Data loss protect resending

[halseth]

This PR makes the latest channel reestablishment message being stored as part of the channel close summary, such that it can be sent even when a channel ahs been closed.

This makes it possible for nodes to recover from the case where they have been offline, lost state, and comes back online, attempting to reseync the channel.

Note: This PR contains a DB migration. To ensure deserialization code is not changed in the future, and breaking old migrations, a versioned copy of the current deserialization logic is added to the file legacy_serialization.go. Backwards compatible addition of the new field turned out to be complex because of the presence of optional fields (see the now removed commit 14648b2).

TODO:

• Unit test for FetchClosedChannelForID

[halseth]

Note: we can add write the false marker here as part of the migration to avoid this EOF check.

[halseth]

Currently the addition of the LastChanSyncMsg field is kept in its own commit to show how new fields can easily be added after the presence flags are introduced in the serialization.

[Roasbeef]

Why are we mixing the two approaches? We should either use EOF everywhere (so no migration) or the bool based approach.

[Roasbeef]

Ah scratch that, I see the usage now

[halseth]

This is how you would add new fields in the future without a migration.

[halseth]

#golang pop quiz: Why doesn't this work?

var msg *lnwire.ChannelReestablish
if err := ReadElements(r, &msg); err != nil {
		return nil, err
}
c.LastChanSyncMsg = msg

[cfromknecht]

i'm guessing that **lnwire.ChannelReestablish and *lnwire.Message are distinct concrete types, and the type switch doesn't try to determine if the suffix *lnwire.ChannelReestablish implements the other suffix lnwire.Message

[halseth]

Yes, I think that's right. I think the type switch is checking if the passed interface{} is of concrete type *lnwire.Message, not if it is satisfying the interface. TIL you cannot do that: https://play.golang.org/p/SmL37Hobvvs

[Roasbeef]

Nice work! This along with static channel back ups (incoming) really wrap up the set of items we need in place in lnd to cover all the bases we (currently) can as far as channel recovery. Most of my comments in this initial sweep are surrounding the new migration and if it's actually needed or not. Will do another pass in the tests, and also test this out a bit locally my self as well.

[Roasbeef]

This is to indicate if optional fields are there or not? Why's this better (in terms of set of changes) than just attempting to read where we know fields will be appended? May be worth even just going to something more future proof here.

[halseth]

The problem with omitting optional fields is that it only works for the last field. If there are more than one optional field, then you won't know what the data present represents. This way we attempt to make it future proof.

By adding booleans to indicate presence, we can make sure old code will read the new fields (they won't attempt to read any extra data they don't understand) and that new code will read the old format (booleans will indicate whether fields are present, so it can know which fields are not present from the old format).

[Roasbeef]

Yep, realized this later that day. I think in the future, we should do a clean sweep to just move to a TLV format everywhere. You read it all, then at the end check the array/map for the keys you actually know of then parse that. With that, we gain a way to handle an arbitrary number of fields in the future in a uniform manner throughout the codebase.

[halseth]

ooooh, yeah that would be nice!

[Roasbeef]

This seems to break the current serialization more than necessary. The minimal patch set would be to append the chan reest we need and nothing more.

[halseth]

Won't work for the case where cs.RemoteNextRevocation == nil and chanSyncMsg != nil, as the deserialization code will attempt to read the chanSyncMsg as RemoteNextRevocation.

[Roasbeef]

;)

[Roasbeef]

See comments re if this is really worth yet another migration.

[halseth]

I first attempted to do this without a migration, but it turned out to be complex: 14648b2

[Roasbeef]

Ah ok, yeah that's pretty convoluted.

[Roasbeef]

Perhaps this should be split out into another test, or a sub-test? As is this test is nearly 400 lines, not a blocker though, just something we should start to think about re the growth of the integration tests in the future.

[Roasbeef]

Least blocking route would be a comment that delineates this new testing scenario.

[halseth]

Improved the comments.

Agreed that some of the tests would benefit from being split up. I think this might cause our integration tests to run even longer though, bc of the added overhead. Might be worth looking into in combination with running integration tests in parallel (perhaps using containers?).

[Roasbeef]

👍

Yeah we'll need to white board out a better architecture as we add more backends, and also eventually starting other platforms other than mac OS.

[Roasbeef]

Unrelated to this PR, but shouldn't the BRAR be the one that's making this DB state here? Re the whole reliable hand off thing.

[cfromknecht]

the brar writes the retributions to disk, then acks back. after that the chain watcher knows it's safe to mark the channel as pending closed

[halseth]

We could let the BRAR have that responsibility, as we could get rid of ACK logic.

[cfromknecht]

the cleaner solution IMO is just to write resolutions in CloseChannel. then there is no need for a reliable handoff. the resolutions can be passed in memory to kick off the process, but if we crash the brar would look for all breached channels in the db and load resolutions from there

[Roasbeef]

This can eventually be hooked up into the channel life cycle management stuff. So to request a notification once a new node connects. Actually we already have this for use in the funding manager, so perhaps it can be used here?

[cfromknecht]

yeah i think we can use NotifyWhenOnline to just try if they ever reconnect

[halseth]

I actually like the current polling more, since we might need some time to process the ChannelReestablish after they reconnect. In that case the first lookup after they connect might fail, so we have to wait a little bit anyway.

If we don't wait before retrying at that point, we risk the peer coming online send us the ChannelReestablish and disconnects, and we will stall here waiting for them to connect again.

[cfromknecht]

good point, leaving this decoupled from the peer lifecycle makes sense to me then

[halseth]

Comments address, PTAL 🐶

[Roasbeef]

Where do we set the new starting height of a commitment chain? Don't see why this change is necessary atm. There're other spots where we depend on the height being set properly.

[halseth]

We never read it, we just look at the height of the commitment in the chain.

Agreed that the change is not directly relevant to this PR, I just noticed when transforming the ChanSync method to not being dependent on the chain heights.

Removed and made a separate PR: #2206

[Roasbeef]

Ah ok I see this now re remote close. We could also shuffle the other spots we populate this information into this package. Don't consider it a blocker though.

[Roasbeef]

Final lingering comments are re if we should have a lower backoff, and also if a minor refactor is necessary or not given.

[cfromknecht]

Seems equivalent to:

	// Write whether the channel sync message is present.
	if err := WriteElements(w, cs.LastChanSyncMsg != nil); err != nil {
		return err
	}
	// Write the channel sync message, if present.
	if c.LastChanSyncMsg != nil {
		if err := WriteElements(w, cs.LastChanSyncMsg); err != nil {
			return err
		}
	}

[halseth]

YES! Very nice :)

[halseth]

Also did the same change for RemoteNextRevocation

[cfromknecht]

good point, leaving this decoupled from the peer lifecycle makes sense to me then

[cfromknecht]

👍

[cfromknecht]

should this have a mutex around it? esp now that this is called in more places than just the switch

also seems like something that should be implemented in channeldb as a method of OpenChannel, since it is otherwise unrelated to anything in lnwallet. would be nice to keep the .ChanSyncMsg() notation, and not use a package level function

[halseth]

Good idea, added mutex.

The reason I didn't make this a method on OpenChannel is that it calls ComputeCommitmentPoint, which is a method from lnwallet, leading to an import cycle. We could however move this method to a new package (lnutil? 😛) if we want this, but I felt it was not worth it.

Also moving it to channeldb felt wrong 🤔

[cfromknecht]

would be nice to have a unit test for this migration, asserting it behaves properly in all four cases

[halseth]

Migration test added! (only three cases though?)

[halseth]

This was after an idea by @joostjager. Lmk what you think :)

[halseth]

Comments addressed and commits squashed. PTAL.

[Roasbeef]

LGTM 🧩

Have been running this on all my nodes (mainnet+testnet) the past few days, and haven't run into any issues. Migration went smooth, but ofc haven't ran (yet) into any instances where my node needed to retransmit the last chan sync message.