Hard Limit the number of hop stream goroutines

[vyzo]

This adds a hard limit to the number of hop goroutines, so that relays don't get overloaded.

Note that the live hop tracking has been removed for two reasons:

• it was not by any way exported to the outside world, just taking memory
• there is lock contention

Note 2: DO NOT MERGE AS IS; I will rebase/squash before merging to clean up history.

[vyzo]

An alternative to hard resetting is to add a new error code for overloaded relays.
But if we do this, we must stop lingering awaiting EOF in handleError; perhaps we should just reset after sending the error.

[vyzo]

Resetting the stream won't work, the error will not be propagated further.
But we can reduce the EOF timeout to something much more reasonable than the current 1 minute (to say 5s).
Fortunately this is a variable in go-libp2p-net, so the consumer can set it.

[vyzo]

Implemented the RELAY_OVERLOADED error code, so that we don't do hard resets without notifying the other side.
The relay daemon can set the EOFTimeout to something shorter in order to reduce the goroutine linger time.

[vyzo]

I reverted to resetting the stream when the hop limit is exceeded -- being nice has deleterious effects in the number of lingering goroutines.

[Stebalien]

Sounds like something we need although I'm a bit worried we should be using per-peer limits instead. At the moment, ~500 peers could fully mesh-connect through the relay to kill it.

[Stebalien]

Nit: could we give these full names? (streamCount?)

[vyzo]

Sure, will do.

[vyzo]

done.

[Stebalien]

ultra nit: HopStreamBufferSize

[vyzo]

ok!

[vyzo]

done

[Stebalien]

Are we going to use this or should we just leave it at a reset?

[vyzo]

I will drop it in the rebase/squash.

[Stebalien]

Have we checked this against our current numbers? This seems kind of low, actually. For 20k peers, this'll give us less than 10 streams per peer.

[vyzo]

We can easily double it -- in fact the mplex relay where I am testing this is running with double the count (it overrides in the daemon init).

[vyzo]

I'll try with quadruple the count (hop limit at 1M) and evaluate memory usage with it.

[vyzo]

Seems like we are tight on memory with 2M goroutines active.

[vyzo]

I doubled the default, and actual daemons can set it higher if they have the resources.

[vyzo]

Sounds like something we need although I'm a bit worried we should be using per-peer limits instead. At the moment, ~500 peers could fully mesh-connect through the relay to kill it.

Per-peer limits are a little complex to implement, and need a lock (which I would like to avoid).
We have not observed fully connected meshes in the relays whatsoever; what has been observed is a long tail distribution where most peers have a small number of streams (they are connecting to the peers behind the relay) and then a bunch have a large number of streams (they are accepting connections).

[Stebalien]

Per-peer limits are a little complex to implement, and need a lock (which I would like to avoid).
We have not observed fully connected meshes in the relays whatsoever; what has been observed is a long tail distribution where most peers have a small number of streams (they are connecting to the peers behind the relay) and then a bunch have a large number of streams (they are accepting connections).

I'm primarily worried about someone attacking a relay this way but this certainly isn't the only way.

[vyzo]

rebased/squashed to just 2 commits and dropped the RELAY_OVERLOADED change in pb.