docs(connlib): add more inline docs to connlib's state

[thomaseizinger]

This is a follow-up to #5035. I didn't end up renaming Tunnel, GatewayState or ClientState but I've added some comments with my understanding of what the state is we are tracking and tried to group the fields together in a logical way.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
firezone	⬜️ Ignored (Inspect)	Visit Preview		May 24, 2024 0:15am

[github-actions]

Terraform Cloud Plan Output

Plan: 16 to add, 15 to change, 2 to destroy.

Terraform Cloud Plan

[github-actions]

Performance Test Results

TCP

Test Name	Received/s	Sent/s	Retransmits
direct-tcp-client2server	240.4 MiB (+1%)	242.2 MiB (+1%)	127 (-51%)
direct-tcp-server2client	240.6 MiB (-1%)	242.4 MiB (-1%)	230 (-14%)
relayed-tcp-client2server	217.7 MiB (-3%)	218.7 MiB (-3%)	218 (-10%)
relayed-tcp-server2client	236.3 MiB (-2%)	237.0 MiB (-2%)	369 (-12%)

UDP

Test Name	Total/s	Jitter	Lost
direct-udp-client2server	500.0 MiB (+0%)	0.03ms (-10%)	47.10% (-4%)
direct-udp-server2client	500.0 MiB (-0%)	0.02ms (-29%)	21.17% (-6%)
relayed-udp-client2server	499.8 MiB (-0%)	0.02ms (-23%)	55.55% (-2%)
relayed-udp-server2client	500.0 MiB (+0%)	0.01ms (-84%)	39.65% (-14%)

[ReactorScram]

I did cargo doc --no-deps --open -p firezone-tunnel and this link didn't show up?

[ReactorScram]

I guess because snownet is not in the workspace

[thomaseizinger]

You need to build the docs for the entire rust/ directory. Then the links work.

[ReactorScram]

Is that connecting to the Resource or to the Gateway? It's the Gateway that resolves DNS, and the Resource doesn't do anything except accepting incoming connections after we've resolved it, right?

[thomaseizinger]

I think this is for the special case where the configured upstream DNS server is a resource itself.

@conectado Can probably answer this.

[conectado]

These are for any DNS query that hasn't been answered by the gateway yet, we use this to create a response later on.

we don't really connect to a resource ever, but we have the gateway grant access to a resource, at that point it's resolved.

[thomaseizinger]

Ah I forgot to address this one. Will send another PR once it is merged.

[ReactorScram]

What does this do? Do we redo DNS resolving even while connected to a Resource? Or is this the DNS TTL?

[thomaseizinger]

Good question, let me dig into this.

[thomaseizinger]

It is the former. I clarified this in a comment.

[conectado]

the only reason we don't use the TTL here is because we don't have it, we would need to use something like hickory on the gateway too to obtain it.

with the DNS refactor we are doing now this will go away anyways and refreshing will look really different with a whole new set of problems 😛

[ReactorScram]

🤔 And the Portal connection via WebSocket / phoenix channel is not part of that pure state machine, right? It's also part of the Tunnel?

So for my goal of exercising the platform-specific I/O code of the Clients, even in Windows where a Portal can't be run, I could make a mock Tunnel implementation that uses the pure state machine but has fake I/O, similar to your prop tests, and then has a simulated portal?

Or is the WebSocket managed even higher, in ClientTunnel and GatewayTunnel wrappers?

[thomaseizinger]

I think it should be part of the Tunnel. There is no reason why the Eventloops for gateways and client couldn't be in Tunnel (those manage the portal connection). Doing that is tracked in #3837.

But even once that is done, the connection to the portal is a side-effect and thus would likely be contained in Io or live at least next to it.

ClientState and GatewayState are already pure state machines so you can already run them on Windows without a portal or TUN device.

So for my goal of exercising the platform-specific I/O code of the Clients, even in Windows

Our proptests mock everything. IO, portal, TUN device. Our (linux) integration tests don't mock anything, they use a real portal, real TUN device and real sockets.

I don't think it makes much sense to mock only parts of this. If we want to test sockets and TUN device on Windows, and thus perform real network communication, we already have an abstraction layer that can cross OS boundaries: the network. I'd try to somehow connect to a real portal and real gateway from a Windows-VM. Like, can we run a Linux container in a Windows VM on GitHub actions and connect to that?

[ReactorScram]

Actually, maybe we could. Github docs say the Windows runners have Docker installed.

But I haven't tried it because I don't want to spend all day fighting the CI again. Maybe if it was done in a side project so every run doesn't take 6 CPU-hours 🤔 And then integrated if it succeeds

It's just that, that's one more thing that has to be downloaded, installed, set up, another few gigabytes of junk to update. Testing everything end-to-end is great but I'd also just like to test the Windows to Windows Client integration sometimes.

[thomaseizinger]

It's just that, that's one more thing that has to be downloaded, installed, set up, another few gigabytes of junk to update. Testing everything end-to-end is great but I'd also just like to test the Windows to Windows Client integration sometimes.

Yeah that is definitely worthwhile testing. I've found this: actions/runner-images#2216 (comment)

Seems like we need a self-hosted Windows runner for that.

[ReactorScram]

Crud, yeah that was why I didn't try it before. Github doesn't do nested virtualization and Docker / WSL2 needs that to run Linux on Windows.

[conectado]

Awesome, very nice to have proper docs

Addressed all comments.