mirror of
https://source.quilibrium.com/quilibrium/ceremonyclient.git
synced 2025-01-24 14:45:17 +00:00
627 lines
27 KiB
Markdown
627 lines
27 KiB
Markdown
# The libp2p Network Resource Manager
|
||
|
||
This package contains the canonical implementation of the libp2p
|
||
Network Resource Manager interface.
|
||
|
||
The implementation is based on the concept of Resource Management
|
||
Scopes, whereby resource usage is constrained by a DAG of scopes,
|
||
accounting for multiple levels of resource constraints.
|
||
|
||
The Resource Manager doesn't prioritize resource requests at all, it simply
|
||
checks if the resource being requested is currently below the defined limits and
|
||
returns an error if the limit is reached. It has no notion of honest vs bad peers.
|
||
|
||
The Resource Manager does have a special notion of [allowlisted](#allowlisting-multiaddrs-to-mitigate-eclipse-attacks) multiaddrs that
|
||
have their own limits if the normal system limits are reached.
|
||
|
||
## Usage
|
||
|
||
The Resource Manager is intended to be used with go-libp2p. go-libp2p sets up a
|
||
resource manager with the default autoscaled limits if none is provided, but if
|
||
you want to configure things or if you want to enable metrics you'll use the
|
||
resource manager like so:
|
||
|
||
```go
|
||
// Start with the default scaling limits.
|
||
scalingLimits := rcmgr.DefaultLimits
|
||
|
||
// Add limits around included libp2p protocols
|
||
libp2p.SetDefaultServiceLimits(&scalingLimits)
|
||
|
||
// Turn the scaling limits into a concrete set of limits using `.AutoScale`. This
|
||
// scales the limits proportional to your system memory.
|
||
scaledDefaultLimits := scalingLimits.AutoScale()
|
||
|
||
// Tweak certain settings
|
||
cfg := rcmgr.PartialLimitConfig{
|
||
System: rcmgr.ResourceLimits{
|
||
// Allow unlimited outbound streams
|
||
StreamsOutbound: rcmgr.Unlimited,
|
||
},
|
||
// Everything else is default. The exact values will come from `scaledDefaultLimits` above.
|
||
}
|
||
|
||
// Create our limits by using our cfg and replacing the default values with values from `scaledDefaultLimits`
|
||
limits := cfg.Build(scaledDefaultLimits)
|
||
|
||
// The resource manager expects a limiter, se we create one from our limits.
|
||
limiter := rcmgr.NewFixedLimiter(limits)
|
||
|
||
// Metrics are enabled by default. If you want to disable metrics, use the
|
||
// WithMetricsDisabled option
|
||
// Initialize the resource manager
|
||
rm, err := rcmgr.NewResourceManager(limiter, rcmgr.WithMetricsDisabled())
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
|
||
// Create a libp2p host
|
||
host, err := libp2p.New(libp2p.ResourceManager(rm))
|
||
```
|
||
|
||
### Saving the limits config
|
||
The easiest way to save the defined limits is to serialize the `PartialLimitConfig`
|
||
type as JSON.
|
||
|
||
```go
|
||
noisyNeighbor, _ := peer.Decode("QmVvtzcZgCkMnSFf2dnrBPXrWuNFWNM9J3MpZQCvWPuVZf")
|
||
cfg := rcmgr.PartialLimitConfig{
|
||
System: &rcmgr.ResourceLimits{
|
||
// Allow unlimited outbound streams
|
||
StreamsOutbound: rcmgr.Unlimited,
|
||
},
|
||
Peer: map[peer.ID]rcmgr.ResourceLimits{
|
||
noisyNeighbor: {
|
||
// No inbound connections from this peer
|
||
ConnsInbound: rcmgr.BlockAllLimit,
|
||
// But let me open connections to them
|
||
Conns: rcmgr.DefaultLimit,
|
||
ConnsOutbound: rcmgr.DefaultLimit,
|
||
// No inbound streams from this peer
|
||
StreamsInbound: rcmgr.BlockAllLimit,
|
||
// And let me open unlimited (by me) outbound streams (the peer may have their own limits on me)
|
||
StreamsOutbound: rcmgr.Unlimited,
|
||
},
|
||
},
|
||
}
|
||
jsonBytes, _ := json.Marshal(&cfg)
|
||
|
||
// string(jsonBytes)
|
||
// {
|
||
// "System": {
|
||
// "StreamsOutbound": "unlimited"
|
||
// },
|
||
// "Peer": {
|
||
// "QmVvtzcZgCkMnSFf2dnrBPXrWuNFWNM9J3MpZQCvWPuVZf": {
|
||
// "StreamsInbound": "blockAll",
|
||
// "StreamsOutbound": "unlimited",
|
||
// "ConnsInbound": "blockAll"
|
||
// }
|
||
// }
|
||
// }
|
||
```
|
||
|
||
This will omit defaults from the JSON output. It will also serialize the
|
||
blockAll, and unlimited values explicitly.
|
||
|
||
The `Memory` field is serialized as a string to workaround the JSON limitation
|
||
of 32 bit integers (`Memory` is an int64).
|
||
|
||
## Basic Resources
|
||
|
||
### Memory
|
||
|
||
Perhaps the most fundamental resource is memory, and in particular
|
||
buffers used for network operations. The system must provide an
|
||
interface for components to reserve memory that accounts for buffers
|
||
(and possibly other live objects), which is scoped within the component.
|
||
Before a new buffer is allocated, the component should try a memory
|
||
reservation, which can fail if the resource limit is exceeded. It is
|
||
then up to the component to react to the error condition, depending on
|
||
the situation. For example, a muxer failing to grow a buffer in
|
||
response to a window change should simply retain the old buffer and
|
||
operate at perhaps degraded performance.
|
||
|
||
### File Descriptors
|
||
|
||
File descriptors are an important resource that uses memory (and
|
||
computational time) at the system level. They are also a scarce
|
||
resource, as typically (unless the user explicitly intervenes) they
|
||
are constrained by the system. Exhaustion of file descriptors may
|
||
render the application incapable of operating (e.g., because it is
|
||
unable to open a file). This is important for libp2p because most
|
||
operating systems represent sockets as file descriptors.
|
||
|
||
### Connections
|
||
|
||
Connections are a higher-level concept endemic to libp2p; in order to
|
||
communicate with another peer, a connection must first be
|
||
established. Connections are an important resource in libp2p, as they
|
||
consume memory, goroutines, and possibly file descriptors.
|
||
|
||
We distinguish between inbound and outbound connections, as the former
|
||
are initiated by remote peers and consume resources in response to
|
||
network events and thus need to be tightly controlled in order to
|
||
protect the application from overload or attack. Outbound
|
||
connections are typically initiated by the application's volition and
|
||
don't need to be controlled as tightly. However, outbound connections
|
||
still consume resources and may be initiated in response to network
|
||
events because of (potentially faulty) application logic, so they
|
||
still need to be constrained.
|
||
|
||
### Streams
|
||
|
||
Streams are the fundamental object of interaction in libp2p; all
|
||
protocol interactions happen through a stream that goes over some
|
||
connection. Streams are a fundamental resource in libp2p, as they
|
||
consume memory and goroutines at all levels of the stack.
|
||
|
||
Streams always belong to a peer, specify a protocol and they may
|
||
belong to some service in the system. Hence, this suggests that apart
|
||
from global limits, we can constrain stream usage at finer
|
||
granularity, at the protocol and service level.
|
||
|
||
Once again, we disinguish between inbound and outbound streams.
|
||
Inbound streams are initiated by remote peers and consume resources in
|
||
response to network events; controlling inbound stream usage is again
|
||
paramount for protecting the system from overload or attack.
|
||
Outbound streams are normally initiated by the application or some
|
||
service in the system in order to effect some protocol
|
||
interaction. However, they can also be initiated in response to
|
||
network events because of application or service logic, so we still
|
||
need to constrain them.
|
||
|
||
|
||
## Resource Scopes
|
||
|
||
The Resource Manager is based on the concept of resource
|
||
scopes. Resource Scopes account for resource usage that is temporally
|
||
delimited for the span of the scope. Resource Scopes conceptually
|
||
form a DAG, providing us with a mechanism to enforce multiresolution
|
||
resource accounting. Downstream resource usage is aggregated at scopes
|
||
higher up the graph.
|
||
|
||
The following diagram depicts the canonical scope graph:
|
||
```
|
||
System
|
||
+------------> Transient.............+................+
|
||
| . .
|
||
+------------> Service------------- . ----------+ .
|
||
| . | .
|
||
+-------------> Protocol----------- . ----------+ .
|
||
| . | .
|
||
+-------------->* Peer \/ | .
|
||
+------------> Connection | .
|
||
| \/ \/
|
||
+---------------------------> Stream
|
||
```
|
||
|
||
### The System Scope
|
||
|
||
The system scope is the top level scope that accounts for global
|
||
resource usage at all levels of the system. This scope nests and
|
||
constrains all other scopes and institutes global hard limits.
|
||
|
||
### The Transient Scope
|
||
|
||
The transient scope accounts for resources that are in the process of
|
||
full establishment. For instance, a new connection prior to the
|
||
handshake does not belong to any peer, but it still needs to be
|
||
constrained as this opens an avenue for attacks in transient resource
|
||
usage. Similarly, a stream that has not negotiated a protocol yet is
|
||
constrained by the transient scope.
|
||
|
||
The transient scope effectively represents a DMZ (DeMilitarized Zone),
|
||
where resource usage can be accounted for connections and streams that
|
||
are not fully established.
|
||
|
||
### The Allowlist System Scope
|
||
|
||
Same as the normal system scope above, but is used if the normal system scope is
|
||
already at its limits and the resource is from an allowlisted peer. See
|
||
[Allowlisting multiaddrs to mitigate eclipse
|
||
attacks](#allowlisting-multiaddrs-to-mitigate-eclipse-attacks) see for more
|
||
information.
|
||
|
||
### The Allowlist Transient Scope
|
||
|
||
Same as the normal transient scope above, but is used if the normal transient
|
||
scope is already at its limits and the resource is from an allowlisted peer. See
|
||
[Allowlisting multiaddrs to mitigate eclipse
|
||
attacks](#allowlisting-multiaddrs-to-mitigate-eclipse-attacks) see for more
|
||
information.
|
||
|
||
### Service Scopes
|
||
|
||
The system is typically organized across services, which may be
|
||
ambient and provide basic functionality to the system (e.g. identify,
|
||
autonat, relay, etc). Alternatively, services may be explicitly
|
||
instantiated by the application, and provide core components of its
|
||
functionality (e.g. pubsub, the DHT, etc).
|
||
|
||
Services are logical groupings of streams that implement protocol flow
|
||
and may additionally consume resources such as memory. Services
|
||
typically have at least one stream handler, so they are subject to
|
||
inbound stream creation and resource usage in response to network
|
||
events. As such, the system explicitly models them allowing for
|
||
isolated resource usage that can be tuned by the user.
|
||
|
||
### Protocol Scopes
|
||
|
||
Protocol Scopes account for resources at the protocol level. They are
|
||
an intermediate resource scope which can constrain streams which may
|
||
not have a service associated or for resource control within a
|
||
service. It also provides an opportunity for system operators to
|
||
explicitly restrict specific protocols.
|
||
|
||
For instance, a service that is not aware of the resource manager and
|
||
has not been ported to mark its streams, may still gain limits
|
||
transparently without any programmer intervention. Furthermore, the
|
||
protocol scope can constrain resource usage for services that
|
||
implement multiple protocols for the sake of backwards
|
||
compatibility. A tighter limit in some older protocol can protect the
|
||
application from resource consumption caused by legacy clients or
|
||
potential attacks.
|
||
|
||
For a concrete example, consider pubsub with the gossipsub router: the
|
||
service also understands the floodsub protocol for backwards
|
||
compatibility and support for unsophisticated clients that are lagging
|
||
in the implementation effort. By specifying a lower limit for the
|
||
floodsub protocol, we can can constrain the service level for legacy
|
||
clients using an inefficient protocol.
|
||
|
||
### Peer Scopes
|
||
|
||
The peer scope accounts for resource usage by an individual peer. This
|
||
constrains connections and streams and limits the blast radius of
|
||
resource consumption by a single remote peer.
|
||
|
||
This ensures that no single peer can use more resources than allowed
|
||
by the peer limits. Every peer has a default limit, but the programmer
|
||
may raise (or lower) limits for specific peers.
|
||
|
||
|
||
### Connection Scopes
|
||
|
||
The connection scope is delimited to the duration of a connection and
|
||
constrains resource usage by a single connection. The scope is a leaf
|
||
in the DAG, with a span that begins when a connection is established
|
||
and ends when the connection is closed. Its resources are aggregated
|
||
to the resource usage of a peer.
|
||
|
||
### Stream Scopes
|
||
|
||
The stream scope is delimited to the duration of a stream, and
|
||
constrains resource usage by a single stream. This scope is also a
|
||
leaf in the DAG, with span that begins when a stream is created and
|
||
ends when the stream is closed. Its resources are aggregated to the
|
||
resource usage of a peer, and constrained by a service and protocol
|
||
scope.
|
||
|
||
### User Transaction Scopes
|
||
|
||
User transaction scopes can be created as a child of any extant
|
||
resource scope, and provide the programmer with a delimited scope for
|
||
easy resource accounting. Transactions may form a tree that is rooted
|
||
to some canonical scope in the scope DAG.
|
||
|
||
For instance, a programmer may create a transaction scope within a
|
||
service that accounts for some control flow delimited resource
|
||
usage. Similarly, a programmer may create a transaction scope for some
|
||
interaction within a stream, e.g. a Request/Response interaction that
|
||
uses a buffer.
|
||
|
||
## Limits
|
||
|
||
Each resource scope has an associated limit object, which designates
|
||
limits for all [basic resources](#basic-resources). The limit is checked every time some
|
||
resource is reserved and provides the system with an opportunity to
|
||
constrain resource usage.
|
||
|
||
There are separate limits for each class of scope, allowing for
|
||
multiresolution and aggregate resource accounting. As such, we have
|
||
limits for the system and transient scopes, default and specific
|
||
limits for services, protocols, and peers, and limits for connections
|
||
and streams.
|
||
|
||
### Scaling Limits
|
||
|
||
When building software that is supposed to run on many different kind of machines,
|
||
with various memory and CPU configurations, it is desirable to have limits that
|
||
scale with the size of the machine.
|
||
|
||
This is done using the `ScalingLimitConfig`. For every scope, this configuration
|
||
struct defines the absolutely bare minimum limits, and an (optional) increase of
|
||
these limits, which will be applied on nodes that have sufficient memory.
|
||
|
||
A `ScalingLimitConfig` can be converted into a `ConcreteLimitConfig` (which can then be
|
||
used to initialize a fixed limiter with `NewFixedLimiter`) by calling the `Scale` method.
|
||
The `Scale` method takes two parameters: the amount of memory and the number of file
|
||
descriptors that an application is willing to dedicate to libp2p.
|
||
|
||
These amounts will differ between use cases. A blockchain node running on a dedicated
|
||
server might have a lot of memory, and dedicate 1/4 of that memory to libp2p. On the
|
||
other end of the spectrum, a desktop companion application running as a background
|
||
task on a consumer laptop will probably dedicate significantly less than 1/4 of its system
|
||
memory to libp2p.
|
||
|
||
For convenience, the `ScalingLimitConfig` also provides an `AutoScale` method,
|
||
which determines the amount of memory and file descriptors available on the
|
||
system, and dedicates up to 1/8 of the memory and 1/2 of the file descriptors to
|
||
libp2p.
|
||
|
||
For example, one might set:
|
||
```go
|
||
var scalingLimits = ScalingLimitConfig{
|
||
SystemBaseLimit: BaseLimit{
|
||
ConnsInbound: 64,
|
||
ConnsOutbound: 128,
|
||
Conns: 128,
|
||
StreamsInbound: 512,
|
||
StreamsOutbound: 1024,
|
||
Streams: 1024,
|
||
Memory: 128 << 20,
|
||
FD: 256,
|
||
},
|
||
SystemLimitIncrease: BaseLimitIncrease{
|
||
ConnsInbound: 32,
|
||
ConnsOutbound: 64,
|
||
Conns: 64,
|
||
StreamsInbound: 256,
|
||
StreamsOutbound: 512,
|
||
Streams: 512,
|
||
Memory: 256 << 20,
|
||
FDFraction: 1,
|
||
},
|
||
}
|
||
```
|
||
|
||
The base limit (`SystemBaseLimit`) here is the minimum configuration that any
|
||
node will have, no matter how little memory it possesses. For every GB of memory
|
||
passed into the `Scale` method, an increase of (`SystemLimitIncrease`) is added.
|
||
|
||
For Example, calling `Scale` with 4 GB of memory will result in a limit of 384 for
|
||
`Conns` (128 + 4*64).
|
||
|
||
The `FDFraction` defines how many of the file descriptors are allocated to this
|
||
scope. In the example above, when called with a file descriptor value of 1000,
|
||
this would result in a limit of 1000 (1000 * 1) file descriptors for the system
|
||
scope. See `TestReadmeExample` in `limit_test.go`.
|
||
|
||
Note that we only showed the configuration for the system scope here, equivalent
|
||
configuration options apply to all other scopes as well.
|
||
|
||
### Default limits
|
||
|
||
By default the resource manager ships with some reasonable scaling limits and
|
||
makes a reasonable guess at how much system memory you want to dedicate to the
|
||
go-libp2p process. For the default definitions see [`DefaultLimits` and
|
||
`ScalingLimitConfig.AutoScale()`](./limit_defaults.go).
|
||
|
||
### Tweaking Defaults
|
||
|
||
If the defaults seem mostly okay, but you want to adjust one facet you can
|
||
simply copy the default struct object and update the field you want to change. You can
|
||
apply changes to a `BaseLimit`, `BaseLimitIncrease`, and `ConcreteLimitConfig` with
|
||
`.Apply`.
|
||
|
||
Example
|
||
```
|
||
// An example on how to tweak the default limits
|
||
tweakedDefaults := DefaultLimits
|
||
tweakedDefaults.ProtocolBaseLimit.Streams = 1024
|
||
tweakedDefaults.ProtocolBaseLimit.StreamsInbound = 512
|
||
tweakedDefaults.ProtocolBaseLimit.StreamsOutbound = 512
|
||
```
|
||
|
||
### How to tune your limits
|
||
|
||
Once you've set your limits and monitoring (see [Monitoring](#monitoring) below)
|
||
you can now tune your limits better. The `rcmgr_blocked_resources` metric will
|
||
tell you what was blocked and for what scope. If you see a steady stream of
|
||
these blocked requests it means your resource limits are too low for your usage.
|
||
If you see a rare sudden spike, this is okay and it means the resource manager
|
||
protected you from some anomaly.
|
||
|
||
### How to disable limits
|
||
|
||
Sometimes disabling all limits is useful when you want to see how much
|
||
resources you use during normal operation. You can then use this information to
|
||
define your initial limits. Disable the limits by using `InfiniteLimits`.
|
||
|
||
### Debug "resource limit exceeded" errors
|
||
|
||
These errors occur whenever a limit is hit. For example, you'll get this error if
|
||
you are at your limit for the number of streams you can have, and you try to
|
||
open one more.
|
||
|
||
Example Log:
|
||
```
|
||
2022-08-12T15:49:35.459-0700 DEBUG rcmgr go-libp2p-resource-manager@v0.5.3/scope.go:541 blocked connection from constraining edge {"scope": "conn-19667", "edge": "system", "direction": "Inbound", "usefd": false, "current": 100, "attempted": 1, "limit": 100, "stat": {"NumStreamsInbound":28,"NumStreamsOutbound":66,"NumConnsInbound":37,"NumConnsOutbound":63,"NumFD":33,"Memory":8687616}, "error": "system: cannot reserve connection: resource limit exceeded"}
|
||
```
|
||
|
||
The log line above is an example log line that gets emitted if you enable debug
|
||
logging in the resource manager. You can do this by setting the environment
|
||
variable `GOLOG_LOG_LEVEL="rcmgr=debug"`. By default only the error is
|
||
returned to the caller, and nothing is logged by the resource manager itself.
|
||
|
||
The log line message (and returned error) will tell you which resource limit was
|
||
hit (connection in the log above) and what blocked it (in this case it was the
|
||
system scope that blocked it). The log will also include some more information
|
||
about the current usage of the resources. In the example log above, there is a
|
||
limit of 100 connections, and you can see that we have 37 inbound connections
|
||
and 63 outbound connections. We've reached the limit and the resource manager
|
||
will block any further connections.
|
||
|
||
The next step in debugging is seeing if this is a recurring problem or just a
|
||
transient error. If it's a transient error it's okay to ignore it since the
|
||
resource manager was doing its job in keeping resource usage under the limit. If
|
||
it's recurring then you should understand what's causing you to hit these limits
|
||
and either refactor your application or raise the limits.
|
||
|
||
To check if it's a recurring problem you can count the number of times you've
|
||
seen the `"resource limit exceeded"` error over time. You can also check the
|
||
`rcmgr_blocked_resources` metric to see how many times the resource manager has
|
||
blocked a resource over time.
|
||
|
||
![Example graph of blocked resources over time](https://bafkreibul6qipnax5s42abv3jc6bolhd7pju3zbl4rcvdaklmk52f6cznu.ipfs.w3s.link/)
|
||
|
||
If the resource is blocked by a protocol-level scope, take a look at the various
|
||
resource usages in the metrics. For example, if you run into a new stream being blocked,
|
||
you can check the
|
||
`rcmgr_streams` metric and the "Streams by protocol" graph in the Grafana
|
||
dashboard (assuming you've set that up or something similar – see
|
||
[Monitoring](#monitoring)) to understand the usage pattern of that specific
|
||
protocol. This can help answer questions such as: "Am I constantly around my
|
||
limit?", "Does it make sense to raise my limit?", "Are there any patterns around
|
||
hitting this limit?", and "should I refactor my protocol implementation?"
|
||
|
||
## Monitoring
|
||
|
||
Once you have limits set, you'll want to monitor to see if you're running into
|
||
your limits often. This could be a sign that you need to raise your limits
|
||
(your process is more intensive than you originally thought) or that you need
|
||
to fix something in your application (surely you don't need over 1000 streams?).
|
||
|
||
There are Prometheus metrics that can be hooked up to the resource manager. See
|
||
`obs/stats_test.go` for an example on how to enable this, and `DefaultViews` in
|
||
`stats.go` for recommended views. These metrics can be hooked up to Prometheus
|
||
or any other platform that can scrape a prometheus endpoint.
|
||
|
||
There is also an included Grafana dashboard to help kickstart your
|
||
observability into the resource manager. Find more information about it at
|
||
[here](./../../../dashboards/resource-manager/README.md).
|
||
|
||
## Allowlisting multiaddrs to mitigate eclipse attacks
|
||
|
||
If you have a set of trusted peers and IP addresses, you can use the resource
|
||
manager's [Allowlist](./docs/allowlist.md) to protect yourself from eclipse
|
||
attacks. The set of peers in the allowlist will have their own limits in case
|
||
the normal limits are reached. This means you will always be able to connect to
|
||
these trusted peers even if you've already reached your system limits.
|
||
|
||
Look at `WithAllowlistedMultiaddrs` and its example in the GoDoc to learn more.
|
||
|
||
## ConnManager vs Resource Manager
|
||
|
||
go-libp2p already includes a [connection
|
||
manager](https://pkg.go.dev/github.com/libp2p/go-libp2p/core/connmgr#ConnManager),
|
||
so what's the difference between the `ConnManager` and the `ResourceManager`?
|
||
|
||
ConnManager:
|
||
1. Configured with a low and high watermark number of connections.
|
||
2. Attempts to maintain the number of connections between the low and high
|
||
markers.
|
||
3. Connections can be given metadata and weight (e.g. a hole punched
|
||
connection is more valuable than a connection to a publicly addressable
|
||
endpoint since it took more effort to make the hole punched connection).
|
||
4. The ConnManager will trim connections once the high watermark is reached. and
|
||
trim down to the low watermark.
|
||
5. Won't block adding another connection above the high watermark, but will
|
||
trigger the trim mentioned above.
|
||
6. Can trim and prioritize connections with custom logic.
|
||
7. No concept of scopes (like the resource manager).
|
||
|
||
Resource Manager:
|
||
1. Configured with limits on the number of outgoing and incoming connections at
|
||
different [resource scopes](#resource-scopes).
|
||
2. Will block adding any more connections if any of the scope-specific limits would be exceeded.
|
||
|
||
The natural question when comparing these two managers is "how do the watermarks
|
||
and limits interact with each other?". The short answer is that they don't know
|
||
about each other. This can lead to some surprising subtleties, such as the
|
||
trimming never happening because the resource manager's limit is lower than the
|
||
high watermark. This is confusing, and we'd like to fix it. The issue is
|
||
captured in [go-libp2p#1640](https://github.com/libp2p/go-libp2p/issues/1640).
|
||
|
||
When configuring the resource manager and connection manager, you should set the
|
||
limits in the resource manager as your hard limits that you would never want to
|
||
go over, and set the low/high watermarks as the range at which your application
|
||
works best.
|
||
|
||
## Examples
|
||
|
||
Here we consider some concrete examples that can ellucidate the abstract
|
||
design as described so far.
|
||
|
||
### Stream Lifetime
|
||
|
||
Let's consider a stream and the limits that apply to it.
|
||
When the stream scope is first opened, it is created by calling
|
||
`ResourceManager.OpenStream`.
|
||
|
||
Initially the stream is constrained by:
|
||
- the system scope, where global hard limits apply.
|
||
- the transient scope, where unnegotiated streams live.
|
||
- the peer scope, where the limits for the peer at the other end of the stream
|
||
apply.
|
||
|
||
Once the protocol has been negotiated, the protocol is set by calling
|
||
`StreamManagementScope.SetProtocol`. The constraint from the
|
||
transient scope is removed and the stream is now constrained by the
|
||
protocol instead.
|
||
|
||
More specifically, the following constraints apply:
|
||
- the system scope, where global hard limits apply.
|
||
- the peer scope, where the limits for the peer at the other end of the stream
|
||
apply.
|
||
- the protocol scope, where the limits of the specific protocol used apply.
|
||
|
||
The existence of the protocol limit allows us to implicitly constrain
|
||
streams for services that have not been ported to the resource manager
|
||
yet. Once the programmer attaches a stream to a service by calling
|
||
`StreamScope.SetService`, the stream resources are aggregated and constrained
|
||
by the service scope in addition to its protocol scope.
|
||
|
||
More specifically the following constraints apply:
|
||
- the system scope, where global hard limits apply.
|
||
- the peer scope, where the limits for the peer at the other end of the stream
|
||
apply.
|
||
- the service scope, where the limits of the specific service owning the stream apply.
|
||
- the protcol scope, where the limits of the specific protocol for the stream apply.
|
||
|
||
|
||
The resource transfer that happens in the `SetProtocol` and `SetService`
|
||
gives the opportunity to the resource manager to gate the streams. If
|
||
the transfer results in exceeding the scope limits, then a error
|
||
indicating "resource limit exceeded" is returned. The wrapped error
|
||
includes the name of the scope rejecting the resource acquisition to
|
||
aid understanding of applicable limits. Note that the (wrapped) error
|
||
implements `net.Error` and is marked as temporary, so that the
|
||
programmer can handle by backoff retry.
|
||
|
||
|
||
## Implementation Notes
|
||
|
||
- The package only exports a constructor for the resource manager and
|
||
basic types for defining limits. Internals are not exposed.
|
||
- Internally, there is a resources object that is embedded in every scope and
|
||
implements resource accounting.
|
||
- There is a single implementation of a generic resource scope, that
|
||
provides all necessary interface methods.
|
||
- There are concrete types for all canonical scopes, embedding a
|
||
pointer to a generic resource scope.
|
||
- Peer and Protocol scopes, which may be created in response to
|
||
network events, are periodically garbage collected.
|
||
|
||
## Design Considerations
|
||
|
||
- The Resource Manager must account for basic resource usage at all
|
||
levels of the stack, from the internals to application components
|
||
that use the network facilities of libp2p.
|
||
- Basic resources include memory, streams, connections, and file
|
||
descriptors. These account for both space and time used by
|
||
the stack, as each resource has a direct effect on the system
|
||
availability and performance.
|
||
- The design must support seamless integration for user applications,
|
||
which should reap the benefits of resource management without any
|
||
changes. That is, existing applications should be oblivious of the
|
||
resource manager and transparently obtain limits which protects it
|
||
from resource exhaustion and OOM conditions.
|
||
- At the same time, the design must support opt-in resource usage
|
||
accounting for applications that want to explicitly utilize the
|
||
facilities of the system to inform about and constrain their own
|
||
resource usage.
|
||
- The design must allow the user to set their own limits, which can be
|
||
static (fixed) or dynamic.
|