I think a way for a delegate to perform maintenance is needed. This should keep the delegate's votes and position but transfer the delegate's slot to another delegate.
I agree this is needful. A delegate may very well decide to resign from their position and stop being a delegate, due to a change in life circumstances, business circumstances, regulatory / legal issues, etc. They currently have no way to voluntarily do this except by trying to get in contact with voters and convincing them to vote for someone else. We need a signed message that says "I no longer want to be a delegate, please do not consider me as a candidate in the delegate election."
Temporary resignation for maintenance should be discouraged; this is what manual failover is for (have the client running on two nodes, wait for a block, then stop block production on the current node and start it on the backup). Since this is 2014 (soon to be 2015) and you can rent VPSes by the hour from many providers, the cost of having a backup node online for a few hours while the main node undergoes maintenance is small.
They will get fired automatically in a future release.
So how is automatic failover supposed to work then? Suppose a backup node loses contact with the main node (the main node doesn't respond to any network service, ping, RPC, ssh, etc.). Then the backup node can't start producing blocks because it can't distinguish between (a) the main node is down and (b) the network path between the backup node and main node is down. Thus, producing blocks on the backup node might cause a fork.
I'd like to make the following recommendations for delegates then:
- If running automatic failover nodes, DO NOT start producing blocks unless the main node can be CONFIRMED dead (i.e. you can get into the VPS admin function and tell the machine to reboot, get into SSH and see the process is gone, etc.)
- Best practice is to just have one node with automatic failover wrapper script that monitors the connection and kills / restarts the process, re-unlocking the wallet, if RPC dies.
- Put the client in your /etc/init.d, including putting your wallet password on permanent storage, so rebooting the machine should start the delegate automatically.
Of course this means your key is exposed to anyone who has physical access to the storage. For this reason:
- Use active key instead of owner key and have a script that withdraws pay several times a day
- Use block production key when that functionality is released
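The "one node plus a wrapper script" setup recommended above, written out as an added example (not code from any poster or from the client itself). It polls the client's RPC, and after a run of consecutive failures kills and restarts the process and re-unlocks the wallet from a password file. The binary path, the probe and unlock commands, the password file location and the `logger` tag are all assumptions and placeholders; substitute the real client's commands. Keeping the password in a root-only file with mode 0600 limits the exposure the thread mentions to whoever can read that file, rather than to anyone who can list processes.

```shell
#!/bin/sh
# Hypothetical delegate watchdog (constructed example, not a real client's tooling).
# Polls the client's RPC; after FAIL_THRESHOLD consecutive failures it restarts the
# client and re-unlocks the wallet so block production resumes without a human.

CLIENT_BIN="${CLIENT_BIN:-/usr/local/bin/delegate_client}"          # placeholder path
RPC_PROBE="${RPC_PROBE:-$CLIENT_BIN rpc get_info}"                  # placeholder probe command
UNLOCK_CMD="${UNLOCK_CMD:-$CLIENT_BIN rpc wallet_unlock}"           # placeholder unlock command (reads password on stdin)
WALLET_PASS_FILE="${WALLET_PASS_FILE:-/etc/delegate/wallet.pass}"   # must be mode 0600, owned by the service user
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"                               # consecutive failures before a restart
POLL_SECONDS="${POLL_SECONDS:-10}"                                  # probe interval

# rpc_alive: exit 0 if the RPC probe succeeds, non-zero otherwise.
rpc_alive() {
    sh -c "$RPC_PROBE" >/dev/null 2>&1
}

# decide_action FAILS THRESHOLD: prints "restart" once the failure count reaches
# the threshold, otherwise "wait". Kept pure so the policy can be tested alone.
decide_action() {
    if [ "$1" -ge "$2" ]; then
        echo restart
    else
        echo wait
    fi
}

# restart_client: kill any running client, start a fresh one, then re-unlock.
# The password is fed on stdin from the file so it never appears in `ps` output.
restart_client() {
    pkill -f "$CLIENT_BIN" 2>/dev/null || true
    sleep 2
    nohup "$CLIENT_BIN" >/dev/null 2>&1 &
    sleep "$POLL_SECONDS"
    sh -c "$UNLOCK_CMD" < "$WALLET_PASS_FILE" >/dev/null 2>&1
}

# watchdog_loop: the supervisor loop; intended to be started from /etc/init.d.
watchdog_loop() {
    fails=0
    while :; do
        if rpc_alive; then
            fails=0
        else
            fails=$((fails + 1))
            logger -t delegate-watchdog "RPC probe failed ($fails/$FAIL_THRESHOLD)"
            if [ "$(decide_action "$fails" "$FAIL_THRESHOLD")" = restart ]; then
                logger -t delegate-watchdog "restarting client and re-unlocking wallet"
                restart_client
                fails=0
            fi
        fi
        sleep "$POLL_SECONDS"
    done
}

# Only run the loop when explicitly asked, so the functions can be sourced for testing.
if [ "${WATCHDOG_RUN:-0}" = 1 ]; then
    watchdog_loop
fi
```

Start it from the init script with `WATCHDOG_RUN=1` in the environment. The threshold keeps a single slow RPC response from triggering a restart mid-block, and because this supervises one node rather than a second machine, it does not run into the split-brain problem described earlier in the thread.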