<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Nov 21, 2016 at 2:46 PM, Augie Fackler <span dir="ltr"><<a href="mailto:raf@durin42.com" target="_blank">raf@durin42.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sun, Nov 20, 2016 at 02:23:43PM -0800, Gregory Szorc wrote:<br>
> # HG changeset patch<br>
> # User Gregory Szorc <<a href="mailto:gregory.szorc@gmail.com">gregory.szorc@gmail.com</a>><br>
> # Date 1479679271 28800<br>
> # Sun Nov 20 14:01:11 2016 -0800<br>
> # Node ID 952478a50f2583be4400c0f6fcc156<wbr>d73d46711c<br>
> # Parent 8d1b65503e8b360dd5121488f31d52<wbr>a3587a0819<br>
> internals: document compression negotiation<br>
<br>
</span>Lots of comments here. I've taken patches 1-5, and will review the<br>
rest of the series before stopping.<br>
<div><div class="h5"><br>
><br>
> As part of adding zstd support to all of the things, we'll need<br>
> to teach the wire protocol to support non-zlib compression formats.<br>
><br>
> This commit documents how we'll implement that.<br>
><br>
> To understand how we arrived at this proposal, let's look at how<br>
> things are done today.<br>
><br>
> The wire protocol today doesn't have a unified format. Instead,<br>
> there is a limited facility for differentiating replies as successful<br>
> or not. And, each command essentially defines its own response format.<br>
><br>
> A significant deficiency in the current protocol is the lack of<br>
> payload framing over the SSH transport. In the HTTP transport,<br>
> chunked transfer is used and the end of an HTTP response body (and<br>
> the end of a Mercurial command response) can be identified by a 0<br>
> length chunk. This is how HTTP chunked transfer works. But in the<br>
> SSH transport, there is no such framing, at least for certain<br>
> responses (notably the response to "getbundle" requests). Clients<br>
> can't simply read until end of stream because the socket is<br>
> persistent and reused for multiple requests. Clients need to know<br>
> when they've encountered the end of a request but there is nothing<br>
> simple for them to key off of to detect this. So what happens is<br>
> the client must decode the payload (as opposed to being dumb and<br>
> forwarding frames/packets). This means the payload itself needs<br>
> to support identifying end of stream. In some cases (bundle2), it<br>
> also means the payload can encode "error" or "interrupt" events<br>
> telling the client to e.g. abort processing. The lack of framing<br>
> on the SSH transport and the transfer of its responsibilities to<br>
> e.g. bundle2 is a massive layering violation and a wart on the<br>
> protocol architecture. It needs to be fixed someday by inventing a<br>
> proper framing protocol.<br>
<br>
</div></div>Love this paragraph. It's a huge loss that the framing delegation<br>
happened, because it means the existing batch() method isn't streaming<br>
over ssh (but it is over http).<br>
<div><div class="h5"><br>
><br>
> So about compression.<br>
><br>
> The client transport abstractions have a "_callcompressable()"<br>
> API. This API is called to invoke a remote command that will<br>
> send a compressable response. The response is essentially a<br>
> "streaming" response (no framing data at the Mercurial layer)<br>
> that is fed into a decompressor.<br>
><br>
> On the HTTP transport, the decompressor is zlib and only zlib.<br>
> There is currently no mechanism for the client to specify an<br>
> alternate compression format. And, clients don't advertise what<br>
> compression formats they support or ask the server to send a<br>
> specific compression format. Instead, it is assumed that non-error<br>
> responses to "compressable" commands are zlib compressed.<br>
><br>
> On the SSH transport, there is no compression at the Mercurial<br>
> protocol layer. Instead, compression must be handled by SSH<br>
> itself (e.g. `ssh -C`) or within the payload data (e.g. bundle<br>
> compression).<br>
><br>
> For the HTTP transport, adding new compression formats is pretty<br>
> straightforward. Once you know what decompressor to use, you can<br>
> stream data into the decompressor until you reach a 0 size HTTP<br>
> chunk, at which point you are at end of stream.<br>
><br>
> So our wire protocol changes for the HTTP transport are pretty<br>
> straightforward: the client and server advertise what compression<br>
> formats they support and an appropriate compression format is<br>
> chosen. We introduce a new HTTP media type to hold compressed<br>
> payloads. The first 2 bytes of the payload define the compression<br>
> format being used. Whoever is on the receiving end can sniff the<br>
> first 2 bytes and handle the remaining data accordingly.<br>
><br>
> Support for multiple compression formats is advertised on both<br>
> server and client. The server advertises a "compression" capability<br>
> saying which compression formats it supports and in what order they<br>
> are preferred. Clients advertise their support for multiple<br>
> compression formats via the HTTP "Accept" header.<br>
><br>
> Strictly speaking, servers don't need to advertise which compression<br>
> formats they support. But doing so allows clients to fail fast if<br>
> they don't support any of the formats the server does. This is useful<br>
> in situations like sending bundles, where the client may have to<br>
> perform expensive computation before sending data to the server.<br>
><br>
> By advertising compression support on each request in the "Accept"<br>
> header and by introducing a new media type, the server is able<br>
> to gradually transition existing commands/responses to use compression,<br>
> even if they don't do so today. Contrast with the old world, where<br>
> "application/mercurial-0.1" may or may not use zlib compression<br>
> depending on the command being called. Compression is defined as<br>
> part of "application/mercurial-0.2," so if a client supports this<br>
> media type it supports compression.<br>
><br>
> It's worth noting that we explicitly don't use "Accept-Encoding,"<br>
> "Content-Encoding," or "Transfer-Encoding" for handling compression.<br>
> People knowledgeable of the HTTP specifications will say that we<br>
> should use these because compression is a media or transfer encoding,<br>
> not a media type and dynamic compression is exactly what these<br>
> headers should be used for. They have a point and I sympathize with<br>
> the argument. However, my years of experience rolling out services<br>
> leveraging HTTP has taught me to not trust the HTTP layer, especially<br>
> if you are going outside the normal spec (such as using a custom<br>
> "Content-Encoding" value to represent zstd streams). I've seen load<br>
> balancers, proxies, and other network devices do very bad and<br>
> unexpected things to HTTP messages (like insisting zlib compressed<br>
> content is decoded and then re-encoded at a different compression level<br>
> or even stripping compression completely). I've found that the best<br>
> way to avoid surprises when writing protocols on top of HTTP is to use<br>
> HTTP as a dumb transport as much as possible to minimize the chances<br>
> that an "intelligent" agent between endpoints will muck with your data.<br>
<br>
</div></div>Totally agreed on this front, in case others have qualms. Experience<br>
with git's smart-http protocol in the wild has motivated me to never<br>
trust invisible intermediate proxies to do reasonable things. I've got<br>
a variety of war stories debugging supposed bugs in the old google<br>
code stack only to discover that it was an http proxy problem between<br>
us and the client.<br>
<span class=""><br>
> While the widespread use of TLS is mitigating many intermediate<br>
> network agents interfering with HTTP, there are still problems at the<br>
> edges, with e.g. the origin HTTP server needing to convert HTTP to and<br>
> from WSGI and buggy or feature-lacking HTTP client implementations.<br>
> I've found the best way to avoid these problems is to avoid using<br>
> headers like "Content-Encoding" and to bake as much logic as possible<br>
> into media types and HTTP message bodies. The protocol changes in this<br>
> commit do rely on the "Accept" and "Content-Type" headers. But we<br>
> used them before, so we shouldn't be increasing our exposure to "bad"<br>
> HTTP agents.<br>
><br>
> What about SSH.<br>
<br>
</span>s/\./?/<br>
<span class=""><br>
><br>
> For the SSH transport, we can't easily implement content negotiation<br>
> to determine compression formats because the SSH transport has no<br>
> content negotiation capabilities today. And without a framing protocol,<br>
> we don't know how much data to feed into a decompressor. So in order<br>
> to implement compression support on the SSH transport, we'd need to<br>
> invent a mechanism to represent content types and an outer framing<br>
> protocol to stream data robustly. While I'm fully capable of doing<br>
> that, it is a lot of work and not something that should be undertaken<br>
> lightly.<br>
<br>
> My opinion is that if we're going to change the SSH transport<br>
> protocol, we should take a long hard look at implementing a grand<br>
> unified protocol that attempts to address all the deficiencies with<br>
> the existing protocol.<br>
<br>
</span>Yes, totally agreed.<br>
<span class=""><br>
> While I want this to happen, that would be<br>
> massive scope bloat standing in the way of zstd support. So, I've<br>
> decided to take the easy solution: the SSH transport will not gain<br>
> support for multiple compression formats. Keep in mind it doesn't<br>
> support *any* compression today. So essentially nothing is changing<br>
> on the SSH front.<br>
<br>
</span>This sounds like a reasonable approach here. I'd like to get a clean<br>
re-do on the wire protocol some day, but I suspect it'll be many moons<br>
before someone is willing to pay for that work (and it seems unlikely<br>
I'll get around to it for the laughs).<br>
<br>
I wonder if it'd be reasonable to have an sshv2 protocol just *be*<br>
http-over-ssh via stdin/stdout? I feel a touch dirty even suggesting<br>
it, but the framing rules etc are already there...<br></blockquote><div><br></div><div>It's not a horrible idea. It's certainly convenient. Of course, that means Python's built-in HTTP server will be generating HTTP messages. I'm not sure how I feel about that. I assume most production Mercurial HTTP servers today are doing WSGI into a "real" HTTP server. I don't want to think about what differences in behavior the Python HTTP server stack brings to the table.<br></div><div><br></div><div>The features of HTTP we're relying on in the protocol today are chunked transfer and a limited set of HTTP headers.<br><br></div><div>Chunked transfer is kinda bad from a performance perspective because it relies on readline() to find the next chunk's size. Some of the many readline() implementations in the code today are so poorly done that they show up as hotspots for some operations. I've seen it enough times that I want to abolish reliance on readline() and used fixed width (or varint) encoding for frame sizes everywhere possible.<br><br></div><div>Anyway, I don't think it's too difficult for us to devise a custom protocol that provides the parts we need without all the HTTP baggage. We could even optionally use this protocol on HTTP servers via the Upgrade header (although I know there are good reasons to avoid that).<br><br></div><div>A new wire protocol is definitely something a few of us should set time aside to discuss, possibly at the next sprint.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
><br>
> diff --git a/mercurial/help/internals/<wbr>wireprotocol.txt b/mercurial/help/internals/<wbr>wireprotocol.txt<br>
> --- a/mercurial/help/internals/<wbr>wireprotocol.txt<br>
> +++ b/mercurial/help/internals/<wbr>wireprotocol.txt<br>
> @@ -68,8 +68,16 @@ Example HTTP requests::<br>
> The ``Content-Type`` HTTP response header identifies the response as coming<br>
> from Mercurial and can also be used to signal an error has occurred.<br>
><br>
> -The ``application/mercurial-0.1`` media type indicates a generic Mercurial<br>
> -response. It matches the media type sent by the client.<br>
> +The ``application/mercurial-*`` media types indicate a generic Mercurial<br>
> +data type.<br>
> +<br>
> +The ``application/mercurial-0.1`` media type is raw Mercurial data.<br>
<br>
</span>Perhaps the word legacy wants to be in this statement.<br>
<div><div class="h5"><br>
> +<br>
> +The ``application/mercurial-0.2`` media type is compression framed Mercurial<br>
> +data. The first 2 bytes of the payload indicate the compression format<br>
> +used. The remaining bytes are compressed according to that compression<br>
> +format. The decompressed data behaves the same as with<br>
> +``application/mercurial-0.1``<wbr>.<br>
><br>
> The ``application/hg-error`` media type indicates a generic error occurred.<br>
> The content of the HTTP response body typically holds text describing the<br>
> @@ -81,15 +89,19 @@ type.<br>
> Clients also accept the ``text/plain`` media type. All other media<br>
> types should cause the client to error.<br>
><br>
> +Behavior of media types is further described in the ``Content Negotiation``<br>
> +section below.<br>
> +<br>
> Clients should issue a ``User-Agent`` request header that identifies the client.<br>
> The server should not use the ``User-Agent`` for feature detection.<br>
><br>
> -A command returning a ``string`` response issues the<br>
> -``application/mercurial-0.1`` media type and the HTTP response body contains<br>
> -the raw string value. A ``Content-Length`` header is typically issued.<br>
> +A command returning a ``string`` response issues a<br>
> +``application/mercurial-0.*`` media type and the HTTP response body contains<br>
> +the raw string value (after compression decoding, if used). A<br>
> +``Content-Length`` header is typically issued, but not required.<br>
><br>
> -A command returning a ``stream`` response issues the<br>
> -``application/mercurial-0.1`` media type and the HTTP response is typically<br>
> +A command returning a ``stream`` response issues a<br>
> +``application/mercurial-0.*`` media type and the HTTP response is typically<br>
> using *chunked transfer* (``Transfer-Encoding: chunked``).<br>
><br>
> SSH Transport<br>
> @@ -233,6 +245,29 @@ 2006).<br>
> This capability was introduced at the same time as the ``lookup``<br>
> capability/command.<br>
><br>
> +compression<br>
> +-----------<br>
> +<br>
> +Declares support for negotiating compression formats.<br>
> +<br>
> +Presence of this capability indicates the server supports dynamic selection<br>
> +of compression formats based on the client request.<br>
> +<br>
> +Servers advertising this capability are required to support the<br>
> +``application/mercurial-0.2`` media type in response to commands returning<br>
> +streams. Servers may support this media type on any command.<br>
> +<br>
> +The value of the capability is a comma-delimited list of strings declaring<br>
> +supported compression formats. The order of the compression formats is in<br>
> +server-preferred order, most preferred first.<br>
> +<br>
> +The compression format strings are 2 byte identifiers. These are the same<br>
> +2 byte *header* values at the beginning of ``application/mercurial-0.2``<br>
> +media types (as used by the HTTP transport).<br>
> +<br>
> +This capability was introduced in Mercurial 4.1 (released February<br>
> +2017).<br>
<br>
</div></div>Mention that as of that release it was not yet used over the ssh<br>
transport? Or state that it was only used over http?<br>
<div><div class="h5"><br>
> +<br>
> getbundle<br>
> ---------<br>
><br>
> @@ -416,6 +451,46 @@ Mercurial server replies to the client-i<br>
> not conforming to the expected command responses is assumed to be not related<br>
> to Mercurial and can be ignored.<br>
><br>
> +Content Negotiation<br>
> +===================<br>
> +<br>
> +The wire protocol has some mechanisms to help peers determine what content<br>
> +types and encoding the other side will accept. Historically, these mechanisms<br>
> +have been built into commands themselves because most commands only send a<br>
> +well-defined response type and only certain commands needed to support<br>
> +functionality like compression.<br>
> +<br>
> +Currently, only the HTTP transport supports content negotiation at the protocol<br>
> +layer.<br>
> +<br>
> +HTTP requests advertise accepted media types via the ``Accept`` header.<br>
> +<br>
> +All clients should advertise an ``application/mercurial-0.1`` value.<br>
> +<br>
> +Clients supporting it can also advertise ``application/mercurial-0.2``.<br>
> +This media type supports the ``comp`` parameter to declare which compression<br>
> +formats the client accepts. The value is a ``quoted-string`` (defined by<br>
> +HTTP specification) containing a space-delimited list of 2 byte compression<br>
> +format identifiers. e.g. ``application/mercurial-0.2; comp="ZS ZL UN"``.<br>
> +If the ``comp`` parameter is absent, the server interprets this as equivalent<br>
> +to ``ZL UN``.<br>
> +<br>
> +Clients may choose to only advertise the ``application/mercurial-0.2`` media<br>
> +type if the server advertises the ``compression`` capability.<br>
> +<br>
> +A server that doesn't receive an ``Accept`` header listing any<br>
> +``application/mercurial-*`` values should infer that<br>
> +``application/mercurial-0.1`` was sent, as this media type should be supported<br>
> +by all clients ever written.<br>
<br>
</div></div>I'd like to be more cautious in the wording here, and give servers<br>
room to reject old clients for not understanding<br>
application/mercurial-0.2. It's not hard for me to envision a future<br>
where someone writes a modern-proto-only client in<br>
Java/Go/Rust/Piet/whatever, and it'd be nice to have a defined way for<br>
the client and server to identify each other in that case. I also want<br>
to be able to run servers that intentionally lock out old clients<br>
(potentially for scaling reasons, since we're talking about<br>
compression performance).<br>
<span class=""><br>
> +<br>
> +A server receiving multiple ``application/mercurial-*`` values may choose any<br>
> +of them. For example, a server may issue ``application/mercurial-0.2`` only<br>
> +for responses that it chooses to compress.<br>
> +<br>
> +A server may issue ``application/hg-*`` media types even though the client<br>
> +does not specify support for them in an ``Accept`` header. This is for<br>
> +backwards compatibility reasons.<br>
<br>
</span>Can we provide guidance here that new servers should not issue these<br>
forms? Other than hg-error, we don't send them today, so I'd like to<br>
put a stop to any growth of that now (especially<br>
application/hg-changegroup, which looks super crufty and ancient).<br>
<br>
> +<br>
> Commands<br>
> ========<br>
><br>
</blockquote></div><br></div></div>