@pinebit pinebit commented Jan 15, 2026

Add cluster lock hash validation to privkey lock file

Enhances the private key lock mechanism to prevent race conditions during cluster configuration changes.

Changes

  • Track cluster_lock_hash in the privkey lock file metadata
  • Introduce 2-epoch grace period (768s) after cluster edits before allowing restart with new configuration
  • Update privkeylock.New() signature to accept cluster lock file path
  • Handle missing cluster lock files gracefully (for DKG scenarios)
  • Skip grace period check for migrations from old format (empty hash)
  • Edit commands copy the lock file, if present.

Why

After cluster edits (adding/removing operators), validators shouldn't immediately start with the new configuration. The grace period ensures:

  • Old configuration finishes duties gracefully
  • Network has time to finalize pending attestations
  • Prevents double-signing between old/new configurations

category: feature
ticket: #4200
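
The grace-period decision described in this PR, as an added example that is not the project's own code. The `lockMeta` fields other than `cluster_lock_hash`, the `checkGrace` helper, the use of an empty current hash to represent a missing cluster lock file, and measuring the window from the lock file's last timestamp are all assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// gracePeriod is the 2-epoch window from the PR: 2 epochs * 32 slots * 12 s = 768 s.
const gracePeriod = 2 * 32 * 12 * time.Second

// lockMeta is a hypothetical shape for the privkey lock file contents.
// Only the cluster_lock_hash key is named in the PR; the rest is assumed.
type lockMeta struct {
	Command         string    `json:"command"`
	Timestamp       time.Time `json:"timestamp"`
	ClusterLockHash string    `json:"cluster_lock_hash"`
}

var errGracePeriod = errors.New("cluster lock hash changed within grace period")

// checkGrace decides whether a node may start with currentHash, given the raw
// lock file bytes left by the previous run (assumed: window starts at Timestamp).
func checkGrace(raw []byte, currentHash string, now time.Time) error {
	var meta lockMeta
	if err := json.Unmarshal(raw, &meta); err != nil {
		return fmt.Errorf("decode privkey lock file: %w", err)
	}
	// Skip the check for old-format files (empty stored hash), for a missing
	// cluster lock file (empty current hash, e.g. during DKG) and when unchanged.
	if meta.ClusterLockHash == "" || currentHash == "" || meta.ClusterLockHash == currentHash {
		return nil
	}
	if elapsed := now.Sub(meta.Timestamp); elapsed < gracePeriod {
		return fmt.Errorf("%w: wait %s", errGracePeriod, (gracePeriod - elapsed).Round(time.Second))
	}
	return nil
}

func main() {
	now := time.Date(2026, 1, 16, 10, 0, 0, 0, time.UTC)
	// Constructed sample: lock file last updated 5 minutes ago under hash "aa11".
	raw, _ := json.Marshal(lockMeta{Command: "run", Timestamp: now.Add(-5 * time.Minute), ClusterLockHash: "aa11"})
	fmt.Println(checkGrace(raw, "bb22", now))                     // refused: 300 s < 768 s
	fmt.Println(checkGrace(raw, "bb22", now.Add(10*time.Minute))) // allowed: window elapsed
}
```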

codecov bot commented Jan 15, 2026

Codecov Report

❌ Patch coverage is 73.46939% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.01%. Comparing base (941bb21) to head (41ba52c).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
app/privkeylock/privkeylock.go 76.74% 5 Missing and 5 partials ⚠️
dkg/protocolsteps.go 50.00% 1 Missing and 1 partial ⚠️
app/app.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4226      +/-   ##
==========================================
+ Coverage   56.96%   57.01%   +0.05%     
==========================================
  Files         237      237              
  Lines       30688    30721      +33     
==========================================
+ Hits        17482    17517      +35     
+ Misses      10976    10974       -2     
  Partials     2230     2230              

@pinebit pinebit marked this pull request as ready for review January 16, 2026 10:33
// New returns new private key locking service. It errors if a recently-updated private key lock file exists.
func New(path, command string) (Service, error) {
content, err := os.ReadFile(path)
func New(privKeyFilePath, clusterLockFilePath, command string) (Service, error) {
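
Review bot: the doc comment above New still describes only the recently-updated lock file check, while the new signature adds clusterLockFilePath without saying what it is used for or what happens when that file does not exist. Please extend the comment to cover the new parameter and the error it can produce. Separately, three adjacent string parameters (privKeyFilePath, clusterLockFilePath, command) are easy to transpose at call sites without a compile error; a small options struct or distinct path types would make a swapped argument visible.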

nitpick: can we rename that to privKeyFileLockPath? Reading it as privKeyFilePath I've assumed it's the actual privKey
