Break addnode out from the outbound connection limits. #9319
Conversation
src/init.cpp
Outdated
There was a problem hiding this comment.
Are addnode connections no longer counted under the normal max connection limit?
There was a problem hiding this comment.
They are not. See also commit message, pr text, and release note. :)
|
concept ACK |
doc/release-notes.md
Outdated
There was a problem hiding this comment.
What do you mean by "aggressive"connection here?
src/net_processing.cpp
Outdated
There was a problem hiding this comment.
This is new behaviour, addnoded nodes are not punished/banned. Right?
There was a problem hiding this comment.
"Ban-disconnects are also exempted for peers added via addnode since
the outbound addnode logic ignores bans. Previously it would ban
an addnode then immediately reconnect to it."
src/rpc/net.cpp
Outdated
There was a problem hiding this comment.
addnode missing in the helptext.
|
Adding a specific limit for user-added nodes makes it easier to reason about, and avoids some annoying edge cases. Good idea. Concept ACK. |
|
ACK b8d170dab441896970d5ab0f15ca672173592065 Would very much like to see this for 0.14. |
src/net.cpp
Outdated
There was a problem hiding this comment.
If no connection was established, this sleep runs while holding the semaphore. Is that a problem? I think this is the only thread that accesses the semaphore, but if that's the case... why are we using a semaphore?
There was a problem hiding this comment.
It's okay to hold extras here because this is the only place they're taken. What they're used for is to sleep until a release, which is also the case for outbound peers use of a semaphore. The result is so that when this thread is inactive because we're at connection maximum and a connection goes down the code to make a new connection begins instantly.
Perhaps it would be better to use some other notification mechanism; e.g. a sleep that can wake early on a condition variable, triggered whenever an addnoded peer is disconnected... but this is what the outbound connections currently do, and I didn't see a reason to make them any different. If you want I could add a change to rework both to whatever mechanism you prefer. The goal should be that if we're sleeping because there is nothing else to do (because we're at our limit, or because we have no down addnodes to try) we ought to wake instantly when a disconnection (or rpc reconfiguration, I guess) potentially changes that situation.
There was a problem hiding this comment.
We'll soon have an OnDisconnected() event that will allow us to change this (and possibly the outbound behavior) more easily. Using the same mechanism here makes sense for now, imo.
src/net.cpp
Outdated
There was a problem hiding this comment.
This makes addnoded connections no longer prevent random connections to the same netgroups. Is that change implied by "which is not subject to any of the other connection limitations"?
There was a problem hiding this comment.
That was the intent. At least the idea was to make the automatic and addnode connections operate largely independent of each other, not auto-connecting to amazon because you've got an addnode to amazon seems odd.
At least my perspective on the netgroup limitation is that with your limited 8 outbound slots you don't want to harm your partition resistance by spending multiple of them on a single netgroup. That no longer applies when addnodes are not consuming your outbound slots, just like it doesn't apply to inbound peers. (though inbound has a stronger additional reason: they're attacker controlled).
There was a problem hiding this comment.
That makes sense. I just wanted to make sure it was intentional.
There was a problem hiding this comment.
Do you think I should add a comment like, "Inbound and addnode connections don't use our limited pool of automatic outbound connections, so we don't consider them for netgroup exclusion."?
There was a problem hiding this comment.
Sure, always add comments :).
|
One nit: your last commit has 'documnetation' in the title. |
|
utACK 1c7dcacabd7327273a138aec4fd74a404b32e596 |
|
Missing command line and RPC options to set the limit. |
|
That discussion is only about RPC. |
|
@kanoi that discussion is about outbound connection P2P slots, not RPC. The issue here is that lots of folks configure Bitcoin Core by adding a long list of known IP addresses from arbitrary sources to addnode. This used to be especially common, but still exists today. In those cases, we absolutely cannot default to simply make 100 outbound connections (for the same reasons as discussed in #9217). |
|
Nothing to do with defaults - I'm referring to having an arbitrary constant number that can't be changed without modifying the code - there's no logical reason to set it at 8 and enforce that number for eternity. |
|
I don't see the reason for adding a new setting and ignoring adding an option to configure it. |
|
There is no new setting here? It uses the same connection slot count as previously (8). |
|
Really?
|
|
If the setting is necessary, why not allow it to be configured.
Configurable settings are useful when there are distinctly different environments that require different behaviour.
Reasons for a higher number of outgoing connections:
* Better partition resistance (but more than a few has hardly any effect).
Reasons for a lower number of outgoing connections:
* More load on the network (not something we want to encourage, having seen what the effects of no open connectable slots on the network are).
* Making your own node's performance and responsiveness worse, and increasing your bandwidth (which can adequately be controlled by using less -addnode's and/or lower -maxconnection setting).
As a result, I do not see a reason to make it configurable. Doing so would indicate that there is a usefulness to changing it, which likely leads to misunderstandings ("I want the most connections because I want the most verified blockchain!" or "I want to help the network with lots of connections!" or "My validation is too slow, I want to download faster!"), without any advantages for anyone.
If you want a configurable setting here, there would need to be a condition under which a higher or lower value would be recommendable.
|
theuni
left a comment
theuni
left a comment
There was a problem hiding this comment.
utACK. I like having added connections independent of the automatic ones. As-is, it's been unclear what should take precedence in some cases.
src/net.cpp
Outdated
There was a problem hiding this comment.
We'll soon have an OnDisconnected() event that will allow us to change this (and possibly the outbound behavior) more easily. Using the same mechanism here makes sense for now, imo.
|
Needs rebase, should be easy. |
|
Conflicts: |
Previously addnodes were in competition with outbound connections for access to the eight outbound slots. One result of this is that frequently a node with several addnode configured peers would end up connected to none of them, because while the addnode loop was in its two minute sleep the automatic connection logic would fill any free slots with random peers. This is particularly unwelcome to users trying to maintain links to specific nodes for fast block relay or purposes. Another result is that a group of nine or more nodes which are have addnode configured towards each other can become partitioned from the public network. This commit introduces a new limit of eight connections just for addnode peers which is not subject to any of the other connection limitations (including maxconnections). The choice of eight is sufficient so that under no condition would a user find themselves connected to fewer addnoded peers than previously. It is also low enough that users who are confused about the significance of more connections and have gotten too copy-and-paste happy will not consume more than twice the slot usage of a typical user. Any additional load on the network resulting from this will likely be offset by a reduction in users applying even more wasteful workaround for the prior behavior. The retry delays are reduced to avoid nodes sitting around without their added peers up, but are still sufficient to prevent overly aggressive repeated connections. The reduced delays also make the system much more responsive to the addnode RPC. Ban-disconnects are also exempted for peers added via addnode since the outbound addnode logic ignores bans. Previously it would ban an addnode then immediately reconnect to it. A minor change was also made to CSemaphoreGrant so that it is possible to re-acquire via an object whos grant was moved.
Also adds a comment about the netgroup exclusion behavior.
|
rebased. |
|
utACK 032ba3f |
|
Diff looks equivalent to me from my previous ACK at b8d170dab441896970d5ab0f15ca672173592065 to 032ba3f |
| } | ||
| if (!interruptNet.sleep_for(std::chrono::minutes(2))) | ||
| // Retry every 60 seconds if a connection was attempted, otherwise two seconds | ||
| if (!interruptNet.sleep_for(std::chrono::seconds(tried ? 60 : 2))); |
There was a problem hiding this comment.
FYI, I'm getting a warning for this on macOS 10.12.
net.cpp:1807:75: warning: if statement has empty body [-Wempty-body]
if (!interruptNet.sleep_for(std::chrono::seconds(tried ? 60 : 2)));
^
net.cpp:1807:75: note: put the semicolon on a separate line to silence this warning
Looks like a stray semicolon to me. For reference in the future, if I come across something like this again, should I bring this to the attention of the engineer, or should I just file a PR if the commit has already occurred?
There was a problem hiding this comment.
@droark If it is not merged, provide feedback. After it is merged, pull requests are very welcomed.
Empty body introduced by commit bitcoin#9319 should not be empty.
|
Post humus ACK 032ba3f |
Empty body introduced by commit bitcoin#9319 should not be empty.
…ections config options b4fcbcf doc: update -maxconnections config option help (Jon Atack) 79685a8 doc: update -addnode config option help (Jon Atack) 2896c6c doc: update addnode rpc help (Jon Atack) Pull request description: Since #9319 proposed by Gregory Maxwell and released in v0.14, peers manually added through the `-addnode` config option or using the `addnode` RPC have their own separate limit of 8 connections that does not compete with other inbound or outbound connection usage and is not subject to the limitation imposed by the `-maxconnections` option. This PR updates the `-addnode` and `-maxconnections` config options and the `addnode` RPC help docs with this information. `-addnode` config option help ``` $ bitcoind -h | grep -A5 addnode= -addnode=<ip> Add a node to connect to and attempt to keep the connection open (see the addnode RPC help for more info). This option can be specified multiple times to add multiple nodes; connections are limited to 8 at a time and are counted separately from the -maxconnections limit. $ bitcoind -h | grep -A3 maxconnections= -maxconnections=<n> Maintain at most <n> connections to peers (default: 125). This limit does not apply to connections manually added via -addnode or the addnode RPC, which have a separate limit of 8. ``` `addnode` rpc help ``` $ bitcoin-cli help addnode addnode "node" "command" Attempts to add or remove a node from the addnode list. Or try a connection to a node once. Nodes added using addnode (or -connect) are protected from DoS disconnection and are not required to be full nodes/support SegWit as other outbound peers are (though such peers will not be synced from). Addnode connections are limited to 8 at a time and are counted separately from the -maxconnections limit. ``` ACKs for top commit: prayank23: ACK b4fcbcf jarolrod: ACK b4fcbcf Tree-SHA512: b6d69baa6cbf6d53f91bac5b39b549d49db6c95f92ea1bdd3588a6432794a25ac2c8b3c89e2c72bb9097e61f2717c8b5ecc404745d5992b88e523db03200898f
…maxconnections config options b4fcbcf doc: update -maxconnections config option help (Jon Atack) 79685a8 doc: update -addnode config option help (Jon Atack) 2896c6c doc: update addnode rpc help (Jon Atack) Pull request description: Since bitcoin#9319 proposed by Gregory Maxwell and released in v0.14, peers manually added through the `-addnode` config option or using the `addnode` RPC have their own separate limit of 8 connections that does not compete with other inbound or outbound connection usage and is not subject to the limitation imposed by the `-maxconnections` option. This PR updates the `-addnode` and `-maxconnections` config options and the `addnode` RPC help docs with this information. `-addnode` config option help ``` $ bitcoind -h | grep -A5 addnode= -addnode=<ip> Add a node to connect to and attempt to keep the connection open (see the addnode RPC help for more info). This option can be specified multiple times to add multiple nodes; connections are limited to 8 at a time and are counted separately from the -maxconnections limit. $ bitcoind -h | grep -A3 maxconnections= -maxconnections=<n> Maintain at most <n> connections to peers (default: 125). This limit does not apply to connections manually added via -addnode or the addnode RPC, which have a separate limit of 8. ``` `addnode` rpc help ``` $ bitcoin-cli help addnode addnode "node" "command" Attempts to add or remove a node from the addnode list. Or try a connection to a node once. Nodes added using addnode (or -connect) are protected from DoS disconnection and are not required to be full nodes/support SegWit as other outbound peers are (though such peers will not be synced from). Addnode connections are limited to 8 at a time and are counted separately from the -maxconnections limit. ``` ACKs for top commit: prayank23: ACK bitcoin@b4fcbcf jarolrod: ACK b4fcbcf Tree-SHA512: b6d69baa6cbf6d53f91bac5b39b549d49db6c95f92ea1bdd3588a6432794a25ac2c8b3c89e2c72bb9097e61f2717c8b5ecc404745d5992b88e523db03200898f
12 participants
Previously addnodes were in competition with outbound connections
for access to the eight outbound slots.
One result of this is that frequently a node with several addnode
configured peers would end up connected to none of them, because
while the addnode loop was in its two minute sleep the automatic
connection logic would fill any free slots with random peers.
This is particularly unwelcome to users trying to maintain links
to specific nodes for fast block relay or monitoring purposes.
Another result is that a group of nine or more nodes which are
have addnode configured towards each other can become partitioned
from the public network.
This commit introduces a new limit of eight connections just for
addnode peers which is not subject to any of the other connection
limitations (including maxconnections).
The choice of eight is sufficient so that under no condition would
a user find themselves connected to fewer addnoded peers than
previously. It is also low enough that users who are confused
about the significance of more connections and have gotten too
copy-and-paste happy will not consume more than twice the slot
usage of a typical user.
Any additional load on the network resulting from this will likely
be offset by a reduction in users applying even more wasteful
workaround for the prior behavior.
The retry delays are reduced to avoid nodes sitting around without
their added peers up, but are still sufficient to prevent overly
aggressive repeated connections. The reduced delays also make
the system much more responsive to the addnode RPC.
Ban-disconnects are also exempted for peers added via addnode since
the outbound addnode logic ignores bans. Previously it would ban
an addnode then immediately reconnect to it.
A minor change was also made to CSemaphoreGrant so that it is
possible to re-acquire via an object whos grant was moved.