Route key requests to federation senders #15121
Conversation
DMRobertson
added
the
Z-Time-Tracked
| async def _fetch_keys( | ||
| self, keys_to_fetch: List[_FetchKeyRequest] | ||
| ) -> Dict[str, Dict[str, FetchKeyResult]]: | ||
| # For simplicity's sake, pick a random federation sender |
There was a problem hiding this comment.
I think we would want to choose the same federation sender that's talking to that instance? 🤷
There was a problem hiding this comment.
That's what I thought, but federation_shard_config is a ShardedWorkerHandlingConfig rather than a class RoutableShardedWorkerHandlingConfig; only the latter defines get_instance publicly.
Personally I find this all incomprehensible.
There was a problem hiding this comment.
My reading of it is that if all workers have the same federation_sender_instances config, then federation_shard_config can be upgraded to a RoutableShardedWorkerHandlingConfig, since all workers will route requests the same way.
| @@ -0,0 +1 @@ | |||
| Route remote key requests via federation senders. | |||
There was a problem hiding this comment.
(As I've left this comment on #15133 and #15134 I should just copy it here...)
I think we also need to update:
docker/configure_workers_and_start.pyso complement uses this- https://github.com/matrix-org/sytest/blob/d1c931af1179848526d323f3955a9f21f81d600f/lib/SyTest/Homeserver/Synapse.pm#L1257 so sytest uses this.
docs/workers.md
There was a problem hiding this comment.
The upgrade notes will need amending too; I think federation senders will need to be declared in the instance_map.
This will help to break an import cycle
So I can call it from federation senders
DMRobertson
force-pushed
the
dmr/key-requests-from-fed-senders
branch
from
37c633b
to
615c55f
Compare
DMRobertson
force-pushed
the
dmr/key-requests-from-fed-senders
branch
from
615c55f
to
8f5f5f8
Compare
DMRobertson
force-pushed
the
dmr/key-requests-from-fed-senders
branch
from
8f5f5f8
to
4e3d2e8
Compare
|
This should now be working well enough to start review. I have one outstanding concern. If this change lands as-is, every worker that can possibly need to fetch keys will need an entry for the We could add a config option e.g. a) I am loathe to any new config option. Indeed, that's why I chose to exfiltrate these requests via federation senders rather than add some new complex worker class/role. b) There is likely to be future traffic that we might want to route to the external internet via federation senders only; so we would probably end up adding similar config options to Could use input from the team to make that call: @matrix-org/synapse-core
|
|
I would favor an option, but it would be nice to make it generic. Something like |
|
My two cents is that it makes more sense to just do the second option: it means confusion and annoyance in the short term while everyone gets up to speed, rather than the endless confusion and annoyance that results from a continuously expanding and complex-ifying config. |
DMRobertson
changed the title
DMRobertson
force-pushed
the
dmr/key-requests-from-fed-senders
branch
from
e3ccb15
to
3452c2a
Compare
|
There are some unit tests that need fixing up. I would like us to decide how to proceed on this (config option or not) before fixing that up. I'll chase up on Monday. |
|
I'm in several minds about this. I'm not mad keen about the faff of ensuring that everyone has correctly set up their OTOH, I'm not really that keen with this approach. It feels like we're going to play whack-a-mole with lots of the federation requests, rather than take a more systematic approach. I wonder if we should take this opportunity to go down a "federation proxy" route, either as an external util or as a dedicated config option |
So, what, something like this?
|
There was a problem hiding this comment.
Looks alright functionally.
Server admins having to update their config sounds like a lot of faff. The alternative of making it an option isn't great either. It sounded like we're exploring whether we can make a federation proxy as an alternative to this PR, is that right?
| instance_map: | ||
| - federation_sender1: | ||
| - host: localhost | ||
| - port: 1001 | ||
| - federation_sender2: | ||
| - host: localhost | ||
| - port: 1002 |
There was a problem hiding this comment.
| instance_map: | |
| - federation_sender1: | |
| - host: localhost | |
| - port: 1001 | |
| - federation_sender2: | |
| - host: localhost | |
| - port: 1002 | |
| instance_map: | |
| - federation_sender1: | |
| - host: localhost | |
| - port: 1001 | |
| - federation_sender2: | |
| - host: localhost | |
| - port: 1002 |
| async def _fetch_keys( | ||
| self, keys_to_fetch: List[_FetchKeyRequest] | ||
| ) -> Dict[str, Dict[str, FetchKeyResult]]: | ||
| # For simplicity's sake, pick a random federation sender |
There was a problem hiding this comment.
My reading of it is that if all workers have the same federation_sender_instances config, then federation_shard_config can be upgraded to a RoutableShardedWorkerHandlingConfig, since all workers will route requests the same way.
| We would normally return a group of FetchKeyResponse structs like the | ||
| normal code path does, but FetchKeyResponse holds a nacl.signing.VerifyKey | ||
| which is not JSON-serialisable. Instead, for each requested key we respond | ||
| with a boolean: `true` meaning we fetched this key, and `false` meaning we | ||
| didn't. | ||
|
|
||
| The response takes the form: | ||
|
|
||
| 200 OK | ||
| { | ||
| "fetched_count": 1 | ||
| } |
There was a problem hiding this comment.
Are these comments still accurate? I can't figure out what the endpoint returns just from the code below, but it doesn't seem to match the comment.
There was a problem hiding this comment.
No, I think I had iterated since then and not updated the comment.
That's right. Let me close this. |
Fixes #14805, which says:
(emphasis mine).
I am loathe to add a config option for this; I have chosen to route all key requests via federation senders.