Migrating bsky.social to Multiple PDS Instances (Nov 2023)

[bnewbold]

As part of our operational work in preparation for federation, we are starting to migrate PDS accounts away from the existing monolithic bsky.social instance to several *.*.host.bsky.network PDS instances. We have implemented a new "account entryway" service as a "virtual PDS" which will continue to operate at bsky.social.

These changes are expected to roll out on the main network the week of 2023-11-06 (aka, this week, starting today). Every Bluesky-hosted account will be migrated to a new PDS, which will involved updating DID PLC documents with new PDS service locations and new signing keys. The roll-out may take longer than a week.

What will not change

• Client apps, bots, and other integrations can continue to connect to bsky.social as an API endpoint, and requests will be proxied to the appropriate endpoint. They do not need to connect directly to the account's PDS for now, especially for authentication (login and session refresh)
• Bluesky AppView API (api.bsky.app) is unaffected
• Bluesky BGS firehose is unaffected

What will change:

• DID PLC documents will be updated, with account signing keys and PDS endpoints updated
• Account repos will, of course, be canonically hosted at the new hostname indicated in the DID document. repo events will be emitted from the canonical PDS host for the account, not from bsky.social; subscribe to the BGS firehose (bsky.network) to get all events from all accounts.
• Clients (apps, bots, etc) may connect directly to the PDS hostname instead of bsky.social
• Each account will now have a unique signing key
• some bsky.social endpoints may return 3xx redirects to the specific PDS endpoint, instead of proxying. Specifically, com.atproto.sync.getBlob (for downloading images and other media). Most clients and applications use the AppView-provided CDN URLs, not blobs directly.
• full DID documents are now returned by the bsky.social login endpoint, which allows clients to connect directly to the back-end PDS if they want (for potentially better network latency)

Will my stuff be impacted?

Regular accounts using Bluesky App: should be seamless. We expect that folks will not even need to re-log in unless something goes wrong.

Client Applications: same as the Bluesky App.

Bots: should be mostly unaffected; same as the Bluesky App.

Feed Generators: if verifying firehose repo signatures, will need to detect identity signing key changes (eg, via "cache busting"). Likewise, if verifying JWT auth token signatures, will need to detect identity changes. If subscribing to legacy PDS firehose, will need to switch to BGS firehose.

Accounts (repos) with did:web DIDs: we will probably need to coordinate with you to update DID documents, stay tuned. Updating to newer DID document formatting at the same time would be great: #1510

Sandbox PDS operators: we haven't pushed this round of code changes to the sandbox version of our PDS implementation. These changes will be disruptive when they do land, and will probably require a full wipe for most instances. The PDS reference implementation will only support sqlite (not postgresql), will use a distinct signing key for each account, etc.

Independent PDS implementations: none of these changes will be required by protocol. PDS operators will be free to keep the "account entryway" and "repo hosting" functionality combined in a single service, and can continue to use a single signing key for multiple accounts if they like. This is just a deployment pattern we have chosen to scale out our service for millions of accounts.

A follow-up comments to this post will tag some specific libraries and services which we have tested against.

What is "identity cache busting"?

Federated services in atproto need to keep track of account identity metadata, including handle and DID document resolution. Clients can make requests to PDS instances for this information, but even they are likely to cache the results. Independent services will usually do direct resolution with persisted caching, similar to how DNS caching works.

Our current recommendation is that services cache identity metadata for between 8 and 24 hours. They may also simply rely on native DNS TTL and HTTP caching header information to determine an appropriate cache lifetime. Large services may want to "subscribe" to the DID PLC event log instead of re-fetching information for individual accounts.

In addition to this time-limited caching policy, we recommend automatically "busting" the cache when there is an indication that the identity may be stale. For example, if a repo signature or JWT signature fails to validate. A best practice is to have a separate shorter caching window for "bust" operations, so that failures do not result in a busy-loop of many rapid requests when an identity is in a broken state.

Tell me more about this "virtual PDS" thing

More details coming soon, but this is mostly a mechanism to take advantage of the federated nature of the protocol to help us grow the Bluesky-hosted network beyond a single big database server. The "virtual PDS" handles some of the organization-wide "glue" tasks, like maintaining the *.bsky.social handle namespace, private account email addresses (which should be unique across all of our hosted accounts), and routing new account signups to a particular PDS instance.

We'll soon communicate more details of this architecture, and how clients can connect directly to backing PDS instances (for better network performance).

[bnewbold]

Pinging some specific folks about this change. As with previous pings, not trying to promote/exclude anybody; and sorry if this is spammy.

Feed generators: there are two parts of this: fetching feeds from a migrated account, and posts from a migrated account getting indexed. I have not seen any issues with fetching third-party feeds, but don't have enough data to verify that indexing is working for many (though no evidence that it is not). Tested "For You" (skygaze.io), "Blacksky" (@rudyfraser), "Catch Up" (skyfeed.xyz, @redsolver), "Home+", "Discover", "Likes" (@jcsalterego)

Clients: there is a lot of surface area to cover here, but tested briefly with GreySky (@mozzius) and seems functional.

Libraries: it looks like the great python library that @MarshalX maintains had an issue with additional fields included in JWTs. This is partially on us for making that particular change without thinking that it could impact downstream folks. Looks like there was a fast fix and upgrading fixes the problem.

[redsolver]

Quick question, when will the bsky.social PDS firehose stop including all events? One of my servers is still using that endpoint, so I would like to know if I need to do the switch today or tomorrow is enough, thanks!

[redsolver]

Just checked @bnewbold.net, new posts are not indexed, so I'll switch that indexer to bsky.network in about 10 hours and start from cursor 0

[ericvolp12]

bsky.network has a 3-day event retention so you'll get a lot of playback just FYI

[strideynet]

Yup - I suppose this is the kick I need to finally move FurryList over to BGS 😓

[tcurdt]

So to confirm: bsky.network will bring all traffic in one place?

Is a firehose even possible in a fully distributed future?

[snarfed]

It is! https://atproto.com/guides/overview#achieving-scale , https://blueskyweb.xyz/blog/5-5-2023-federation-architecture

[gildaswise]

deck.blue's dev here

One thing that I need to test is the trick I'm using to show uploaded GIFs, we're just using the direct getBlob call and if that's broken between PDS instances, the trick won't work if any of the test accounts upload a .gif file

I'll keep an eye for any other issues and let you guys know! Also pinging @myConsciousness so he knows about this

[myConsciousness]

Perhaps related to @rudyfraser's thread

[rudyfraser]

Can you elaborate on the getBlob redirect? I use that for image classification right now. Do I need to do anything differently besides using the bsky.social endpoint?

[imax9000]

It's the same token issued by the user's home server, right? The client treats it as opaque and doesn't modify in any way. So a rogue PDS can use it to impersonate the user to the PDS that hosts their account. Or am I missing something?

[DavidBuchanan314]

Ohhh I think I see what you mean. I don't think a trusted PDS should ever redirect to a non-trusted PDS. But, if there is a 302 redirect, I don't think you should ever send auth tokens to the redirect target in any case (the net/http behavior is what I'd intuitively expect). Those are both "I think" not "I know for sure", so yeah, I think it would be good to get some official guidance here

[jcsalterego]

It's always OK to send your auth tokens to Jerry's PDS Emporium

[imax9000]

Yup, I also left a comment to that end here golang/oauth2#500 (comment)

For "normal" web services it's a bit less of an issue, since use cases for redirecting to a third-party host are carved out well enough. But in a federated environment it can bite your ass pretty hard.

I didn't find any specific requirements for removing headers on redirect in RFC7231, so client behaviour might vary :⁠-⁠\

[myConsciousness]

@redsolver @videah @gildaswise

My understanding is that Dart's http package handles redirects automatically. So since my packages also use the http package, we will not have to be aware of this redirect.

If you have any problems with my part of the package, please let me know.

[strideynet]

Hey - just wanted to clarify something as we've noticed an unexpected change in behaviour.

As part of our logic, when we onboard a new actor to the FurryList feeds, we fetch the latest commit cid for the user using com.atproto.sync.getHead and then we use com.atproto.sync.getRecord to fetch the app.bsky.actor.profile for that commit CID. This is because we use the commit cid as part of the primary key when storing profiles in our profile history table - we can't use the profile CID itself because if a user changes their profile, and then changes it back, this yields the same CID.

Since actors have started to be migrated to the new PDS, calling com.atproto.sync.getHead on bsky.social for those actors is giving:

{"error":"RepoNotFound","message":"Could not find root for DID: did:plc:2apayem2zzo4b72ppfjwz7bp"}

My understanding from reading this document was that we should expect most calls to bsky.social to continue working correctly. If this starting to fail is expected behaviour, should we instead be calling these RPCs on the BGS? The AppView? Or should we be determining the address of the PDS for that individual user and making the request directly there instead?

nb: I'm aware that we need to move off getHead and onto getLatestCommit but the behaviour seems the same for that as well.

Many thanks and apologies if I'm missing something here!

[strideynet]

That was my first guess, but unfortunately, if you change your profile back to something it was previously, the CID is then the same. It feels "incorrect" to me to not be able to distinguish between those two points in time. I may just have to bite the bullet on it and do that.

[ericvolp12]

If you want a point-in-time thing you can use the rev of the repo as well but yeah the record itself doesn't have any kind of history and you'll end up with a race condition unless you get the whole repo.

[strideynet]

Hm - I think I actually figured out how to get the Commit CID from the results of com.atproto.sync.getRecord:

package main

import (
	"bytes"
	"context"
	"fmt"
	"github.com/bluesky-social/indigo/api/atproto"
	"github.com/bluesky-social/indigo/repo"
	"github.com/bluesky-social/indigo/xrpc"
	"github.com/ipfs/go-datastore"
	blockstore "github.com/ipfs/go-ipfs-blockstore"
)

func main() {
	ctx := context.Background()
	x := &xrpc.Client{
		Host: "https://bsky.social",
	}
	myDID := "did:plc:dllwm3fafh66ktjofzxhylwk"

	latestCommitOut, err := atproto.SyncGetLatestCommit(ctx, x, myDID)
	if err != nil {
		panic(err)
	}

	buf := new(bytes.Buffer)
	params := map[string]interface{}{
		"collection": "app.bsky.actor.profile",
		"did":        myDID,
		"rkey":       "self",
	}
	if err := x.Do(ctx, xrpc.Query, "", "com.atproto.sync.getRecord", params, nil, buf); err != nil {
		panic(err)
	}
	data := buf.Bytes()

	bs := blockstore.NewBlockstore(datastore.NewMapDatastore())
	root, err := repo.IngestRepo(ctx, bs, bytes.NewReader(data))
	if err != nil {
		panic(err)
	}

	fmt.Println("Latest commit          : " + latestCommitOut.Cid)
	fmt.Println("Root from SyncGetRecord: " + root.String())
        // These two are the same
}

Latest commit          : bafyreifd3wxcj55mb4jt7mlgxcenrjeruksnegnvrvpryfo24w4jzdc5pe
Root from SyncGetRecord: bafyreifd3wxcj55mb4jt7mlgxcenrjeruksnegnvrvpryfo24w4jzdc5pe

This works fine until I point it at bsky.network instead - at which point I get an unexpected EOF when ingesting the Repo. So it's definitely feeling like bsky.network is returning something different to bsky.social for the same RPC

[strideynet]

Calling the com.atproto.sync.getRecord RPC against PDS and BGS gives two different amounts of data:

• PDS 4316 bytes
• BGS 502 bytes

The data returned by the BGS is not enough for repo.IngestRepo to properly build out the repo.

[strideynet]

Looking at the implementation of (s *BGS) handleComAtprotoSyncGetRecord( it feels like the BGS implementation of com.atproto.sync.getRecord is incorrect. It's returning just the record CBOR marshalled, rather than returning a vnd.ipld.car as the spec states.

[gtuckerkellogg]

We have an academic project that we think could be pretty exciting and I'l love to talk with someone at BlueSky about what federation would mean for it. The project would require running, and generating feeds for, thousands of accounts as a botnet. But it would be benevolent botnet. We were originally thinking of the bird app, but then Elon blew that up and took away "Twitter for Good", which would have been a natural partner. We've been considering our own mastadon server, which we know could work in principle, but Bluesky federation might give us another option. Is there any way to set up a discussion on this? I don't want to sidetrack the discussion board for a niche conversation.

[bnewbold]

Sure, i'll send you an email.

[gtuckerkellogg]

Thanks. Just added my email address to my profile.