fix: semaphore use for StoreChunks (#1866)

* Fix semaphore use for StoreChunks()

* make suggested changes

* Override locks when starting validator, by default

* Change default flag behavior

* make suggested changes

Author: cody-littley

node/config.go

@@ -128,24 +128,12 @@ type Config struct {
 	// Directories do not need to be on the same filesystem.
 	LittDBStoragePaths []string
 
-	// If true, then purge LittDB locks on startup. Potentially useful to get rid of zombie lock files,
-	// but also dangerous (multiple LittDB processes operating on the same files can lead to data corruption).
+	// If true, then LittDB will refuse to start if it can't acquire locks on the database file structure.
 	//
-	// When LittDB starts up, it attempts to create lock files. When a validator is forcefully shut down, lock files
-	// may be left behind. At startup time, if LittDB observes existing lock files, it first checks to see
-	// if the process that created the lock files is still running. The lock files contain the creator's PID, and so
-	// LittDB checks to see if there is any process with that PID still running.
-	//
-	// Although it should be rare, it's possible that another process may be started with the same PID as the
-	// PID used to create the lock files. When this happens, LittDB will be prevented from starting up out of
-	// fear of another process trying to access the same files, even though the original process that created the
-	// lock files is no longer running. If that happens, this flag is a safe way to force LittDB to start up
-	// without being blocked by those lock files. BE VERY CERTAIN THAT THE OTHER PROCESS IS ACTUALLY DEAD!
-	// If two instances of LittDB are running on the same files, it WILL lead to data corruption.
-	//
-	// An alternate way to clear the LittDB lock files is via the LittDB CLI with the "litt unlock" command.
-	// Run "litt unlock --help" for more information.
-	LittUnsafePurgeLocks bool
+	// Ideally, this would always be enabled. But PID reuse in common platforms such as Docker/Kubernetes can lead to
+	// a breakdown in lock files being able to detect unsafe concurrent access to the database. Since many (if not most)
+	// users of this software will be running in such an environment, this is disabled by default.
+	LittRespectLocks bool
 
 	// The rate limit for the number of bytes served by the GetChunks API if the data is in the cache.
 	// Unit is in megabytes per second.
@@ -424,7 +412,7 @@ func NewConfig(ctx *cli.Context) (*Config, error) {
 		LittDBReadCacheSizeBytes:      uint64(ctx.GlobalFloat64(flags.LittDBReadCacheSizeGBFlag.Name) * units.GiB),
 		LittDBReadCacheSizeFraction:   ctx.GlobalFloat64(flags.LittDBReadCacheSizeFractionFlag.Name),
 		LittDBStoragePaths:            ctx.GlobalStringSlice(flags.LittDBStoragePathsFlag.Name),
-		LittUnsafePurgeLocks:          ctx.GlobalBool(flags.LittUnsafePurgeLocksFlag.Name),
+		LittRespectLocks:              ctx.GlobalBool(flags.LittRespectLocksFlag.Name),
 		DownloadPoolSize:              ctx.GlobalInt(flags.DownloadPoolSizeFlag.Name),
 		GetChunksHotCacheReadLimitMB:  ctx.GlobalFloat64(flags.GetChunksHotCacheReadLimitMBFlag.Name),
 		GetChunksHotBurstLimitMB:      ctx.GlobalFloat64(flags.GetChunksHotBurstLimitMBFlag.Name),

node/flags/flags.go

@@ -451,11 +451,13 @@ var (
 		Required: false,
 		EnvVar:   common.PrefixEnvVar(EnvVarPrefix, "LITT_DB_STORAGE_PATHS"),
 	}
-	LittUnsafePurgeLocksFlag = cli.BoolFlag{
-		Name:     common.PrefixFlag(FlagPrefix, "litt-unsafe-purge-locks"),
-		Usage:    "Unsafe flag to purge locks in LittDB. Use with caution, as it may lead to data loss or corruption.",
+	LittRespectLocksFlag = cli.BoolFlag{
+		Name: common.PrefixFlag(FlagPrefix, "litt-respect-locks"),
+		Usage: "If set, LittDB will refuse to start if it can't acquire locks on the storage paths. " +
+			"Ideally this would always be enabled, but PID reuse in platforms like Kubernetes/Docker can make " +
+			"lock files practically impossible to manage.",
 		Required: false,
-		EnvVar:   common.PrefixEnvVar(EnvVarPrefix, "LITT_UNSAFE_PURGE_LOCKS"),
+		EnvVar:   common.PrefixEnvVar(EnvVarPrefix, "LITT_RESPECT_LOCKS"),
 	}
 	DownloadPoolSizeFlag = cli.IntFlag{
 		Name:     common.PrefixFlag(FlagPrefix, "download-pool-size"),
@@ -668,7 +670,7 @@ var optionalFlags = []cli.Flag{
 	EigenDADirectoryFlag,
 	BlsOperatorStateRetrieverFlag,
 	EigenDAServiceManagerFlag,
-	LittUnsafePurgeLocksFlag,
+	LittRespectLocksFlag,
 	StoreChunksBufferTimeoutFlag,
 	StoreChunksBufferSizeGBFlag,
 	StoreChunksBufferSizeFractionFlag,

node/grpc/server_v2.go

@@ -182,9 +182,33 @@ func (s *ServerV2) StoreChunks(ctx context.Context, in *pb.StoreChunksRequest) (
 		return nil, api.NewErrorInternal(fmt.Sprintf("failed to get the operator state: %v", err))
 	}
 
-	blobShards, rawBundles, err := s.node.DownloadBundles(ctx, batch, operatorState, probe)
+	downloadSizeInBytes, relayRequests, err :=
+		s.node.DetermineChunkLocations(batch, operatorState, probe)
 	if err != nil {
-		return nil, api.NewErrorInternal(fmt.Sprintf("failed to get the operator state: %v", err))
+		//nolint:wrapcheck
+		return nil, api.NewErrorInternal(fmt.Sprintf("failed to determine chunk locations: %v", err))
+	}
+
+	// storeChunksSemaphore can be nil during unit tests, since there are a bunch of places where the Node struct
+	// is instantiated directly without using the constructor.
+	if s.node.StoreChunksSemaphore != nil {
+		// So far, we've only downloaded metadata for the blob. Before downloading the actual chunks, make sure there
+		// is capacity in the store chunks buffer. This is an OOM safety measure.
+
+		probe.SetStage("acquire_buffer_capacity")
+		semaphoreCtx, cancel := context.WithTimeout(ctx, s.node.Config.StoreChunksBufferTimeout)
+		defer cancel()
+		err = s.node.StoreChunksSemaphore.Acquire(semaphoreCtx, int64(downloadSizeInBytes))
+		if err != nil {
+			return nil, fmt.Errorf("failed to acquire buffer capacity: %w", err)
+		}
+		defer s.node.StoreChunksSemaphore.Release(int64(downloadSizeInBytes))
+	}
+
+	blobShards, rawBundles, err := s.node.DownloadChunksFromRelays(ctx, batch, relayRequests, probe)
+	if err != nil {
+		//nolint:wrapcheck
+		return nil, api.NewErrorInternal(fmt.Sprintf("failed to download chunks: %v", err))
 	}
 
 	err = s.validateAndStoreChunks(ctx, batch, blobShards, rawBundles, operatorState, batchHeaderHash, probe)

node/node.go

@@ -100,7 +100,7 @@ type Node struct {
 	QuorumCount atomic.Uint32
 
 	// Used to limit the maximum amount of memory used to serve StoreChunks() gRPC requests.
-	storeChunksSemaphore *semaphore.Weighted
+	StoreChunksSemaphore *semaphore.Weighted
 }
 
 // NewNode creates a new Node with the provided config.
@@ -286,7 +286,7 @@ func NewNode(
 		BLSSigner:               blsSigner,
 		DownloadPool:            downloadPool,
 		ValidationPool:          validationPool,
-		storeChunksSemaphore:    storeChunksSemaphore,
+		StoreChunksSemaphore:    storeChunksSemaphore,
 	}
 
 	if !config.EnableV2 {

node/node_v2.go

@@ -33,54 +33,40 @@ type RawBundle struct {
 	Bundle          []byte
 }
 
-func (n *Node) DownloadBundles(
-	ctx context.Context,
+// Determines where to find the chunks we need to download for a given batch. For each chunk in a batch, there will
+// be one or more relays that are responsible for serving that chunk. This function determines which relays to contact
+// for each chunk, and sorts the requests by relayID to support batching. Additionally, this method also calculates
+// the size of the chunk data that will be downloaded, in bytes.
+func (n *Node) DetermineChunkLocations(
 	batch *corev2.Batch,
 	operatorState *core.OperatorState,
 	probe *common.SequenceProbe,
-) ([]*corev2.BlobShard, []*RawBundle, error) {
-
-	probe.SetStage("prepare_to_download")
-
-	relayClient, ok := n.RelayClient.Load().(relay.RelayClient)
+) (downloadSizeInBytes uint64, relayRequests map[corev2.RelayKey]*relayRequest, err error) {
 
-	if !ok || relayClient == nil {
-		return nil, nil, fmt.Errorf("relay client is not set")
-	}
+	probe.SetStage("determine_chunk_locations")
 
 	blobVersionParams := n.BlobVersionParams.Load()
 	if blobVersionParams == nil {
-		return nil, nil, fmt.Errorf("blob version params is nil")
+		return 0, nil, fmt.Errorf("blob version params is nil")
 	}
 
-	blobShards := make([]*corev2.BlobShard, len(batch.BlobCertificates))
-	rawBundles := make([]*RawBundle, len(batch.BlobCertificates))
-	requests := make(map[corev2.RelayKey]*relayRequest)
-
-	// Tally the number of bytes we are about to download.
-	var downloadSizeInBytes uint64
+	relayRequests = make(map[corev2.RelayKey]*relayRequest)
 
 	for i, cert := range batch.BlobCertificates {
 		blobKey, err := cert.BlobHeader.BlobKey()
 		if err != nil {
-			return nil, nil, fmt.Errorf("failed to get blob key: %v", err)
+			return 0, nil, fmt.Errorf("failed to get blob key: %w", err)
 		}
 
 		if len(cert.RelayKeys) == 0 {
-			return nil, nil, fmt.Errorf("no relay keys in the certificate")
-		}
-		blobShards[i] = &corev2.BlobShard{
-			BlobCertificate: cert,
-		}
-		rawBundles[i] = &RawBundle{
-			BlobCertificate: cert,
+			return 0, nil, fmt.Errorf("no relay keys in the certificate")
 		}
 		relayIndex := rand.Intn(len(cert.RelayKeys))
 		relayKey := cert.RelayKeys[relayIndex]
 
 		blobParams, ok := blobVersionParams.Get(cert.BlobHeader.BlobVersion)
 		if !ok {
-			return nil, nil, fmt.Errorf("blob version %d not found", cert.BlobHeader.BlobVersion)
+			return 0, nil, fmt.Errorf("blob version %d not found", cert.BlobHeader.BlobVersion)
 		}
 
 		assgn, err := corev2.GetAssignmentForBlob(operatorState, blobParams, cert.BlobHeader.QuorumNumbers, n.Config.ID)
@@ -91,17 +77,17 @@ func (n *Node) DownloadBundles(
 
 		chunkLength, err := blobParams.GetChunkLength(uint32(cert.BlobHeader.BlobCommitments.Length))
 		if err != nil {
-			return nil, nil, fmt.Errorf("failed to get chunk length: %w", err)
+			return 0, nil, fmt.Errorf("failed to get chunk length: %w", err)
 		}
 		downloadSizeInBytes += uint64(assgn.NumChunks() * chunkLength)
 
-		req, ok := requests[relayKey]
+		req, ok := relayRequests[relayKey]
 		if !ok {
 			req = &relayRequest{
 				chunkRequests: make([]*relay.ChunkRequestByIndex, 0),
 				metadata:      make([]*requestMetadata, 0),
 			}
-			requests[relayKey] = req
+			relayRequests[relayKey] = req
 		}
 		// Chunks from one blob are requested to the same relay
 		req.chunkRequests = append(req.chunkRequests, &relay.ChunkRequestByIndex{
@@ -115,27 +101,40 @@ func (n *Node) DownloadBundles(
 
 	}
 
-	// storeChunksSemaphore can be nil during unit tests, since there are a bunch of places where the Node struct
-	// is instantiated directly without using the constructor.
-	if n.storeChunksSemaphore != nil {
-		// So far, we've only downloaded metadata for the blob. Before downloading the actual chunks, make sure there
-		// is capacity in the store chunks buffer. This is an OOM safety measure.
+	return downloadSizeInBytes, relayRequests, nil
+}
 
-		probe.SetStage("acquire_buffer_capacity")
-		semaphoreCtx, cancel := context.WithTimeout(ctx, n.Config.StoreChunksBufferTimeout)
-		defer cancel()
-		err := n.storeChunksSemaphore.Acquire(semaphoreCtx, int64(downloadSizeInBytes))
-		if err != nil {
-			return nil, nil, fmt.Errorf("failed to acquire buffer capacity: %w", err)
+// This method takes a "download plan" from DetermineChunkLocations() and downloads the chunks from the relays.
+// It also deserializes the responses from the relays into BlobShards and RawBundles.
+func (n *Node) DownloadChunksFromRelays(
+	ctx context.Context,
+	batch *corev2.Batch,
+	relayRequests map[corev2.RelayKey]*relayRequest,
+	probe *common.SequenceProbe,
+) (blobShards []*corev2.BlobShard, rawBundles []*RawBundle, err error) {
+
+	blobShards = make([]*corev2.BlobShard, len(batch.BlobCertificates))
+	rawBundles = make([]*RawBundle, len(batch.BlobCertificates))
+	for i, cert := range batch.BlobCertificates {
+		blobShards[i] = &corev2.BlobShard{
+			BlobCertificate: cert,
 		}
+		rawBundles[i] = &RawBundle{
+			BlobCertificate: cert,
+		}
+	}
+
+	relayClient, ok := n.RelayClient.Load().(relay.RelayClient)
+	if !ok || relayClient == nil {
+		return nil, nil, fmt.Errorf("relay client is not set")
 	}
 
 	probe.SetStage("download")
 
-	bundleChan := make(chan response, len(requests))
-	for relayKey := range requests {
+	bundleChan := make(chan response, len(relayRequests))
+	for relayKey := range relayRequests {
 		relayKey := relayKey
-		req := requests[relayKey]
+		req := relayRequests[relayKey]
 		n.DownloadPool.Submit(func() {
 			ctxTimeout, cancel := context.WithTimeout(ctx, n.Config.ChunkDownloadTimeout)
 			defer cancel()
@@ -157,23 +156,24 @@ func (n *Node) DownloadBundles(
 		})
 	}
 
-	responses := make([]response, len(requests))
-	for i := 0; i < len(requests); i++ {
+	responses := make([]response, len(relayRequests))
+	for i := 0; i < len(relayRequests); i++ {
 		responses[i] = <-bundleChan
 	}
 
 	probe.SetStage("deserialize")
 
-	for i := 0; i < len(requests); i++ {
+	for i := 0; i < len(relayRequests); i++ {
 		resp := responses[i]
 		if resp.err != nil {
 			// TODO (cody-littley) this is flaky, and will fail if any relay fails. We should retry failures
 			return nil, nil, fmt.Errorf("failed to get chunks from relays: %v", resp.err)
 		}
 
 		if len(resp.bundles) != len(resp.metadata) {
-			return nil, nil, fmt.Errorf("number of bundles and metadata do not match (%d != %d)",
-				len(resp.bundles), len(resp.metadata))
+			return nil, nil,
+				fmt.Errorf("number of bundles and metadata do not match (%d != %d)",
+					len(resp.bundles), len(resp.metadata))
 		}
 
 		for j, bundle := range resp.bundles {

node/node_v2_test.go

@@ -45,7 +45,11 @@ func TestDownloadBundles(t *testing.T) {
 	})
 	state, err := c.node.ChainState.GetOperatorStateByOperator(ctx, uint(10), op0)
 	require.NoError(t, err)
-	blobShards, rawBundles, err := c.node.DownloadBundles(ctx, batch, state, nil)
+
+	_, relayRequests, err := c.node.DetermineChunkLocations(batch, state, nil)
+	require.NoError(t, err)
+
+	blobShards, rawBundles, err := c.node.DownloadChunksFromRelays(ctx, batch, relayRequests, nil)
 	require.NoError(t, err)
 	require.Len(t, blobShards, 3)
 	require.Equal(t, blobCerts[0], blobShards[0].BlobCertificate)
@@ -82,7 +86,11 @@ func TestDownloadBundlesFail(t *testing.T) {
 	})
 	state, err := c.node.ChainState.GetOperatorState(ctx, uint(10), []core.QuorumID{0, 1, 2})
 	require.NoError(t, err)
-	blobShards, rawBundles, err := c.node.DownloadBundles(ctx, batch, state, nil)
+
+	_, relayRequests, err := c.node.DetermineChunkLocations(batch, state, nil)
+	require.NoError(t, err)
+
+	blobShards, rawBundles, err := c.node.DownloadChunksFromRelays(ctx, batch, relayRequests, nil)
 	require.Error(t, err)
 	require.Nil(t, blobShards)
 	require.Nil(t, rawBundles)
@@ -117,7 +125,11 @@ func TestDownloadBundlesOnlyParticipatingQuorums(t *testing.T) {
 
 	state, err := c.node.ChainState.GetOperatorState(ctx, uint(10), []core.QuorumID{0, 1, 2})
 	require.NoError(t, err)
-	blobShards, rawBundles, err := c.node.DownloadBundles(ctx, batch, state, nil)
+
+	_, relayRequests, err := c.node.DetermineChunkLocations(batch, state, nil)
+	require.NoError(t, err)
+
+	blobShards, rawBundles, err := c.node.DownloadChunksFromRelays(ctx, batch, relayRequests, nil)
 	require.NoError(t, err)
 	require.Len(t, blobShards, 3)
 	require.Equal(t, blobCerts[0], blobShards[0].BlobCertificate)

node/validator_store.go

@@ -113,7 +113,7 @@ func NewValidatorStore(
 	littConfig.MetricsNamespace = littDBMetricsPrefix
 	littConfig.Logger = logger
 	littConfig.DoubleWriteProtection = config.LittDBDoubleWriteProtection
-	littConfig.PurgeLocks = config.LittUnsafePurgeLocks
+	littConfig.PurgeLocks = !config.LittRespectLocks
 	if err != nil {
 		return nil, fmt.Errorf("failed to create new litt config: %w", err)
 	}