dfinity · sesi200 · Apr 11, 2025 · Apr 11, 2025 · Apr 15, 2025 · Apr 22, 2025
@@ -2,6 +2,10 @@
 
 # UNRELEASED
 
+### feat!: Add safeguard to very short freezing threshold
+
+Similar to very long freezing thresholds, setting a freezing threshold below 1 week now requires confirmation with `--confirm-very-short-freezing-threshold` so that unexpected canister uninstallation is less likely.
+
 ### feat: Support 'follow' mode for 'dfx canister logs'
 Support `follow` mode for `dfx canister logs`
 - `--follow` to fetch logs continuously until interrupted with `Ctrl+C`

@@ -1255,10 +1255,11 @@ You can specify the following options for the `dfx canister update-settings` com
 | `--add-log-viewer <principal>`            | Add a principal to the list of log viewers of the canister. Can be specified more than once to add multiple log viewers. If current log visibility is `public` or `controllers`, it will be changed to the custom allowed viewer list.                                                                                                                                                   |
 | `-c`, `--compute-allocation <allocation>` | Specifies the canister's compute allocation. This should be a percent in the range [0..100].                                                                                                                                                                                                                                                                                             |
 | `--confirm-very-long-freezing-threshold`  | Freezing thresholds above ~1.5 years require this option as confirmation.                                                                                                                                                                                                                                                                                                                |
+| `--confirm-very-short-freezing-threshold` | Freezing thresholds below 1 week require this option as confirmation.                                                                                                                                                                                                                                                                                                                    |
 | `--impersonate <principal>`               | Specifies a principal on behalf of which requests to a local PocketIC instance are sent.                                                                                                                                                                                                                                                                                                 |
 | `--set-controller <principal>`            | Specifies the identity name or the principal of the new controller. Can be specified more than once, indicating the canister will have multiple controllers. If any controllers are set with this parameter, any other controllers will be removed.                                                                                                                                      |
 | `--set-log-viewer <principal>`            | Specifies the the principal of the log viewer of the canister. Can be specified more than once, indicating the canister will have multiple log viewers. If any log viewers are set with this parameter, any other log viewers will be removed. If current log visibility is `public` or `controllers`, it will be changed to the custom allowed viewer list.                             |
-| `--memory-allocation <allocation>`        | Specifies how much memory the canister is allowed to use in total. This should be a value in the range [0..12 GiB]. A setting of 0 means the canister will have access to memory on a “best-effort” basis: It will only be charged for the memory it uses, but at any point in time may stop running if it tries to allocate more memory when there isn’t space available on the subnet. |
+| `--memory-allocation <allocation>`        | Specifies how much memory the canister is allowed to use in total. This should be a value in the range [0..12 GiB]. A setting of 0 means the canister will have access to memory on a "best-effort" basis: It will only be charged for the memory it uses, but at any point in time may stop running if it tries to allocate more memory when there isn't space available on the subnet. |
 | `--reserved-cycles-limit <limit>`         | Specifies the upper limit of the canister's reserved cycles.                                                                                                                                                                                                                                                                                                                             |
 | `--wasm-memory-limit <limit>`             | Specifies a soft upper limit for the canister's heap memory.                                                                                                                                                                                                                                                                                                                             |
 | `--log-visibility <visibility>`           | Specifies who is allowed to read the canister's logs. Can be either "controllers" or "public". For custom allowed viewers, use `--set-log-viewer` or `--add-log-viewer`.                                                                                                                                                                                                                 |

@@ -40,6 +40,16 @@ teardown() {
   assert_command dfx ledger fabricate-cycles --canister hello_backend --t 100
   assert_command dfx canister status hello_backend
   assert_match "Freezing threshold: 100_000_000_000"
+
+  # trying to set threshold to 1 day, which should not work without confirmation
+  assert_command_fail dfx canister update-settings hello_backend --freezing-threshold 86400
+  assert_match "The freezing threshold is very short at less than 1 week" # error message pointing to the error
+
+  # with manual override it's ok
+  assert_command dfx canister update-settings hello_backend --freezing-threshold 86400 --confirm-very-short-freezing-threshold
+
+  assert_command dfx canister status hello_backend
+  assert_match "Freezing threshold: 86_400"
 }
 
 @test "set wasm memory limit" {

@@ -111,6 +111,10 @@ pub struct UpdateSettingsOpts {
     #[arg(long)]
     confirm_very_long_freezing_threshold: bool,
 
+    /// Freezing thresholds below 1 week require this flag as confirmation.
+    #[arg(long)]
+    confirm_very_short_freezing_threshold: bool,
+
     /// Skips yes/no checks by answering 'yes'. Such checks can result in loss of control,
     /// so this is not recommended outside of CI.
     #[arg(long, short)]
@@ -141,6 +145,13 @@ pub async fn exec(
                 "If you truly want to set a freezing threshold that is longer than a year, please run the same command, but with the flag --confirm-very-long-freezing-threshold to confirm you want to do this.",
             )).context("Misunderstanding is very likely.");
         }
+        if threshold_in_seconds < 604_800 /* 1 week */ && !opts.confirm_very_short_freezing_threshold
+        {
+            return Err(DiagnosedError::new(
+                "The freezing threshold is very short at less than 1 week. This may lead to canisters getting uninstalled with no or too little warning when cycles run out.",
+                "If you truly want to set a freezing threshold that is shorter than a week, please run the same command, but with the flag --confirm-very-short-freezing-threshold to confirm you want to do this.",
+            )).context("Dangerous operation requires confirmation.");
+        }
     }
 
     fetch_root_key_if_needed(env).await?;