Transparent chain upgrades

[michaelfig]

What is the Problem Being Solved?

We divide upgradability into two forms:

1. transparently upgrading the underlying chain
2. more or less transparently installing a new set of Agoric services at any time during the life of the chain, without any loss of data or assets used by existing third-party clients or services

This issue is a proposal for how to handle upgrades of the first form (since its mechanics are more understood by me), specifically within the cosmic-swingset package, which is the interface between the Agoric chain and the underlying Cosmos SDK.

Upgrades of the second form are crucial but not addressed by this issue.

Description of the Design

In order to replicate the current state of the chain, we need to preserve the following state in the SwingSet statedir:

• [ ] the current kernel database
• [ ] a way to recover the heap of each running vat (currently its Javascript source code and up-to-date transcript)

Upgrading a chain:

• somebody creates a cosmos-sdk governance proposal to upgrade to a given software version at a specific block height/time
• the proposal is passed
• at the proposed-upon time, the validator halts with an "upgrade required" message
• all the SwingSet state is kept intact (both on-chain and statedir)
• the validator restarts with a new cosmic-swingset program (binaries and sources) to continue the block

The https://github.com/cosmos/cosmos-sdk/tree/master/cosmovisor supervisor program can help automate the upgrade process after governance has passed.

There will be scope changes to these initial requirements. Please update the above if they change before this issue is closed.

Security Considerations

TBD.

Test Plan

TBD.

[michaelfig]

@warner, @dtribble here is the issue to start from.

[dtribble]

We need the between-blocks scheduler list. Why not preserve that as well?

[michaelfig]

We need the between-blocks scheduler list. Why not preserve that as well?

I only meant to cross it off because it didn't exist yet. Will reinstate it when it exists.

[michaelfig]

My current plan is to use https://github.com/cosmos/cosmos-sdk/tree/master/cosmovisor to manage transparent chain upgrades. To do so requires the kernel to understand prior versions' statedir (including kernel DB) and save static vat sources in the statedir so that they can be replayed.

[michaelfig]

Refs https://github.com/cosmos/cosmos-sdk/pull/7230 for a way to portably bootstrap the binaries using installed tools that meet our stated validator requirements (Node.js, Golang, etc).

[Tartuffo]

This will turn into an epic @michaelfig

[Tartuffo]

Done on Cosmic Swingset side, but not in Swingset. @warner Do you have a ticket for the Swingset side of this?

[Tartuffo]

Done and tested, for a narrow scope of underlying chain software only.