Add nonce to repair request/response

[carllin]

Problem

People could send arbitrary shreds for ingestion via the repair port

Summary of Changes

1. Add a nonce to repair/responses that needs to match in order for response to be accepted

• request: https://github.com/solana-labs/solana/pull/9903/files#diff-f03a09b141837083bc32c6373631d89fR356
  definition: https://github.com/solana-labs/solana/pull/9903/files#diff-7062b585d412f82cf93eb8c6255d60ecR99-R102
• verification: https://github.com/solana-labs/solana/pull/9903/files#diff-65dbf75f4753cd8c1a130e96e72cd1b4R122-R126

2. Reduce shred by 4 byte size of nonce: https://github.com/solana-labs/solana/pull/9903/files#diff-dc91d3a3b6051569c3c1d9979c3e4df1R46. New shred size will be: https://github.com/solana-labs/solana/pull/9903/files#diff-dc91d3a3b6051569c3c1d9979c3e4df1R50
   Because we still have to support old shred size as well, changes like: https://github.com/solana-labs/solana/pull/9903/files#diff-dc91d3a3b6051569c3c1d9979c3e4df1R896 are necessary.

Backwards Compatibility:

(Painful, but good exercise in what we want to do for any future changes to shreds :P)

1. Window service has been modified to accept both the old and the new shred sizes, where previously it was assumed that the shred was the entire packet.data.

• Verified here:
  https://github.com/solana-labs/solana/pull/9903/files#diff-65dbf75f4753cd8c1a130e96e72cd1b4R242-R246
• Shred payload taken here: https://github.com/solana-labs/solana/pull/9903/files#diff-65dbf75f4753cd8c1a130e96e72cd1b4R226

2. Due to new shred size, changes like https://github.com/solana-labs/solana/pull/9903/files#diff-dc91d3a3b6051569c3c1d9979c3e4df1R750 and https://github.com/solana-labs/solana/pull/9903/files#diff-dc91d3a3b6051569c3c1d9979c3e4df1R843 are needed to guarantee erasure and de-shredding still work with old shred sizes.

3. Repair request structure has changed to include nonce: https://github.com/solana-labs/solana/pull/9903/files#diff-dc108ad584300fa57f99d1675ccff3b9R93-R95. TODO: support old version as well

Proposed Upgrade Path:

1. Land Backwards Compatibility 1) and 2) above without changing the shred size so that everyone has the code to parse/perform erasure/deshred on smaller shreds. This way when we upgrade, people will understand turbine shreds regardless of whether they have upgraded.

2. This step is dependent on knowing what version people in gossip are on, @mvines is there a way to do that? If not I was thinking maybe we could set the storage_addr in ContactInfo as a flag.

Perform upgrade and modify repair such that:

• only make nonce repair requests to people on new version.
• only serve nonce repair responses to people on new version.

Fixes #

[codecov]

Codecov Report

Merging #9903 into master will decrease coverage by 0.0%.
The diff coverage is 79.4%.

@@           Coverage Diff            @@
##           master   #9903     +/-   ##
========================================
- Coverage    80.4%   80.4%   -0.1%     
========================================
  Files         287     289      +2     
  Lines       66539   67016    +477     
========================================
+ Hits        53555   53922    +367     
- Misses      12984   13094    +110     

[mvines]

Darn, all those nice links you setup in the description don't work @carllin :(

[mvines]

This step is dependent on knowing what version people in gossip are on, @mvines is there a way to do that? If not I was thinking maybe we could set the storage_addr in ContactInfo as a flag.

I've been wanting a way to determine Solana version from gossip actually, now that everybody is locking down RPC.

Stealing bits from the storage_add in ContactInfo sounds great for this! I'd do that as a completely independent PR that I'd actually love to backport all the way to 1.0.

It would be amazing if solana-gossip spy also included software version info for all the nodes

[carllin]

Darn, all those nice links you setup in the description don't work @carllin :(

Ah shucks, updated all of them, hopefully they work now?

[mvines]

This is looking really good overall. I think you should hack this PR to little bits though, so we can incrementally roll this out to the clusters.

For example we know we'll need that shred nonce, so we can carve that bit out ASAP and get mainnet-beta/testnet using it. That looks like the stickiest part of enabling a rolling update.

[mvines]

nit: outstanding_requests feels too generic to me in core: outstanding_repair_requests. If we had that repair crate then calling this module outstanding_requests would be fine 😵

[carllin]

@mvines, so the way it's currently set up, outstanding_requests::OutstandingRequests<T, S> is designed to be more general than just repair, it can track any request type T that implements T: RequestResponse<Response = S>.

For instance gossip could potentially initialize an OutstandingRequests<T, S> for gossip requests/responses as well.

[mvines]

Is that a thing we need though? Building generic interfaces in the hopes that somebody in the future will use them when there's only a single consumer today usually doesn't end too well.

[carllin]

@mvines yeah I would agree in mosts cases, but there was a lot of talk of a similar solution to solve the gossip replay issue here: #9491.

It was a also a nice way to logically bundle the verification of responses into the actual request object like this: https://github.com/solana-labs/solana/pull/9903/files#diff-dc108ad584300fa57f99d1675ccff3b9R66, so that they fit together rather than in disparate functions.

[mvines]

3. Separate thread for repair inserts so that grabbing the lock/verifying nonce doesn't block turbine shreds. Also greedily send shreds for insert: https://github.com/solana-labs/solana/pull/9903/files#diff-65dbf75f4753cd8c1a130e96e72cd1b4R242-R246 instead of blocking waiting for entire batch.

This feels like it's own PR too.

[carllin]

Tested by setting the "crossover" slot (the slot at which the nonces are turned on) to 1200 on a testnet, and also induced 3-min long partitions every 10 mins so that the cluster was partitioned during the "crossover" point, and at many points afterwards testing the repair path.

After a couple of edge cases, the results, no panics after an hour:

Time to split it up and it should be ready to go!

[carllin]

1. Separate thread for repair inserts so that grabbing the lock/verifying nonce doesn't block turbine shreds. Also greedily send shreds for insert: https://github.com/solana-labs/solana/pull/9903/files#diff-65dbf75f4753cd8c1a130e96e72cd1b4R242-R246 instead of blocking waiting for entire batch.

This feels like it's own PR too.

Removed that change as it didn't yield the expected perf benefits

[sakridge]

Is it easier to just read the slot out of the shred data here?

[mvines]

@carllin - thanks for landing the v1.1 version of shred nonce. Rolling out the v1.0 version and master quickly would be very nice too. We're coming up on branch day for v1.2 (next Tuesday!)

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.