with an error message after one hourthe warning message will be printed to log every hour.Close #3719.
Why
We want to make the time from Horizon installation to execution to be minimal. With less config values and reasonable defaults developers can start Horizon instance faster.
Known limitations
Quorum set default values for public network should be changed to to organisations developer really trust so Horizon will
be stopped after one hourprint warning messages if an admin does not provide custom config.However, service managers likesystemdmay restart the service making it worth permanently.