Home Explore Help
Sign In
zorun
/
kea
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 122da90997
Branches Tags
kea
/
doc
/
design
/
ipc-high.txt

ipc-high.txt 6.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162 
  1. The IPC protocol
    2. 

  2. ================
    3. 

  3. 

  4. While the cc-protocol.txt describes the low-level primitives, here we
    5. 

  5. describe how the whole IPC should work and how to use it.
    6. 

  6. 

  7. Assumptions
    8. 

  8. -----------
    9. 

  9. 

  10. We assume the low-level protocol keeps ordering of messages. That is,
    11. 

  11. if A sends messages 1 and 2 to B, they get delivered in the same order
    12. 

  12. as they were sent. However, if A sends message 1 to B and 2 to C, the
    13. 

  13. order in which get them or the order in which they answer is not
    14. 

  14. defined.
    15. 

  15. 

  16. We also assume that the delivery is reliable. If B gets a message from
    17. 

  17. A, it can be sure that all previous messages were delivered too. If A
    18. 

  18. sends a message to B, B either gets the message or either A or B is
    19. 

  19. disconnected during the attempt.
    20. 

  20. 

  21. Also, we expect the messages don't get damaged or modified on their
    22. 

  22. way.
    23. 

  23. 

  24. Addressing
    25. 

  25. ----------
    26. 

  26. 

  27. We can specify the recipient in two different ways:
    28. 

  28. 

  29.  * Directly. Each connected client has an unique address. A message
    30. 

  30.    addressed to that addressed is sent only to the one client.
    31. 

  31.  * By a group. A client might subscribe to any number of groups.
    32. 

  32.    When a message is sent to the group, all clients subscribed to the
    33. 

  33.    group receive it. It is legal to send to an empty group.
    34. 

  34. 

  35. Feedback from the IPC system
    36. 

  36. ----------------------------
    37. 

  37. 

  38. The IPC system generates some additional information to aid the
    39. 

  39. communicating clients.
    40. 

  40. 

  41. Undeliverable notification::
    42. 

  42.   If the client requests it (by a per-message flag) and the set of
    43. 

  43.   recipients specified is empty (either because the connection
    44. 

  44.   ID/lname is not connected or because the addressed group is empty),
    45. 

  45.   an answer message is sent from the MSGQ daemon to notify it about
    46. 

  46.   the situation.
    47. 

  47. Notifications about connections and disconnections::
    48. 

  48.   The system generates notification about following events:
    49. 

  49.   * Client with given lname connected
    50. 

  50.   * Client with given lname disconnected
    51. 

  51.   * Client with given lname subscribed to given group
    52. 

  52.   * Client with given lname unsubscribed from given group
    53. 

  53. List of group members:
    54. 

  54.   The MSGQ provides a command to list members of given group and list
    55. 

  55.   of all connections.
    56. 

  56. 

  57. Communication paradigms
    58. 

  58. -----------------------
    59. 

  59. 

  60. Event notifications
    61. 

  61. ~~~~~~~~~~~~~~~~~~~
    62. 

  62. 

  63. Sometimes, an event that may be interesting to other parts of the
    64. 

  64. system happens. The originating module may not know what other modules
    65. 

  65. are interested in that kind of event, nor it may know if any at all
    66. 

  66. wants to know that. With such event, the originating module does not
    67. 

  67. need any feedback.
    68. 

  68. 

  69. For each kind or family of notifications, there's a group. Everybody
    70. 

  70. interested in that family of notifications subscribes to the group.
    71. 

  71. When the event happens, it is sent (broadcasted) to the group, without
    72. 

  72. requiring an answer.
    73. 

  73. 

  74. [[NOTE]]
    75. 

  75. To avoid race conditions on start up, it is important to first
    76. 

  76. subscribe to the group and then load the initial state (for which
    77. 

  77. change the notification would be), not the other way around. The other
    78. 

  78. way, the state could be loaded, and then, before subscribing, an event
    79. 

  79. could happen and be unnoticed. On the other hand, we may still receive
    80. 

  80. event for change to the state we already loaded (which should be
    81. 

  81. generally safe), but not lose an update.
    82. 

  82. 

  83. Examples of these kinds could be change to a zone data (so it would
    84. 

  84. get reloaded by every process that has the data),
    85. 

  85. connection/disconnection notification from msgq, or change to
    86. 

  86. configuration data.
    87. 

  87. 

  88. It would be the recipients responsibility to handle the notification,
    89. 

  89. or at least, produce an error log message. In these situations, the
    90. 

  90. originator can not reasonably handle error cases anyway (the zone data
    91. 

  91. has been written), so if something does not work, log is everything we
    92. 

  92. can do.
    93. 

  93. 

  94. One-to-one RPC call
    95. 

  95. ~~~~~~~~~~~~~~~~~~~
    96. 

  96. 

  97. Sometimes, a process needs to call remote function (or command) in
    98. 

  98. other process. An example could be asking the configuration manager
    99. 

  99. for the current configuration or asking it to change it, asking single
    100. 

  100. process to terminate, etc.
    101. 

  101. 

  102. It may be that the group is a singleton group (eg. the command
    103. 

  103. manager, there must be exactly one in a running system, and is used
    104. 

  104. just as a stable name for the process) or an lname received by means
    105. 

  105. of other communication (like a previous subscribe notification).
    106. 

  106. 

  107. A command message (containing the parameters, name of the command,
    108. 

  108. etc) is sent, with the want-answer flag set. The other side processes
    109. 

  109. the command and sends a result or error back.
    110. 

  110. 

  111. If the recipient does not exist, the msgq sends an error right away.
    112. 

  112. 

  113. There are still two ways this may fail to provide an answer:
    114. 

  114. 

  115.  * The receiving module reads the command, but does not provide an
    116. 

  116.    answer. Clearly, such module is broken. There should be some (long)
    117. 

  117.    timeout for this situation, and loud logging to get it fixed.
    118. 

  118.  * The receiving module terminated at the exact time when msgq tried
    119. 

  119.    to send to it, or crashed handling the command. Therefore the
    120. 

  120.    sender listens for disconnect or unsubscription notifications
    121. 

  121.    (depending on if it was sent by lname or group name) and if the
    122. 

  122.    recipient disconnects, the sender knows it should not expect the
    123. 

  123.    answer any more.
    124. 

  124. 

  125. An asynchronous waiting for the answer is preferred.
    126. 

  126. 

  127. One-to-many RPC call
    128. 

  128. ~~~~~~~~~~~~~~~~~~~~
    129. 

  129. 

  130. Sometimes it is needed to send a command to bunch of modules at once,
    131. 

  131. usually all members of a group that can contain any number of clients.
    132. 

  132. 

  133. This would be done by requesting the members of the group from msgq
    134. 

  134. and then sending a one-to-one RPC call to each of them, tracking them
    135. 

  135. separately.
    136. 

  136. 

  137. [NOTE]
    138. 

  138. It might happen the list of group members changes between the time it
    139. 

  139. was requested and the time the commands are sent. If a client gets
    140. 

  140. disconnected, the sender gets an undeliverable error back from msgq.
    141. 

  141. If anything else happens (the client unsubscribes, connects,
    142. 

  142. subscribes), it must explicitly synchronise to the state anyway,
    143. 

  143. because we could have sent the commands before the change actually
    144. 

  144. happened and it would look the same to the client.
    145. 

  145. 

  146. [WARNING]
    147. 

  147. It would look better to first request the list of group members and
    148. 

  148. then send the command to the group, and use the list to track the
    149. 

  149. answers only. But that is prone to race conditions ‒ if there's any
    150. 

  150. change between the request for the member list and sending the
    151. 

  151. command, the actual recipients don't match the list and the server
    152. 

  152. could get more answers than expected or could wait for answer of a
    153. 

  153. module that no longer exists.
    154. 

  154. 

  155. Known limitations
    156. 

  156. -----------------
    157. 

  157. 

  158. It is meant mostly as signalling protocol. Sending millions of
    159. 

  159. messages or messages of several tens of megabytes is probably a bad
    160. 

  160. idea. While there's no architectural limitation with regards of the
    161. 

  161. number of transferred messages or their sizes, the code is not
    162. 

  162. optimised and it would probably be very slow.
    163.