lib/connections, lib/config: Bandwidth throttling per remote device (fixes #4516)

[qepasa]

Purpose

Hello everyone. As described in the issue. This fix enables read/write bandwidth throttling per remote device alongside current global limiting. It can be set via device tab in advanced settings.

Testing

Testing was done using 2 remote devices. Tested scenarios include adding and removing devices and various configurations of r/w rates:
device1: 300/300, device2: unlimited/unlimited, global: unlimited/unlimited
device1: 300/300, device2: unlimited/unlimited, global: 150/150
device1: 300/300, device2: 50/50, global: 150/150
device1: unlimited/unlimited, device2: 50/50, global: 150/150
device1: unlimited/unlimited, device2: unlimited/unlimited, global: 700/700

Of course these tests may not be comprehensive. I'll be thankful for any additional suggestions or scenarios.

[AudriusButkevicius]

!ok

[AudriusButkevicius]

This has no context, rebuild of what, where, why

[AudriusButkevicius]

This is only called once, I'd say that it's fine to wedge in the loop inline in the constructor.

[AudriusButkevicius]

Could just call rebuildMap here?

[AudriusButkevicius]

You can just use equality for device ID's they should be comparable just fine.

[AudriusButkevicius]

Overall or Total. Global usually talks about locations.

[AudriusButkevicius]

How can this happen?

[qepasa]

It happens after removing remote device. I'm not sure about limitedWriter but I added it just to be safe.

[AudriusButkevicius]

This probably needs to be sync.Map (atomic map) as you have not implemented any locking, and there are definately multiple routines poking at it. Also, the atomic map should only be initialized once, because if you re-assign the map on the limiter struct, you still need a lock.

[imsodin]

Now you are using both locks and sync.Map, why?

The rebuildMap calls in several places seem overly complicated to me: Couldn't you just iterate over devices from old and new configuration in CommitConfiguration and delete/add/adjust limiters as necessary? When initializing you can then just call CommitConfiguration with empty maps as well.

[AudriusButkevicius]

You should not throw away the ok, in case the value is not there.
Also, you are not locking here, so you might be accessing deviceReadLimiters as the map is being swapped out.

This is also a reason why rebuildMap should potentially do it without swapping the maps.

[AudriusButkevicius]

Also, this is unnecessery if you handle it properly in checkDeviceLimits, or stop it from having side-effects.

[AudriusButkevicius]

Wouldn't it be better for rebuild to happen in place, this way getting rid of the lock that we have to get on every read and write.

[AudriusButkevicius]

This should blow up if a device is removed, as len(to) < len(from).

[AudriusButkevicius]

You should probably write a test case for this logic.
Test case for adding
Test case for removing
Test case for adding and removing in the same config commit cycle.

[AudriusButkevicius]

To be honest, this function as it states should only do checking, and not rebuilding (as a side-effect), and rebuilding and other cruft should happen in the CommitConfiguration.

[AudriusButkevicius]

This will always print stuff, even if someones rate hasn't changed since before.
It will further always mess around with the rate limiters, regardless if the value changed or not.

[AudriusButkevicius]

To be honest, if !ok, I'd panic (or do nothing), as it should clearly be there.
Now it's like a bandaid for a problem we can't explain.

I'd do a if deviceLimiter != nil check in take

[AudriusButkevicius]

the l could do with a better name now, and the doc string should be updated.

[AudriusButkevicius]

What if there are two rebuildMap calls in parallel due to frequent config save or something like that, this might be halfway through a swap too.

[qepasa]

@AudriusButkevicius You're right. I assumed (which was pretty stupid) that only one routine at the time visits CommitConfiguration. I guess the right way will be to rewrite it so that "rebuild" happens without swapping map instances and definitely implement mentioned tests and fix other issues pointed by you. Thanks for feedback!

@imsodin My intention was to use lock in order to ensure atomic assignment in rebuildMap.

[AudriusButkevicius]

@qepasa thanks for working on this.

[calmh]

sync.Map is Go 1.9 and we're currently targeting 1.8. This is the build failure reported by the tests.

Although we could bump our requirements I think there should be little enough churn on these that we can actually use regular maps and locking...

[qepasa]

Hello everyone. Sorry for delay with coding. I tried to keep your suggestions in mind. If there is anything you would like to be done differently I'll make sure to implement it faster this time.

[imsodin]

I believe the entire above block isn't necessary, as CommitConfiguration will add all missing devices anyway, so https://github.com/syncthing/syncthing/pull/4603/files#diff-da45d4f40dfa16a9aae760dd650fe79aL35 should be sufficient.

[imsodin]

empty

[imsodin]

Could be map[protocol.DeviceID]struct{} and then later instead of = false do delete(devicesToRemove, v.DeviceID). Then you can just iterate over the final map in the end without checking a bool.

[AudriusButkevicius]

Now this lives on the lim struct, but doesn't actually use it, meaning it should either be a utility function not part of lim, or use lim and reach into lim.device{Write,Read}Limiters directly.

[AudriusButkevicius]

Noop space.

[AudriusButkevicius]

Again, doesn't need to live on lim.
Also the function name doesn't explain well what this does. Should probably be called deviceLimitsChanged() and invert what it returns.

[AudriusButkevicius]

This is a nit-pick, but we don't really need to rely on the device order here. It's possible that rates aren't changed, just the order gets changed.

[AudriusButkevicius]

There should be some sort of cfg.DeviceMap() or something like that utility function.

[imsodin]

Yes, that should be moved from model to config: https://github.com/syncthing/syncthing/blob/master/lib/model/model.go#L2569
That also makes it easier to remove limiters, just treat it like folders in models CommitConfiguration.

[AudriusButkevicius]

This could be map[DeviceID]struct{}, and devicesToRemove[x] = false is essentially delete(devicesToRemove, x)

Or better would be:

for dev in to.Devices {
   seen[dev] = struct{}{}
}

for dev in from.Devices {
   if  _, ok := seen[dev]; !ok {
      lim.deleteLimiters(dev)
   }
}

[AudriusButkevicius]

Why is this a pointer?

[AudriusButkevicius]

This is too complicated. The only way these things get set are under a lock, so it's very unlikely they get out of sync.
Also, perhaps it's better to get getDevice{Read,Write}Limiter always return a new limiter even if one does not exists (and add it to the map).

I am thinking about a case where a new device gets added, and there is a race between CommitConfiguration here, and us making a connection. It's probably always better wrap every connection in a limiter (and create one if it doesn't exist) and then adjust the rates later.

[AudriusButkevicius]

Is it not better not to do this if the limits are the same as previously?
As in, move this after the if?

[imsodin]

empty

[imsodin]

I think this global check is not very useful as global limits are reset even if just a device changed and whether device change is checked again later on. So I would either not check at all and just reset everything or check the different parameters separately.

[imsodin]

Yes, that should be moved from model to config: https://github.com/syncthing/syncthing/blob/master/lib/model/model.go#L2569
That also makes it easier to remove limiters, just treat it like folders in models CommitConfiguration.

[imsodin]

Argh this github reviews... Probably better look at the comments in the diff, this comment view is fractured badly.

Hello everyone. Sorry for delay with coding. I tried to keep your suggestions in mind. If there is anything you would like to be done differently I'll make sure to implement it faster this time.

Even if you weren't occupied with Christmas holidays and family reunions there is no reason at all to apologize for ~1week (and also if longer) followup times after a round of review. Reviewers will nag if it comes to the point of being too quiet ;)

[imsodin]

I propose func (cfg *Configuration) DeviceMap() map[protocol.DeviceID]DeviceConfiguration.

[AudriusButkevicius]

Agree. And we do this in a few other places (in the model I think), so we should use this instead.

[imsodin]

No manual line breaks (I was/am a fan of them too, but it's not the Syncthing/Go style ;) ).

[imsodin]

line breaks

[imsodin]

I would remove this check. You already do the same checks in processDevicesConfiguration and skip any devices which don't change.

[imsodin]

Doesn't need to pass configs as pointers.

[AudriusButkevicius]

My previous comments on always creating limiters and always wrapping each device connection in two limiters still apply

[qepasa]

I added suggested fixes. Thank you guys for patience with this pull request and for quick reviews.

[imsodin]

This can just be if lim.setLimits(dev) {.

[AudriusButkevicius]

The fact that processblabla does locking outside the function, and this does inside, feels wrong.

[imsodin]

@AudriusButkevicius We are starting to contradict each other once again x-): My reasoning to suggest this was that the locking now happens in CommitConfiguration and in these newLimited... functions, which are all "top-level", i.e. called "externally" (not all outside of the package, but outside of the limiter code). Also locking the entirety of CommitConfiguration was considered necessary to disallow concurrent change and thus with a single lock the locking cannot happen on get...Limiter anymore (single lock is not a requirement obviously, I just consider it cleaner).

[AudriusButkevicius]

Fine, but why can't we lock lim.mu before calling the newblabla twice in the connection service, this way we lock the same way in both places. Also a function that needs locking before called, we should add the locked word into the name like we do in the model.

[imsodin]

Now I see.
@qepasa So locking should happen here instead and a whole bunch of functions needs the Locked suffix: setLimits, new..., get..., processD....

[AudriusButkevicius]

The variable assignment is pointless, you can straight do if setLimits(dev) {

[AudriusButkevicius]

Don't need t.helper as you are not asserting anything here

[AudriusButkevicius]

This can just return a config, rather than setting some global that leaks between the tests.

[AudriusButkevicius]

Implementation wise looks ok to me, needs to resolve merge conflicts and pass the tests (which I am not sure if they are failing due to anything this PR is doing).
Also perhaps needs UI to expose this in device editor.

[imsodin]

Also perhaps needs UI to expose this in device editor.

I agree that this is probably a nice enough functionality to get a place there. If @qepasa wants to do it in this PR, cool, but otherwise I think it's fine to leave it in advanced settings and open an enhancement issue for someone else (or qepasa) to do that eventually.

[calmh]

I'm sure you've already discussed this in the 90+ comments above, but all of this juggling of mutexes and maps and stuff does not seem worth it to me compared to just creating the limiter with the appropriate settings at connection time. Yeah then we can't change the per device rate limit on the fly, but this will almost never happen and we anyway disconnect peers most of the time when we change folders or devices. That would make this whole thing like a four line diff instead.

[calmh]

This should probably be our lib/sync

[calmh]

Just sync.Mutex, no need for a pointer (regardless of which sync package)

[calmh]

Adjust here to nothing at all (standard lib sync) or sync.NewMutex() (our sync)

[calmh]

Not clear what the pointer comments are about. The configuration parameters are not pointers.

[calmh]

This is unusual, we do don't want to take locks on mutexes inside other objects and then call their ...Locked functions. Wrap in a method.

rd, wr := s.limiter.getLimiters(remoteID, c, isLAN)

[imsodin]

[...] all of this juggling of mutexes and maps and stuff does not seem worth it to me compared to just creating the limiter with the appropriate settings at connection time. Yeah then we can't change the per device rate limit on the fly, but this will almost never happen and we anyway disconnect peers most of the time when we change folders or devices. [...]

@calmh Isn't this dropping of connection one of the long-standing issues nobody wants to tackle because it is so entangled? What I mean is that not needing a "complete reset" and thus at least not increasing the entanglement, seems to already provide quite a bit of merit.

[calmh]

I don't really think the connection resetting is a big deal, but on the other hand we already have the limiter that listens to config reloads, so fine lets roll with this.

[calmh]

LGTM apart from above mutex nits, and that the parameters to take could have better names (l being globalLimiter or something maybe).

Has anyone tested that this actually works?

[AudriusButkevicius]

no point using here defer as the scope is small, as this just prevents potential inlining.

[AudriusButkevicius]

Apart from the last nitpick this looks good to me, if it works :)

[AudriusButkevicius]

Merge these two two line functions into the callee to reduce the mental stack depth.

[qepasa]

I can try to make UI for this but I would prefer it to be a new issue.

[AudriusButkevicius]

@imsodin @calmh pls re-review and lets put this to bed.

The person has put an immense amount of effort for dealing with my (our?) comments so far, and we just left him in silence. I am happy with this.

old

[calmh]

I have nits to pick, but i'll pick them myself in a followup at some point