Catch-up after Federation Outage

[reivilibre]

There are a few points marked XXX REVIEW which I'd like help with.

This fixes #2528 by:

• having a 'catch-up' phase of federation sending
  • no new PDUs are sent in this phase, only the latest PDU per room (in order of least recent) that has changed since our last transmission to a destination
  • the destination can then /get_missing_events to get other events in rooms
  • this phase ends when there are no catch-up PDUs left; then we return to normal behaviour
• enabling this catch-up flag on startup and when a destination goes offline for so long that we stop retrying a normal transaction
• (N.B. when we hear from a destination that we are backing off from, we will also resume transmissions in the catch-up phase — this is what wake_destination is about)

Database notes:

• destination_rooms stores the reference to the latest PDU of each room that has been enqueued to be sent to a destination.
• destinations has sprouted last_successful_stream_ordering which is the stream_ordering of the most recent successfully-sent PDU to the destination

Limitations/Flaws:

• we don't currently start catching-up a destination:
  • on startup until we already intend to send a PDU or EDU there
    • would like to address but separate PR, since the current PR is already a vast incremental improvement
    • (unless we have a backoff from the destination and then hear from it, then it recovers itself)
    • I believe this can occur if you shut down your HS whilst still retrying transmissions to a destination (there won't be a backoff applied for that destination yet, but no events get through and nothing on startup kicks off a retransmission, since the queues are entirely in-memory).
      • to clarify: if you shut down your HS whilst retrying, then the destination comes online (say) and you restart your HS, then even when we hear from the destination, we don't think about triggering a catch-up — nothing happens until we feel like sending an EDU or PDU (in my tests, once someone starts typing, it sends a typing EDU which kicks that off)

[reivilibre]

2 fails, but I still believe it to be in a reviewable state, I'll sort the 2 failures on monday, they can't be too bad (he said, knowing nothing at all).

[reivilibre]

I note that test https://buildkite.com/matrix-dot-org/synapse/builds/11053#98a85fe9-ce0d-4a7b-83dd-09812911bff7 (Python: 3.7 /
Postgres: 11 / Workers FAILURE Test #595: Outbound federation can request missing events) failed the first time, then I re-ran and it passed. Not sure if this is of concern or not…

For now I'll open this to review.

[anoadragon453]

Not sure if this is of concern or not…

It was noted in #synapse-dev that this is a known flakey test.

[anoadragon453]

I'd still like to see a cursory review of this from either @richvdh or @erikjohnston as they were involved in the initial design phase, but on the whole looks like an excellent stab at it.

Comments are particularly good 👍

[anoadragon453]

What are those arguments?

[reivilibre]

D'ow, that'll teach me for not writing my full thoughts whilst I still remember what I was on about.

So, vaguely I may have had two wavelengths of thought here:

1. We're dropping 50 PDUs, isn't that bad?! Won't that mean we will forget to catch-up some rooms potentially?

If I recall, I appear to have been under the delusion that those PDUs would be lost altogether.

However, now I realise that this will enable catch-up, and those PDUs will be eligible for catch-up if they are the most recent PDUs in their respective rooms (a destination_rooms entry will exist and we won't update our last_successful_stream_ordering on a failure…) — so the remote will still get a chance to hear about them when they next come up. (If they aren't, then the more recent PDUs will be in the main queue so the remote will hear eventually!)

So: all OK here.

2. Is there any point in dropping 50 but not just dropping the whole queue?

• Erik mentioned that sometimes, moving on to a different transaction can help a remote recover (i.e. just one particular one causes it to blow up), so 'skipping' is not necessarily bad.
• I wonder if waiting for retries to exceed an hour before sweeping out the queue could be bad for memory usage (of course, no worse than present-day, but …. is this a chance to make it better?)
• On the other hand, I don't suppose that /get_missing_events is the most efficient/high-throughput way to get events so forcing catch-up onto destinations too aggressively may be harmful.

Broadly I am tempted to think this is currently fine, but may need tweaking/limiting/aggressifying in the future in case that really does grow too large. I think Erik or Rich will have a more trustworthy sense here, though.

[richvdh]

I think it's fine for now, though once we have more confidence in the "catching up" behaviour, I think we may as well drop the whole queue immediately.

[richvdh]

I'd kinda like to see the logic shuffled so that this can be a foreign key; however at the very least it needs a comment saying why it can't be one.

[reivilibre]

Sure, would it suffice to INSERT IGNORE a NULL row into the destinations table when upserting a destination_rooms row?

[richvdh]

probably. It would be nice to avoid doing so on every PDU (for example by doing it when we first create a PerDestinationQueue for the destination), but that might be fiddly, and is something we can do later.

[richvdh]

question: why do we need a high-water-mark at all? why not just keep going until get_catch_up_room_event_ids returns an empty list?

[richvdh]

(doing so without care will introduce races though...)

[reivilibre]

I suppose we could do that if you are keen — as you say though, needs more thought.

The advantage of this approach is that it's easy to keep the logic in my head. Was keen not to give a chance for any nasty bugs to crawl in, because it'd be nice to have confidence in this.

[richvdh]

as noted elsewhere: I think the order is redundant: it might be easier to get rid of it (in a separate PR).

[reivilibre]

I'll put it on my list, then :)

[richvdh]

when does this happen, and why is breaking the loop the correct behaviour?

[reivilibre]

I suppose this should be log an ERROR, since this shouldn't happen.

[reivilibre]

break isn't the correct behaviour really, since it disables catch-up when we supposedly should have some to do.

But only break will let us make progress and go to the main loop again.

So I will log an error either way, but is it best to break or return?

[reivilibre]

Is this being unnecessarily paranoid?

There will be a foreign key constraint to link our rows to events, so this should darn well be impossible.

Better to assert events or if not events: raise AssertionError(...)?

[reivilibre]

@richvdh Thanks for the juicy review — some questions above on how to proceed

[reivilibre]

Gah, broken.

[richvdh]

please can you take these fixes to a separate PR?

[richvdh]

probably. It would be nice to avoid doing so on every PDU (for example by doing it when we first create a PerDestinationQueue for the destination), but that might be fiddly, and is something we can do later.

[richvdh]

ON DELETE CASCADE sounds scary. Why do we do that?

[richvdh]

this is being superceded by smaller PRs.