[#79] cli: Fix panic when setting domain for container

Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>

.docker/Dockerfile.adm

@@ -1,19 +1,19 @@
-FROM golang:1.16 as builder
+FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 
-RUN make bin/neofs-adm
+RUN make bin/frostfs-adm
 
 # Executable image
-FROM alpine AS neofs-adm
+FROM alpine AS frostfs-adm
 RUN apk add --no-cache bash
 
 WORKDIR /
 
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /src/bin/neofs-adm /bin/neofs-adm
+COPY --from=builder /src/bin/frostfs-adm /bin/frostfs-adm
 
-CMD ["neofs-adm"]
+CMD ["frostfs-adm"]

.docker/Dockerfile.cli

@@ -1,19 +1,19 @@
-FROM golang:1.16 as builder
+FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 
-RUN make bin/neofs-cli
+RUN make bin/frostfs-cli
 
 # Executable image
-FROM alpine AS neofs-cli
+FROM alpine AS frostfs-cli
 RUN apk add --no-cache bash
 
 WORKDIR /
 
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /src/bin/neofs-cli /bin/neofs-cli
+COPY --from=builder /src/bin/frostfs-cli /bin/frostfs-cli
 
-CMD ["neofs-cli"]
+CMD ["frostfs-cli"]

.docker/Dockerfile.dirty-adm

@@ -3,6 +3,6 @@ RUN apk add --no-cache bash ca-certificates
 
 WORKDIR /
 
-COPY bin/neofs-adm /bin/neofs-adm
+COPY bin/frostfs-adm /bin/frostfs-adm
 
-CMD ["neofs-adm"]
+CMD ["frostfs-adm"]

.docker/Dockerfile.dirty-cli

@@ -3,6 +3,6 @@ RUN apk add --no-cache bash ca-certificates
 
 WORKDIR /
 
-COPY bin/neofs-cli /bin/neofs-cli
+COPY bin/frostfs-cli /bin/frostfs-cli
 
-CMD ["neofs-cli"]
+CMD ["frostfs-cli"]

.docker/Dockerfile.dirty-ir

@@ -3,6 +3,6 @@ RUN apk add --no-cache bash ca-certificates
 
 WORKDIR /
 
-COPY bin/neofs-ir /bin/neofs-ir
+COPY bin/frostfs-ir /bin/frostfs-ir
 
-CMD ["neofs-ir"]
+CMD ["frostfs-ir"]

.docker/Dockerfile.dirty-storage

@@ -3,6 +3,6 @@ RUN apk add --no-cache bash ca-certificates
 
 WORKDIR /
 
-COPY bin/neofs-node /bin/neofs-node
+COPY bin/frostfs-node /bin/frostfs-node
 
-CMD ["neofs-node"]
+CMD ["frostfs-node"]

.docker/Dockerfile.ir

@@ -1,18 +1,18 @@
-FROM golang:1.16 as builder
+FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 
-RUN make bin/neofs-ir
+RUN make bin/frostfs-ir
 
 # Executable image
-FROM alpine AS neofs-ir
+FROM alpine AS frostfs-ir
 RUN apk add --no-cache bash
 
 WORKDIR /
 
-COPY --from=builder /src/bin/neofs-ir /bin/neofs-ir
+COPY --from=builder /src/bin/frostfs-ir /bin/frostfs-ir
 
-CMD ["neofs-ir"]
+CMD ["frostfs-ir"]

.docker/Dockerfile.storage

@@ -1,18 +1,18 @@
-FROM golang:1.16 as builder
+FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 
-RUN make bin/neofs-node
+RUN make bin/frostfs-node
 
 # Executable image
-FROM alpine AS neofs-node
+FROM alpine AS frostfs-node
 RUN apk add --no-cache bash
 
 WORKDIR /
 
-COPY --from=builder /src/bin/neofs-node /bin/neofs-node
+COPY --from=builder /src/bin/frostfs-node /bin/frostfs-node
 
-CMD ["neofs-node"]
+CMD ["frostfs-node"]

.docker/Dockerfile.storage-testnet

@@ -1,19 +1,19 @@
-FROM golang:1.16 as builder
+FROM golang:1.18 as builder
 ARG BUILD=now
 ARG VERSION=dev
 ARG REPO=repository
 WORKDIR /src
 COPY . /src
 
-RUN make bin/neofs-node
+RUN make bin/frostfs-node
 
 # Executable image
-FROM alpine AS neofs-node
+FROM alpine AS frostfs-node
 RUN apk add --no-cache bash
 
 WORKDIR /
 
-COPY --from=builder /src/bin/neofs-node /bin/neofs-node
+COPY --from=builder /src/bin/frostfs-node /bin/frostfs-node
 COPY --from=builder /src/config/testnet/config.yml /config.yml
 
-CMD ["neofs-node", "--config", "/config.yml"]
+CMD ["frostfs-node", "--config", "/config.yml"]

.github/CODEOWNERS

@@ -0,0 +1 @@
+*   @TrueCloudLab/storage-core @TrueCloudLab/committers

.github/ISSUE_TEMPLATE/bug_report.md

@@ -41,3 +41,10 @@ assignees: ''
 * Version used:
 * Server setup and configuration:
 * Operating System and version (`uname -a`):
+
+## Don't forget to add labels!
+- component label (`frostfs-adm`, `frostfs-storage`, ...)
+- `goodfirstissue`, `helpwanted` if needed
+- does this issue belong to an epic?
+- priority (`P0`-`P4`) if already triaged
+- quarter label (`202XQY`) if possible

.github/ISSUE_TEMPLATE/feature_request.md

@@ -18,3 +18,11 @@ assignees: ''
 
 ## Additional context
 <!-- Add any other context or screenshots about the feature request here. -->
+
+## Don't forget to add labels!
+- component label (`neofs-adm`, `neofs-storage`, ...)
+- issue type (`enhancement`, `refactor`, ...)
+- `goodfirstissue`, `helpwanted` if needed
+- does this issue belong to an epic?
+- priority (`P0`-`P4`) if already triaged
+- quarter label (`202XQY`) if possible

.github/logo.svg

@@ -1,129 +1,70 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   sodipodi:docname="logo_fs.svg"
-   inkscape:version="1.0 (4035a4fb49, 2020-05-01)"
-   id="svg57"
-   version="1.1"
-   viewBox="0 0 105 25"
-   height="25mm"
-   width="105mm">
-  <defs
-     id="defs51">
-    <clipPath
-       clipPathUnits="userSpaceOnUse"
-       id="clipPath434">
-      <path
-         d="M 0,0 H 1366 V 768 H 0 Z"
-         id="path432" />
-    </clipPath>
-  </defs>
-  <sodipodi:namedview
-     inkscape:window-maximized="0"
-     inkscape:window-y="0"
-     inkscape:window-x="130"
-     inkscape:window-height="1040"
-     inkscape:window-width="1274"
-     height="50mm"
-     units="mm"
-     showgrid="false"
-     inkscape:document-rotation="0"
-     inkscape:current-layer="layer1"
-     inkscape:document-units="mm"
-     inkscape:cy="344.49897"
-     inkscape:cx="468.64708"
-     inkscape:zoom="0.7"
-     inkscape:pageshadow="2"
-     inkscape:pageopacity="0.0"
-     borderopacity="1.0"
-     bordercolor="#666666"
-     pagecolor="#ffffff"
-     id="base" />
-  <metadata
-     id="metadata54">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <g
-     id="layer1"
-     inkscape:groupmode="layer"
-     inkscape:label="Layer 1">
-    <g
-       id="g424"
-       transform="matrix(0.35277777,0,0,-0.35277777,63.946468,10.194047)">
-      <path
-         d="m 0,0 v -8.093 h 12.287 v -3.94 H 0 V -24.067 H -4.534 V 3.898 H 15.677 V 0 Z"
-         style="fill:#00e396;fill-opacity:1;fill-rule:nonzero;stroke:none"
-         id="path426" />
-    </g>
-    <g
-       transform="matrix(0.35277777,0,0,-0.35277777,-315.43002,107.34005)"
-       id="g428">
-      <g
-         id="g430"
-         clip-path="url(#clipPath434)">
-        <g
-           id="g436"
-           transform="translate(1112.874,278.2981)">
-          <path
-             d="M 0,0 C 1.822,-0.932 3.354,-2.359 4.597,-4.28 L 1.165,-7.373 c -0.791,1.695 -1.779,2.924 -2.966,3.686 -1.186,0.763 -2.768,1.145 -4.745,1.145 -1.949,0 -3.461,-0.389 -4.534,-1.166 -1.074,-0.777 -1.61,-1.772 -1.61,-2.987 0,-1.13 0.523,-2.027 1.568,-2.69 1.045,-0.664 2.909,-1.236 5.593,-1.716 2.514,-0.452 4.512,-1.024 5.995,-1.716 1.483,-0.693 2.564,-1.554 3.242,-2.585 0.677,-1.031 1.016,-2.309 1.016,-3.834 0,-1.639 -0.466,-3.079 -1.398,-4.322 -0.932,-1.243 -2.239,-2.197 -3.919,-2.86 -1.681,-0.664 -3.623,-0.996 -5.826,-0.996 -5.678,0 -9.689,1.892 -12.033,5.678 l 3.178,3.178 c 0.903,-1.695 2.068,-2.939 3.495,-3.729 1.426,-0.791 3.199,-1.186 5.318,-1.186 2.005,0 3.58,0.345 4.724,1.038 1.144,0.692 1.716,1.674 1.716,2.945 0,1.017 -0.516,1.835 -1.547,2.457 -1.031,0.621 -2.832,1.172 -5.402,1.653 -2.571,0.479 -4.618,1.073 -6.143,1.779 -1.526,0.706 -2.635,1.582 -3.326,2.627 -0.693,1.045 -1.039,2.316 -1.039,3.813 0,1.582 0.438,3.023 1.314,4.322 0.875,1.299 2.14,2.33 3.792,3.093 1.653,0.763 3.58,1.144 5.783,1.144 C -4.018,1.398 -1.822,0.932 0,0"
-             style="fill:#00e396;fill-opacity:1;fill-rule:nonzero;stroke:none"
-             id="path438" />
-        </g>
-        <g
-           id="g440"
-           transform="translate(993.0239,277.5454)">
-          <path
-             d="m 0,0 c 2.054,-1.831 3.083,-4.465 3.083,-7.902 v -17.935 h -4.484 v 16.366 c 0,2.914 -0.626,5.024 -1.877,6.332 -1.253,1.308 -2.924,1.962 -5.016,1.962 -1.495,0 -2.896,-0.327 -4.204,-0.981 -1.308,-0.654 -2.381,-1.719 -3.222,-3.194 -0.841,-1.477 -1.261,-3.335 -1.261,-5.576 v -14.909 h -4.484 V 1.328 l 4.086,-1.674 0.118,-1.84 c 0.933,1.681 2.222,2.923 3.867,3.727 1.643,0.803 3.493,1.205 5.548,1.205 C -4.671,2.746 -2.055,1.83 0,0"
-             style="fill:#000033;fill-opacity:1;fill-rule:nonzero;stroke:none"
-             id="path442" />
-        </g>
-        <g
-           id="g444"
-           transform="translate(1027.9968,264.0386)">
-          <path
-             d="m 0,0 h -21.128 c 0.261,-2.84 1.205,-5.044 2.83,-6.613 1.625,-1.57 3.727,-2.355 6.305,-2.355 2.054,0 3.763,0.356 5.128,1.065 1.363,0.71 2.288,1.738 2.774,3.083 l 3.755,-1.961 c -1.121,-1.981 -2.616,-3.495 -4.484,-4.54 -1.868,-1.046 -4.259,-1.569 -7.173,-1.569 -4.223,0 -7.538,1.289 -9.948,3.867 -2.41,2.578 -3.615,6.146 -3.615,10.704 0,4.558 1.149,8.127 3.447,10.705 2.298,2.578 5.557,3.867 9.779,3.867 2.615,0 4.876,-0.58 6.782,-1.738 1.905,-1.158 3.343,-2.728 4.315,-4.707 C -0.262,7.827 0.224,5.605 0.224,3.139 0.224,2.092 0.149,1.046 0,0 m -18.298,10.144 c -1.513,-1.457 -2.438,-3.512 -2.775,-6.165 h 16.982 c -0.3,2.615 -1.159,4.661 -2.578,6.137 -1.42,1.476 -3.307,2.214 -5.661,2.214 -2.466,0 -4.455,-0.728 -5.968,-2.186"
-             style="fill:#000033;fill-opacity:1;fill-rule:nonzero;stroke:none"
-             id="path446" />
-        </g>
-        <g
-           id="g448"
-           transform="translate(1057.8818,276.4246)">
-          <path
-             d="m 0,0 c 2.41,-2.578 3.615,-6.147 3.615,-10.705 0,-4.558 -1.205,-8.126 -3.615,-10.704 -2.41,-2.578 -5.726,-3.867 -9.948,-3.867 -4.222,0 -7.537,1.289 -9.947,3.867 -2.41,2.578 -3.615,6.146 -3.615,10.704 0,4.558 1.205,8.127 3.615,10.705 2.41,2.578 5.725,3.867 9.947,3.867 C -5.726,3.867 -2.41,2.578 0,0 m -16.617,-2.858 c -1.607,-1.906 -2.41,-4.522 -2.41,-7.847 0,-3.326 0.803,-5.94 2.41,-7.846 1.607,-1.905 3.83,-2.858 6.669,-2.858 2.839,0 5.063,0.953 6.67,2.858 1.606,1.906 2.41,4.52 2.41,7.846 0,3.325 -0.804,5.941 -2.41,7.847 C -4.885,-0.953 -7.109,0 -9.948,0 c -2.839,0 -5.062,-0.953 -6.669,-2.858"
-             style="fill:#000033;fill-opacity:1;fill-rule:nonzero;stroke:none"
-             id="path450" />
-        </g>
-      </g>
-    </g>
-    <g
-       id="g452"
-       transform="matrix(0.35277777,0,0,-0.35277777,5.8329581,6.5590171)">
-      <path
-         d="m 0,0 0.001,-38.946 25.286,-9.076 V -8.753 L 52.626,1.321 27.815,10.207 Z"
-         style="fill:#00e599;fill-opacity:1;fill-rule:nonzero;stroke:none"
-         id="path454" />
-    </g>
-    <g
-       id="g456"
-       transform="matrix(0.35277777,0,0,-0.35277777,15.479008,10.041927)">
-      <path
-         d="M 0,0 V -21.306 L 25.293,-30.364 25.282,9.347 Z"
-         style="fill:#00b091;fill-opacity:1;fill-rule:nonzero;stroke:none"
-         id="path458" />
-    </g>
-  </g>
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 25.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Слой_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 184.2 51.8" style="enable-background:new 0 0 184.2 51.8;" xml:space="preserve">
+<style type="text/css">
+	.st0{display:none;}
+	.st1{display:inline;}
+	.st2{fill:#01E397;}
+	.st3{display:inline;fill:#010032;}
+	.st4{display:inline;fill:#00E599;}
+	.st5{display:inline;fill:#00AF92;}
+	.st6{fill:#00C3E5;}
+</style>
+<g id="Layer_2">
+	<g id="Layer_1-2" class="st0">
+		<g class="st1">
+			<path class="st2" d="M146.6,18.3v7.2h10.9V29h-10.9v10.7h-4V14.8h18v3.5H146.6z"/>
+			<path class="st2" d="M180,15.7c1.7,0.9,3,2.2,4,3.8l-3,2.7c-0.6-1.3-1.5-2.4-2.6-3.3c-1.3-0.7-2.8-1-4.3-1
+				c-1.4-0.1-2.8,0.3-4,1.1c-0.9,0.5-1.5,1.5-1.4,2.6c0,1,0.5,1.9,1.4,2.4c1.5,0.8,3.2,1.3,4.9,1.5c1.9,0.3,3.7,0.8,5.4,1.6
+				c1.2,0.5,2.2,1.3,2.9,2.3c0.6,1,1,2.2,0.9,3.4c0,1.4-0.5,2.7-1.3,3.8c-0.9,1.2-2.1,2.1-3.5,2.6c-1.7,0.6-3.4,0.9-5.2,0.8
+				c-5,0-8.6-1.6-10.7-5l2.9-2.8c0.7,1.4,1.8,2.5,3.1,3.3c1.5,0.7,3.1,1.1,4.7,1c1.5,0.1,2.9-0.2,4.2-0.9c0.9-0.5,1.5-1.5,1.5-2.6
+				c0-0.9-0.5-1.8-1.3-2.2c-1.5-0.7-3.1-1.2-4.8-1.5c-1.9-0.3-3.7-0.8-5.5-1.5c-1.2-0.5-2.2-1.4-3-2.4c-0.6-1-1-2.2-0.9-3.4
+				c0-1.4,0.4-2.7,1.2-3.8c0.8-1.2,2-2.2,3.3-2.8c1.6-0.7,3.4-1.1,5.2-1C176.1,14.3,178.2,14.8,180,15.7z"/>
+		</g>
+		<path class="st3" d="M73.3,16.3c1.9,1.9,2.9,4.5,2.7,7.1v15.9h-4V24.8c0-2.6-0.5-4.5-1.6-5.7c-1.2-1.2-2.8-1.8-4.5-1.7
+			c-1.3,0-2.5,0.3-3.7,0.8c-1.2,0.7-2.2,1.7-2.9,2.9c-0.8,1.5-1.1,3.2-1.1,4.9v13.3h-4V15.1l3.6,1.5v1.7c0.8-1.5,2.1-2.6,3.6-3.3
+			c1.5-0.8,3.2-1.2,4.9-1.1C68.9,13.8,71.3,14.7,73.3,16.3z"/>
+		<path class="st3" d="M104.4,28.3H85.6c0.1,2.2,1,4.3,2.5,5.9c1.5,1.4,3.5,2.2,5.6,2.1c1.6,0.1,3.2-0.2,4.6-0.9
+			c1.1-0.6,2-1.6,2.5-2.8l3.3,1.8c-0.9,1.7-2.3,3.1-4,4c-2,1-4.2,1.5-6.4,1.4c-3.7,0-6.7-1.1-8.8-3.4s-3.2-5.5-3.2-9.6s1-7.2,3-9.5
+			s5-3.4,8.7-3.4c2.1-0.1,4.2,0.5,6.1,1.5c1.6,1,3,2.5,3.8,4.2c0.9,1.8,1.3,3.9,1.3,5.9C104.6,26.4,104.6,27.4,104.4,28.3z
+			 M88.1,19.3c-1.4,1.5-2.2,3.4-2.4,5.5h15.1c-0.2-2-1-3.9-2.3-5.5c-1.4-1.3-3.2-2-5.1-1.9C91.5,17.3,89.6,18,88.1,19.3z"/>
+		<path class="st3" d="M131,17.3c2.2,2.3,3.2,5.5,3.2,9.5s-1,7.3-3.2,9.6s-5.1,3.4-8.8,3.4s-6.7-1.1-8.9-3.4s-3.2-5.5-3.2-9.6
+			s1.1-7.2,3.2-9.5s5.1-3.4,8.9-3.4S128.9,15,131,17.3z M116.2,19.9c-1.5,2-2.2,4.4-2.1,6.9c-0.2,2.5,0.6,5,2.1,7
+			c1.5,1.7,3.7,2.7,6,2.6c2.3,0.1,4.4-0.9,5.9-2.6c1.5-2,2.3-4.5,2.1-7c0.1-2.5-0.6-4.9-2.1-6.9c-1.5-1.7-3.6-2.7-5.9-2.6
+			C119.9,17.2,117.7,18.2,116.2,19.9z"/>
+		<polygon class="st4" points="0,9.1 0,43.7 22.5,51.8 22.5,16.9 46.8,7.9 24.8,0 		"/>
+		<polygon class="st5" points="24.3,17.9 24.3,36.8 46.8,44.9 46.8,9.6 		"/>
+	</g>
+	<g>
+		<g>
+			<path class="st6" d="M41.6,17.5H28.2v6.9h10.4v3.3H28.2v10.2h-3.9V14.2h17.2V17.5z"/>
+			<path class="st6" d="M45.8,37.9v-18h3.3l0.4,3.2c0.5-1.2,1.2-2.1,2.1-2.7c0.9-0.6,2.1-0.9,3.5-0.9c0.4,0,0.7,0,1.1,0.1
+				c0.4,0.1,0.7,0.2,0.9,0.3l-0.5,3.4c-0.3-0.1-0.6-0.2-0.9-0.2C55.4,23,54.9,23,54.4,23c-0.7,0-1.5,0.2-2.2,0.6
+				c-0.7,0.4-1.3,1-1.8,1.8s-0.7,1.8-0.7,3v9.5H45.8z"/>
+			<path class="st6" d="M68.6,19.6c1.8,0,3.3,0.4,4.6,1.1c1.3,0.7,2.4,1.8,3.1,3.2s1.1,3.1,1.1,5c0,1.9-0.4,3.6-1.1,5
+				c-0.8,1.4-1.8,2.5-3.1,3.2c-1.3,0.7-2.9,1.1-4.6,1.1s-3.3-0.4-4.6-1.1c-1.3-0.7-2.4-1.8-3.2-3.2c-0.8-1.4-1.2-3.1-1.2-5
+				c0-1.9,0.4-3.6,1.2-5s1.8-2.5,3.2-3.2C65.3,19.9,66.8,19.6,68.6,19.6z M68.6,22.6c-1.1,0-2,0.2-2.8,0.7c-0.8,0.5-1.3,1.2-1.7,2.1
+				s-0.6,2.1-0.6,3.5c0,1.3,0.2,2.5,0.6,3.4s1,1.7,1.7,2.2s1.7,0.7,2.8,0.7c1.1,0,2-0.2,2.7-0.7c0.7-0.5,1.3-1.2,1.7-2.2
+				s0.6-2.1,0.6-3.4c0-1.4-0.2-2.5-0.6-3.5s-1-1.6-1.7-2.1C70.6,22.8,69.6,22.6,68.6,22.6z"/>
+			<path class="st6" d="M89.2,38.3c-1.8,0-3.4-0.3-4.9-1c-1.5-0.7-2.7-1.7-3.5-3l2.7-2.3c0.5,1,1.3,1.8,2.3,2.4
+				c1,0.6,2.2,0.9,3.6,0.9c1.1,0,2-0.2,2.6-0.6c0.6-0.4,1-0.9,1-1.6c0-0.5-0.2-0.9-0.5-1.2s-0.9-0.6-1.7-0.8l-3.8-0.8
+				c-1.9-0.4-3.3-1-4.1-1.9c-0.8-0.9-1.2-1.9-1.2-3.3c0-1,0.3-1.9,0.9-2.7c0.6-0.8,1.4-1.5,2.5-2s2.5-0.8,4-0.8c1.8,0,3.3,0.3,4.6,1
+				c1.3,0.6,2.2,1.5,2.9,2.7l-2.7,2.2c-0.5-1-1.1-1.7-2-2.1c-0.9-0.5-1.8-0.7-2.8-0.7c-0.8,0-1.4,0.1-2,0.3c-0.6,0.2-1,0.5-1.3,0.8
+				c-0.3,0.3-0.4,0.7-0.4,1.2c0,0.5,0.2,0.9,0.5,1.3s1,0.6,1.9,0.8l4.1,0.9c1.7,0.3,2.9,0.9,3.7,1.7c0.7,0.8,1.1,1.8,1.1,2.9
+				c0,1.2-0.3,2.2-0.9,3c-0.6,0.9-1.5,1.6-2.6,2C92.1,38.1,90.7,38.3,89.2,38.3z"/>
+			<path class="st6" d="M112.8,19.9v3H99.3v-3H112.8z M106.6,14.6v17.9c0,0.9,0.2,1.5,0.7,1.9c0.5,0.4,1.1,0.6,1.9,0.6
+				c0.6,0,1.2-0.1,1.7-0.3c0.5-0.2,0.9-0.5,1.3-0.8l0.9,2.8c-0.6,0.5-1.2,0.9-2,1.1c-0.8,0.3-1.7,0.4-2.7,0.4c-1,0-2-0.2-2.8-0.5
+				s-1.5-0.9-2-1.6c-0.5-0.8-0.7-1.7-0.8-3V15.7L106.6,14.6z"/>
+			<path d="M137.9,17.5h-13.3v6.9h10.4v3.3h-10.4v10.2h-3.9V14.2h17.2V17.5z"/>
+			<path d="M150.9,13.8c2.1,0,4,0.4,5.5,1.2c1.6,0.8,2.9,2,4,3.5l-2.6,2.5c-0.9-1.4-1.9-2.4-3.1-3c-1.1-0.6-2.5-0.9-4-0.9
+				c-1.2,0-2.1,0.2-2.8,0.5c-0.7,0.3-1.3,0.7-1.6,1.2c-0.3,0.5-0.5,1.1-0.5,1.7c0,0.7,0.3,1.4,0.8,1.9c0.5,0.6,1.5,1,2.9,1.3
+				l4.8,1.1c2.3,0.5,3.9,1.3,4.9,2.3c1,1,1.4,2.3,1.4,3.9c0,1.5-0.4,2.7-1.2,3.8c-0.8,1.1-1.9,1.9-3.3,2.5s-3.1,0.9-5,0.9
+				c-1.7,0-3.2-0.2-4.5-0.6c-1.3-0.4-2.5-1-3.5-1.8c-1-0.7-1.8-1.6-2.5-2.6l2.7-2.7c0.5,0.8,1.1,1.6,1.9,2.2
+				c0.8,0.7,1.7,1.2,2.7,1.5c1,0.4,2.2,0.5,3.4,0.5c1.1,0,2.1-0.1,2.9-0.4c0.8-0.3,1.4-0.7,1.8-1.2c0.4-0.5,0.6-1.1,0.6-1.9
+				c0-0.7-0.2-1.3-0.7-1.8c-0.5-0.5-1.3-0.9-2.6-1.2l-5.2-1.2c-1.4-0.3-2.6-0.8-3.6-1.3c-0.9-0.6-1.6-1.3-2.1-2.1s-0.7-1.8-0.7-2.8
+				c0-1.3,0.4-2.6,1.1-3.7c0.7-1.1,1.8-2,3.2-2.6C147.3,14.1,148.9,13.8,150.9,13.8z"/>
+		</g>
+	</g>
+</g>
 </svg>

.github/workflows/changelog.yml

@@ -0,0 +1,29 @@
+name: CHANGELOG check
+
+on:
+  pull_request:
+    branches:
+      - master
+      - support/**
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Check for updates
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Get changed CHANGELOG
+        id: changelog-diff
+        uses: tj-actions/changed-files@v29
+        with:
+          files: CHANGELOG.md
+
+      - name: Fail if changelog not updated
+        if: steps.changelog-diff.outputs.any_changed == 'false'
+        uses: actions/github-script@v3
+        with:
+          script: |
+            core.setFailed('CHANGELOG.md has not been updated')

.github/workflows/config-update.yml

@@ -0,0 +1,37 @@
+name: Configuration check
+
+on:
+  pull_request:
+    branches:
+      - master
+      - support/**
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: config-check
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Get changed config-related files
+        id: config-diff
+        uses: tj-actions/changed-files@v29
+        with:
+          files: |
+            config/**
+            cmd/neofs-node/config/**
+
+      - name: Get changed doc files
+        id: docs-diff
+        uses: tj-actions/changed-files@v29
+        with:
+          files: docs/**
+
+      - name: Fail if config files are changed but the documentation is not updated
+        if: steps.config-diff.outputs.any_changed == 'true' && steps.docs-diff.outputs.any_changed == 'false'
+        uses: actions/github-script@v3
+        with:
+          script: |
+            core.setFailed('Documentation has not been updated')

.github/workflows/dco.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - master
+      - support/**
 
 jobs:
   commits_check_job:

.github/workflows/go.yml

@@ -1,14 +1,16 @@
-name: neofs-node tests
+name: frostfs-node tests
 
 on:
   push:
     branches:
       - master
+      - support/**
     paths-ignore:
       - '*.md'
   pull_request:
     branches:
       - master
+      - support/**
     paths-ignore:
       - '*.md'
 
@@ -17,18 +19,18 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        go: [ '1.16.x', '1.17.x' ]
+        go: [ '1.18.x', '1.19.x' ]
     steps:
       - name: Setup go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ matrix.go }}
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache go mod
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ matrix.go }}-${{ hashFiles('**/go.sum') }}
@@ -46,12 +48,13 @@ jobs:
   lint:
     runs-on: ubuntu-20.04
     steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+      - uses: actions/setup-go@v3
         with:
-          version: v1.42.1
+          go-version: 1.19
+      - uses: actions/checkout@v3
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.50.0
           args: --timeout=5m
           only-new-issues: true

.gitignore

@@ -1,12 +1,51 @@
+# IDE
 .idea
-bin
-release
+.vscode
+
+# Vendoring
+vendor
+
+# tempfiles
+.DS_Store
+*~
+.cache
+
 temp
+tmp
+
+# binary
+bin/
+release/
+
+# coverage
+coverage.txt
+coverage.html
+
+# testing
 cmd/test
 /plugins/
-/vendor/
-
 testfile
+
+# misc
 .neofs-cli.yml
 
-.cache
+# debhelpers
+debian/*debhelper*
+
+# logfiles
+debian/*.log
+
+# .substvars
+debian/*.substvars
+
+# .bash-completion
+debian/*.bash-completion
+
+# Install folders and files
+debian/frostfs-cli/
+debian/frostfs-ir/
+debian/files
+debian/frostfs-storage/
+debian/changelog
+man/
+debs/

.golangci.yml

@@ -34,16 +34,23 @@ linters:
     # some default golangci-lint linters
     - errcheck
     - gosimple
+    - godot
     - ineffassign
     - staticcheck
     - typecheck
+    - unused
 
     # extra linters
+    - bidichk
+    - durationcheck
     - exhaustive
+    - exportloopref
     - gofmt
-    - whitespace
     - goimports
-    - unused
+    - misspell
+    - predeclared
+    - reassign
+    - whitespace
   disable-all: true
   fast: false
 

CHANGELOG.md

@@ -1,8 +1,663 @@
 # Changelog
-Changelog for NeoFS Node
+Changelog for FrostFS Node
 
 ## [Unreleased]
 
+### Added
+- Separate batching for replicated operations over the same container in pilorama (#1621)
+- Doc for extended headers (#2128)
+- New `frostfs_node_object_container_size` metric for tracking size of reqular objects in a container (#2116)
+- New `frostfs_node_object_payload_size` metric for tracking size of reqular objects on a single shard (#1794)
+- Add command `frostfs-adm morph netmap-candidates` (#1889)
+- `object.delete.tombstone_lifetime` config parameter to set tombstone lifetime in the DELETE service (#2246)
+- Reload config for pprof and metrics on SIGHUP in `neofs-node` (#1868)
+- Multiple configs support (#44)
+- Parameters `nns-name` and `nns-zone` for command `frostfs-cli container create` (#37)
+
+### Changed
+- Change `frostfs_node_engine_container_size` to counting sizes of logical objects
+- `common.PrintVerbose` prints via `cobra.Command.Printf` (#1962)
+- Env prefix in configuration changed to `FROSTFS_*` (#43)
+- Link object is broadcast throughout the whole container now (#57)
+- Pilorama now can merge multiple batches into one (#2231)
+- Storage engine now can start even when some shard components are unavailable (#2238)
+- `neofs-cli` buffer for object put increased from 4 KiB to 3 MiB (#2243)
+- Expired locked object is available for reading (#56)
+
+### Fixed
+- Increase payload size metric on shards' `put` operation (#1794)
+- Big object removal with non-local parts (#1978)
+- Disable pilorama when moving to degraded mode (#2197)
+- Fetching blobovnicza objects that not found in write-cache (#2206)
+- Do not search for the small objects in FSTree (#2206)
+- Correct status error for expired session token (#2207)
+- Set flag `mode` required for `frostfs-cli control shards set-mode` (#8)
+- Fix `dirty` suffix in debian package version (#53)
+- Prevent node process from killing by systemd when shutting down (#1465)
+- Restore subscriptions correctly on morph client switch (#2212)
+- Expired objects could be returned if not marked with GC yet (#2213)
+- `neofs-adm morph dump-hashes` now properly iterates over custom domain (#2224)
+- Possible deadlock in write-cache (#2239)
+- Fix `*_req_count` and `*_req_count_success` metric values (#2241)
+- Storage ID update by write-cache (#2244)
+- `neo-go` client deadlock on subscription restoration (#2244)
+- Possible panic during write-cache initialization (#2234)
+- Do not fetch an object if `meta` is missing it (#61)
+- Create contract wallet only by `init` and `update-config` command (#63)
+- Actually use `object.put.pool_size_local` and independent pool for local puts (#64).
+
+### Removed
+### Updated
+- `neo-go` to `v0.100.1`
+- `github.com/klauspost/compress` to `v1.15.13`
+- `github.com/multiformats/go-multiaddr` to `v0.8.0`
+- `golang.org/x/term` to `v0.3.0`
+- `google.golang.org/grpc` to `v1.51.0`
+- `github.com/nats-io/nats.go` to `v1.22.1`
+- `github.com/TrueCloudLab/hrw` to `v.1.1.1`
+- Minimum go version to v1.18
+
+### Updating from v0.35.0
+
+You need to change configuration environment variables to `FROSTFS_*` if you use any.
+
+New config field `object.delete.tombstone_lifetime` allows to set tombstone lifetime
+more appropriate for a specific deployment.
+
+## [0.35.0] - 2022-12-28 - Sindo (신도, 信島)
+
+### Added
+- `morph list-containers` in `neofs-adm` (#1689)
+- `--binary` flag in `neofs-cli object put/get/delete` commands (#1338)
+- `session` flag support to `neofs-cli object hash` (#2029)
+- Shard can now change mode when encountering background disk errors (#2035)
+- Background workers and object service now use separate client caches (#2048)
+- `replicator.pool_size` config field to tune replicator pool size (#2049)
+- Fix NNS hash parsing in morph client (#2063)
+- `neofs-cli neofs-cli acl basic/extended print` commands (#2012)
+- `neofs_node_object_*_req_count_success` prometheus metrics for tracking successfully executed requests (#1984)
+- Metric 'readonly' to get shards mode (#2022)
+- Tree service replication timeout (#2159)
+- `apiclient.reconnect_timeout` setting allowing to ignore failed clients for some time (#2164)
+
+### Changed
+- `object lock` command reads CID and OID the same way other commands do (#1971)
+- `LOCK` object are stored on every container node (#1502)
+- `neofs-cli container get-eacl` print ACL table in json format only with arg `--json' (#2012)
+- Side chain notary deposits use max uint32 as till parameter (#1486)
+- Allow object removal without linking object (#2100)
+- `neofs-cli container delete` command pre-checks container ownership (#2106)
+- Policer cache size is now 1024 (#2158)
+- Tree service now synchronizes with container nodes in a random order (#2127)
+- Pilorama no longer tries to apply already applied operations (#2161)
+- Use `sync.Pool` in Object.PUT service (#2139)
+- Shard uses metabase for `HEAD` requests by default, not write-cache (#2167)
+- Clarify help for `--expire-at` parameter for commands `object lock/put` and `bearer create` (#2097)
+- Node spawns `GETRANGE` requests signed with the node's key if session key was not found for `RANGEHASH` (#2144)
+- Full list of container is no longer cached (#2176)
+
+### Fixed
+- Open FSTree in sync mode by default (#1992)
+- `neofs-cli container nodes`'s output (#1991)
+- Increase error counter for write-cache flush errors (#1818)
+- Correctly select the shard for applying tree service operations (#1996)
+- Do not panic and return correct errors for bad inputs in `GET_RANGE` (#2007, #2024)
+- Physical child object removal by GC (#1699)
+- Broadcasting helper objects (#1972)
+- `neofs-cli lock object`'s `lifetime` flag handling (#1972)
+- Do not move write-cache in read-only mode for flushing (#1906)
+- Child object collection on CLI side with a bearer token (#2000)
+- Fix concurrent map writes in `Object.Put` service (#2037)
+- Malformed request errors' reasons in the responses (#2028)
+- Session token's IAT and NBF checks in ACL service (#2028)
+- Losing meta information on request forwarding (#2040)
+- Assembly process triggered by a request with a bearer token (#2040)
+- Losing locking context after metabase resync (#1502)
+- Removing all trees by container ID if tree ID is empty in `pilorama.Forest.TreeDrop` (#1940)
+- Concurrent mode changes in the metabase and blobstor (#2057)
+- Panic in IR when performing HEAD requests (#2069)
+- Write-cache flush duplication (#2074)
+- Ignore error if a transaction already exists in a morph client (#2075)
+- ObjectID signature output in the CLI (#2104)
+- Pack arguments of `setPrice` invocation during contract update (#2078)
+- `neofs-cli object hash` panic (#2079)
+- Closing `neo-go` WS clients on shutdown and switch processes (#2080)
+- Making notary deposits with a zero GAS balance (#2080)
+- Notary requests on shutdown (#2075)
+- `neofs-cli container create ` check the sufficiency of the number of nodes in the selector for replicas (#2038)
+- Data duplication during request forwarding (#2047)
+- Tree service panic on `TreeMove` operation (#2140)
+- Panic in `GETRANGE` with zero length (#2095)
+- Spawning useless `GETRANGE` with zero length for a big object (#2101)
+- Incomplete object put errors do contain the deepest error's message (#2092)
+- Prioritize internal addresses for clients (#2156)
+- Force object removal via control service (#2145)
+- Synchronizing a tree now longer reports an error for a single-node container (#2154)
+- Prevent leaking goroutines in the tree service (#2162)
+- Do not search for LOCK objects when delete container when session provided (#2152)
+- Race conditions on shard's mode switch (#1956)
+- Returning expired/removed objects from write-cache (#2016)
+
+### Removed
+- `-g` option from `neofs-cli control ...` and `neofs-cli container create` commands (#2089)
+- `--header` from `neofs-cli object get` (#2090)
+
+### Updated
+- `neo-go` to `v0.100.0`
+- `spf13/cobra` to `v1.6.1`
+- `spf13/viper` to `v1.8.0`
+- `google.golang.org/grpc` to `v1.50.1`
+
+### Updating from v0.34.0
+Pass CID and OID parameters via the `--cid` and `--oid` flags, not as the command arguments.
+
+Replicator pool size can now be fine-tuned with `replicator.pool_size` config field.
+The default value is taken from `object.put.pool_size_remote` as in earlier versions.
+
+Added `neofs_node_object_*_req_count_success` metrics for tracking successfully executed requests.
+
+`neofs-cli container delete` command now requires given account or session issuer
+to match the container owner. Use `--force` (`-f`) flag to bypass this requirement.
+
+Tree service network replication can now be fine-tuned with `tree.replication_timeout` config field.
+
+## [0.34.0] - 2022-10-31 - Marado (마라도, 馬羅島)
+
+### Added
+- `--timeout` flag in `neofs-cli control` commands (#1917)
+- Document shard modes of operation (#1909)
+- `tree list` CLI command (#1332)
+- `TreeService.GetTrees` RPC (#1902)
+- All trees synchronization on bootstrap (#1902)
+- `--force` flag to `neofs-cli control set-status` command (#1916)
+- Logging `SessionService.Create` RPC on the server for debug (#1930)
+- Debian packages can now be built with `make debpackage` (#409)
+
+### Changed
+- Path to a metabase can now be reloaded with a SIGHUP (#1869)
+
+### Fixed
+- `writecache.max_object_size` is now correctly handled (#1925)
+- Correctly handle setting ONLINE netmap status after maintenance (#1922)
+- Correctly reset shard errors in `ControlService.SetShardMode` RPC (#1931)
+- Setting node's network state to `MAINTENANCE` while network settings forbid it (#1916)
+- Do not panic during API client creation (#1936)
+- Correctly sign new epoch transaction in neofs-adm for a committee of more than 4 nodes (#1949)
+- Inability to provide session to NeoFS CLI in a NeoFS-binary format (#1933)
+- `neofs-adm` now works correctly with a committee of more than 4 nodes (#1949, #1959)
+- Closing a shard now waits until GC background workers stop (#1964)
+- Make it possible to use `shard.ContainerSize` in read-only mode (#1975)
+- Storage node now starts if at least one gRPC endpoint is available (#1893)
+- Panic in API multy client (#1961)
+- Blobstor object removal log messages (#1953)
+- Missing object relatives in object removal session opened by NeoFS CLI (#1978)
+- Bringing a node back online during maintenance (#1900)
+
+### Updated
+- `neo-go` to `v0.99.4`
+- `protoc` to `v3.21.7`
+- `neofs-sdk` to `v1.0.0-rc.7`
+ 
+### Updating from v0.33.0
+Now storage node serves Control API `SetNemapStatus` request with `MAINTENANCE`
+status only if the mode is allowed in the network settings. To force starting the local
+maintenance on the node, provide `--force` flag to the `neofs-cli control set-status`
+command.
+
+## [0.33.0] - 2022-10-17 - Anmado (안마도, 鞍馬島)
+
+### Added
+- Serving `NetmapService.NetmapSnapshot` RPC (#1793)
+- `netmap snapshot` command of NeoFS CLI (#1793)
+- `apiclient.allow_external` config flag to fallback to node external addresses (#1817)
+- Support `MAINTENANCE` state of the storage nodes (#1680, #1681)
+- Changelog updates CI step (#1808)
+- Validate storage node configuration before node startup (#1805)
+- `neofs-node -check` command to check the configuration file (#1805)
+- `flush-cache` control service command to flush write-cache (#1806)
+- `wallet-address` flag in `neofs-adm morph refill-gas` command (#1820)
+- Validate policy before container creation (#1704)
+- `--timeout` flag in `neofs-cli` subcommands (#1837)
+- `container nodes` command to output list of nodes for container, grouped by replica (#1704)
+- Configuration flag to ignore shard in `neofs-node` (#1840)
+- Add new RPC `TreeService.Healthcheck`
+- Fallback to `GET` if `GET_RANGE` from one storage nodes to another is denied by basic ACL (#1884)
+- List of shards and logger level runtime reconfiguration (#1770)
+- `neofs-adm morph set-config` now supports well-known `MaintenanceModeAllowed` key (#1892)
+- `add`, `get-by-path` and `add-by-path` tree service CLI commands (#1332)
+- Tree synchronisation on startup (#1329)
+- Morph client returns to the highest priority endpoint after the switch (#1615)
+
+### Changed
+- Allow to evacuate shard data with `EvacuateShard` control RPC (#1800)
+- Flush write-cache when moving shard to DEGRADED mode (#1825)
+- Make `morph.cache_ttl` default value equal to morph block time (#1846)
+- Policer marks nodes under maintenance as OK without requests (#1680)
+- Unify help messages in CLI (#1854)
+- `evacuate`, `set-mode` and `flush-cache` control subcommands now accept a list of shard ids (#1867)
+- Reading `object` commands of NeoFS CLI don't open remote sessions (#1865) 
+- Use hex format to print storage node ID (#1765)
+
+### Fixed
+- Description of command `netmap nodeinfo` (#1821)
+- Proper status for object.Delete if session token is missing (#1697)
+- Fail startup if metabase has an old version (#1809)
+- Storage nodes could enter the network with any state (#1796)
+- Missing check of new state value in `ControlService.SetNetmapStatus` (#1797)
+- Correlation of object session to request (#1420)
+- Do not increase error counter in `engine.Inhume` if shard is read-only (#1839)
+- `control drop-objects` can remove split objects (#1830)
+- Node's status in `neofs-cli netmap nodeinfo` command (#1833)
+- Child check in object assembly process of `ObjectService.Get` handler (#1878)
+- Shard ID in the object counter metrics (#1863)
+- Metabase migration from the first version (#1860)
+
+### Removed
+- Remove WIF and NEP2 support in `neofs-cli`'s --wallet flag (#1128)
+- Remove --generate-key option in `neofs-cli container delete` (#1692)
+- Serving `ControlService.NetmapSnapshot` RPC (#1793)
+- `control netmap-snapshot` command of NeoFS CLI (#1793)
+
+### Updated
+
+- `neofs-contract` to `v0.16.0`
+- `neofs-api-go` to `v2.14.0`
+
+### Updating from v0.32.0 
+Replace using the `control netmap-snapshot` command with `netmap snapshot` one in NeoFS CLI.
+Node can now specify additional addresses in `ExternalAddr` attribute. To allow a node to dial
+other nodes external address, use `apiclient.allow_external` config setting.
+Add `--force` option to skip placement validity check for container creation.
+
+Pass `maintenance` state to `neofs-cli control set-status` to enter maintenance mode.
+If network allows maintenance state (*), it will be reflected in the network map.
+Storage nodes under maintenance are not excluded from the network map, but don't
+serve object operations. (*) can be fetched from network configuration via
+`neofs-cli netmap netinfo` command.    
+
+To allow maintenance mode during neofs-adm deployments, set
+`network.maintenance_mode_allowed` parameter in config.
+
+When issuing an object session token for root (virtual, "big") objects,
+additionally include all members of the split-chain. If session context
+includes root object only, it is not spread to physical ("small") objects.
+
+`neofs-node` configuration now supports `mode: disabled` flag for a shard.
+This can be used to temporarily ignore shards without completely removing them
+from the config file.
+
+## [0.32.0] - 2022-09-14 - Pungdo (풍도, 楓島)
+
+### Added
+
+- Objects counter metric (#1712)
+- `meta` subcommand to `neofs-lens` (#1714)
+- Storage node metrics with global and per-shard object counters (#1658)
+- Removal of trees on container removal (#1630)
+- Logging new epoch events on storage node (#1763)
+- Timeout for streaming RPC (#1746)
+- `neofs-adm` is now able to dump hashes from a custom zone (#1748)
+- Empty filename support in the Tree Service (#1698)
+- Flag to `neofs-cli container list-objects` command for attribute printing (#1649)
+
+### Changed
+
+- `neofs-cli object put`'s object ID output has changed from "ID" to "OID" (#1296)
+- `neofs-cli container set-eacl` command now pre-checks container ACL's extensibility (#1652)
+- Access control in Tree service (#1628)
+- Tree service doesn't restrict depth in `rpc GetSubTree` (#1753)
+- `neofs-adm` registers contract hashes in both hex and string address formats (#1749)
+- Container list cache synchronization with the Sidechain (#1632)
+- Blobstor components are unified (#1584, #1686, #1523)
+
+### Fixed
+
+- Panic on write-cache's `Delete` operation (#1664)
+- Payload duplication in `neofs-cli storagegroup put` (#1706)
+- Contract calls in notary disabled environments (#1743)
+- `Blobovnicza.Get` op now iterates over all size buckets (#1707)
+- Object expiration time (#1670)
+- Parser of the placement policy (#1775)
+- Tree service timeout logs (#1759)
+- Object flushing on writecache side (#1745)
+- Active blobovniczas caching (#1691)
+- `neofs-adm` TX waiting (#1738)
+- `neofs-adm` registers contracts with a minimal GAS payment (#1683)
+- Permissions of the file created by `neofs-cli` (#1719)
+- `neofs-adm` creates TX with a high priority attribute (#1702)
+- Storage node's restart after a hard reboot (#1647)
+
+### Updated
+
+- `neo-go` to `v0.99.2`
+- `nspcc-dev/neofs-contract` to `v0.15.5`
+- `prometheus/client_golang` to `v1.13.0`
+- `google.golang.org/protobuf` to `v1.28.1`
+
+### Updating from v0.31.0
+
+Storage Node now collects object count prometheus metrics: `neofs_node_object_counter`.
+
+Provide `--no-precheck` flag to `neofs-cli container set-eacl` for unconditional sending of a request
+(previous default behavior).
+
+## [0.31.0] - 2022-08-04 - Baengnyeongdo (백령도, 白翎島)
+
+### Added
+
+- `neofs-adm` allows deploying arbitrary contracts (#1629)
+
+### Changed
+
+- Priority order in the Morph client (#1648)
+
+### Fixed
+
+- Losing request context in eACL response checks (#1595)
+- Do not return expired objects that have not been handled by the GC yet (#1634)
+- Setting CID field in `neofs-cli acl extended create` (#1650)
+- `neofs-ir` no longer hangs if it cannot bind to the control endpoint (#1643)
+- Do not require `lifetime` flag in `session create` CLI command (#1655)
+- Using deprecated gRPC options (#1644)
+- Increasing metabase error counter on disabled pilorama (#1642)
+- Deadlock in the morph client related to synchronous notification handling (#1653)
+- Slow metabase `COMMON_PREFIX` search for empty prefix (#1656)
+
+### Removed
+
+- Deprecated `profiler` and `metrics` configuration sections (#1654)
+
+### Updated
+
+- `chzyer/realine` to `v1.5.1`
+- `google/uuid` to `v1.3.0`
+- `nats-io/nats.go` to `v1.16.0`
+- `prometheus/client_golang` to `v1.12.2`
+- `spf13/cast` to `v1.5.0`
+- `spf13/viper` to `v1.12.0`
+- `go.uber.org/zap` to `v1.21.0`
+- `google.golang.org/grpc` to `v1.48.0`
+
+### Updating from v0.30.0
+1. Change `morph.endpoint.client` priority values using the following rule:
+the higher the priority the lower the value (non-specified or `0` values are
+interpreted as the highest priority -- `1`).
+2. Deprecated `profiler` and `metrics` configuration sections are dropped,
+use `pprof` and `prometheus` instead.
+
+## [0.30.2] - 2022-08-01
+
+### Added
+- `EACL_NOT_FOUND` status code support (#1645).
+
+## [0.30.1] - 2022-07-29
+
+### Fixed
+
+- `GetRange` operation now works correctly with objects stored in write-cache (#1638)
+- Losing request context in eACL response checks (#1595)
+- Wrong balance contract in innerring processor (#1636)
+- `neofs-adm` now sets groups in manifest for all contracts properly (#1631)
+
+### Updated
+
+- `neo-go` to `v0.99.1`
+- `neofs-sdk-go` to `v1.0.0-rc.6`
+
+## [0.30.0] - 2022-07-22 - Saengildo (생일도, 生日島)
+
+### Added
+
+- Profiler and metrics services now should be enabled with a separate flag
+- Experimental support for the tree-service, disabled by default (#1607)
+- Homomorphic hashes calculation can be disabled across the whole network (#1365)
+- Improve `neofs-adm` auto-completion (#1594)
+
+### Changed
+
+- Require SG members to be unique (#1490)
+- `neofs-cli` now doesn't remove container with LOCK objects without `--force` flag (#1500)
+- LOCK objects are now required to have an expiration epoch (#1461)
+- `morph` sections in IR and storage node configuration now accept an address and a priority of an endpoint (#1609)
+- Morph client now retries connecting to the failed endpoint too (#1609)
+- Redirecting `GET` and `GETRANGE` requests now does not store full object copy in memory (#1605)
+- `neofs-adm` now registers candidates during initialization in a single transaction (#1608)
+
+### Fixed
+- Invalid smart contract address in balance contract listener (#1636)
+
+- Shard now can start in degraded mode if the metabase is unavailable (#1559)
+- Shard can now be disabled completely on init failure (#1559)
+- Storage group members are now required to be unique (#1490)
+- Print shard ID in component logs (#1611)
+
+### Updated
+- `neofs-contract` to `v0.15.3`
+- `neo-go` to the pre-release version
+- `github.com/spf13/cobra` to v1.5.0
+
+### Updating from v0.29.0
+1. Change morph endpoints from simple string to a pair of `address` and `priority`. The second can be omitted.
+For inner ring node this resides in `morph.endpoint.client` section,
+for storage node -- in `morph.rpc_endpoint` section. See `config/example` for an example.
+
+2. Move `storage.default` section to `storage.shard.default`.
+3. Rename `metrics` and `profiler` sections to `prometheus` and `pprof` respectively, though old versions are supported.
+In addition, these sections must now be explicitly enabled with `enabled: true` flag.
+
+## [0.29.0] - 2022-07-07 - Yeonpyeongdo (연평도, 延坪島)
+
+Support WalletConnect signature scheme.
+
+### Added
+- Retrieve passwords for storage wallets from the configuration in neofs-adm (#1539)
+- Metabase format versioning (#1483)
+- `neofs-adm` generates wallets in a pretty JSON format
+- `Makefile` supports building from sources without a git repo
+
+### Fixed
+- Do not replicate object twice to the same node (#1410)
+- Concurrent object handling by the Policer (#1411)
+- Attaching API version to the forwarded requests (#1581)
+- Node OOM panics on `GetRange` request with extremely huge range length (#1590)
+
+### Updated
+- `neofs-sdk-go` to latest pre-release version
+- `tzhash` to `v1.6.1`
+
+## [0.28.3] - 2022-06-08
+
+### Updated
+- Neo-go 0.98.3 => 0.99.0 (#1480)
+
+### Changed
+- Replace pointers with raw structures in results for local storage (#1460)
+- Move common CLI's functions in a separate package (#1452)
+
+### Fixed
+- Confirmation of eACL tables by alphabet nodes when ACL extensibility is disabled (#1485)
+- Do not use WS neo-go client in `neofs-adm` (#1378)
+- Log more detailed network errors by the Alphabet (#1487)
+- Fix container verification by the Alphabet (#1464)
+- Include alphabet contracts to the base group in `neofs-adm` (#1489)
+
+## [0.28.2] - 2022-06-03
+
+### Updated
+- Neo-go 0.98.2 => 0.98.3 (#1430)
+- NeoFS SDK v1.0.0-rc.3 => v1.0.0-rc.4
+- NeoFS API v2.12.1 => v2.12.2
+- NeoFS Contracts v0.14.2 => v0.15.1
+
+### Added
+- Config examples for Inner ring application (#1358)
+- Command for documentation generation for `neofs-cli`, `neofs-adm` and `neofs-lens` (#1396)
+
+### Fixed
+- Do not ask for contract wallet password twice (#1346)
+- Do not update NNS group if the key is the same (#1375)
+- Make LOCODE messages more descriptive (#1394)
+- Basic income transfer's incorrect log message (#1374)
+- Listen to subnet removal events in notary-enabled env (#1224)
+- Update/remove nodes whose subnet has been removed (#1162)
+- Potential removal of local object when policy isn't complied (#1335)
+- Metabase `Select` is now slightly faster (#1433)
+- Fix a number of bugs in writecache (#1462)
+- Refactor eACL processing and fix bugs (#1471)
+- Do not validate subnet removal by IR (#1441)
+- Replace pointers with raw structures in parameters for local storage (#1418)
+
+#### Removed
+- Remove `num` and `shard_num` parameters from the configuration (#1474)
+
+## [0.28.1] - 2022-05-05
+
+### Fixed
+- Loss of the connection scheme during address parsing in NeoFS CLI (#1351)
+
+## [0.28.0] - 2022-04-29 - Heuksando (흑산도, 黑山島)
+
+### Added
+
+- `morph dump-balances` command to NeoFS Adm (#1308)
+- Ability to provide session token from file in NeoFS CLI (#1216)
+
+### Fixed
+
+- Panic in `netmap netinfo` command of NeoFS CLI (#1312)
+- Container cache invalidation on DELETE op (#1313)
+- Subscription to side-chain events in shards (#1321)
+- Trusted object creation without session token (#1283)
+- Storing invalid objects during trusted PUT op (#1286)
+- RAM overhead when writing objects to local storage (#1343)
+
+### Changed
+
+- NeoFS Adm output from stderr to stdout (#1311)
+- Node's object GC mechanism (#1318)
+
+### Updating from v0.28.0-rc.3
+Clean up all metabases  and re-sync them using `resync_metabase` config flag.
+
+## [0.28.0-rc.3] - 2022-04-08
+
+### Fixed
+- Check expiration epoch of provided session token (#1168)
+- Prevent corruption in `writecache.Head` (#1149)
+- Use separate caches in N3 RPC multi client (#1213)
+- `neofs-adm` fixes (#1288, #1294, #1295)
+- Don't stop notification listener twice (#1291)
+- Metabase panic (#1293)
+- Disallow to tick block timer twice on the same height (#1208)
+
+### Added
+- Persistent storage for session tokens (#1189)
+- Cache for Inner Ring list fetcher (#1278)
+- Degraded mode of storage engine (#1143)
+- Command to change native Policy contract in `neofs-adm` (#1289)
+- Single websocket endpoint pool for RPC and notifications (#1053)
+
+### Changed
+- Cache NeoFS clients based only on public key (#1157)
+- Make `blobovnicza.Put` idempotent (#1262)
+- Optimize metabase list operations (#1262)
+- PDP check ranges are now asked in random order (#1163)
+- Update go version up to v1.17 (#1250)
+
+### Removed
+- Reduced amount of slices with pointers (#1239)
+
+### Updating from v0.28.0-rc.2
+Remove `NEOFS_IR_MAINNET_ENDPOINT_NOTIFICATION`, 
+`NEOFS_IR_MORPH_ENDPOINT_NOTIFICATION`,  and `NEOFS_MORPH_NOTIFICATION_ENDPOINT`
+from Inner Ring and Storage configurations. 
+
+Specify _WebSocket_ endpoints in `NEOFS_IR_MAINNET_ENDPOINT_CLIENT`,
+`NEOFS_IR_MORPH_ENDPOINT_CLIENT`, and `NEOFS_MORPH_RPC_ENDPOINT` at Inner Ring
+and Storage configurations.
+
+Specify path to persistent session token db in Storage configuration with 
+`NEOFS_NODE_PERSISTENT_SESSIONS_PATH`.
+
+## [0.28.0-rc.2] - 2022-03-24
+
+### Fixed
+- Respect format flags for `SplitInfo` output (#1233)
+- Output errors in neofs-cli to stderr where possible (#1259)
+
+### Added
+- Print details for AccessDenied errors in neofs-cli (#1252)
+- Split client creation into 2 stages (#1244)
+- Update morph client to work with v0.15.0 (#1253)
+
+## [0.28.0-rc.1] - 2022-03-18
+
+Native RFC-6979 signatures of messages and tokens, LOCK object types, 
+experimental notifications over NATS with NeoFS API v2.12 support
+
+### Fixed
+- Remove session tokens from local storage of storage node after expiration (#1133)
+- Readme typos (#1167)
+- LOCODE attribute and announced address are not mandatory for relay node config (#1114)
+- Check session token verb (#1191)
+- Fix data race leading to reputation data loss (#1210)
+
+### Added
+- Look for `CustomGroup` scope in NNS contract before contract invocation (#749)
+- Cache of notary transaction heights (#1151)
+- NATS notifications (#1183)
+- LOCK object type (#1175, #1176, #1181)
+- Progress bar for object upload/download in neofs-cli (#1185)
+- Support of new status codes (#1247)
+
+### Changed
+- Update neofs-api-go and neofs-sdk-go (#1101, #1131, #1195, #1209, #1231)
+- Use `path/filepath` package for OS path management (#1132)
+- Shard sets mode to `read-only` if it hits threshold limit (#1118)
+- Use request timeout in chain client of neofs-adm (#1115)
+- Generate wallets with 0644 permissions in neofs-adm (#1115)
+- Use cache of parsed addresses in GC (#1115)
+- Determine config type based on file extension in neofs-ir (#1115)
+- Reuse some error defined in contracts (#1115)
+- Improved neofs-cli usability (#1103)
+- Refactor v2 / SDK packages in eACL (#596)
+
+### Removed
+- Remove some wrappers from `morph` package (#625)
+- `GetRange` method in blobovnicza (#1115)
+- Deprecated structures from SDK v1.0.0 rc (#1181)
+
+### Updating from neofs-node v0.27.5
+Set shard error threshold for read-only mode switch with 
+`NEOFS_STORAGE_SHARD_RO_ERROR_THRESHOLD` (default: 0, deactivated). 
+
+Set NATS configuration for notifications in `NEOFS_NODE_NOTIFICATION` section.
+See example config for more details.
+
+## [0.27.7] - 2022-03-30
+
+### Fixed
+- Shard ID is now consistent between restarts (#1204)
+
+### Added
+- More N3 RPC caches in object service (#1278)
+
+## [0.27.6] - 2022-03-28
+
+### Fixed
+- Allow empty passwords in neofs-cli config (#1136)
+- Set correct audit range hash type in neofs-ir (#1180)
+- Read objects directly from blobstor in case of shard inconsistency (#1186)
+- Fix `-w` flag in subnet commands of neofs-adm (#1223)
+- Do not use explicit mutex lock in chain caches (#1236)
+- Force gRPC server stop if it can't shut down gracefully in storage node (#1270)
+- Return non-zero exit code in `acl extended create` command failures and fix
+  help message (#1259)
+
+### Added
+- Interactive storage node configurator in neofs-adm (#1090)
+- Logs in metabase operations (#1188)
+
 ## [0.27.5] - 2022-01-31
 
 ### Fixed
@@ -915,8 +1570,25 @@ NeoFS-API v2.0 support and updated brand-new storage node application.
 ## [0.10.0] - 2020-07-10
 
 First public review release.
-
-[Unreleased]: https://github.com/nspcc-dev/neofs-node/compare/v0.27.5...master
+[Unreleased]: https://github.com/nspcc-dev/neofs-node/compare/v0.35.0...master
+[0.35.0]: https://github.com/nspcc-dev/neofs-node/compare/v0.34.0...v0.35.0
+[0.34.0]: https://github.com/nspcc-dev/neofs-node/compare/v0.33.0...v0.34.0
+[0.33.0]: https://github.com/nspcc-dev/neofs-node/compare/v0.32.0...v0.33.0
+[0.32.0]: https://github.com/nspcc-dev/neofs-node/compare/v0.31.0...v0.32.0
+[0.31.0]: https://github.com/nspcc-dev/neofs-node/compare/v0.30.2...v0.31.0
+[0.30.2]: https://github.com/nspcc-dev/neofs-node/compare/v0.30.1...v0.30.2
+[0.30.1]: https://github.com/nspcc-dev/neofs-node/compare/v0.30.0...v0.30.1
+[0.30.0]: https://github.com/nspcc-dev/neofs-node/compare/v0.29.0...v0.30.0
+[0.29.0]: https://github.com/nspcc-dev/neofs-node/compare/v0.28.3...v0.29.0
+[0.28.3]: https://github.com/nspcc-dev/neofs-node/compare/v0.28.2...v0.28.3
+[0.28.2]: https://github.com/nspcc-dev/neofs-node/compare/v0.28.1...v0.28.2
+[0.28.1]: https://github.com/nspcc-dev/neofs-node/compare/v0.28.0...v0.28.1
+[0.28.0]: https://github.com/nspcc-dev/neofs-node/compare/v0.28.0-rc.3...v0.28.0
+[0.28.0-rc.3]: https://github.com/nspcc-dev/neofs-node/compare/v0.28.0-rc.2...v0.28.0-rc.3
+[0.28.0-rc.2]: https://github.com/nspcc-dev/neofs-node/compare/v0.28.0-rc.1...v0.28.0-rc.2
+[0.28.0-rc.1]: https://github.com/nspcc-dev/neofs-node/compare/v0.27.7...v0.28.0-rc.1
+[0.27.7]: https://github.com/nspcc-dev/neofs-node/compare/v0.27.6...v0.27.7
+[0.27.6]: https://github.com/nspcc-dev/neofs-node/compare/v0.27.5...v0.27.6
 [0.27.5]: https://github.com/nspcc-dev/neofs-node/compare/v0.27.4...v0.27.5
 [0.27.4]: https://github.com/nspcc-dev/neofs-node/compare/v0.27.3...v0.27.4
 [0.27.3]: https://github.com/nspcc-dev/neofs-node/compare/v0.27.2...v0.27.3

CONTRIBUTING.md

@@ -3,8 +3,8 @@
 First, thank you for contributing! We love and encourage pull requests from
 everyone. Please follow the guidelines:
 
-- Check the open [issues](https://github.com/nspcc-dev/neofs-node/issues) and
-  [pull requests](https://github.com/nspcc-dev/neofs-node/pulls) for existing
+- Check the open [issues](https://github.com/TrueCloudLab/frostfs-node/issues) and
+  [pull requests](https://github.com/TrueCloudLab/frostfs-node/pulls) for existing
   discussions.
 
 - Open an issue first, to discuss a new feature or enhancement.
@@ -23,23 +23,23 @@ everyone. Please follow the guidelines:
 
 ## Development Workflow
 
-Start by forking the `neofs-node` repository, make changes in a branch and then
+Start by forking the `frostfs-node` repository, make changes in a branch and then
 send a pull request. We encourage pull requests to discuss code changes. Here
 are the steps in details:
 
 ### Set up your GitHub Repository
-Fork [NeoFS node upstream](https://github.com/nspcc-dev/neofs-node/fork) source
+Fork [FrostFS node upstream](https://github.com/TrueCloudLab/frostfs-node/fork) source
 repository to your own personal repository. Copy the URL of your fork (you will
 need it for the `git clone` command below).
 
 ```sh
-$ git clone https://github.com/nspcc-dev/neofs-node
+$ git clone https://github.com/TrueCloudLab/frostfs-node
 ```
 
 ### Set up git remote as ``upstream``
 ```sh
-$ cd neofs-node
-$ git remote add upstream https://github.com/nspcc-dev/neofs-node
+$ cd frostfs-node
+$ git remote add upstream https://github.com/TrueCloudLab/frostfs-node
 $ git fetch upstream
 $ git merge upstream/master
 ...
@@ -79,7 +79,7 @@ Description
 ```
 
 ```
-$ git commit -am '[#123] Add some feature'
+$ git commit -sam '[#123] Add some feature'
 ```
 
 ### Push to the branch
@@ -106,7 +106,8 @@ contributors".
 To sign your work, just add a line like this at the end of your commit message:
 
 ```
-Signed-off-by: Samii Sakisaka <samii@nspcc.ru>
+Signed-off-by: Samii Sakisaka <samii@ivunojikan.co.jp>
+
 ```
 
 This can easily be done with the `--signoff` option to `git commit`.

CREDITS.md

@@ -1,5 +1,7 @@
 # Credits
 
+FrostFS continues the development of NeoFS.
+
 Initial NeoFS research and development (2018-2020) was done by
 [NeoSPCC](https://nspcc.ru) team.
 

Makefile

@@ -2,14 +2,13 @@
 SHELL = bash
 
 REPO ?= $(shell go list -m)
-VERSION ?= $(shell git describe --tags --dirty --always)
-BUILD ?= $(shell date -u --iso=seconds)
-DEBUG ?= false
+VERSION ?= $(shell git describe --tags --dirty --match "v*" --always --abbrev=8 2>/dev/null || cat VERSION 2>/dev/null || echo "develop")
 
-HUB_IMAGE ?= nspccdev/neofs
+HUB_IMAGE ?= truecloudlab/frostfs
 HUB_TAG ?= "$(shell echo ${VERSION} | sed 's/^v//')"
 
-GO_VERSION ?= 1.16
+GO_VERSION ?= 1.19
+LINT_VERSION ?= 1.50.0
 ARCH = amd64
 
 BIN = bin
@@ -17,24 +16,31 @@ RELEASE = release
 DIRS = $(BIN) $(RELEASE)
 
 # List of binaries to build.
-CMDS = $(notdir $(basename $(wildcard cmd/*)))
+CMDS = $(notdir $(basename $(wildcard cmd/frostfs-*)))
 BINS = $(addprefix $(BIN)/, $(CMDS))
 
-.PHONY: help all images dep clean fmts fmt imports test lint docker/lint prepare-release
+# .deb package versioning
+OS_RELEASE = $(shell lsb_release -cs)
+PKG_VERSION ?= $(shell echo $(VERSION) | sed "s/^v//" | \
+			sed -E "s/(.*)-(g[a-fA-F0-9]{6,8})(.*)/\1\3~\2/" | \
+			sed "s/-/~/")-${OS_RELEASE}
+
+.PHONY: help all images dep clean fmts fmt imports test lint docker/lint
+		prepare-release debpackage
 
 # To build a specific binary, use it's name prefix with bin/ as a target
-# For example `make bin/neofs-node` will build only storage node binary
+# For example `make bin/frostfs-node` will build only storage node binary
 # Just `make` will build all possible binaries
 all: $(DIRS) $(BINS)
 
+# help target
+include help.mk
+
 $(BINS): $(DIRS) dep
 	@echo "⇒ Build $@"
 	CGO_ENABLED=0 \
-	GO111MODULE=on \
 	go build -v -trimpath \
-	-ldflags "-X $(REPO)/misc.Version=$(VERSION) \
-	-X $(REPO)/misc.Build=$(BUILD) \
-	-X $(REPO)/misc.Debug=$(DEBUG)" \
+	-ldflags "-X $(REPO)/misc.Version=$(VERSION)" \
 	-o $@ ./cmd/$(notdir $@)
 
 $(DIRS):
@@ -44,7 +50,7 @@ $(DIRS):
 # Prepare binaries and archives for release
 .ONESHELL:
 prepare-release: docker/all
-	@for file in `ls -1 $(BIN)/neofs-*`; do
+	@for file in `ls -1 $(BIN)/frostfs-*`; do
 		cp $$file $(RELEASE)/`basename $$file`-$(ARCH)
 		strip $(RELEASE)/`basename $$file`-$(ARCH)
 		tar -czf $(RELEASE)/`basename $$file`-$(ARCH).tar.gz $(RELEASE)/`basename $$file`-$(ARCH)
@@ -54,32 +60,33 @@ prepare-release: docker/all
 dep:
 	@printf "⇒ Download requirements: "
 	CGO_ENABLED=0 \
-	GO111MODULE=on \
 	go mod download && echo OK
 	@printf "⇒ Tidy requirements : "
 	CGO_ENABLED=0 \
-	GO111MODULE=on \
 	go mod tidy -v && echo OK
 
 # Regenerate proto files:
 protoc:
-	@GOPRIVATE=github.com/nspcc-dev go mod vendor
+	@GOPRIVATE=github.com/TrueCloudLab go mod vendor
 	# Install specific version for protobuf lib
 	@go list -f '{{.Path}}/...@{{.Version}}' -m  github.com/golang/protobuf | xargs go install -v
+	@GOBIN=$(abspath $(BIN)) go install -mod=mod -v github.com/TrueCloudLab/frostfs-api-go/v2/util/protogen
 	# Protoc generate
 	@for f in `find . -type f -name '*.proto' -not -path './vendor/*'`; do \
 		echo "⇒ Processing $$f "; \
 		protoc \
 			--proto_path=.:./vendor:/usr/local/include \
+			--plugin=protoc-gen-go-frostfs=$(BIN)/protogen \
+			--go-frostfs_out=. --go-frostfs_opt=paths=source_relative \
 			--go_out=. --go_opt=paths=source_relative \
 			--go-grpc_opt=require_unimplemented_servers=false \
 			--go-grpc_out=. --go-grpc_opt=paths=source_relative $$f; \
 	done
 	rm -rf vendor
 
-# Build NeoFS component's docker image
+# Build FrostFS component's docker image
 image-%:
-	@echo "⇒ Build NeoFS $* docker image "
+	@echo "⇒ Build FrostFS $* docker image "
 	@docker build \
 		--build-arg REPO=$(REPO) \
 		--build-arg VERSION=$(VERSION) \
@@ -109,17 +116,17 @@ fmts: fmt imports
 # Reformat code
 fmt:
 	@echo "⇒ Processing gofmt check"
-	@GO111MODULE=on gofmt -s -w cmd/ pkg/ misc/
+	@gofmt -s -w cmd/ pkg/ misc/
 
 # Reformat imports
 imports:
 	@echo "⇒ Processing goimports check"
-	@GO111MODULE=on goimports -w cmd/ pkg/ misc/
+	@goimports -w cmd/ pkg/ misc/
 
 # Run Unit Test with go test
 test:
 	@echo "⇒ Running go test"
-	@GO111MODULE=on go test ./...
+	@go test ./...
 
 # Run linters
 lint:
@@ -131,23 +138,26 @@ docker/lint:
 	-v `pwd`:/src \
 	-u `stat -c "%u:%g" .` \
 	--env HOME=/src \
-	golangci/golangci-lint:v1.42.1 bash -c 'cd /src/ && make lint'
+	golangci/golangci-lint:v$(LINT_VERSION) bash -c 'cd /src/ && make lint'
 
 # Print version
 version:
 	@echo $(VERSION)
 
-# Show this help prompt
-help:
-	@echo '  Usage:'
-	@echo ''
-	@echo '    make <target>'
-	@echo ''
-	@echo '  Targets:'
-	@echo ''
-	@awk '/^#/{ comment = substr($$0,3) } comment && /^[a-zA-Z][a-zA-Z0-9_-]+ ?:/{ print "   ", $$1, comment }' $(MAKEFILE_LIST) | column -t -s ':' | grep -v 'IGNORE' | sort -u
-
 clean:
 	rm -rf vendor
+	rm -rf .cache
 	rm -rf $(BIN)
 	rm -rf $(RELEASE)
+
+# Package for Debian
+debpackage:
+	dch -b --package frostfs-node \
+			--controlmaint \
+			--newversion $(PKG_VERSION) \
+			--distribution $(OS_RELEASE) \
+			"Please see CHANGELOG.md for code changes for $(VERSION)"
+	dpkg-buildpackage --no-sign -b
+
+debclean:
+	dh clean

README.md

@@ -1,49 +1,80 @@
 <p align="center">
-<img src="./.github/logo.svg" width="500px" alt="NeoFS">
+  <img src="./.github/logo.svg" width="500px" alt="FrostFS">
 </p>
+
 <p align="center">
-  <a href="https://fs.neo.org">NeoFS</a> is a decentralized distributed object storage integrated with the <a href="https://neo.org">NEO Blockchain</a>.
+  <a href="https://frostfs.info">FrostFS</a> is a decentralized distributed object storage integrated with the <a href="https://neo.org">NEO Blockchain</a>.
 </p>
 
 ---
-[![Report](https://goreportcard.com/badge/github.com/nspcc-dev/neofs-node)](https://goreportcard.com/report/github.com/nspcc-dev/neofs-node)
-![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/nspcc-dev/neofs-node?sort=semver)
-![License](https://img.shields.io/github/license/nspcc-dev/neofs-node.svg?style=popout)
+[![Report](https://goreportcard.com/badge/github.com/TrueCloudLab/frostfs-node)](https://goreportcard.com/report/github.com/TrueCloudLab/frostfs-node)
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/TrueCloudLab/frostfs-node?sort=semver)
+![License](https://img.shields.io/github/license/TrueCloudLab/frostfs-node.svg?style=popout)
 
 # Overview
 
-NeoFS Nodes are organized in peer-to-peer network that takes care of storing and
-distributing user's data. Any Neo user may participate in the network and get
-paid for providing storage resources to other users or store his data in NeoFS
-and pay a competitive price for it.
+FrostFS Nodes are organized in a peer-to-peer network that takes care of storing
+and distributing user's data. Any Neo user may participate in the network and
+get paid for providing storage resources to other users or store their data in
+FrostFS and pay a competitive price for it.
 
-Users can reliably store object data in the NeoFS network and have a transparent
-data placement process due to decentralized architecture and flexible storage
+Users can reliably store object data in the FrostFS network and have a transparent
+data placement process due to a decentralized architecture and flexible storage
 policies. Each node is responsible for executing the storage policies that the
 users select for geographical location, reliability level, number of nodes, type
-of disks, capacity, etc. Thus, NeoFS gives full control over data to users.
+of disks, capacity, etc. Thus, FrostFS gives full control over data to users.
 
-Deep [Neo Blockchain](https://neo.org) integration allows NeoFS to be used by
-dApp directly from
+Deep [Neo Blockchain](https://neo.org) integration allows FrostFS to be used by
+dApps directly from
 [NeoVM](https://docs.neo.org/docs/en-us/basic/technology/neovm.html) on the
 [Smart Contract](https://docs.neo.org/docs/en-us/intro/glossary.html)
 code level. This way dApps are not limited to on-chain storage and can
 manipulate large amounts of data without paying a prohibitive price.
 
-NeoFS has native [gRPC API](https://github.com/nspcc-dev/neofs-api) and popular
-protocol gates such as [AWS S3](https://github.com/nspcc-dev/neofs-s3-gw),
-[HTTP](https://github.com/nspcc-dev/neofs-http-gw),
+FrostFS has a native [gRPC API](https://github.com/TrueCloudLab/frostfs-api) and has
+protocol gateways for popular protocols such as [AWS
+S3](https://github.com/TrueCloudLab/frostfs-s3-gw),
+[HTTP](https://github.com/TrueCloudLab/frostfs-http-gw),
 [FUSE](https://wikipedia.org/wiki/Filesystem_in_Userspace) and
 [sFTP](https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol) allowing
 developers to integrate applications without rewriting their code.
 
 # Supported platforms
 
-For now we only support GNU/Linux on amd64 CPUs with AVX/AVX2 instructions. More
-platforms will be officially supported after '1.0' release.
+Now, we only support GNU/Linux on amd64 CPUs with AVX/AVX2 instructions. More
+platforms will be officially supported after release `1.0`.
 
-Latest version of neofs-node works with neofs-contract 
-[v0.13.0](https://github.com/nspcc-dev/neofs-contract/releases/tag/v0.13.0).
+The latest version of frostfs-node works with frostfs-contract
+[v0.16.0](https://github.com/TrueCloudLab/frostfs-contract/releases/tag/v0.16.0).
+
+# Building
+
+To make all binaries you need Go 1.18+ and `make`:
+```
+make all
+```
+The resulting binaries will appear in `bin/` folder.
+
+To make a specific binary use:
+```
+make bin/frostfs-<name>
+```
+See the list of all available commands in the `cmd` folder.
+
+## Building with Docker
+
+Building can also be performed in a container:
+```
+make docker/all                     # build all binaries
+make docker/bin/frostfs-<name> # build a specific binary
+```
+
+## Docker images
+
+To make docker images suitable for use in [frostfs-dev-env](https://github.com/TrueCloudLab/frostfs-dev-env/) use:
+```
+make images
+```
 
 # Contributing
 
@@ -55,7 +86,7 @@ the feature/topic you are going to implement.
 
 # Credits
 
-NeoFS is maintained by [NeoSPCC](https://nspcc.ru) with the help and
+FrostFS is maintained by [True Cloud Lab](https://github.com/TrueCloudLab/) with the help and
 contributions from community members.
 
 Please see [CREDITS](CREDITS.md) for details.

VERSION

@@ -0,0 +1 @@
+v0.35.0

cmd/frostfs-adm/README.md

@@ -1,42 +1,42 @@
-# NeoFS Admin Tool
+# FrostFS Admin Tool
 
 ## Overview
 
 Admin tool provides an easier way to deploy and maintain private installation
-of NeoFS. Private installation provides a set of N3 consensus nodes, NeoFS 
+of FrostFS. Private installation provides a set of N3 consensus nodes, FrostFS 
 Alphabet, and Storage nodes. Admin tool generates consensus keys, initializes 
-side chain, and provides functions to update the network and register new
+the sidechain, and provides functions to update the network and register new
 Storage nodes.
 
 ## Build
 
-To build binary locally, use `make bin/neofs-adm` command. 
+To build binary locally, use `make bin/frostfs-adm` command. 
 
-For clean build inside a docker container use `make docker/bin/neofs-adm`. 
+For clean build inside a docker container, use `make docker/bin/frostfs-adm`. 
 
 Build docker image with `make image-adm`.
 
-At NeoFS private install deployment, neofs-adm requires compiled NeoFS 
+At FrostFS private install deployment, frostfs-adm requires compiled FrostFS 
 contracts. Find them in the latest release of 
-[neofs-contract repository](https://github.com/nspcc-dev/neofs-contract/releases).
+[frostfs-contract repository](https://github.com/TrueCloudLab/frostfs-contract/releases).
 
 
 ## Commands
 
 ### Config
 
-Config section provides `init` command that creates configuration file for the
+Config section provides `init` command that creates a configuration file for
 private installation deployment and updates. Config file is optional, all
 parameters can be passed by arguments or read from standard input (wallet 
 passwords).
 
 Config example:
 ```yaml
-rpc-endpoint: https://address:port # side chain RPC node endpoint
+rpc-endpoint: https://address:port # sidechain RPC node endpoint
 alphabet-wallets: /path            # path to consensus node / alphabet wallets storage
 network:
-  max_object_size: 67108864 # max size of single NeoFS object, bytes
-  epoch_duration: 240       # duration of NeoFS epoch in blocks, consider block generation frequency in side chain
+  max_object_size: 67108864 # max size of a single FrostFS object, bytes
+  epoch_duration: 240       # duration of a FrostFS epoch in blocks, consider block generation frequency in the sidechain
   basic_income_rate: 0      # basic income rate, for private consider 0
   fee:
     audit: 0     # network audit fee, for private installation consider 0
@@ -61,38 +61,42 @@ credentials:     # passwords for consensus node / alphabet wallets
 - `generate-alphabet` generates a set of wallets for consensus and 
   Alphabet nodes. 
 
-- `init` initializes side chain by deploying smart contracts and
-  setting provided NeoFS network configuration.
+- `init` initializes the sidechain by deploying smart contracts and
+  setting provided FrostFS network configuration.
 
-- `generate-storage-wallet` generates wallet for the Storage node that 
-  is ready for deployment. It also transfers a bit of side chain GAS, so this 
-  wallet can be used for NeoFS bootstrap.
+- `generate-storage-wallet` generates a wallet for the Storage node that 
+  is ready for deployment. It also transfers a bit of sidechain GAS, so this 
+  wallet can be used for FrostFS bootstrap.
 
 #### Network maintenance
 
-- `force-new-epoch` increments NeoFS epoch number and executes new epoch
-  handlers in NeoFS nodes.
+- `set-config` add/update configuration values in the Netmap contract.
 
-- `refill-gas` transfers side chain GAS to the specified wallet. 
+- `force-new-epoch` increments FrostFS epoch number and executes new epoch
+  handlers in FrostFS nodes.
+
+- `refill-gas` transfers sidechain GAS to the specified wallet. 
 
 - `update-contracts` updates contracts to a new version.
 
 #### Container migration
 
-If the network has to be redeployed, these commands will migrate all container meta
+If a network has to be redeployed, these commands will migrate all container meta
 info. These commands **do not migrate actual objects**.
 
 - `dump-containers` saves all containers and metadata registered in the container
   contract to a file.
 
 - `restore-containers` restores previously saved containers by their repeated registration in 
- container contract.
+ the container contract.
+
+- `list-containers` output all containers ids.
 
 #### Network info
 
-- `dump-config` prints NeoFS network configuration.
+- `dump-config` prints FrostFS network configuration.
 
-- `dump-hashes` prints NeoFS contract addresses stored in NNS.
+- `dump-hashes` prints FrostFS contract addresses stored in NNS.
 
 
 ## Private network deployment

cmd/frostfs-adm/docs/deploy.md

@@ -1,30 +1,30 @@
-# Step-by-step private NeoFS deployment
+# Step-by-step private FrostFS deployment
 
-This is a short guide on how to deploy private NeoFS storage network on bare
+This is a short guide on how to deploy a private FrostFS storage network on bare
 metal without docker images. This guide does not cover details on how to start
-consensus, Alphabet, or Storage nodes. This guide covers only `neofs-adm` 
+consensus, Alphabet, or Storage nodes. This guide covers only `frostfs-adm` 
 related configuration details.
 
 ## Prerequisites
 
 To follow this guide you need:
 - latest released version of [neo-go](https://github.com/nspcc-dev/neo-go/releases) (v0.97.2 at the moment),
-- latest released version of [neofs-adm](https://github.com/nspcc-dev/neofs-node/releases) utility (v0.25.1 at the moment),
-- latest released version of compiled [neofs-contract](https://github.com/nspcc-dev/neofs-contract/releases) (v0.11.0 at the moment).
+- latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases) utility (v0.25.1 at the moment),
+- latest released version of compiled [frostfs-contract](https://github.com/TrueCloudLab/frostfs-contract/releases) (v0.11.0 at the moment).
 
 ## Step 1: Prepare network configuration 
 
-To start the network, you need a set of consensus nodes, the same number of 
+To start a network, you need a set of consensus nodes, the same number of 
 Alphabet nodes and any number of Storage nodes. While the number of Storage 
 nodes can be scaled almost infinitely, the number of consensus and Alphabet 
 nodes can't be changed so easily right now. Consider this before going any further.
 
-It is easier to use`neofs-adm` with predefined configuration. First, create
-network configuration file. In this example, there is going to be only one
+It is easier to use`frostfs-adm` with a predefined configuration. First, create
+a network configuration file. In this example, there is going to be only one
 consensus / Alphabet node in the network.
 
 ```
-$ neofs-adm config init --path foo.network.yml
+$ frostfs-adm config init --path foo.network.yml
 Initial config file saved to foo.network.yml
 
 $ cat foo.network.yml 
@@ -43,7 +43,7 @@ credentials:
   az: hunter2
 ```
 
-For private installation it is recommended to set all **fees** and **basic 
+For private installation, it is recommended to set all **fees** and **basic 
 income rate** to 0. 
 
 As for **epoch duration**, consider consensus node block generation frequency. 
@@ -57,13 +57,13 @@ wallets will be used for Alphabet nodes. Make sure, that dir for alphabet
 wallets already exists.
 
 ```
-$ neofs-adm -c foo.network.yml morph generate-alphabet --size 1
+$ frostfs-adm -c foo.network.yml morph generate-alphabet --size 1
 size: 1
 alphabet-wallets: /home/user/deploy/alphabet-wallets
 wallet[0]: hunter2
 ```
 
-Do not lose wallet files and network config. Store it in encrypted backed up
+Do not lose wallet files and network config. Store it in an encrypted backed up
 storage.
 
 ## Step 2: Launch consensus nodes
@@ -72,7 +72,7 @@ Configure blockchain nodes with the generated wallets from the previous step.
 Config examples can be found in 
 [neo-go repository](https://github.com/nspcc-dev/neo-go/tree/master/config).
 
-Gather public keys from **all** generated wallets. We are interested in first
+Gather public keys from **all** generated wallets. We are interested in the first
 `simple signature contract` public key.
 
 ```
@@ -90,7 +90,7 @@ NiMKabp3ddi3xShmLAXhTfbnuWb4cSJT6E (1 out of 1 multisig contract):
 Put the list of public keys into `ProtocolConfiguration.StandbyCommittee` 
 section. Specify the wallet path and the password in `ApplicationConfiguration.P2PNotary`
 and `ApplicationConfiguration.UnlockWallet` sections. If config includes
-`ProtocolConfiguration.NativeActivations` section, then add notary 
+`ProtocolConfiguration.NativeActivations` section, add notary 
 contract `Notary: [0]`.
 
 ```yaml
@@ -110,27 +110,27 @@ ApplicationConfiguration:
     Password: "hunter2"
 ```
 
-Then, launch consensus node. They should connect to each other and start
+Then, launch consensus nodes. They should connect to each other and start
 producing blocks in consensus. You might want to deploy additional RPC
 nodes at this stage because Storage nodes should be connected to the chain too.
-It is not recommended to use consensus node as an RPC node due to security policies
+It is not recommended to use a consensus node as an RPC node due to security policies
 and possible overload issues.
 
-## Step 3: Initialize side chain
+## Step 3: Initialize sidechain
 
-Use archive with compiled NeoFS contracts to initialize side chain.
+Use archive with compiled FrostFS contracts to initialize the sidechain.
 
 ```
-$ tar -xzvf neofs-contract-v0.11.0.tar.gz 
+$ tar -xzvf frostfs-contract-v0.11.0.tar.gz 
 
-$ ./neofs-adm -c foo.network.yml morph init --contracts ./neofs-contract-v0.11.0
+$ ./frostfs-adm -c foo.network.yml morph init --contracts ./frostfs-contract-v0.11.0
 Stage 1: transfer GAS to alphabet nodes.
 Waiting for transactions to persist...
 Stage 2: set notary and alphabet nodes in designate contract.
 Waiting for transactions to persist...
 Stage 3: deploy NNS contract.
 Waiting for transactions to persist...
-Stage 4: deploy NeoFS contracts.
+Stage 4: deploy FrostFS contracts.
 Waiting for transactions to persist...
 Stage 4.1: Transfer GAS to proxy contract.
 Waiting for transactions to persist...
@@ -140,21 +140,21 @@ Stage 6: transfer NEO to alphabet contracts.
 Waiting for transactions to persist...
 Stage 7: set addresses in NNS.
 Waiting for transactions to persist...
-NNS: Set alphabet0.neofs -> f692dfb4d43a15b464eb51a7041160fb29c44b6a
-NNS: Set audit.neofs -> 7df847b993affb3852074345a7c2bd622171ee0d
-NNS: Set balance.neofs -> 103519b3067a66307080a66570c0491ee8f68879
-NNS: Set container.neofs -> cae60bdd689d185901e495352d0247752ce50846
-NNS: Set neofsid.neofs -> c421fb60a3895865a8f24d197d6a80ef686041d2
-NNS: Set netmap.neofs -> 894eb854632f50fb124412ce7951ebc00763525e
-NNS: Set proxy.neofs -> ac6e6fe4b373d0ca0ca4969d1e58fa0988724e7d
-NNS: Set reputation.neofs -> 6eda57c9d93d990573646762d1fea327ce41191f
+NNS: Set alphabet0.frostfs -> f692dfb4d43a15b464eb51a7041160fb29c44b6a
+NNS: Set audit.frostfs -> 7df847b993affb3852074345a7c2bd622171ee0d
+NNS: Set balance.frostfs -> 103519b3067a66307080a66570c0491ee8f68879
+NNS: Set container.frostfs -> cae60bdd689d185901e495352d0247752ce50846
+NNS: Set frostfsid.frostfs -> c421fb60a3895865a8f24d197d6a80ef686041d2
+NNS: Set netmap.frostfs -> 894eb854632f50fb124412ce7951ebc00763525e
+NNS: Set proxy.frostfs -> ac6e6fe4b373d0ca0ca4969d1e58fa0988724e7d
+NNS: Set reputation.frostfs -> 6eda57c9d93d990573646762d1fea327ce41191f
 Waiting for transactions to persist...
 ```
 
 ## Step 4: Launch Alphabet nodes
 
 Configure Alphabet nodes with the wallets generated in step 1. For 
-`morph.validators` use list of public keys from 
+`morph.validators` use a list of public keys from 
 `ProtocolConfiguration.StandbyCommittee`.
 
 ```yaml
@@ -174,10 +174,10 @@ contracts:
 
 ## Step 4: Launch Storage node
 
-Generate a new wallet for Storage node.
+Generate a new wallet for a Storage node.
 
 ```
-$ neofs-adm -c foo.network.yml morph generate-storage-wallet --storage-wallet ./sn01.json --initial-gas 10.0
+$ frostfs-adm -c foo.network.yml morph generate-storage-wallet --storage-wallet ./sn01.json --initial-gas 10.0
 New password > 
 Waiting for transactions to persist...
 
@@ -186,7 +186,7 @@ Ngr7p8Z9S22XDH6VkUG9oXobv8zZRAWwwv (simple signature contract):
 0355eccb72cd46f09a3e5237eaa0f4949cceb5ecfa5a225bd3bb9fd021c4d75b85
 ```
 
-Configure Storage node to use this wallet.
+Configure the Storage node to use this wallet.
 
 ```
 node:
@@ -196,16 +196,16 @@ node:
     password: "foobar"
 ```
 
-Storage node will be included in the network map in next NeoFS epoch. To
+The storage node will be included in the network map in the next FrostFS epoch. To
 speed up this process, you can increment epoch counter immediately.
 
 ```
-$ neofs-adm -c foo.network.yml morph force-new-epoch
+$ frostfs-adm -c foo.network.yml morph force-new-epoch
 Current epoch: 8, increase to 9.
 Waiting for transactions to persist...
 ```
 
 --- 
 
-After that NeoFS Storage is ready to work. You can access it directly or
+After that, FrostFS Storage is ready to work. You can access it directly or
 with protocol gates.

cmd/frostfs-adm/docs/subnetwork-creation.md

@@ -0,0 +1,39 @@
+# FrostFS subnetwork creation
+
+This is a short guide on how to create FrostFS subnetworks. This guide 
+considers that the sidechain and the inner ring (alphabet nodes) have already been 
+deployed and the sidechain contains a deployed `subnet` contract.
+
+## Prerequisites
+
+To follow this guide, you need:
+- neo-go sidechain RPC endpoint;
+- latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases);
+- wallet with FrostFS account.
+
+## Creation
+
+```shell
+$ frostfs-adm morph subnet create \
+    -r <side_chain_RPC_endpoint> \
+    -w </path/to/owner/wallet> \
+    --notary
+Create subnet request sent successfully. ID: 4223489767.
+```
+
+**NOTE:** in notary-enabled environment you should have a sufficient
+notary deposit (not expired, with enough GAS balance). Your subnet ID
+will differ from the example.
+
+The default account in the wallet that has been passed with `-w` flag is the owner
+of the just created subnetwork.
+
+You can check if your subnetwork was created successfully:
+
+```shell
+$ frostfs-adm morph subnet get \
+    -r <side_chain_RPC_endpoint> \
+    --subnet <subnet_ID>
+Owner: NUc734PMJXiqa2J9jRtvskU3kCdyyuSN8Q
+```
+Your owner will differ from the example.

cmd/frostfs-adm/docs/subnetwork-usage.md

@@ -1,27 +1,27 @@
 # Managing Subnetworks
 
-This is a short guide on how to manage NeoFS subnetworks. This guide
-considers that side chain and inner ring (alphabet nodes) have already
-been deployed and side chain contains deployed `subnet` contract.
+This is a short guide on how to manage FrostFS subnetworks. This guide
+considers that the sidechain and the inner ring (alphabet nodes) have already been
+deployed, and the sidechain contains a deployed `subnet` contract.
 
 ## Prerequisites
 
-- neo-go side chain RPC endpoint;
-- latest released version of [neofs-adm](https://github.com/nspcc-dev/neofs-node/releases);
+- neo-go sidechain RPC endpoint;
+- latest released version of [frostfs-adm](https://github.com/TrueCloudLab/frostfs-node/releases);
 - [created](subnetwork-creation.md) subnetwork;
-- wallet with account that owns the subnetwork;
+- wallet with the account that owns the subnetwork;
 - public key of the Storage Node;
 - public keys of the node and client administrators;
-- owner IDs of the NeoFS users.
+- owner IDs of the FrostFS users.
 
 ## Add node administrator
 
-Node administrators are the accounts that can manage (add and delete nodes)
-whitelist of the nodes that could be included to the subnetwork. Only subnet
-owner is allowed to add and remove node administrators from subnetwork.
+Node administrators are accounts that can manage (add and delete nodes)
+the whitelist of the nodes which can be included to a subnetwork. Only the subnet
+owner is allowed to add and remove node administrators from the subnetwork.
 
 ```shell
-$ neofs-adm morph subnet admin add \
+$ frostfs-adm morph subnet admin add \
     -r <side_chain_RPC_endpoint> \
     -w </path/to/owner/wallet> \
     --admin <HEX_admin_public_key> \
@@ -33,11 +33,11 @@ Add admin request sent successfully.
 
 Adding a node to a subnetwork means that the node becomes able to service
 containers that have been created in that subnetwork. Addition only changes
-list of the allowed nodes. Node is not required to be bootstrapped at the
+the list of the allowed nodes. Node is not required to be bootstrapped at the
 moment of its inclusion.
 
 ```shell
-$ neofs-adm morph subnet node add \
+$ frostfs-adm morph subnet node add \
     -r <side_chain_RPC_endpoint> \
     -w </path/to/node_admin/wallet> \
     --node <HEX_node_public_key> \
@@ -45,17 +45,17 @@ $ neofs-adm morph subnet node add \
 Add node request sent successfully.
 ```
 
-**NOTE:** owner of the subnetwork is also allowed to add nodes.
+**NOTE:** the owner of the subnetwork is also allowed to add nodes.
 
 ## Add client administrator
 
-Client administrators are the accounts that can manage (add and delete
-nodes) whitelist of the clients that can creates containers in the
-subnetwork. Only subnet owner is allowed to add and remove client
-administrators from subnetwork.
+Client administrators are accounts that can manage (add and delete
+nodes) the whitelist of the clients that can create containers in the
+subnetwork. Only the subnet owner is allowed to add and remove client
+administrators from the subnetwork.
 
 ```shell
-$ neofs-adm morph subnet admin add \
+$ frostfs-adm morph subnet admin add \
     -r <side_chain_RPC_endpoint> \
     -w </path/to/owner/wallet> \
     --admin <HEX_admin_public_key> \
@@ -65,14 +65,14 @@ $ neofs-adm morph subnet admin add \
 Add admin request sent successfully.
 ```
 
-**NOTE:** you do not need to create group explicitly, it would be created
-right after the first client admin has been added. Group ID is 4-byte
+**NOTE:** you do not need to create a group explicitly, it will be created
+right after the first client admin is added. Group ID is a 4-byte
 positive integer number.
 
 ## Add client
 
 ```shell
-$ neofs-adm morph subnet client add \
+$ frostfs-adm morph subnet client add \
     -r <side_chain_RPC_endpoint> \
     -w </path/to/client_admin/wallet> \
     --client <client_ownerID> \
@@ -81,17 +81,17 @@ $ neofs-adm morph subnet client add \
 Add client request sent successfully.
 ```
 
-**NOTE:** owner of the subnetwork is also allowed to add clients. This is
+**NOTE:** the owner of the subnetwork is also allowed to add clients. This is
 the only one command that accepts `ownerID`, not the public key.
-Administrator can manage only his group (a group where that administrator
-has been added by subnet owner).
+Administrator can manage only their group (a group where that administrator
+has been added by the subnet owner).
 
 # Bootstrapping Storage Node
 
-After subnetwork [creation](subnetwork-creation.md) and inclusion node to it, the 
+After a subnetwork [is created](subnetwork-creation.md) and a node is included into it, the 
 node could be bootstrapped and service subnetwork containers.
 
-For bootstrapping you need to specify ID of the subnetwork in the node's 
+For bootstrapping, you need to specify the ID of the subnetwork in the node's 
 configuration: 
 
 ```yaml
@@ -99,7 +99,7 @@ configuration:
 node:
   ...
   subnet:
-    entries: # list of IDs of subnets to enter in a text format of NeoFS API protocol (overrides corresponding attributes)
+    entries: # list of IDs of subnets to enter in a text format of FrostFS API protocol (overrides corresponding attributes)
       - <subnetwork_ID>
   ...
 ...
@@ -108,7 +108,7 @@ node:
 **NOTE:** specifying subnetwork that is denied for the node is not an error:
 that configuration value would be ignored. You do not need to specify zero 
 (with 0 ID) subnetwork: its inclusion is implicit. On the contrary, to exclude
-node from the default zero subnetwork you need to specify it explicitly:
+a node from the default zero subnetwork, you need to specify it explicitly:
 
 ```yaml
 ...
@@ -122,16 +122,16 @@ node:
 
 # Creating container in non-zero subnetwork
 
-Creating containers without using `--subnet` flag is equivalent to the 
+Creating containers without using `--subnet` flag is equivalent to 
 creating container in the zero subnetwork.
 
-To create container in a private network your wallet must have been added to
-the client whitelist by client admins or subnet owners:
+To create a container in a private network, your wallet must be added to
+the client whitelist by the client admins or the subnet owners:
 
 ```shell
-$ neofs-cli container create \
+$ frostfs-cli container create \
     --policy 'REP 1' \
     -w </path/to/wallet> \
-    -r s01.neofs.devenv:8080 \
+    -r s01.frostfs.devenv:8080 \
     --subnet <subnet_ID>
 ```

cmd/frostfs-adm/internal/commonflags/flags.go

@@ -0,0 +1,14 @@
+package commonflags
+
+const (
+	ConfigFlag          = "config"
+	ConfigFlagShorthand = "c"
+	ConfigFlagUsage     = "Config file"
+
+	ConfigDirFlag      = "config-dir"
+	ConfigDirFlagUsage = "Config directory"
+
+	Verbose          = "verbose"
+	VerboseShorthand = "v"
+	VerboseUsage     = "Verbose output"
+)

cmd/frostfs-adm/internal/modules/config/config.go

@@ -4,28 +4,28 @@ import (
 	"bytes"
 	"fmt"
 	"os"
-	"path"
 	"path/filepath"
 	"text/template"
 
+	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/cli/input"
-	"github.com/nspcc-dev/neofs-node/pkg/innerring"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 
 type configTemplate struct {
-	Endpoint          string
-	AlphabetDir       string
-	MaxObjectSize     int
-	EpochDuration     int
-	BasicIncomeRate   int
-	AuditFee          int
-	CandidateFee      int
-	ContainerFee      int
-	ContainerAliasFee int
-	WithdrawFee       int
-	Glagolitics       []string
+	Endpoint                string
+	AlphabetDir             string
+	MaxObjectSize           int
+	EpochDuration           int
+	BasicIncomeRate         int
+	AuditFee                int
+	CandidateFee            int
+	ContainerFee            int
+	ContainerAliasFee       int
+	WithdrawFee             int
+	Glagolitics             []string
+	HomomorphicHashDisabled bool
 }
 
 const configTxtTemplate = `rpc-endpoint: {{ .Endpoint}}
@@ -34,14 +34,16 @@ network:
   max_object_size: {{ .MaxObjectSize}}
   epoch_duration: {{ .EpochDuration}}
   basic_income_rate: {{ .BasicIncomeRate}}
+  homomorphic_hash_disabled: {{ .HomomorphicHashDisabled}}
   fee:
     audit: {{ .AuditFee}}
     candidate: {{ .CandidateFee}}
     container: {{ .ContainerFee}}
     container_alias: {{ .ContainerAliasFee }}
     withdraw: {{ .WithdrawFee}}
-# if credentials section is omitted, then neofs-adm will require manual password input
-credentials:{{ range.Glagolitics}}
+# if credentials section is omitted, then frostfs-adm will require manual password input
+credentials:
+  contract: password # wallet for contract group signature{{ range.Glagolitics}}
   {{.}}: password{{end}}
 `
 
@@ -51,7 +53,7 @@ func initConfig(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	pathDir := path.Dir(configPath)
+	pathDir := filepath.Dir(configPath)
 	err = os.MkdirAll(pathDir, 0700)
 	if err != nil {
 		return fmt.Errorf("create dir %s: %w", pathDir, err)
@@ -97,7 +99,7 @@ func defaultConfigPath() (string, error) {
 		return "", fmt.Errorf("getting home dir path: %w", err)
 	}
 
-	return path.Join(home, ".neofs", "adm", "config.yml"), nil
+	return filepath.Join(home, ".frostfs", "adm", "config.yml"), nil
 }
 
 // generateConfigExample builds .yml representation of the config file. It is
@@ -106,23 +108,24 @@ func defaultConfigPath() (string, error) {
 // some comments as well.
 func generateConfigExample(appDir string, credSize int) (string, error) {
 	tmpl := configTemplate{
-		Endpoint:          "https://neo.rpc.node:30333",
-		MaxObjectSize:     67108864,      // 64 MiB
-		EpochDuration:     240,           // 1 hour with 15s per block
-		BasicIncomeRate:   1_0000_0000,   // 0.0001 GAS per GiB (Fixed12)
-		AuditFee:          1_0000,        // 0.00000001 GAS per audit (Fixed12)
-		CandidateFee:      100_0000_0000, // 100.0 GAS (Fixed8)
-		ContainerFee:      1000,          // 0.000000001 * 7 GAS per container (Fixed12)
-		ContainerAliasFee: 500,           // ContainerFee / 2
-		WithdrawFee:       1_0000_0000,   // 1.0 GAS (Fixed8)
-		Glagolitics:       make([]string, 0, credSize),
+		Endpoint:                "https://neo.rpc.node:30333",
+		MaxObjectSize:           67108864,      // 64 MiB
+		EpochDuration:           240,           // 1 hour with 15s per block
+		BasicIncomeRate:         1_0000_0000,   // 0.0001 GAS per GiB (Fixed12)
+		HomomorphicHashDisabled: false,         // object homomorphic hash is enabled
+		AuditFee:                1_0000,        // 0.00000001 GAS per audit (Fixed12)
+		CandidateFee:            100_0000_0000, // 100.0 GAS (Fixed8)
+		ContainerFee:            1000,          // 0.000000001 * 7 GAS per container (Fixed12)
+		ContainerAliasFee:       500,           // ContainerFee / 2
+		WithdrawFee:             1_0000_0000,   // 1.0 GAS (Fixed8)
+		Glagolitics:             make([]string, 0, credSize),
 	}
 
 	appDir, err := filepath.Abs(appDir)
 	if err != nil {
 		return "", fmt.Errorf("making absolute path for %s: %w", appDir, err)
 	}
-	tmpl.AlphabetDir = path.Join(appDir, "alphabet-wallets")
+	tmpl.AlphabetDir = filepath.Join(appDir, "alphabet-wallets")
 
 	var i innerring.GlagoliticLetter
 	for i = 0; i < innerring.GlagoliticLetter(credSize); i++ {
@@ -144,13 +147,20 @@ func generateConfigExample(appDir string, credSize int) (string, error) {
 	return buf.String(), nil
 }
 
-func AlphabetPassword(v *viper.Viper, index int) (string, error) {
-	letter := innerring.GlagoliticLetter(index)
-	key := "credentials." + letter.String()
+func GetPassword(v *viper.Viper, name string) (string, error) {
+	key := "credentials." + name
 	if v.IsSet(key) {
 		return v.GetString(key), nil
 	}
 
-	prompt := "Password for " + letter.String() + " wallet > "
+	prompt := "Password for " + name + " wallet > "
 	return input.ReadPassword(prompt)
 }
+
+func GetStoragePassword(v *viper.Viper, name string) (string, error) {
+	key := "storage." + name
+	if name != "" && v.IsSet(key) {
+		return v.GetString(key), nil
+	}
+	return input.ReadPassword("New password > ")
+}

cmd/frostfs-adm/internal/modules/config/config_test.go

@@ -2,10 +2,10 @@ package config
 
 import (
 	"bytes"
-	"path"
+	"path/filepath"
 	"testing"
 
-	"github.com/nspcc-dev/neofs-node/pkg/innerring"
+	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 )
@@ -13,7 +13,7 @@ import (
 func TestGenerateConfigExample(t *testing.T) {
 	const (
 		n      = 10
-		appDir = "/home/example/.neofs"
+		appDir = "/home/example/.frostfs"
 	)
 
 	configText, err := generateConfigExample(appDir, n)
@@ -25,7 +25,7 @@ func TestGenerateConfigExample(t *testing.T) {
 	require.NoError(t, v.ReadConfig(bytes.NewBufferString(configText)))
 
 	require.Equal(t, "https://neo.rpc.node:30333", v.GetString("rpc-endpoint"))
-	require.Equal(t, path.Join(appDir, "alphabet-wallets"), v.GetString("alphabet-wallets"))
+	require.Equal(t, filepath.Join(appDir, "alphabet-wallets"), v.GetString("alphabet-wallets"))
 	require.Equal(t, 67108864, v.GetInt("network.max_object_size"))
 	require.Equal(t, 240, v.GetInt("network.epoch_duration"))
 	require.Equal(t, 100000000, v.GetInt("network.basic_income_rate"))
@@ -39,6 +39,7 @@ func TestGenerateConfigExample(t *testing.T) {
 		key := "credentials." + i.String()
 		require.Equal(t, "password", v.GetString(key))
 	}
+	require.Equal(t, "password", v.GetString("credentials.contract"))
 
 	key := "credentials." + i.String()
 	require.Equal(t, "", v.GetString(key))

cmd/frostfs-adm/internal/modules/config/root.go

@@ -0,0 +1,29 @@
+package config
+
+import (
+	"github.com/spf13/cobra"
+)
+
+const configPathFlag = "path"
+
+var (
+	// RootCmd is a root command of config section.
+	RootCmd = &cobra.Command{
+		Use:   "config",
+		Short: "Section for frostfs-adm config related commands",
+	}
+
+	initCmd = &cobra.Command{
+		Use:   "init",
+		Short: "Initialize basic frostfs-adm configuration file",
+		Example: `frostfs-adm config init
+frostfs-adm config init --path .config/frostfs-adm.yml`,
+		RunE: initConfig,
+	}
+)
+
+func init() {
+	RootCmd.AddCommand(initCmd)
+
+	initCmd.Flags().String(configPathFlag, "", "Path to config (default ~/.frostfs/adm/config.yml)")
+}

cmd/frostfs-adm/internal/modules/morph/balance.go

@@ -0,0 +1,241 @@
+package morph
+
+import (
+	"crypto/elliptic"
+	"errors"
+	"fmt"
+	"math/big"
+
+	"github.com/TrueCloudLab/frostfs-contract/nns"
+	"github.com/TrueCloudLab/frostfs-sdk-go/netmap"
+	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/rolemgmt"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+type accBalancePair struct {
+	scriptHash util.Uint160
+	balance    *big.Int
+}
+
+const (
+	dumpBalancesStorageFlag       = "storage"
+	dumpBalancesAlphabetFlag      = "alphabet"
+	dumpBalancesProxyFlag         = "proxy"
+	dumpBalancesUseScriptHashFlag = "script-hash"
+
+	// notaryEnabled signifies whether contracts were deployed in a notary-enabled environment.
+	// The setting is here to simplify testing and building the command for testnet (notary currently disabled).
+	// It will be removed eventually.
+	notaryEnabled = true
+)
+
+func dumpBalances(cmd *cobra.Command, _ []string) error {
+	var (
+		dumpStorage, _  = cmd.Flags().GetBool(dumpBalancesStorageFlag)
+		dumpAlphabet, _ = cmd.Flags().GetBool(dumpBalancesAlphabetFlag)
+		dumpProxy, _    = cmd.Flags().GetBool(dumpBalancesProxyFlag)
+		nnsCs           *state.Contract
+		nmHash          util.Uint160
+	)
+
+	c, err := getN3Client(viper.GetViper())
+	if err != nil {
+		return err
+	}
+
+	inv := invoker.New(c, nil)
+
+	if !notaryEnabled || dumpStorage || dumpAlphabet || dumpProxy {
+		nnsCs, err = c.GetContractStateByID(1)
+		if err != nil {
+			return fmt.Errorf("can't get NNS contract info: %w", err)
+		}
+
+		nmHash, err = nnsResolveHash(inv, nnsCs.Hash, netmapContract+".frostfs")
+		if err != nil {
+			return fmt.Errorf("can't get netmap contract hash: %w", err)
+		}
+	}
+
+	irList, err := fetchIRNodes(c, nmHash, rolemgmt.Hash)
+	if err != nil {
+		return err
+	}
+
+	if err := fetchBalances(inv, gas.Hash, irList); err != nil {
+		return err
+	}
+	printBalances(cmd, "Inner ring nodes balances:", irList)
+
+	if dumpStorage {
+		arr, err := unwrap.Array(inv.Call(nmHash, "netmap"))
+		if err != nil {
+			return errors.New("can't fetch the list of storage nodes")
+		}
+
+		snList := make([]accBalancePair, len(arr))
+		for i := range arr {
+			node, ok := arr[i].Value().([]stackitem.Item)
+			if !ok || len(node) == 0 {
+				return errors.New("can't parse the list of storage nodes")
+			}
+			bs, err := node[0].TryBytes()
+			if err != nil {
+				return errors.New("can't parse the list of storage nodes")
+			}
+			var ni netmap.NodeInfo
+			if err := ni.Unmarshal(bs); err != nil {
+				return fmt.Errorf("can't parse the list of storage nodes: %w", err)
+			}
+			pub, err := keys.NewPublicKeyFromBytes(ni.PublicKey(), elliptic.P256())
+			if err != nil {
+				return fmt.Errorf("can't parse storage node public key: %w", err)
+			}
+			snList[i].scriptHash = pub.GetScriptHash()
+		}
+
+		if err := fetchBalances(inv, gas.Hash, snList); err != nil {
+			return err
+		}
+		printBalances(cmd, "\nStorage node balances:", snList)
+	}
+
+	if dumpProxy {
+		h, err := nnsResolveHash(inv, nnsCs.Hash, proxyContract+".frostfs")
+		if err != nil {
+			return fmt.Errorf("can't get hash of the proxy contract: %w", err)
+		}
+
+		proxyList := []accBalancePair{{scriptHash: h}}
+		if err := fetchBalances(inv, gas.Hash, proxyList); err != nil {
+			return err
+		}
+		printBalances(cmd, "\nProxy contract balance:", proxyList)
+	}
+
+	if dumpAlphabet {
+		alphaList := make([]accBalancePair, len(irList))
+
+		w := io.NewBufBinWriter()
+		for i := range alphaList {
+			emit.AppCall(w.BinWriter, nnsCs.Hash, "resolve", callflag.ReadOnly,
+				getAlphabetNNSDomain(i),
+				int64(nns.TXT))
+		}
+		if w.Err != nil {
+			panic(w.Err)
+		}
+
+		alphaRes, err := c.InvokeScript(w.Bytes(), nil)
+		if err != nil {
+			return fmt.Errorf("can't fetch info from NNS: %w", err)
+		}
+
+		for i := range alphaList {
+			h, err := parseNNSResolveResult(alphaRes.Stack[i])
+			if err != nil {
+				return fmt.Errorf("can't fetch the alphabet contract #%d hash: %w", i, err)
+			}
+			alphaList[i].scriptHash = h
+		}
+
+		if err := fetchBalances(inv, gas.Hash, alphaList); err != nil {
+			return err
+		}
+		printBalances(cmd, "\nAlphabet contracts balances:", alphaList)
+	}
+
+	return nil
+}
+
+func fetchIRNodes(c Client, nmHash, desigHash util.Uint160) ([]accBalancePair, error) {
+	var irList []accBalancePair
+
+	inv := invoker.New(c, nil)
+
+	if notaryEnabled {
+		height, err := c.GetBlockCount()
+		if err != nil {
+			return nil, fmt.Errorf("can't get block height: %w", err)
+		}
+
+		arr, err := getDesignatedByRole(inv, desigHash, noderoles.NeoFSAlphabet, height)
+		if err != nil {
+			return nil, errors.New("can't fetch list of IR nodes from the netmap contract")
+		}
+
+		irList = make([]accBalancePair, len(arr))
+		for i := range arr {
+			irList[i].scriptHash = arr[i].GetScriptHash()
+		}
+	} else {
+		arr, err := unwrap.ArrayOfBytes(inv.Call(nmHash, "innerRingList"))
+		if err != nil {
+			return nil, errors.New("can't fetch list of IR nodes from the netmap contract")
+		}
+
+		irList = make([]accBalancePair, len(arr))
+		for i := range arr {
+			pub, err := keys.NewPublicKeyFromBytes(arr[i], elliptic.P256())
+			if err != nil {
+				return nil, fmt.Errorf("can't parse IR node public key: %w", err)
+			}
+			irList[i].scriptHash = pub.GetScriptHash()
+		}
+	}
+	return irList, nil
+}
+
+func printBalances(cmd *cobra.Command, prefix string, accounts []accBalancePair) {
+	useScriptHash, _ := cmd.Flags().GetBool(dumpBalancesUseScriptHashFlag)
+
+	cmd.Println(prefix)
+	for i := range accounts {
+		var addr string
+		if useScriptHash {
+			addr = accounts[i].scriptHash.StringLE()
+		} else {
+			addr = address.Uint160ToString(accounts[i].scriptHash)
+		}
+		cmd.Printf("%s: %s\n", addr, fixedn.ToString(accounts[i].balance, 8))
+	}
+}
+
+func fetchBalances(c *invoker.Invoker, gasHash util.Uint160, accounts []accBalancePair) error {
+	w := io.NewBufBinWriter()
+	for i := range accounts {
+		emit.AppCall(w.BinWriter, gasHash, "balanceOf", callflag.ReadStates, accounts[i].scriptHash)
+	}
+	if w.Err != nil {
+		panic(w.Err)
+	}
+
+	res, err := c.Run(w.Bytes())
+	if err != nil || res.State != vmstate.Halt.String() || len(res.Stack) != len(accounts) {
+		return errors.New("can't fetch account balances")
+	}
+
+	for i := range accounts {
+		bal, err := res.Stack[i].TryInteger()
+		if err != nil {
+			return fmt.Errorf("can't parse account balance: %w", err)
+		}
+		accounts[i].balance = bal
+	}
+	return nil
+}

cmd/frostfs-adm/internal/modules/morph/config.go

@@ -0,0 +1,192 @@
+package morph
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const forceConfigSet = "force"
+
+func dumpNetworkConfig(cmd *cobra.Command, _ []string) error {
+	c, err := getN3Client(viper.GetViper())
+	if err != nil {
+		return fmt.Errorf("can't create N3 client: %w", err)
+	}
+
+	inv := invoker.New(c, nil)
+
+	cs, err := c.GetContractStateByID(1)
+	if err != nil {
+		return fmt.Errorf("can't get NNS contract info: %w", err)
+	}
+
+	nmHash, err := nnsResolveHash(inv, cs.Hash, netmapContract+".frostfs")
+	if err != nil {
+		return fmt.Errorf("can't get netmap contract hash: %w", err)
+	}
+
+	arr, err := unwrap.Array(inv.Call(nmHash, "listConfig"))
+	if err != nil {
+		return errors.New("can't fetch list of network config keys from the netmap contract")
+	}
+
+	buf := bytes.NewBuffer(nil)
+	tw := tabwriter.NewWriter(buf, 0, 2, 2, ' ', 0)
+
+	for _, param := range arr {
+		tuple, ok := param.Value().([]stackitem.Item)
+		if !ok || len(tuple) != 2 {
+			return errors.New("invalid ListConfig response from netmap contract")
+		}
+
+		k, err := tuple[0].TryBytes()
+		if err != nil {
+			return errors.New("invalid config key from netmap contract")
+		}
+
+		v, err := tuple[1].TryBytes()
+		if err != nil {
+			return invalidConfigValueErr(k)
+		}
+
+		switch string(k) {
+		case netmapAuditFeeKey, netmapBasicIncomeRateKey,
+			netmapContainerFeeKey, netmapContainerAliasFeeKey,
+			netmapEigenTrustIterationsKey,
+			netmapEpochKey, netmapInnerRingCandidateFeeKey,
+			netmapMaxObjectSizeKey, netmapWithdrawFeeKey:
+			nbuf := make([]byte, 8)
+			copy(nbuf[:], v)
+			n := binary.LittleEndian.Uint64(nbuf)
+			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%d (int)\n", k, n)))
+		case netmapEigenTrustAlphaKey:
+			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%s (str)\n", k, v)))
+		case netmapHomomorphicHashDisabledKey, netmapMaintenanceAllowedKey:
+			vBool, err := tuple[1].TryBool()
+			if err != nil {
+				return invalidConfigValueErr(k)
+			}
+
+			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%t (bool)\n", k, vBool)))
+		default:
+			_, _ = tw.Write([]byte(fmt.Sprintf("%s:\t%s (hex)\n", k, hex.EncodeToString(v))))
+		}
+	}
+
+	_ = tw.Flush()
+	cmd.Print(buf.String())
+
+	return nil
+}
+
+func setConfigCmd(cmd *cobra.Command, args []string) error {
+	if len(args) == 0 {
+		return errors.New("empty config pairs")
+	}
+
+	wCtx, err := newInitializeContext(cmd, viper.GetViper())
+	if err != nil {
+		return fmt.Errorf("can't initialize context: %w", err)
+	}
+
+	cs, err := wCtx.Client.GetContractStateByID(1)
+	if err != nil {
+		return fmt.Errorf("can't get NNS contract info: %w", err)
+	}
+
+	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
+	if err != nil {
+		return fmt.Errorf("can't get netmap contract hash: %w", err)
+	}
+
+	forceFlag, _ := cmd.Flags().GetBool(forceConfigSet)
+
+	bw := io.NewBufBinWriter()
+	for _, arg := range args {
+		k, v, err := parseConfigPair(arg, forceFlag)
+		if err != nil {
+			return err
+		}
+
+		// In NeoFS this is done via Notary contract. Here, however, we can form the
+		// transaction locally. The first `nil` argument is required only for notary
+		// disabled environment which is not supported by that command.
+		emit.AppCall(bw.BinWriter, nmHash, "setConfig", callflag.All, nil, k, v)
+		if bw.Err != nil {
+			return fmt.Errorf("can't form raw transaction: %w", bw.Err)
+		}
+	}
+
+	err = wCtx.sendConsensusTx(bw.Bytes())
+	if err != nil {
+		return err
+	}
+
+	return wCtx.awaitTx()
+}
+
+func parseConfigPair(kvStr string, force bool) (key string, val any, err error) {
+	k, v, found := strings.Cut(kvStr, "=")
+	if !found {
+		return "", nil, fmt.Errorf("invalid parameter format: must be 'key=val', got: %s", kvStr)
+	}
+
+	key = k
+	valRaw := v
+
+	switch key {
+	case netmapAuditFeeKey, netmapBasicIncomeRateKey,
+		netmapContainerFeeKey, netmapContainerAliasFeeKey,
+		netmapEigenTrustIterationsKey,
+		netmapEpochKey, netmapInnerRingCandidateFeeKey,
+		netmapMaxObjectSizeKey, netmapWithdrawFeeKey:
+		val, err = strconv.ParseInt(valRaw, 10, 64)
+		if err != nil {
+			err = fmt.Errorf("could not parse %s's value '%s' as int: %w", key, valRaw, err)
+		}
+	case netmapEigenTrustAlphaKey:
+		// just check that it could
+		// be parsed correctly
+		_, err = strconv.ParseFloat(v, 64)
+		if err != nil {
+			err = fmt.Errorf("could not parse %s's value '%s' as float: %w", key, valRaw, err)
+		}
+
+		val = valRaw
+	case netmapHomomorphicHashDisabledKey, netmapMaintenanceAllowedKey:
+		val, err = strconv.ParseBool(valRaw)
+		if err != nil {
+			err = fmt.Errorf("could not parse %s's value '%s' as bool: %w", key, valRaw, err)
+		}
+
+	default:
+		if !force {
+			return "", nil, fmt.Errorf(
+				"'%s' key is not well-known, use '--%s' flag if want to set it anyway",
+				key, forceConfigSet)
+		}
+
+		val = valRaw
+	}
+
+	return
+}
+
+func invalidConfigValueErr(key []byte) error {
+	return fmt.Errorf("invalid %s config value from netmap contract", key)
+}

cmd/frostfs-adm/internal/modules/morph/container.go

@@ -4,23 +4,55 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"sort"
 
+	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
 	"github.com/nspcc-dev/neo-go/pkg/io"
-	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
-	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 
 var errInvalidContainerResponse = errors.New("invalid response from container contract")
 
+func getContainerContractHash(cmd *cobra.Command, inv *invoker.Invoker, c Client) (util.Uint160, error) {
+	s, err := cmd.Flags().GetString(containerContractFlag)
+	var ch util.Uint160
+	if err == nil {
+		ch, err = util.Uint160DecodeStringLE(s)
+	}
+	if err != nil {
+		nnsCs, err := c.GetContractStateByID(1)
+		if err != nil {
+			return util.Uint160{}, fmt.Errorf("can't get NNS contract state: %w", err)
+		}
+		ch, err = nnsResolveHash(inv, nnsCs.Hash, containerContract+".frostfs")
+		if err != nil {
+			return util.Uint160{}, err
+		}
+	}
+	return ch, nil
+}
+
+func getContainersList(inv *invoker.Invoker, ch util.Uint160) ([][]byte, error) {
+	res, err := inv.Call(ch, "list", "")
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
+	}
+	itm, err := unwrap.Item(res, err)
+	if _, ok := itm.(stackitem.Null); !ok {
+		return unwrap.ArrayOfBytes(res, err)
+	}
+	return nil, nil
+}
+
 func dumpContainers(cmd *cobra.Command, _ []string) error {
 	filename, err := cmd.Flags().GetString(containerDumpFlag)
 	if err != nil {
@@ -32,42 +64,18 @@ func dumpContainers(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}
 
-	nnsCs, err := c.GetContractStateByID(1)
+	inv := invoker.New(c, nil)
+
+	ch, err := getContainerContractHash(cmd, inv, c)
 	if err != nil {
-		return fmt.Errorf("can't get NNS contract state: %w", err)
+		return fmt.Errorf("unable to get contaract hash: %w", err)
 	}
 
-	var ch util.Uint160
-	s, err := cmd.Flags().GetString(containerContractFlag)
-	if err == nil {
-		ch, err = util.Uint160DecodeStringLE(s)
-	}
-	if err != nil {
-		ch, err = nnsResolveHash(c, nnsCs.Hash, containerContract+".neofs")
-		if err != nil {
-			return err
-		}
-	}
-
-	res, err := c.InvokeFunction(ch, "list",
-		[]smartcontract.Parameter{{Type: smartcontract.StringType, Value: ""}}, nil)
+	cids, err := getContainersList(inv, ch)
 	if err != nil {
 		return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 	}
 
-	var cids [][]byte
-	arr, ok := res.Stack[0].Value().([]stackitem.Item)
-	if !ok {
-		return fmt.Errorf("%w: not a struct", errInvalidContainerResponse)
-	}
-	for _, item := range arr {
-		id, err := item.TryBytes()
-		if err != nil {
-			return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
-		}
-		cids = append(cids, id)
-	}
-
 	isOK, err := getCIDFilterFunc(cmd)
 	if err != nil {
 		return err
@@ -82,7 +90,7 @@ func dumpContainers(cmd *cobra.Command, _ []string) error {
 		bw.Reset()
 		emit.AppCall(bw.BinWriter, ch, "get", callflag.All, id)
 		emit.AppCall(bw.BinWriter, ch, "eACL", callflag.All, id)
-		res, err := c.InvokeScript(bw.Bytes(), nil)
+		res, err := inv.Run(bw.Bytes())
 		if err != nil {
 			return fmt.Errorf("can't get container info: %w", err)
 		}
@@ -112,7 +120,36 @@ func dumpContainers(cmd *cobra.Command, _ []string) error {
 	if err != nil {
 		return err
 	}
-	return ioutil.WriteFile(filename, out, 0o660)
+	return os.WriteFile(filename, out, 0o660)
+}
+
+func listContainers(cmd *cobra.Command, _ []string) error {
+	c, err := getN3Client(viper.GetViper())
+	if err != nil {
+		return fmt.Errorf("can't create N3 client: %w", err)
+	}
+
+	inv := invoker.New(c, nil)
+
+	ch, err := getContainerContractHash(cmd, inv, c)
+	if err != nil {
+		return fmt.Errorf("unable to get contaract hash: %w", err)
+	}
+
+	cids, err := getContainersList(inv, ch)
+	if err != nil {
+		return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
+	}
+
+	for _, id := range cids {
+		var idCnr cid.ID
+		err = idCnr.Decode(id)
+		if err != nil {
+			return fmt.Errorf("unable to decode container id: %w", err)
+		}
+		cmd.Println(idCnr)
+	}
+	return nil
 }
 
 func restoreContainers(cmd *cobra.Command, _ []string) error {
@@ -125,18 +162,19 @@ func restoreContainers(cmd *cobra.Command, _ []string) error {
 	if err != nil {
 		return err
 	}
+	defer wCtx.close()
 
 	nnsCs, err := wCtx.Client.GetContractStateByID(1)
 	if err != nil {
 		return fmt.Errorf("can't get NNS contract state: %w", err)
 	}
 
-	ch, err := nnsResolveHash(wCtx.Client, nnsCs.Hash, containerContract+".neofs")
+	ch, err := nnsResolveHash(wCtx.ReadOnlyInvoker, nnsCs.Hash, containerContract+".frostfs")
 	if err != nil {
 		return fmt.Errorf("can't fetch container contract hash: %w", err)
 	}
 
-	data, err := ioutil.ReadFile(filename)
+	data, err := os.ReadFile(filename)
 	if err != nil {
 		return fmt.Errorf("can't read dump file: %w", err)
 	}
@@ -173,7 +211,7 @@ func restoreContainers(cmd *cobra.Command, _ []string) error {
 			return fmt.Errorf("%w: %v", errInvalidContainerResponse, err)
 		}
 		if len(old.Value) != 0 {
-			id := cid.New()
+			var id cid.ID
 			id.SetSHA256(hv)
 			cmd.Printf("Container %s is already deployed.\n", id)
 			continue
@@ -190,7 +228,7 @@ func restoreContainers(cmd *cobra.Command, _ []string) error {
 			panic(bw.Err)
 		}
 
-		if err := wCtx.sendCommitteeTx(bw.Bytes(), -1); err != nil {
+		if err := wCtx.sendConsensusTx(bw.Bytes()); err != nil {
 			return err
 		}
 	}
@@ -316,7 +354,7 @@ func getCIDFilterFunc(cmd *cobra.Command) (func([]byte) bool, error) {
 	}
 
 	for i := range rawIDs {
-		err := cid.New().Parse(rawIDs[i])
+		err := new(cid.ID).DecodeString(rawIDs[i])
 		if err != nil {
 			return nil, fmt.Errorf("can't parse CID %s: %w", rawIDs[i], err)
 		}
@@ -326,9 +364,9 @@ func getCIDFilterFunc(cmd *cobra.Command) (func([]byte) bool, error) {
 		var v [32]byte
 		copy(v[:], rawID)
 
-		id := cid.New()
+		var id cid.ID
 		id.SetSHA256(v)
-		idStr := id.String()
+		idStr := id.EncodeToString()
 		n := sort.Search(len(rawIDs), func(i int) bool { return rawIDs[i] >= idStr })
 		return n < len(rawIDs) && rawIDs[n] == idStr
 	}, nil

cmd/frostfs-adm/internal/modules/morph/deploy.go

@@ -0,0 +1,224 @@
+package morph
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/TrueCloudLab/frostfs-contract/nns"
+	"github.com/nspcc-dev/neo-go/cli/cmdargs"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
+	"github.com/nspcc-dev/neo-go/pkg/services/rpcsrv/params"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	contractPathFlag = "contract"
+	updateFlag       = "update"
+	customZoneFlag   = "domain"
+)
+
+var deployCmd = &cobra.Command{
+	Use:   "deploy",
+	Short: "Deploy additional smart-contracts",
+	Long: `Deploy additional smart-contract which are not related to core.
+All contracts are deployed by the committee, so access to the alphabet wallets is required.
+Optionally, arguments can be provided to be passed to a contract's _deploy function.
+The syntax is the same as for 'neo-go contract testinvokefunction' command.
+Compiled contract file name must contain '_contract.nef' suffix.
+Contract's manifest file name must be 'config.json'.
+NNS name is taken by stripping '_contract.nef' from the NEF file (similar to frostfs contracts).`,
+	PreRun: func(cmd *cobra.Command, _ []string) {
+		_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+		_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+	},
+	RunE: deployContractCmd,
+}
+
+func init() {
+	ff := deployCmd.Flags()
+
+	ff.String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	_ = deployCmd.MarkFlagFilename(alphabetWalletsFlag)
+
+	ff.StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	ff.String(contractPathFlag, "", "Path to the contract directory")
+	_ = deployCmd.MarkFlagFilename(contractPathFlag)
+
+	ff.Bool(updateFlag, false, "Update an existing contract")
+	ff.String(customZoneFlag, "frostfs", "Custom zone for NNS")
+}
+
+func deployContractCmd(cmd *cobra.Command, args []string) error {
+	v := viper.GetViper()
+	c, err := newInitializeContext(cmd, v)
+	if err != nil {
+		return fmt.Errorf("initialization error: %w", err)
+	}
+	defer c.close()
+
+	ctrPath, _ := cmd.Flags().GetString(contractPathFlag)
+	ctrName, err := probeContractName(ctrPath)
+	if err != nil {
+		return err
+	}
+
+	cs, err := readContract(ctrPath, ctrName)
+	if err != nil {
+		return err
+	}
+
+	nnsCs, err := c.Client.GetContractStateByID(1)
+	if err != nil {
+		return fmt.Errorf("can't fetch NNS contract state: %w", err)
+	}
+
+	callHash := management.Hash
+	method := deployMethodName
+	zone, _ := cmd.Flags().GetString(customZoneFlag)
+	domain := ctrName + "." + zone
+	isUpdate, _ := cmd.Flags().GetBool(updateFlag)
+	if isUpdate {
+		cs.Hash, err = nnsResolveHash(c.ReadOnlyInvoker, nnsCs.Hash, domain)
+		if err != nil {
+			return fmt.Errorf("can't fetch contract hash from NNS: %w", err)
+		}
+		callHash = cs.Hash
+		method = updateMethodName
+	} else {
+		cs.Hash = state.CreateContractHash(
+			c.CommitteeAcc.Contract.ScriptHash(),
+			cs.NEF.Checksum,
+			cs.Manifest.Name)
+	}
+
+	w := io.NewBufBinWriter()
+	if err := emitDeploymentArguments(w.BinWriter, args); err != nil {
+		return err
+	}
+	emit.Bytes(w.BinWriter, cs.RawManifest)
+	emit.Bytes(w.BinWriter, cs.RawNEF)
+	emit.Int(w.BinWriter, 3)
+	emit.Opcodes(w.BinWriter, opcode.PACK)
+	emit.AppCallNoArgs(w.BinWriter, callHash, method, callflag.All)
+	emit.Opcodes(w.BinWriter, opcode.DROP) // contract state on stack
+	if !isUpdate {
+		bw := io.NewBufBinWriter()
+		emit.Instruction(bw.BinWriter, opcode.INITSSLOT, []byte{1})
+		emit.AppCall(bw.BinWriter, nnsCs.Hash, "getPrice", callflag.All)
+		emit.Opcodes(bw.BinWriter, opcode.STSFLD0)
+		emit.AppCall(bw.BinWriter, nnsCs.Hash, "setPrice", callflag.All, 1)
+
+		start := bw.Len()
+		needRecord := false
+
+		ok, err := c.nnsRootRegistered(nnsCs.Hash, zone)
+		if err != nil {
+			return err
+		} else if !ok {
+			needRecord = true
+
+			emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
+				zone, c.CommitteeAcc.Contract.ScriptHash(),
+				"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+			emit.Opcodes(bw.BinWriter, opcode.ASSERT)
+
+			emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
+				domain, c.CommitteeAcc.Contract.ScriptHash(),
+				"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+			emit.Opcodes(bw.BinWriter, opcode.ASSERT)
+		} else {
+			s, ok, err := c.nnsRegisterDomainScript(nnsCs.Hash, cs.Hash, domain)
+			if err != nil {
+				return err
+			}
+			needRecord = !ok
+			if len(s) != 0 {
+				bw.WriteBytes(s)
+			}
+		}
+		if needRecord {
+			emit.AppCall(bw.BinWriter, nnsCs.Hash, "deleteRecords", callflag.All, domain, int64(nns.TXT))
+			emit.AppCall(bw.BinWriter, nnsCs.Hash, "addRecord", callflag.All,
+				domain, int64(nns.TXT), address.Uint160ToString(cs.Hash))
+		}
+
+		if bw.Err != nil {
+			panic(fmt.Errorf("BUG: can't create deployment script: %w", w.Err))
+		} else if bw.Len() != start {
+			w.WriteBytes(bw.Bytes())
+			emit.Opcodes(w.BinWriter, opcode.LDSFLD0, opcode.PUSH1, opcode.PACK)
+			emit.AppCallNoArgs(w.BinWriter, nnsCs.Hash, "setPrice", callflag.All)
+
+			if needRecord {
+				c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
+			}
+		}
+	}
+
+	if w.Err != nil {
+		panic(fmt.Errorf("BUG: can't create deployment script: %w", w.Err))
+	}
+
+	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
+		return err
+	}
+	return c.awaitTx()
+}
+
+func emitDeploymentArguments(w *io.BinWriter, args []string) error {
+	_, ps, err := cmdargs.ParseParams(args, true)
+	if err != nil {
+		return err
+	}
+
+	if len(ps) == 0 {
+		emit.Opcodes(w, opcode.NEWARRAY0)
+		return nil
+	}
+
+	if len(ps) != 1 {
+		return fmt.Errorf("at most one argument is expected for deploy, got %d", len(ps))
+	}
+
+	// We could emit this directly, but round-trip through JSON is more robust.
+	// This a CLI, so optimizing the conversion is not worth the effort.
+	data, err := json.Marshal(ps)
+	if err != nil {
+		return err
+	}
+
+	var pp params.Params
+	if err := json.Unmarshal(data, &pp); err != nil {
+		return err
+	}
+	return params.ExpandArrayIntoScript(w, pp)
+}
+
+func probeContractName(ctrPath string) (string, error) {
+	ds, err := os.ReadDir(ctrPath)
+	if err != nil {
+		return "", fmt.Errorf("can't read directory: %w", err)
+	}
+
+	var ctrName string
+	for i := range ds {
+		if strings.HasSuffix(ds[i].Name(), "_contract.nef") {
+			ctrName = strings.TrimSuffix(ds[i].Name(), "_contract.nef")
+			break
+		}
+	}
+
+	if ctrName == "" {
+		return "", fmt.Errorf("can't find any NEF files in %s", ctrPath)
+	}
+	return ctrName, nil
+}

cmd/frostfs-adm/internal/modules/morph/download.go

@@ -14,7 +14,7 @@ import (
 
 func downloadContractsFromGithub(cmd *cobra.Command) (io.ReadCloser, error) {
 	gcl := github.NewClient(nil)
-	release, _, err := gcl.Repositories.GetLatestRelease(context.Background(), "nspcc-dev", "neofs-contract")
+	release, _, err := gcl.Repositories.GetLatestRelease(context.Background(), "nspcc-dev", "frostfs-contract")
 	if err != nil {
 		return nil, fmt.Errorf("can't fetch release info: %w", err)
 	}
@@ -23,7 +23,7 @@ func downloadContractsFromGithub(cmd *cobra.Command) (io.ReadCloser, error) {
 
 	var url string
 	for _, a := range release.Assets {
-		if strings.HasPrefix(a.GetName(), "neofs-contract") {
+		if strings.HasPrefix(a.GetName(), "frostfs-contract") {
 			url = a.GetBrowserDownloadURL()
 			break
 		}

cmd/frostfs-adm/internal/modules/morph/dump_hashes.go

@@ -0,0 +1,250 @@
+package morph
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/TrueCloudLab/frostfs-contract/nns"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const lastGlagoliticLetter = 41
+
+type contractDumpInfo struct {
+	hash    util.Uint160
+	name    string
+	version string
+}
+
+func dumpContractHashes(cmd *cobra.Command, _ []string) error {
+	c, err := getN3Client(viper.GetViper())
+	if err != nil {
+		return fmt.Errorf("can't create N3 client: %w", err)
+	}
+
+	cs, err := c.GetContractStateByID(1)
+	if err != nil {
+		return err
+	}
+
+	zone, _ := cmd.Flags().GetString(customZoneFlag)
+	if zone != "" {
+		return dumpCustomZoneHashes(cmd, cs.Hash, zone, c)
+	}
+
+	infos := []contractDumpInfo{{name: nnsContract, hash: cs.Hash}}
+
+	irSize := 0
+	for ; irSize < lastGlagoliticLetter; irSize++ {
+		ok, err := nnsIsAvailable(c, cs.Hash, getAlphabetNNSDomain(irSize))
+		if err != nil {
+			return err
+		} else if ok {
+			break
+		}
+	}
+
+	bw := io.NewBufBinWriter()
+
+	if irSize != 0 {
+		bw.Reset()
+		for i := 0; i < irSize; i++ {
+			emit.AppCall(bw.BinWriter, cs.Hash, "resolve", callflag.ReadOnly,
+				getAlphabetNNSDomain(i),
+				int64(nns.TXT))
+		}
+
+		alphaRes, err := c.InvokeScript(bw.Bytes(), nil)
+		if err != nil {
+			return fmt.Errorf("can't fetch info from NNS: %w", err)
+		}
+
+		for i := 0; i < irSize; i++ {
+			info := contractDumpInfo{name: fmt.Sprintf("alphabet %d", i)}
+			if h, err := parseNNSResolveResult(alphaRes.Stack[i]); err == nil {
+				info.hash = h
+			}
+			infos = append(infos, info)
+		}
+	}
+
+	for _, ctrName := range contractList {
+		bw.Reset()
+		emit.AppCall(bw.BinWriter, cs.Hash, "resolve", callflag.ReadOnly,
+			ctrName+".frostfs", int64(nns.TXT))
+
+		res, err := c.InvokeScript(bw.Bytes(), nil)
+		if err != nil {
+			return fmt.Errorf("can't fetch info from NNS: %w", err)
+		}
+
+		info := contractDumpInfo{name: ctrName}
+		if len(res.Stack) != 0 {
+			if h, err := parseNNSResolveResult(res.Stack[0]); err == nil {
+				info.hash = h
+			}
+		}
+		infos = append(infos, info)
+	}
+
+	fillContractVersion(cmd, c, infos)
+	printContractInfo(cmd, infos)
+
+	return nil
+}
+
+func dumpCustomZoneHashes(cmd *cobra.Command, nnsHash util.Uint160, zone string, c Client) error {
+	const nnsMaxTokens = 100
+
+	inv := invoker.New(c, nil)
+
+	if !strings.HasPrefix(zone, ".") {
+		zone = "." + zone
+	}
+
+	var infos []contractDumpInfo
+	processItem := func(item stackitem.Item) {
+		bs, err := item.TryBytes()
+		if err != nil {
+			cmd.PrintErrf("Invalid NNS record: %v\n", err)
+			return
+		}
+
+		if !bytes.HasSuffix(bs, []byte(zone)) {
+			// Related https://github.com/nspcc-dev/neofs-contract/issues/316.
+			return
+		}
+
+		h, err := nnsResolveHash(inv, nnsHash, string(bs))
+		if err != nil {
+			cmd.PrintErrf("Could not resolve name %s: %v\n", string(bs), err)
+			return
+		}
+
+		infos = append(infos, contractDumpInfo{
+			hash: h,
+			name: strings.TrimSuffix(string(bs), zone),
+		})
+	}
+
+	sessionID, iter, err := unwrap.SessionIterator(inv.Call(nnsHash, "tokens"))
+	if err != nil {
+		if errors.Is(err, unwrap.ErrNoSessionID) {
+			items, err := unwrap.Array(inv.CallAndExpandIterator(nnsHash, "tokens", nnsMaxTokens))
+			if err != nil {
+				return fmt.Errorf("can't get a list of NNS domains: %w", err)
+			}
+			if len(items) == nnsMaxTokens {
+				cmd.PrintErrln("Provided RPC endpoint doesn't support sessions, some hashes might be lost.")
+			}
+			for i := range items {
+				processItem(items[i])
+			}
+		} else {
+			return err
+		}
+	} else {
+		defer func() {
+			_ = inv.TerminateSession(sessionID)
+		}()
+
+		items, err := inv.TraverseIterator(sessionID, &iter, nnsMaxTokens)
+		for err == nil && len(items) != 0 {
+			for i := range items {
+				processItem(items[i])
+			}
+			items, err = inv.TraverseIterator(sessionID, &iter, nnsMaxTokens)
+		}
+		if err != nil {
+			return fmt.Errorf("error during NNS domains iteration: %w", err)
+		}
+	}
+
+	fillContractVersion(cmd, c, infos)
+	printContractInfo(cmd, infos)
+
+	return nil
+}
+
+func parseContractVersion(item stackitem.Item) string {
+	bi, err := item.TryInteger()
+	if err != nil || bi.Sign() == 0 || !bi.IsInt64() {
+		return "unknown"
+	}
+
+	v := bi.Int64()
+	major := v / 1_000_000
+	minor := (v % 1_000_000) / 1000
+	patch := v % 1_000
+	return fmt.Sprintf("v%d.%d.%d", major, minor, patch)
+}
+
+func printContractInfo(cmd *cobra.Command, infos []contractDumpInfo) {
+	if len(infos) == 0 {
+		return
+	}
+
+	buf := bytes.NewBuffer(nil)
+	tw := tabwriter.NewWriter(buf, 0, 2, 2, ' ', 0)
+	for _, info := range infos {
+		if info.version == "" {
+			info.version = "unknown"
+		}
+		_, _ = tw.Write([]byte(fmt.Sprintf("%s\t(%s):\t%s\n",
+			info.name, info.version, info.hash.StringLE())))
+	}
+	_ = tw.Flush()
+
+	cmd.Print(buf.String())
+}
+
+func fillContractVersion(cmd *cobra.Command, c Client, infos []contractDumpInfo) {
+	bw := io.NewBufBinWriter()
+	sub := io.NewBufBinWriter()
+	for i := range infos {
+		if infos[i].hash.Equals(util.Uint160{}) {
+			emit.Int(bw.BinWriter, 0)
+		} else {
+			sub.Reset()
+			emit.AppCall(sub.BinWriter, infos[i].hash, "version", callflag.NoneFlag)
+			if sub.Err != nil {
+				panic(fmt.Errorf("BUG: can't create version script: %w", bw.Err))
+			}
+
+			script := sub.Bytes()
+			emit.Instruction(bw.BinWriter, opcode.TRY, []byte{byte(3 + len(script) + 2), 0})
+			bw.BinWriter.WriteBytes(script)
+			emit.Instruction(bw.BinWriter, opcode.ENDTRY, []byte{2 + 1})
+			emit.Opcodes(bw.BinWriter, opcode.PUSH0)
+		}
+	}
+	emit.Opcodes(bw.BinWriter, opcode.NOP) // for the last ENDTRY target
+	if bw.Err != nil {
+		panic(fmt.Errorf("BUG: can't create version script: %w", bw.Err))
+	}
+
+	res, err := c.InvokeScript(bw.Bytes(), nil)
+	if err != nil {
+		cmd.Printf("Can't fetch version from NNS: %v\n", err)
+		return
+	}
+
+	if res.State == vmstate.Halt.String() {
+		for i := range res.Stack {
+			infos[i].version = parseContractVersion(res.Stack[i])
+		}
+	}
+}

cmd/frostfs-adm/internal/modules/morph/epoch.go

@@ -4,11 +4,10 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/io"
-	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
-	"github.com/nspcc-dev/neo-go/pkg/vm"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -25,34 +24,34 @@ func forceNewEpochCmd(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("can't get NNS contract info: %w", err)
 	}
 
-	nmHash, err := nnsResolveHash(wCtx.Client, cs.Hash, netmapContract+".neofs")
+	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
 	if err != nil {
 		return fmt.Errorf("can't get netmap contract hash: %w", err)
 	}
 
-	res, err := wCtx.Client.InvokeFunction(nmHash, "epoch", []smartcontract.Parameter{}, []transaction.Signer{{
-		Account: wCtx.CommitteeAcc.Contract.ScriptHash(),
-		Scopes:  transaction.Global, // Scope is important, as we have nested call to container contract.
-	}})
-	if err != nil || res.State != vm.HaltState.String() || len(res.Stack) == 0 {
-		return errors.New("can't fetch current epoch from the netmap contract")
-	}
-
-	bi, err := res.Stack[0].TryInteger()
-	if err != nil {
-		return fmt.Errorf("can't parse current epoch: %w", err)
-	}
-
-	newEpoch := bi.Int64() + 1
-	cmd.Printf("Current epoch: %s, increase to %d.\n", bi, newEpoch)
-
-	// In NeoFS this is done via Notary contract. Here, however, we can form the
-	// transaction locally.
 	bw := io.NewBufBinWriter()
-	emit.AppCall(bw.BinWriter, nmHash, "newEpoch", callflag.All, newEpoch)
-	if err := wCtx.sendCommitteeTx(bw.Bytes(), -1); err != nil {
+	if err := emitNewEpochCall(bw, wCtx, nmHash); err != nil {
+		return err
+	}
+
+	if err := wCtx.sendConsensusTx(bw.Bytes()); err != nil {
 		return err
 	}
 
 	return wCtx.awaitTx()
 }
+
+func emitNewEpochCall(bw *io.BufBinWriter, wCtx *initializeContext, nmHash util.Uint160) error {
+	curr, err := unwrap.Int64(wCtx.ReadOnlyInvoker.Call(nmHash, "epoch"))
+	if err != nil {
+		return errors.New("can't fetch current epoch from the netmap contract")
+	}
+
+	newEpoch := curr + 1
+	wCtx.Command.Printf("Current epoch: %d, increase to %d.\n", curr, newEpoch)
+
+	// In NeoFS this is done via Notary contract. Here, however, we can form the
+	// transaction locally.
+	emit.AppCall(bw.BinWriter, nmHash, "newEpoch", callflag.All, newEpoch)
+	return bw.Err
+}

cmd/frostfs-adm/internal/modules/morph/generate.go

@@ -3,19 +3,22 @@ package morph
 import (
 	"errors"
 	"fmt"
-	"path"
+	"os"
+	"path/filepath"
 
-	"github.com/nspcc-dev/neo-go/cli/input"
-	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
 	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
-	"github.com/nspcc-dev/neofs-node/cmd/neofs-adm/internal/modules/config"
-	"github.com/nspcc-dev/neofs-node/pkg/innerring"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -36,8 +39,14 @@ func generateAlphabetCreds(cmd *cobra.Command, args []string) error {
 		return errors.New("size must be > 0")
 	}
 
+	v := viper.GetViper()
 	walletDir := config.ResolveHomePath(viper.GetString(alphabetWalletsFlag))
-	pwds, err := initializeWallets(walletDir, int(size))
+	pwds, err := initializeWallets(v, walletDir, int(size))
+	if err != nil {
+		return err
+	}
+
+	_, err = initializeContractWallet(v, walletDir)
 	if err != nil {
 		return err
 	}
@@ -51,19 +60,25 @@ func generateAlphabetCreds(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func initializeWallets(walletDir string, size int) ([]string, error) {
+func initializeWallets(v *viper.Viper, walletDir string, size int) ([]string, error) {
 	wallets := make([]*wallet.Wallet, size)
 	pubs := make(keys.PublicKeys, size)
 	passwords := make([]string, size)
 
 	for i := range wallets {
-		password, err := config.AlphabetPassword(viper.GetViper(), i)
+		password, err := config.GetPassword(v, innerring.GlagoliticLetter(i).String())
 		if err != nil {
 			return nil, fmt.Errorf("can't fetch password: %w", err)
 		}
 
-		p := path.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
-		// TODO(@fyrchik): file is created with 0666 permissions, consider changing.
+		p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
+		f, err := os.OpenFile(p, os.O_CREATE, 0644)
+		if err != nil {
+			return nil, fmt.Errorf("can't create wallet file: %w", err)
+		}
+		if err := f.Close(); err != nil {
+			return nil, fmt.Errorf("can't close wallet file: %w", err)
+		}
 		w, err := wallet.NewWallet(p)
 		if err != nil {
 			return nil, fmt.Errorf("can't create wallet: %w", err)
@@ -94,10 +109,9 @@ func initializeWallets(walletDir string, size int) ([]string, error) {
 	}
 
 	for _, w := range wallets {
-		if err := w.Save(); err != nil {
+		if err := w.SavePretty(); err != nil {
 			return nil, fmt.Errorf("can't save wallet: %w", err)
 		}
-		w.Close()
 	}
 
 	return passwords, nil
@@ -121,37 +135,55 @@ func generateStorageCreds(cmd *cobra.Command, _ []string) error {
 	return refillGas(cmd, storageGasConfigFlag, true)
 }
 
-func refillGas(cmd *cobra.Command, gasFlag string, createWallet bool) error {
+func refillGas(cmd *cobra.Command, gasFlag string, createWallet bool) (err error) {
 	// storage wallet path is not part of the config
-	storageWalletPath, err := cmd.Flags().GetString(storageWalletFlag)
-	if err != nil {
-		return err
-	}
-	if storageWalletPath == "" {
-		return fmt.Errorf("missing wallet path (use '--%s <out.json>')", storageWalletFlag)
-	}
+	storageWalletPath, _ := cmd.Flags().GetString(storageWalletFlag)
+	// wallet address is not part of the config
+	walletAddress, _ := cmd.Flags().GetString(walletAddressFlag)
 
-	var w *wallet.Wallet
+	var gasReceiver util.Uint160
 
-	if createWallet {
-		w, err = wallet.NewWallet(storageWalletPath)
-	} else {
-		w, err = wallet.NewWalletFromFile(storageWalletPath)
-	}
-
-	if err != nil {
-		return fmt.Errorf("can't create wallet: %w", err)
-	}
-
-	if createWallet {
-		password, err := input.ReadPassword("New password > ")
+	if len(walletAddress) != 0 {
+		gasReceiver, err = address.StringToUint160(walletAddress)
 		if err != nil {
-			return fmt.Errorf("can't fetch password: %w", err)
+			return fmt.Errorf("invalid wallet address %s: %w", walletAddress, err)
+		}
+	} else {
+		if storageWalletPath == "" {
+			return fmt.Errorf("missing wallet path (use '--%s <out.json>')", storageWalletFlag)
 		}
 
-		if err := w.CreateAccount(singleAccountName, password); err != nil {
-			return fmt.Errorf("can't create account: %w", err)
+		var w *wallet.Wallet
+
+		if createWallet {
+			w, err = wallet.NewWallet(storageWalletPath)
+		} else {
+			w, err = wallet.NewWalletFromFile(storageWalletPath)
 		}
+
+		if err != nil {
+			return fmt.Errorf("can't create wallet: %w", err)
+		}
+
+		if createWallet {
+			var password string
+
+			label, _ := cmd.Flags().GetString(storageWalletLabelFlag)
+			password, err := config.GetStoragePassword(viper.GetViper(), label)
+			if err != nil {
+				return fmt.Errorf("can't fetch password: %w", err)
+			}
+
+			if label == "" {
+				label = singleAccountName
+			}
+
+			if err := w.CreateAccount(label, password); err != nil {
+				return fmt.Errorf("can't create account: %w", err)
+			}
+		}
+
+		gasReceiver = w.Accounts[0].Contract.ScriptHash()
 	}
 
 	gasStr := viper.GetString(gasFlag)
@@ -166,16 +198,15 @@ func refillGas(cmd *cobra.Command, gasFlag string, createWallet bool) error {
 		return err
 	}
 
-	gasHash := wCtx.nativeHash(nativenames.Gas)
-
 	bw := io.NewBufBinWriter()
-	emit.AppCall(bw.BinWriter, gasHash, "transfer", callflag.All,
-		wCtx.CommitteeAcc.Contract.ScriptHash(), w.Accounts[0].Contract.ScriptHash(), int64(gasAmount), nil)
+	emit.AppCall(bw.BinWriter, gas.Hash, "transfer", callflag.All,
+		wCtx.CommitteeAcc.Contract.ScriptHash(), gasReceiver, int64(gasAmount), nil)
+	emit.Opcodes(bw.BinWriter, opcode.ASSERT)
 	if bw.Err != nil {
 		return fmt.Errorf("BUG: invalid transfer arguments: %w", bw.Err)
 	}
 
-	if err := wCtx.sendCommitteeTx(bw.Bytes(), -1); err != nil {
+	if err := wCtx.sendCommitteeTx(bw.Bytes(), false); err != nil {
 		return err
 	}
 

cmd/frostfs-adm/internal/modules/morph/generate_test.go

@@ -2,26 +2,29 @@ package morph
 
 import (
 	"bytes"
-	"io/ioutil"
+	"io"
 	"math/rand"
 	"os"
-	"path"
+	"path/filepath"
 	"strconv"
 	"testing"
 
+	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
-	"github.com/nspcc-dev/neofs-node/pkg/innerring"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/term"
 )
 
+const testContractPassword = "grouppass"
+
 func TestGenerateAlphabet(t *testing.T) {
 	const size = 4
 
-	walletDir := newTempDir(t)
+	walletDir := t.TempDir()
 	buf := setupTestTerminal(t)
 
 	cmd := generateAlphabetCmd
@@ -42,24 +45,34 @@ func TestGenerateAlphabet(t *testing.T) {
 	})
 	t.Run("missing directory", func(t *testing.T) {
 		buf.Reset()
-		dir := path.Join(os.TempDir(), "notexist."+strconv.FormatUint(rand.Uint64(), 10))
+		dir := filepath.Join(os.TempDir(), "notexist."+strconv.FormatUint(rand.Uint64(), 10))
 		v.Set(alphabetWalletsFlag, dir)
 		require.NoError(t, cmd.Flags().Set(alphabetSizeFlag, "1"))
 		buf.WriteString("pass\r")
 		require.Error(t, generateAlphabetCreds(cmd, nil))
 	})
+	t.Run("no password for contract group wallet", func(t *testing.T) {
+		buf.Reset()
+		v.Set(alphabetWalletsFlag, walletDir)
+		require.NoError(t, cmd.Flags().Set(alphabetSizeFlag, strconv.FormatUint(size, 10)))
+		for i := uint64(0); i < size; i++ {
+			buf.WriteString(strconv.FormatUint(i, 10) + "\r")
+		}
+		require.Error(t, generateAlphabetCreds(cmd, nil))
+	})
 
 	buf.Reset()
 	v.Set(alphabetWalletsFlag, walletDir)
-	require.NoError(t, cmd.Flags().Set(alphabetSizeFlag, strconv.FormatUint(size, 10)))
+	require.NoError(t, generateAlphabetCmd.Flags().Set(alphabetSizeFlag, strconv.FormatUint(size, 10)))
 	for i := uint64(0); i < size; i++ {
 		buf.WriteString(strconv.FormatUint(i, 10) + "\r")
 	}
 
-	require.NoError(t, generateAlphabetCreds(cmd, nil))
+	buf.WriteString(testContractPassword + "\r")
+	require.NoError(t, generateAlphabetCreds(generateAlphabetCmd, nil))
 
 	for i := uint64(0); i < size; i++ {
-		p := path.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
+		p := filepath.Join(walletDir, innerring.GlagoliticLetter(i).String()+".json")
 		w, err := wallet.NewWalletFromFile(p)
 		require.NoError(t, err, "wallet doesn't exist")
 		require.Equal(t, 3, len(w.Accounts), "not all accounts were created")
@@ -68,33 +81,32 @@ func TestGenerateAlphabet(t *testing.T) {
 			require.NoError(t, err, "can't decrypt account")
 			switch a.Label {
 			case consensusAccountName:
-				require.Equal(t, size/2+1, len(a.Contract.Parameters))
+				require.Equal(t, smartcontract.GetDefaultHonestNodeCount(size), len(a.Contract.Parameters))
 			case committeeAccountName:
-				require.Equal(t, size*2/3+1, len(a.Contract.Parameters))
+				require.Equal(t, smartcontract.GetMajorityHonestNodeCount(size), len(a.Contract.Parameters))
 			default:
 				require.Equal(t, singleAccountName, a.Label)
 			}
 		}
 	}
+
+	t.Run("check contract group wallet", func(t *testing.T) {
+		p := filepath.Join(walletDir, contractWalletFilename)
+		w, err := wallet.NewWalletFromFile(p)
+		require.NoError(t, err, "contract wallet doesn't exist")
+		require.Equal(t, 1, len(w.Accounts), "contract wallet must have 1 accout")
+		require.NoError(t, w.Accounts[0].Decrypt(testContractPassword, keys.NEP2ScryptParams()))
+	})
 }
 
 func setupTestTerminal(t *testing.T) *bytes.Buffer {
 	in := bytes.NewBuffer(nil)
 	input.Terminal = term.NewTerminal(input.ReadWriter{
 		Reader: in,
-		Writer: ioutil.Discard,
+		Writer: io.Discard,
 	}, "")
 
 	t.Cleanup(func() { input.Terminal = nil })
 
 	return in
 }
-
-func newTempDir(t *testing.T) string {
-	dir := path.Join(os.TempDir(), "neofs-adm.test."+strconv.FormatUint(rand.Uint64(), 10))
-	require.NoError(t, os.Mkdir(dir, os.ModePerm))
-	t.Cleanup(func() {
-		require.NoError(t, os.RemoveAll(dir))
-	})
-	return dir
-}

cmd/frostfs-adm/internal/modules/morph/group.go

@@ -0,0 +1,106 @@
+package morph
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/manifest"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	contractWalletFilename    = "contract.json"
+	contractWalletPasswordKey = "contract"
+)
+
+func initializeContractWallet(v *viper.Viper, walletDir string) (*wallet.Wallet, error) {
+	password, err := config.GetPassword(v, contractWalletPasswordKey)
+	if err != nil {
+		return nil, err
+	}
+
+	w, err := wallet.NewWallet(filepath.Join(walletDir, contractWalletFilename))
+	if err != nil {
+		return nil, err
+	}
+
+	acc, err := wallet.NewAccount()
+	if err != nil {
+		return nil, err
+	}
+
+	err = acc.Encrypt(password, keys.NEP2ScryptParams())
+	if err != nil {
+		return nil, err
+	}
+
+	w.AddAccount(acc)
+	if err := w.SavePretty(); err != nil {
+		return nil, err
+	}
+
+	return w, nil
+}
+
+func openContractWallet(v *viper.Viper, cmd *cobra.Command, walletDir string) (*wallet.Wallet, error) {
+	p := filepath.Join(walletDir, contractWalletFilename)
+	w, err := wallet.NewWalletFromFile(p)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return nil, fmt.Errorf("can't open wallet: %w", err)
+		}
+
+		cmd.Printf("Contract group wallet is missing, initialize at %s\n", p)
+		return initializeContractWallet(v, walletDir)
+	}
+
+	password, err := config.GetPassword(v, contractWalletPasswordKey)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := range w.Accounts {
+		if err := w.Accounts[i].Decrypt(password, keys.NEP2ScryptParams()); err != nil {
+			return nil, fmt.Errorf("can't unlock wallet: %w", err)
+		}
+	}
+
+	return w, nil
+}
+
+func (c *initializeContext) addManifestGroup(h util.Uint160, cs *contractState) error {
+	priv := c.ContractWallet.Accounts[0].PrivateKey()
+	pub := priv.PublicKey()
+
+	sig := priv.Sign(h.BytesBE())
+	found := false
+
+	for i := range cs.Manifest.Groups {
+		if cs.Manifest.Groups[i].PublicKey.Equal(pub) {
+			cs.Manifest.Groups[i].Signature = sig
+			found = true
+			break
+		}
+	}
+	if !found {
+		cs.Manifest.Groups = append(cs.Manifest.Groups, manifest.Group{
+			PublicKey: pub,
+			Signature: sig,
+		})
+	}
+
+	data, err := json.Marshal(cs.Manifest)
+	if err != nil {
+		return err
+	}
+
+	cs.RawManifest = data
+	return nil
+}

cmd/frostfs-adm/internal/modules/morph/initialize.go

@@ -0,0 +1,465 @@
+package morph
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
+	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
+	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+type cache struct {
+	nnsCs    *state.Contract
+	groupKey *keys.PublicKey
+}
+
+type initializeContext struct {
+	clientContext
+	cache
+	// CommitteeAcc is used for retrieving the committee address and the verification script.
+	CommitteeAcc *wallet.Account
+	// ConsensusAcc is used for retrieving the committee address and the verification script.
+	ConsensusAcc *wallet.Account
+	Wallets      []*wallet.Wallet
+	// ContractWallet is a wallet for providing the contract group signature.
+	ContractWallet *wallet.Wallet
+	// Accounts contains simple signature accounts in the same order as in Wallets.
+	Accounts     []*wallet.Account
+	Contracts    map[string]*contractState
+	Command      *cobra.Command
+	ContractPath string
+}
+
+func initializeSideChainCmd(cmd *cobra.Command, args []string) error {
+	initCtx, err := newInitializeContext(cmd, viper.GetViper())
+	if err != nil {
+		return fmt.Errorf("initialization error: %w", err)
+	}
+	defer initCtx.close()
+
+	// 1. Transfer funds to committee accounts.
+	cmd.Println("Stage 1: transfer GAS to alphabet nodes.")
+	if err := initCtx.transferFunds(); err != nil {
+		return err
+	}
+
+	cmd.Println("Stage 2: set notary and alphabet nodes in designate contract.")
+	if err := initCtx.setNotaryAndAlphabetNodes(); err != nil {
+		return err
+	}
+
+	// 3. Deploy NNS contract.
+	cmd.Println("Stage 3: deploy NNS contract.")
+	if err := initCtx.deployNNS(deployMethodName); err != nil {
+		return err
+	}
+
+	// 4. Deploy NeoFS contracts.
+	cmd.Println("Stage 4: deploy NeoFS contracts.")
+	if err := initCtx.deployContracts(); err != nil {
+		return err
+	}
+
+	cmd.Println("Stage 4.1: Transfer GAS to proxy contract.")
+	if err := initCtx.transferGASToProxy(); err != nil {
+		return err
+	}
+
+	cmd.Println("Stage 5: register candidates.")
+	if err := initCtx.registerCandidates(); err != nil {
+		return err
+	}
+
+	cmd.Println("Stage 6: transfer NEO to alphabet contracts.")
+	if err := initCtx.transferNEOToAlphabetContracts(); err != nil {
+		return err
+	}
+
+	cmd.Println("Stage 7: set addresses in NNS.")
+	if err := initCtx.setNNS(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (c *initializeContext) close() {
+	if local, ok := c.Client.(*localClient); ok {
+		err := local.dump()
+		if err != nil {
+			c.Command.PrintErrf("Can't write dump: %v\n", err)
+			os.Exit(1)
+		}
+	}
+}
+
+func newInitializeContext(cmd *cobra.Command, v *viper.Viper) (*initializeContext, error) {
+	walletDir := config.ResolveHomePath(viper.GetString(alphabetWalletsFlag))
+	wallets, err := openAlphabetWallets(v, walletDir)
+	if err != nil {
+		return nil, err
+	}
+
+	needContracts := cmd.Name() == "update-contracts" || cmd.Name() == "init"
+
+	var w *wallet.Wallet
+	if needContracts {
+		w, err = openContractWallet(v, cmd, walletDir)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var c Client
+	if v.GetString(localDumpFlag) != "" {
+		if v.GetString(endpointFlag) != "" {
+			return nil, fmt.Errorf("`%s` and `%s` flags are mutually exclusive", endpointFlag, localDumpFlag)
+		}
+		c, err = newLocalClient(cmd, v, wallets)
+	} else {
+		c, err = getN3Client(v)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("can't create N3 client: %w", err)
+	}
+
+	committeeAcc, err := getWalletAccount(wallets[0], committeeAccountName)
+	if err != nil {
+		return nil, fmt.Errorf("can't find committee account: %w", err)
+	}
+
+	consensusAcc, err := getWalletAccount(wallets[0], consensusAccountName)
+	if err != nil {
+		return nil, fmt.Errorf("can't find consensus account: %w", err)
+	}
+
+	var ctrPath string
+	if cmd.Name() == "init" {
+		if viper.GetInt64(epochDurationInitFlag) <= 0 {
+			return nil, fmt.Errorf("epoch duration must be positive")
+		}
+
+		if viper.GetInt64(maxObjectSizeInitFlag) <= 0 {
+			return nil, fmt.Errorf("max object size must be positive")
+		}
+	}
+
+	if needContracts {
+		ctrPath, err = cmd.Flags().GetString(contractsInitFlag)
+		if err != nil {
+			return nil, fmt.Errorf("invalid contracts path: %w", err)
+		}
+	}
+
+	if err := checkNotaryEnabled(c); err != nil {
+		return nil, err
+	}
+
+	accounts := make([]*wallet.Account, len(wallets))
+	for i, w := range wallets {
+		acc, err := getWalletAccount(w, singleAccountName)
+		if err != nil {
+			return nil, fmt.Errorf("wallet %s is invalid (no single account): %w", w.Path(), err)
+		}
+		accounts[i] = acc
+	}
+
+	cliCtx, err := defaultClientContext(c, committeeAcc)
+	if err != nil {
+		return nil, fmt.Errorf("client context: %w", err)
+	}
+
+	initCtx := &initializeContext{
+		clientContext:  *cliCtx,
+		ConsensusAcc:   consensusAcc,
+		CommitteeAcc:   committeeAcc,
+		ContractWallet: w,
+		Wallets:        wallets,
+		Accounts:       accounts,
+		Command:        cmd,
+		Contracts:      make(map[string]*contractState),
+		ContractPath:   ctrPath,
+	}
+
+	if needContracts {
+		err := initCtx.readContracts(fullContractList)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return initCtx, nil
+}
+
+func openAlphabetWallets(v *viper.Viper, walletDir string) ([]*wallet.Wallet, error) {
+	walletFiles, err := os.ReadDir(walletDir)
+	if err != nil {
+		return nil, fmt.Errorf("can't read alphabet wallets dir: %w", err)
+	}
+
+	var size int
+loop:
+	for i := 0; i < len(walletFiles); i++ {
+		name := innerring.GlagoliticLetter(i).String() + ".json"
+		for j := range walletFiles {
+			if walletFiles[j].Name() == name {
+				size++
+				continue loop
+			}
+		}
+		break
+	}
+	if size == 0 {
+		return nil, errors.New("alphabet wallets dir is empty (run `generate-alphabet` command first)")
+	}
+
+	wallets := make([]*wallet.Wallet, size)
+	for i := 0; i < size; i++ {
+		letter := innerring.GlagoliticLetter(i).String()
+		p := filepath.Join(walletDir, letter+".json")
+		w, err := wallet.NewWalletFromFile(p)
+		if err != nil {
+			return nil, fmt.Errorf("can't open wallet: %w", err)
+		}
+
+		password, err := config.GetPassword(v, letter)
+		if err != nil {
+			return nil, fmt.Errorf("can't fetch password: %w", err)
+		}
+
+		for i := range w.Accounts {
+			if err := w.Accounts[i].Decrypt(password, keys.NEP2ScryptParams()); err != nil {
+				return nil, fmt.Errorf("can't unlock wallet: %w", err)
+			}
+		}
+
+		wallets[i] = w
+	}
+
+	return wallets, nil
+}
+
+func (c *initializeContext) awaitTx() error {
+	return c.clientContext.awaitTx(c.Command)
+}
+
+func (c *initializeContext) nnsContractState() (*state.Contract, error) {
+	if c.nnsCs != nil {
+		return c.nnsCs, nil
+	}
+
+	cs, err := c.Client.GetContractStateByID(1)
+	if err != nil {
+		return nil, err
+	}
+
+	c.nnsCs = cs
+	return cs, nil
+}
+
+func (c *initializeContext) getSigner(tryGroup bool, acc *wallet.Account) transaction.Signer {
+	if tryGroup && c.groupKey != nil {
+		return transaction.Signer{
+			Account:       acc.Contract.ScriptHash(),
+			Scopes:        transaction.CustomGroups,
+			AllowedGroups: keys.PublicKeys{c.groupKey},
+		}
+	}
+
+	signer := transaction.Signer{
+		Account: acc.Contract.ScriptHash(),
+		Scopes:  transaction.Global, // Scope is important, as we have nested call to container contract.
+	}
+
+	if !tryGroup {
+		return signer
+	}
+
+	nnsCs, err := c.nnsContractState()
+	if err != nil {
+		return signer
+	}
+
+	groupKey, err := nnsResolveKey(c.ReadOnlyInvoker, nnsCs.Hash, morphClient.NNSGroupKeyName)
+	if err == nil {
+		c.groupKey = groupKey
+
+		signer.Scopes = transaction.CustomGroups
+		signer.AllowedGroups = keys.PublicKeys{groupKey}
+	}
+	return signer
+}
+
+func (c *clientContext) awaitTx(cmd *cobra.Command) error {
+	if len(c.SentTxs) == 0 {
+		return nil
+	}
+
+	if local, ok := c.Client.(*localClient); ok {
+		if err := local.putTransactions(); err != nil {
+			return fmt.Errorf("can't persist transactions: %w", err)
+		}
+	}
+
+	err := awaitTx(cmd, c.Client, c.SentTxs)
+	c.SentTxs = c.SentTxs[:0]
+
+	return err
+}
+
+func awaitTx(cmd *cobra.Command, c Client, txs []hashVUBPair) error {
+	cmd.Println("Waiting for transactions to persist...")
+
+	const pollInterval = time.Second
+
+	tick := time.NewTicker(pollInterval)
+	defer tick.Stop()
+
+	at := trigger.Application
+
+	var retErr error
+
+	currBlock, err := c.GetBlockCount()
+	if err != nil {
+		return fmt.Errorf("can't fetch current block height: %w", err)
+	}
+
+loop:
+	for i := range txs {
+		res, err := c.GetApplicationLog(txs[i].hash, &at)
+		if err == nil {
+			if retErr == nil && len(res.Executions) > 0 && res.Executions[0].VMState != vmstate.Halt {
+				retErr = fmt.Errorf("tx %d persisted in %s state: %s",
+					i, res.Executions[0].VMState, res.Executions[0].FaultException)
+			}
+			continue loop
+		}
+		if txs[i].vub < currBlock {
+			return fmt.Errorf("tx was not persisted: vub=%d, height=%d", txs[i].vub, currBlock)
+		}
+		for range tick.C {
+			// We must fetch current height before application log, to avoid race condition.
+			currBlock, err = c.GetBlockCount()
+			if err != nil {
+				return fmt.Errorf("can't fetch current block height: %w", err)
+			}
+			res, err := c.GetApplicationLog(txs[i].hash, &at)
+			if err == nil {
+				if retErr == nil && len(res.Executions) > 0 && res.Executions[0].VMState != vmstate.Halt {
+					retErr = fmt.Errorf("tx %d persisted in %s state: %s",
+						i, res.Executions[0].VMState, res.Executions[0].FaultException)
+				}
+				continue loop
+			}
+			if txs[i].vub < currBlock {
+				return fmt.Errorf("tx was not persisted: vub=%d, height=%d", txs[i].vub, currBlock)
+			}
+		}
+	}
+
+	return retErr
+}
+
+// sendCommitteeTx creates transaction from script, signs it by committee nodes and sends it to RPC.
+// If tryGroup is false, global scope is used for the signer (useful when
+// working with native contracts).
+func (c *initializeContext) sendCommitteeTx(script []byte, tryGroup bool) error {
+	return c.sendMultiTx(script, tryGroup, false)
+}
+
+// sendConsensusTx creates transaction from script, signs it by alphabet nodes and sends it to RPC.
+// Not that because this is used only after the contracts were initialized and deployed,
+// we always try to have a group scope.
+func (c *initializeContext) sendConsensusTx(script []byte) error {
+	return c.sendMultiTx(script, true, true)
+}
+
+func (c *initializeContext) sendMultiTx(script []byte, tryGroup bool, withConsensus bool) error {
+	var act *actor.Actor
+	var err error
+
+	withConsensus = withConsensus && !c.ConsensusAcc.Contract.ScriptHash().Equals(c.CommitteeAcc.ScriptHash())
+	if tryGroup {
+		// Even for consensus signatures we need the committee to pay.
+		signers := make([]actor.SignerAccount, 1, 2)
+		signers[0] = actor.SignerAccount{
+			Signer:  c.getSigner(tryGroup, c.CommitteeAcc),
+			Account: c.CommitteeAcc,
+		}
+		if withConsensus {
+			signers = append(signers, actor.SignerAccount{
+				Signer:  c.getSigner(tryGroup, c.ConsensusAcc),
+				Account: c.ConsensusAcc,
+			})
+		}
+		act, err = actor.New(c.Client, signers)
+	} else {
+		if withConsensus {
+			panic("BUG: should never happen")
+		}
+		act, err = c.CommitteeAct, nil
+	}
+	if err != nil {
+		return fmt.Errorf("could not create actor: %w", err)
+	}
+
+	tx, err := act.MakeUnsignedRun(script, []transaction.Attribute{{Type: transaction.HighPriority}})
+	if err != nil {
+		return fmt.Errorf("could not perform test invocation: %w", err)
+	}
+
+	if err := c.multiSign(tx, committeeAccountName); err != nil {
+		return err
+	}
+	if withConsensus {
+		if err := c.multiSign(tx, consensusAccountName); err != nil {
+			return err
+		}
+	}
+
+	return c.sendTx(tx, c.Command, false)
+}
+
+func getWalletAccount(w *wallet.Wallet, typ string) (*wallet.Account, error) {
+	for i := range w.Accounts {
+		if w.Accounts[i].Label == typ {
+			return w.Accounts[i], nil
+		}
+	}
+	return nil, fmt.Errorf("account for '%s' not found", typ)
+}
+
+func checkNotaryEnabled(c Client) error {
+	ns, err := c.GetNativeContracts()
+	if err != nil {
+		return fmt.Errorf("can't get native contract hashes: %w", err)
+	}
+
+	notaryEnabled := false
+	nativeHashes := make(map[string]util.Uint160, len(ns))
+	for i := range ns {
+		if ns[i].Manifest.Name == nativenames.Notary {
+			notaryEnabled = len(ns[i].UpdateHistory) > 0
+		}
+		nativeHashes[ns[i].Manifest.Name] = ns[i].Hash
+	}
+	if !notaryEnabled {
+		return errors.New("notary contract must be enabled")
+	}
+	return nil
+}

cmd/frostfs-adm/internal/modules/morph/initialize_deploy.go

@@ -0,0 +1,592 @@
+package morph
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/TrueCloudLab/frostfs-contract/common"
+	"github.com/TrueCloudLab/frostfs-contract/nns"
+	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
+	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	io2 "github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/manifest"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/nef"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
+	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+	"github.com/spf13/viper"
+)
+
+const (
+	nnsContract        = "nns"
+	frostfsContract    = "frostfs"    // not deployed in side-chain.
+	processingContract = "processing" // not deployed in side-chain.
+	alphabetContract   = "alphabet"
+	auditContract      = "audit"
+	balanceContract    = "balance"
+	containerContract  = "container"
+	frostfsIDContract  = "frostfsid"
+	netmapContract     = "netmap"
+	proxyContract      = "proxy"
+	reputationContract = "reputation"
+	subnetContract     = "subnet"
+)
+
+const (
+	netmapEpochKey                   = "EpochDuration"
+	netmapMaxObjectSizeKey           = "MaxObjectSize"
+	netmapAuditFeeKey                = "AuditFee"
+	netmapContainerFeeKey            = "ContainerFee"
+	netmapContainerAliasFeeKey       = "ContainerAliasFee"
+	netmapEigenTrustIterationsKey    = "EigenTrustIterations"
+	netmapEigenTrustAlphaKey         = "EigenTrustAlpha"
+	netmapBasicIncomeRateKey         = "BasicIncomeRate"
+	netmapInnerRingCandidateFeeKey   = "InnerRingCandidateFee"
+	netmapWithdrawFeeKey             = "WithdrawFee"
+	netmapHomomorphicHashDisabledKey = "HomomorphicHashingDisabled"
+	netmapMaintenanceAllowedKey      = "MaintenanceModeAllowed"
+
+	defaultEigenTrustIterations = 4
+	defaultEigenTrustAlpha      = "0.1"
+)
+
+var (
+	contractList = []string{
+		auditContract,
+		balanceContract,
+		containerContract,
+		frostfsIDContract,
+		netmapContract,
+		proxyContract,
+		reputationContract,
+		subnetContract,
+	}
+
+	fullContractList = append([]string{
+		frostfsContract,
+		processingContract,
+		nnsContract,
+		alphabetContract,
+	}, contractList...)
+)
+
+type contractState struct {
+	NEF         *nef.File
+	RawNEF      []byte
+	Manifest    *manifest.Manifest
+	RawManifest []byte
+	Hash        util.Uint160
+}
+
+const (
+	updateMethodName = "update"
+	deployMethodName = "deploy"
+)
+
+func (c *initializeContext) deployNNS(method string) error {
+	cs := c.getContract(nnsContract)
+	h := cs.Hash
+
+	nnsCs, err := c.nnsContractState()
+	if err == nil {
+		if nnsCs.NEF.Checksum == cs.NEF.Checksum {
+			if method == deployMethodName {
+				c.Command.Println("NNS contract is already deployed.")
+			} else {
+				c.Command.Println("NNS contract is already updated.")
+			}
+			return nil
+		}
+		h = nnsCs.Hash
+	}
+
+	err = c.addManifestGroup(h, cs)
+	if err != nil {
+		return fmt.Errorf("can't sign manifest group: %v", err)
+	}
+
+	params := getContractDeployParameters(cs, nil)
+	signer := transaction.Signer{
+		Account: c.CommitteeAcc.Contract.ScriptHash(),
+		Scopes:  transaction.CalledByEntry,
+	}
+
+	invokeHash := management.Hash
+	if method == updateMethodName {
+		invokeHash = nnsCs.Hash
+	}
+
+	res, err := invokeFunction(c.Client, invokeHash, method, params, []transaction.Signer{signer})
+	if err != nil {
+		return fmt.Errorf("can't deploy NNS contract: %w", err)
+	}
+	if res.State != vmstate.Halt.String() {
+		return fmt.Errorf("can't deploy NNS contract: %s", res.FaultException)
+	}
+
+	tx, err := c.Client.CreateTxFromScript(res.Script, c.CommitteeAcc, res.GasConsumed, 0, []rpcclient.SignerAccount{{
+		Signer:  signer,
+		Account: c.CommitteeAcc,
+	}})
+	if err != nil {
+		return fmt.Errorf("failed to create deploy tx for %s: %w", nnsContract, err)
+	}
+
+	if err := c.multiSignAndSend(tx, committeeAccountName); err != nil {
+		return fmt.Errorf("can't send deploy transaction: %w", err)
+	}
+
+	return c.awaitTx()
+}
+
+func (c *initializeContext) updateContracts() error {
+	alphaCs := c.getContract(alphabetContract)
+
+	nnsCs, err := c.nnsContractState()
+	if err != nil {
+		return err
+	}
+	nnsHash := nnsCs.Hash
+
+	w := io2.NewBufBinWriter()
+
+	var keysParam []any
+
+	// Update script size for a single-node committee is close to the maximum allowed size of 65535.
+	// Because of this we want to reuse alphabet contract NEF and manifest for different updates.
+	// The generated script is as following.
+	// 1. Initialize static slot for alphabet NEF.
+	// 2. Store NEF into the static slot.
+	// 3. Push parameters for each alphabet contract on stack.
+	// 4. Add contract group to the manifest.
+	// 5. For each alphabet contract, invoke `update` using parameters on stack and
+	//    NEF from step 2 and manifest from step 4.
+	emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
+	emit.Bytes(w.BinWriter, alphaCs.RawNEF)
+	emit.Opcodes(w.BinWriter, opcode.STSFLD0)
+
+	baseGroups := alphaCs.Manifest.Groups
+
+	// alphabet contracts should be deployed by individual nodes to get different hashes.
+	for i, acc := range c.Accounts {
+		ctrHash, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, getAlphabetNNSDomain(i))
+		if err != nil {
+			return fmt.Errorf("can't resolve hash for contract update: %w", err)
+		}
+
+		keysParam = append(keysParam, acc.PrivateKey().PublicKey().Bytes())
+
+		params := c.getAlphabetDeployItems(i, len(c.Wallets))
+		emit.Array(w.BinWriter, params...)
+
+		alphaCs.Manifest.Groups = baseGroups
+		err = c.addManifestGroup(ctrHash, alphaCs)
+		if err != nil {
+			return fmt.Errorf("can't sign manifest group: %v", err)
+		}
+
+		emit.Bytes(w.BinWriter, alphaCs.RawManifest)
+		emit.Opcodes(w.BinWriter, opcode.LDSFLD0)
+		emit.Int(w.BinWriter, 3)
+		emit.Opcodes(w.BinWriter, opcode.PACK)
+		emit.AppCallNoArgs(w.BinWriter, ctrHash, updateMethodName, callflag.All)
+	}
+
+	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
+		if !strings.Contains(err.Error(), common.ErrAlreadyUpdated) {
+			return err
+		}
+		c.Command.Println("Alphabet contracts are already updated.")
+	}
+
+	w.Reset()
+
+	emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
+	emit.AppCall(w.BinWriter, nnsHash, "getPrice", callflag.All)
+	emit.Opcodes(w.BinWriter, opcode.STSFLD0)
+	emit.AppCall(w.BinWriter, nnsHash, "setPrice", callflag.All, 1)
+
+	for _, ctrName := range contractList {
+		cs := c.getContract(ctrName)
+
+		method := updateMethodName
+		ctrHash, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, ctrName+".frostfs")
+		if err != nil {
+			if errors.Is(err, errMissingNNSRecord) {
+				// if contract not found we deploy it instead of update
+				method = deployMethodName
+			} else {
+				return fmt.Errorf("can't resolve hash for contract update: %w", err)
+			}
+		}
+
+		err = c.addManifestGroup(ctrHash, cs)
+		if err != nil {
+			return fmt.Errorf("can't sign manifest group: %v", err)
+		}
+
+		invokeHash := management.Hash
+		if method == updateMethodName {
+			invokeHash = ctrHash
+		}
+
+		params := getContractDeployParameters(cs, c.getContractDeployData(ctrName, keysParam))
+		res, err := c.CommitteeAct.MakeCall(invokeHash, method, params...)
+		if err != nil {
+			if method != updateMethodName || !strings.Contains(err.Error(), common.ErrAlreadyUpdated) {
+				return fmt.Errorf("deploy contract: %w", err)
+			}
+			c.Command.Printf("%s contract is already updated.\n", ctrName)
+			continue
+		}
+
+		w.WriteBytes(res.Script)
+
+		if method == deployMethodName {
+			// same actions are done in initializeContext.setNNS, can be unified
+			domain := ctrName + ".frostfs"
+			script, ok, err := c.nnsRegisterDomainScript(nnsHash, cs.Hash, domain)
+			if err != nil {
+				return err
+			}
+			if !ok {
+				w.WriteBytes(script)
+				emit.AppCall(w.BinWriter, nnsHash, "deleteRecords", callflag.All, domain, int64(nns.TXT))
+				emit.AppCall(w.BinWriter, nnsHash, "addRecord", callflag.All,
+					domain, int64(nns.TXT), cs.Hash.StringLE())
+				emit.AppCall(w.BinWriter, nnsHash, "addRecord", callflag.All,
+					domain, int64(nns.TXT), address.Uint160ToString(cs.Hash))
+			}
+			c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
+		}
+	}
+
+	groupKey := c.ContractWallet.Accounts[0].PrivateKey().PublicKey()
+	_, _, err = c.emitUpdateNNSGroupScript(w, nnsHash, groupKey)
+	if err != nil {
+		return err
+	}
+	c.Command.Printf("NNS: Set %s -> %s\n", morphClient.NNSGroupKeyName, hex.EncodeToString(groupKey.Bytes()))
+
+	emit.Opcodes(w.BinWriter, opcode.LDSFLD0)
+	emit.Int(w.BinWriter, 1)
+	emit.Opcodes(w.BinWriter, opcode.PACK)
+	emit.AppCallNoArgs(w.BinWriter, nnsHash, "setPrice", callflag.All)
+
+	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
+		return err
+	}
+	return c.awaitTx()
+}
+
+func (c *initializeContext) deployContracts() error {
+	alphaCs := c.getContract(alphabetContract)
+
+	var keysParam []any
+
+	baseGroups := alphaCs.Manifest.Groups
+
+	// alphabet contracts should be deployed by individual nodes to get different hashes.
+	for i, acc := range c.Accounts {
+		ctrHash := state.CreateContractHash(acc.Contract.ScriptHash(), alphaCs.NEF.Checksum, alphaCs.Manifest.Name)
+		if c.isUpdated(ctrHash, alphaCs) {
+			c.Command.Printf("Alphabet contract #%d is already deployed.\n", i)
+			continue
+		}
+
+		alphaCs.Manifest.Groups = baseGroups
+		err := c.addManifestGroup(ctrHash, alphaCs)
+		if err != nil {
+			return fmt.Errorf("can't sign manifest group: %v", err)
+		}
+
+		keysParam = append(keysParam, acc.PrivateKey().PublicKey().Bytes())
+		params := getContractDeployParameters(alphaCs, c.getAlphabetDeployItems(i, len(c.Wallets)))
+
+		act, err := actor.NewSimple(c.Client, acc)
+		if err != nil {
+			return fmt.Errorf("could not create actor: %w", err)
+		}
+
+		txHash, vub, err := act.SendCall(management.Hash, deployMethodName, params...)
+		if err != nil {
+			return fmt.Errorf("can't deploy alphabet #%d contract: %w", i, err)
+		}
+
+		c.SentTxs = append(c.SentTxs, hashVUBPair{hash: txHash, vub: vub})
+	}
+
+	for _, ctrName := range contractList {
+		cs := c.getContract(ctrName)
+
+		ctrHash := cs.Hash
+		if c.isUpdated(ctrHash, cs) {
+			c.Command.Printf("%s contract is already deployed.\n", ctrName)
+			continue
+		}
+
+		err := c.addManifestGroup(ctrHash, cs)
+		if err != nil {
+			return fmt.Errorf("can't sign manifest group: %v", err)
+		}
+
+		params := getContractDeployParameters(cs, c.getContractDeployData(ctrName, keysParam))
+		res, err := c.CommitteeAct.MakeCall(management.Hash, deployMethodName, params...)
+		if err != nil {
+			return fmt.Errorf("can't deploy %s contract: %w", ctrName, err)
+		}
+
+		if err := c.sendCommitteeTx(res.Script, false); err != nil {
+			return err
+		}
+	}
+
+	return c.awaitTx()
+}
+
+func (c *initializeContext) isUpdated(ctrHash util.Uint160, cs *contractState) bool {
+	realCs, err := c.Client.GetContractStateByHash(ctrHash)
+	return err == nil && realCs.NEF.Checksum == cs.NEF.Checksum
+}
+
+func (c *initializeContext) getContract(ctrName string) *contractState {
+	return c.Contracts[ctrName]
+}
+
+func (c *initializeContext) readContracts(names []string) error {
+	var (
+		fi  os.FileInfo
+		err error
+	)
+	if c.ContractPath != "" {
+		fi, err = os.Stat(c.ContractPath)
+		if err != nil {
+			return fmt.Errorf("invalid contracts path: %w", err)
+		}
+	}
+
+	if c.ContractPath != "" && fi.IsDir() {
+		for _, ctrName := range names {
+			cs, err := readContract(filepath.Join(c.ContractPath, ctrName), ctrName)
+			if err != nil {
+				return err
+			}
+			c.Contracts[ctrName] = cs
+		}
+	} else {
+		var r io.ReadCloser
+		if c.ContractPath == "" {
+			c.Command.Println("Contracts flag is missing, latest release will be fetched from Github.")
+			r, err = downloadContractsFromGithub(c.Command)
+		} else {
+			r, err = os.Open(c.ContractPath)
+		}
+		if err != nil {
+			return fmt.Errorf("can't open contracts archive: %w", err)
+		}
+		defer r.Close()
+
+		m, err := readContractsFromArchive(r, names)
+		if err != nil {
+			return err
+		}
+		for _, name := range names {
+			if err := m[name].parse(); err != nil {
+				return err
+			}
+			c.Contracts[name] = m[name]
+		}
+	}
+
+	for _, ctrName := range names {
+		if ctrName != alphabetContract {
+			cs := c.Contracts[ctrName]
+			cs.Hash = state.CreateContractHash(c.CommitteeAcc.Contract.ScriptHash(),
+				cs.NEF.Checksum, cs.Manifest.Name)
+		}
+	}
+	return nil
+}
+
+func readContract(ctrPath, ctrName string) (*contractState, error) {
+	rawNef, err := os.ReadFile(filepath.Join(ctrPath, ctrName+"_contract.nef"))
+	if err != nil {
+		return nil, fmt.Errorf("can't read NEF file for %s contract: %w", ctrName, err)
+	}
+	rawManif, err := os.ReadFile(filepath.Join(ctrPath, "config.json"))
+	if err != nil {
+		return nil, fmt.Errorf("can't read manifest file for %s contract: %w", ctrName, err)
+	}
+
+	cs := &contractState{
+		RawNEF:      rawNef,
+		RawManifest: rawManif,
+	}
+
+	return cs, cs.parse()
+}
+
+func (cs *contractState) parse() error {
+	nf, err := nef.FileFromBytes(cs.RawNEF)
+	if err != nil {
+		return fmt.Errorf("can't parse NEF file: %w", err)
+	}
+
+	m := new(manifest.Manifest)
+	if err := json.Unmarshal(cs.RawManifest, m); err != nil {
+		return fmt.Errorf("can't parse manifest file: %w", err)
+	}
+
+	cs.NEF = &nf
+	cs.Manifest = m
+	return nil
+}
+
+func readContractsFromArchive(file io.Reader, names []string) (map[string]*contractState, error) {
+	m := make(map[string]*contractState, len(names))
+	for i := range names {
+		m[names[i]] = new(contractState)
+	}
+
+	gr, err := gzip.NewReader(file)
+	if err != nil {
+		return nil, fmt.Errorf("contracts file must be tar.gz archive: %w", err)
+	}
+
+	r := tar.NewReader(gr)
+	for h, err := r.Next(); ; h, err = r.Next() {
+		if err != nil {
+			break
+		}
+
+		dir, _ := filepath.Split(h.Name)
+		ctrName := filepath.Base(dir)
+
+		cs, ok := m[ctrName]
+		if !ok {
+			continue
+		}
+
+		switch {
+		case strings.HasSuffix(h.Name, filepath.Join(ctrName, ctrName+"_contract.nef")):
+			cs.RawNEF, err = io.ReadAll(r)
+			if err != nil {
+				return nil, fmt.Errorf("can't read NEF file for %s contract: %w", ctrName, err)
+			}
+		case strings.HasSuffix(h.Name, "config.json"):
+			cs.RawManifest, err = io.ReadAll(r)
+			if err != nil {
+				return nil, fmt.Errorf("can't read manifest file for %s contract: %w", ctrName, err)
+			}
+		}
+		m[ctrName] = cs
+	}
+
+	for ctrName, cs := range m {
+		if cs.RawNEF == nil {
+			return nil, fmt.Errorf("NEF for %s contract wasn't found", ctrName)
+		}
+		if cs.RawManifest == nil {
+			return nil, fmt.Errorf("manifest for %s contract wasn't found", ctrName)
+		}
+	}
+	return m, nil
+}
+
+func getContractDeployParameters(cs *contractState, deployData []any) []any {
+	return []any{cs.RawNEF, cs.RawManifest, deployData}
+}
+
+func (c *initializeContext) getContractDeployData(ctrName string, keysParam []any) []any {
+	items := make([]any, 1, 6)
+	items[0] = false // notaryDisabled is false
+
+	switch ctrName {
+	case frostfsContract:
+		items = append(items,
+			c.Contracts[processingContract].Hash,
+			keysParam,
+			smartcontract.Parameter{})
+	case processingContract:
+		items = append(items, c.Contracts[frostfsContract].Hash)
+		return items[1:] // no notary info
+	case auditContract:
+		items = append(items, c.Contracts[netmapContract].Hash)
+	case balanceContract:
+		items = append(items,
+			c.Contracts[netmapContract].Hash,
+			c.Contracts[containerContract].Hash)
+	case containerContract:
+		// In case if NNS is updated multiple times, we can't calculate
+		// it's actual hash based on local data, thus query chain.
+		nnsCs, err := c.Client.GetContractStateByID(1)
+		if err != nil {
+			panic("NNS is not yet deployed")
+		}
+		items = append(items,
+			c.Contracts[netmapContract].Hash,
+			c.Contracts[balanceContract].Hash,
+			c.Contracts[frostfsIDContract].Hash,
+			nnsCs.Hash,
+			"container")
+	case frostfsIDContract:
+		items = append(items,
+			c.Contracts[netmapContract].Hash,
+			c.Contracts[containerContract].Hash)
+	case netmapContract:
+		configParam := []any{
+			netmapEpochKey, viper.GetInt64(epochDurationInitFlag),
+			netmapMaxObjectSizeKey, viper.GetInt64(maxObjectSizeInitFlag),
+			netmapAuditFeeKey, viper.GetInt64(auditFeeInitFlag),
+			netmapContainerFeeKey, viper.GetInt64(containerFeeInitFlag),
+			netmapContainerAliasFeeKey, viper.GetInt64(containerAliasFeeInitFlag),
+			netmapEigenTrustIterationsKey, int64(defaultEigenTrustIterations),
+			netmapEigenTrustAlphaKey, defaultEigenTrustAlpha,
+			netmapBasicIncomeRateKey, viper.GetInt64(incomeRateInitFlag),
+			netmapInnerRingCandidateFeeKey, viper.GetInt64(candidateFeeInitFlag),
+			netmapWithdrawFeeKey, viper.GetInt64(withdrawFeeInitFlag),
+			netmapHomomorphicHashDisabledKey, viper.GetBool(homomorphicHashDisabledInitFlag),
+			netmapMaintenanceAllowedKey, viper.GetBool(maintenanceModeAllowedInitFlag),
+		}
+		items = append(items,
+			c.Contracts[balanceContract].Hash,
+			c.Contracts[containerContract].Hash,
+			keysParam,
+			configParam)
+	case proxyContract:
+		items = nil
+	case reputationContract:
+	case subnetContract:
+	default:
+		panic(fmt.Sprintf("invalid contract name: %s", ctrName))
+	}
+	return items
+}
+
+func (c *initializeContext) getAlphabetDeployItems(i, n int) []any {
+	items := make([]any, 6)
+	items[0] = false
+	items[1] = c.Contracts[netmapContract].Hash
+	items[2] = c.Contracts[proxyContract].Hash
+	items[3] = innerring.GlagoliticLetter(i).String()
+	items[4] = int64(i)
+	items[5] = int64(n)
+	return items
+}

cmd/frostfs-adm/internal/modules/morph/initialize_nns.go

@@ -0,0 +1,291 @@
+package morph
+
+import (
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/TrueCloudLab/frostfs-contract/nns"
+	morphClient "github.com/TrueCloudLab/frostfs-node/pkg/morph/client"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+)
+
+const defaultExpirationTime = 10 * 365 * 24 * time.Hour / time.Second
+
+func (c *initializeContext) setNNS() error {
+	nnsCs, err := c.Client.GetContractStateByID(1)
+	if err != nil {
+		return err
+	}
+
+	ok, err := c.nnsRootRegistered(nnsCs.Hash, "frostfs")
+	if err != nil {
+		return err
+	} else if !ok {
+		bw := io.NewBufBinWriter()
+		emit.AppCall(bw.BinWriter, nnsCs.Hash, "register", callflag.All,
+			"frostfs", c.CommitteeAcc.Contract.ScriptHash(),
+			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
+		if err := c.sendCommitteeTx(bw.Bytes(), true); err != nil {
+			return fmt.Errorf("can't add domain root to NNS: %w", err)
+		}
+		if err := c.awaitTx(); err != nil {
+			return err
+		}
+	}
+
+	alphaCs := c.getContract(alphabetContract)
+	for i, acc := range c.Accounts {
+		alphaCs.Hash = state.CreateContractHash(acc.Contract.ScriptHash(), alphaCs.NEF.Checksum, alphaCs.Manifest.Name)
+
+		domain := getAlphabetNNSDomain(i)
+		if err := c.nnsRegisterDomain(nnsCs.Hash, alphaCs.Hash, domain); err != nil {
+			return err
+		}
+		c.Command.Printf("NNS: Set %s -> %s\n", domain, alphaCs.Hash.StringLE())
+	}
+
+	for _, ctrName := range contractList {
+		cs := c.getContract(ctrName)
+
+		domain := ctrName + ".frostfs"
+		if err := c.nnsRegisterDomain(nnsCs.Hash, cs.Hash, domain); err != nil {
+			return err
+		}
+		c.Command.Printf("NNS: Set %s -> %s\n", domain, cs.Hash.StringLE())
+	}
+
+	groupKey := c.ContractWallet.Accounts[0].PrivateKey().PublicKey()
+	err = c.updateNNSGroup(nnsCs.Hash, groupKey)
+	if err != nil {
+		return err
+	}
+	c.Command.Printf("NNS: Set %s -> %s\n", morphClient.NNSGroupKeyName, hex.EncodeToString(groupKey.Bytes()))
+
+	return c.awaitTx()
+}
+
+func (c *initializeContext) updateNNSGroup(nnsHash util.Uint160, pub *keys.PublicKey) error {
+	bw := io.NewBufBinWriter()
+	needUpdate, needRegister, err := c.emitUpdateNNSGroupScript(bw, nnsHash, pub)
+	if !needUpdate || err != nil {
+		return err
+	}
+
+	script := bw.Bytes()
+	if needRegister {
+		w := io.NewBufBinWriter()
+		emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
+		wrapRegisterScriptWithPrice(w, nnsHash, script)
+		script = w.Bytes()
+	}
+
+	return c.sendCommitteeTx(script, true)
+}
+
+// emitUpdateNNSGroupScript emits script for updating group key stored in NNS.
+// First return value is true iff the key is already there and nothing should be done.
+// Second return value is true iff a domain registration code was emitted.
+func (c *initializeContext) emitUpdateNNSGroupScript(bw *io.BufBinWriter, nnsHash util.Uint160, pub *keys.PublicKey) (bool, bool, error) {
+	isAvail, err := nnsIsAvailable(c.Client, nnsHash, morphClient.NNSGroupKeyName)
+	if err != nil {
+		return false, false, err
+	}
+
+	if !isAvail {
+		currentPub, err := nnsResolveKey(c.ReadOnlyInvoker, nnsHash, morphClient.NNSGroupKeyName)
+		if err != nil {
+			return false, false, err
+		}
+
+		if pub.Equal(currentPub) {
+			return true, false, nil
+		}
+	}
+
+	if isAvail {
+		emit.AppCall(bw.BinWriter, nnsHash, "register", callflag.All,
+			morphClient.NNSGroupKeyName, c.CommitteeAcc.Contract.ScriptHash(),
+			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
+	}
+
+	emit.AppCall(bw.BinWriter, nnsHash, "deleteRecords", callflag.All, "group.frostfs", int64(nns.TXT))
+	emit.AppCall(bw.BinWriter, nnsHash, "addRecord", callflag.All,
+		"group.frostfs", int64(nns.TXT), hex.EncodeToString(pub.Bytes()))
+
+	return false, isAvail, nil
+}
+
+func getAlphabetNNSDomain(i int) string {
+	return alphabetContract + strconv.FormatUint(uint64(i), 10) + ".frostfs"
+}
+
+// wrapRegisterScriptWithPrice wraps a given script with `getPrice`/`setPrice` calls for NNS.
+// It is intended to be used for a single transaction, and not as a part of other scripts.
+// It is assumed that script already contains static slot initialization code, the first one
+// (with index 0) is used to store the price.
+func wrapRegisterScriptWithPrice(w *io.BufBinWriter, nnsHash util.Uint160, s []byte) {
+	if len(s) == 0 {
+		return
+	}
+
+	emit.AppCall(w.BinWriter, nnsHash, "getPrice", callflag.All)
+	emit.Opcodes(w.BinWriter, opcode.STSFLD0)
+	emit.AppCall(w.BinWriter, nnsHash, "setPrice", callflag.All, 1)
+
+	w.WriteBytes(s)
+
+	emit.Opcodes(w.BinWriter, opcode.LDSFLD0, opcode.PUSH1, opcode.PACK)
+	emit.AppCallNoArgs(w.BinWriter, nnsHash, "setPrice", callflag.All)
+
+	if w.Err != nil {
+		panic(fmt.Errorf("BUG: can't wrap register script: %w", w.Err))
+	}
+}
+
+func (c *initializeContext) nnsRegisterDomainScript(nnsHash, expectedHash util.Uint160, domain string) ([]byte, bool, error) {
+	ok, err := nnsIsAvailable(c.Client, nnsHash, domain)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if ok {
+		bw := io.NewBufBinWriter()
+		emit.AppCall(bw.BinWriter, nnsHash, "register", callflag.All,
+			domain, c.CommitteeAcc.Contract.ScriptHash(),
+			"ops@nspcc.ru", int64(3600), int64(600), int64(defaultExpirationTime), int64(3600))
+		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
+
+		if bw.Err != nil {
+			panic(bw.Err)
+		}
+		return bw.Bytes(), false, nil
+	}
+
+	s, err := nnsResolveHash(c.ReadOnlyInvoker, nnsHash, domain)
+	if err != nil {
+		return nil, false, err
+	}
+	return nil, s == expectedHash, nil
+}
+
+func (c *initializeContext) nnsRegisterDomain(nnsHash, expectedHash util.Uint160, domain string) error {
+	script, ok, err := c.nnsRegisterDomainScript(nnsHash, expectedHash, domain)
+	if ok || err != nil {
+		return err
+	}
+
+	w := io.NewBufBinWriter()
+	emit.Instruction(w.BinWriter, opcode.INITSSLOT, []byte{1})
+	wrapRegisterScriptWithPrice(w, nnsHash, script)
+
+	emit.AppCall(w.BinWriter, nnsHash, "deleteRecords", callflag.All, domain, int64(nns.TXT))
+	emit.AppCall(w.BinWriter, nnsHash, "addRecord", callflag.All,
+		domain, int64(nns.TXT), expectedHash.StringLE())
+	emit.AppCall(w.BinWriter, nnsHash, "addRecord", callflag.All,
+		domain, int64(nns.TXT), address.Uint160ToString(expectedHash))
+	return c.sendCommitteeTx(w.Bytes(), true)
+}
+
+func (c *initializeContext) nnsRootRegistered(nnsHash util.Uint160, zone string) (bool, error) {
+	res, err := c.CommitteeAct.Call(nnsHash, "isAvailable", "name."+zone)
+	if err != nil {
+		return false, err
+	}
+
+	return res.State == vmstate.Halt.String(), nil
+}
+
+var errMissingNNSRecord = errors.New("missing NNS record")
+
+// Returns errMissingNNSRecord if invocation fault exception contains "token not found".
+func nnsResolveHash(inv *invoker.Invoker, nnsHash util.Uint160, domain string) (util.Uint160, error) {
+	item, err := nnsResolve(inv, nnsHash, domain)
+	if err != nil {
+		return util.Uint160{}, err
+	}
+	return parseNNSResolveResult(item)
+}
+
+func nnsResolve(inv *invoker.Invoker, nnsHash util.Uint160, domain string) (stackitem.Item, error) {
+	return unwrap.Item(inv.Call(nnsHash, "resolve", domain, int64(nns.TXT)))
+}
+
+func nnsResolveKey(inv *invoker.Invoker, nnsHash util.Uint160, domain string) (*keys.PublicKey, error) {
+	item, err := nnsResolve(inv, nnsHash, domain)
+	if err != nil {
+		return nil, err
+	}
+	v, ok := item.Value().(stackitem.Null)
+	if ok {
+		return nil, errors.New("NNS record is missing")
+	}
+	bs, err := v.TryBytes()
+	if err != nil {
+		return nil, errors.New("malformed response")
+	}
+
+	return keys.NewPublicKeyFromString(string(bs))
+}
+
+// parseNNSResolveResult parses the result of resolving NNS record.
+// It works with multiple formats (corresponding to multiple NNS versions).
+// If array of hashes is provided, it returns only the first one.
+func parseNNSResolveResult(res stackitem.Item) (util.Uint160, error) {
+	arr, ok := res.Value().([]stackitem.Item)
+	if !ok {
+		arr = []stackitem.Item{res}
+	}
+	if _, ok := res.Value().(stackitem.Null); ok || len(arr) == 0 {
+		return util.Uint160{}, errors.New("NNS record is missing")
+	}
+	for i := range arr {
+		bs, err := arr[i].TryBytes()
+		if err != nil {
+			continue
+		}
+
+		// We support several formats for hash encoding, this logic should be maintained in sync
+		// with nnsResolve from pkg/morph/client/nns.go
+		h, err := util.Uint160DecodeStringLE(string(bs))
+		if err == nil {
+			return h, nil
+		}
+
+		h, err = address.StringToUint160(string(bs))
+		if err == nil {
+			return h, nil
+		}
+	}
+	return util.Uint160{}, errors.New("no valid hashes are found")
+}
+
+func nnsIsAvailable(c Client, nnsHash util.Uint160, name string) (bool, error) {
+	switch ct := c.(type) {
+	case *rpcclient.Client:
+		return ct.NNSIsAvailable(nnsHash, name)
+	default:
+		b, err := unwrap.Bool(invokeFunction(c, nnsHash, "isAvailable", []any{name}, nil))
+		if err != nil {
+			return false, fmt.Errorf("`isAvailable`: invalid response: %w", err)
+		}
+
+		return b, nil
+	}
+}

cmd/frostfs-adm/internal/modules/morph/initialize_register.go

@@ -0,0 +1,137 @@
+package morph
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/nspcc-dev/neo-go/pkg/core/native"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/neo"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
+)
+
+// initialAlphabetNEOAmount represents the total amount of GAS distributed between alphabet nodes.
+const initialAlphabetNEOAmount = native.NEOTotalSupply
+
+func (c *initializeContext) registerCandidates() error {
+	neoHash := neo.Hash
+
+	cc, err := unwrap.Array(c.ReadOnlyInvoker.Call(neoHash, "getCandidates"))
+	if err != nil {
+		return fmt.Errorf("`getCandidates`: %w", err)
+	}
+
+	if len(cc) > 0 {
+		c.Command.Println("Candidates are already registered.")
+		return nil
+	}
+
+	regPrice, err := c.getCandidateRegisterPrice()
+	if err != nil {
+		return fmt.Errorf("can't fetch registration price: %w", err)
+	}
+
+	w := io.NewBufBinWriter()
+	emit.AppCall(w.BinWriter, neoHash, "setRegisterPrice", callflag.States, 1)
+	for _, acc := range c.Accounts {
+		emit.AppCall(w.BinWriter, neoHash, "registerCandidate", callflag.States, acc.PrivateKey().PublicKey().Bytes())
+		emit.Opcodes(w.BinWriter, opcode.ASSERT)
+	}
+	emit.AppCall(w.BinWriter, neoHash, "setRegisterPrice", callflag.States, regPrice)
+	if w.Err != nil {
+		panic(fmt.Sprintf("BUG: %v", w.Err))
+	}
+
+	signers := []rpcclient.SignerAccount{{
+		Signer:  c.getSigner(false, c.CommitteeAcc),
+		Account: c.CommitteeAcc,
+	}}
+	for i := range c.Accounts {
+		signers = append(signers, rpcclient.SignerAccount{
+			Signer: transaction.Signer{
+				Account:          c.Accounts[i].Contract.ScriptHash(),
+				Scopes:           transaction.CustomContracts,
+				AllowedContracts: []util.Uint160{neoHash},
+			},
+			Account: c.Accounts[i],
+		})
+	}
+
+	tx, err := c.Client.CreateTxFromScript(w.Bytes(), c.CommitteeAcc, -1, 0, signers)
+	if err != nil {
+		return fmt.Errorf("can't create tx: %w", err)
+	}
+	if err := c.multiSign(tx, committeeAccountName); err != nil {
+		return fmt.Errorf("can't sign a transaction: %w", err)
+	}
+
+	network := c.CommitteeAct.GetNetwork()
+	for i := range c.Accounts {
+		if err := c.Accounts[i].SignTx(network, tx); err != nil {
+			return fmt.Errorf("can't sign a transaction: %w", err)
+		}
+	}
+
+	return c.sendTx(tx, c.Command, true)
+}
+
+func (c *initializeContext) transferNEOToAlphabetContracts() error {
+	neoHash := neo.Hash
+
+	ok, err := c.transferNEOFinished(neoHash)
+	if ok || err != nil {
+		return err
+	}
+
+	cs := c.getContract(alphabetContract)
+	amount := initialAlphabetNEOAmount / len(c.Wallets)
+
+	bw := io.NewBufBinWriter()
+	for _, acc := range c.Accounts {
+		h := state.CreateContractHash(acc.Contract.ScriptHash(), cs.NEF.Checksum, cs.Manifest.Name)
+		emit.AppCall(bw.BinWriter, neoHash, "transfer", callflag.All,
+			c.CommitteeAcc.Contract.ScriptHash(), h, int64(amount), nil)
+		emit.Opcodes(bw.BinWriter, opcode.ASSERT)
+	}
+
+	if err := c.sendCommitteeTx(bw.Bytes(), false); err != nil {
+		return err
+	}
+
+	return c.awaitTx()
+}
+
+func (c *initializeContext) transferNEOFinished(neoHash util.Uint160) (bool, error) {
+	bal, err := c.Client.NEP17BalanceOf(neoHash, c.CommitteeAcc.Contract.ScriptHash())
+	return bal < native.NEOTotalSupply, err
+}
+
+var errGetPriceInvalid = errors.New("`getRegisterPrice`: invalid response")
+
+func (c *initializeContext) getCandidateRegisterPrice() (int64, error) {
+	switch ct := c.Client.(type) {
+	case *rpcclient.Client:
+		return ct.GetCandidateRegisterPrice()
+	default:
+		neoHash := neo.Hash
+		res, err := invokeFunction(c.Client, neoHash, "getRegisterPrice", nil, nil)
+		if err != nil {
+			return 0, err
+		}
+		if len(res.Stack) == 0 {
+			return 0, errGetPriceInvalid
+		}
+		bi, err := res.Stack[0].TryInteger()
+		if err != nil || !bi.IsInt64() {
+			return 0, errGetPriceInvalid
+		}
+		return bi.Int64(), nil
+	}
+}

cmd/frostfs-adm/internal/modules/morph/initialize_roles.go

@@ -1,9 +1,9 @@
 package morph
 
 import (
-	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
 	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/rolemgmt"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
 )
@@ -16,20 +16,18 @@ func (c *initializeContext) setNotaryAndAlphabetNodes() error {
 		return err
 	}
 
-	designateHash := c.nativeHash(nativenames.Designation)
-
-	var pubs []interface{}
+	var pubs []any
 	for _, acc := range c.Accounts {
 		pubs = append(pubs, acc.PrivateKey().PublicKey().Bytes())
 	}
 
 	w := io.NewBufBinWriter()
-	emit.AppCall(w.BinWriter, designateHash, "designateAsRole",
+	emit.AppCall(w.BinWriter, rolemgmt.Hash, "designateAsRole",
 		callflag.States|callflag.AllowNotify, int64(noderoles.P2PNotary), pubs)
-	emit.AppCall(w.BinWriter, designateHash, "designateAsRole",
+	emit.AppCall(w.BinWriter, rolemgmt.Hash, "designateAsRole",
 		callflag.States|callflag.AllowNotify, int64(noderoles.NeoFSAlphabet), pubs)
 
-	if err := c.sendCommitteeTx(w.Bytes(), -1); err != nil {
+	if err := c.sendCommitteeTx(w.Bytes(), false); err != nil {
 		return err
 	}
 
@@ -42,6 +40,6 @@ func (c *initializeContext) setRolesFinished() (bool, error) {
 		return false, err
 	}
 
-	pubs, err := c.Client.GetDesignatedByRole(noderoles.NeoFSAlphabet, height)
+	pubs, err := getDesignatedByRole(c.ReadOnlyInvoker, rolemgmt.Hash, noderoles.NeoFSAlphabet, height)
 	return len(pubs) == len(c.Wallets), err
 }

cmd/frostfs-adm/internal/modules/morph/initialize_test.go

@@ -0,0 +1,121 @@
+package morph
+
+import (
+	"encoding/hex"
+	"os"
+	"path/filepath"
+	"strconv"
+	"testing"
+
+	"github.com/TrueCloudLab/frostfs-node/pkg/innerring"
+	"github.com/nspcc-dev/neo-go/pkg/config"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/vm"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v3"
+)
+
+const (
+	contractsPath = "../../../../../../frostfs-contract/frostfs-contract-v0.16.0.tar.gz"
+	protoFileName = "proto.yml"
+)
+
+func TestInitialize(t *testing.T) {
+	// This test needs frostfs-contract tarball, so it is skipped by default.
+	// It is here for performing local testing after the changes.
+	t.Skip()
+
+	t.Run("1 nodes", func(t *testing.T) {
+		testInitialize(t, 1)
+	})
+	t.Run("4 nodes", func(t *testing.T) {
+		testInitialize(t, 4)
+	})
+	t.Run("7 nodes", func(t *testing.T) {
+		testInitialize(t, 7)
+	})
+}
+
+func testInitialize(t *testing.T, committeeSize int) {
+	testdataDir := t.TempDir()
+	v := viper.GetViper()
+
+	generateTestData(t, testdataDir, committeeSize)
+	v.Set(protoConfigPath, filepath.Join(testdataDir, protoFileName))
+
+	// Set to the path or remove the next statement to download from the network.
+	require.NoError(t, initCmd.Flags().Set(contractsInitFlag, contractsPath))
+	v.Set(localDumpFlag, filepath.Join(testdataDir, "out"))
+	v.Set(alphabetWalletsFlag, testdataDir)
+	v.Set(epochDurationInitFlag, 1)
+	v.Set(maxObjectSizeInitFlag, 1024)
+
+	setTestCredentials(v, committeeSize)
+	require.NoError(t, initializeSideChainCmd(initCmd, nil))
+
+	t.Run("force-new-epoch", func(t *testing.T) {
+		require.NoError(t, forceNewEpochCmd(forceNewEpoch, nil))
+	})
+	t.Run("set-config", func(t *testing.T) {
+		require.NoError(t, setConfigCmd(setConfig, []string{"MaintenanceModeAllowed=true"}))
+	})
+	t.Run("set-policy", func(t *testing.T) {
+		require.NoError(t, setPolicyCmd(setPolicy, []string{"ExecFeeFactor=1"}))
+	})
+	t.Run("remove-node", func(t *testing.T) {
+		pk, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+
+		pub := hex.EncodeToString(pk.PublicKey().Bytes())
+		require.NoError(t, removeNodesCmd(removeNodes, []string{pub}))
+	})
+}
+
+func generateTestData(t *testing.T, dir string, size int) {
+	v := viper.GetViper()
+	v.Set(alphabetWalletsFlag, dir)
+
+	sizeStr := strconv.FormatUint(uint64(size), 10)
+	require.NoError(t, generateAlphabetCmd.Flags().Set(alphabetSizeFlag, sizeStr))
+
+	setTestCredentials(v, size)
+	require.NoError(t, generateAlphabetCreds(generateAlphabetCmd, nil))
+
+	var pubs []string
+	for i := 0; i < size; i++ {
+		p := filepath.Join(dir, innerring.GlagoliticLetter(i).String()+".json")
+		w, err := wallet.NewWalletFromFile(p)
+		require.NoError(t, err, "wallet doesn't exist")
+		for _, acc := range w.Accounts {
+			if acc.Label == singleAccountName {
+				pub, ok := vm.ParseSignatureContract(acc.Contract.Script)
+				require.True(t, ok)
+				pubs = append(pubs, hex.EncodeToString(pub))
+				continue
+			}
+		}
+	}
+
+	cfg := config.Config{}
+	cfg.ProtocolConfiguration.Magic = 12345
+	cfg.ProtocolConfiguration.ValidatorsCount = size
+	cfg.ProtocolConfiguration.SecondsPerBlock = 1
+	cfg.ProtocolConfiguration.StandbyCommittee = pubs // sorted by glagolic letters
+	cfg.ProtocolConfiguration.P2PSigExtensions = true
+	cfg.ProtocolConfiguration.VerifyTransactions = true
+	cfg.ProtocolConfiguration.VerifyBlocks = true
+	data, err := yaml.Marshal(cfg)
+	require.NoError(t, err)
+
+	protoPath := filepath.Join(dir, protoFileName)
+	require.NoError(t, os.WriteFile(protoPath, data, os.ModePerm))
+}
+
+func setTestCredentials(v *viper.Viper, size int) {
+	for i := 0; i < size; i++ {
+		v.Set("credentials."+innerring.GlagoliticLetter(i).String(), strconv.FormatUint(uint64(i), 10))
+	}
+	v.Set("credentials.contract", testContractPassword)
+}

cmd/frostfs-adm/internal/modules/morph/initialize_transfer.go

@@ -4,17 +4,23 @@ import (
 	"fmt"
 
 	"github.com/nspcc-dev/neo-go/pkg/core/native"
-	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
-	"github.com/nspcc-dev/neo-go/pkg/rpc/client"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/neo"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
 	scContext "github.com/nspcc-dev/neo-go/pkg/smartcontract/context"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
 )
 
 const (
 	gasInitialTotalSupply = 30000000 * native.GASFactor
-	// initialAlphabetGASAmount represents amount of GAS given to each alphabet node.
+	// initialAlphabetGASAmount represents the amount of GAS given to each alphabet node.
 	initialAlphabetGASAmount = 10_000 * native.GASFactor
-	// initialProxyGASAmount represents amount of GAS given to proxy contract.
+	// initialProxyGASAmount represents the amount of GAS given to a proxy contract.
 	initialProxyGASAmount = 50_000 * native.GASFactor
 )
 
@@ -27,15 +33,12 @@ func (c *initializeContext) transferFunds() error {
 		return err
 	}
 
-	gasHash := c.nativeHash(nativenames.Gas)
-	neoHash := c.nativeHash(nativenames.Neo)
-
-	var transfers []client.TransferTarget
+	var transfers []rpcclient.TransferTarget
 	for _, acc := range c.Accounts {
 		to := acc.Contract.ScriptHash()
 		transfers = append(transfers,
-			client.TransferTarget{
-				Token:   gasHash,
+			rpcclient.TransferTarget{
+				Token:   gas.Hash,
 				Address: to,
 				Amount:  initialAlphabetGASAmount,
 			},
@@ -44,19 +47,19 @@ func (c *initializeContext) transferFunds() error {
 
 	// It is convenient to have all funds at the committee account.
 	transfers = append(transfers,
-		client.TransferTarget{
-			Token:   gasHash,
+		rpcclient.TransferTarget{
+			Token:   gas.Hash,
 			Address: c.CommitteeAcc.Contract.ScriptHash(),
 			Amount:  (gasInitialTotalSupply - initialAlphabetGASAmount*int64(len(c.Wallets))) / 2,
 		},
-		client.TransferTarget{
-			Token:   neoHash,
+		rpcclient.TransferTarget{
+			Token:   neo.Hash,
 			Address: c.CommitteeAcc.Contract.ScriptHash(),
 			Amount:  native.NEOTotalSupply,
 		},
 	)
 
-	tx, err := c.Client.CreateNEP17MultiTransferTx(c.ConsensusAcc, 0, transfers, []client.SignerAccount{{
+	tx, err := createNEP17MultiTransferTx(c.Client, c.ConsensusAcc, 0, transfers, []rpcclient.SignerAccount{{
 		Signer: transaction.Signer{
 			Account: c.ConsensusAcc.Contract.ScriptHash(),
 			Scopes:  transaction.CalledByEntry,
@@ -75,10 +78,9 @@ func (c *initializeContext) transferFunds() error {
 }
 
 func (c *initializeContext) transferFundsFinished() (bool, error) {
-	gasHash := c.nativeHash(nativenames.Gas)
 	acc := c.Accounts[0]
 
-	res, err := c.Client.NEP17BalanceOf(gasHash, acc.Contract.ScriptHash())
+	res, err := c.Client.NEP17BalanceOf(gas.Hash, acc.Contract.ScriptHash())
 	return res > initialAlphabetGASAmount/2, err
 }
 
@@ -91,7 +93,12 @@ func (c *initializeContext) multiSignAndSend(tx *transaction.Transaction, accTyp
 }
 
 func (c *initializeContext) multiSign(tx *transaction.Transaction, accType string) error {
-	network := c.Client.GetNetwork()
+	network, err := c.Client.GetNetwork()
+	if err != nil {
+		// error appears only if client
+		// has not been initialized
+		panic(err)
+	}
 
 	// Use parameter context to avoid dealing with signature order.
 	pc := scContext.NewParameterContext("", network, tx)
@@ -115,25 +122,40 @@ func (c *initializeContext) multiSign(tx *transaction.Transaction, accType strin
 		}
 	}
 
-	w, err := pc.GetWitness(tx.Signers[0].Account)
+	w, err := pc.GetWitness(h)
 	if err != nil {
 		return fmt.Errorf("incomplete signature: %w", err)
 	}
-	tx.Scripts = append(tx.Scripts, *w)
 
-	return nil
+	for i := range tx.Signers {
+		if tx.Signers[i].Account == h {
+			if i < len(tx.Scripts) {
+				tx.Scripts[i] = *w
+			} else if i == len(tx.Scripts) {
+				tx.Scripts = append(tx.Scripts, *w)
+			} else {
+				panic("BUG: invalid signing order")
+			}
+			return nil
+		}
+	}
+
+	return fmt.Errorf("%s account was not found among transaction signers", accType)
 }
 
 func (c *initializeContext) transferGASToProxy() error {
-	gasHash := c.nativeHash(nativenames.Gas)
 	proxyCs := c.getContract(proxyContract)
 
-	bal, err := c.Client.NEP17BalanceOf(gasHash, proxyCs.Hash)
+	bal, err := c.Client.NEP17BalanceOf(gas.Hash, proxyCs.Hash)
 	if err != nil || bal > 0 {
 		return err
 	}
 
-	tx, err := c.Client.CreateNEP17TransferTx(c.CommitteeAcc, proxyCs.Hash, gasHash, initialProxyGASAmount, 0, nil, nil)
+	tx, err := createNEP17MultiTransferTx(c.Client, c.CommitteeAcc, 0, []rpcclient.TransferTarget{{
+		Token:   gas.Hash,
+		Address: proxyCs.Hash,
+		Amount:  initialProxyGASAmount,
+	}}, nil)
 	if err != nil {
 		return err
 	}
@@ -144,3 +166,25 @@ func (c *initializeContext) transferGASToProxy() error {
 
 	return c.awaitTx()
 }
+
+func createNEP17MultiTransferTx(c Client, acc *wallet.Account, netFee int64,
+	recipients []rpcclient.TransferTarget, cosigners []rpcclient.SignerAccount) (*transaction.Transaction, error) {
+	from := acc.Contract.ScriptHash()
+
+	w := io.NewBufBinWriter()
+	for i := range recipients {
+		emit.AppCall(w.BinWriter, recipients[i].Token, "transfer", callflag.All,
+			from, recipients[i].Address, recipients[i].Amount, recipients[i].Data)
+		emit.Opcodes(w.BinWriter, opcode.ASSERT)
+	}
+	if w.Err != nil {
+		return nil, fmt.Errorf("failed to create transfer script: %w", w.Err)
+	}
+	return c.CreateTxFromScript(w.Bytes(), acc, -1, netFee, append([]rpcclient.SignerAccount{{
+		Signer: transaction.Signer{
+			Account: from,
+			Scopes:  transaction.CalledByEntry,
+		},
+		Account: acc,
+	}}, cosigners...))
+}

cmd/frostfs-adm/internal/modules/morph/internal/types.go

@@ -8,7 +8,7 @@ import (
 )
 
 // StringifySubnetClientGroupID returns string representation of SubnetClientGroupID using MarshalText.
-// Returns string with message on error.
+// Returns a string with a message on error.
 func StringifySubnetClientGroupID(id *SubnetClientGroupID) string {
 	text, err := id.MarshalText()
 	if err != nil {
@@ -18,17 +18,17 @@ func StringifySubnetClientGroupID(id *SubnetClientGroupID) string {
 	return string(text)
 }
 
-// MarshalText encodes SubnetClientGroupID into text format according to NeoFS API V2 protocol:
+// MarshalText encodes SubnetClientGroupID into text format according to FrostFS API V2 protocol:
 // value in base-10 integer string format.
 //
-// Implements encoding.TextMarshaler.
+// It implements encoding.TextMarshaler.
 func (x *SubnetClientGroupID) MarshalText() ([]byte, error) {
 	num := x.GetValue() // NPE safe, returns zero on nil
 
 	return []byte(strconv.FormatUint(uint64(num), 10)), nil
 }
 
-// UnmarshalText decodes SubnetID from the text according to NeoFS API V2 protocol:
+// UnmarshalText decodes the SubnetID from the text according to FrostFS API V2 protocol:
 // should be base-10 integer string format with bitsize = 32.
 //
 // Returns strconv.ErrRange if integer overflows uint32.
@@ -47,13 +47,13 @@ func (x *SubnetClientGroupID) UnmarshalText(txt []byte) error {
 	return nil
 }
 
-// Marshal encodes SubnetClientGroupID into a binary format of NeoFS API V2 protocol
+// Marshal encodes the SubnetClientGroupID into a binary format of FrostFS API V2 protocol
 // (Protocol Buffers with direct field order).
 func (x *SubnetClientGroupID) Marshal() ([]byte, error) {
 	return proto.Marshal(x)
 }
 
-// Unmarshal decodes SubnetClientGroupID from NeoFS API V2 binary format (see Marshal). Must not be called on nil.
+// Unmarshal decodes the SubnetClientGroupID from FrostFS API V2 binary format (see Marshal). Must not be called on nil.
 func (x *SubnetClientGroupID) Unmarshal(data []byte) error {
 	return proto.Unmarshal(data, x)
 }

cmd/frostfs-adm/internal/modules/morph/internal/types.proto

@@ -2,9 +2,9 @@ syntax = "proto3";
 
 package neo.fs.v2.refs;
 
-option go_package = "github.com/nspcc-dev/neofs-node/cmd/neofs-adm/internal/modules/morph/internal";
+option go_package = "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/internal";
 
-// Client group identifier in the NeoFS subnet.
+// Client group identifier in the FrostFS subnet.
 //
 // String representation of a value is base-10 integer.
 //

cmd/frostfs-adm/internal/modules/morph/local_client.go

@@ -0,0 +1,505 @@
+package morph
+
+import (
+	"crypto/elliptic"
+	"errors"
+	"fmt"
+	"os"
+	"sort"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/nspcc-dev/neo-go/pkg/config"
+	"github.com/nspcc-dev/neo-go/pkg/config/netmode"
+	"github.com/nspcc-dev/neo-go/pkg/core"
+	"github.com/nspcc-dev/neo-go/pkg/core/block"
+	"github.com/nspcc-dev/neo-go/pkg/core/chaindump"
+	"github.com/nspcc-dev/neo-go/pkg/core/fee"
+	"github.com/nspcc-dev/neo-go/pkg/core/native/noderoles"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/core/storage"
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
+	"github.com/nspcc-dev/neo-go/pkg/network/payload"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/vm/opcode"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
+	"github.com/nspcc-dev/neo-go/pkg/vm/vmstate"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"go.uber.org/zap"
+)
+
+type localClient struct {
+	bc           *core.Blockchain
+	transactions []*transaction.Transaction
+	dumpPath     string
+	accounts     []*wallet.Account
+	maxGasInvoke int64
+}
+
+func newLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet) (*localClient, error) {
+	cfg, err := config.LoadFile(v.GetString(protoConfigPath))
+	if err != nil {
+		return nil, err
+	}
+
+	bc, err := core.NewBlockchain(storage.NewMemoryStore(), cfg.Blockchain(), zap.NewNop())
+	if err != nil {
+		return nil, err
+	}
+
+	m := smartcontract.GetDefaultHonestNodeCount(cfg.ProtocolConfiguration.ValidatorsCount)
+	accounts := make([]*wallet.Account, len(wallets))
+	for i := range accounts {
+		accounts[i], err = getWalletAccount(wallets[i], consensusAccountName)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	indexMap := make(map[string]int)
+	for i, pub := range cfg.ProtocolConfiguration.StandbyCommittee {
+		indexMap[pub] = i
+	}
+
+	sort.Slice(accounts, func(i, j int) bool {
+		pi := accounts[i].PrivateKey().PublicKey().Bytes()
+		pj := accounts[j].PrivateKey().PublicKey().Bytes()
+		return indexMap[string(pi)] < indexMap[string(pj)]
+	})
+	sort.Slice(accounts[:cfg.ProtocolConfiguration.ValidatorsCount], func(i, j int) bool {
+		return accounts[i].PublicKey().Cmp(accounts[j].PublicKey()) == -1
+	})
+
+	go bc.Run()
+
+	dumpPath := v.GetString(localDumpFlag)
+	if cmd.Name() != "init" {
+		f, err := os.OpenFile(dumpPath, os.O_RDONLY, 0600)
+		if err != nil {
+			return nil, fmt.Errorf("can't open local dump: %w", err)
+		}
+		defer f.Close()
+
+		r := io.NewBinReaderFromIO(f)
+
+		var skip uint32
+		if bc.BlockHeight() != 0 {
+			skip = bc.BlockHeight() + 1
+		}
+
+		count := r.ReadU32LE() - skip
+		if err := chaindump.Restore(bc, r, skip, count, nil); err != nil {
+			return nil, fmt.Errorf("can't restore local dump: %w", err)
+		}
+	}
+
+	return &localClient{
+		bc:           bc,
+		dumpPath:     dumpPath,
+		accounts:     accounts[:m],
+		maxGasInvoke: 15_0000_0000,
+	}, nil
+}
+
+func (l *localClient) GetBlockCount() (uint32, error) {
+	return l.bc.BlockHeight(), nil
+}
+
+func (l *localClient) GetContractStateByID(id int32) (*state.Contract, error) {
+	h, err := l.bc.GetContractScriptHash(id)
+	if err != nil {
+		return nil, err
+	}
+	return l.GetContractStateByHash(h)
+}
+
+func (l *localClient) GetContractStateByHash(h util.Uint160) (*state.Contract, error) {
+	if cs := l.bc.GetContractState(h); cs != nil {
+		return cs, nil
+	}
+	return nil, storage.ErrKeyNotFound
+}
+
+func (l *localClient) GetNativeContracts() ([]state.NativeContract, error) {
+	return l.bc.GetNatives(), nil
+}
+
+func (l *localClient) GetNetwork() (netmode.Magic, error) {
+	return l.bc.GetConfig().Magic, nil
+}
+
+func (l *localClient) GetApplicationLog(h util.Uint256, t *trigger.Type) (*result.ApplicationLog, error) {
+	aer, err := l.bc.GetAppExecResults(h, *t)
+	if err != nil {
+		return nil, err
+	}
+
+	a := result.NewApplicationLog(h, aer, *t)
+	return &a, nil
+}
+
+func (l *localClient) CreateTxFromScript(script []byte, acc *wallet.Account, sysFee int64, netFee int64, cosigners []rpcclient.SignerAccount) (*transaction.Transaction, error) {
+	signers, accounts, err := getSigners(acc, cosigners)
+	if err != nil {
+		return nil, fmt.Errorf("failed to construct tx signers: %w", err)
+	}
+	if sysFee < 0 {
+		res, err := l.InvokeScript(script, signers)
+		if err != nil {
+			return nil, fmt.Errorf("can't add system fee to transaction: %w", err)
+		}
+		if res.State != "HALT" {
+			return nil, fmt.Errorf("can't add system fee to transaction: bad vm state: %s due to an error: %s", res.State, res.FaultException)
+		}
+		sysFee = res.GasConsumed
+	}
+
+	tx := transaction.New(script, sysFee)
+	tx.Signers = signers
+	tx.ValidUntilBlock = l.bc.BlockHeight() + 2
+
+	err = l.AddNetworkFee(tx, netFee, accounts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add network fee: %w", err)
+	}
+
+	return tx, nil
+}
+
+func (l *localClient) GetCommittee() (keys.PublicKeys, error) {
+	// not used by `morph init` command
+	panic("unexpected call")
+}
+
+// InvokeFunction is implemented via `InvokeScript`.
+func (l *localClient) InvokeFunction(h util.Uint160, method string, sPrm []smartcontract.Parameter, ss []transaction.Signer) (*result.Invoke, error) {
+	var err error
+
+	pp := make([]any, len(sPrm))
+	for i, p := range sPrm {
+		pp[i], err = smartcontract.ExpandParameterToEmitable(p)
+		if err != nil {
+			return nil, fmt.Errorf("incorrect parameter type %s: %w", p.Type, err)
+		}
+	}
+
+	return invokeFunction(l, h, method, pp, ss)
+}
+
+func (l *localClient) CalculateNotaryFee(_ uint8) (int64, error) {
+	// not used by `morph init` command
+	panic("unexpected call")
+}
+
+func (l *localClient) SignAndPushP2PNotaryRequest(_ *transaction.Transaction, _ []byte, _ int64, _ int64, _ uint32, _ *wallet.Account) (*payload.P2PNotaryRequest, error) {
+	// not used by `morph init` command
+	panic("unexpected call")
+}
+
+func (l *localClient) SignAndPushInvocationTx(_ []byte, _ *wallet.Account, _ int64, _ fixedn.Fixed8, _ []rpcclient.SignerAccount) (util.Uint256, error) {
+	// not used by `morph init` command
+	panic("unexpected call")
+}
+
+func (l *localClient) TerminateSession(_ uuid.UUID) (bool, error) {
+	// not used by `morph init` command
+	panic("unexpected call")
+}
+
+func (l *localClient) TraverseIterator(_, _ uuid.UUID, _ int) ([]stackitem.Item, error) {
+	// not used by `morph init` command
+	panic("unexpected call")
+}
+
+// GetVersion return default version.
+func (l *localClient) GetVersion() (*result.Version, error) {
+	c := l.bc.GetConfig()
+	return &result.Version{
+		Protocol: result.Protocol{
+			AddressVersion:              address.NEO3Prefix,
+			Network:                     c.Magic,
+			MillisecondsPerBlock:        int(c.TimePerBlock / time.Millisecond),
+			MaxTraceableBlocks:          c.MaxTraceableBlocks,
+			MaxValidUntilBlockIncrement: c.MaxValidUntilBlockIncrement,
+			MaxTransactionsPerBlock:     c.MaxTransactionsPerBlock,
+			MemoryPoolMaxTransactions:   c.MemPoolSize,
+			ValidatorsCount:             byte(c.ValidatorsCount),
+			InitialGasDistribution:      c.InitialGASSupply,
+			CommitteeHistory:            c.CommitteeHistory,
+			P2PSigExtensions:            c.P2PSigExtensions,
+			StateRootInHeader:           c.StateRootInHeader,
+			ValidatorsHistory:           c.ValidatorsHistory,
+		},
+	}, nil
+}
+
+func (l *localClient) InvokeContractVerify(contract util.Uint160, params []smartcontract.Parameter, signers []transaction.Signer, witnesses ...transaction.Witness) (*result.Invoke, error) {
+	// not used by `morph init` command
+	panic("unexpected call")
+}
+
+// CalculateNetworkFee calculates network fee for the given transaction.
+// Copied from neo-go with minor corrections (no need to support non-notary mode):
+// https://github.com/nspcc-dev/neo-go/blob/v0.99.2/pkg/services/rpcsrv/server.go#L744
+func (l *localClient) CalculateNetworkFee(tx *transaction.Transaction) (int64, error) {
+	hashablePart, err := tx.EncodeHashableFields()
+	if err != nil {
+		return 0, fmt.Errorf("failed to compute tx size: %w", err)
+	}
+
+	size := len(hashablePart) + io.GetVarSize(len(tx.Signers))
+	ef := l.bc.GetBaseExecFee()
+
+	var netFee int64
+	for i, signer := range tx.Signers {
+		var verificationScript []byte
+		for _, w := range tx.Scripts {
+			if w.VerificationScript != nil && hash.Hash160(w.VerificationScript).Equals(signer.Account) {
+				verificationScript = w.VerificationScript
+				break
+			}
+		}
+		if verificationScript == nil {
+			gasConsumed, err := l.bc.VerifyWitness(signer.Account, tx, &tx.Scripts[i], l.maxGasInvoke)
+			if err != nil {
+				return 0, fmt.Errorf("invalid signature: %w", err)
+			}
+			netFee += gasConsumed
+			size += io.GetVarSize([]byte{}) + io.GetVarSize(tx.Scripts[i].InvocationScript)
+			continue
+		}
+
+		fee, sizeDelta := fee.Calculate(ef, verificationScript)
+		netFee += fee
+		size += sizeDelta
+	}
+
+	fee := l.bc.FeePerByte()
+	netFee += int64(size) * fee
+
+	return netFee, nil
+}
+
+// AddNetworkFee adds network fee for each witness script and optional extra
+// network fee to transaction. `accs` is an array signer's accounts.
+// Copied from neo-go with minor corrections (no need to support contract signers):
+// https://github.com/nspcc-dev/neo-go/blob/6ff11baa1b9e4c71ef0d1de43b92a8c541ca732c/pkg/rpc/client/rpc.go#L960
+func (l *localClient) AddNetworkFee(tx *transaction.Transaction, extraFee int64, accs ...*wallet.Account) error {
+	if len(tx.Signers) != len(accs) {
+		return errors.New("number of signers must match number of scripts")
+	}
+
+	size := io.GetVarSize(tx)
+	ef := l.bc.GetBaseExecFee()
+	for i := range tx.Signers {
+		netFee, sizeDelta := fee.Calculate(ef, accs[i].Contract.Script)
+		tx.NetworkFee += netFee
+		size += sizeDelta
+	}
+
+	tx.NetworkFee += int64(size)*l.bc.FeePerByte() + extraFee
+	return nil
+}
+
+// getSigners returns an array of transaction signers and corresponding accounts from
+// given sender and cosigners. If cosigners list already contains sender, the sender
+// will be placed at the start of the list.
+// Copied from neo-go with minor corrections:
+// https://github.com/nspcc-dev/neo-go/blob/6ff11baa1b9e4c71ef0d1de43b92a8c541ca732c/pkg/rpc/client/rpc.go#L735
+func getSigners(sender *wallet.Account, cosigners []rpcclient.SignerAccount) ([]transaction.Signer, []*wallet.Account, error) {
+	var (
+		signers  []transaction.Signer
+		accounts []*wallet.Account
+	)
+
+	from := sender.Contract.ScriptHash()
+	s := transaction.Signer{
+		Account: from,
+		Scopes:  transaction.None,
+	}
+	for _, c := range cosigners {
+		if c.Signer.Account == from {
+			s = c.Signer
+			continue
+		}
+		signers = append(signers, c.Signer)
+		accounts = append(accounts, c.Account)
+	}
+	signers = append([]transaction.Signer{s}, signers...)
+	accounts = append([]*wallet.Account{sender}, accounts...)
+	return signers, accounts, nil
+}
+
+func (l *localClient) NEP17BalanceOf(h util.Uint160, acc util.Uint160) (int64, error) {
+	res, err := invokeFunction(l, h, "balanceOf", []any{acc}, nil)
+	if err != nil {
+		return 0, err
+	}
+	if res.State != vmstate.Halt.String() || len(res.Stack) == 0 {
+		return 0, fmt.Errorf("`balance`: invalid response (empty: %t): %s",
+			len(res.Stack) == 0, res.FaultException)
+	}
+	bi, err := res.Stack[0].TryInteger()
+	if err != nil || !bi.IsInt64() {
+		return 0, fmt.Errorf("`balance`: invalid response")
+	}
+	return bi.Int64(), nil
+}
+
+func (l *localClient) InvokeScript(script []byte, signers []transaction.Signer) (*result.Invoke, error) {
+	lastBlock, err := l.bc.GetBlock(l.bc.CurrentBlockHash())
+	if err != nil {
+		return nil, err
+	}
+
+	tx := transaction.New(script, 0)
+	tx.Signers = signers
+	tx.ValidUntilBlock = l.bc.BlockHeight() + 2
+
+	ic, err := l.bc.GetTestVM(trigger.Application, tx, &block.Block{
+		Header: block.Header{
+			Index:     lastBlock.Index + 1,
+			Timestamp: lastBlock.Timestamp + 1,
+		},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("get test VM: %w", err)
+	}
+
+	ic.VM.GasLimit = 100_0000_0000
+	ic.VM.LoadScriptWithFlags(script, callflag.All)
+
+	var errStr string
+	if err := ic.VM.Run(); err != nil {
+		errStr = err.Error()
+	}
+	return &result.Invoke{
+		State:          ic.VM.State().String(),
+		GasConsumed:    ic.VM.GasConsumed(),
+		Script:         script,
+		Stack:          ic.VM.Estack().ToArray(),
+		FaultException: errStr,
+	}, nil
+}
+
+func (l *localClient) SendRawTransaction(tx *transaction.Transaction) (util.Uint256, error) {
+	// We need to test that transaction was formed correctly to catch as many errors as we can.
+	bs := tx.Bytes()
+	_, err := transaction.NewTransactionFromBytes(bs)
+	if err != nil {
+		return tx.Hash(), fmt.Errorf("invalid transaction: %w", err)
+	}
+
+	l.transactions = append(l.transactions, tx)
+	return tx.Hash(), nil
+}
+
+func (l *localClient) putTransactions() error {
+	// 1. Prepare new block.
+	lastBlock, err := l.bc.GetBlock(l.bc.CurrentBlockHash())
+	if err != nil {
+		panic(err)
+	}
+	defer func() { l.transactions = l.transactions[:0] }()
+
+	b := &block.Block{
+		Header: block.Header{
+			NextConsensus: l.accounts[0].Contract.ScriptHash(),
+			Script: transaction.Witness{
+				VerificationScript: l.accounts[0].Contract.Script,
+			},
+			Timestamp: lastBlock.Timestamp + 1,
+		},
+		Transactions: l.transactions,
+	}
+
+	if l.bc.GetConfig().StateRootInHeader {
+		b.StateRootEnabled = true
+		b.PrevStateRoot = l.bc.GetStateModule().CurrentLocalStateRoot()
+	}
+	b.PrevHash = lastBlock.Hash()
+	b.Index = lastBlock.Index + 1
+	b.RebuildMerkleRoot()
+
+	// 2. Sign prepared block.
+	var invocationScript []byte
+
+	magic := l.bc.GetConfig().Magic
+	for _, acc := range l.accounts {
+		sign := acc.PrivateKey().SignHashable(uint32(magic), b)
+		invocationScript = append(invocationScript, byte(opcode.PUSHDATA1), 64)
+		invocationScript = append(invocationScript, sign...)
+	}
+	b.Script.InvocationScript = invocationScript
+
+	// 3. Persist block.
+	return l.bc.AddBlock(b)
+}
+
+func invokeFunction(c Client, h util.Uint160, method string, parameters []any, signers []transaction.Signer) (*result.Invoke, error) {
+	w := io.NewBufBinWriter()
+	emit.Array(w.BinWriter, parameters...)
+	emit.AppCallNoArgs(w.BinWriter, h, method, callflag.All)
+	if w.Err != nil {
+		panic(fmt.Sprintf("BUG: invalid parameters for '%s': %v", method, w.Err))
+	}
+	return c.InvokeScript(w.Bytes(), signers)
+}
+
+var errGetDesignatedByRoleResponse = errors.New("`getDesignatedByRole`: invalid response")
+
+func getDesignatedByRole(inv *invoker.Invoker, h util.Uint160, role noderoles.Role, u uint32) (keys.PublicKeys, error) {
+	arr, err := unwrap.Array(inv.Call(h, "getDesignatedByRole", int64(role), int64(u)))
+	if err != nil {
+		return nil, errGetDesignatedByRoleResponse
+	}
+
+	pubs := make(keys.PublicKeys, len(arr))
+	for i := range arr {
+		bs, err := arr[i].TryBytes()
+		if err != nil {
+			return nil, errGetDesignatedByRoleResponse
+		}
+		pubs[i], err = keys.NewPublicKeyFromBytes(bs, elliptic.P256())
+		if err != nil {
+			return nil, errGetDesignatedByRoleResponse
+		}
+	}
+
+	return pubs, nil
+}
+
+func (l *localClient) dump() (err error) {
+	defer l.bc.Close()
+
+	f, err := os.Create(l.dumpPath)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		closeErr := f.Close()
+		if err == nil && closeErr != nil {
+			err = closeErr
+		}
+	}()
+
+	w := io.NewBinWriterFromIO(f)
+	w.WriteU32LE(l.bc.BlockHeight() + 1)
+	err = chaindump.Dump(l.bc, w, 0, l.bc.BlockHeight()+1)
+	return
+}

cmd/frostfs-adm/internal/modules/morph/n3client.go

@@ -0,0 +1,122 @@
+package morph
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/nspcc-dev/neo-go/pkg/config/netmode"
+	"github.com/nspcc-dev/neo-go/pkg/core/state"
+	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
+	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
+	"github.com/nspcc-dev/neo-go/pkg/network/payload"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+// Client represents N3 client interface capable of test-invoking scripts
+// and sending signed transactions to chain.
+type Client interface {
+	invoker.RPCInvoke
+
+	GetBlockCount() (uint32, error)
+	GetContractStateByID(int32) (*state.Contract, error)
+	GetContractStateByHash(util.Uint160) (*state.Contract, error)
+	GetNativeContracts() ([]state.NativeContract, error)
+	GetNetwork() (netmode.Magic, error)
+	GetApplicationLog(util.Uint256, *trigger.Type) (*result.ApplicationLog, error)
+	GetVersion() (*result.Version, error)
+	CreateTxFromScript([]byte, *wallet.Account, int64, int64, []rpcclient.SignerAccount) (*transaction.Transaction, error)
+	NEP17BalanceOf(util.Uint160, util.Uint160) (int64, error)
+	SendRawTransaction(*transaction.Transaction) (util.Uint256, error)
+	GetCommittee() (keys.PublicKeys, error)
+	CalculateNotaryFee(uint8) (int64, error)
+	CalculateNetworkFee(tx *transaction.Transaction) (int64, error)
+	AddNetworkFee(*transaction.Transaction, int64, ...*wallet.Account) error
+	SignAndPushInvocationTx([]byte, *wallet.Account, int64, fixedn.Fixed8, []rpcclient.SignerAccount) (util.Uint256, error)
+	SignAndPushP2PNotaryRequest(*transaction.Transaction, []byte, int64, int64, uint32, *wallet.Account) (*payload.P2PNotaryRequest, error)
+}
+
+type hashVUBPair struct {
+	hash util.Uint256
+	vub  uint32
+}
+
+type clientContext struct {
+	Client          Client           // a raw neo-go client OR a local chain implementation
+	CommitteeAct    *actor.Actor     // committee actor with the Global witness scope
+	ReadOnlyInvoker *invoker.Invoker // R/O contract invoker, does not contain any signer
+	SentTxs         []hashVUBPair
+}
+
+func getN3Client(v *viper.Viper) (Client, error) {
+	// number of opened connections
+	// by neo-go client per one host
+	const (
+		maxConnsPerHost = 10
+		requestTimeout  = time.Second * 10
+	)
+
+	ctx := context.Background()
+	endpoint := v.GetString(endpointFlag)
+	if endpoint == "" {
+		return nil, errors.New("missing endpoint")
+	}
+	c, err := rpcclient.New(ctx, endpoint, rpcclient.Options{
+		MaxConnsPerHost: maxConnsPerHost,
+		RequestTimeout:  requestTimeout,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if err := c.Init(); err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+func defaultClientContext(c Client, committeeAcc *wallet.Account) (*clientContext, error) {
+	commAct, err := actor.New(c, []actor.SignerAccount{{
+		Signer: transaction.Signer{
+			Account: committeeAcc.Contract.ScriptHash(),
+			Scopes:  transaction.Global,
+		},
+		Account: committeeAcc,
+	}})
+	if err != nil {
+		return nil, err
+	}
+
+	return &clientContext{
+		Client:          c,
+		CommitteeAct:    commAct,
+		ReadOnlyInvoker: invoker.New(c, nil),
+	}, nil
+}
+
+func (c *clientContext) sendTx(tx *transaction.Transaction, cmd *cobra.Command, await bool) error {
+	h, err := c.Client.SendRawTransaction(tx)
+	if err != nil {
+		return err
+	}
+
+	if h != tx.Hash() {
+		return fmt.Errorf("sent and actual tx hashes mismatch:\n\tsent: %v\n\tactual: %v", tx.Hash().StringLE(), h.StringLE())
+	}
+
+	c.SentTxs = append(c.SentTxs, hashVUBPair{hash: h, vub: tx.ValidUntilBlock})
+
+	if await {
+		return c.awaitTx(cmd)
+	}
+	return nil
+}

cmd/frostfs-adm/internal/modules/morph/netmap_candidates.go

@@ -0,0 +1,29 @@
+package morph
+
+import (
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/pkg/morph/client/netmap"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+func listNetmapCandidatesNodes(cmd *cobra.Command, _ []string) {
+	c, err := getN3Client(viper.GetViper())
+	commonCmd.ExitOnErr(cmd, "can't create N3 client: %w", err)
+
+	inv := invoker.New(c, nil)
+
+	cs, err := c.GetContractStateByID(1)
+	commonCmd.ExitOnErr(cmd, "can't get NNS contract info: %w", err)
+
+	nmHash, err := nnsResolveHash(inv, cs.Hash, netmapContract+".frostfs")
+	commonCmd.ExitOnErr(cmd, "can't get netmap contract hash: %w", err)
+
+	res, err := inv.Call(nmHash, "netmapCandidates")
+	commonCmd.ExitOnErr(cmd, "can't fetch list of network config keys from the netmap contract", err)
+	nm, err := netmap.DecodeNetMap(res.Stack)
+	commonCmd.ExitOnErr(cmd, "unable to decode netmap: %w", err)
+	commonCmd.PrettyPrintNetMap(cmd, *nm, !viper.GetBool(commonflags.Verbose))
+}

cmd/frostfs-adm/internal/modules/morph/notary.go

@@ -2,17 +2,17 @@ package morph
 
 import (
 	"fmt"
+	"math/big"
 	"strconv"
 
 	"github.com/nspcc-dev/neo-go/cli/input"
-	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
-	"github.com/nspcc-dev/neo-go/pkg/io"
-	"github.com/nspcc-dev/neo-go/pkg/rpc/client"
-	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
-	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/nep17"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/notary"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -85,18 +85,8 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 		return err
 	}
 
-	nhs, err := getNativeHashes(c)
-	if err != nil {
-		return fmt.Errorf("can't get native contract hashes: %w", err)
-	}
-
-	gasHash, ok := nhs[nativenames.Gas]
-	if !ok {
-		return fmt.Errorf("can't retrieve %s contract hash", nativenames.Gas)
-	}
-	notaryHash, ok := nhs[nativenames.Notary]
-	if !ok {
-		return fmt.Errorf("can't retrieve %s contract hash", nativenames.Notary)
+	if err := checkNotaryEnabled(c); err != nil {
+		return err
 	}
 
 	height, err := c.GetBlockCount()
@@ -104,14 +94,7 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("can't get current height: %v", err)
 	}
 
-	bw := io.NewBufBinWriter()
-	emit.AppCall(bw.BinWriter, gasHash, "transfer", callflag.All,
-		accHash, notaryHash.BytesBE(), int64(gasAmount), []interface{}{nil, int64(height) + till})
-	if bw.Err != nil {
-		return fmt.Errorf("BUG: invalid transfer arguments: %w", bw.Err)
-	}
-
-	tx, err := c.CreateTxFromScript(bw.Bytes(), acc, -1, 0, []client.SignerAccount{{
+	act, err := actor.New(c, []actor.SignerAccount{{
 		Signer: transaction.Signer{
 			Account: acc.Contract.ScriptHash(),
 			Scopes:  transaction.Global,
@@ -119,14 +102,20 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 		Account: acc,
 	}})
 	if err != nil {
-		return fmt.Errorf("can't create tx: %w", err)
+		return fmt.Errorf("could not create actor: %w", err)
 	}
 
-	err = acc.SignTx(c.GetNetwork(), tx)
+	gasActor := nep17.New(act, gas.Hash)
+
+	txHash, vub, err := gasActor.Transfer(
+		accHash,
+		notary.Hash,
+		big.NewInt(int64(gasAmount)),
+		[]any{nil, int64(height) + till},
+	)
 	if err != nil {
-		return fmt.Errorf("can't sign tx: %w", err)
+		return fmt.Errorf("could not send tx: %w", err)
 	}
 
-	cc := defaultClientContext(c)
-	return cc.sendTx(tx, cmd, true)
+	return awaitTx(cmd, c, []hashVUBPair{{hash: txHash, vub: vub}})
 }

cmd/frostfs-adm/internal/modules/morph/policy.go

@@ -0,0 +1,54 @@
+package morph
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/policy"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	execFeeParam      = "ExecFeeFactor"
+	storagePriceParam = "StoragePrice"
+	setFeeParam       = "FeePerByte"
+)
+
+func setPolicyCmd(cmd *cobra.Command, args []string) error {
+	wCtx, err := newInitializeContext(cmd, viper.GetViper())
+	if err != nil {
+		return fmt.Errorf("can't to initialize context: %w", err)
+	}
+
+	bw := io.NewBufBinWriter()
+	for i := range args {
+		k, v, found := strings.Cut(args[i], "=")
+		if !found {
+			return fmt.Errorf("invalid parameter format, must be Parameter=Value")
+		}
+
+		switch k {
+		case execFeeParam, storagePriceParam, setFeeParam:
+		default:
+			return fmt.Errorf("parameter must be one of %s, %s and %s", execFeeParam, storagePriceParam, setFeeParam)
+		}
+
+		value, err := strconv.ParseUint(v, 10, 32)
+		if err != nil {
+			return fmt.Errorf("can't parse parameter value '%s': %w", args[1], err)
+		}
+
+		emit.AppCall(bw.BinWriter, policy.Hash, "set"+k, callflag.All, int64(value))
+	}
+
+	if err := wCtx.sendCommitteeTx(bw.Bytes(), false); err != nil {
+		return err
+	}
+
+	return wCtx.awaitTx()
+}

cmd/frostfs-adm/internal/modules/morph/remove_node.go

@@ -0,0 +1,61 @@
+package morph
+
+import (
+	"errors"
+	"fmt"
+
+	netmapcontract "github.com/TrueCloudLab/frostfs-contract/netmap"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/io"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/callflag"
+	"github.com/nspcc-dev/neo-go/pkg/vm/emit"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+func removeNodesCmd(cmd *cobra.Command, args []string) error {
+	if len(args) == 0 {
+		return errors.New("at least one node key must be provided")
+	}
+
+	nodeKeys := make(keys.PublicKeys, len(args))
+	for i := range args {
+		var err error
+		nodeKeys[i], err = keys.NewPublicKeyFromString(args[i])
+		if err != nil {
+			return fmt.Errorf("can't parse node public key: %w", err)
+		}
+	}
+
+	wCtx, err := newInitializeContext(cmd, viper.GetViper())
+	if err != nil {
+		return fmt.Errorf("can't initialize context: %w", err)
+	}
+	defer wCtx.close()
+
+	cs, err := wCtx.Client.GetContractStateByID(1)
+	if err != nil {
+		return fmt.Errorf("can't get NNS contract info: %w", err)
+	}
+
+	nmHash, err := nnsResolveHash(wCtx.ReadOnlyInvoker, cs.Hash, netmapContract+".frostfs")
+	if err != nil {
+		return fmt.Errorf("can't get netmap contract hash: %w", err)
+	}
+
+	bw := io.NewBufBinWriter()
+	for i := range nodeKeys {
+		emit.AppCall(bw.BinWriter, nmHash, "updateStateIR", callflag.All,
+			int64(netmapcontract.NodeStateOffline), nodeKeys[i].Bytes())
+	}
+
+	if err := emitNewEpochCall(bw, wCtx, nmHash); err != nil {
+		return err
+	}
+
+	if err := wCtx.sendConsensusTx(bw.Bytes()); err != nil {
+		return err
+	}
+
+	return wCtx.awaitTx()
+}

cmd/frostfs-adm/internal/modules/morph/root.go

@@ -0,0 +1,339 @@
+package morph
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	alphabetWalletsFlag             = "alphabet-wallets"
+	alphabetSizeFlag                = "size"
+	endpointFlag                    = "rpc-endpoint"
+	storageWalletFlag               = "storage-wallet"
+	storageWalletLabelFlag          = "label"
+	storageGasCLIFlag               = "initial-gas"
+	storageGasConfigFlag            = "storage.initial_gas"
+	contractsInitFlag               = "contracts"
+	maxObjectSizeInitFlag           = "network.max_object_size"
+	maxObjectSizeCLIFlag            = "max-object-size"
+	epochDurationInitFlag           = "network.epoch_duration"
+	epochDurationCLIFlag            = "epoch-duration"
+	incomeRateInitFlag              = "network.basic_income_rate"
+	incomeRateCLIFlag               = "basic-income-rate"
+	auditFeeInitFlag                = "network.fee.audit"
+	auditFeeCLIFlag                 = "audit-fee"
+	containerFeeInitFlag            = "network.fee.container"
+	containerAliasFeeInitFlag       = "network.fee.container_alias"
+	containerFeeCLIFlag             = "container-fee"
+	containerAliasFeeCLIFlag        = "container-alias-fee"
+	candidateFeeInitFlag            = "network.fee.candidate"
+	candidateFeeCLIFlag             = "candidate-fee"
+	homomorphicHashDisabledInitFlag = "network.homomorphic_hash_disabled"
+	maintenanceModeAllowedInitFlag  = "network.maintenance_mode_allowed"
+	homomorphicHashDisabledCLIFlag  = "homomorphic-disabled"
+	withdrawFeeInitFlag             = "network.fee.withdraw"
+	withdrawFeeCLIFlag              = "withdraw-fee"
+	containerDumpFlag               = "dump"
+	containerContractFlag           = "container-contract"
+	containerIDsFlag                = "cid"
+	refillGasAmountFlag             = "gas"
+	walletAccountFlag               = "account"
+	notaryDepositTillFlag           = "till"
+	localDumpFlag                   = "local-dump"
+	protoConfigPath                 = "protocol"
+	walletAddressFlag               = "wallet-address"
+)
+
+var (
+	// RootCmd is a root command of config section.
+	RootCmd = &cobra.Command{
+		Use:   "morph",
+		Short: "Section for morph network configuration commands",
+	}
+
+	generateAlphabetCmd = &cobra.Command{
+		Use:   "generate-alphabet",
+		Short: "Generate alphabet wallets for consensus nodes of the morph network",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			// PreRun fixes https://github.com/spf13/viper/issues/233
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+		},
+		RunE: generateAlphabetCreds,
+	}
+
+	initCmd = &cobra.Command{
+		Use:   "init",
+		Short: "Initialize side chain network with smart-contracts and network settings",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(epochDurationInitFlag, cmd.Flags().Lookup(epochDurationCLIFlag))
+			_ = viper.BindPFlag(maxObjectSizeInitFlag, cmd.Flags().Lookup(maxObjectSizeCLIFlag))
+			_ = viper.BindPFlag(incomeRateInitFlag, cmd.Flags().Lookup(incomeRateCLIFlag))
+			_ = viper.BindPFlag(homomorphicHashDisabledInitFlag, cmd.Flags().Lookup(homomorphicHashDisabledCLIFlag))
+			_ = viper.BindPFlag(auditFeeInitFlag, cmd.Flags().Lookup(auditFeeCLIFlag))
+			_ = viper.BindPFlag(candidateFeeInitFlag, cmd.Flags().Lookup(candidateFeeCLIFlag))
+			_ = viper.BindPFlag(containerFeeInitFlag, cmd.Flags().Lookup(containerFeeCLIFlag))
+			_ = viper.BindPFlag(containerAliasFeeInitFlag, cmd.Flags().Lookup(containerAliasFeeCLIFlag))
+			_ = viper.BindPFlag(withdrawFeeInitFlag, cmd.Flags().Lookup(withdrawFeeCLIFlag))
+			_ = viper.BindPFlag(protoConfigPath, cmd.Flags().Lookup(protoConfigPath))
+			_ = viper.BindPFlag(localDumpFlag, cmd.Flags().Lookup(localDumpFlag))
+		},
+		RunE: initializeSideChainCmd,
+	}
+
+	generateStorageCmd = &cobra.Command{
+		Use:   "generate-storage-wallet",
+		Short: "Generate storage node wallet for the morph network",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(storageGasConfigFlag, cmd.Flags().Lookup(storageGasCLIFlag))
+		},
+		RunE: generateStorageCreds,
+	}
+
+	refillGasCmd = &cobra.Command{
+		Use:   "refill-gas",
+		Short: "Refill GAS of storage node's wallet in the morph network",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(refillGasAmountFlag, cmd.Flags().Lookup(refillGasAmountFlag))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return refillGas(cmd, refillGasAmountFlag, false)
+		},
+	}
+
+	forceNewEpoch = &cobra.Command{
+		Use:   "force-new-epoch",
+		Short: "Create new FrostFS epoch event in the side chain",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: forceNewEpochCmd,
+	}
+
+	removeNodes = &cobra.Command{
+		Use:   "remove-nodes key1 [key2 [...]]",
+		Short: "Remove storage nodes from the netmap",
+		Long:  `Move nodes to the Offline state in the candidates list and tick an epoch to update the netmap`,
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: removeNodesCmd,
+	}
+
+	setConfig = &cobra.Command{
+		Use:                   "set-config key1=val1 [key2=val2 ...]",
+		DisableFlagsInUseLine: true,
+		Short:                 "Add/update global config value in the FrostFS network",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		Args: cobra.MinimumNArgs(1),
+		RunE: setConfigCmd,
+	}
+
+	setPolicy = &cobra.Command{
+		Use:                   "set-policy [ExecFeeFactor=<n1>] [StoragePrice=<n2>] [FeePerByte=<n3>]",
+		DisableFlagsInUseLine: true,
+		Short:                 "Set global policy values",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: setPolicyCmd,
+		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+			return []string{"ExecFeeFactor=", "StoragePrice=", "FeePerByte="}, cobra.ShellCompDirectiveNoSpace
+		},
+	}
+
+	dumpContractHashesCmd = &cobra.Command{
+		Use:   "dump-hashes",
+		Short: "Dump deployed contract hashes",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: dumpContractHashes,
+	}
+
+	dumpNetworkConfigCmd = &cobra.Command{
+		Use:   "dump-config",
+		Short: "Dump FrostFS network config",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: dumpNetworkConfig,
+	}
+
+	dumpBalancesCmd = &cobra.Command{
+		Use:   "dump-balances",
+		Short: "Dump GAS balances",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: dumpBalances,
+	}
+
+	updateContractsCmd = &cobra.Command{
+		Use:   "update-contracts",
+		Short: "Update FrostFS contracts",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: updateContracts,
+	}
+
+	dumpContainersCmd = &cobra.Command{
+		Use:   "dump-containers",
+		Short: "Dump FrostFS containers to file",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: dumpContainers,
+	}
+
+	restoreContainersCmd = &cobra.Command{
+		Use:   "restore-containers",
+		Short: "Restore FrostFS containers from file",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: restoreContainers,
+	}
+
+	listContainersCmd = &cobra.Command{
+		Use:   "list-containers",
+		Short: "List FrostFS containers",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: listContainers,
+	}
+
+	depositNotaryCmd = &cobra.Command{
+		Use:   "deposit-notary",
+		Short: "Deposit GAS for notary service",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+		},
+		RunE: depositNotary,
+	}
+
+	netmapCandidatesCmd = &cobra.Command{
+		Use:   "netmap-candidates",
+		Short: "List netmap candidates nodes",
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlag(endpointFlag, cmd.Flags().Lookup(endpointFlag))
+			_ = viper.BindPFlag(alphabetWalletsFlag, cmd.Flags().Lookup(alphabetWalletsFlag))
+		},
+		Run: listNetmapCandidatesNodes,
+	}
+)
+
+func init() {
+	RootCmd.AddCommand(generateAlphabetCmd)
+	generateAlphabetCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	generateAlphabetCmd.Flags().Uint(alphabetSizeFlag, 7, "Amount of alphabet wallets to generate")
+
+	RootCmd.AddCommand(initCmd)
+	initCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	initCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	initCmd.Flags().String(contractsInitFlag, "", "Path to archive with compiled FrostFS contracts (default fetched from latest github release)")
+	initCmd.Flags().Uint(epochDurationCLIFlag, 240, "Amount of side chain blocks in one FrostFS epoch")
+	initCmd.Flags().Uint(maxObjectSizeCLIFlag, 67108864, "Max single object size in bytes")
+	initCmd.Flags().Bool(homomorphicHashDisabledCLIFlag, false, "Disable object homomorphic hashing")
+	// Defaults are taken from neo-preodolenie.
+	initCmd.Flags().Uint64(containerFeeCLIFlag, 1000, "Container registration fee")
+	initCmd.Flags().Uint64(containerAliasFeeCLIFlag, 500, "Container alias fee")
+	initCmd.Flags().String(protoConfigPath, "", "Path to the consensus node configuration")
+	initCmd.Flags().String(localDumpFlag, "", "Path to the blocks dump file")
+
+	RootCmd.AddCommand(deployCmd)
+
+	RootCmd.AddCommand(generateStorageCmd)
+	generateStorageCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	generateStorageCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	generateStorageCmd.Flags().String(storageWalletFlag, "", "Path to new storage node wallet")
+	generateStorageCmd.Flags().String(storageGasCLIFlag, "", "Initial amount of GAS to transfer")
+	generateStorageCmd.Flags().StringP(storageWalletLabelFlag, "l", "", "Wallet label")
+
+	RootCmd.AddCommand(forceNewEpoch)
+	forceNewEpoch.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	forceNewEpoch.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+
+	RootCmd.AddCommand(removeNodes)
+	removeNodes.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	removeNodes.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+
+	RootCmd.AddCommand(setPolicy)
+	setPolicy.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	setPolicy.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+
+	RootCmd.AddCommand(dumpContractHashesCmd)
+	dumpContractHashesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	dumpContractHashesCmd.Flags().String(customZoneFlag, "", "Custom zone to search.")
+
+	RootCmd.AddCommand(dumpNetworkConfigCmd)
+	dumpNetworkConfigCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+
+	RootCmd.AddCommand(setConfig)
+	setConfig.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	setConfig.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	setConfig.Flags().Bool(forceConfigSet, false, "Force setting not well-known configuration key")
+
+	RootCmd.AddCommand(dumpBalancesCmd)
+	dumpBalancesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	dumpBalancesCmd.Flags().BoolP(dumpBalancesStorageFlag, "s", false, "Dump balances of storage nodes from the current netmap")
+	dumpBalancesCmd.Flags().BoolP(dumpBalancesAlphabetFlag, "a", false, "Dump balances of alphabet contracts")
+	dumpBalancesCmd.Flags().BoolP(dumpBalancesProxyFlag, "p", false, "Dump balances of the proxy contract")
+	dumpBalancesCmd.Flags().Bool(dumpBalancesUseScriptHashFlag, false, "Use script-hash format for addresses")
+
+	RootCmd.AddCommand(updateContractsCmd)
+	updateContractsCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	updateContractsCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	updateContractsCmd.Flags().String(contractsInitFlag, "", "Path to archive with compiled FrostFS contracts (default fetched from latest github release)")
+
+	RootCmd.AddCommand(dumpContainersCmd)
+	dumpContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	dumpContainersCmd.Flags().String(containerDumpFlag, "", "File where to save dumped containers")
+	dumpContainersCmd.Flags().String(containerContractFlag, "", "Container contract hash (for networks without NNS)")
+	dumpContainersCmd.Flags().StringSlice(containerIDsFlag, nil, "Containers to dump")
+
+	RootCmd.AddCommand(restoreContainersCmd)
+	restoreContainersCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	restoreContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	restoreContainersCmd.Flags().String(containerDumpFlag, "", "File to restore containers from")
+	restoreContainersCmd.Flags().StringSlice(containerIDsFlag, nil, "Containers to restore")
+
+	RootCmd.AddCommand(listContainersCmd)
+	listContainersCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	listContainersCmd.Flags().String(containerContractFlag, "", "Container contract hash (for networks without NNS)")
+
+	RootCmd.AddCommand(refillGasCmd)
+	refillGasCmd.Flags().String(alphabetWalletsFlag, "", "Path to alphabet wallets dir")
+	refillGasCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	refillGasCmd.Flags().String(storageWalletFlag, "", "Path to storage node wallet")
+	refillGasCmd.Flags().String(walletAddressFlag, "", "Address of wallet")
+	refillGasCmd.Flags().String(refillGasAmountFlag, "", "Additional amount of GAS to transfer")
+	refillGasCmd.MarkFlagsMutuallyExclusive(walletAddressFlag, storageWalletFlag)
+
+	RootCmd.AddCommand(cmdSubnet)
+
+	RootCmd.AddCommand(depositNotaryCmd)
+	depositNotaryCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+	depositNotaryCmd.Flags().String(storageWalletFlag, "", "Path to storage node wallet")
+	depositNotaryCmd.Flags().String(walletAccountFlag, "", "Wallet account address")
+	depositNotaryCmd.Flags().String(refillGasAmountFlag, "", "Amount of GAS to deposit")
+	depositNotaryCmd.Flags().String(notaryDepositTillFlag, "", "Notary deposit duration in blocks")
+
+	RootCmd.AddCommand(netmapCandidatesCmd)
+	netmapCandidatesCmd.Flags().StringP(endpointFlag, "r", "", "N3 RPC node endpoint")
+}

cmd/frostfs-adm/internal/modules/root.go

@@ -0,0 +1,85 @@
+package modules
+
+import (
+	"os"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/config"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/storagecfg"
+	"github.com/TrueCloudLab/frostfs-node/misc"
+	"github.com/TrueCloudLab/frostfs-node/pkg/util/autocomplete"
+	utilConfig "github.com/TrueCloudLab/frostfs-node/pkg/util/config"
+	"github.com/TrueCloudLab/frostfs-node/pkg/util/gendoc"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var (
+	rootCmd = &cobra.Command{
+		Use:   "frostfs-adm",
+		Short: "FrostFS Administrative Tool",
+		Long: `FrostFS Administrative Tool provides functions to setup and
+manage FrostFS network deployment.`,
+		RunE:         entryPoint,
+		SilenceUsage: true,
+	}
+)
+
+func init() {
+	cobra.OnInitialize(func() { initConfig(rootCmd) })
+	// we need to init viper config to bind viper and cobra configurations for
+	// rpc endpoint, alphabet wallet dir, key credentials, etc.
+
+	// use stdout as default output for cmd.Print()
+	rootCmd.SetOut(os.Stdout)
+
+	rootCmd.PersistentFlags().StringP(commonflags.ConfigFlag, commonflags.ConfigFlagShorthand, "", commonflags.ConfigFlagUsage)
+	rootCmd.PersistentFlags().String(commonflags.ConfigDirFlag, "", commonflags.ConfigDirFlagUsage)
+	rootCmd.PersistentFlags().BoolP(commonflags.Verbose, commonflags.VerboseShorthand, false, commonflags.VerboseUsage)
+	_ = viper.BindPFlag(commonflags.Verbose, rootCmd.PersistentFlags().Lookup(commonflags.Verbose))
+	rootCmd.Flags().Bool("version", false, "Application version")
+
+	rootCmd.AddCommand(config.RootCmd)
+	rootCmd.AddCommand(morph.RootCmd)
+	rootCmd.AddCommand(storagecfg.RootCmd)
+
+	rootCmd.AddCommand(autocomplete.Command("frostfs-adm"))
+	rootCmd.AddCommand(gendoc.Command(rootCmd))
+}
+
+func Execute() error {
+	return rootCmd.Execute()
+}
+
+func entryPoint(cmd *cobra.Command, args []string) error {
+	printVersion, _ := cmd.Flags().GetBool("version")
+	if printVersion {
+		cmd.Print(misc.BuildInfo("FrostFS Adm"))
+		return nil
+	}
+
+	return cmd.Usage()
+}
+
+func initConfig(cmd *cobra.Command) {
+	configFile, err := cmd.Flags().GetString(commonflags.ConfigFlag)
+	if err != nil {
+		return
+	}
+
+	if configFile != "" {
+		viper.SetConfigType("yml")
+		viper.SetConfigFile(configFile)
+		_ = viper.ReadInConfig() // if config file is set but unavailable, ignore it
+	}
+
+	configDir, err := cmd.Flags().GetString(commonflags.ConfigDirFlag)
+	if err != nil {
+		return
+	}
+
+	if configDir != "" {
+		_ = utilConfig.ReadConfigDir(viper.GetViper(), configDir) // if config files cannot be read, ignore it
+	}
+}

cmd/frostfs-adm/internal/modules/storagecfg/config.go

@@ -0,0 +1,138 @@
+package storagecfg
+
+const configTemplate = `logger:
+  level: info  # logger level: one of "debug", "info" (default), "warn", "error", "dpanic", "panic", "fatal"
+
+node:
+  wallet:
+    path: {{ .Wallet.Path }}  # path to a NEO wallet; ignored if key is presented
+    address: {{ .Wallet.Account }}  # address of a NEO account in the wallet; ignored if key is presented
+    password: {{ .Wallet.Password }}  # password for a NEO account in the wallet; ignored if key is presented
+  addresses:  # list of addresses announced by Storage node in the Network map
+    - {{ .AnnouncedAddress }}
+  attribute_0: UN-LOCODE:{{ .Attribute.Locode }}
+  relay: {{ .Relay }}  # start Storage node in relay mode without bootstrapping into the Network map
+  subnet:
+    exit_zero: false # toggle entrance to zero subnet (overrides corresponding attribute and occurrence in entries)
+    entries: [] # list of IDs of subnets to enter in a text format of FrostFS API protocol (overrides corresponding attributes)
+
+grpc:
+  num: 1  # total number of listener endpoints
+  0:
+    endpoint: {{ .Endpoint }}  # endpoint for gRPC server
+    tls:{{if .TLSCert}}
+      enabled: true  # enable TLS for a gRPC connection (min version is TLS 1.2)
+      certificate: {{ .TLSCert }}  # path to TLS certificate
+      key: {{ .TLSKey }}  # path to TLS key
+    {{- else }}
+      enabled: false # disable TLS for a gRPC connection
+    {{- end}}
+
+control:
+  authorized_keys:  # list of hex-encoded public keys that have rights to use the Control Service
+    {{- range .AuthorizedKeys }}
+    - {{.}}{{end}}
+  grpc:
+    endpoint: {{.ControlEndpoint}}  # endpoint that is listened by the Control Service
+
+morph:
+  dial_timeout: 20s  # timeout for side chain NEO RPC client connection
+  cache_ttl: 15s  # use TTL cache for side chain GET operations
+  rpc_endpoint:  # side chain N3 RPC endpoints
+    {{- range .MorphRPC }}
+    - address: wss://{{.}}/ws{{end}}
+{{if not .Relay }}
+storage:
+  shard_pool_size: 15  # size of per-shard worker pools used for PUT operations
+
+  shard:
+    default: # section with the default shard parameters
+      metabase:
+        perm: 0644  # permissions for metabase files(directories: +x for current user and group)
+
+      blobstor:
+        perm: 0644  # permissions for blobstor files(directories: +x for current user and group)
+        depth: 2  # max depth of object tree storage in FS
+        small_object_size: 102400  # 100KiB, size threshold for "small" objects which are stored in key-value DB, not in FS, bytes
+        compress: true  # turn on/off Zstandard compression (level 3) of stored objects
+        compression_exclude_content_types:
+          - audio/*
+          - video/*
+
+        blobovnicza:
+          size: 1073741824  # approximate size limit of single blobovnicza instance, total size will be: size*width^(depth+1), bytes
+          depth: 1  # max depth of object tree storage in key-value DB
+          width: 4   # max width of object tree storage in key-value DB
+          opened_cache_capacity: 50  # maximum number of opened database files
+
+      gc:
+        remover_batch_size: 200  # number of objects to be removed by the garbage collector
+        remover_sleep_interval: 5m  # frequency of the garbage collector invocation
+    0:
+      mode: "read-write"  # mode of the shard, must be one of the: "read-write" (default), "read-only"
+
+      metabase:
+        path: {{ .MetabasePath }}  # path to the metabase
+
+      blobstor:
+        path: {{ .BlobstorPath }}  # path to the blobstor
+{{end}}`
+
+const (
+	neofsMainnetAddress   = "2cafa46838e8b564468ebd868dcafdd99dce6221"
+	balanceMainnetAddress = "dc1ec98d9d0c5f9dfade16144defe08cffc5ca55"
+	neofsTestnetAddress   = "b65d8243ac63983206d17e5221af0653a7266fa1"
+	balanceTestnetAddress = "e0420c216003747626670d1424569c17c79015bf"
+)
+
+var n3config = map[string]struct {
+	MorphRPC        []string
+	RPC             []string
+	NeoFSContract   string
+	BalanceContract string
+}{
+	"testnet": {
+		MorphRPC: []string{
+			"rpc01.morph.testnet.fs.neo.org:51331",
+			"rpc02.morph.testnet.fs.neo.org:51331",
+			"rpc03.morph.testnet.fs.neo.org:51331",
+			"rpc04.morph.testnet.fs.neo.org:51331",
+			"rpc05.morph.testnet.fs.neo.org:51331",
+			"rpc06.morph.testnet.fs.neo.org:51331",
+			"rpc07.morph.testnet.fs.neo.org:51331",
+		},
+		RPC: []string{
+			"rpc01.testnet.n3.nspcc.ru:21331",
+			"rpc02.testnet.n3.nspcc.ru:21331",
+			"rpc03.testnet.n3.nspcc.ru:21331",
+			"rpc04.testnet.n3.nspcc.ru:21331",
+			"rpc05.testnet.n3.nspcc.ru:21331",
+			"rpc06.testnet.n3.nspcc.ru:21331",
+			"rpc07.testnet.n3.nspcc.ru:21331",
+		},
+		NeoFSContract:   neofsTestnetAddress,
+		BalanceContract: balanceTestnetAddress,
+	},
+	"mainnet": {
+		MorphRPC: []string{
+			"rpc1.morph.fs.neo.org:40341",
+			"rpc2.morph.fs.neo.org:40341",
+			"rpc3.morph.fs.neo.org:40341",
+			"rpc4.morph.fs.neo.org:40341",
+			"rpc5.morph.fs.neo.org:40341",
+			"rpc6.morph.fs.neo.org:40341",
+			"rpc7.morph.fs.neo.org:40341",
+		},
+		RPC: []string{
+			"rpc1.n3.nspcc.ru:10331",
+			"rpc2.n3.nspcc.ru:10331",
+			"rpc3.n3.nspcc.ru:10331",
+			"rpc4.n3.nspcc.ru:10331",
+			"rpc5.n3.nspcc.ru:10331",
+			"rpc6.n3.nspcc.ru:10331",
+			"rpc7.n3.nspcc.ru:10331",
+		},
+		NeoFSContract:   neofsMainnetAddress,
+		BalanceContract: balanceMainnetAddress,
+	},
+}

cmd/frostfs-adm/internal/modules/storagecfg/root.go

@@ -0,0 +1,417 @@
+package storagecfg
+
+import (
+	"bytes"
+	"context"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"math/rand"
+	"net"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"text/template"
+	"time"
+
+	netutil "github.com/TrueCloudLab/frostfs-node/pkg/network"
+	"github.com/chzyer/readline"
+	"github.com/nspcc-dev/neo-go/cli/flags"
+	"github.com/nspcc-dev/neo-go/cli/input"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/gas"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/nep17"
+	"github.com/nspcc-dev/neo-go/pkg/smartcontract/trigger"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+
+	"github.com/spf13/cobra"
+)
+
+const (
+	walletFlag  = "wallet"
+	accountFlag = "account"
+)
+
+const (
+	defaultControlEndpoint = "localhost:8090"
+	defaultDataEndpoint    = "localhost"
+)
+
+// RootCmd is a root command of config section.
+var RootCmd = &cobra.Command{
+	Use:   "storage-config [-w wallet] [-a acccount] [<path-to-config>]",
+	Short: "Section for storage node configuration commands",
+	Run:   storageConfig,
+}
+
+func init() {
+	fs := RootCmd.Flags()
+
+	fs.StringP(walletFlag, "w", "", "Path to wallet")
+	fs.StringP(accountFlag, "a", "", "Wallet account")
+}
+
+type config struct {
+	AnnouncedAddress string
+	AuthorizedKeys   []string
+	ControlEndpoint  string
+	Endpoint         string
+	TLSCert          string
+	TLSKey           string
+	MorphRPC         []string
+	Attribute        struct {
+		Locode string
+	}
+	Wallet struct {
+		Path     string
+		Account  string
+		Password string
+	}
+	Relay        bool
+	BlobstorPath string
+	MetabasePath string
+}
+
+func storageConfig(cmd *cobra.Command, args []string) {
+	var outPath string
+	if len(args) != 0 {
+		outPath = args[0]
+	} else {
+		outPath = getPath("File to write config at [./config.yml]: ")
+		if outPath == "" {
+			outPath = "./config.yml"
+		}
+	}
+
+	historyPath := filepath.Join(os.TempDir(), "frostfs-adm.history")
+	readline.SetHistoryPath(historyPath)
+
+	var c config
+
+	c.Wallet.Path, _ = cmd.Flags().GetString(walletFlag)
+	if c.Wallet.Path == "" {
+		c.Wallet.Path = getPath("Path to the storage node wallet: ")
+	}
+
+	w, err := wallet.NewWalletFromFile(c.Wallet.Path)
+	fatalOnErr(err)
+
+	c.Wallet.Account, _ = cmd.Flags().GetString(accountFlag)
+	if c.Wallet.Account == "" {
+		addr := address.Uint160ToString(w.GetChangeAddress())
+		c.Wallet.Account = getWalletAccount(w, fmt.Sprintf("Wallet account [%s]: ", addr))
+		if c.Wallet.Account == "" {
+			c.Wallet.Account = addr
+		}
+	}
+
+	accH, err := flags.ParseAddress(c.Wallet.Account)
+	fatalOnErr(err)
+
+	acc := w.GetAccount(accH)
+	if acc == nil {
+		fatalOnErr(errors.New("can't find account in wallet"))
+	}
+
+	c.Wallet.Password, err = input.ReadPassword(fmt.Sprintf("Account password for %s: ", c.Wallet.Account))
+	fatalOnErr(err)
+
+	err = acc.Decrypt(c.Wallet.Password, keys.NEP2ScryptParams())
+	fatalOnErr(err)
+
+	c.AuthorizedKeys = append(c.AuthorizedKeys, hex.EncodeToString(acc.PrivateKey().PublicKey().Bytes()))
+
+	var network string
+	for {
+		network = getString("Choose network [mainnet]/testnet: ")
+		switch network {
+		case "":
+			network = "mainnet"
+		case "testnet", "mainnet":
+		default:
+			cmd.Println(`Network must be either "mainnet" or "testnet"`)
+			continue
+		}
+		break
+	}
+
+	c.MorphRPC = n3config[network].MorphRPC
+
+	depositGas(cmd, acc, network)
+
+	c.Attribute.Locode = getString("UN-LOCODE attribute in [XX YYY] format: ")
+	var addr, port string
+	for {
+		c.AnnouncedAddress = getString("Publicly announced address: ")
+		validator := netutil.Address{}
+		err := validator.FromString(c.AnnouncedAddress)
+		if err != nil {
+			cmd.Println("Incorrect address format. See https://github.com/TrueCloudLab/frostfs-node/blob/master/pkg/network/address.go for details.")
+			continue
+		}
+		uriAddr, err := url.Parse(validator.URIAddr())
+		if err != nil {
+			panic(fmt.Errorf("unexpected error: %w", err))
+		}
+		addr = uriAddr.Hostname()
+		port = uriAddr.Port()
+		ip, err := net.ResolveIPAddr("ip", addr)
+		if err != nil {
+			cmd.Printf("Can't resolve IP address %s: %v\n", addr, err)
+			continue
+		}
+
+		if !ip.IP.IsGlobalUnicast() {
+			cmd.Println("IP must be global unicast.")
+			continue
+		}
+		cmd.Printf("Resolved IP address: %s\n", ip.String())
+
+		_, err = strconv.ParseUint(port, 10, 16)
+		if err != nil {
+			cmd.Println("Port must be an integer.")
+			continue
+		}
+
+		break
+	}
+
+	defaultAddr := net.JoinHostPort(defaultDataEndpoint, port)
+	c.Endpoint = getString(fmt.Sprintf("Listening address [%s]: ", defaultAddr))
+	if c.Endpoint == "" {
+		c.Endpoint = defaultAddr
+	}
+
+	c.ControlEndpoint = getString(fmt.Sprintf("Listening address (control endpoint) [%s]: ", defaultControlEndpoint))
+	if c.ControlEndpoint == "" {
+		c.ControlEndpoint = defaultControlEndpoint
+	}
+
+	c.TLSCert = getPath("TLS Certificate (optional): ")
+	if c.TLSCert != "" {
+		c.TLSKey = getPath("TLS Key: ")
+	}
+
+	c.Relay = getConfirmation(false, "Use node as a relay? yes/[no]: ")
+	if !c.Relay {
+		p := getPath("Path to the storage directory (all available storage will be used): ")
+		c.BlobstorPath = filepath.Join(p, "blob")
+		c.MetabasePath = filepath.Join(p, "meta")
+	}
+
+	out := applyTemplate(c)
+	fatalOnErr(os.WriteFile(outPath, out, 0644))
+
+	cmd.Println("Node is ready for work! Run `frostfs-node -config " + outPath + "`")
+}
+
+func getWalletAccount(w *wallet.Wallet, prompt string) string {
+	addrs := make([]readline.PrefixCompleterInterface, len(w.Accounts))
+	for i := range w.Accounts {
+		addrs[i] = readline.PcItem(w.Accounts[i].Address)
+	}
+
+	readline.SetAutoComplete(readline.NewPrefixCompleter(addrs...))
+	defer readline.SetAutoComplete(nil)
+
+	s, err := readline.Line(prompt)
+	fatalOnErr(err)
+	return strings.TrimSpace(s) // autocompleter can return a string with a trailing space
+}
+
+func getString(prompt string) string {
+	s, err := readline.Line(prompt)
+	fatalOnErr(err)
+	if s != "" {
+		_ = readline.AddHistory(s)
+	}
+	return s
+}
+
+type filenameCompleter struct{}
+
+func (filenameCompleter) Do(line []rune, pos int) (newLine [][]rune, length int) {
+	prefix := string(line[:pos])
+	dir := filepath.Dir(prefix)
+	de, err := os.ReadDir(dir)
+	if err != nil {
+		return nil, 0
+	}
+
+	for i := range de {
+		name := filepath.Join(dir, de[i].Name())
+		if strings.HasPrefix(name, prefix) {
+			tail := []rune(strings.TrimPrefix(name, prefix))
+			if de[i].IsDir() {
+				tail = append(tail, filepath.Separator)
+			}
+			newLine = append(newLine, tail)
+		}
+	}
+	if pos != 0 {
+		return newLine, pos - len([]rune(dir))
+	}
+	return newLine, 0
+}
+
+func getPath(prompt string) string {
+	readline.SetAutoComplete(filenameCompleter{})
+	defer readline.SetAutoComplete(nil)
+
+	p, err := readline.Line(prompt)
+	fatalOnErr(err)
+
+	if p == "" {
+		return p
+	}
+
+	_ = readline.AddHistory(p)
+
+	abs, err := filepath.Abs(p)
+	if err != nil {
+		fatalOnErr(fmt.Errorf("can't create an absolute path: %w", err))
+	}
+
+	return abs
+}
+
+func getConfirmation(def bool, prompt string) bool {
+	for {
+		s, err := readline.Line(prompt)
+		fatalOnErr(err)
+
+		switch strings.ToLower(s) {
+		case "y", "yes":
+			return true
+		case "n", "no":
+			return false
+		default:
+			if len(s) == 0 {
+				return def
+			}
+		}
+	}
+}
+
+func applyTemplate(c config) []byte {
+	tmpl, err := template.New("config").Parse(configTemplate)
+	fatalOnErr(err)
+
+	b := bytes.NewBuffer(nil)
+	fatalOnErr(tmpl.Execute(b, c))
+
+	return b.Bytes()
+}
+
+func fatalOnErr(err error) {
+	if err != nil {
+		_, _ = fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func depositGas(cmd *cobra.Command, acc *wallet.Account, network string) {
+	sideClient := initClient(n3config[network].MorphRPC)
+	balanceHash, _ := util.Uint160DecodeStringLE(n3config[network].BalanceContract)
+
+	sideActor, err := actor.NewSimple(sideClient, acc)
+	if err != nil {
+		fatalOnErr(fmt.Errorf("creating actor over side chain client: %w", err))
+	}
+
+	sideGas := nep17.NewReader(sideActor, balanceHash)
+	accSH := acc.Contract.ScriptHash()
+
+	balance, err := sideGas.BalanceOf(accSH)
+	if err != nil {
+		fatalOnErr(fmt.Errorf("side chain balance: %w", err))
+	}
+
+	ok := getConfirmation(false, fmt.Sprintf("Current NeoFS balance is %s, make a deposit? y/[n]: ",
+		fixedn.ToString(balance, 12)))
+	if !ok {
+		return
+	}
+
+	amountStr := getString("Enter amount in GAS: ")
+	amount, err := fixedn.FromString(amountStr, 8)
+	if err != nil {
+		fatalOnErr(fmt.Errorf("invalid amount: %w", err))
+	}
+
+	mainClient := initClient(n3config[network].RPC)
+	neofsHash, _ := util.Uint160DecodeStringLE(n3config[network].NeoFSContract)
+
+	mainActor, err := actor.NewSimple(mainClient, acc)
+	if err != nil {
+		fatalOnErr(fmt.Errorf("creating actor over main chain client: %w", err))
+	}
+
+	mainGas := nep17.New(mainActor, gas.Hash)
+
+	txHash, _, err := mainGas.Transfer(accSH, neofsHash, amount, nil)
+	if err != nil {
+		fatalOnErr(fmt.Errorf("sending TX to the NeoFS contract: %w", err))
+	}
+
+	cmd.Print("Waiting for transactions to persist.")
+	tick := time.NewTicker(time.Second / 2)
+	defer tick.Stop()
+
+	timer := time.NewTimer(time.Second * 20)
+	defer timer.Stop()
+
+	at := trigger.Application
+
+loop:
+	for {
+		select {
+		case <-tick.C:
+			_, err := mainClient.GetApplicationLog(txHash, &at)
+			if err == nil {
+				cmd.Print("\n")
+				break loop
+			}
+			cmd.Print(".")
+		case <-timer.C:
+			cmd.Printf("\nTimeout while waiting for transaction to persist.\n")
+			if getConfirmation(false, "Continue configuration? yes/[no]: ") {
+				return
+			}
+			os.Exit(1)
+		}
+	}
+}
+
+func initClient(rpc []string) *rpcclient.Client {
+	var c *rpcclient.Client
+	var err error
+
+	shuffled := make([]string, len(rpc))
+	copy(shuffled, rpc)
+	rand.Shuffle(len(shuffled), func(i, j int) { shuffled[i], shuffled[j] = shuffled[j], shuffled[i] })
+
+	for _, endpoint := range shuffled {
+		c, err = rpcclient.New(context.Background(), "https://"+endpoint, rpcclient.Options{
+			DialTimeout:    time.Second * 2,
+			RequestTimeout: time.Second * 5,
+		})
+		if err != nil {
+			continue
+		}
+		if err = c.Init(); err != nil {
+			continue
+		}
+		return c
+	}
+
+	fatalOnErr(fmt.Errorf("can't create N3 client: %w", err))
+	panic("unreachable")
+}

cmd/frostfs-adm/main.go

@@ -3,7 +3,7 @@ package main
 import (
 	"os"
 
-	"github.com/nspcc-dev/neofs-node/cmd/neofs-adm/internal/modules"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules"
 )
 
 func main() {

cmd/frostfs-cli/docs/sessions.md

@@ -0,0 +1,75 @@
+# How FrostFS CLI uses session mechanism of the FrostFS
+
+## Overview
+
+FrostFS sessions implement a mechanism for issuing a power of attorney by one
+party to another. A trusted party can provide a so-called session token as
+proof of the right to act on behalf of another member of the network. The
+client of operations carried out with such a token will be the user who opened
+the session. The token contains information which limits power of attorney like
+action context or lifetime.
+
+The client confirms trust in a third party by signing its public (session) key
+with his private key. Any operation signed using private session key with
+attached session token is treated as performed by the original client.
+
+## Types
+
+FrostFS CLI supports two ways to execute operation within a session depending on
+whether the user of the command application is an original user (1) or a trusted
+one (2).
+
+### Dynamic
+
+For case (1) CLI user can only open dynamic sessions. Protocol call
+`SessionService.Create` is used for this purpose. As a result of the call, a
+private session key will be generated on the server, thus making the remote
+server trusted. This type of session is useful when the client needs to
+transfer part of the responsibility for the formation of strict system elements
+to the trusted server. At the moment, the approach is applicable only to
+creating objects.
+
+```shell
+$ frostfs-cli session create --rpc-endpoint <server_ip> --out ./blank_token
+```
+After this example command remote node holds session private key while its
+public part is written into the session token encoded into the output file.
+Later this token can be attached to the operations which support dynamic
+sessions. Then the token will be finally formed and signed by CLI itself.
+
+### Static
+
+For case (2) CLI user can act on behalf of the person who issued the session
+token to him. Unlike (1) the token must be fully prepared on the side of the
+original client, and the CLI uses it only for reading. Ready token MUST have:
+- correct context (object, container, etc.)
+- valid lifetime
+- public session key corresponding to the CLI key
+- valid client signature
+
+To sign the session token, exec:
+```shell
+$ frostfs-cli --wallet <client_wallet> util sign session-token --from ./blank_token --to ./token
+```
+Once the token is signed, it MUST NOT be modified.
+
+## Commands
+
+### Object
+
+Here are sub-commands of `object` command which support only dynamic sessions (1):
+- `put`
+- `delete`
+- `lock`
+
+These commands accept blank token of the dynamically opened session or open
+session internally if it has not been opened yet.
+
+All other `object` sub-commands support only static sessions (2).
+
+### Container
+
+List of commands supporting sessions (static only):
+- `create`
+- `delete`
+- `set-eacl`

cmd/frostfs-cli/docs/storage-node-xheaders.md

@@ -0,0 +1,34 @@
+# Extended headers
+
+## Overview
+
+Extended headers are used for request/response. They may contain any
+user-defined headers to be interpreted on application level. Key name must be a
+unique valid UTF-8 string. Value can't be empty. Requests or Responses with
+duplicated header names or headers with empty values are considered invalid.
+
+## Existing headers
+
+There are some "well-known" headers starting with `__FROSTFS__` prefix that
+affect system behaviour. For backward compatibility, the same set of
+"well-known" headers may also use `__NEOFS__` prefix:
+
+* `__FROSTFS__NETMAP_EPOCH` - netmap epoch to use for object placement calculation. The `value` is string
+encoded `uint64` in decimal presentation. If set to '0' or omitted, the
+current epoch only will be used.
+* `__FROSTFS__NETMAP_LOOKUP_DEPTH` - if object can't be found using current epoch's netmap, this header limits
+how many past epochs the node can look up through. Depth is applied to a current epoch or the value
+of `__FROSTFS__NETMAP_EPOCH` attribute. The `value` is string encoded `uint64` in decimal presentation.
+If set to '0' or not set, only the current epoch is used.
+
+## `frostfs-cli` commands with `--xhdr`
+
+List of commands with support of extended headers:
+* `container list-objects`
+* `object delete/get/hash/head/lock/put/range/search`
+* `storagegroup delete/get/list/put`
+
+Example:
+```shell
+$ frostfs-cli object put -r s01.frostfs.devenv:8080 -w wallet.json --cid CID --file FILE --xhdr "__FROSTFS__NETMAP_EPOCH=777"
+```

cmd/frostfs-cli/internal/client/client.go

@@ -0,0 +1,891 @@
+package internal
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/TrueCloudLab/frostfs-sdk-go/accounting"
+	"github.com/TrueCloudLab/frostfs-sdk-go/client"
+	containerSDK "github.com/TrueCloudLab/frostfs-sdk-go/container"
+	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
+	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	"github.com/TrueCloudLab/frostfs-sdk-go/netmap"
+	"github.com/TrueCloudLab/frostfs-sdk-go/object"
+	oid "github.com/TrueCloudLab/frostfs-sdk-go/object/id"
+	"github.com/TrueCloudLab/frostfs-sdk-go/version"
+)
+
+// BalanceOfPrm groups parameters of BalanceOf operation.
+type BalanceOfPrm struct {
+	commonPrm
+	client.PrmBalanceGet
+}
+
+// BalanceOfRes groups the resulting values of BalanceOf operation.
+type BalanceOfRes struct {
+	cliRes *client.ResBalanceGet
+}
+
+// Balance returns the current balance.
+func (x BalanceOfRes) Balance() accounting.Decimal {
+	return x.cliRes.Amount()
+}
+
+// BalanceOf requests the current balance of a FrostFS user.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func BalanceOf(prm BalanceOfPrm) (res BalanceOfRes, err error) {
+	res.cliRes, err = prm.cli.BalanceGet(context.Background(), prm.PrmBalanceGet)
+
+	return
+}
+
+// ListContainersPrm groups parameters of ListContainers operation.
+type ListContainersPrm struct {
+	commonPrm
+	client.PrmContainerList
+}
+
+// ListContainersRes groups the resulting values of ListContainers operation.
+type ListContainersRes struct {
+	cliRes *client.ResContainerList
+}
+
+// IDList returns list of identifiers of user's containers.
+func (x ListContainersRes) IDList() []cid.ID {
+	return x.cliRes.Containers()
+}
+
+// ListContainers requests a list of FrostFS user's containers.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func ListContainers(prm ListContainersPrm) (res ListContainersRes, err error) {
+	res.cliRes, err = prm.cli.ContainerList(context.Background(), prm.PrmContainerList)
+
+	return
+}
+
+// PutContainerPrm groups parameters of PutContainer operation.
+type PutContainerPrm struct {
+	commonPrm
+	client.PrmContainerPut
+}
+
+// PutContainerRes groups the resulting values of PutContainer operation.
+type PutContainerRes struct {
+	cnr cid.ID
+}
+
+// ID returns identifier of the created container.
+func (x PutContainerRes) ID() cid.ID {
+	return x.cnr
+}
+
+// PutContainer sends a request to save the container in FrostFS.
+//
+// Operation is asynchronous and not guaranteed even in the absence of errors.
+// The required time is also not predictable.
+//
+// Success can be verified by reading by identifier.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func PutContainer(prm PutContainerPrm) (res PutContainerRes, err error) {
+	cliRes, err := prm.cli.ContainerPut(context.Background(), prm.PrmContainerPut)
+	if err == nil {
+		res.cnr = cliRes.ID()
+	}
+
+	return
+}
+
+// GetContainerPrm groups parameters of GetContainer operation.
+type GetContainerPrm struct {
+	commonPrm
+	cliPrm client.PrmContainerGet
+}
+
+// SetContainer sets identifier of the container to be read.
+func (x *GetContainerPrm) SetContainer(id cid.ID) {
+	x.cliPrm.SetContainer(id)
+}
+
+// GetContainerRes groups the resulting values of GetContainer operation.
+type GetContainerRes struct {
+	cliRes *client.ResContainerGet
+}
+
+// Container returns structured of the requested container.
+func (x GetContainerRes) Container() containerSDK.Container {
+	return x.cliRes.Container()
+}
+
+// GetContainer reads a container from FrostFS by ID.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func GetContainer(prm GetContainerPrm) (res GetContainerRes, err error) {
+	res.cliRes, err = prm.cli.ContainerGet(context.Background(), prm.cliPrm)
+
+	return
+}
+
+// IsACLExtendable checks if ACL of the container referenced by the given identifier
+// can be extended. Client connection MUST BE correctly established in advance.
+func IsACLExtendable(c *client.Client, cnr cid.ID) (bool, error) {
+	var prm GetContainerPrm
+	prm.SetClient(c)
+	prm.SetContainer(cnr)
+
+	res, err := GetContainer(prm)
+	if err != nil {
+		return false, fmt.Errorf("get container from the FrostFS: %w", err)
+	}
+
+	return res.Container().BasicACL().Extendable(), nil
+}
+
+// DeleteContainerPrm groups parameters of DeleteContainerPrm operation.
+type DeleteContainerPrm struct {
+	commonPrm
+	client.PrmContainerDelete
+}
+
+// DeleteContainerRes groups the resulting values of DeleteContainer operation.
+type DeleteContainerRes struct{}
+
+// DeleteContainer sends a request to remove a container from FrostFS by ID.
+//
+// Operation is asynchronous and not guaranteed even in the absence of errors.
+// The required time is also not predictable.
+//
+// Success can be verified by reading by identifier.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func DeleteContainer(prm DeleteContainerPrm) (res DeleteContainerRes, err error) {
+	_, err = prm.cli.ContainerDelete(context.Background(), prm.PrmContainerDelete)
+
+	return
+}
+
+// EACLPrm groups parameters of EACL operation.
+type EACLPrm struct {
+	commonPrm
+	client.PrmContainerEACL
+}
+
+// EACLRes groups the resulting values of EACL operation.
+type EACLRes struct {
+	cliRes *client.ResContainerEACL
+}
+
+// EACL returns requested eACL table.
+func (x EACLRes) EACL() eacl.Table {
+	return x.cliRes.Table()
+}
+
+// EACL reads eACL table from FrostFS by container ID.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func EACL(prm EACLPrm) (res EACLRes, err error) {
+	res.cliRes, err = prm.cli.ContainerEACL(context.Background(), prm.PrmContainerEACL)
+
+	return
+}
+
+// SetEACLPrm groups parameters of SetEACL operation.
+type SetEACLPrm struct {
+	commonPrm
+	client.PrmContainerSetEACL
+}
+
+// SetEACLRes groups the resulting values of SetEACL operation.
+type SetEACLRes struct{}
+
+// SetEACL requests to save an eACL table in FrostFS.
+//
+// Operation is asynchronous and no guaranteed even in the absence of errors.
+// The required time is also not predictable.
+//
+// Success can be verified by reading by container identifier.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func SetEACL(prm SetEACLPrm) (res SetEACLRes, err error) {
+	_, err = prm.cli.ContainerSetEACL(context.Background(), prm.PrmContainerSetEACL)
+
+	return
+}
+
+// NetworkInfoPrm groups parameters of NetworkInfo operation.
+type NetworkInfoPrm struct {
+	commonPrm
+	client.PrmNetworkInfo
+}
+
+// NetworkInfoRes groups the resulting values of NetworkInfo operation.
+type NetworkInfoRes struct {
+	cliRes *client.ResNetworkInfo
+}
+
+// NetworkInfo returns structured information about the FrostFS network.
+func (x NetworkInfoRes) NetworkInfo() netmap.NetworkInfo {
+	return x.cliRes.Info()
+}
+
+// NetworkInfo reads information about the FrostFS network.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func NetworkInfo(prm NetworkInfoPrm) (res NetworkInfoRes, err error) {
+	res.cliRes, err = prm.cli.NetworkInfo(context.Background(), prm.PrmNetworkInfo)
+
+	return
+}
+
+// NodeInfoPrm groups parameters of NodeInfo operation.
+type NodeInfoPrm struct {
+	commonPrm
+	client.PrmEndpointInfo
+}
+
+// NodeInfoRes groups the resulting values of NodeInfo operation.
+type NodeInfoRes struct {
+	cliRes *client.ResEndpointInfo
+}
+
+// NodeInfo returns information about the node from netmap.
+func (x NodeInfoRes) NodeInfo() netmap.NodeInfo {
+	return x.cliRes.NodeInfo()
+}
+
+// LatestVersion returns the latest FrostFS API version in use.
+func (x NodeInfoRes) LatestVersion() version.Version {
+	return x.cliRes.LatestVersion()
+}
+
+// NodeInfo requests information about the remote server from FrostFS netmap.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func NodeInfo(prm NodeInfoPrm) (res NodeInfoRes, err error) {
+	res.cliRes, err = prm.cli.EndpointInfo(context.Background(), prm.PrmEndpointInfo)
+
+	return
+}
+
+// NetMapSnapshotPrm groups parameters of NetMapSnapshot operation.
+type NetMapSnapshotPrm struct {
+	commonPrm
+}
+
+// NetMapSnapshotRes groups the resulting values of NetMapSnapshot operation.
+type NetMapSnapshotRes struct {
+	cliRes *client.ResNetMapSnapshot
+}
+
+// NetMap returns current local snapshot of the FrostFS network map.
+func (x NetMapSnapshotRes) NetMap() netmap.NetMap {
+	return x.cliRes.NetMap()
+}
+
+// NetMapSnapshot requests current network view of the remote server.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func NetMapSnapshot(prm NetMapSnapshotPrm) (res NetMapSnapshotRes, err error) {
+	res.cliRes, err = prm.cli.NetMapSnapshot(context.Background(), client.PrmNetMapSnapshot{})
+	return
+}
+
+// CreateSessionPrm groups parameters of CreateSession operation.
+type CreateSessionPrm struct {
+	commonPrm
+	client.PrmSessionCreate
+}
+
+// CreateSessionRes groups the resulting values of CreateSession operation.
+type CreateSessionRes struct {
+	cliRes *client.ResSessionCreate
+}
+
+// ID returns session identifier.
+func (x CreateSessionRes) ID() []byte {
+	return x.cliRes.ID()
+}
+
+// SessionKey returns public session key in a binary format.
+func (x CreateSessionRes) SessionKey() []byte {
+	return x.cliRes.PublicKey()
+}
+
+// CreateSession opens a new unlimited session with the remote node.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func CreateSession(prm CreateSessionPrm) (res CreateSessionRes, err error) {
+	res.cliRes, err = prm.cli.SessionCreate(context.Background(), prm.PrmSessionCreate)
+
+	return
+}
+
+// PutObjectPrm groups parameters of PutObject operation.
+type PutObjectPrm struct {
+	commonObjectPrm
+
+	hdr *object.Object
+
+	rdr io.Reader
+
+	headerCallback func(*object.Object)
+}
+
+// SetHeader sets object header.
+func (x *PutObjectPrm) SetHeader(hdr *object.Object) {
+	x.hdr = hdr
+}
+
+// SetPayloadReader sets reader of the object payload.
+func (x *PutObjectPrm) SetPayloadReader(rdr io.Reader) {
+	x.rdr = rdr
+}
+
+// SetHeaderCallback sets callback which is called on the object after the header is received
+// but before the payload is written.
+func (x *PutObjectPrm) SetHeaderCallback(f func(*object.Object)) {
+	x.headerCallback = f
+}
+
+// PutObjectRes groups the resulting values of PutObject operation.
+type PutObjectRes struct {
+	id oid.ID
+}
+
+// ID returns identifier of the created object.
+func (x PutObjectRes) ID() oid.ID {
+	return x.id
+}
+
+// PutObject saves the object in FrostFS network.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func PutObject(prm PutObjectPrm) (*PutObjectRes, error) {
+	var putPrm client.PrmObjectPutInit
+
+	if prm.sessionToken != nil {
+		putPrm.WithinSession(*prm.sessionToken)
+	}
+
+	if prm.bearerToken != nil {
+		putPrm.WithBearerToken(*prm.bearerToken)
+	}
+
+	if prm.local {
+		putPrm.MarkLocal()
+	}
+
+	putPrm.WithXHeaders(prm.xHeaders...)
+
+	wrt, err := prm.cli.ObjectPutInit(context.Background(), putPrm)
+	if err != nil {
+		return nil, fmt.Errorf("init object writing: %w", err)
+	}
+
+	if wrt.WriteHeader(*prm.hdr) {
+		if prm.headerCallback != nil {
+			prm.headerCallback(prm.hdr)
+		}
+
+		sz := prm.hdr.PayloadSize()
+
+		if data := prm.hdr.Payload(); len(data) > 0 {
+			if prm.rdr != nil {
+				prm.rdr = io.MultiReader(bytes.NewReader(data), prm.rdr)
+			} else {
+				prm.rdr = bytes.NewReader(data)
+				sz = uint64(len(data))
+			}
+		}
+
+		if prm.rdr != nil {
+			const defaultBufferSizePut = 3 << 20 // Maximum chunk size is 3 MiB in the SDK.
+
+			if sz == 0 || sz > defaultBufferSizePut {
+				sz = defaultBufferSizePut
+			}
+
+			buf := make([]byte, sz)
+
+			var n int
+
+			for {
+				n, err = prm.rdr.Read(buf)
+				if n > 0 {
+					if !wrt.WritePayloadChunk(buf[:n]) {
+						break
+					}
+
+					continue
+				}
+
+				if errors.Is(err, io.EOF) {
+					break
+				}
+
+				return nil, fmt.Errorf("read payload: %w", err)
+			}
+		}
+	}
+
+	cliRes, err := wrt.Close()
+	if err != nil { // here err already carries both status and client errors
+		return nil, fmt.Errorf("client failure: %w", err)
+	}
+
+	return &PutObjectRes{
+		id: cliRes.StoredObjectID(),
+	}, nil
+}
+
+// DeleteObjectPrm groups parameters of DeleteObject operation.
+type DeleteObjectPrm struct {
+	commonObjectPrm
+	objectAddressPrm
+}
+
+// DeleteObjectRes groups the resulting values of DeleteObject operation.
+type DeleteObjectRes struct {
+	tomb oid.ID
+}
+
+// Tombstone returns the ID of the created object with tombstone.
+func (x DeleteObjectRes) Tombstone() oid.ID {
+	return x.tomb
+}
+
+// DeleteObject marks an object to be removed from FrostFS through tombstone placement.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func DeleteObject(prm DeleteObjectPrm) (*DeleteObjectRes, error) {
+	var delPrm client.PrmObjectDelete
+	delPrm.FromContainer(prm.objAddr.Container())
+	delPrm.ByID(prm.objAddr.Object())
+
+	if prm.sessionToken != nil {
+		delPrm.WithinSession(*prm.sessionToken)
+	}
+
+	if prm.bearerToken != nil {
+		delPrm.WithBearerToken(*prm.bearerToken)
+	}
+
+	delPrm.WithXHeaders(prm.xHeaders...)
+
+	cliRes, err := prm.cli.ObjectDelete(context.Background(), delPrm)
+	if err != nil {
+		return nil, fmt.Errorf("remove object via client: %w", err)
+	}
+
+	return &DeleteObjectRes{
+		tomb: cliRes.Tombstone(),
+	}, nil
+}
+
+// GetObjectPrm groups parameters of GetObject operation.
+type GetObjectPrm struct {
+	commonObjectPrm
+	objectAddressPrm
+	rawPrm
+	payloadWriterPrm
+	headerCallback func(*object.Object)
+}
+
+// SetHeaderCallback sets callback which is called on the object after the header is received
+// but before the payload is written.
+func (p *GetObjectPrm) SetHeaderCallback(f func(*object.Object)) {
+	p.headerCallback = f
+}
+
+// GetObjectRes groups the resulting values of GetObject operation.
+type GetObjectRes struct {
+	hdr *object.Object
+}
+
+// Header returns the header of the request object.
+func (x GetObjectRes) Header() *object.Object {
+	return x.hdr
+}
+
+// GetObject reads an object by address.
+//
+// Interrupts on any writer error. If successful, payload is written to the writer.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+// For raw reading, returns *object.SplitInfoError error if object is virtual.
+func GetObject(prm GetObjectPrm) (*GetObjectRes, error) {
+	var getPrm client.PrmObjectGet
+	getPrm.FromContainer(prm.objAddr.Container())
+	getPrm.ByID(prm.objAddr.Object())
+
+	if prm.sessionToken != nil {
+		getPrm.WithinSession(*prm.sessionToken)
+	}
+
+	if prm.bearerToken != nil {
+		getPrm.WithBearerToken(*prm.bearerToken)
+	}
+
+	if prm.raw {
+		getPrm.MarkRaw()
+	}
+
+	if prm.local {
+		getPrm.MarkLocal()
+	}
+
+	getPrm.WithXHeaders(prm.xHeaders...)
+
+	rdr, err := prm.cli.ObjectGetInit(context.Background(), getPrm)
+	if err != nil {
+		return nil, fmt.Errorf("init object reading on client: %w", err)
+	}
+
+	var hdr object.Object
+
+	if !rdr.ReadHeader(&hdr) {
+		_, err = rdr.Close()
+		return nil, fmt.Errorf("read object header: %w", err)
+	}
+	if prm.headerCallback != nil {
+		prm.headerCallback(&hdr)
+	}
+
+	_, err = io.Copy(prm.wrt, rdr)
+	if err != nil {
+		return nil, fmt.Errorf("copy payload: %w", err)
+	}
+
+	return &GetObjectRes{
+		hdr: &hdr,
+	}, nil
+}
+
+// HeadObjectPrm groups parameters of HeadObject operation.
+type HeadObjectPrm struct {
+	commonObjectPrm
+	objectAddressPrm
+	rawPrm
+
+	mainOnly bool
+}
+
+// SetMainOnlyFlag sets flag to get only main fields of an object header in terms of FrostFS API.
+func (x *HeadObjectPrm) SetMainOnlyFlag(v bool) {
+	x.mainOnly = v
+}
+
+// HeadObjectRes groups the resulting values of HeadObject operation.
+type HeadObjectRes struct {
+	hdr *object.Object
+}
+
+// Header returns the requested object header.
+func (x HeadObjectRes) Header() *object.Object {
+	return x.hdr
+}
+
+// HeadObject reads an object header by address.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+// For raw reading, returns *object.SplitInfoError error if object is virtual.
+func HeadObject(prm HeadObjectPrm) (*HeadObjectRes, error) {
+	var cliPrm client.PrmObjectHead
+	cliPrm.FromContainer(prm.objAddr.Container())
+	cliPrm.ByID(prm.objAddr.Object())
+
+	if prm.sessionToken != nil {
+		cliPrm.WithinSession(*prm.sessionToken)
+	}
+
+	if prm.bearerToken != nil {
+		cliPrm.WithBearerToken(*prm.bearerToken)
+	}
+
+	if prm.raw {
+		cliPrm.MarkRaw()
+	}
+
+	if prm.local {
+		cliPrm.MarkLocal()
+	}
+
+	cliPrm.WithXHeaders(prm.xHeaders...)
+
+	res, err := prm.cli.ObjectHead(context.Background(), cliPrm)
+	if err != nil {
+		return nil, fmt.Errorf("read object header via client: %w", err)
+	}
+
+	var hdr object.Object
+
+	if !res.ReadHeader(&hdr) {
+		return nil, fmt.Errorf("missing header in response")
+	}
+
+	return &HeadObjectRes{
+		hdr: &hdr,
+	}, nil
+}
+
+// SearchObjectsPrm groups parameters of SearchObjects operation.
+type SearchObjectsPrm struct {
+	commonObjectPrm
+	containerIDPrm
+
+	filters object.SearchFilters
+}
+
+// SetFilters sets search filters.
+func (x *SearchObjectsPrm) SetFilters(filters object.SearchFilters) {
+	x.filters = filters
+}
+
+// SearchObjectsRes groups the resulting values of SearchObjects operation.
+type SearchObjectsRes struct {
+	ids []oid.ID
+}
+
+// IDList returns identifiers of the matched objects.
+func (x SearchObjectsRes) IDList() []oid.ID {
+	return x.ids
+}
+
+// SearchObjects selects objects from the container which match the filters.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+func SearchObjects(prm SearchObjectsPrm) (*SearchObjectsRes, error) {
+	var cliPrm client.PrmObjectSearch
+	cliPrm.InContainer(prm.cnrID)
+	cliPrm.SetFilters(prm.filters)
+
+	if prm.sessionToken != nil {
+		cliPrm.WithinSession(*prm.sessionToken)
+	}
+
+	if prm.bearerToken != nil {
+		cliPrm.WithBearerToken(*prm.bearerToken)
+	}
+
+	if prm.local {
+		cliPrm.MarkLocal()
+	}
+
+	cliPrm.WithXHeaders(prm.xHeaders...)
+
+	rdr, err := prm.cli.ObjectSearchInit(context.Background(), cliPrm)
+	if err != nil {
+		return nil, fmt.Errorf("init object search: %w", err)
+	}
+
+	buf := make([]oid.ID, 10)
+	var list []oid.ID
+	var n int
+	var ok bool
+
+	for {
+		n, ok = rdr.Read(buf)
+		for i := 0; i < n; i++ {
+			list = append(list, buf[i])
+		}
+		if !ok {
+			break
+		}
+	}
+
+	_, err = rdr.Close()
+	if err != nil {
+		return nil, fmt.Errorf("read object list: %w", err)
+	}
+
+	return &SearchObjectsRes{
+		ids: list,
+	}, nil
+}
+
+// HashPayloadRangesPrm groups parameters of HashPayloadRanges operation.
+type HashPayloadRangesPrm struct {
+	commonObjectPrm
+	objectAddressPrm
+
+	tz bool
+
+	rngs []*object.Range
+
+	salt []byte
+}
+
+// TZ sets flag to request Tillich-Zemor hashes.
+func (x *HashPayloadRangesPrm) TZ() {
+	x.tz = true
+}
+
+// SetRanges sets a list of payload ranges to hash.
+func (x *HashPayloadRangesPrm) SetRanges(rngs []*object.Range) {
+	x.rngs = rngs
+}
+
+// SetSalt sets data for each range to be XOR'ed with.
+func (x *HashPayloadRangesPrm) SetSalt(salt []byte) {
+	x.salt = salt
+}
+
+// HashPayloadRangesRes groups the resulting values of HashPayloadRanges operation.
+type HashPayloadRangesRes struct {
+	cliRes *client.ResObjectHash
+}
+
+// HashList returns a list of hashes of the payload ranges keeping order.
+func (x HashPayloadRangesRes) HashList() [][]byte {
+	return x.cliRes.Checksums()
+}
+
+// HashPayloadRanges requests hashes (by default SHA256) of the object payload ranges.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+// Returns an error if number of received hashes differs with the number of requested ranges.
+func HashPayloadRanges(prm HashPayloadRangesPrm) (*HashPayloadRangesRes, error) {
+	var cliPrm client.PrmObjectHash
+	cliPrm.FromContainer(prm.objAddr.Container())
+	cliPrm.ByID(prm.objAddr.Object())
+
+	if prm.local {
+		cliPrm.MarkLocal()
+	}
+
+	cliPrm.UseSalt(prm.salt)
+
+	rngs := make([]uint64, 2*len(prm.rngs))
+
+	for i := range prm.rngs {
+		rngs[2*i] = prm.rngs[i].GetOffset()
+		rngs[2*i+1] = prm.rngs[i].GetLength()
+	}
+
+	cliPrm.SetRangeList(rngs...)
+
+	if prm.tz {
+		cliPrm.TillichZemorAlgo()
+	}
+
+	if prm.sessionToken != nil {
+		cliPrm.WithinSession(*prm.sessionToken)
+	}
+
+	if prm.bearerToken != nil {
+		cliPrm.WithBearerToken(*prm.bearerToken)
+	}
+
+	cliPrm.WithXHeaders(prm.xHeaders...)
+
+	res, err := prm.cli.ObjectHash(context.Background(), cliPrm)
+	if err != nil {
+		return nil, fmt.Errorf("read payload hashes via client: %w", err)
+	}
+
+	return &HashPayloadRangesRes{
+		cliRes: res,
+	}, nil
+}
+
+// PayloadRangePrm groups parameters of PayloadRange operation.
+type PayloadRangePrm struct {
+	commonObjectPrm
+	objectAddressPrm
+	rawPrm
+	payloadWriterPrm
+
+	rng *object.Range
+}
+
+// SetRange sets payload range to read.
+func (x *PayloadRangePrm) SetRange(rng *object.Range) {
+	x.rng = rng
+}
+
+// PayloadRangeRes groups the resulting values of PayloadRange operation.
+type PayloadRangeRes struct{}
+
+// PayloadRange reads object payload range from FrostFS and writes it to the specified writer.
+//
+// Interrupts on any writer error.
+//
+// Returns any error which prevented the operation from completing correctly in error return.
+// For raw reading, returns *object.SplitInfoError error if object is virtual.
+func PayloadRange(prm PayloadRangePrm) (*PayloadRangeRes, error) {
+	var cliPrm client.PrmObjectRange
+	cliPrm.FromContainer(prm.objAddr.Container())
+	cliPrm.ByID(prm.objAddr.Object())
+
+	if prm.sessionToken != nil {
+		cliPrm.WithinSession(*prm.sessionToken)
+	}
+
+	if prm.bearerToken != nil {
+		cliPrm.WithBearerToken(*prm.bearerToken)
+	}
+
+	if prm.raw {
+		cliPrm.MarkRaw()
+	}
+
+	if prm.local {
+		cliPrm.MarkLocal()
+	}
+
+	cliPrm.SetOffset(prm.rng.GetOffset())
+	cliPrm.SetLength(prm.rng.GetLength())
+
+	cliPrm.WithXHeaders(prm.xHeaders...)
+
+	rdr, err := prm.cli.ObjectRangeInit(context.Background(), cliPrm)
+	if err != nil {
+		return nil, fmt.Errorf("init payload reading: %w", err)
+	}
+
+	_, err = io.Copy(prm.wrt, rdr)
+	if err != nil {
+		return nil, fmt.Errorf("copy payload: %w", err)
+	}
+
+	return new(PayloadRangeRes), nil
+}
+
+// SyncContainerPrm groups parameters of SyncContainerSettings operation.
+type SyncContainerPrm struct {
+	commonPrm
+	c *containerSDK.Container
+}
+
+// SetContainer sets a container that is required to be synced.
+func (s *SyncContainerPrm) SetContainer(c *containerSDK.Container) {
+	s.c = c
+}
+
+// SyncContainerRes groups resulting values of SyncContainerSettings
+// operation.
+type SyncContainerRes struct{}
+
+// SyncContainerSettings reads global network config from FrostFS and
+// syncs container settings with it.
+//
+// Interrupts on any writer error.
+//
+// Panics if a container passed as a parameter is nil.
+func SyncContainerSettings(prm SyncContainerPrm) (*SyncContainerRes, error) {
+	if prm.c == nil {
+		panic("sync container settings with the network: nil container")
+	}
+
+	err := client.SyncContainerWithNetwork(context.Background(), prm.c, prm.cli)
+	if err != nil {
+		return nil, err
+	}
+
+	return new(SyncContainerRes), nil
+}

cmd/frostfs-cli/internal/client/doc.go

@@ -0,0 +1,15 @@
+// Package internal provides functionality for FrostFS CLI application
+// communication with FrostFS network.
+//
+// The base client for accessing remote nodes via FrostFS API is a FrostFS SDK
+// Go API client. However, although it encapsulates a useful piece of business
+// logic (e.g. the signature mechanism), the FrostFS CLI application does not
+// fully use the client's flexible interface.
+//
+// In this regard, this package provides functions over base API client
+// necessary for the application. This allows you to concentrate the entire
+// spectrum of the client's use in one place (this will be convenient both when
+// updating the base client and for evaluating the UX of SDK library). So it is
+// expected that all application packages will be limited to this package for
+// the development of functionality requiring FrostFS API communication.
+package internal

cmd/frostfs-cli/internal/client/prm.go

@@ -0,0 +1,92 @@
+package internal
+
+import (
+	"io"
+
+	"github.com/TrueCloudLab/frostfs-sdk-go/bearer"
+	"github.com/TrueCloudLab/frostfs-sdk-go/client"
+	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
+	oid "github.com/TrueCloudLab/frostfs-sdk-go/object/id"
+	"github.com/TrueCloudLab/frostfs-sdk-go/session"
+)
+
+// here are small structures with public setters to share between parameter structures
+
+type commonPrm struct {
+	cli *client.Client
+}
+
+// SetClient sets the base client for FrostFS API communication.
+func (x *commonPrm) SetClient(cli *client.Client) {
+	x.cli = cli
+}
+
+type containerIDPrm struct {
+	cnrID cid.ID
+}
+
+// SetContainerID sets the container identifier.
+func (x *containerIDPrm) SetContainerID(id cid.ID) {
+	x.cnrID = id
+}
+
+type bearerTokenPrm struct {
+	bearerToken *bearer.Token
+}
+
+// SetBearerToken sets the bearer token to be attached to the request.
+func (x *bearerTokenPrm) SetBearerToken(tok *bearer.Token) {
+	x.bearerToken = tok
+}
+
+type objectAddressPrm struct {
+	objAddr oid.Address
+}
+
+func (x *objectAddressPrm) SetAddress(addr oid.Address) {
+	x.objAddr = addr
+}
+
+type rawPrm struct {
+	raw bool
+}
+
+// SetRawFlag sets flag of raw request.
+func (x *rawPrm) SetRawFlag(raw bool) {
+	x.raw = raw
+}
+
+type payloadWriterPrm struct {
+	wrt io.Writer
+}
+
+// SetPayloadWriter sets the writer of the object payload.
+func (x *payloadWriterPrm) SetPayloadWriter(wrt io.Writer) {
+	x.wrt = wrt
+}
+
+type commonObjectPrm struct {
+	commonPrm
+	bearerTokenPrm
+
+	sessionToken *session.Object
+
+	local bool
+
+	xHeaders []string
+}
+
+// SetTTL sets request TTL value.
+func (x *commonObjectPrm) SetTTL(ttl uint32) {
+	x.local = ttl < 2
+}
+
+// SetXHeaders sets request X-Headers.
+func (x *commonObjectPrm) SetXHeaders(hs []string) {
+	x.xHeaders = hs
+}
+
+// SetSessionToken sets the token of the session within which the request should be sent.
+func (x *commonObjectPrm) SetSessionToken(tok *session.Object) {
+	x.sessionToken = tok
+}

cmd/frostfs-cli/internal/client/sdk.go

@@ -0,0 +1,96 @@
+package internal
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"errors"
+	"fmt"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/pkg/network"
+	"github.com/TrueCloudLab/frostfs-sdk-go/client"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var errInvalidEndpoint = errors.New("provided RPC endpoint is incorrect")
+
+// GetSDKClientByFlag returns default frostfs-sdk-go client using the specified flag for the address.
+// On error, outputs to stderr of cmd and exits with non-zero code.
+func GetSDKClientByFlag(cmd *cobra.Command, key *ecdsa.PrivateKey, endpointFlag string) *client.Client {
+	cli, err := getSDKClientByFlag(cmd, key, endpointFlag)
+	if err != nil {
+		commonCmd.ExitOnErr(cmd, "can't create API client: %w", err)
+	}
+	return cli
+}
+
+func getSDKClientByFlag(cmd *cobra.Command, key *ecdsa.PrivateKey, endpointFlag string) (*client.Client, error) {
+	var addr network.Address
+
+	err := addr.FromString(viper.GetString(endpointFlag))
+	if err != nil {
+		return nil, fmt.Errorf("%v: %w", errInvalidEndpoint, err)
+	}
+	return GetSDKClient(cmd, key, addr)
+}
+
+// GetSDKClient returns default frostfs-sdk-go client.
+func GetSDKClient(cmd *cobra.Command, key *ecdsa.PrivateKey, addr network.Address) (*client.Client, error) {
+	var (
+		c       client.Client
+		prmInit client.PrmInit
+		prmDial client.PrmDial
+	)
+
+	prmInit.SetDefaultPrivateKey(*key)
+	prmInit.ResolveNeoFSFailures()
+	prmDial.SetServerURI(addr.URIAddr())
+	if timeout := viper.GetDuration(commonflags.Timeout); timeout > 0 {
+		// In CLI we can only set a timeout for the whole operation.
+		// By also setting stream timeout we ensure that no operation hands
+		// for too long.
+		prmDial.SetTimeout(timeout)
+		prmDial.SetStreamTimeout(timeout)
+
+		common.PrintVerbose(cmd, "Set request timeout to %s.", timeout)
+	}
+
+	c.Init(prmInit)
+
+	if err := c.Dial(prmDial); err != nil {
+		return nil, fmt.Errorf("can't init SDK client: %w", err)
+	}
+
+	return &c, nil
+}
+
+// GetCurrentEpoch returns current epoch.
+func GetCurrentEpoch(ctx context.Context, cmd *cobra.Command, endpoint string) (uint64, error) {
+	var addr network.Address
+
+	if err := addr.FromString(endpoint); err != nil {
+		return 0, fmt.Errorf("can't parse RPC endpoint: %w", err)
+	}
+
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return 0, fmt.Errorf("can't generate key to sign query: %w", err)
+	}
+
+	c, err := GetSDKClient(cmd, key, addr)
+	if err != nil {
+		return 0, err
+	}
+
+	ni, err := c.NetworkInfo(ctx, client.PrmNetworkInfo{})
+	if err != nil {
+		return 0, err
+	}
+
+	return ni.Info().CurrentEpoch(), nil
+}

cmd/frostfs-cli/internal/common/eacl.go

@@ -0,0 +1,50 @@
+package common
+
+import (
+	"errors"
+	"os"
+
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/pkg/core/version"
+	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	versionSDK "github.com/TrueCloudLab/frostfs-sdk-go/version"
+	"github.com/spf13/cobra"
+)
+
+var errUnsupportedEACLFormat = errors.New("unsupported eACL format")
+
+// ReadEACL reads extended ACL table from eaclPath.
+func ReadEACL(cmd *cobra.Command, eaclPath string) *eacl.Table {
+	_, err := os.Stat(eaclPath) // check if `eaclPath` is an existing file
+	if err != nil {
+		commonCmd.ExitOnErr(cmd, "", errors.New("incorrect path to file with EACL"))
+	}
+
+	PrintVerbose(cmd, "Reading EACL from file: %s", eaclPath)
+
+	data, err := os.ReadFile(eaclPath)
+	commonCmd.ExitOnErr(cmd, "can't read file with EACL: %w", err)
+
+	table := eacl.NewTable()
+
+	if err = table.UnmarshalJSON(data); err == nil {
+		validateAndFixEACLVersion(table)
+		PrintVerbose(cmd, "Parsed JSON encoded EACL table")
+		return table
+	}
+
+	if err = table.Unmarshal(data); err == nil {
+		validateAndFixEACLVersion(table)
+		PrintVerbose(cmd, "Parsed binary encoded EACL table")
+		return table
+	}
+
+	commonCmd.ExitOnErr(cmd, "", errUnsupportedEACLFormat)
+	return nil
+}
+
+func validateAndFixEACLVersion(table *eacl.Table) {
+	if !version.IsValid(table.Version()) {
+		table.SetVersion(versionSDK.Current())
+	}
+}

cmd/frostfs-cli/internal/common/epoch.go

@@ -0,0 +1,28 @@
+package common
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/spf13/cobra"
+)
+
+// ParseEpoch parses epoch argument. Second return value is true if
+// the specified epoch is relative, and false otherwise.
+func ParseEpoch(cmd *cobra.Command, flag string) (uint64, bool, error) {
+	s, _ := cmd.Flags().GetString(flag)
+	if len(s) == 0 {
+		return 0, false, nil
+	}
+
+	relative := s[0] == '+'
+	if relative {
+		s = s[1:]
+	}
+
+	epoch, err := strconv.ParseUint(s, 10, 64)
+	if err != nil {
+		return 0, relative, fmt.Errorf("can't parse epoch for %s argument: %w", flag, err)
+	}
+	return epoch, relative, nil
+}

cmd/frostfs-cli/internal/common/json.go

@@ -0,0 +1,23 @@
+package common
+
+import (
+	"bytes"
+	"encoding/json"
+
+	"github.com/spf13/cobra"
+)
+
+// PrettyPrintJSON prints m as an indented JSON to the cmd output.
+func PrettyPrintJSON(cmd *cobra.Command, m json.Marshaler, entity string) {
+	data, err := m.MarshalJSON()
+	if err != nil {
+		PrintVerbose(cmd, "Can't convert %s to json: %w", entity, err)
+		return
+	}
+	buf := new(bytes.Buffer)
+	if err := json.Indent(buf, data, "", "  "); err != nil {
+		PrintVerbose(cmd, "Can't pretty print json: %w", err)
+		return
+	}
+	cmd.Println(buf)
+}

cmd/frostfs-cli/internal/common/token.go

@@ -0,0 +1,67 @@
+package common
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-sdk-go/bearer"
+	"github.com/spf13/cobra"
+)
+
+// ReadBearerToken reads bearer token from the path provided in a specified flag.
+func ReadBearerToken(cmd *cobra.Command, flagname string) *bearer.Token {
+	path, err := cmd.Flags().GetString(flagname)
+	commonCmd.ExitOnErr(cmd, "", err)
+
+	if len(path) == 0 {
+		return nil
+	}
+
+	PrintVerbose(cmd, "Reading bearer token from file [%s]...", path)
+
+	var tok bearer.Token
+
+	err = ReadBinaryOrJSON(cmd, &tok, path)
+	commonCmd.ExitOnErr(cmd, "invalid bearer token: %v", err)
+
+	return &tok
+}
+
+// BinaryOrJSON is an interface of entities which provide json.Unmarshaler
+// and FrostFS binary decoder.
+type BinaryOrJSON interface {
+	Unmarshal([]byte) error
+	json.Unmarshaler
+}
+
+// ReadBinaryOrJSON reads file data using provided path and decodes
+// BinaryOrJSON from the data.
+func ReadBinaryOrJSON(cmd *cobra.Command, dst BinaryOrJSON, fPath string) error {
+	PrintVerbose(cmd, "Reading file [%s]...", fPath)
+
+	// try to read session token from file
+	data, err := os.ReadFile(fPath)
+	if err != nil {
+		return fmt.Errorf("read file <%s>: %w", fPath, err)
+	}
+
+	PrintVerbose(cmd, "Trying to decode binary...")
+
+	err = dst.Unmarshal(data)
+	if err != nil {
+		PrintVerbose(cmd, "Failed to decode binary: %v", err)
+
+		PrintVerbose(cmd, "Trying to decode JSON...")
+
+		err = dst.UnmarshalJSON(data)
+		if err != nil {
+			PrintVerbose(cmd, "Failed to decode JSON: %v", err)
+			return errors.New("invalid format")
+		}
+	}
+
+	return nil
+}

cmd/frostfs-cli/internal/common/verbose.go

@@ -0,0 +1,46 @@
+package common
+
+import (
+	"encoding/hex"
+	"strconv"
+	"time"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/TrueCloudLab/frostfs-sdk-go/checksum"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+// PrintVerbose prints to the stdout if the commonflags.Verbose flag is on.
+func PrintVerbose(cmd *cobra.Command, format string, a ...any) {
+	if viper.GetBool(commonflags.Verbose) {
+		cmd.Printf(format+"\n", a...)
+	}
+}
+
+// PrettyPrintUnixTime interprets s as unix timestamp and prints it as
+// a date. Is s is invalid, "malformed" is returned.
+func PrettyPrintUnixTime(s string) string {
+	unixTime, err := strconv.ParseInt(s, 10, 64)
+	if err != nil {
+		return "malformed"
+	}
+
+	timestamp := time.Unix(unixTime, 0)
+
+	return timestamp.String()
+}
+
+// PrintChecksum prints checksum.
+func PrintChecksum(cmd *cobra.Command, name string, recv func() (checksum.Checksum, bool)) {
+	var strVal string
+
+	cs, csSet := recv()
+	if csSet {
+		strVal = hex.EncodeToString(cs.Value())
+	} else {
+		strVal = "<empty>"
+	}
+
+	cmd.Printf("%s: %s\n", name, strVal)
+}

cmd/frostfs-cli/internal/commonflags/api.go

@@ -0,0 +1,33 @@
+package commonflags
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	TTL          = "ttl"
+	TTLShorthand = ""
+	TTLDefault   = 2
+	TTLUsage     = "TTL value in request meta header"
+
+	XHeadersKey       = "xhdr"
+	XHeadersShorthand = "x"
+	XHeadersUsage     = "Request X-Headers in form of Key=Value"
+)
+
+// InitAPI inits common flags for storage node services.
+func InitAPI(cmd *cobra.Command) {
+	ff := cmd.Flags()
+
+	ff.StringSliceP(XHeadersKey, XHeadersShorthand, []string{}, XHeadersUsage)
+	ff.Uint32P(TTL, TTLShorthand, TTLDefault, TTLUsage)
+}
+
+// BindAPI binds API flags of storage node services to the viper.
+func BindAPI(cmd *cobra.Command) {
+	ff := cmd.Flags()
+
+	_ = viper.BindPFlag(TTL, ff.Lookup(TTL))
+	_ = viper.BindPFlag(XHeadersKey, ff.Lookup(XHeadersKey))
+}

cmd/frostfs-cli/internal/commonflags/expiration.go

@@ -0,0 +1,9 @@
+package commonflags
+
+const (
+	// ExpireAt is a flag for setting last epoch of an object or a token.
+	ExpireAt = "expire-at"
+	// Lifetime is a flag for setting the lifetime of an object or a token,
+	// starting from the current epoch.
+	Lifetime = "lifetime"
+)

cmd/frostfs-cli/internal/commonflags/flags.go

@@ -0,0 +1,84 @@
+package commonflags
+
+import (
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+// Common CLI flag keys, shorthands, default
+// values and their usage descriptions.
+const (
+	GenerateKey          = "generate-key"
+	generateKeyShorthand = "g"
+	generateKeyDefault   = false
+	generateKeyUsage     = "Generate new private key"
+
+	WalletPath          = "wallet"
+	WalletPathShorthand = "w"
+	WalletPathDefault   = ""
+	WalletPathUsage     = "Path to the wallet or binary key"
+
+	Account          = "address"
+	AccountShorthand = ""
+	AccountDefault   = ""
+	AccountUsage     = "Address of wallet account"
+
+	RPC          = "rpc-endpoint"
+	RPCShorthand = "r"
+	RPCDefault   = ""
+	RPCUsage     = "Remote node address (as 'multiaddr' or '<host>:<port>')"
+
+	Timeout          = "timeout"
+	TimeoutShorthand = "t"
+	TimeoutDefault   = 15 * time.Second
+	TimeoutUsage     = "Timeout for an operation"
+
+	Verbose          = "verbose"
+	VerboseShorthand = "v"
+	VerboseUsage     = "Verbose output"
+
+	ForceFlag          = "force"
+	ForceFlagShorthand = "f"
+
+	CIDFlag      = "cid"
+	CIDFlagUsage = "Container ID."
+
+	OIDFlag      = "oid"
+	OIDFlagUsage = "Object ID."
+)
+
+// Init adds common flags to the command:
+// - GenerateKey,
+// - WalletPath,
+// - Account,
+// - RPC,
+// - Timeout.
+func Init(cmd *cobra.Command) {
+	InitWithoutRPC(cmd)
+
+	ff := cmd.Flags()
+	ff.StringP(RPC, RPCShorthand, RPCDefault, RPCUsage)
+	ff.DurationP(Timeout, TimeoutShorthand, TimeoutDefault, TimeoutUsage)
+}
+
+// InitWithoutRPC is similar to Init but doesn't create the RPC flag.
+func InitWithoutRPC(cmd *cobra.Command) {
+	ff := cmd.Flags()
+
+	ff.BoolP(GenerateKey, generateKeyShorthand, generateKeyDefault, generateKeyUsage)
+	ff.StringP(WalletPath, WalletPathShorthand, WalletPathDefault, WalletPathUsage)
+	ff.StringP(Account, AccountShorthand, AccountDefault, AccountUsage)
+}
+
+// Bind binds common command flags to the viper.
+func Bind(cmd *cobra.Command) {
+	ff := cmd.Flags()
+
+	_ = viper.BindPFlag(GenerateKey, ff.Lookup(GenerateKey))
+	_ = viper.BindPFlag(WalletPath, ff.Lookup(WalletPath))
+	_ = viper.BindPFlag(Account, ff.Lookup(Account))
+	_ = viper.BindPFlag(RPC, ff.Lookup(RPC))
+	_ = viper.BindPFlag(Timeout, ff.Lookup(Timeout))
+}

cmd/frostfs-cli/internal/commonflags/json.go

@@ -0,0 +1,3 @@
+package commonflags
+
+const JSON = "json"

cmd/frostfs-cli/internal/commonflags/session.go

@@ -0,0 +1,19 @@
+package commonflags
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+)
+
+const SessionToken = "session"
+
+// InitSession registers SessionToken flag representing file path to the token of
+// the session with the given name. Supports FrostFS-binary and JSON files.
+func InitSession(cmd *cobra.Command, name string) {
+	cmd.Flags().String(
+		SessionToken,
+		"",
+		fmt.Sprintf("Filepath to a JSON- or binary-encoded token of the %s session", name),
+	)
+}

cmd/frostfs-cli/internal/key/key_test.go

@@ -1,29 +1,38 @@
-package cmd
+package key
 
 import (
 	"bytes"
-	"errors"
-	"io/ioutil"
+	"io"
 	"os"
-	"path"
 	"path/filepath"
 	"testing"
 
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
 	"github.com/nspcc-dev/neo-go/cli/input"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/term"
 )
 
-func Test_getKey(t *testing.T) {
+var testCmd = &cobra.Command{
+	Use:   "test",
+	Short: "test",
+	Run:   func(cmd *cobra.Command, args []string) {},
+}
+
+func Test_getOrGenerate(t *testing.T) {
 	dir := t.TempDir()
 
-	wallPath := path.Join(dir, "wallet.json")
+	wallPath := filepath.Join(dir, "wallet.json")
 	w, err := wallet.NewWallet(wallPath)
 	require.NoError(t, err)
 
+	badWallPath := filepath.Join(dir, "bad_wallet.json")
+	require.NoError(t, os.WriteFile(badWallPath, []byte("bad content"), os.ModePerm))
+
 	acc1, err := wallet.NewAccount()
 	require.NoError(t, err)
 	require.NoError(t, acc1.Encrypt("pass", keys.NEP2ScryptParams()))
@@ -35,12 +44,11 @@ func Test_getKey(t *testing.T) {
 	acc2.Default = true
 	w.AddAccount(acc2)
 	require.NoError(t, w.Save())
-	w.Close()
 
-	keyPath := path.Join(dir, "binary.key")
+	keyPath := filepath.Join(dir, "binary.key")
 	rawKey, err := keys.NewPrivateKey()
 	require.NoError(t, err)
-	require.NoError(t, ioutil.WriteFile(keyPath, rawKey.Bytes(), os.ModePerm))
+	require.NoError(t, os.WriteFile(keyPath, rawKey.Bytes(), os.ModePerm))
 
 	wifKey, err := keys.NewPrivateKey()
 	require.NoError(t, err)
@@ -53,55 +61,40 @@ func Test_getKey(t *testing.T) {
 	in := bytes.NewBuffer(nil)
 	input.Terminal = term.NewTerminal(input.ReadWriter{
 		Reader: in,
-		Writer: ioutil.Discard,
+		Writer: io.Discard,
 	}, "")
 
-	checkKeyError(t, filepath.Join(dir, "badfile"), errInvalidKey)
+	checkKeyError(t, filepath.Join(dir, "badfile"), ErrFs)
+	checkKeyError(t, badWallPath, ErrInvalidKey)
 
 	t.Run("wallet", func(t *testing.T) {
-		checkKeyError(t, wallPath, errInvalidPassword)
+		checkKeyError(t, wallPath, ErrInvalidPassword)
 
 		in.WriteString("invalid\r")
-		checkKeyError(t, wallPath, errInvalidPassword)
+		checkKeyError(t, wallPath, ErrInvalidPassword)
 
 		in.WriteString("pass\r")
 		checkKey(t, wallPath, acc2.PrivateKey()) // default account
 
-		viper.Set(address, acc1.Address)
+		viper.Set(commonflags.Account, acc1.Address)
 		in.WriteString("pass\r")
 		checkKey(t, wallPath, acc1.PrivateKey())
 
-		viper.Set(address, "not an address")
-		checkKeyError(t, wallPath, errInvalidAddress)
+		viper.Set(commonflags.Account, "not an address")
+		checkKeyError(t, wallPath, ErrInvalidAddress)
 
 		acc, err := wallet.NewAccount()
 		require.NoError(t, err)
-		viper.Set(address, acc.Address)
-		checkKeyError(t, wallPath, errInvalidAddress)
+		viper.Set(commonflags.Account, acc.Address)
+		checkKeyError(t, wallPath, ErrInvalidAddress)
 	})
 
 	t.Run("WIF", func(t *testing.T) {
-		checkKey(t, wifKey.WIF(), wifKey)
+		checkKeyError(t, wifKey.WIF(), ErrFs)
 	})
 
 	t.Run("NEP-2", func(t *testing.T) {
-		checkKeyError(t, nep2, errInvalidPassword)
-
-		in.WriteString("invalid\r")
-		checkKeyError(t, nep2, errInvalidPassword)
-
-		in.WriteString("pass\r")
-		checkKey(t, nep2, nep2Key)
-
-		t.Run("password from config", func(t *testing.T) {
-			viper.Set(password, "invalid")
-			in.WriteString("pass\r")
-			checkKeyError(t, nep2, errInvalidPassword)
-
-			viper.Set(password, "pass")
-			in.WriteString("invalid\r")
-			checkKey(t, nep2, nep2Key)
-		})
+		checkKeyError(t, nep2, ErrFs)
 	})
 
 	t.Run("raw key", func(t *testing.T) {
@@ -109,8 +102,8 @@ func Test_getKey(t *testing.T) {
 	})
 
 	t.Run("generate", func(t *testing.T) {
-		viper.Set(generateKey, true)
-		actual, err := getKey()
+		viper.Set(commonflags.GenerateKey, true)
+		actual, err := getOrGenerate(testCmd)
 		require.NoError(t, err)
 		require.NotNil(t, actual)
 		for _, p := range []*keys.PrivateKey{nep2Key, rawKey, wifKey, acc1.PrivateKey(), acc2.PrivateKey()} {
@@ -120,14 +113,14 @@ func Test_getKey(t *testing.T) {
 }
 
 func checkKeyError(t *testing.T, desc string, err error) {
-	viper.Set(walletPath, desc)
-	_, actualErr := getKey()
-	require.True(t, errors.Is(actualErr, err), "got: %v", actualErr)
+	viper.Set(commonflags.WalletPath, desc)
+	_, actualErr := getOrGenerate(testCmd)
+	require.ErrorIs(t, actualErr, err)
 }
 
 func checkKey(t *testing.T, desc string, expected *keys.PrivateKey) {
-	viper.Set(walletPath, desc)
-	actual, err := getKey()
+	viper.Set(commonflags.WalletPath, desc)
+	actual, err := getOrGenerate(testCmd)
 	require.NoError(t, err)
 	require.Equal(t, &expected.PrivateKey, actual)
 }

cmd/frostfs-cli/internal/key/raw.go

@@ -0,0 +1,62 @@
+package key
+
+import (
+	"crypto/ecdsa"
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var errCantGenerateKey = errors.New("can't generate new private key")
+
+// Get returns private key from wallet or binary file.
+// Ideally we want to touch file-system on the last step.
+// This function assumes that all flags were bind to viper in a `PersistentPreRun`.
+func Get(cmd *cobra.Command) *ecdsa.PrivateKey {
+	pk, err := get(cmd)
+	commonCmd.ExitOnErr(cmd, "can't fetch private key: %w", err)
+	return pk
+}
+
+func get(cmd *cobra.Command) (*ecdsa.PrivateKey, error) {
+	keyDesc := viper.GetString(commonflags.WalletPath)
+	data, err := os.ReadFile(keyDesc)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", ErrFs, err)
+	}
+
+	priv, err := keys.NewPrivateKeyFromBytes(data)
+	if err != nil {
+		w, err := wallet.NewWalletFromFile(keyDesc)
+		if err == nil {
+			return FromWallet(cmd, w, viper.GetString(commonflags.Account))
+		}
+		return nil, fmt.Errorf("%w: %v", ErrInvalidKey, err)
+	}
+	return &priv.PrivateKey, nil
+}
+
+// GetOrGenerate is similar to get but generates a new key if commonflags.GenerateKey is set.
+func GetOrGenerate(cmd *cobra.Command) *ecdsa.PrivateKey {
+	pk, err := getOrGenerate(cmd)
+	commonCmd.ExitOnErr(cmd, "can't fetch private key: %w", err)
+	return pk
+}
+
+func getOrGenerate(cmd *cobra.Command) (*ecdsa.PrivateKey, error) {
+	if viper.GetBool(commonflags.GenerateKey) {
+		priv, err := keys.NewPrivateKey()
+		if err != nil {
+			return nil, fmt.Errorf("%w: %v", errCantGenerateKey, err)
+		}
+		return &priv.PrivateKey, nil
+	}
+	return get(cmd)
+}

cmd/frostfs-cli/internal/key/wallet.go

@@ -0,0 +1,70 @@
+package key
+
+import (
+	"crypto/ecdsa"
+	"errors"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"github.com/nspcc-dev/neo-go/cli/flags"
+	"github.com/nspcc-dev/neo-go/cli/input"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/wallet"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+// Key-related errors.
+var (
+	ErrFs              = errors.New("unable to read file from given path")
+	ErrInvalidKey      = errors.New("provided key is incorrect, only wallet or binary key supported")
+	ErrInvalidAddress  = errors.New("--address option must be specified and valid")
+	ErrInvalidPassword = errors.New("invalid password for the encrypted key")
+)
+
+// FromWallet returns private key of the wallet account.
+func FromWallet(cmd *cobra.Command, w *wallet.Wallet, addrStr string) (*ecdsa.PrivateKey, error) {
+	var (
+		addr util.Uint160
+		err  error
+	)
+
+	if addrStr == "" {
+		common.PrintVerbose(cmd, "Using default wallet address")
+		addr = w.GetChangeAddress()
+	} else {
+		addr, err = flags.ParseAddress(addrStr)
+		if err != nil {
+			common.PrintVerbose(cmd, "Can't parse address: %s", addrStr)
+			return nil, ErrInvalidAddress
+		}
+	}
+
+	acc := w.GetAccount(addr)
+	if acc == nil {
+		common.PrintVerbose(cmd, "Can't find wallet account for %s", addrStr)
+		return nil, ErrInvalidAddress
+	}
+
+	pass, err := getPassword()
+	if err != nil {
+		common.PrintVerbose(cmd, "Can't read password: %v", err)
+		return nil, ErrInvalidPassword
+	}
+
+	if err := acc.Decrypt(pass, keys.NEP2ScryptParams()); err != nil {
+		common.PrintVerbose(cmd, "Can't decrypt account: %v", err)
+		return nil, ErrInvalidPassword
+	}
+
+	return &acc.PrivateKey().PrivateKey, nil
+}
+
+func getPassword() (string, error) {
+	// this check allows empty passwords
+	if viper.IsSet("password") {
+		return viper.GetString("password"), nil
+	}
+
+	return input.ReadPassword("Enter password > ")
+}

cmd/frostfs-cli/main.go

@@ -0,0 +1,7 @@
+package main
+
+import cmd "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules"
+
+func main() {
+	cmd.Execute()
+}

cmd/frostfs-cli/modules/accounting/balance.go

@@ -0,0 +1,70 @@
+package accounting
+
+import (
+	"math/big"
+
+	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/pkg/util/precision"
+	"github.com/TrueCloudLab/frostfs-sdk-go/accounting"
+	"github.com/TrueCloudLab/frostfs-sdk-go/user"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	ownerFlag = "owner"
+)
+
+var accountingBalanceCmd = &cobra.Command{
+	Use:   "balance",
+	Short: "Get internal balance of FrostFS account",
+	Long:  `Get internal balance of FrostFS account`,
+	Run: func(cmd *cobra.Command, args []string) {
+		var idUser user.ID
+
+		pk := key.GetOrGenerate(cmd)
+
+		balanceOwner, _ := cmd.Flags().GetString(ownerFlag)
+		if balanceOwner == "" {
+			user.IDFromKey(&idUser, pk.PublicKey)
+		} else {
+			commonCmd.ExitOnErr(cmd, "can't decode owner ID wallet address: %w", idUser.DecodeString(balanceOwner))
+		}
+
+		cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)
+
+		var prm internalclient.BalanceOfPrm
+		prm.SetClient(cli)
+		prm.SetAccount(idUser)
+
+		res, err := internalclient.BalanceOf(prm)
+		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+
+		// print to stdout
+		prettyPrintDecimal(cmd, res.Balance())
+	},
+}
+
+func initAccountingBalanceCmd() {
+	ff := accountingBalanceCmd.Flags()
+
+	ff.StringP(commonflags.WalletPath, commonflags.WalletPathShorthand, commonflags.WalletPathDefault, commonflags.WalletPathUsage)
+	ff.StringP(commonflags.Account, commonflags.AccountShorthand, commonflags.AccountDefault, commonflags.AccountUsage)
+	ff.StringP(commonflags.RPC, commonflags.RPCShorthand, commonflags.RPCDefault, commonflags.RPCUsage)
+	ff.String(ownerFlag, "", "owner of balance account (omit to use owner from private key)")
+}
+
+func prettyPrintDecimal(cmd *cobra.Command, decimal accounting.Decimal) {
+	if viper.GetBool(commonflags.Verbose) {
+		cmd.Println("value:", decimal.Value())
+		cmd.Println("precision:", decimal.Precision())
+	} else {
+		amountF8 := precision.Convert(decimal.Precision(), 8, big.NewInt(decimal.Value()))
+
+		cmd.Println(fixedn.ToString(amountF8, 8))
+	}
+}

cmd/frostfs-cli/modules/accounting/root.go

@@ -0,0 +1,27 @@
+package accounting
+
+import (
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+// Cmd represents the accounting command.
+var Cmd = &cobra.Command{
+	Use:   "accounting",
+	Short: "Operations with accounts and balances",
+	Long:  `Operations with accounts and balances`,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		flags := cmd.Flags()
+
+		_ = viper.BindPFlag(commonflags.WalletPath, flags.Lookup(commonflags.WalletPath))
+		_ = viper.BindPFlag(commonflags.Account, flags.Lookup(commonflags.Account))
+		_ = viper.BindPFlag(commonflags.RPC, flags.Lookup(commonflags.RPC))
+	},
+}
+
+func init() {
+	Cmd.AddCommand(accountingBalanceCmd)
+
+	initAccountingBalanceCmd()
+}

cmd/frostfs-cli/modules/acl/basic/print.go

@@ -0,0 +1,28 @@
+package basic
+
+import (
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-sdk-go/container/acl"
+	"github.com/spf13/cobra"
+)
+
+var printACLCmd = &cobra.Command{
+	Use:     "print",
+	Short:   "Pretty print basic ACL from the HEX representation",
+	Example: `frostfs-cli acl basic print 0x1C8C8CCC`,
+	Long: `Pretty print basic ACL from the HEX representation.
+Few roles have exclusive default access to set of operation, even if particular bit deny it.
+Container have access to the operations of the data replication mechanism:
+    Get, Head, Put, Search, Hash.
+InnerRing members are allowed to data audit ops only:
+    Get, Head, Hash, Search.`,
+	Run:  printACL,
+	Args: cobra.ExactArgs(1),
+}
+
+func printACL(cmd *cobra.Command, args []string) {
+	var bacl acl.Basic
+	commonCmd.ExitOnErr(cmd, "unable to parse basic acl: %w", bacl.DecodeString(args[0]))
+	util.PrettyPrintTableBACL(cmd, &bacl)
+}

cmd/frostfs-cli/modules/acl/basic/root.go

@@ -0,0 +1,14 @@
+package basic
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var Cmd = &cobra.Command{
+	Use:   "basic",
+	Short: "Operations with Basic Access Control Lists",
+}
+
+func init() {
+	Cmd.AddCommand(printACLCmd)
+}

cmd/frostfs-cli/modules/acl/extended/create.go

@@ -0,0 +1,127 @@
+package extended
+
+import (
+	"bytes"
+	"encoding/json"
+	"os"
+	"strings"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	cid "github.com/TrueCloudLab/frostfs-sdk-go/container/id"
+	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	"github.com/spf13/cobra"
+)
+
+var createCmd = &cobra.Command{
+	Use:   "create",
+	Short: "Create extended ACL from the text representation",
+	Long: `Create extended ACL from the text representation.
+
+Rule consist of these blocks: <action> <operation> [<filter1> ...] [<target1> ...]
+
+Action is 'allow' or 'deny'.
+
+Operation is an object service verb: 'get', 'head', 'put', 'search', 'delete', 'getrange', or 'getrangehash'.
+
+Filter consists of <typ>:<key><match><value>
+  Typ is 'obj' for object applied filter or 'req' for request applied filter. 
+  Key is a valid unicode string corresponding to object or request header key. 
+    Well-known system object headers start with '$Object:' prefix.
+    User defined headers start without prefix.
+    Read more about filter keys at github.com/TrueCloudLab/frostfs-api/blob/master/proto-docs/acl.md#message-eaclrecordfilter
+  Match is '=' for matching and '!=' for non-matching filter.
+  Value is a valid unicode string corresponding to object or request header value.
+
+Target is 
+  'user' for container owner, 
+  'system' for Storage nodes in container and Inner Ring nodes,
+  'others' for all other request senders, 
+  'pubkey:<key1>,<key2>,...' for exact request sender, where <key> is a hex-encoded 33-byte public key.
+
+When both '--rule' and '--file' arguments are used, '--rule' records will be placed higher in resulting extended ACL table.
+`,
+	Example: `frostfs-cli acl extended create --cid EutHBsdT1YCzHxjCfQHnLPL1vFrkSyLSio4vkphfnEk -f rules.txt --out table.json
+frostfs-cli acl extended create --cid EutHBsdT1YCzHxjCfQHnLPL1vFrkSyLSio4vkphfnEk -r 'allow get obj:Key=Value others' -r 'deny put others'`,
+	Run: createEACL,
+}
+
+func init() {
+	createCmd.Flags().StringArrayP("rule", "r", nil, "Extended ACL table record to apply")
+	createCmd.Flags().StringP("file", "f", "", "Read list of extended ACL table records from text file")
+	createCmd.Flags().StringP("out", "o", "", "Save JSON formatted extended ACL table in file")
+	createCmd.Flags().StringP(commonflags.CIDFlag, "", "", commonflags.CIDFlagUsage)
+
+	_ = cobra.MarkFlagFilename(createCmd.Flags(), "file")
+	_ = cobra.MarkFlagFilename(createCmd.Flags(), "out")
+}
+
+func createEACL(cmd *cobra.Command, _ []string) {
+	rules, _ := cmd.Flags().GetStringArray("rule")
+	fileArg, _ := cmd.Flags().GetString("file")
+	outArg, _ := cmd.Flags().GetString("out")
+	cidArg, _ := cmd.Flags().GetString(commonflags.CIDFlag)
+
+	var containerID cid.ID
+	if cidArg != "" {
+		if err := containerID.DecodeString(cidArg); err != nil {
+			cmd.PrintErrf("invalid container ID: %v\n", err)
+			os.Exit(1)
+		}
+	}
+
+	rulesFile, err := getRulesFromFile(fileArg)
+	if err != nil {
+		cmd.PrintErrf("can't read rules from file: %v\n", err)
+		os.Exit(1)
+	}
+
+	rules = append(rules, rulesFile...)
+	if len(rules) == 0 {
+		cmd.PrintErrln("no extended ACL rules has been provided")
+		os.Exit(1)
+	}
+
+	tb := eacl.NewTable()
+	commonCmd.ExitOnErr(cmd, "unable to parse provided rules: %w", util.ParseEACLRules(tb, rules))
+
+	tb.SetCID(containerID)
+
+	data, err := tb.MarshalJSON()
+	if err != nil {
+		cmd.PrintErrln(err)
+		os.Exit(1)
+	}
+
+	buf := new(bytes.Buffer)
+	err = json.Indent(buf, data, "", "  ")
+	if err != nil {
+		cmd.PrintErrln(err)
+		os.Exit(1)
+	}
+
+	if len(outArg) == 0 {
+		cmd.Println(buf)
+		return
+	}
+
+	err = os.WriteFile(outArg, buf.Bytes(), 0644)
+	if err != nil {
+		cmd.PrintErrln(err)
+		os.Exit(1)
+	}
+}
+
+func getRulesFromFile(filename string) ([]string, error) {
+	if len(filename) == 0 {
+		return nil, nil
+	}
+
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	return strings.Split(strings.TrimSpace(string(data)), "\n"), nil
+}

cmd/frostfs-cli/modules/acl/extended/create_test.go

@@ -1,10 +1,10 @@
 package extended
 
 import (
-	"strings"
 	"testing"
 
-	"github.com/nspcc-dev/neofs-sdk-go/eacl"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
 	"github.com/stretchr/testify/require"
 )
 
@@ -63,8 +63,7 @@ func TestParseTable(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			ss := strings.Split(test.rule, " ")
-			err := parseTable(eaclTable, ss)
+			err := util.ParseEACLRule(eaclTable, test.rule)
 			ok := len(test.jsonRecord) > 0
 			require.Equal(t, ok, err == nil, err)
 			if ok {
@@ -74,7 +73,7 @@ func TestParseTable(t *testing.T) {
 
 				actualRecord := eaclTable.Records()[len(eaclTable.Records())-1]
 
-				equalRecords(t, expectedRecord, actualRecord)
+				equalRecords(t, expectedRecord, &actualRecord)
 			}
 		})
 	}

cmd/frostfs-cli/modules/acl/extended/print.go

@@ -0,0 +1,38 @@
+package extended
+
+import (
+	"os"
+	"strings"
+
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/util"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	"github.com/spf13/cobra"
+)
+
+var printEACLCmd = &cobra.Command{
+	Use:   "print",
+	Short: "Pretty print extended ACL from the file(in text or json format) or for given container.",
+	Run:   printEACL,
+}
+
+func init() {
+	flags := printEACLCmd.Flags()
+	flags.StringP("file", "f", "",
+		"Read list of extended ACL table records from text or json file")
+	_ = printEACLCmd.MarkFlagRequired("file")
+}
+
+func printEACL(cmd *cobra.Command, _ []string) {
+	file, _ := cmd.Flags().GetString("file")
+	eaclTable := new(eacl.Table)
+	data, err := os.ReadFile(file)
+	commonCmd.ExitOnErr(cmd, "can't read file with EACL: %w", err)
+	if strings.HasSuffix(file, ".json") {
+		commonCmd.ExitOnErr(cmd, "unable to parse json: %w", eaclTable.UnmarshalJSON(data))
+	} else {
+		rules := strings.Split(strings.TrimSpace(string(data)), "\n")
+		commonCmd.ExitOnErr(cmd, "can't parse file with EACL: %w", util.ParseEACLRules(eaclTable, rules))
+	}
+	util.PrettyPrintTableEACL(cmd, eaclTable)
+}

cmd/frostfs-cli/modules/acl/extended/root.go

@@ -1,6 +1,8 @@
 package extended
 
-import "github.com/spf13/cobra"
+import (
+	"github.com/spf13/cobra"
+)
 
 var Cmd = &cobra.Command{
 	Use:   "extended",
@@ -9,4 +11,5 @@ var Cmd = &cobra.Command{
 
 func init() {
 	Cmd.AddCommand(createCmd)
+	Cmd.AddCommand(printEACLCmd)
 }

cmd/frostfs-cli/modules/acl/root.go

@@ -1,7 +1,8 @@
 package acl
 
 import (
-	"github.com/nspcc-dev/neofs-node/cmd/neofs-cli/modules/acl/extended"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/acl/basic"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/modules/acl/extended"
 	"github.com/spf13/cobra"
 )
 
@@ -12,4 +13,5 @@ var Cmd = &cobra.Command{
 
 func init() {
 	Cmd.AddCommand(extended.Cmd)
+	Cmd.AddCommand(basic.Cmd)
 }

cmd/frostfs-cli/modules/bearer/create.go

@@ -0,0 +1,126 @@
+package bearer
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"time"
+
+	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-sdk-go/bearer"
+	eaclSDK "github.com/TrueCloudLab/frostfs-sdk-go/eacl"
+	"github.com/TrueCloudLab/frostfs-sdk-go/user"
+	"github.com/spf13/cobra"
+)
+
+const (
+	eaclFlag           = "eacl"
+	issuedAtFlag       = "issued-at"
+	notValidBeforeFlag = "not-valid-before"
+	ownerFlag          = "owner"
+	outFlag            = "out"
+	jsonFlag           = commonflags.JSON
+)
+
+var createCmd = &cobra.Command{
+	Use:   "create",
+	Short: "Create bearer token",
+	Long: `Create bearer token.
+
+All epoch flags can be specified relative to the current epoch with the +n syntax.
+In this case --` + commonflags.RPC + ` flag should be specified and the epoch in bearer token
+is set to current epoch + n.
+`,
+	Run: createToken,
+}
+
+func init() {
+	createCmd.Flags().StringP(eaclFlag, "e", "", "Path to the extended ACL table")
+	createCmd.Flags().StringP(issuedAtFlag, "i", "", "Epoch to issue token at")
+	createCmd.Flags().StringP(notValidBeforeFlag, "n", "", "Not valid before epoch")
+	createCmd.Flags().StringP(commonflags.ExpireAt, "x", "", "The last active epoch for the token")
+	createCmd.Flags().StringP(ownerFlag, "o", "", "Token owner")
+	createCmd.Flags().String(outFlag, "", "File to write token to")
+	createCmd.Flags().Bool(jsonFlag, false, "Output token in JSON")
+	createCmd.Flags().StringP(commonflags.RPC, commonflags.RPCShorthand, commonflags.RPCDefault, commonflags.RPCUsage)
+
+	_ = cobra.MarkFlagFilename(createCmd.Flags(), eaclFlag)
+
+	_ = cobra.MarkFlagRequired(createCmd.Flags(), issuedAtFlag)
+	_ = cobra.MarkFlagRequired(createCmd.Flags(), notValidBeforeFlag)
+	_ = cobra.MarkFlagRequired(createCmd.Flags(), commonflags.ExpireAt)
+	_ = cobra.MarkFlagRequired(createCmd.Flags(), ownerFlag)
+	_ = cobra.MarkFlagRequired(createCmd.Flags(), outFlag)
+}
+
+func createToken(cmd *cobra.Command, _ []string) {
+	iat, iatRelative, err := common.ParseEpoch(cmd, issuedAtFlag)
+	commonCmd.ExitOnErr(cmd, "can't parse --"+issuedAtFlag+" flag: %w", err)
+
+	exp, expRelative, err := common.ParseEpoch(cmd, commonflags.ExpireAt)
+	commonCmd.ExitOnErr(cmd, "can't parse --"+commonflags.ExpireAt+" flag: %w", err)
+
+	nvb, nvbRelative, err := common.ParseEpoch(cmd, notValidBeforeFlag)
+	commonCmd.ExitOnErr(cmd, "can't parse --"+notValidBeforeFlag+" flag: %w", err)
+
+	if iatRelative || expRelative || nvbRelative {
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
+		defer cancel()
+
+		endpoint, _ := cmd.Flags().GetString(commonflags.RPC)
+		currEpoch, err := internalclient.GetCurrentEpoch(ctx, cmd, endpoint)
+		commonCmd.ExitOnErr(cmd, "can't fetch current epoch: %w", err)
+
+		if iatRelative {
+			iat += currEpoch
+		}
+		if expRelative {
+			exp += currEpoch
+		}
+		if nvbRelative {
+			nvb += currEpoch
+		}
+	}
+	if exp < nvb {
+		commonCmd.ExitOnErr(cmd, "",
+			fmt.Errorf("expiration epoch is less than not-valid-before epoch: %d < %d", exp, nvb))
+	}
+
+	ownerStr, _ := cmd.Flags().GetString(ownerFlag)
+
+	var ownerID user.ID
+	commonCmd.ExitOnErr(cmd, "can't parse recipient: %w", ownerID.DecodeString(ownerStr))
+
+	var b bearer.Token
+	b.SetExp(exp)
+	b.SetNbf(nvb)
+	b.SetIat(iat)
+	b.ForUser(ownerID)
+
+	eaclPath, _ := cmd.Flags().GetString(eaclFlag)
+	if eaclPath != "" {
+		table := eaclSDK.NewTable()
+		raw, err := os.ReadFile(eaclPath)
+		commonCmd.ExitOnErr(cmd, "can't read extended ACL file: %w", err)
+		commonCmd.ExitOnErr(cmd, "can't parse extended ACL: %w", json.Unmarshal(raw, table))
+		b.SetEACLTable(*table)
+	}
+
+	var data []byte
+
+	toJSON, _ := cmd.Flags().GetBool(jsonFlag)
+	if toJSON {
+		data, err = json.Marshal(b)
+		commonCmd.ExitOnErr(cmd, "can't mashal token to JSON: %w", err)
+	} else {
+		data = b.Marshal()
+	}
+
+	out, _ := cmd.Flags().GetString(outFlag)
+	err = os.WriteFile(out, data, 0644)
+	commonCmd.ExitOnErr(cmd, "can't write token to file: %w", err)
+}

cmd/frostfs-cli/modules/bearer/root.go

@@ -0,0 +1,14 @@
+package bearer
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var Cmd = &cobra.Command{
+	Use:   "bearer",
+	Short: "Operations with bearer token",
+}
+
+func init() {
+	Cmd.AddCommand(createCmd)
+}

cmd/frostfs-cli/modules/completion.go

@@ -0,0 +1,9 @@
+package cmd
+
+import (
+	"github.com/TrueCloudLab/frostfs-node/pkg/util/autocomplete"
+)
+
+func init() {
+	rootCmd.AddCommand(autocomplete.Command("frostfs-cli"))
+}

cmd/frostfs-cli/modules/container/create.go

@@ -0,0 +1,229 @@
+package container
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	containerApi "github.com/TrueCloudLab/frostfs-api-go/v2/container"
+	internalclient "github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
+	"github.com/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
+	commonCmd "github.com/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/TrueCloudLab/frostfs-sdk-go/container"
+	"github.com/TrueCloudLab/frostfs-sdk-go/container/acl"
+	"github.com/TrueCloudLab/frostfs-sdk-go/netmap"
+	subnetid "github.com/TrueCloudLab/frostfs-sdk-go/subnet/id"
+	"github.com/TrueCloudLab/frostfs-sdk-go/user"
+	"github.com/spf13/cobra"
+)
+
+var (
+	containerACL         string
+	containerPolicy      string
+	containerAttributes  []string
+	containerAwait       bool
+	containerName        string
+	containerNnsName     string
+	containerNnsZone     string
+	containerNoTimestamp bool
+	containerSubnet      string
+	force                bool
+)
+
+var createContainerCmd = &cobra.Command{
+	Use:   "create",
+	Short: "Create new container",
+	Long: `Create new container and register it in the FrostFS. 
+It will be stored in sidechain when inner ring will accepts it.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		placementPolicy, err := parseContainerPolicy(cmd, containerPolicy)
+		commonCmd.ExitOnErr(cmd, "", err)
+
+		key := key.Get(cmd)
+		cli := internalclient.GetSDKClientByFlag(cmd, key, commonflags.RPC)
+
+		if !force {
+			var prm internalclient.NetMapSnapshotPrm
+			prm.SetClient(cli)
+
+			resmap, err := internalclient.NetMapSnapshot(prm)
+			commonCmd.ExitOnErr(cmd, "unable to get netmap snapshot to validate container placement, "+
+				"use --force option to skip this check: %w", err)
+
+			nodesByRep, err := resmap.NetMap().ContainerNodes(*placementPolicy, nil)
+			commonCmd.ExitOnErr(cmd, "could not build container nodes based on given placement policy, "+
+				"use --force option to skip this check: %w", err)
+
+			for i, nodes := range nodesByRep {
+				if placementPolicy.ReplicaNumberByIndex(i) > uint32(len(nodes)) {
+					commonCmd.ExitOnErr(cmd, "", fmt.Errorf(
+						"the number of nodes '%d' in selector is not enough for the number of replicas '%d', "+
+							"use --force option to skip this check",
+						len(nodes),
+						placementPolicy.ReplicaNumberByIndex(i),
+					))
+				}
+			}
+		}
+
+		if containerSubnet != "" {
+			var subnetID subnetid.ID
+
+			err = subnetID.DecodeString(containerSubnet)
+			commonCmd.ExitOnErr(cmd, "could not parse subnetID: %w", err)
+
+			placementPolicy.RestrictSubnet(subnetID)
+		}
+
+		var cnr container.Container
+		cnr.Init()
+
+		err = parseAttributes(&cnr, containerAttributes)
+		commonCmd.ExitOnErr(cmd, "", err)
+
+		var basicACL acl.Basic
+		commonCmd.ExitOnErr(cmd, "decode basic ACL string: %w", basicACL.DecodeString(containerACL))
+
+		tok := getSession(cmd)
+
+		if tok != nil {
+			issuer := tok.Issuer()
+			cnr.SetOwner(issuer)
+		} else {
+			var idOwner user.ID
+			user.IDFromKey(&idOwner, key.PublicKey)
+
+			cnr.SetOwner(idOwner)
+		}
+
+		cnr.SetPlacementPolicy(*placementPolicy)
+		cnr.SetBasicACL(basicACL)
+
+		var syncContainerPrm internalclient.SyncContainerPrm
+		syncContainerPrm.SetClient(cli)
+		syncContainerPrm.SetContainer(&cnr)
+
+		_, err = internalclient.SyncContainerSettings(syncContainerPrm)
+		commonCmd.ExitOnErr(cmd, "syncing container's settings rpc error: %w", err)
+
+		var putPrm internalclient.PutContainerPrm
+		putPrm.SetClient(cli)
+		putPrm.SetContainer(cnr)
+
+		if tok != nil {
+			putPrm.WithinSession(*tok)
+		}
+
+		res, err := internalclient.PutContainer(putPrm)
+		commonCmd.ExitOnErr(cmd, "put container rpc error: %w", err)
+
+		id := res.ID()
+
+		cmd.Println("container ID:", id)
+
+		if containerAwait {
+			cmd.Println("awaiting...")
+
+			var getPrm internalclient.GetContainerPrm
+			getPrm.SetClient(cli)
+			getPrm.SetContainer(id)
+
+			for i := 0; i < awaitTimeout; i++ {
+				time.Sleep(1 * time.Second)
+
+				_, err := internalclient.GetContainer(getPrm)
+				if err == nil {
+					cmd.Println("container has been persisted on sidechain")
+					return
+				}
+			}
+
+			commonCmd.ExitOnErr(cmd, "", errCreateTimeout)
+		}
+	},
+}
+
+func initContainerCreateCmd() {
+	flags := createContainerCmd.Flags()
+
+	// Init common flags
+	flags.StringP(commonflags.RPC, commonflags.RPCShorthand, commonflags.RPCDefault, commonflags.RPCUsage)
+	flags.DurationP(commonflags.Timeout, commonflags.TimeoutShorthand, commonflags.TimeoutDefault, commonflags.TimeoutUsage)
+	flags.StringP(commonflags.WalletPath, commonflags.WalletPathShorthand, commonflags.WalletPathDefault, commonflags.WalletPathUsage)
+	flags.StringP(commonflags.Account, commonflags.AccountShorthand, commonflags.AccountDefault, commonflags.AccountUsage)
+
+	flags.StringVar(&containerACL, "basic-acl", acl.NamePrivate, fmt.Sprintf("HEX encoded basic ACL value or keywords like '%s', '%s', '%s'",
+		acl.NamePublicRW, acl.NamePrivate, acl.NamePublicROExtended,
+	))
+	flags.StringVarP(&containerPolicy, "policy", "p", "", "QL-encoded or JSON-encoded placement policy or path to file with it")
+	flags.StringSliceVarP(&containerAttributes, "attributes", "a", nil, "Comma separated pairs of container attributes in form of Key1=Value1,Key2=Value2")
+	flags.BoolVar(&containerAwait, "await", false, "Block execution until container is persisted")
+	flags.StringVar(&containerName, "name", "", "Container name attribute")
+	flags.StringVar(&containerNnsName, "nns-name", "", "Container nns name attribute")
+	flags.StringVar(&containerNnsZone, "nns-zone", "", "Container nns zone attribute")
+	flags.BoolVar(&containerNoTimestamp, "disable-timestamp", false, "Disable timestamp container attribute")
+	flags.StringVar(&containerSubnet, "subnet", "", "String representation of container subnetwork")
+	flags.BoolVarP(&force, commonflags.ForceFlag, commonflags.ForceFlagShorthand, false,
+		"Skip placement validity check")
+}
+
+func parseContainerPolicy(cmd *cobra.Command, policyString string) (*netmap.PlacementPolicy, error) {
+	_, err := os.Stat(policyString) // check if `policyString` is a path to file with placement policy
+	if err == nil {
+		common.PrintVerbose(cmd, "Reading placement policy from file: %s", policyString)
+
+		data, err := os.ReadFile(policyString)
+		if err != nil {
+			return nil, fmt.Errorf("can't read file with placement policy: %w", err)
+		}
+
+		policyString = string(data)
+	}
+
+	var result netmap.PlacementPolicy
+
+	err = result.DecodeString(policyString)
+	if err == nil {
+		common.PrintVerbose(cmd, "Parsed QL encoded policy")
+		return &result, nil
+	}
+
+	if err = result.UnmarshalJSON([]byte(policyString)); err == nil {
+		common.PrintVerbose(cmd, "Parsed JSON encoded policy")
+		return &result, nil
+	}
+
+	return nil, errors.New("can't parse placement policy")
+}
+
+func parseAttributes(dst *container.Container, attributes []string) error {
+	for i := range attributes {
+		k, v, found := strings.Cut(attributes[i], attributeDelimiter)
+		if !found {
+			return errors.New("invalid container attribute")
+		}
+
+		dst.SetAttribute(k, v)
+	}
+
+	if !containerNoTimestamp {
+		container.SetCreationTime(dst, time.Now())
+	}
+
+	if containerName != "" {
+		container.SetName(dst, containerName)
+	}
+
+	if containerNnsName != "" {
+		dst.SetAttribute(containerApi.SysAttributeName, containerNnsName)
+	}
+	if containerNnsZone != "" {
+		dst.SetAttribute(containerApi.SysAttributeZone, containerNnsZone)
+	}
+
+	return nil
+}