Automatically maintain leases #44
Here's a design.
This design requires:
The considerations that have informed this design:
So, regarding the above, how feasible is it to satisfy the requirements that:
(ii) seems feasible, and it is tempting even to say straightforward, but it probably touches a bunch of parts of Tahoe-LAFS I'm only minimally familiar with, so I should investigate further before saying something like that.
Regarding leases on the storage-servers, my understanding (and I just re-read the code, which seems to confirm this) is that leases are stored in the share-files themselves (for both immutables and mutables). Also maybe I'm completely misunderstanding what (i) means above (what I think it means is: ask the rootcap -- a mutable directory -- when its lease expires).
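For concreteness, reading that lease information out of a share file might look something like this. This is only a rough sketch against Tahoe-LAFS's internal storage classes; the class and attribute names here are from memory and may differ between Tahoe versions:

```python
# Rough sketch only: relies on Tahoe-LAFS internals whose names and
# fields may differ between versions.
from allmydata.storage.immutable import ShareFile
from allmydata.storage.mutable import MutableShareFile

def describe_leases(share_path):
    """Print the expiration time of every lease embedded in a share file."""
    # Mutable share files begin with a magic string; anything else is
    # treated as an immutable share.
    with open(share_path, "rb") as f:
        header = f.read(len(MutableShareFile.MAGIC))
    if header == MutableShareFile.MAGIC:
        share = MutableShareFile(share_path)
    else:
        share = ShareFile(share_path)
    for lease in share.get_leases():
        # expiration_time is the historical LeaseInfo field name.
        print(share_path, lease.expiration_time)
```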
For (i) I was imagining having lease information for all of the children of a directory included in the directory itself. This would allow a stat-like call on the directory alone to determine lease state for all of the children of the directory (as well as the directory itself, presumably). This inclusion of information related to the children of the directory is what seems impossible. With that clarification, do you agree? Sorry about the unclear initial writeup.
Ah, yeah. That makes sense (and yes I agree). I don't think we need to fret about anonymity / linkability leaks -- because Tahoe doesn't make too many claims about that and I think there are plenty of other places this sort of information is already leaked. And as you already point out, just "traversing the directories" will (probably) reveal it -- unless the client is doing something else, like using Tor. But even then, if a bunch of requests all arrive at once it's pretty likely they're from the same client (except on really busy servers).
Alright. So at first blush, to implement this, we need an API like this one:
Or we need two, if it turns out we can't tell the difference between slots and storage indexes in the server code; we need to be able to in order to read the lease information. We already have some code that differentiates between the two for the purpose of calculating sizes, so we can probably do the same for leases. This brings me to the observation that we also need to know the size of the share at the same time, because the number of ZKAPs to spend depends on the size of the data. There is already an API for retrieving size information about shares (a hypothetical shape for the combined call is sketched below):
This would largely supersede
where
and
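To give that combined call a concrete shape, here is a hypothetical sketch. The method name, argument types, and return layout are all invented for illustration, not an existing interface:

```python
# Hypothetical sketch of a combined "stat"-style API; not an existing
# Tahoe-LAFS interface.  A single round-trip yields, per storage index,
# both the share sizes (which determine the price in ZKAPs) and the
# current lease expirations.
from typing import Dict, List, Tuple

class IStatShares:
    def stat_shares(
        self, storage_indexes: List[bytes]
    ) -> Dict[bytes, List[Tuple[int, float]]]:
        """
        For each given storage index (whether an immutable bucket or a
        mutable slot), return one (share size in bytes, lease expiration
        as a POSIX timestamp) tuple per share this server holds.
        """
        raise NotImplementedError()
```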
However, though this is efficient on the network, it also puts ZKAPs at some risk in the case of failure partway through. This approach would extract enough passes to renew everything that needs renewal and then launch them all over the network. A failure at this point leaves the client unsure what has been renewed and what hasn't. Without careful retry logic, the client may try to double-spend passes, which creates linkability. Or the client may fail to spend some passes altogether and lose a large amount of value. It would be safer to keep the renewals as separate operations. Something like:
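A minimal sketch of that per-share shape follows. Every name in it (the pass store, the pricing function, the server methods) is a placeholder rather than an existing interface:

```python
# Minimal sketch of one-renewal-at-a-time spending.  All names here
# (pass_store methods, price_in_passes, server methods) are placeholders.
BYTES_PER_PASS = 1024 * 1024  # assumed pricing: one ZKAP per MiB, say

def price_in_passes(size):
    # Round the share size up to a whole number of passes.
    return -(-size // BYTES_PER_PASS)

def renew_all(server, storage_indexes, pass_store):
    for storage_index in storage_indexes:
        size = server.get_share_size(storage_index)
        # Extract only the passes needed for this one renewal so that a
        # failure leaves at most one share's worth of passes in doubt.
        passes = pass_store.extract(price_in_passes(size))
        try:
            server.renew_lease(storage_index, passes)
        except Exception:
            # These few passes are now of uncertain status; record that
            # so retry logic can resolve them without double-spending.
            pass_store.mark_in_doubt(passes)
            raise
        pass_store.mark_spent(passes)
```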
This implies many network round-trips, but it exposes less value/privacy to loss in the case of a failure. The existing renew_lease API can easily be extended to allow, optionally, the size to be passed in as an argument instead of being retrieved from the server individually. This would at least avoid two round-trips per share. As far as scaling goes, if we assume a renewal takes about a tenth of a second, this limits a client to something over 26 million files, which is probably an alright ceiling for the time being. This does suppose the client runs 24/7 renewing leases, though. Still, maintaining 10,000 files would only require the client to run 1000 seconds (about 17 minutes) per month. So perhaps that's fine.
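For reference, the arithmetic behind those figures:

```python
# Back-of-the-envelope check of the scaling estimate above.
SECONDS_PER_MONTH = 31 * 24 * 60 * 60   # 2,678,400 for a 31-day month
SECONDS_PER_RENEWAL = 0.1               # assumed cost of one renewal

# Renewing continuously, the most files one client can maintain:
print(SECONDS_PER_MONTH / SECONDS_PER_RENEWAL)   # ~26.8 million

# Client runtime needed to maintain 10,000 files each month:
print(10000 * SECONDS_PER_RENEWAL)               # 1000 seconds, ~17 minutes
```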
Somewhere, an account must be kept of how many storage indexes there are and what their sizes are, along with the number of ZKAPs spent on the renewals. This will support reporting to a user so they know what they're spending.
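A record along these lines per renewal would probably be enough to back that reporting (a sketch; the field names are invented):

```python
# Sketch of a per-renewal accounting record for user-facing spending
# reports.  Field names are invented for illustration.
from dataclasses import dataclass

@dataclass
class RenewalRecord:
    timestamp: float      # when the renewal happened (POSIX time)
    storage_index: bytes  # which object had its lease renewed
    share_size: int       # total share size in bytes (sets the price)
    passes_spent: int     # number of ZKAPs consumed by the renewal
```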
The branch is already rather large, so this should probably be kicked off to a follow-up ticket.
#74 for the accounting etc.
The premise of the plugin is that leases are maintained with a scarce resource (ZKAPs) and shares without leases can be garbage collected to reclaim another scarce resource (storage).
For this to work, something must actually maintain leases on shares which are meant to remain alive. There is an existing UI for this in the Tahoe-LAFS CLI, e.g. `tahoe deep-check --add-lease`. The user could keep their data alive by using this to manually renew leases. It should be possible to provide a better experience by renewing leases automatically, though. This removes the need for the user to remember to perform the task, and it creates the possibility that the task can be performed in a way that leaks less information to observers (the user may fall into patterns that can be identified; automation may be able to avoid doing so).