-
Notifications
You must be signed in to change notification settings - Fork 232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPIP-332: Streaming Error Handling on Web Gateways #332
Conversation
I would like to be an options for clients to optout of this behaviour (with a header probably). Killing the connection can have real performance costs and will require clients to reopen a new connection if they are using |
Co-authored-by: Jorropo <[email protected]>
This can be done via the following mechanisms: | ||
|
||
- Sending a `RST` (reset) frame for HTTP/1.1 | ||
- Sending a `RST_STREAM` (reset stream) frame for HTTP/2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Sending a `RST_STREAM` (reset stream) frame for HTTP/2 | |
- Sending a `RST_STREAM` (reset stream) frame for HTTP/2 | |
- Sending a `CANCEL_PUSH` frame for HTTP/3, see RFC9114 section A.2.5.3. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't read the entire spec, but according to BCP 56, HTTP APIs shouldn't go into this level of detail. HTTP is designed in a way that allows building applications without referring to the specific HTTP version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Jorropo Again, haven't read the entire spec, but I are we actually doing server push (which is the only context in which CANCEL_PUSH would be valid)? That feature of HTTP is going to be removed from major browser implementations very soon.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't actually red the RFC, I know RST_STREAM on HTTP/2 is what we want, I just CTRL + F RST_STREAM in the HTTP/3 RFC and found this text:
RST_STREAM (0x03): RST_STREAM frames do not exist in HTTP/3, since
QUIC provides stream lifecycle management. The same code point is
used for the CANCEL_PUSH frame (Section 7.2.3).
I guess it should be whatever QUIC's frame is to close a stream unexpectedly.
HTTP is designed in a way that allows building applications without referring to the specific HTTP version.
Streaming errors is not a thing HTTP supports, you can setup trailler headers but they aren't supported by browsers.
So we are stealing the rug from under HTTP and use the underlying protocol to generate an unexpected error (which is actually supported and will return errors in all client implementations I've tested), that why we need to use TCP FIN.
I don't know if we should add this to the gateway spec, because most HTTP server implementations give you as much control as the go std does.
How will you implement that on reverse proxies ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@marten-seemann as @Jorropo mentioned, the big issue here is that HTTP doesn't have any error handling for streaming. One of my motivations behind this IPIP regards the new TAR format for the gateway (ipfs/kubo#9029).
It is possible that the TAR creation fails while streaming the file to the client due to many reasons. However, if you just stop streaming the TAR, you still get a valid TAR file, but it is incomplete. There's no feedback. Printing a trailer header is useless since browsers are not able to parse them. The only way we found so far to tell the user that something is wrong was by force-closing the HTTP stream.
I also have mixed feelings about having this on the spec since it is so specific. In addition, as @Jorropo mentioned it may be worth it having an opt-out of the behaviour through some header.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How will you implement that on reverse proxies ?
I think this is an important question.
I would like to see something like: X-On-Error: reset
header sent by the server to indicate this will be done, then a reverse proxy could just not send thoses headers, and clients would be able to tell it is not gonna do this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Jorropo please see the updates I've made to the IPIP.
This can be done via the following mechanisms: | ||
|
||
- Sending a `RST` (reset) frame for HTTP/1.1 | ||
- Sending a `RST_STREAM` (reset stream) frame for HTTP/2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't read the entire spec, but according to BCP 56, HTTP APIs shouldn't go into this level of detail. HTTP is designed in a way that allows building applications without referring to the specific HTTP version.
Co-authored-by: Jorropo <[email protected]>
Co-authored-by: Jorropo <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dropping some quick notes:
- Agree with Marten, HTTP API should not go into low level connection detail. We want gateway interface to be future-proof.
- The more gateway implementations exist, the less control we have over these low level details. Need to solve this on higher client application layer.
👉 due to this I am closing this IPIP
Instead, suggest opening a new IPIP with simpler proposal (but looking for better ones! – comment below):
-
The problem is that there is no way to signal that mid-way transfer error occurred. Instead of trying to bolt-on something on the server side, instead, spec should specify inexpensive way how clients should detect that the entire CAR got transferred:
-
Introduce optimization where we always add a zero-length raw block at the end of a CAR as a tombstone indicator – if this well-known CID is present, the client can skip hashing the last block, because we know the last block arrived safely.
-
If tombstone is not present, then the client MUST verify hash of the last block. If hash does match, means the connection was not interrupted mid-transfer (downside is additional CPU cost due to hashing that one block, that is why we prefer to have tombstone)
The tombstone is backward-compatible, and allows us to have an escape hatch to skip hashing and save CPU.
The client can opt-out of this behavior by sending a `X-Error-Behavior: trailer`. | ||
In that case, the server will not force-close the HTTP stream. Instead, the server | ||
will send the trailing header `X-Stream-Error` header with the error message. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know this was opt-in, but as usual, reminding that Trailers can't be read by JS in web browsers: mdn/browser-compat-data#14703 (lesson learned from Kubo RPC: ipfs/js-ipfs#2519)
Gateway specs should never require things that are not supported in browsers, as this leads to the very problem types this IPIP aims to solve.
|
|
Happily I think we can mush all of that into CARv2 without breaking. We'd just need that as a wishlist and some consumers of that functionality to help drive a spec to lock it in. |
See ipfs/kubo#9333 (comment) for more context.