fix(coderd): remove rate limits from agent metadata

ammario · ammario · commit 9ea6948f6512 · 2023-08-24T16:38:45.000Z
Include the full update message in the PubSub notification so that
we don't have to refresh metadata from the DB and can avoid rate
limiting.
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -6,7 +6,6 @@ import (
 	"database/sql"
 	"encoding/json"
 	"errors"
-	"flag"
 	"fmt"
 	"io"
 	"net"
@@ -17,7 +16,6 @@ import (
 	"sort"
 	"strconv"
 	"strings"
-	"sync"
 	"sync/atomic"
 	"time"
 
@@ -26,7 +24,6 @@ import (
 	"golang.org/x/exp/slices"
 	"golang.org/x/mod/semver"
 	"golang.org/x/sync/errgroup"
-	"golang.org/x/time/rate"
 	"golang.org/x/xerrors"
 	"nhooyr.io/websocket"
 	"tailscale.com/tailcfg"
@@ -1524,7 +1521,11 @@ func (api *API) workspaceAgentPostMetadata(rw http.ResponseWriter, r *http.Reque
 	key := chi.URLParam(r, "key")
 
 	const (
-		maxValueLen = 32 << 10
+		// maxValueLen is set to 2048 to stay under the 8000 byte Postgres
+		// NOTIFY limit. Since both value and error can be set, the real
+		// payload limit is 2 * 2048 * 4/3 <base64 expansion> = 5461 bytes + a few hundred bytes for JSON
+		// syntax, key names, and metadata.
+		maxValueLen = 2048
 		maxErrorLen = maxValueLen
 	)
 
@@ -1567,7 +1568,15 @@ func (api *API) workspaceAgentPostMetadata(rw http.ResponseWriter, r *http.Reque
 		slog.F("value", ellipse(datum.Value, 16)),
 	)
 
-	err = api.Pubsub.Publish(watchWorkspaceAgentMetadataChannel(workspaceAgent.ID), []byte(datum.Key))
+	// gob is used instead of JSON due to the potential large performance
+	// overhead of agent metadata.
+	datumJSON, err := json.Marshal(datum)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	err = api.Pubsub.Publish(watchWorkspaceAgentMetadataChannel(workspaceAgent.ID), datumJSON)
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
@@ -1593,7 +1602,7 @@ func (api *API) watchWorkspaceAgentMetadata(rw http.ResponseWriter, r *http.Requ
 		)
 	)
 
-	sendEvent, senderClosed, err := httpapi.ServerSentEventSender(rw, r)
+	sseSendEvent, sseSenderClosed, err := httpapi.ServerSentEventSender(rw, r)
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Internal error setting up server-sent events.",
@@ -1603,39 +1612,31 @@ func (api *API) watchWorkspaceAgentMetadata(rw http.ResponseWriter, r *http.Requ
 	}
 	// Prevent handler from returning until the sender is closed.
 	defer func() {
-		<-senderClosed
+		<-sseSenderClosed
 	}()
 
 	const refreshInterval = time.Second * 5
 	refreshTicker := time.NewTicker(refreshInterval)
 	defer refreshTicker.Stop()
 
-	var (
-		lastDBMetaMu sync.Mutex
-		lastDBMeta   []database.WorkspaceAgentMetadatum
-	)
+	var lastMetadata []database.WorkspaceAgentMetadatum
 
-	sendMetadata := func(pull bool) {
-		log.Debug(ctx, "sending metadata update", "pull", pull)
-		lastDBMetaMu.Lock()
-		defer lastDBMetaMu.Unlock()
+	sendMetadata := func(pullDB bool) {
+		log.Debug(ctx, "sending metadata update", "pull_db", pullDB)
 
-		var err error
-		if pull {
+		if pullDB {
+			var err error
 			// We always use the original Request context because it contains
 			// the RBAC actor.
-			lastDBMeta, err = api.Database.GetWorkspaceAgentMetadata(ctx, workspaceAgent.ID)
+			lastMetadata, err = api.Database.GetWorkspaceAgentMetadata(ctx, workspaceAgent.ID)
 			if err != nil {
-				_ = sendEvent(ctx, codersdk.ServerSentEvent{
-					Type: codersdk.ServerSentEventTypeError,
-					Data: codersdk.Response{
-						Message: "Internal error getting metadata.",
-						Detail:  err.Error(),
-					},
-				})
+				// If we can't successfully pull the initial metadata, pubsub
+				// updates will be no-op so we may as well terminate the
+				// connection early.
+				httpapi.InternalServerError(rw, err)
 				return
 			}
-			slices.SortFunc(lastDBMeta, func(a, b database.WorkspaceAgentMetadatum) int {
+			slices.SortFunc(lastMetadata, func(a, b database.WorkspaceAgentMetadatum) int {
 				return slice.Ascending(a.Key, b.Key)
 			})
 
@@ -1644,34 +1645,26 @@ func (api *API) watchWorkspaceAgentMetadata(rw http.ResponseWriter, r *http.Requ
 			refreshTicker.Reset(refreshInterval)
 		}
 
-		_ = sendEvent(ctx, codersdk.ServerSentEvent{
+		_ = sseSendEvent(ctx, codersdk.ServerSentEvent{
 			Type: codersdk.ServerSentEventTypeData,
-			Data: convertWorkspaceAgentMetadata(lastDBMeta),
+			Data: convertWorkspaceAgentMetadata(lastMetadata),
 		})
 	}
 
-	// Note: we previously used a debounce here, but when the rate of metadata updates was too
-	// high the debounce would never fire.
-	//
-	// The rate-limit has its own caveat. If the agent sends a burst of metadata
-	// but then goes quiet, we will never pull the new metadata and the frontend
-	// will go stale until refresh. This would only happen if the agent was
-	// under extreme load. Under normal operations, the interval between metadata
-	// updates is constant so there is no burst phenomenon.
-	pubsubRatelimit := rate.NewLimiter(rate.Every(time.Second), 2)
-	if flag.Lookup("test.v") != nil {
-		// We essentially disable the rate-limit in tests for determinism.
-		pubsubRatelimit = rate.NewLimiter(rate.Every(time.Second*100), 100)
-	}
+	// Note: we tried using a ratelimit and debounce here before but it was
+	// pretty buggy.
+	pubsubUpdates := make(chan database.UpdateWorkspaceAgentMetadataParams, 8)
 
 	// Send metadata on updates, we must ensure subscription before sending
 	// initial metadata to guarantee that events in-between are not missed.
-	cancelSub, err := api.Pubsub.Subscribe(watchWorkspaceAgentMetadataChannel(workspaceAgent.ID), func(_ context.Context, _ []byte) {
-		allow := pubsubRatelimit.Allow()
-		log.Debug(ctx, "received metadata update", "allow", allow)
-		if allow {
-			sendMetadata(true)
+	cancelSub, err := api.Pubsub.Subscribe(watchWorkspaceAgentMetadataChannel(workspaceAgent.ID), func(_ context.Context, byt []byte) {
+		var update database.UpdateWorkspaceAgentMetadataParams
+		err = json.Unmarshal(byt, &update)
+		if err != nil {
+			api.Logger.Error(ctx, "failed to unmarshal pubsub message", slog.Error(err))
+			return
 		}
+		pubsubUpdates <- update
 	})
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
@@ -1684,16 +1677,29 @@ func (api *API) watchWorkspaceAgentMetadata(rw http.ResponseWriter, r *http.Requ
 
 	for {
 		select {
-		case <-senderClosed:
-			return
+		case update := <-pubsubUpdates:
+			// There can only be 128 metadatums so this will always be fast.
+			for i, datum := range lastMetadata {
+				if datum.Key != update.Key {
+					continue
+				}
+
+				lastMetadata[i] = database.WorkspaceAgentMetadatum{
+					Value:       update.Value,
+					Error:       update.Error,
+					CollectedAt: update.CollectedAt,
+				}
+			}
+			sendMetadata(false)
 		case <-refreshTicker.C:
+			// Avoid spamming the DB with reads we know there are no updates. We want
+			// to continue sending updates to the frontend so that "Result.Age"
+			// is always accurate. This way, the frontend doesn't need to
+			// sync its own clock with the backend.
+			sendMetadata(false)
+		case <-sseSenderClosed:
+			return
 		}
-
-		// Avoid spamming the DB with reads we know there are no updates. We want
-		// to continue sending updates to the frontend so that "Result.Age"
-		// is always accurate. This way, the frontend doesn't need to
-		// sync its own clock with the backend.
-		sendMetadata(false)
 	}
 }
 
diff --git a/coderd/workspaceagents_test.go b/coderd/workspaceagents_test.go
@@ -1153,7 +1153,7 @@ func TestWorkspaceAgent_Metadata(t *testing.T) {
 	require.Len(t, update, 3)
 	check(wantMetadata1, update[0], true)
 
-	const maxValueLen = 32 << 10
+	const maxValueLen = 2048
 	tooLongValueMetadata := wantMetadata1
 	tooLongValueMetadata.Value = strings.Repeat("a", maxValueLen*2)
 	tooLongValueMetadata.Error = ""
