Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Documentation Updates #1814

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions docs/source/NewNetwork/CLIInstall.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Installing the `indy-cli`

The `indy-cli` is developed under the [indy-cli-rs](https://github.com/hyperledger/indy-cli-rs). This documentation may be not up to date.


You will need to perform the following once for each `indy-cli` machine you would like to set up (only 1 is required).
It is recommended that you install the `indy-cli` in your native work environment if possible, so you always have it available even when traveling.

## Installing `indy-cli-rs`
To install `indy-cli-rs` simply download the latest release from its release pages and unpack it.

## Containerized `indy-cli` Environment

The following sections describe how to install and configure the `indy-cli` directly on a machine or VM. However, possibly the most convenient option is to use a containerized `indy-cli` environment like the one included with [von-network](https://github.com/bcgov/von-network). For information on how to use the containerized `indy-cli` in `von-network`, refer to [Using the containerized indy-cli](https://github.com/bcgov/von-network/blob/main/docs/Indy-CLI.md)
34 changes: 34 additions & 0 deletions docs/source/NewNetwork/CreateDID.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Creating a DID using the `indy-cli`

You will need to perform the following commands once for each `indy-cli` machine that you want to run on. The following commands contain suggestions to save certain values in a secure place. Please do not share those values or that place with anyone.


_If you just need to quickly generate a set of secrets (Seed and wallet key), or a Seed, DID, and Verkey and do not have an `indy-cli-rs` environment already setup, you can use the `indy-cli` features integrated into `von-network`. Refer to [Generate a set of Secrets](https://github.com/bcgov/von-network/blob/main/docs/Indy-CLI.md#generate-a-set-of-secrets), and [Generate your DID](https://github.com/bcgov/von-network/blob/main/docs/Indy-CLI.md#generate-your-did) for details._


1. Start your `indy-cli` using the instructions from [Installing the `indy-cli`](./CLIInstall.md) for your platform.

All following commands are executing inside the `indy-cli-rs`.

2. Create a wallet with:

`wallet create <wallet_name> key`

You will be prompted for a wallet key. What you type will not be displayed on the console. Your wallet key is a secure key that only you should know, and it should be randomly generated. Save it in a secure place for later use. You will use it every time you need to send transactions to the ledger from the `indy-cli`.

3. `wallet open wallet_name key`

You will be prompted for your wallet key. What you type will not be displayed on the console.

4. `did new seed`

You will be prompted for a seed. What you type will not be displayed on the console.

If you have lost your original seed or have never created one, then create a new one. This seed is used to regenerate your DID and to add your DID to your wallet(s).

The seed is a 32 character string that only you can know.

> WARNING: Whoever knows your Seed can recreate your exact DID in their own wallet and use it to manage the ledger.

Save your Seed in a secure place so that only you can recreate your DID whenever needed.
Also save the public DID and verkey generated from this step so that you will know and can verify your public DID.
144 changes: 144 additions & 0 deletions docs/source/NewNetwork/NewNetwork.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
# Setting up a New Network

## Introduction

The purpose of this document is to describe in some detail the process of building a brand-new Indy Node Network (Network) using 4 Stewards on their own separate nodes.
It goes into more details than [Starting a Network](../start-nodes.md).
These instructions are intended to be used for a distributed or “production” level environment but can be adapted to be used to build a private network.

This document is heavily based on [Create New Indy Network](https://docs.google.com/document/d/1XE2QOiGWuRzWdlxiI9LrG9Am9dCfPXBXnv52wGHorNE) and the [Steward Validator Preparation Guide v3](https://docs.google.com/document/d/18MNB7nEKerlcyZKof5AvGMy0GP9T82c4SWaxZkPzya4).

## I. Create Network Governance documents (Optional)

Network Governance describes the policies and procedures by which your new network will run and be maintained. Here’s an example: [Sovrin Governance Framework](https://docs.google.com/document/d/1K8l5MfXQWQtpT49-FHuYn_ZnRC5m0Nwk)


## II. Assign Network Trustees

Trustees are the people who manage the network and protect the integrity of the Network Governance. This includes managing the `auth_rules`.

For a production Network, at least 3 Trustees representing three different persons are required and more are preferred. For a test Network one Trustee is required and 3 or more are preferred (all Trustee DID’s may belong to the same user on a test network if needed).

Initial Trustees (3 preferred) must create and submit a Trustee DID and Verkey so that the domain genesis file can be built.

Each trustee has to [instal the `indy-cli`](./CLIInstall.md) and [create a Trustee DID](./CreateDID.md).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instal should be install here


Once the Trustees have created their DID and Verkey give the Trustees access to a spreadsheet like [this one](https://docs.google.com/spreadsheets/d/1LDduIeZp7pansd9deXeVSqGgdf0VdAHNMc7xYli3QAY/edit#gid=0) and have them fill out their own row of the Trustees sheet. The completed sheet will be used to generate the genesis transaction files for the network.


## III. Genesis Stewards

A Steward is an organization responsible for running a Node on the Network

Exactly 4 “Genesis” Stewards are needed to establish the network, more Stewards can be added later.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend changing this to:
"Exactly 4 “Genesis” Stewards are required to establish the network, but at least 7 are recommended for a production network that you expect to last for a long time. More Stewards can be added later.


Each Genesis Steward’s node information will be included in the Genesis Pool file, so they should be willing to install and maintain a Node on the new Network for an extended period of time.

The Stewards must:
1. Generate Steward DIDs as described in [Creating DID](./CreateDID.md).
1. Install their node as described in [Installation and configuration of Indy-Node](../installation-and-configuration.md) (with some small adjustments):
1. Determine a name for the new network and have the stewards substitute it in the appropriate places in the guide, such as when setting the network name and creating the directory when creating the keys for the node.
1. They all need to stop at the normal place ([3.5. Add Node to a Pool](../installation-and-configuration.md#3.5.-Add-Node-to-a-Pool)) as instructed in the guide as the steps that follow differ when creating a new network. The following sections of this guide describe the steps required to start the new network.

Once the Stewards have created their DID and Verkey, and performed the initial setup of they node, give the Stewards access to a spreadsheet like [this one](https://docs.google.com/spreadsheets/d/1LDduIeZp7pansd9deXeVSqGgdf0VdAHNMc7xYli3QAY/edit#gid=0) and have them fill out their own row of the Stewards sheet. The completed sheet will be used to generate the genesis transaction files for the network.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"setup of they node" should be "setup of their node"


## IV. Create and Distribute genesis transaction files

Save the sheets filled out by the Trustees and Stewards as separate files in csv format, and use the [genesis_from_files.py](https://github.com/sovrin-foundation/steward-tools/tree/master/create_genesis) script to generate the `pool_transactions_genesis` and `domain_transactions_genesis` files for the network.

>Tip: The `generategenesisfiles` in `von-network` provides a convenient wrapper around the `genesis_from_files.py` and runs it in a container including all of the dependencies. For more information refer to [Generate Genesis Files](https://github.com/bcgov/von-network/blob/main/docs/Indy-CLI.md#generate-genesis-files).

Double check the files contain the correct information:
- The `domain_transactions_genesis` file should contain all of the DIDs and Verkeys for the Trustees (`"role":"0"`) and the Stewards (`"role":"2"`).
- The `pool_transactions_genesis` file should contain each of the nodes with all their unique information.

Publish the genesis files to a public location, such as a GitHub repository associated with your network. The Stewards and end users will need this information.

Inform the Stewards and Trustees where they can download the genesis files.

- The Trustees and Stewards will need to register the `pool_transactions_genesis` with their `indy-cli` to complete the setup and to be able to connect to the network once it's running. How and where they need to register the `pool_transactions_genesis` depends on how they setup their `indy-cli` environment; [Installing the `indy-cli`](./CLIInstall.md)

- The Stewards will also need to download the genesis files onto their nodes while completing the setup. All of the following steps are to be completed on the node.
1. Set the network name in `/etc/indy/indy_config.py`, replacing `<the_network_name>` in the following command with the actual network name;

`sudo sed -i -re "s/(NETWORK_NAME = ')\w+/\1<the_network_name>/" /etc/indy/indy_config.py`

1. Create a network directory and download the genesis files into it. _The directory name must be the same on all of the nodes and it must match the name of the network._
1. `sudo -i -u indy mkdir /var/lib/indy/<the_network_name>`
1. `cd /var/lib/indy/<the_network_name>`
1. `sudo curl -o domain_transactions_genesis <url_to_the_raw_domain_transactions_genesis_file>`
1. `sudo curl -o pool_transactions_genesis <url_to_the_raw_pool_transactions_genesis_file>`
1. `sudo chown indy:indy *`
- It is important the files are owned by `indy:indy`.

## V. Schedule a meeting to instantiate the new network

Invite all Genesis Stewards to a meeting where they can execute commands and share their screens for both an `indy-cli` and for their Validator Nodes being added to the Network.

> NOTE: It is very useful to go through some checks for each node to verify their setup before continuing. Some large amounts of debug and recovery work can be avoided by 5-10 minutes of checking configs of each node at the beginning of the meeting.
> - `/etc/indy/indy_config.py`
> - all nodes need to have the same network name.
> - the name of the network should correspond to the `/var/lib/indy/<the_network_name>` directory on each node which contains the genesis files for the network, and the files in the directory should be owned by `indy:indy`.
> - `/etc/indy/indy.env`
> - all nodes should have local ip addresses in this file and be pointing at the correct ports.
> - Genesis files
> - Ensure both `pool_transactions_genesis` and `domain_transactions_genesis` files contain the expected content.
> - Verify the software version on all the nodes match
> ```
> dpkg -l | grep indy
> dpkg -l | grep sovrin
> ```
> - Network Connectivity
> - Use `nc -l <local_ip_address> <port>` (on the host), and `nc -vz <public_ip_address> <port>` (on the remote) to test the following.
> - Check the network connectivity between nodes using the `node_ip:port` combinations. Ensure that each node can communicate with all of the other nodes.
> - Check the network connectivity between the nodes and a client using the `client_ip:port` combinations. Ensure each node is accessible to client machines.

Once all of the checks are complete have the Stewards simultaneously start their nodes as described in section [3.5.2. Enable the Service](../installation-and-configuration.md#3.5.2.-Enable-the-Service) of the Installation and configuration of Indy-Node guide, and walk though the remainder of that guide.

## VI. Configure the Indy Network

### `auth_rules`
Update the network's `auth_rules` to help enforce the governance rules for the network.

For more information on `auth_rules` refer to:
- [Default AUTH_MAP Rules](../auth_rules.md)
- [auth_rules Walkthough](https://docs.google.com/document/d/1xk0A5FljKOZ2Fazri6J5mAfnYWXdOMl2LwrFK16MJIY)

### `TAA` (Transaction Author Agreements)
Add a `TAA` to the network.

For more information on `TAA`s refer to:
- [Transaction Author Agreement - `indy-sdk`](https://github.com/hyperledger/indy-sdk/blob/master/docs/how-tos/transaction-author-agreement.md)
- [Transaction Author Agreement - `indy-plenum`](https://github.com/hyperledger/indy-plenum/blob/master/docs/source/transaction_author_agreement.md)
- [Transaction Author Agreement Design](../../../design/txn_author_agreement.md)
- [TAA for CLI Walkthrough](https://docs.google.com/document/d/1Ma-EJkYpRfPOZApyEvcWrkb4EKn71XrIFd9KvZL0Whg)

## Where to go from here?

### Add more Nodes

For the network to remain in write consensus in the event of node failures the network needs to be comprised of `3f+1` nodes, where `f` is the number of failed nodes.

For a network of 4 nodes the network can remain in write consensus if a single node at a time fails, however if more than a single node fails at a time the network will loose write consensus and go into a read-only state. Similarly, a network comprised of 7 nodes can withstand up to 2 nodes failing at any given time. Therefore, it's recommended to have at least 7 nodes running in your network.

Examples:

| Failures to Withstand | 3f+1 | Required Nodes |
|--|--|--|
| 1 | 3(1)+1 | 4 |
| 2 | 3(2)+1 | 7 |
| 3 | 3(3)+1 | 10 |

### Network Monitoring

[hyperledger/indy-node-monitor](https://github.com/hyperledger/indy-node-monitor) is the community supported and maintained tool for network monitoring.

#### Manual
- Run `indy-node-monitor` at least three times a day to detect any issues with the network.

#### Automated
- Run `indy-node-monitor` on a schedule (every 15-30 minutes) and add a notification plugin to alert you to any issues. _Please consider contributing your work back to the project._

## Hands On Walkthrough

An example walkthrough of the above mentioned steps can be found in the `sample/Network` [folder](../../../sample/Network/README.md).
Loading