relay sync1.1

[brianolson]

relay radical rehacking for sync1.1 induction firehose
drops all carstore code for keeping archive of all repos
drops all indexer code for running getRepo on all those repos
drops a bunch of other stuff that fell out being deprecated and unneeded.
adds sync1.1 protocol features for checking #commit.prevData and #sync
internally vendors a bunch of code that we should re-share back out to common code

formerly known as #951

[bnewbold]

got through some review. I still want to look at:

• the actual generated postgresql schemas. getting those right seems important. the gorm models are still spread through many files, seems like they could all be in cmd/relay/models/models.go?
• account state and lifecycle
• rate-limiting

it feels like there is still a lot of low-hanging fruit for code that could just be ripped out? eg, all the deprecated event types. there seemed to be a lot of config arguments which are not used.

I was surprised the disk persister is still used, instead of the pebble persister used in rainbow.

[bnewbold]

chunks of this README are out of date. maybe simpler to just leave it a couple lines in this PR, and I can update it in a follow-up?

[brianolson]

I re-read it just now and I think most of it is still valid and I deleted the obviously obsolete stuff.

[bnewbold]

same feedback as before: should this get cleared to 0 if the ping is successful?

(in this for loop)

[brianolson]

this is not the active code, see cmd/relay/events/consumer.go

[bnewbold]

if this doesn't impact the indigo:cmd/relay code, can you pull it out of this PR?

[bnewbold]

this only impacts the old bigsky, not the new relay, right? seems like we should minimize any changes to bigsky in this PR.

[brianolson]

yeah, I should probably rollback most of the changes outside of cmd/relay

[bnewbold]

should do a container-relay-ghcr CI action as well; we will remove the bigsky GHCR soon so it won't be a net increase in container builds

[bnewbold]

is there still sqlite support? I thought that got dropped

[brianolson]

it's not working right now because some transactions changed, but it's maybe not far off from being fixed?

[bnewbold]

we should at least be updating the metadata for the account (DID) here, right?

[bnewbold]

I think the rough expected behavior is:

• parse out the commit object
• verify the message matches the fields in the commit object
• fetch user metadata
  • if account isn't active, drop event
  • if rev is old/bad, drop event
• update user metadata with sync info
• emit the event

[bnewbold]

also account status throttled

[bnewbold]

I'm pretty sure we just don't / shouldn't have a concept of "tombstoned" accounts in the relay. If the DID is tombstoned, that is basically account status deleted

[brianolson]

yeah, old code, I basically haven't had time to update the account status flow yet, that part seemed to have been in flux up until last week

[bnewbold]

it looks like adding per-account rate-limits would currently mean a few slidingwindow.Limiter in-process for each of tens of millions of accounts (and growing). do you think that will scale, for us and for others (eg, with less RAM)? if they could expire out of memory, then the total number of counters could be more like "DAU" than "MAU".

the limits we have discussed are total bytes of data, and number of record ops, per account (DID). and then also the number of "expensive" events (like a #sync which is not a no-op; or an #identity event), or "broken" events (MST does not invert, for example).

---

overall account lifecycle state tracking:

• should store "local" account state as a string, not boolean flags
• if local state is "active', then default to upstream state (which may or may not be "active"). otherwise, use local state
• could store an "until" timestamp in account status, for temporary throttled situations

[bnewbold]

unique constraint on the domain?

[bnewbold]

can this just be merged on to the existing Users table? I guess this table has higher churn and it might be good to keep that separate

[brianolson]

yeah, that's my motivation. I think Postgres works better with the high churn on separate smaller rows from the relatively low-churn data.

[bnewbold]

I think a better column name would be good; data_cid? commit_data or commit_data_cid?

[bnewbold]

I think the rough expected behavior is:

• parse out the commit object
• verify the message matches the fields in the commit object
• fetch user metadata
  • if account isn't active, drop event
  • if rev is old/bad, drop event
• update user metadata with sync info
• emit the event

[bnewbold]

seems like a good time to rename this, can update comments around what it does.

[bnewbold]

I assume this is old code, maybe from the days when BGS had indexing and would "spider" to discover accounts? or if there is a bulk catch-up happening?

would be good if you could clarify what the expected behavior is here ("maybe this never happens").

[brianolson]

I did a bunch of reorg and commenting on this function as a whole and I think it's better now

[bnewbold]

I don't really understand the repo_count < repo_limit clause here... is this how account limits are enforced? the increment fails if the clause filters out the relevant row?

my intuition is that the account should be created (inserted), but with local account state "throttled", if the overall PDS is over quota. instead of silently being dropped; the later is hard for external folks to debug.

[brianolson]

there's a potential waste-our-storage attack for an evil PDS sending one event each from a zililon different DIDs; but aside from that I'd like your approach. We could try for both with limit and a hard limit? DIDs beyond the basic limit get #throttled, DIDs beyond the second limit get ignored?

[bnewbold]

I think you should split out these changes to function signatures (here, and indigo:mst and indigo:repo) to a separate PR, if they aren't touched by the indigo:cmd/relay code.