Changelog
This page displays a full list of all the changes during our release cycle from `v2024.3-eclipse` onward. Operators can find here the newest updates together with links to relevant documentation. The list is sorted so that the newest changes appear first.
Our documentation often refers to syntax annotated in `<>` brackets. We use this expression for variables that are unique to each user (like path, local moniker, versions etc.).
Any syntax in `<>` brackets needs to be substituted with your correct name or version, without the `<>` brackets. If you are unsure, please check our table of essential parameters and variables.
v2024.14-crunch-patched
Patch for `v2024.14-crunch` release. Fixes an issue to allow only one private IP pair & compatibility issues between nym-nodes and older clients.
- Release binaries
- `nym-node` version `1.2.1`
nym-node
Binary Name: nym-node
Build Timestamp: 2024-12-18T10:18:42.978852430Z
Build Version: 1.2.1
Commit SHA: 8d5a41a790e96ae5e821964865affaa7d3343eab
Commit Date: 2024-12-18T11:07:49.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.83.0
rustc Channel: stable
cargo Profile: release
v2024.14-crunch
- Release binaries
- `nym-node` version `1.2.0`
- Operators updates and tools
- Github CHANGELOG.md
nym-node
Binary Name: nym-node
Build Timestamp: 2024-12-11T13:49:11.974104790Z
Build Version: 1.2.0
Commit SHA: a491e6a71a8cf862d77defd740a4ee8d65d8292a
Commit Date: 2024-12-11T10:28:47.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.83.0
rustc Channel: stable
cargo Profile: release
Features
- Bump elliptic from `6.5.4` to `6.5.7` in /testnet-faucet: Bumps elliptic from `6.5.4` to `6.5.7`.
- build(deps): bump micromatch from `4.0.4` to `4.0.8` in /nym-wallet/webdriver: Bumps micromatch from `4.0.4` to `4.0.8`.
- build(deps): bump axios from 1.6.0 to 1.7.5 in /nym-api/tests: Bumps axios from 1.6.0 to 1.7.5.
- Sync code with `.env` in build.rs: Keep `dotenv` file always up to date
- build(deps): bump lazy_static from `1.4.0` to `1.5.0`: Bumps lazy_static from `1.4.0` to `1.5.0`.
- Create TaskStatusEvent trait instead of piggybacking on Error
- build(deps): bump once_cell from `1.19.0` to `1.20.2`: Bumps `once_cell` from `1.19.0` to `1.20.2`
- Bump the patch-updates group across 1 directory with 10 updates: Bumps the patch-updates group with 9 updates in the / directory:
Package | From | To |
---|---|---|
anyhow | 1.0.89 | 1.0.90 |
clap | 4.5.18 | 4.5.20 |
clap_complete | 4.5.29 | 4.5.33 |
pin-project | 1.1.5 | 1.1.6 |
serde | 1.0.210 | 1.0.211 |
serde_json | 1.0.128 | 1.0.132 |
wasm-bindgen | 0.2.93 | 0.2.95 |
wasm-bindgen-futures | 0.4.43 | 0.4.45 |
web-sys | 0.3.70 | 0.3.72 |
- [Product Data] Introduce data persistence on gateways: This PR builds on top of #4974, not changing the behavior of the data collection, but persisting them in a sqlite database so they can be kept across restarts and crashes. It also leaves the door open for other stats modules to use that storage if needed. Here are some points of interest:
  - New `gateway_stats_storage` crate
  - Config migration resulting from the added database.
  - Resulting changes in the `statistics` module to account for the new storage system
- Integrate nym-credential-proxy into workspace: Integrate `nym-credential-proxy` into the main workspace
- Node Status API: merging a long-diverged feature branch - all commits here were their own merge requests
- [Product Data] Better unique user count on gateways: To avoid double counting clients across gateways, we add a user ID to the gateway session data.
- chore: ecash contract migration to remove unused 'redemption_gateway_share'
- [Product Data] Client-side stats collection: The goal is to anonymously gather stats from nym-clients. These stats will be sent through the mixnet to a Nym run service provider that will gather them. This PR sets the scene to send stats in a mixnet message to an address. The address can be set when the client is created. Current stats include some infos on sent packets along with platform information. If a receiving address is set, the client will send a mixnet packet every 5min to this address. Otherwise, nothing happens and the client runs as usual.
- Send mixnet packet stats using task client
- Add granular log on nym-node and make use of it for `defguard_wireguard_rs` big info logs
- Rewarding for ticketbook issuance: Revamps the current validator rewarder to allow for rewards for issuing the zk-nym ticketbooks.
- [Product Data] Add stats reporting configuration in client config: Adds the stats reporting address to client configs. It can be set in the config file, as a CLI argument and as an env var in a `.env` file. As the stats reporting config is now in the `DebugConfig`, the `StatsReportingConfig` is no longer required, making the propagation of these changes more readable
- config score: introduces a concept of a `config_score` to a nym node which influences performance and thus rewarding amounts and chances of being in the rewarded set. Currently it's influenced by the following factors:
  - Accepting terms and conditions (not accepted: 0)
  - Exposing self-described API (not exposed: 0)
  - Running "nym-node" binary (legacy binary: 0)
  - Number of versions behind the core (`score = 0.995 ^ (X * versions_behind ^ 1.65)`)
  - The old performance is now treated as `routing_score`
  - the "new" performance = `routing_score * config_score`
- Add Dockerfile and add env vars for clap arguments
- Add GH workflow for nym-validator-rewarder
- [Product data] Data consumption with ecash ticket: Send an event each time an ecash ticket gets successfully spent. This allows to approximate how much data each client is using.
- [Product Data] Config deserialization bug fix: Fixes a bug where a `None` value was serialized into an empty string, and incorrectly deserialized into a `Some` variant.
- NS Agent auth with NS API: NS Agent authenticates with key that was registered with NS API
  - Added flag to Agent to generate keypairs
  - Agent requests are signed by agent
  - Server-side requests are checked for authentication
- Removed ci-nym-api-tests.yml which was running outdated (and broken) tests
- [Product Data] Set up country reporting from vpn-client: Add the ability to report exit country, along with a small refactoring of a module.
- chore: remove standalone legacy mixnode/gateway binaries
- Update `serde_json_path` due to compilation issue
- Add version to clientStatsReport: Add a `kind` and `api_version` field for `ClientStatsReport`
- Start session collection for exit gateways: Apparently, exit gateways are also entry gateways so we need to start session stats for them as well
- build(deps): bump mikefarah/yq from `4.44.3` to `4.44.5`: Bumps mikefarah/yq from `4.44.3` to `4.44.5`.
- build(deps): bump cross-spawn from `7.0.3` to `7.0.6` in /testnet-faucet: Bumps cross-spawn from `7.0.3` to `7.0.6`.
- Add export_to_env to NymNetworkDetails: In `nym-vpn-core` we've started to read the network environment from a json file and then try to pass around `NymNetworkDetails` directly instead of relying on the exported environment. However we still need to bridge with old code so we need to export the network details instance to the environment.
- Add support for DELETE to nym-http-api-client: Add delete support to `http-api-client`
- Add derive_extended_private_key to DirectSecp256k1HdWallet: Add `derive_extended_private_key` to `DirectSecp256k1HdWallet` to support seeding ecash keys
- Move two minor jobs to free tier github hosted runners: In an attempt to ease the load on the self-hosted runners, move two minor workflows over to GH hosted free tier runners.
- Remove peers with no allowed ip from storage
- Add indexes to monitor run and testing route
- Add `monitor_run` and testing_route indexes
- `explorer-api`: add nym node endpoints + UI to show nym-nodes and account balances:
  - Explorer API:
    - Existing endpoints stay identical
    - Adds new endpoints to get:
      - `nym-nodes` (list + by id)
      - account balance + delegations + rewarding + vesting
  - Explorer UI (NextJS)
    - List of nym-nodes
    - Remove service providers routes (Harbour Master shows these)
    - Updates summary page to show nym-nodes
    - Adds legacy markers to old gateway and mixnode bond lists
- Add `monitor_run` and testing_route indexes
- improvement: make internal gateway clients use the same topology cache: This should result in 66% reduction in queries for topology within `nym-node` as all the clients should rely on the same cache
- Update Security disclosure email, public key and policy
- adjusted config score penalty calculation
- Nmv2 add debug config: Adds debug config to disable poisson process, cover traffic and min performance filtering
- introduce UNSTABLE endpoints for returning network monitor run details
- Don't consider legacy nodes for rewarded set selection
- Derive serialize for UserAgent (#5210): Cherry-pick PR #5210
- Remove any filtering on node semver: Removed any filtering on version of nodes. However, the parameters can still be passed to `nym-api` queries to not break existing clients, but they will happily ignore them
- Further config score adjustments: I still want to add helper endpoints on `nym-api` to expose some of this data. But for now, I'll let this PR bake over the weekend.
Bugfix
- bugfix: don't send empty BankMsg in ecash contract: If ticketbook prices were to be set so low the resultant redemption would have created `BankMsg` with value of 0, that message is no longer going to be sent
- bugfix: correctly expose ecash-related data on nym-api: This PR makes fixes to ecash-related endpoints on `nym-api`
  - global data (such as aggregated signatures and keys) are actually always available by all apis
- bugfix: use default value for verloc config when deserialising missing values
- bugfix: fixed nym-node config migrations (again)
- bugfix: added explicit openapi servers to account for route prefixes
Operators Updates & Tools
Nym Network will now only allow nodes which migrated their node in Nym mixnet smart contract to Nym Node. All nodes which are still bonded as a legacy one (Mixnode or Gateway) in the wallet will have no chance to take part in the Rewarded set selection.
Operators taking part in Delegation program or Service Grant program must migrate their nodes latest by December 16th, 08:00 UTC.
Updates
- Version count as a part of config score has been introduced. To familiarize yourself with Nym Node operator rewards calculation, read this page.
- Nym nodes running as Exit Gateway in Service Grant program received delegation. Nym team is now delegating total of 64,800,000 NYM on top 241 Nym Nodes (137 in Mixnode mode and 104 as Gateways). Our delegation aims to incentivise committed operators who support bootstrapping of Nym network before paying users come.
- 250k NYM - Upgrading to magura in time - 2 nodes
- 300k NYM - Upgrading to magura + bonus for a quick patch upgrade - 102 nodes
- No delegation - not upgrading in time - 2 nodes
- `nym-node` has now implemented IPv6 support for wireguard
- `network_tunnel_manager.sh` updated: run the commands below to make sure `network_tunnel_manager.sh`
These commands can be run one by one or copy-pasted and run as a block.
mkdir $HOME/nym-binaries; \
curl -L https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/network_tunnel_manager.sh -o $HOME/nym-binaries/network_tunnel_manager.sh && \
chmod +x $HOME/nym-binaries/network_tunnel_manager.sh; \
$HOME/nym-binaries/network_tunnel_manager.sh check_nymtun_iptables ; \
$HOME/nym-binaries/network_tunnel_manager.sh remove_duplicate_rules nymtun0 ;\
$HOME/nym-binaries/network_tunnel_manager.sh remove_duplicate_rules nymwg;\
$HOME/nym-binaries/network_tunnel_manager.sh check_nymtun_iptables ; \
$HOME/nym-binaries/network_tunnel_manager.sh adjust_ip_forwarding ; \
$HOME/nym-binaries/network_tunnel_manager.sh apply_iptables_rules ; \
$HOME/nym-binaries/network_tunnel_manager.sh check_nymtun_iptables ; \
$HOME/nym-binaries/network_tunnel_manager.sh apply_iptables_rules_wg ; \
$HOME/nym-binaries/network_tunnel_manager.sh configure_dns_and_icmp_wg ; \
$HOME/nym-binaries/network_tunnel_manager.sh adjust_ip_forwarding ; \
$HOME/nym-binaries/network_tunnel_manager.sh check_ipv6_ipv4_forwarding; \
systemctl daemon-reload && service nym-node restart && journalctl -u nym-node -f
Then run the jokes in a new window for control
$HOME/nym-binaries/network_tunnel_manager.sh joke_through_the_mixnet
$HOME/nym-binaries/network_tunnel_manager.sh joke_through_wg_tunnel
Tools
- New APIs documentation with interactive APIs generated from the OpenAPI specs of various API endpoints offered by bits of Nym infrastructure run both by Nym and community operators for both Mainnet and the Sandbox testnet.
- Nym Harbourmaster has a new tab called `CONTRACT EXPLORER` querying data from Nym mixnet contract in real time.
- Nym Explorer is updated to read migrated nodes correctly
- New community explorer by SpectreDAO offers Nym Network dashboard, Node overview and Account stats view functions for operators and delegators.
- `nym-vpnc` build and run documentation, for those who don't want to use the Nym VPN GUIs.
magura-drift
Second patch to `v2024.13-magura` release version.
- Release binaries
- `nym-node` version `1.1.12`
nym-node
Binary Name: nym-node
Build Timestamp: 2024-11-29T13:10:51.813092288Z
Build Version: 1.1.12
Commit SHA: 4a9a5579c40ad956163ea02e01d7b53aef2ac8ef
Commit Date: 2024-11-29T14:06:32.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.83.0
rustc Channel: stable
cargo Profile: release
- This patch adds a peer storage manager to fix issues causing external clients to be blocked, ensuring they can successfully connect to different nodes.
v2024.13-magura-patched
- Release binaries
- `nym-node` version `1.1.11`
nym-node
Binary Name: nym-node
Build Timestamp: 2024-11-22T14:30:48.067329245Z
Build Version: 1.1.11
Commit SHA: 01c7b2819ee3d328deccd303b4113ff415d7e276
Commit Date: 2024-11-22T10:50:59.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.82.0
rustc Channel: stable
cargo Profile: release
After changes coming along with `v2024.13-magura` (`nym-node v1.1.10`), Nym Explorer is no longer picking all values correctly. Instead of fixing this outdated explorer, we are working on a new one, coming out soon.
Nym Harbourmaster has cache of 90min, expect your values to be updated with delay. We are aware of some issues with Nym Harbourmaster and working hard to resolve them in the upcoming explorer v2. To check your routing values in real time, you can use `nym-gateway-probe`.
Operators Updates & Tools
- Updated `network_tunnel_manager.sh` (moved to our monorepo) helps operators to configure their IP tables rules for `nymtun` and `wireguard` routing.
- Please re-run routing configuration steps to update your routing settings.
- We found out that some operators have a wrong value for wireguard IP. Follow these steps to ensure your value is set to `10.1.0.1` (default on new nodes):
1. Open your node config file:
nano $HOME/.nym/nym-nodes/<ID>/config/config.toml
# change <ID> for your local nym moniker for example:
# nano $HOME/.nym/nym-nodes/default-nym-node/config/config.toml
2. Control or change the value of wireguard private IP
- Scroll down to section starting with `[wireguard]`
- Find line `private_ip` and ensure it's set to value `10.1.0.1`
- The section will look like this:
[wireguard]
# Specifies whether the wireguard service is enabled on this node.
enabled = true
# Socket address this node will use for binding its wireguard interface.
# default: `0.0.0.0:51822`
bind_address = '0.0.0.0:51822'
# Private IP address of the wireguard gateway.
# default: `10.1.0.1`
private_ip = '10.1.0.1'
3. Save, exit and restart the service
- If you used `nano` editor - press `ctrl` + `x` and confirm the changes
- Run these commands to update the service with new values and restart your node process:
systemctl daemon-reload && service nym-node restart
- New manual how to run `nym-node` as non-root
- Since `v2024.13-magura`, operators do not update their node version in the wallet. Manual upgrading steps have been updated accordingly.
- CLI tool `node_api_check.py`, helping operators to collect all API values about their nodes locally, is not up to date with the API changes introduced with `v2024.13-magura` release version. Please treat it as unstable before we fix it.
Error Log
In case you encounter this error:
[ERROR] nym-node/src/node/mod.rs:628: the exit gateway subtask has failed with the following message: failed to start authenticator: internal wireguard error no private IP set for peer..
You can follow these steps to make a workaround:
1. Find the error
- In the node logs, locate the ERROR message which says `the exit gateway subtask has failed with the following message: failed to start authenticator: internal wireguard error no private IP set for peer KN5GPvkC+p6G/SM4PD2Z3ObAtRGiDjHPRnQOPpbdUQk=`
- Copy the end part of that peer, later denoted as `<WG_PEER_STRING_END>` (in our example `GiDjHPRnQOPpbdUQk=`) to use later in the sql commands
2. Fix the issue in sqlite3 db
Be careful when running commands within sqlite database.
- Navigate to the data directory:
cd $HOME/.nym/nym-nodes/<ID>/data
- Enter the database:
sqlite3 clients.sqlite
- Run these commands:
-- Replace <WG_PEER_STRING_END> with your unique peer string end
select * from wireguard_peer where public_key like '%<WG_PEER_STRING_END>%';
-- Make sure that only ONE line is returned and it contains the key
delete from wireguard_peer where public_key like '%<WG_PEER_STRING_END>%';
- Confirm that peer has been removed by running this again:
select * from wireguard_peer where public_key like '%<WG_PEER_STRING_END>%';
3. Exit and restart the service
Run `.quit` and:
systemctl restart nym-node.service
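The "only ONE line" check from step 2 can be enforced in code instead of by eye. The sketch below is an added example, not part of the Nym tooling: `remove_wireguard_peer` is a hypothetical helper, the one-column table is an assumption (the page shows only the table name and the `public_key` column), and every key except the one from the log line above is constructed sample data.

```python
import sqlite3

# PAGE_KEY and FRAGMENT are the values shown in the steps above; the other two
# keys are constructed sample data. The one-column schema is an assumption.
PAGE_KEY = "KN5GPvkC+p6G/SM4PD2Z3ObAtRGiDjHPRnQOPpbdUQk="
FRAGMENT = "GiDjHPRnQOPpbdUQk="
CASE_TWIN = "AAAAAAAAAAAAAAAAAAAAAAAAAAgidjhprnqoppbduqk="  # constructed
OTHER_KEY = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="  # constructed


class PeerMatchError(Exception):
    """The key fragment did not identify exactly one stored peer."""


def remove_wireguard_peer(conn, key_end, min_len=8):
    """Delete the one wireguard_peer row whose public_key ends with key_end.

    Matching is a case-sensitive suffix test done in Python, and the row is
    then deleted by exact key. Returns the removed key. Raises PeerMatchError
    and changes nothing when zero or several rows match.
    """
    if len(key_end) < min_len:
        raise PeerMatchError("fragment shorter than %d characters" % min_len)
    with conn:  # commits on success, rolls back if an exception escapes
        keys = [row[0] for row in
                conn.execute("SELECT public_key FROM wireguard_peer")]
        matches = [k for k in keys if k.endswith(key_end)]
        if len(matches) != 1:
            raise PeerMatchError(
                "expected 1 matching peer, found %d" % len(matches))
        cur = conn.execute(
            "DELETE FROM wireguard_peer WHERE public_key = ?", (matches[0],))
        if cur.rowcount != 1:
            raise PeerMatchError("delete affected %d rows" % cur.rowcount)
    return matches[0]


def count_peers(conn):
    return conn.execute("SELECT count(*) FROM wireguard_peer").fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wireguard_peer (public_key TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO wireguard_peer VALUES (?)",
                     [(PAGE_KEY,), (CASE_TWIN,), (OTHER_KEY,)])
    conn.commit()
    # SQLite's LIKE ignores ASCII case by default, so the manual query also
    # hits CASE_TWIN; this is the situation the "only ONE line" check guards.
    like_hits = conn.execute(
        "SELECT count(*) FROM wireguard_peer WHERE public_key LIKE ?",
        ("%" + FRAGMENT + "%",)).fetchone()[0]
    removed = remove_wireguard_peer(conn, FRAGMENT)
    try:
        remove_wireguard_peer(conn, "AAAAAAAA")  # no key ends with this
        refused = False
    except PeerMatchError:
        refused = True
    return {"like_hits": like_hits, "removed": removed,
            "refused": refused, "remaining": count_peers(conn)}


if __name__ == "__main__":
    print(demo())
```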
v2024.13-magura
Magura release represents a bigger milestone in project Smoosh development where `nym-node` is one binary able to perform any function in Nym Mixnet. This release is especially crucial for operators, please pay attention to the section Operators Updates & Tooling below.
- Release binaries
- Release CHANGELOG.md
- `nym-node` version `1.1.10`
nym-node
Binary Name: nym-node
Build Timestamp: 2024-11-18T17:02:50.947941194Z
Build Version: 1.1.10
Commit SHA: b49ef643df86f0c670672429812c632fbbaf6cf1
Commit Date: 2024-11-18T17:56:57.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.82.0
rustc Channel: stable
cargo Profile: release
- New wallet version 1.2.15 is out! - allowing operators to migrate to `nym-node` in Mixnet smart contract.
Features
- Directory Services v2.1: Read section Directory Services v2.1: API & Mixnet Contract Changes below with detailed explanation or the PR notes
- Switch over the last set of jobs to arc runners: Switch over the remaining GH jobs using 16-core runners to self-hosted arc runners. Since we can't currently use Docker on the ubuntu-20.04 runners, remove the matrix notification steps. Confirm that the deployment workflows work through manual testing
  - cd-docs
  - publish-sdk-npm
- V2 performance monitoring feature flag: Feature flag to use v2 network monitor results in rewarding
- Add `utoipa` feature to nym-node: `cargo build -p nym-node` was failing, since it depends on `QueryParams` having `utoipa` traits derived
- Extract packet processing from mixnode-common: First step on a journey of making a strong interface around packet processing, and packet processing portability. This one only moves stuff around, so it should be safe to just blindly merge.
- expose authenticator address along other address in node-details: Expose authenticator address along ip packet router and network requester for easier parsing
- Feature/contract state tools: Introduced/reimplemented old tools for importing cosmwasm contract states given a kv dump file. This makes it significantly easier to plan and test complex state migrations on actual chains where we risk timing out on expensive operations.
- Add env feature to clap and make clap parameters available as env variables
- [Product Data] First step in gateway usage data collection: This PR is the first step towards collecting data on gateway usage. It builds up on an old code for what was then nym-connect. It exposes unique users count and connection time histogram on the `metrics/sessions` endpoint of the self-described API on entry-gateways. For the time being, data is collected by probing the `ActiveClientStore` every minute and extracting data from this. Data is stored internally and exposed on the next day, i.e. UTC day $d$ exposes data from day $d-1$. The `statistics` module will evolve as we add collection for product data and censorship resistance study. The collection will also eventually switch from probing to event-based for more accurate data.
- `importer-cli` to correctly handle mixnet/vesting import
- Import `nym-vpn-api` crates: Keep these crates in a separate workspace for now. The idea is to add them to the main workspace in time, but it appears this might require some changes to how sqlite is used. Alternatively these issues might go away once we upgrade sqlite in the main workspace. Also we intend to rename some of these to something like `nym-credential-facade`, and the wasm lib should be incorporated in one of the existing crates in `common`.
- [Product Data] Add session type based on ecash ticket received: Fire an `EcashTicket` event for the `GatewayStatisticsCollector`, when an Ecash ticket is being accepted. This allows to mark an active session as being a mixnet session or a vpn session. It also changes the format of the related self-described data, to accommodate that new session type.
- feature: require reporting using nym-node binary for rewarded set selection
- Re-enable vested delegation migration: supersedes #4956 by removing the contract migration code as it's already been run on mainnet.
- Resolve beta clippy issues in contracts
- Enable global ecash routes even if api is not a signer
- Rename `nym-vpn-api` to `nym-credential-proxy`
- Make accepting t&c a hard requirement for rewarded set selection
- chore: update itertools in compact ecash: supersedes #4916
- Adjusted ticket sizes to the agreed amounts
- Added `get_all_described_nodes` to NymApiClient and adjusted return
- feature: use axum_client_ip for attempting to extract source ip: improves source ip logging by extracting relevant header when nym-api is run behind a proxy
- Added hacky routes to return nymnodes alongside legacy nodes
- Use unstable explorer client: Clean up stale testruns & better logging:
  - use new `/unstable` endpoints on explorer for backwards compatibility
  - log gw identity key
  - better agent testrun logging
  - log responses on server side
  - change response code for agents
  - update sqlx data
  - fix agent - probe gw bug
- chore: deprecated old nym-api client methods and replaced them when possible: this is so that the next time those methods are used outside the monorepo, the relevant calls flag up the CI via clippy
- Fix gateway decreasing bandwidth: Make sure to update the storage after each decrease with the new values. Also set the storage values to 0 on restart for existing peers, as kernel peers can't have those values set to 0
- Add more translations from v2 to v3 authenticator
- Graceful agent 1.1.5: API improvements:
  - agent exits gracefully when no testrun available
  - agent reads content of server's error message in case of 503
  - API doesn't log every error (to avoid log spam)
  - update network probe within NS agent image: CI rebuild of NS agent will pick up updated network probe
- Feature/force refresh node: currently if nodes update their role from say mixnode to entry-gateway, it might take quite a while for `nym-api` to pick up the change and thus they might be losing performance. With this change, the node will be force refreshed on its startup
- `nym-credential-proxy-requests`: reqwest use rustls-tls
- change: dont select mixnodes bonded with vested tokens into the rewarded set
- Respond to auth messages with same version
Bugfix
- Fix critical issues SI84 and SI85 from Cure53: This pull request fixes the following issues:
  - NYM-01-009 WP5: BLS12-381 EC signature bypasses in Coconut library (Critical)
  - NYM-01-014 WP5: Partial signature bypass in offline eCash (Critical)
- bugfix: correctly paginate through 'search_tx' endpoint: when `results.append(&mut res.txs);` was called, `res.txs` was always empty thus it was impossible to return more than page size number of results
- Bugfix/rewarder post pruning adjustments: this PR introduces/fixes the following:
  - dedicated commands to request specific blocks for processing
  - decreased websocket failure timeout
  - ensuring we do actually have sufficient number of blocks to process rewarding for given epoch
  - additional error logging
- bugfix: fix expected return type on /v1/gateways endpoint
- Bugfix/additional directory fixes: This branch introduces additional fixes to the new directory services
- Fix critical issues SI86 and SI87 from Cure53: This pull request fixes the following issues:
  - Faulty aggregation to invalid offline eCash signatures
  - Signature forgery of Pointcheval-Sanders schema
- bugfix: client memory leak: This fixes memory leaks in all the clients. However, they were most prominent in `nym-api` during network monitoring due to the sheer amount of packets being pushed
- bugfix: directory v2.1 `get_all_avg_gateway_reliability_in_interval` query: fixes query for avg gateway performance (no idea why it makes a difference, but it does...)
- bugfix: missing #[serde(default)] for announce port
- bugfix: verifying signed information of legacy nodes
- bugfix: fixed backwards incompatibility for /gateways/described endpoint
- bugfix: make sure to use correct highest node id when assigning role
- bugfix: use old name for 'epoch_role' in SkimmedNode
- bugfix: use human readable roles for annotations
- bugfix: make gateways insert themselves into [local] topology
- bugfix: use bonded nym-nodes for determining initial network monitor …
- bugfix: make sure nym-nodes are also tested by network monitor
- bugfix: don't assign exit gateways to standby set
- bugfix: restore default http port for nym-api: when it was run under 'rocket' server the port used was 8000. let's restore that value
- bugfix: supersede 'cb13be27f8f61d9ae74d924e85d2e6787895eb14' by using…
- bugfix: adjust runtime storage migration: remove the panic during migration as the gateway count can actually be different if some of them have already migrated to nym-nodes before the code has been run
- bugfix/feature: added NymApiClient method to get all skimmed nodes
- bugfix: use correct axum extractors for ecash route arguments
- bugfix: additional checks inside credential proxy
- bugfix: [wallet] displaying delegations for native nymnodes
- bugfix: preserve as much as possible of the rewarded set during migration
- bugfix: assign 'node_id' when converting from 'GatewayDetails' to 'TestNode'
Operators Updates & Tooling
Every operator has to make sure that their nodes self-described endpoint works, otherwise the node will be un-routable and thus won't get any rewards!
- New technical documentation: All Nym documentation starts from a new entry page nymtech.net/docs. To run locally or propose collaboration, start in our repository
- New Tokenomics chapter with Mixnet Rewards page
- Nym Harbourmaster has a new tab `NODE SEARCH` where operators can easily search nodes by identity keys and owner accounts and get all public information listed.
- Simplified bonding and Mixnet smart contract migration
- Nodes bonded with vesting tokens are not allowed to join rewarded set - read more on Nym operators forum
Wallet changes
New wallet version 1.2.15 is out!
- This version of wallet allows and prompts operators to migrate their gateway or mixnode to a `nym-node` in the Mixnet smart contract - an important step in project smoosh. To do so follow these steps:
1. Download the wallet from the release page
2. Verify the binary and extract it if needed
- Download `hashes.json`
- Open it with your text editor or print its content with `cat hashes.json`
- Run `sha256sum <WALLET_BINARY>` for example `sha256sum ./nym-wallet_1.2.15_amd64.AppImage`
- If you have to extract it (like `.tar.gz`) do it
3. Open the wallet and sign in
4. Migrate!
- Go to Bonding and you will be prompted with such message:
- In case you for some reason didn't see the prompt or you closed it - you can click in the upper right corner of the same window on this button:
- Confirm the transaction
5. Welcome to new episode of `nym-node`!
- Older versions will not allow bonding new nodes!
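Step 2 above leaves the comparison of the `sha256sum` output with `hashes.json` to the reader; the sketch below automates it. It is an added example, not part of the Nym release tooling: the layout of `hashes.json` is not shown on this page, so the code makes no assumption about it and accepts a download only if its digest appears as a 64-hex-digit string somewhere in the file. The function names, file name and manifest content in `demo()` are constructed.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

_SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256; same digest that sha256sum prints."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def published_digests(manifest_text):
    """Collect every SHA-256-looking string (key or value) in the JSON."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, str) and _SHA256_HEX.fullmatch(node):
            found.add(node.lower())  # hex case differs between tools

    walk(json.loads(manifest_text))
    return found


def verify_download(binary_path, manifest_path):
    """Return the digest if it is listed in the manifest, else raise."""
    digest = sha256_file(binary_path)
    listed = published_digests(Path(manifest_path).read_text(encoding="utf-8"))
    if not listed:
        raise ValueError("manifest contains no SHA-256 digests")
    if digest not in listed:
        raise ValueError("digest %s is not listed in the manifest" % digest)
    return digest


def demo():
    """Run the check on constructed files: one intact, one modified."""
    payload = b"constructed wallet bytes\n"
    expected = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        binary = Path(tmp) / "nym-wallet_constructed.AppImage"
        manifest = Path(tmp) / "hashes.json"
        binary.write_bytes(payload)
        # Constructed manifest layout, upper-case hex on purpose.
        manifest.write_text(json.dumps(
            {"assets": {binary.name: {"sha256": expected.upper()}}}))
        intact_ok = verify_download(binary, manifest) == expected
        binary.write_bytes(payload + b"one extra byte")
        try:
            verify_download(binary, manifest)
            modified_rejected = False
        except ValueError:
            modified_rejected = True
    return {"intact_ok": intact_ok, "modified_rejected": modified_rejected}


if __name__ == "__main__":
    print(demo())
```

A match shows the file is one of the published release assets; it does not show which one, so the file name and version still need a look.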
Selection & Rewarding
- Config score is introduced: In the current version the nodes selection to the active set has a new parameter (which multiplies the existing formula) - `config_score`. Config score looks if the node binary is `nym-node` (not legacy `nym-mixnode` or `nym-gateway`) AND if Terms & Conditions are accepted. Config score has binary values of either 0 or 1, with the following logic:
Run nym-node binary | T&C's accepted | config_score |
---|---|---|
True | False | 0 |
False | True | 0 |
False | False | 0 |
True | True | 1 |
- The active set selection formula is then:
CONFIG_SCORE * STAKE_SATURATION * PERFORMANCE ^ 20
- Currently, in naive rewarding, the rewards are split equally across the rewarded set of nodes (which now = active set and its size is 240 nodes) for both Mixnet mode and dVPN mode. Every node is assigned a 1 / 240 work factor (hence naive rewarding).
Directory Services v2.1: API & Mixnet Contract Changes
Magura release brings breaking changes to the API logic of Nym. New APIs will only communicate with nym-node from this release and newer. Also, old versions of the APIs won't be able to communicate with the new version of nym-node. We are also moving towards completely removing Nym Explorer API, which now has been only used to report nodes location.
Any new bonded node will provide only the bare minimum information: host, identity key and optionally custom port of its HTTP API - we highly recommend setting that one to 8080. Everything else will be discovered via the self-described API for maximum flexibility. This also includes the sphinx key, meaning if the API is not exposed, the node will be unable to route any traffic. Furthermore, this allows arbitrary changes of nym-node from mixnode into gateway modes (and vice versa) without losing any delegations.
The contract changes also mean any node functionality can get rewards. Rather than just nodes with assigned mixing roles, gateways are now also added into the pool. However, to be eligible for gateway rewarding, one must migrate into a nym-node on a smart contract level (or bond a new node).
API High Level Changes
New/Added
- All new routes that return multiple nodes/entries/etc now wrap their responses to expect pagination. Currently, however, full data is returned for each of the endpoints since the pagination hasn't been implemented yet. But once we add it, it won't be a breaking API change.
Removed
- rocket support has been completely removed. All routes are now always served via axum
Changed
- Getting anything to do with all nodes (including gateways) requires knowing their node_id. For legacy gateway endpoints, we have a helper method that translates identity key to the node_id
- Rewarded set is no longer populated with just mixnodes. Instead nym-nodes are assigned to eligible roles (based on stake and performance) in the following order:
  - entry gateways
  - exit gateways
  - mixnodes
  - standby
- A lot of legacy routes got deprecated. While technically they still "work" and return data, they only return data for legacy nym-mixnode and nym-gateway. What it means is that as operators are migrating their nodes (in the smart contract), those endpoints will start running dry.
- Since layers are only assigned during rewarded set assignment, for the purposes of network monitor (v1) and legacy mixnode routes, layerless nodes are put on random layers during annotation
- All legacy gateway queries now also include an additional field in their responses: node_id, which indicates the id pre-assigned during contract migration
- Nym Node performance is a bit odd. When network monitors (v1 and v2) were made, there was no concept of a Nym Node. The solution taken is checking whether there is any mixnode performance for node with a given id, if so - return it. Otherwise we grab the equivalent gateway performance. In the future it should probably be averaged or maybe split into explicit mixing or gateway routing performance metrics.
nym-api Changes
- Root route / now redirects to /swagger
nym-node Routes
- /v1/nym-nodes/annotation/<NODE_ID> - get annotation about particular nym-node, as gathered by this nym-api. Currently this just includes last 24h performance metric and the current node role
- /v1/nym-nodes/bonded - get bond information about Nym Nodes, as present in the mixnet contract
- /v1/nym-nodes/described - get described information about Nym Nodes, as present on their self-described API
- /v1/nym-nodes/historical-performance/<NODE_ID> - return historical performance of this nym-node on the provided date
- /v1/nym-nodes/performance-history/<NODE_ID> - return performance history of this nym-node (as a 0 - 1 float)
- /v1/nym-nodes/uptime-history/<NODE_ID> - return current uptime of this nym-node (as a 0 - 100 u8); added for compatibility with existing APIs using that data format
- /v1/nym-nodes/performance/<NODE_ID> - return current performance of this nym-node
- /v1/unstable/nym-nodes/noise - returns basic information needed for the noise protocol between nodes
- /v1/unstable/nym-nodes/skimmed/active - returns all: Nym Nodes and legacy mixnodes and legacy gateways, that are currently in the active set, unless no-legacy parameter is used
- /v1/unstable/nym-nodes/skimmed/mixnodes/active - returns all: Nym Nodes and legacy mixnodes, that are currently in the active set, unless no-legacy parameter is used
- /v1/unstable/nym-nodes/skimmed/mixnodes/all - returns all: Nym Nodes and legacy mixnodes, that are currently bonded and support mixing role, unless no-legacy parameter is used
- /v1/unstable/nym-nodes/skimmed/entry-gateways/active - returns all: Nym Nodes and legacy gateways, that are currently in the active set and are assigned the entry role, unless no-legacy parameter is used
- /v1/unstable/nym-nodes/skimmed/exit-gateways/active - returns all: Nym Nodes and legacy gateways, that are currently in the active set and are assigned the exit role, unless no-legacy parameter is used
- /v1/unstable/nym-nodes/skimmed/entry-gateways/all - returns all: Nym Nodes and legacy gateways, that are currently bonded and support entry gateway role, unless no-legacy parameter is used
- /v1/unstable/nym-nodes/skimmed/exit-gateways/all - returns all: Nym Nodes and legacy gateways, that are currently bonded and support exit gateway role, unless no-legacy parameter is used
Deprecated (will be removed eventually, so please migrate away from their usage)
Some endpoints got purposely deprecated without any equivalent reimplemented since they do not belong on nym-api. This includes for example /stake-saturation (which can be obtained directly from the contract instead) or /inclusion-probability (for this run your own Monte Carlo simulation).
- contract-cache routes - all of the below got deprecated as they will only return legacy nym-mixnode and nym-gateway data:
/v1/gateways
/v1/gateways/blacklisted
/v1/mixnodes
/v1/mixnodes/active - just to restate the obvious, it will only return a small SUBSET of the active set since it will ignore active Nym Nodes
/v1/mixnodes/active/detailed
/v1/mixnodes/blacklisted
/v1/mixnodes/detailed
/v1/mixnodes/rewarded
/v1/mixnodes/rewarded/detailed
- status routes - all of the below got deprecated as they will only return legacy nym-mixnode and nym-gateway data:
/v1/status/gateway/<ID_KEY>/report
/v1/status/gateway/<ID_KEY>/history
/v1/status/gateway/<ID_KEY>/core-status-count
/v1/status/gateway/<ID_KEY>/avg_uptime
/v1/status/gateways/detailed
/v1/status/gateways/detailed-unfiltered
/v1/status/mixnode/<MIX_ID>/report
/v1/status/mixnode/<MIX_ID>/history
/v1/status/mixnode/<MIX_ID>/core-status-count
/v1/status/mixnode/<MIX_ID>/avg_uptime
/v1/status/mixnodes/detailed
/v1/status/mixnodes/detailed-unfiltered
/v1/status/mixnode/<MIX_ID>/status
/v1/status/mixnode/<MIX_ID>/reward-estimation
/v1/status/mixnode/<MIX_ID>/compute-reward-estimation
/v1/status/mixnode/<MIX_ID>/stake-saturation
/v1/status/mixnode/<MIX_ID>/inclusion-probability
/v1/status/mixnodes/inclusion_probability
/v1/status/mixnodes/rewarded/detailed
/v1/status/mixnodes/active/detailed
- nym-node routes - all of the below got deprecated as they will only return legacy nym-mixnode and nym-gateway data:
/v1/gateways/described
/v1/mixnodes/described
- Unstable Nym Nodes Routes:
/v1/unstable/nym-nodes/mixnodes/skimmed - due to inconsistency in behaviour (i.e. active vs all) it is now redirected to /v1/unstable/nym-nodes/mixnodes/skimmed/active and unwraps the pagination
/v1/unstable/nym-nodes/gateways/skimmed - due to inconsistency in behaviour (i.e. active vs all) it is now redirected to /v1/unstable/nym-nodes/entry-gateways/skimmed/all and unwraps the pagination
Unstable Nym Nodes Routes:
/v1/unstable/nym-nodes/skimmed - now works with exit parameter
/v1/unstable/nym-nodes/skimmed - introduced no-legacy flag to ignore legacy nym-mixnode and nym-gateway (where applicable)
/v1/unstable/nym-nodes/skimmed - will now return all nodes if no query parameter is provided
Mixnet Contract
Every operator has to make sure that their node's self-described endpoint works, otherwise the node will be un-routable and thus won't get any rewards!
High Level Changes
New/Added
- All new nodes are now bonded as Nym Nodes, even when using old BondMixnode or BondGateway messages (messages are getting translated)
- Operators only announce the node's identity key (<ID_KEY>), host and port to the directory. Everything else is discovered via self-described endpoint
- All Nym Nodes in the rewarded set are eligible for rewards and staking. Even if they serve one of the gateway roles. Legacy gateways can't be staked on nor get rewards.
- All nodes, including legacy mixnodes and legacy gateways, are now uniquely identified by a monotonically increasing node_id
- All legacy gateways are preassigned node_id during the contract migration
Removed
🔥 all concepts of node families got purged, removed, deleted, thrown into the abyss. they simply no longer exist and the world is all better for it.
Changed
- Bunch of types got changed/renamed with some fields being added/removed/deprecated. It'd be quite a lot of work to list them all here, but whenever possible and feasible, they should be cross-compatible (but not always).
- Rewarded set is no longer just a "number". Instead it has an explicit number of all nym-node modes: mixnodes, entry and exit gateways as well as standby nodes
- Rewarding is now based on two parameters: performance and work factor as opposed to performance and "is active" flag. However, in practice, during this transitional period, it is assumed that the work factor will be equivalent to what would have been calculated using the old "is active" flag
Transaction Messages Changes
- BondNymNode - self-explanatory
- UnbondNymNode - self-explanatory
- UpdateNodeConfig - works as UpdateMixnodeConfig; it lets you change your announced host or http api port
- MigrateMixnode - migrate your existing legacy mixnode into a Nym Node
- MigrateGateway - migrate your existing legacy gateway into a Nym Node. Enables staking and rewarding
- AssignRoles - an additional step for epoch transition transactions. Think of it as a replacement for AdvanceCurrentEpoch. It assigns nodes to particular roles for the given epoch
- As mentioned, all family-related things got killed off, so the following no longer exist: CreateFamily, JoinFamily, LeaveFamily, KickFamilyMember, CreateFamilyOnBehalf, JoinFamilyOnBehalf, LeaveFamilyOnBehalf, KickFamilyMemberOnBehalf
- UpdateActiveSetSize - the rewarded/active set are now based on the role distribution
- AssignNodeLayer - we're no longer explicitly assigning roles to all mixnodes, instead they get assigned mixing roles
- AdvanceCurrentEpoch - the logic for advancing the epoch/assigning active set has changed so this message was removed
v2024.12.1-aero
- patch
- Release binaries
- nym-node patch only, no other binaries
nym-node
Binary Name: nym-node
Build Timestamp: 2024-11-07T08:45:13.162565620Z
Build Version: 1.1.9-1
Commit SHA: ccdee808303ffcfa8ed77176d3f629512045febb
Commit Date: 2024-11-06T16:31:30.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.82.0
rustc Channel: stable
cargo Profile: release
Changes
- Fixed timeout connectivity issues with authenticator
- Amended network allowance cap
v2024.12-aero
- Release binaries
- Release CHANGELOG.md
- nym-node version 1.1.9
nym-node
Binary Name: nym-node
Build Timestamp: 2024-10-17T08:57:52.525093253Z
Build Version: 1.1.9
Commit SHA: d75c7eaaaf3bb7350720cf9c7657ce3f7ee6ec2e
Commit Date: 2024-10-17T08:51:39.000000000+02:00
Commit Branch: HEAD
rustc Version: 1.81.0
rustc Channel: stable
cargo Profile: release
Features
- Rust sdk stream abstraction: Starting to move this from being standalone binaries (as seen here) into the sdk. EDIT this has sort of expanded a bit to include a few things:
  - simple example
  - example doc to src/tcp_proxy.rs
  - simple echo server in tools/
  - multithread example
  - example to sdk for using different network
  - go ffi for proxies
- Build(deps): bump toml from 0.5.11 to 0.8.14: toml version update
  - Ensured that the cargo.toml is legible in various places; tested it on nym-node, nym-api and nymvisor.
  - Ensured that updating the cargo.toml file and restarting the given binary continues to behave as normal.
- Use serde from workspace: cargo autoinherit for serde
  - cargo autoinherit for bs58 and vergen in cosmwasm-smart-contracts
- Gateway database modifications for different modes: As gateway clients will not be solely from the mixnet, we need to split the table that handles shared keys from the client ids that are referenced from other tables. That way, the bandwidth table can be shared between different client types (entry mixnet, entry gateway, exit gateway), using the same client_id referencing.
- Remove the push trigger for ci-nym-wallet-rust
- Chore: remove queued migration for adding explicit admin
- Allow clients to send stateless gateway requests without prior registration: in order to make changes to the registration/authentication procedure we needed a way of extracting protocol information before undergoing the handshake.
- Feature/updated gateway registration: This PR introduces support for aes256-gcm-siv shared keys between clients and gateways.
  - Those changes should be fully backwards compatible. If they're not, there's a bug.
  - For the following combinations I inited the client, ran the client, stopped the client, and ran the client again:
    - Fresh client on new binary && gateway on old binary
    - Fresh client on old binary && gateway on new binary
    - Fresh client on new binary && gateway new binary
    - Existing old client on old binary & new gateway
- Entry wireguard tickets: Note: The behaviour of the nodes and vpn client (as a test) has not changed, it still works as it used to. Obtaining ticketbooks also is unchanged
- Update nym-vpn metapackage and replace nymvpn-x with nym-vpn-app: Change dependency from nymvpn-x to nym-vpn-app to reflect the new package name of the tauri client
- Remove clippy github PR annotations: It eats up CI resources and time to run the clippy annotation checks that likely no one uses anyway. We keep the clippy checks of course.
- Update cargo deny: Update to use latest cargo-deny. Here are the steps done:
  - Regenerate deny.toml
  - Backport old settings to deny.toml
  - Explicitly allow GPL-3 only on our own specific crates
  - Update deny.toml for latest changes
  - Fix cargo-deny warnings for duplicate crates
  - Update cargo-deny-action to v2
- Data Observatory stub: You need Postgres up for sqlx compile-time checked queries to work
./pg_up.sh
  - Play with the database:
docker exec -it nym-data-observatory-pg /bin/bash
psql -U youruser -d yourdb
- Proxy ffi: Updates Go & CPP FFI with the proxy code from #4743
- Bump http-api-client default timeout to 30 sec
- Check both version and type in message header
- nym-node: don't use bloomfilters for double spending checks: this PR disables gateways polling for double spending bloomfilters and also nym-apis from providing this data.
Bugfix
- Fix apt install in ci-build-upload-binaries.yml
- Fix missing duplication of modified tables
- Fix nymvpn.com url in mainnet defaults: The old URL (nympvn.net) works since it is redirected to nymvpn.com, but the extra round-trip adds latency to all the API calls the vpn client does. So this PR should help speed things up, in particular when these API calls happen across the mixnet.
- Replace unreachable macro with an error return
Operators Guide, Tooling & Updates
Documentation Updates
- Update FAQ sphinx size: This PR upgrades url to our code base sphinx creation from an outdated branch to develop.
Fast & Furious - WireGuard edition
Nym team started another round of load and speed testing. This time the tests are limited to Wireguard mode Gateways - to find any weak spots that need improvement. The load testing is happening directly on mainnet as it simulates a real user traffic which the network components must be able to handle in order.
Over the past week we ran a total of three tests, with 450 clients at most. We've managed to push around 300 GB in total. Around 50% of requests failed. Over the course of those three tests, we did about 5000 requests, and bandwidth per client varied between 50Mb/s and 150Mb/s.
We already caught two bugs and fixed them in this release.
The faster the operators upgrade to this latest release, the better. That will allow us to do more precise testing through the nodes without the registry bug, leading to more precise specs for nym-node.
Here are the aims of these tests:
- Understanding of the wireguard network behavior under full load
- How many client users can all entry gateways and exit gateways handle simultaneously?
- How much sustained IP traffic can a subset of mainnet nodes sustain?
- Needed improvements of Nym Node binaries to improve the throughput on mainnet
- Measurement of required machine specs
- Releasing a new spec requirements
- Raw data record
- Increase quality of Nym Nodes
Meanwhile we started to research pricing of stronger servers with unlimited bandwidth and higher (and stable) port speed, to arrive at a better understanding of needed rewards and grants to bootstrap the network before NymVPN launch.
More info about testing and tools for performance monitoring can be found in this chapter.
We would like to call out to operators to join the efforts and reach out to us if they know of solid ISPs who offer reliable dedicated services for good price or may even be interested in partnership.
Delegation Program
In October we again proceeded with our Delegation Program. 22 nodes didn't meet the program rules and got their delegation removed and 25 nodes from the queue received delegation. Below is a complete list.
Delegated:
Undelegated due to the use of an outdated binary:
Undelegated due to increased operation costs or profit margin:
Undelegated due to being blacklisted for extensive period
sjL9n9ymxfWWwkQJxXdsMkdwamXfh3AJ3vCe7rJ8RrT
E2HAJrHnk56QZDUCkcjc4i4pVEqtyuPYL5bNFYtweQuL
4PytR3tmodsvqGTKdY47yie8kmrkARQdb5Ht3Ro3ChH4
v2024.11-wedel
- Release binaries
- Release CHANGELOG.md
- nym-node version 1.1.8
Binary Name: nym-node
Build Timestamp: 2024-09-27T11:02:37.073944654Z
Build Version: 1.1.8
Commit SHA: c3ec970a377adb25d57be5428551fada2ec55128
Commit Date: 2024-09-26T08:24:53.000000000+02:00
Commit Branch: master
rustc Version: 1.80.1
rustc Channel: stable
cargo Profile: release
Features
- New Network Monitor: Monitors the Nym network by sending itself packages across the mixnet. Network monitor is running two tokio tasks, one manages mixnet clients and another manages monitoring itself. Monitor is designed to be driven externally, via an HTTP api. This means that it does not do any monitoring unless driven by something like locust. This allows us to tailor the load externally, potentially distributing it across multiple monitors. Includes a dockerised setup for automatically spinning up monitor and driving it with locust.
  - Note: NNM is not deployed on mainnet yet!
- Add get_mixnodes_described to validator_client
- Remove deprecated mark_as_success and use new disarm: Update function name to keep terminology consistent with tokio CancellationToken DropGuard.
- Update peer refresh value: Also expose the value by moving it to wireguard types, and separate the refresh time to the database sync time, so that more probable and needed actions happen faster (refresh) and more improbable ones don't overload the system (peer suspended or stale)
  - Noted that the constants DEFAULT_PEER_TIMEOUT and DEFAULT_PEER_TIMEOUT_CHECK have been moved to common/wireguard-types/src/lib.rs and are now being used across modules for consistency
  - Observed that the peer_controller.rs now separates the in-memory updates from the storage sync operations to reduce system load
  - Identified that in-memory updates of peer bandwidth usage happen every DEFAULT_PEER_TIMEOUT_CHECK (every 5 seconds), while storage updates occur every 5 * DEFAULT_PEER_TIMEOUT_CHECK (every 25 seconds)
Checked System Load and Performance:
- Monitored system resource usage (CPU, memory, I/O) during the test to assess the impact of the changes
- Confirmed that the separation of in-memory updates and storage syncs resulted in reduced system load, particularly I/O operations, compared to previous versions where storage updates occurred more frequently
- Ensured that the system remained responsive and no performance bottlenecks were introduced
- Efficiency Improvement: The separation of in-memory updates and storage syncs effectively reduced unnecessary database writes, improving system efficiency without compromising data accuracy
- Remove duplicate stat count for retransmissions
- Make gateway latency check generic: Replace concrete gateway type with trait in latency check, so we can make use of it in the vpn client.
  - Initialised new nym-client with the --latency-based-selection flag and ensured it still works as normal.
- Avoid race on ip and registration structures: To avoid a state where the ip is being cleared out before the registration is also cleared out, couple the two structures under the same lock, since they are anyway very inter-dependent.
  - Checked out the release/2024.10-wedel branch containing the fix for the race condition on IP and registration structures
  - Deployed it on a controlled test environment to prevent interference
  - Monitored Logs:
    - Enabled debug logging to capture all events
    - Monitored logs in real-time to observe the handling of concurrent registration requests
    - Checked for any error messages, warnings, or indications of race conditions
  - Verified Client Responses:
    - Ensured that all clients received appropriate responses:
      - Successful registration with assigned IP and registration data
      - Appropriate error messages if no IPs were available or if other issues occurred
    - Confirmed that no clients were left in an inconsistent state (e.g., assigned an IP but not fully registered)
  - Validated Normal Operation:
    - Conducted standard registration processes with individual clients to confirm that regular functionality is unaffected via nym-vpn-cli
    - Ensured that authenticated clients could communicate over the network as expected
- Enable dependabot version upgrades for root rust workspace
- Fix clippy for unwrap_or_default: Fix nightly build for beta toolchain
- Update dependabot: Bump max number of dependabot rust PRs to 10. Add readme entry to workspace package.
- Run cargo-autoinherit for a few new crates: Run cargo-autoinherit for a few new crates - Sort crates list.
- Add axum server to nym-api: Summary PR to add axum functionality behind a feature flag axum, alongside rocket.
- Expose wireguard details on self described endpoint
Wireguard details are now visible at the nym-node endpoint /api/v1/gateway/client-interfaces as well as on the nym-api self-described endpoint /api/v1/gateways/described, above the existing data displaying mixnet_websocket information.
An example of what will be shown is:
"wireguard": {
  "port": 51822,
  "public_key": "<some public key here>"
}
- Revamped ticketbook serialisation and exposed additional cli methods: wip branch that includes changes needed for vpn-api alongside additional ecash utils
Checked the following commands:
show-ticket-books # which displays the information about all ticketbooks associated to the client
import-ticket-book # which imports a normal ticketbook to the client alongside `--full` flag
On the cli, the following were added: import-coin-index-signatures, import-expiration-date-signatures and import-master-verification-key.
- Run cargo autoinherit following last week's dependabot updates
- Create nym-repo-setup debian package and nym-vpn meta package: Create nym-repo-setup debian package that sets up the nymtech debian repo on the system it's installed on. It does 2 things:
  - Copy the keyring to /usr/share/keyrings/nymtech.gpg
  - Copy the repo spec to /etc/apt/sources.list.d/nymtech.list
  - Also create a meta package nym-vpn whose only purpose is to depend on the daemon and UI.
- Install with
sudo dpkg -i ./nym-repo-setup.deb
- Once it's installed, it should be possible to install the vpn client with
sudo apt install nym-vpnc
- To remove the repo, use
sudo apt remove nym-repo-setup
NOTE: removing the repo will not remove any installed nym-vpn packages
- Downloaded the nym-repo-setup.deb package to a Debian-based test system
- Installed the repository setup package using the command:
sudo dpkg -i ./nym-repo-setup.deb
- Verified that the GPG keyring was copied to /usr/share/keyrings/nymtech.gpg:
ls -l /usr/share/keyrings/nymtech.gpg
- Checked that the repository specification was added to /etc/apt/sources.list.d/nymtech.list:
cat /etc/apt/sources.list.d/nymtech.list
- Updated the package list:
sudo apt update
- Installed the VPN client meta-package:
sudo apt install nym-vpnc
- Confirmed that the nym-vpnc package and its dependencies (daemon and UI) were installed successfully
- Tested the VPN client to ensure it operates as expected
- Removed the repository setup package:
sudo apt remove nym-repo-setup
- Verified that the repository specification file /etc/apt/sources.list.d/nymtech.list was removed
- Ensured that the installed nym-vpnc packages remained installed and functional after removing the repo setup package
- Use ecash credential type for bandwidth value
- Start switching over jobs to arc-ubuntu-20.04
  - ci-binary-config-checker
  - ci-build-upload-binaries
  - ci-build
  - ci-cargo-deny
  - ci-contracts-schema
  - ci-contracts-upload-binaries
  - ci-contracts
  - ci-docs
  - ci-nym-wallet-rust
  - ci-sdk-wasm
- Move credential verification into common crate
- Remove golang workaround in ci-sdk-wasm
- Disable push trigger and add missing paths in ci-build
- chore: removed completed queued mixnet migration
Bugfix
- Fix test failure in ipr request size: Nightly build started failing due to a unit test using now(), changing the serialized size. Fixed to use a fixed date.
- Fix clippy for nym-wallet and latest rustc
- Allow updating globally stored signatures
- Bugfix/ticketbook false double spending
Tested running a client in mixnet mode, with a standard ticketbook, as well as a client using an imported ticketbook. The double spending bug is no longer an issue, bandwidth is consumed properly, and upon consumption of one ticket another ticket is properly obtained.
Operators Guide, Tooling & Updates
- WSS setup guide updates: Operators setting up WSS and reverse proxy on Gateways now have a cleaner and simpler guide to configure their VPS.
- Update hostname instruction for WSS: Adding a hostname instruction for clarity
nym-node patch from release/2024.10-caramello
Binary Name: nym-node
Build Timestamp: 2024-09-16T15:00:41.019107021Z
Build Version: 1.1.7
Commit SHA: 65c8982cab0ff3a1154966e7d61956cb42a065fc
Commit Date: 2024-09-16T15:59:34.000000000+02:00
Commit Branch: HEAD
rustc Version: 1.81.0
rustc Channel: stable
cargo Profile: release
This patch fixes a v202410-caramello release bug where one of the used dependencies - DefGuard - was failing.
Updating to this patched version and running nym-node --mode exit-gateway with --wireguard-enabled true should result in a smooth node start without the defguard_wireguard error that occurred for some operators before:
/home/ubuntu/.cargo/registry/src/index.crates.io-6f17d22bba15001f/defguard_wireguard_rs-0.4.2/src/netlink.rs:155: Serialized netlink packet (23240 bytes) larger than maximum size 12288: NetlinkMessage.
This release is a patch only; there are no additional features, and everything else stays the same as in the latest release v202410-caramello.
v2024.10-caramello
- Release binaries
- Release CHANGELOG.md
- nym-node version 1.1.7
- Backport 4844 and 4845 (#4857)
- Bugfix/client registration vol2 (#4856)
- Remove wireguard feature flag and pass runtime enabled flag (#4839)
- Eliminate cancel unsafe sig awaiting (#4834)
- added explicit updateable admin to the mixnet contract (#4822)
- using legacy signing payload in CLI and verifying both variants in contract (#4821)
- adding ecash contract address (#4819)
- Check profit margin of node before defaulting to hardcoded value (#4802)
- Sync last_seen_bandwidth immediately (#4774)
- Feature/additional ecash nym cli utils (#4773)
- Better storage error logging (#4772)
- bugfix: make sure DKG parses data out of events if logs are empty (#4764)
- Fix clippy on rustc beta toolchain (#4746)
- Fix clippy for beta toolchain (#4742)
- Disable testnet-manager on non-unix (#4741)
- Don't set NYM_VPN_API to default (#4740)
- Update publish-nym-binaries.yml (#4739)
- Update ci-build-upload-binaries.yml (#4738)
- Add NYM_VPN_API to network config (#4736)
- Re-export RecipientFormattingError in nym sdk (#4735)
- Persist wireguard peers (#4732)
- Fix tokio error in 1.39 (#4730)
- Feature/vesting purge plus ranged cost params (#4716)
- Fix (some) feature unification build failures (#4681)
- Feature Compact Ecash : The One PR (#4623)
Features
Scenario 1: Bandwidth Decreasing Continuously
- Started the client and noted the initial bandwidth (e.g., 1GB).
- Used the client and tracked bandwidth usage over time (e.g., decrease by 100MB every hour).
- Restarted the client after some usage.
- Verified the bandwidth continued from the last recorded value, not reset.
The bandwidth continued decreasing without resetting upon restart. Logs and reports correctly reflected the decreasing bandwidth.
Scenario 2: Bandwidth Reset Next Day
- Used the client normally until the end of the day.
- Suspended some clients and kept others active.
- Checked bandwidth at midnight.
- Verified that bandwidth reset to 1GB for both suspended and active clients.
Bandwidth reset to 1GB for all clients at midnight. Logs and reports correctly showed the reset.
Scenario 3: Bandwidth Reset at a Different Time (e.g., Midday)
- Configured the system to reset bandwidth at midday.
- Used the client and monitored bandwidth until midday.
- Kept the client connected during the reset time.
- Verified that bandwidth reset to 1GB live at midday.
Bandwidth reset to 1GB at midday while the client was connected. Logs and reports correctly reflected the reset.
Scenario 4: Stale Check for 3 Days
- Kept a client inactive for 3 days.
- Verified removal from the peer list after 3 days.
- Reconnected the client after 3 days and checked for a new private IP.
- Restarted a client within 3 days and verified it retained the same private IP.
The client was removed from the peer list after 3 days of inactivity. Upon re-connection after 3 days, the client received a new private IP. The client retained the same private IP when restarted within 3 days.
- Feature/merge back: Merge back from the release branch the changes that fix the nym-node upgrades.
- Removed mixnode/gateway config migration code and disabled cli without explicit flag: Commands for the archived / legacy binaries nym-gateway and nym-mixnode won't do anything without an explicit --force-run to bypass the deprecation. The next step, in say a month or so, is to completely remove all cli related things.
- Verify that the nym-gateway binary and nym-mixnode binary commands return the error message stating to update to nym-node
- Check that when adding the --force-run flag, it still allows the command to be run (aside from init, which has been removed) and the message stating to update to nym-node is a warning now
- Check nym-node is not affected
- Reviewed the changes in the PR
- Handle clients with different versions in IPR: Allow the IPR to handle clients connecting both using v6 and v7, independently. The motivation is that we want to be able to roll out an API version change gradually for VPN clients without breaking backwards compatibility. The main feature of the new v7 format, which is not yet used, is that it adds signatures for connect/disconnect.
Run the same command (using the same gateways deployed from this PR) on different versions of the nym-vpn-cli.
Example:
sudo -E ./nym-vpn-cli -c ../qa.env run --entry-gateway-id $entry_gateway --exit-gateway-id $exit_gateway --enable-two-hop
sudo -E ./nym-vpn-cli -c ../qa.env run --entry-gateway-id $entry_gateway --exit-gateway-id $exit_gateway --enable-two-hop
- Remove wireguard feature flag and pass runtime enabled flag
- Added explicit updateable admin to the mixnet contract
- Using legacy signing payload in CLI and verifying both variants in contract
- Check profit margin of node before defaulting to hardcoded value
- Update publish-nym-binaries.yml: Adds wireguard to builds
- Update ci-build-upload-binaries.yml: Adds wireguard for ci-builds
- Re-export RecipientFormattingError in nym sdk
- Feature/vesting purge plus ranged cost params: Combines #4715 and #4711 into one.
- Disables all non-essential operations on the vesting contract => you can no longer bond mixnodes/make delegations/etc. (you can still, however, withdraw your vested tokens and so on)
- Introduces admin-controlled minimum (and maximum) profit margin and interval operating costs.
- Both contracts have to be migrated at the same time, ideally within the same transaction.
- Mixnet contract migration is not allowed (and will fail) if there are any pending actions involving vesting tokens, like delegating, increasing pledge, etc.
- Bump braces from 3.0.2 to 3.0.3 in /nym-wallet/webdriver: Bumps braces from 3.0.2 to 3.0.3.
Bugfix
- Building all binaries is ok
- Running cargo fmt returns no issues
Tested updating an old nym-node version and ensuring it did not throw any errors.
- Fix tokio error in 1.39: Bump tokio to 1.39.2, skipping the issue with 1.39.1
- Fix (some) feature unification build failures: Running a script in the root workspace that builds each crate independently
#!/bin/bash
# Collect the name of every package in the workspace
packages=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[].name')
# Loop through each package and build
for package in $packages; do
    echo "Building $package"
    cargo clean
    # Stop at the first crate that fails to build on its own
    if ! cargo check -p "$package"; then
        echo "Build failed for $package. Stopping."
        exit 1
    fi
done
- bugfix: make sure DKG parses data out of events if logs are empty: This will be the case on post 0.50 chains
- Fix clippy on rustc beta toolchain: Fix clippy warnings for rust beta toolchain
- Fix clippy for beta toolchain: Fix beta toolchain clippy by removing unused module
- Add nym- prefix to serde-common crate
- Remove ignored default-features = false attribute for workspace dependency
Crypto
Operators Guide, Tooling & Updates
- More explicit setup for nym-node with a new option explanation, including syntax examples
- Wireguard builds from source together with nym-node, no need to specify with a feature flag anymore
- Wireguard peers stay connected for a longer time, re-connections are also faster
- Profit margin and operating cost values are set to the values agreed by the operators' off-chain vote, the values can be changed in the future through the Nym Operators governance process
Minimum profit margin = 20%
Maximum profit margin = 50%
Minimum operating cost = 0 NYM
Maximum operating cost = 1000 NYM
- Nym Harbourmaster has several new functionalities:
- Version counting graph for Gateways and Mixnodes
- Several new columns with larger nodes performance and settings overview.
- Top routing score now includes:
- Wireguard registration and complete handshake test, to configure see tasklist below
- DNS resolution check, to configure see tasklist below
- Wireguard performance bigger than 0.75, to configure see tasklist below
- New Nym Wallet is out!
- Vesting contract functionalities have been purged, users can only remove tokens from vesting
- Migrating from mixnode or gateway smart contracts to a new unifying nym-node smart contract will be available soon using Nym desktop wallet, just like you are used to for bonding and node settings. After this migration all nym-nodes will be able to receive delegation and rewards. We will share a step by step guide once this migration is deployed. No action needed now.
- Nym API Check CLI is upgraded according to the latest API endpoints, output is cleaner and more concise.
Operators Tasks
The steps below are highly recommended for all operators and mandatory for everyone who is a part of Nym Delegation or Grant program. Deadline is Friday, September 20th, 2024.
Every nym-node should be upgraded to the latest version! Operators can test using Sandbox env during the pre-release period, then upgrade on mainnet. During the upgrade, please follow the points below before you restart the node:
nym-node
- Make sure to fill in basic description info in the file located at .nym/nym-nodes/<ID>/data/description.toml (all nodes)
- Configure wireguard routing with the new network_tunnel_manager.sh following these steps (Gateways only for the time being)
- Enable Wireguard with the --wireguard-enabled true flag included in your run command (Gateways only for the time being)
- Note: On some VPS this setup may not be enough to get the correct results, as some ISPs have their own security groups set up below the individual VPS. In that case a ticket to the ISP will have to be issued to open the needed settings. We are working on a template for such a ticket.
- Set up reverse proxy and WSS on nym-node (Gateways only for the time being)
- Don't forget to restart your node - or (preferably using systemd automation) reload the daemon and restart the service
- Optional: Use nym-gateway-probe and NymVPN CLI to test your own Gateway
- Optional: Run the script below to measure the ping speed of your Gateway and share your results in the Nym Operators channel
We made a script for pinging nymtech.net from your GWs. Can you please install it and then share the result together with your Gateway ID:
- Get the script onto your machine (soon on github for curl or wget):
# paste all this block as one command
cat <<'EOL' > ping_with_curl_average_for_wg_check.sh
#!/bin/bash
ping_with_curl_average_for_wg_check() {
    total_connect_time=0
    total_total_time=0
    iterations=5
    timeout=2
    for ((i=1; i<=iterations; i++)); do
        echo "ping attempt $i..."
        echo "curling nymtech.net to check ping response times"
        # HEAD request only; curl prints the timings in key=value form
        times=$(curl -I https://nymtech.net --max-time $timeout \
            -w "time_connect=%{time_connect}\ntime_total=%{time_total}" -o /dev/null -s)
        time_connect=$(echo "$times" | grep "time_connect" | cut -d"=" -f2)
        time_total=$(echo "$times" | grep "time_total" | cut -d"=" -f2)
        total_connect_time=$(echo "$total_connect_time + $time_connect" | bc)
        total_total_time=$(echo "$total_total_time + $time_total" | bc)
        echo "time to connect: $time_connect s"
        echo "total time: $time_total s"
    done
    # Average over all iterations, three decimal places
    average_connect_time=$(echo "scale=3; $total_connect_time / $iterations" | bc)
    average_total_time=$(echo "scale=3; $total_total_time / $iterations" | bc)
    echo "-----------------------------------"
    echo "average time to connect: $average_connect_time s"
    echo "average total time: $average_total_time s"
}
ping_with_curl_average_for_wg_check
EOL
- Make executable:
chmod +x ping_with_curl_average_for_wg_check.sh
- In case you don't have bc, install it:
sudo apt install bc
- Run:
./ping_with_curl_average_for_wg_check.sh
- Share results and ID key in Nym Operators channel
THANK YOU!
validators
- Validators need to update and prepare for ecash implementation.
Known Bugs & Undone features
- New nym-nodes without a performance 24h history above 50% don't show routing properly on nym-gateway-probe, on Nym Harbourmaster the page may appear blank - we are working on a fix.
- Wireguard works on IPv4 only for the time being, we are working on IPv6 implementation.
- Harbourmaster Role column shows nym-node --mode exit-gateway as EntryGateway, we are working to fix it.
- On rare occasions Harbourmaster shows only "panda" without the "smiley" badge even for nodes which have T&C's accepted. We are working to fix it.
- Sometimes nym-node running with --wireguard-enabled true gives this error on restart: Serialized netlink packet .. larger than maximum size ..
/home/ubuntu/.cargo/registry/src/index.crates.io-6f17d22bba15001f/defguard_wireguard_rs-0.4.2/src/netlink.rs:155: Serialized netlink packet (23240 bytes) larger than maximum size 12288: NetlinkMessage.
From what we found out, it seems that one of our dependencies, DefGuard, is failing. Based on our reading of their fix, it seems that when node operators try to re-create a wireguard interface with too many previous peers (like on Gateway restart, with restoring from storage), there's an overflow. So their fix is to just add them one by one. To be sure that bumping the dependency version fixes the problem, there are still two things we'd need to check - and your feedback would help us a lot:
- Did operators only encounter this error after a nym-node (Gateway) restart?
- Reproduce this error ourselves and see if it actually fixes our problem.
Please share your experience with us to help us fix this issue faster.
v2024.9-topdeck
- Release binaries
- Release CHANGELOG.md
nym-node version 1.1.6
- chore: fix 1.80 lint issues (#4731)
- Handle clients with different versions in IPR (#4723)
- Add 1GB/day/user bandwidth cap (#4717)
- Feature/merge back (#4710)
- removed mixnode/gateway config migration code and disabled cli without explicit flag (#4706)
Features
- Removed nym-mixnode and nym-gateway config migration code and disabled CLI without explicit flag: Gateway and Mixnode commands now won't do anything without an explicit --force-run to bypass the deprecation; instead they will tell an operator to run a nym-node. The next step, in say a month or so, is to completely remove all cli related things.
- Verify that the nym-gateway binary and nym-mixnode binary commands return the error message stating to update to nym-node
- Check that when adding the --force-run flag, it still allows the command to be run (aside from init, which has been removed) and the message stating to update to nym-node is a warning now
- Check nym-node is not affected
- Review the changes in the PR
Scenario 1: Bandwidth Decreasing Continuously
- Start the client and note the initial bandwidth (e.g., 1GB).
- Use the client and track bandwidth usage over time (e.g., decrease by 100MB every hour).
- Restart the client after some usage.
- Verify the bandwidth continued from the last recorded value, not reset.
Notes: The bandwidth continued decreasing without resetting upon restart. Logs and reports correctly reflected the decreasing bandwidth.
Scenario 2: Bandwidth Reset Next Day
- Use the client normally until the end of the day.
- Suspend some clients and keep others active.
- Check bandwidth at midnight.
- Verify that bandwidth reset to 1GB for both suspended and active clients.
Notes: Bandwidth reset to 1GB for all clients at midnight. Logs and reports correctly showed the reset.
Scenario 3: Bandwidth Reset at a Different Time (e.g., Midday)
- Configure the system to reset bandwidth at midday.
- Use the client and monitor bandwidth until midday.
- Keep the client connected during the reset time.
- Verify that bandwidth reset to 1GB live at midday.
Notes: Bandwidth reset to 1GB at midday while the client was connected. Logs and reports correctly reflected the reset.
- Handle clients with different versions in IPR: Allow the IPR to handle clients connecting both using v6 and v7, independently. The motivation is that we want to be able to roll out an API version change gradually for NymVPN clients without breaking backwards compatibility. The main feature of the new v7 format, which is not yet used, is that it adds signatures for connect/disconnect.
Run the same command (using the same gateways deployed from this PR) on different versions of the nym-vpn-cli.
Example:
sudo -E ./nym-vpn-cli -c ../qa.env run --entry-gateway-id $entry_gateway --exit-gateway-id $exit_gateway --enable-two-hop
sudo -E ./nym-vpn-cli -c ../qa.env run --entry-gateway-id $entry_gateway --exit-gateway-id $exit_gateway --enable-two-hop
Bugfix
- Feature/merge back: Merge back from the release branch the changes that fix the nym-node upgrades.
- Fix version 1.x.x not having template correspondent initially: This should fix the problem of config deserialisation when operators upgrade nodes and skip over multiple versions.
- Tested updating an old nym-node version and ensuring it did not throw any errors.
- Building all binaries is ok
- Running cargo fmt returns no issues
Operators Guide updates
- WireGuard tunnel configuration guide for nym-node (currently Gateways functionalities). For simplicity we made a detailed step by step guide to upgrade an existing nym-node to the latest version and configure your VPS routing for WireGuard. Open by clicking on the example block below.
Prerequisites
- Nym Node Version: You must be running the 2024.9-topdeck release branch, which operates as nym-node version 1.1.6. You can find the release here: Nym 2024.9-topdeck Release.
- Important: Before proceeding, make sure to back up your current nym-node configuration to avoid any potential data loss or issues.
- Download Nym Node:
- You can download the nym-node binary directly using the following command:
curl -L https://github.com/nymtech/nym/releases/download/nym-binaries-v2024.9-topdeck/nym-node -o nym-node && chmod u+x nym-node
Step 1: Update UFW Firewall Rules
- Warning: Enabling the firewall with UFW without allowing SSH port 22 first will lead to losing access over SSH. Make sure port 22 is allowed before proceeding with any UFW configurations.
Run the following as root or with the sudo prefix:
- Check the current status of UFW (Uncomplicated Firewall):
ufw status
- Ensure that the following ports are allowed on your machine before adding the WireGuard port:
ufw allow 22/tcp # SSH - you're in control of these ports
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS
ufw allow 1789/tcp # Nym specific
ufw allow 1790/tcp # Nym specific
ufw allow 8080/tcp # Nym specific - nym-node-api
ufw allow 9000/tcp # Nym Specific - clients port
ufw allow 9001/tcp # Nym specific - wss port
ufw allow 51822/udp # WireGuard
- Confirm that the UFW rules have been updated:
ufw status
Step 2: Download and Prepare the Network Tunnel Manager Script
- Download the network_tunnel_manager.sh script:
# use the raw file URL; the github.com/.../blob/... page URL returns an HTML page, not the script
curl -L -o network_tunnel_manager.sh https://raw.githubusercontent.com/nymtech/nym/develop/scripts/network_tunnel_manager.sh
- Make the script executable:
chmod u+x network_tunnel_manager.sh
- Apply the WireGuard IPTables rules:
./network_tunnel_manager.sh apply_iptables_rules_wg
Step 3: Update the Nym Node Service File
- Modify your nym-node service file to enable WireGuard. Open the file (usually located at /etc/systemd/system/nym-node.service) and update the [Service] section as follows:
[Service]
User=<YOUR_USER_NAME>
Type=simple
#Environment=RUST_LOG=debug
# CHANGE PATH IF YOU DON'T RUN IT FROM ROOT HOME DIRECTORY
ExecStart=/root/nym-node run --mode exit-gateway --id <YOUR_NODE_LOCAL_ID> --accept-operator-terms-and-conditions --wireguard-enabled true
Restart=on-failure
RestartSec=30
StartLimitInterval=350
StartLimitBurst=10
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
# ADD OR TWEAK ANY CUSTOM SETTINGS
- Reload the systemd daemon to apply the changes:
systemctl daemon-reload
- Restart the nym-node service:
systemctl restart nym-node.service
- Optionally, you can check if the node is running correctly by monitoring the service logs:
journalctl -u nym-node.service -f -n 100
Step 4: Run the Network Tunnel Manager Script
Finally, run the following command to initiate our favorite routing test - run the joke through the WireGuard tunnel:
./network_tunnel_manager.sh joke_through_wg_tunnel
- Note: Wireguard will return only IPv4 joke, not IPv6. WG IPv6 is under development. Running IPR joke through the mixnet with ./network_tunnel_manager.sh joke_through_the_mixnet should work with both IPv4 and IPv6!
- Change --wireguard-enabled flag to true: With a proper routing configuration nym-nodes running as Gateways can now enable WG. See the example below:
For Exit Gateway:
./nym-node run --id <ID> --mode exit-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname <HOSTNAME> --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --location <LOCATION> --accept-operator-terms-and-conditions --wireguard-enabled true
# wireguard can be enabled from version 1.1.6 onwards
For Entry Gateway:
./nym-node run --id <ID> --mode entry-gateway --public-ips "$(curl -4 https://ifconfig.me)" --hostname <HOSTNAME> --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --accept-operator-terms-and-conditions --wireguard-enabled true
# wireguard can be enabled from version 1.1.6 onwards
- Update Nym exit policy: Based on the survey, AMA and following discussions we added several ports to Nym exit policy. The ports voted upon in the forum governance have not been added yet due to the concerns raised. These ports were unrestricted:
22 # SSH
123 # NTP
445 # SMB file share Windows
465 # URD for SSM
587 # SMTP
853 # DNS over TLS
1433 # databases
1521 # databases
2049 # NFS
3074 # Xbox Live
3306 # databases
5000-5005 # RTP / VoIP
5432 # databases
6543 # databases
8080 # HTTP Proxies
8767 # TeamSpeak
8883 # Secure MQ Telemetry Transport - MQTT over SSL
9053 # Tari
9339 # gaming
9443 # alternative HTTPS
9735 # Lightning
25565 # Minecraft
27000-27050 # Steam and game servers
60000-61000 # MOSH
- Create a NymConnect archive page, PR #4750: Archive deprecated NymConnect for backward compatibility, show PEApps examples for both NC and maintained nym-socks5-client.
- Fix broken URLs and correct redirection. PRs: #4745, #4752, #4755, #4737
- Use deadlinkchecker.com to go over nymtech.net and correct all docs URLs
- Go over search engines and old medium articles and check that all dead URLs are re-directing correctly
- Clarify syntax on nym-nodes ports on VPS setup page, PR #4734: Make crystal clear that the addresses and ports in the operator's config.toml must be opened using ufw and set up as in the example below:
[host]
public_ips = [
'<PUBLIC_IP>'
]
[mixnet]
bind_address = '0.0.0.0:1789'
[http]
bind_address = '0.0.0.0:8080'
[mixnode]
[mixnode.verloc]
bind_address = '0.0.0.0:1790'
[entry_gateway]
bind_address = '0.0.0.0:9000'
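An added example (not part of the Nym documentation or tooling): a POSIX shell check that pulls every bind_address port out of a node's config.toml and lists those with no matching ALLOW rule in saved ufw status output, tying together the UFW rules from Step 1 and the config block above. The function names and the sample config and ufw output are constructed for illustration; port ranges and interface-specific rules are not handled.

```shell
#!/bin/sh
# Added example: cross-check nym-node bind ports against saved `ufw status` output.
# Function names and sample data are constructed for illustration.

# Print the unique ports found in bind_address lines of a config.toml.
config_bind_ports() {
    sed -n "s/^[[:space:]]*bind_address[[:space:]]*=[[:space:]]*['\"][^'\"]*:\([0-9][0-9]*\)['\"].*/\1/p" "$1" | sort -un
}

# Succeed if the ufw status text has an IPv4 ALLOW rule for PORT or PORT/tcp.
# DENY/LIMIT rules, udp-only rules and "(v6)" rows do not count.
ufw_allows_tcp() {
    awk -v p="$1" '
        $2 == "ALLOW" && ($1 == p || $1 == (p "/tcp")) { found = 1 }
        END { exit !found }
    ' "$2"
}

# Print every bind port that has no ALLOW rule.
# Returns 0 if all are allowed, 1 if any is missing, 2 if ufw is not active.
missing_ufw_ports() {
    if ! grep -q '^Status: active' "$2"; then
        echo "ufw is not active: no rule in this file is being enforced" >&2
        return 2
    fi
    mup_missing=0
    for mup_port in $(config_bind_ports "$1"); do
        if ! ufw_allows_tcp "$mup_port" "$2"; then
            echo "$mup_port"
            mup_missing=1
        fi
    done
    return "$mup_missing"
}

# Write constructed sample inputs into directory $1.
write_samples() {
    cat > "$1/config.toml" <<'EOF'
[host]
public_ips = [
'203.0.113.10'
]
[mixnet]
bind_address = '0.0.0.0:1789'
[http]
bind_address = '0.0.0.0:8080'
[mixnode]
[mixnode.verloc]
bind_address = '0.0.0.0:1790'
[entry_gateway]
bind_address = '0.0.0.0:9000'
EOF
    cat > "$1/ufw_status.txt" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
1789/tcp                   ALLOW       Anywhere
8080                       ALLOW       Anywhere
9000/tcp                   DENY        Anywhere
51822/udp                  ALLOW       Anywhere
1789/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# Demo on the constructed samples: 1790 has no rule, 9000 is denied.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "bind ports with no ufw ALLOW rule:"
missing_ufw_ports "$demo_dir/config.toml" "$demo_dir/ufw_status.txt" || true
rm -rf "$demo_dir"
```

On a live node, save the output of ufw status to a file and pass it together with the node's config.toml to missing_ufw_ports.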
Tooling
- Nym Harbourmaster now has several new functionalities:
- Tab for Mixnodes
- Tab with Charts
- New columns with: Moniker (node description), DP delegatee, Accepted T&Cs - also part of a new category 🐼😀
- Nym has a new Token page
v2024.8-wispa
- Release binaries
- Release CHANGELOG.md
nym-node version 1.1.5
- add event parsing to support cosmos_sdk to 0.50 (#4697)
- Fix NR config compatibility (#4690)
- Remove UserAgent constructor since it's weakly typed (#4689)
- [bugfix]: Node_api_check CLI looked over roles on blacklisted nodes (#4687)
- Add mixnodes to self describing api cache (#4684)
- Move and whole bump of crates to workspace and upgrade some (#4680)
- Remove code that refers to removed nym-network-statistics (#4679)
- Remove nym-network-statistics (#4678)
- Create UserAgent that can be passed from the binary to the nym api client (#4677)
- Add authenticator (#4667)
Features
- Default construct NodeRole: To preserve compatibility with newer clients interacting with older nym-api
- Reviewed the changes in the nym-api-requests/src/models.rs file.
- Verified that the NymNodeDescription struct includes the new role field with a default value set by default_node_role.
- Checked the implementation of the default_node_role function to ensure it returns NodeRole::Inactive.
- Ran the updated code in the sandbox environment.
- Monitored the sandbox environment for any issues or errors related to the changes.
Notes (if any):
The test was successful. No issues were flagged during the testing in the sandbox environment. The new default value for NodeRole ensures backward compatibility without causing disruptions.
- Default construct NodeRole for backwards compatibility (apply #4721 on develop): https://github.com/nymtech/nym/pull/4722
- Add upgrades to nym-node for authenticator changes
- Reviewed the changes in the gateway/src/error.rs and gateway/src/node/mod.rs files.
- Verified the new error enum AuthenticatorStartupFailure was added to GatewayError.
- Confirmed the implementation of the StartedAuthenticator struct and its usage in the start_authenticator function.
- Ran the updated code in the canary environment.
- Monitored the canary environment for any issues or errors related to the changes.
- Reviewed the changes in common/client-libs/validator-client/src/nyxd/cosmwasm_client/client_traits/signing_client.rs, logs.rs, types.rs, and nym-api/src/coconut/tests/mod.rs files.
- Verified the addition of event parsing in the relevant functions and structs.
- Ensured that the find_attribute function correctly parses event attributes.
- Ran the updated code in the sandbox environment.
- Broadcasted transactions on the sandbox network to test the changes.
- Monitored the sandbox network for any malformed responses or errors after the test chain upgrade.
- Send bandwidth status messages when connecting: When connecting to the gateway we receive the available bandwidth left. Emit a status message for this, for consumption by the application layer.
- Reviewed the changes in common/bandwidth-controller/src/event.rs, common/bandwidth-controller/src/lib.rs, and common/client-libs/gateway-client/src/client.rs files.
- Verified the implementation of BandwidthStatusMessage enum for emitting status messages.
- Ensured GatewayClient is updated to send bandwidth status messages when connecting.
- Deployed the updated code on the canary environment.
- Connected to the gateway and checked for the emission of bandwidth status messages.
- Verified that the messages were correctly parsed and consumed by the application layer.
- Ran the VPN client to observe the parsed events.
- Fix NR config compatibility: Recently we deleted the old statistics service provider. This fixes some issues where old configs didn't work with the latest changes.
- Make NR able to read config with old keys in
- Remove deleted config keys from NR template
- Reviewed the changes in the service-providers/network-requester/src/config/mod.rs and service-providers/network-requester/src/config/template.rs files.
- Ensured NetworkRequester config is able to read old keys for compatibility.
- Removed old and deleted config keys from the NetworkRequester template.
- Compiled the project to verify no issues or warnings appeared.
- Ran all tests to ensure that the changes did not affect the functionality.
- Validated that no leftover code from the old statistics service provider caused any issues.
- Reviewed the changes in common/http-api-client/src/user_agent.rs file.
- Verified the removal of the UserAgent constructor and ensured that all instances of UserAgent::new are updated accordingly.
- Checked the implementation of UserAgent struct using BinaryBuildInformation and BinaryBuildInformationOwned.
- Deployed the updated code across different environments (QA, sandbox, and canary).
- Ran tests to ensure that the UserAgent struct functions correctly without the constructor.
- Add mixnodes to self describing api cache:
- Abstracts getting the self describing info a bit
- Adds mixnodes to the cache refresher as well
- Adds role field to the NodeDescription struct, to be able to distinguish between mixnodes and gateways
- Switched to using NodeStatusCache instead of ContractCache
Called the new /mixnodes/described endpoint as well as the existing /gateways/described endpoint and verified that the data returned for each was correct based on the settings that different nodes have when they are set up.
For the gateway endpoint, the "role" for now does not differentiate between entry and exit gateways, this will be implemented in the future.
- Move and whole bump of crates to workspace and upgrade some:
- Fix cargo warning for default_features
- Move dirs 4.0 to workspace
- Use workspace base64 dep
- Move rand_chacha and x25519-dalek to workspace
- Use workspace ed25519-dalek dep
- Move itertools to workspace deps and upgrade
- Move a few partial deps to workspace while preserving versions
- Reviewed the changes to move and upgrade crates to the workspace.
- Verified the updated dependencies:
- Moved dirs to version 4.0 in the workspace.
- Updated the base64 dependency to use the workspace version.
- Moved rand_chacha and x25519-dalek to the workspace.
- Updated ed25519-dalek to use the workspace version.
- Moved and upgraded itertools in the workspace.
- Moved other partial dependencies to the workspace while preserving their versions.
- Ensured the Cargo.toml files across the project reflect these changes correctly.
- Compiled the entire project to check for any issues or warnings.
- Verified that all tests pass successfully after the changes.
- Remove nym-network-statistics: Remove nym-network-statistics service provider that is no longer used.
- Reviewed the project to identify all references to nym-network-statistics.
- Removed all code and dependencies associated with nym-network-statistics.
- Ensured that no references to nym-network-statistics remain in the codebase, including comments, imports, and configuration files.
- Compiled the project to check for any issues or warnings.
- Ran all tests to ensure the removal did not affect the functionality of the project.
- Remove code that refers to removed nym-network-statistics: Follow up to #4678 where all code interacting with it is removed.
- Reviewed the project to identify all references to nym-network-statistics.
- Removed all code and dependencies associated with nym-network-statistics.
- Ensured that no references to nym-network-statistics remain in the codebase, including comments, imports, and configuration files.
- Compiled the project to check for any issues or warnings.
- Ran all tests to ensure the removal did not affect the functionality of the project.
- Create `UserAgent` that can be passed from the binary to the `nym-api` client:
  - Support setting `UserAgent` for the validator client
  - Support setting `UserAgent` in the SDK `MixnetClient`
  - Set `UserAgent` when getting the list of gateways and topology in
    - `nym-client`
    - `nym-socks5-client`
    - Standalone `ip-packet-router`

  Used the nym-vpn-cli to test this, and we can visibly see the `UserAgent`, no issues with the comments mentioned above.
  Example of the user agent sent: `nym-client/1.1.36/x86_64-unknown-linux-gnu/e18bb70`
  Connected with no problems
Bugfix
- `Node_api_check.py` CLI looked over roles on blacklisted nodes: Removing/correcting this redundant function, which results in an unwanted error print, means the program no longer looks up the `roles` endpoint for blacklisted GWs; it instead ignores the role description and still returns all other endpoints.
Operators Guide updates
- Create a guide to backup and restore `nym-node`, PR #4720
- Add manual IPv6 ifup/down network configuration, PR #4651
- Extend ISP list
- Add SSL cert bot block to WSS setup, PR here: WSS setup fully works!
- Correct `HTTP API port` in bonding page, PR #4707: Change `HTTP API port` to `8080` on every `nym-node` by opening `config.toml` and making sure that your binding addresses and ports are as in the block below. Then go to desktop wallet and open the box called `Show advanced options` and make sure all your ports are set correctly (usually this means to change `HTTP api port` to `8080` for `mixnode` mode).
```toml
[host]
public_ips = [
'<PUBLIC_IP>'
]

[mixnet]
bind_address = '0.0.0.0:1789'

[http]
bind_address = '0.0.0.0:8080'

[mixnode]
[mixnode.verloc]
bind_address = '0.0.0.0:1790'

[entry_gateway]
bind_address = '0.0.0.0:9000'
```
- Comment our deprecated node pages in `/docs`
- Remove redundant syntax from the setup guide
v2024.7-doubledecker
- Release binaries
- Release CHANGELOG.md
- `nym-node` version `1.1.4`
- Add an early return in `parse_raw_str_logs` for empty raw log strings. (#4686)
- Bump braces from 3.0.2 to 3.0.3 in /wasm/mix-fetch/internal-dev (#4672)
- add expiry returned on import (#4670)
- [bugfix] missing rustls feature (#4666)
- Bump ws from 8.13.0 to 8.17.1 in /wasm/client/internal-dev-node (#4665)
- Bump braces from 3.0.2 to 3.0.3 in /clients/native/examples/js-examples/websocket (#4663)
- Bump ws from 8.14.2 to 8.17.1 in /sdk/typescript/packages/nodejs-client (#4662)
- Update setup.md (#4661)
- New clippy lints (#4660)
- Bump braces from 3.0.2 to 3.0.3 in /nym-api/tests (#4659)
- Bump braces from 3.0.2 to 3.0.3 in /docker/typescript_client/upload_contract (#4658)
- Update vps-setup.md (#4656)
- Update configuration.md (#4655)
- Remove old PR template (#4639)
Features
- Remove the `nym-mixnode` and `nym-gateway` binaries from the CI upload builds action
- Add an early return in `parse_raw_str_logs` for empty raw log strings: This accommodates for the v50 + chain upgrade.
- Bump braces from `3.0.2` to `3.0.3` in `/wasm/mix-fetch/internal-dev`: Version update of braces
- Bump braces from `3.0.2` to `3.0.3` in `/clients/native/examples/js-examples/websocket`: Version update of braces.
- Bump braces from `3.0.2` to `3.0.3` in `/nym-api/tests`: Version update of braces.
- Bump braces from `3.0.2` to `3.0.3` in `/docker/typescript_client/upload_contract`: Version update of braces.
- Bump `ws` from `8.13.0` to `8.17.1` in `/wasm/client/internal-dev-node`: Version update of `ws`.
- Bump `ws` from `8.14.2` to `8.17.1` in `/sdk/typescript/packages/nodejs-client`: Version update of `ws`.
- Add expiry returned on import: We need to return the expiry on import for desktop daemon `nym-vpnd`.
- New clippy lints
- Remove `nym-connect` directory: Since the `nym-vpn` has superseded `nym-connect`, remove `nym-connect` from the repo.
- Remove old PR template
Bugfix
- missing rustls feature: It just happens to work due to `feature-unification`. It should probably have this feature inbuilt.
Operators Guide updates
- Node description guide: Steps to add self-description to `nym-node` and query this information from any node.
- Web Secure Socket (WSS) guide and reverse proxy update, PR here: A guide to set up `nym-node` in a secure fashion, using WSS via Nginx and Certbot. Landing page (reverse proxy) is updated and simplified.
v2024.6-chomp
- Release binaries
- Release CHANGELOG.md
- `nym-node` version `1.1.3`
- Standalone `nym-gateway` and `nym-mixnode` binaries are no longer released
- Remove additional code as part of Ephemera Purge and SP and contracts (#4650)
- bugfix: make sure nym-api can handle non-cw2 (or without detailed build info) compliant contracts (#4648)
- introduced a flag to accept toc and exposed it via self-described API (#4647)
- bugfix: make sure to return an error on invalid public ip (#4646)
- Add ci check for PR having an assigned milestone (#4644)
- Removed ephemera code (#4642)
- Remove stale peers (#4640)
- Add generic wg private network routing (#4636)
- Feature/new node endpoints (#4635)
- standardised ContractBuildInformation and added it to all contracts (#4631)
- validate nym-node public ips on startup (#4630)
- Bump defguard wg (#4625)
- Fix cargo warnings (#4624)
- Update kernel peers on peer modification (#4622)
- Handle v6 and v7 requests in the IPR, but reply with v6 (#4620)
- fix typo (#4619)
- Update crypto and rand crates (#4607)
- Purge name service and service provider directory contracts (#4603)
Features
- Make embedded NR/IPR ignore performance of the Gateway: fixes bug in relation to scoring issue on nym-nodes operating as exit gateways failing to come online.
- Introduce a flag to accept Operators Terms and Conditions and exposed it via self-described API
  - Verify that the `execute` function correctly checks if the `accept_operator_terms` flag is set.
  - Test that a warning is displayed when the `accept_operator_terms` flag is not set.
  - Confirm that the `NymNode` instance is initialized with `with_accepted_toc(accepted_toc)` when the flag is set.
  - Apply the `--accept-toc` flag in the service and confirmed the change by running:

```sh
curl -s -X 'GET' 'http://18.171.251.41:8080/api/v1/auxiliary-details?output=json' -H 'accept: application/json' | jq .accepted_toc
```

  - Verify that the output is `true`.
- Rename 'accept-toc' flag and fields into explicit 'accept-operator-terms-and-conditions': makes the `accept-toc` flag more explicit.
- Validate nym-node public ips on startup: makes sure `nym-node` is not run with an empty `public_ips` and that they do not correspond to common misconfigurations like `127.0.0.1` or `0.0.0.0` unless run with `--local` flag.
  - Use the latest release/chomp binary with nym-node and input a dodgy ip
  - Validation: When restarting the node it complains within the service launch file
- New node endpoints: introduces new endpoints on nym-api (and creates scaffolding for additional ones) for providing unfiltered network topology alongside performance score of all nodes.
  - `NymApiTopologyProvider` got modified to use those endpoints alongside (configurable) filtering of nodes with score < 50% (like our current blacklist)
  - Old clients should work as before as no existing endpoint got removed
  - Validate that the `skimmed` endpoints are working, keeping in mind that they are unstable. The full-fat and semi-skimmed have not yet been implemented.
- Check references to everything named SP and Ephemera and removed any additional references
- Remove additional code as part of Ephemera Purge and SP and contracts: in line with #4642 and #4603
  - Check references to everything named SP and Ephemera and removed any additional references
- Add ci check for PR having an assigned milestone: add a CI check for checking that a PR is assigned to a milestone. The check can be bypassed by adding a `no-milestone` label to a PR
  - CI complains if no milestone is associated with an issue.
- Bump defguard wireguard
- Add generic wireguard private network routing: as defguard wireguard only allows for peer routing modifications, we will configure the entire wireguard private network to be routed to the wg device. Configuring per peer is also not desirable, as the interface doesn't allow removing routes, so unused ip routing won't be cleaned until gateway restart (and it would also pollute the routing table with a lot of rules when many peers are added).
  - This is a part of a bigger ticket, but initial testing has shown that launching nym-nodes (entry and exit gateways) in WG enabled mode works. QA will use this template for the other related WG tickets in this release milestone.
- Standardise `ContractBuildInformation` and add it to all contracts: Similarly to `cw2`, we're now saving `ContractBuildInformation` under a constant storage key, i.e. `b"contract_build_info"`, that standardises the retrieval by nym-api.
  - Also each of our contracts now saves and updates that information upon init and migration.
  - Use the latest release/chomp contracts and deploy these to QA
  - Use the `nym-api` to query for the results of these new contracts

```sh
curl -X 'GET' \
'https://qa-nym-api.qa.nymte.ch/api/v1/network/nym-contracts-detailed' \
-H 'accept: application/json'
```

  - It returns a detailed view of the contracts and which branch they were built from, alongside rust versions and so forth.
  - This is a part of a bigger ticket, but initial testing has shown that launching nym-nodes (entry and exit gateways) in WG enabled mode works. QA will use this template for the other related WG tickets in this release milestone.
- Handle v6 and v7 requests in the IPR, but reply with v6: teach the IPR to read both v6 and v7 requests, but always reply with v6. This is to prepare for bumping to v7 and signed connect/disconnect messages. Follow up PRs will add
  - Verify signature
  - Send v7 in client with signatures included
- Purge name service and service provider directory contracts: this is a compiler assisted purge of the `nym-name-service` and `nym-service-provider-directory` contracts that were never deployed on mainnet, and will anyhow be superseded by the new mixnode directory that is being worked on.
  It works insofar that it compiles, we need to deploy and test this on non-mainnet before merging in
  - Purge `nym-name-service` contract
  - Purge `nym-name-service-common`
  - Purge `nym-service-provider-directory` contract
  - Purge `nym-service-provider-directory-common`
  - Remove everywhere name-service contract is used
  - Remove everywhere sp contract is used

  Performed:
  - Check references to everything named SP and Ephemera and removed any additional references
Crypto
- Update crypto and rand crates: Update sphinx crate to `0.1.1` along with 25519 crates and `rand` crates
  This PR contains a test failure due to the update here
  - This is due to a change in `x25519-dalek` from `1.1.1` to `2`.
  - Crypto operations should be identical, but the byte representation has changed (sphinx clamps at creation, x25519 clamps at use). This cannot be changed in the sphinx crate without breaking changes.
  - There is a good chance that this failure doesn't impact anything else, but it has to be tested to see.
  - A mix of old and new clients with a mix of old and new mixnodes should do
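The clamping difference described above, modelled as an added example (not code from the sphinx or `x25519-dalek` crates): two key types built from the same seed serialize to different bytes yet yield the same scalar, so key comparisons across versions should normalise first. The type names, `same_private_key` and the seed are assumptions made for illustration.

```rust
/// X25519 scalar clamping (RFC 7748): clear the low 3 bits, clear bit 255, set bit 254.
fn clamp(mut k: [u8; 32]) -> [u8; 32] {
    k[0] &= 0b1111_1000;
    k[31] &= 0b0111_1111;
    k[31] |= 0b0100_0000;
    k
}

/// Hypothetical model of a key type that clamps at creation:
/// the stored (and serialized) bytes are already clamped.
struct ClampedAtCreation([u8; 32]);

impl ClampedAtCreation {
    fn from_seed(seed: [u8; 32]) -> Self {
        Self(clamp(seed))
    }
    fn to_bytes(&self) -> [u8; 32] {
        self.0
    }
    fn scalar_for_dh(&self) -> [u8; 32] {
        self.0
    }
}

/// Hypothetical model of a key type that clamps at use:
/// the raw seed is stored and serialized, clamping happens only for the DH step.
struct ClampedAtUse([u8; 32]);

impl ClampedAtUse {
    fn from_seed(seed: [u8; 32]) -> Self {
        Self(seed)
    }
    fn to_bytes(&self) -> [u8; 32] {
        self.0
    }
    fn scalar_for_dh(&self) -> [u8; 32] {
        clamp(self.0)
    }
}

/// Compare two serialized private keys by the scalar they yield, not by raw bytes.
fn same_private_key(a: &[u8; 32], b: &[u8; 32]) -> bool {
    let (ca, cb) = (clamp(*a), clamp(*b));
    // OR-fold of XORs has no early exit; production code should use a vetted
    // constant-time comparison instead of this sketch.
    ca.iter().zip(cb.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Constructed seed with every bit set, so clamping visibly changes the
/// first and last byte.
fn sample_seed() -> [u8; 32] {
    [0xFF; 32]
}

fn main() {
    let seed = sample_seed();
    let at_creation = ClampedAtCreation::from_seed(seed);
    let at_use = ClampedAtUse::from_seed(seed);

    println!(
        "serialized bytes equal:  {}",
        at_creation.to_bytes() == at_use.to_bytes()
    );
    println!(
        "DH scalars equal:        {}",
        at_creation.scalar_for_dh() == at_use.scalar_for_dh()
    );
    println!(
        "equal after normalising: {}",
        same_private_key(&at_creation.to_bytes(), &at_use.to_bytes())
    );
}
```

A test that asserts byte-for-byte equality of serialized private keys fails across the two models even though the key agreement result is unchanged.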
Bugfix
- Make sure nym-api can handle non-cw2 (or without detailed build info) compliant contracts: fixes the issue (even if some contracts aren't uploaded on chain it doesn't prohibit the api from working - caveat, the essential vesting and mixnet contract are required)
  - Use the latest release/chomp contracts and deploy these to QA
  - If the contract was not found, the API would complain of invalid contracts, thus not starting the rest of the operations of the API (network monitor / rewarding etc)

```
Jun 11 16:27:34 qa-v2-nym-api bash[1352642]: 2024-06-11T16:27:34.551Z ERROR nym_api::nym_contract_cache::cache::refresher - Failed to refresh validator cache - Abci query failed with code 6 - address n14y2x8a60knc5jjfeztt84kw8x8l5pwdgnqg256v0p9v4p7t2q6eswxyusw: no such contract: unknown request
```
- Make sure to return an error on `nym-node` invalid public ip: bugfix for #4630 that interestingly hasn't been detected by clippy.
  - Use the latest release/chomp binary with nym-node and input a dodgy ip
  - Validation:
    - Verify that the `establish_connection` function correctly attempts to establish a connection to the gateway.
    - Test error handling for `NetworkConnectionFailed` by simulating a failed connection.
    - Ensure that the `NetworkConnectionFailed` error includes the `address` and `source` details as expected.
    - Checked that `SocketState::Available` is set correctly when a connection is successfully established.
- Fix Cargo warnings: On every cargo command we get this set of warnings:

```
warning: /home/alice/src/nym/nym/common/dkg/Cargo.toml: `default-features` is ignored for bls12_381, since `default-features` was not specified for `workspace.dependencies.bls12_381`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/dkg/Cargo.toml: `default-features` is ignored for ff, since `default-features` was not specified for `workspace.dependencies.ff`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/dkg/Cargo.toml: `default-features` is ignored for group, since `default-features` was not specified for `workspace.dependencies.group`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/client-libs/validator-client/Cargo.toml: `default-features` is ignored for bip32, since `default-features` was not specified for `workspace.dependencies.bip32`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/client-libs/validator-client/Cargo.toml: `default-features` is ignored for prost, since `default-features` was not specified for `workspace.dependencies.prost`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/credentials-interface/Cargo.toml: `default-features` is ignored for bls12_381, since `default-features` was not specified for `workspace.dependencies.bls12_381`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/credentials/Cargo.toml: `default-features` is ignored for bls12_381, since `default-features` was not specified for `workspace.dependencies.bls12_381`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/nymcoconut/Cargo.toml: `default-features` is ignored for bls12_381, since `default-features` was not specified for `workspace.dependencies.bls12_381`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/nymcoconut/Cargo.toml: `default-features` is ignored for ff, since `default-features` was not specified for `workspace.dependencies.ff`, this could become a hard error in the future
warning: /home/alice/src/nym/nym/common/nymcoconut/Cargo.toml: `default-features` is ignored for group, since `default-features` was not specified for `workspace.dependencies.group`, this could become a hard error in the future.
```

  - This PR adds `default-features = false` to the workspace dependencies to fix these. An alternative way would be to remove `default-features = false` in the crates, but we assume these were put there for a good reason. Also we might have other crates outside of the main workspace that depend on these crates having default features disabled.
  - We also have the warning `warning: profile package spec nym-wasm-sdk in profile release did not match any packages` which we fix by commenting out the profile settings, since the crate is currently commented out in the workspace crate list.
  - All binaries have been built and deployed from this branch and no issues have surfaced.
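The `public_ips` startup validation from the "Validate nym-node public ips on startup" feature and its follow-up bugfix above, sketched as an added example (not the `nym-node` implementation). The names `validate_public_ips` and `PublicIpError`, the rejection of an empty list even with `--local`, and the handling of IPv4-mapped IPv6 addresses are assumptions that go beyond what the entries state.

```rust
use std::fmt;
use std::net::IpAddr;

/// Reasons a configured `public_ips` list is refused at startup (hypothetical type).
#[derive(Debug, PartialEq)]
enum PublicIpError {
    Empty,
    Unparsable(String),
    Unspecified(IpAddr),
    Loopback(IpAddr),
}

impl fmt::Display for PublicIpError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Empty => write!(f, "public_ips is empty"),
            Self::Unparsable(s) => write!(f, "'{s}' is not an IP address"),
            Self::Unspecified(ip) => write!(f, "{ip} is the unspecified (bind-all) address"),
            Self::Loopback(ip) => write!(f, "{ip} is a loopback address"),
        }
    }
}

/// Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 checks also apply to it.
fn canonical(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map(IpAddr::V4).unwrap_or(ip),
        v4 => v4,
    }
}

/// Validate the `public_ips` entries; `local` models the `--local` flag.
/// The error is returned to the caller so that startup can abort on it.
fn validate_public_ips(raw: &[&str], local: bool) -> Result<Vec<IpAddr>, PublicIpError> {
    // Assumption: an empty list is refused even with `local`.
    if raw.is_empty() {
        return Err(PublicIpError::Empty);
    }
    let mut accepted = Vec::with_capacity(raw.len());
    for entry in raw {
        let ip: IpAddr = entry
            .trim()
            .parse()
            .map_err(|_| PublicIpError::Unparsable(entry.to_string()))?;
        if !local {
            let c = canonical(ip);
            if c.is_unspecified() {
                return Err(PublicIpError::Unspecified(ip));
            }
            if c.is_loopback() {
                return Err(PublicIpError::Loopback(ip));
            }
        }
        accepted.push(ip);
    }
    Ok(accepted)
}

fn report(ips: &[&str], local: bool) {
    match validate_public_ips(ips, local) {
        Ok(ok) => println!("{ips:?} local={local}: accepted {ok:?}"),
        Err(e) => println!("{ips:?} local={local}: refused, {e}"),
    }
}

fn main() {
    // Constructed sample configurations (documentation-range addresses).
    report(&["203.0.113.10", "2001:db8::1"], false);
    report(&[], false);
    report(&["0.0.0.0"], false);
    report(&["::ffff:127.0.0.1"], false);
    report(&["127.0.0.1"], true);
}
```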
Operators Guide updates
- New Release Cycle introduced: a transparent release flow, including:
  - New environments
  - Stable testnet
  - Testnet token faucet
  - Flow chart
- Sandbox testnet guide: teaching Nym node operators how to run their nodes in Nym Sandbox testnet environment.
- Terms & Conditions flag
- Node API Check CLI
- Pruning VPS `syslog` scripts
- Black-xit: Exiting the blacklist
v2024.5-ragusa
- Release binaries
- Release CHANGELOG.md
- `nym-node` version `1.1.2`
- Feature/nym node api location (#4605)
- Add optional signature to IPR request/response (#4604)
- Feature/unstable tested nodes endpoint (#4601)
- nym-api: make report/avg_uptime endpoints ignore blacklist (#4599)
- removed blocking for coconut in the final epoch state (#4598)
- allow using explicit admin address for issuing freepasses (#4595)
- Use rfc3339 for last_polled in described nym-api endpoint (#4591)
- Explicitly handle constraint unique violation when importing credential (#4588)
- [bugfix] noop flag for nym-api for nymvisor compatibility (#4586)
- Chore/additional helpers (#4585)
- Feature/wasm coconut (#4584)
- upgraded axum and related deps to the most recent version (#4573)
- Feature/nyxd scraper pruning (#4564)
- Run cargo autoinherit on the main workspace (#4553)
- Add rustls-tls to reqwest in validator-client (#4552)
- Feature/rewarder voucher issuance (#4548)
Features
- New `nym-node` API endpoint `/api/v1/auxiliary-details`: to expose any additional information. Currently it's just the location. `nym-api` will then query all nodes for that information and put it in the `self-described` endpoint.
- New `nym-node` location available - use one of the three options to add this to your node config:
  - Update the `location` field under `[host]` section of `config.toml`
  - For new nodes: Initialise the node with `--location` flag, where they have to provide the country info. Either full country name (e.g. 'Jamaica'), two-letter alpha2 (e.g. 'JM'), three-letter alpha3 (e.g. 'JAM') or three-digit numeric-3 (e.g. '388') can be provided.
  - For existing nodes: It's also possible to use exactly the same `--location` argument as above, but make sure to also provide `--write-changes` (or `-w`) flag to persist those changes!
- Feature/unstable tested nodes endpoint: Adds new data structures (`TestNode`, `TestRoute`, `PartialTestResult`) to handle test results for Mixnodes and Gateways. It includes pagination to handle large API responses efficiently. Lastly, it introduces a new route with the tag `unstable`, meaning it is not to be consumed without risk to the user: endpoints prefixed with unstable are what it says on the tin.
  - Deploy new api changes to sandbox environment
  - Ensure current operations are transactional and standard operations are working
  - Run a script to ensure that the new endpoints are working as expected with pagination
- `nym-api`: make report/avg_uptime endpoints ignore blacklist: When querying for node specific data, it's no longer going to go through the entire list of all cached (and filtered nodes) to find it; instead it will attempt to retrieve a single unfiltered entry.
  - Build the project and deployed it in a test environment.
  - Manually test API endpoints for mixnode and gateway data.
  - Verify that the endpoints return the expected data and handle blacklists correctly.
  - API performance improved due to the efficient `HashMap` lookups
  - Data in mainnet will differ from test nets due to the increased amount of gateways and mixnodes in that environment
  - Test standard uptime routes:

```sh
curl -X 'GET' 'https://validator.nymtech.net/api/v1/status/gateway/Fo4f4SQLdoyoGkFae5TpVhRVoXCF8UiypLVGtGjujVPf/avg_uptime' -H 'accept: application/json'
```
- Use rfc3339 for last_polled in described nym-api endpoint: Fix issue where the validator-client can't parse the nym-api response for the described endpoint, in particular the `latest_polled` field that was recently added, by making the field use `rfc3339`
  - Note: This will require upgrading `nym-api` and everything that depends on the described endpoint.
  - Update a `nym-api` to the binary built from this branch, then restart the api
  - Check the `journalctl` for error messages
  - Connected via client and could not see the error messages, this is backwards compatible
  - Local testing using sdk examples:

```sh
cd <PATH_TO>/nym/sdk/rust/nym-sdk
cargo run --example simple
# outcome
thread 'main' panicked at sdk/rust/nym-sdk/examples/simple.rs:9:64:
called Result::unwrap() on an Err value: ClientCoreError(ValidatorClientError(NymAPIError { source: ReqwestClientError { source: reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None,
```
- Upgrade `axum` and related dependencies to the most recent version
- Run cargo autoinherit on the main workspace: Move several dependencies to the workspace level using cargo autoinherit, to make it easier to keep our dependencies up to date.
  - Run cargo autoinherit in the root
  - Merge in the new workspace deps in the main list
  - We made sure to not mix in other changes as well - all features flags for all crates should be the same as before
  - Run `cargo autoinherit` in the root directory to move dependencies to the workspace level
  - Merge the new workspace dependencies into the main list
  - Ensure no other changes were mixed in during the process
  - Verify that all feature flags for all crates remained the same as before
  - Build all the binaries from this branch to confirm successful compilation
  - Deploy the built binaries across different environments to ensure there were no issues
- Add rustls-tls to reqwest in validator-client: An attempt to make it impossible to end up in a situation where the validator-client is used without functioning TLS support. For the monorepo this is masked by cargo feature unification, but becomes a problem for outside consumers, as has been noticed in many of the vpn client implementations.
  - In `validator-client`: `reqwest`, enable `rustls-tls` for `non-wasm32`
  - In `client-core`: Use default features enabled for `non-wasm32` and switch to `webpki` roots, since that's what we're using with `reqwest` anyway
  - In `gateway-client`: Switch to `webpki` roots, since that's what we're using with `reqwest` anyway
Crypto
- Build the project to ensure no compilation errors
- Run tests to verify the functionality of the `issue_credential` function
- Execute integration tests to check the behaviour during an epoch transition.
- Allow using explicit admin address for issuing freepasses
- Explicitly handle constraint unique violation when importing credential: Add a strong type for when a duplicate credential is imported so the vpn lib can handle this.
- Feature/wasm coconut: This pull request requires #4585 to be merged first
- Feature/nyxd scraper pruning: This PR introduces storage pruning to `nyxd` scraper which is then used by the validators rewarder.
  - Add a `main.rs` file in the `nyxd` scraper dir, underneath `lib.rs`, amend `config.pruning_options.validate()?;` to be `let _ = config.pruning_options.validate();` in the mod.rs file
  - Test the different variations of `pruning_options`:
    - Check the default option: `pruning_options: PruningOptions::default()`
    - Check the nothing option: `pruning_options: PruningOptions::nothing()`
    - Check the custom option, example: `pruning_options: PruningOptions { keep_recent: (500), interval: (10), strategy: (PruningStrategy::Custom) }`
    - Check the pruning in real life for the validator rewarder
  - Validate that the database table `blocks` was being updated accordingly
- Feature/rewarder voucher issuance
  - Introduces signature checks on issued credential data
  - Stores evidence of any failures/malicious behaviour in the internal db
Bugfix
- `noop` flag for `nym-api` for `nymvisor` compatibility
  - The application starts correctly and logs the starting message
  - The `--no_banner` flag works as intended, providing compatibility with `nymvisor`
  - Build the project to ensure no compilation errors
  - Run the binary with different command-line arguments to verify the CLI functionality
  - Test with and without the `--no_banner` flag to ensure compatibility and expected behavior
  - Verify logging setup and configuration file parsing
Operators Guide updates
- `nym-gateway-probe`: A CLI tool to check in-real-time networking status of any Gateway locally.
- Where to host your `nym-node`?: A list of Internet Service Providers (ISPs) by Nym Operators community. We invite all operators to add their experiences with different ISPs to strengthen the community knowledge and Nym mixnet performance.
- Make sure you run `nym-node` with `--wireguard-enabled false` and add a location description to your `config.toml`, both documented in `nym-node` setup manual.
v2024.4-nutella
- Merged PRs
- `nym-node` version `1.1.1`
- This release also contains: `nym-gateway` and `nym-network-requester` binaries
- core improvements on nym-node configuration
- Nym wallet changes:
  - Adding `nym-node` command to bonding screens
  - Fixed the delegation issues with fixing RPC
- Network configuration section updates, in particular for `--mode mixnode` operators
- VPS IPv6 troubleshooting updates
v2024.3-eclipse
- Release Changelog.md
- `nym-node` initial release
- New tool for monitoring Gateways performance harbourmaster.nymtech.net
- New versioning `1.1.0+nymnode` mainly for internal migration testing, not essential for operational use. We aim to correct this in a future release to ensure mixnodes feature correctly in the main API
- New VPS specs & configuration page
- New configuration page with connectivity setup guide - a new requirement for `exit-gateway`
- API endpoints redirection: Nym-mixnode and nym-gateway endpoints will eventually be deprecated; due to this, their endpoints will be redirected to new routes once the `nym-node` has been migrated and is running
API endpoints redirection
| Previous endpoint | New endpoint |
|---|---|
| http://<IP>:8000/stats | http://<IP>:8000/api/v1/metrics/mixing |
| http://<IP>:8000/hardware | http://<IP>:8000/api/v1/system-info |
| http://<IP>:8000/description | http://<IP>:8000/api/v1/description |