rpc: too many broadcast_commit calls can lead to consensus liveness issues

[melekes]

Issue

See #2748

pubsub currently has no buffer (capacity: 0) by default, which helps us identify issues early. One of such issues is if it (pubsub) has too many subscribers (for example, too many /broadcast_commit calls waiting for txs results), we can't accept a new msg until we've broadcasted a previous one (to all subscribers).

As an example, this

tendermint/consensus/state.go

Line 708 in fb10209

cs.eventBus.PublishEventTimeoutPropose(cs.RoundStateEvent())

will block until previous msg is delivered to all subscribers.

This can potentially lead to consensus liveness issues.

Proposed action

We should rate limit the amount of broadcast_commit calls and other RPC endpoints which use pubsub (or recommend a limit for our clients to set in nginx or other software) + we need to figure out correct timeout for /broadcast_commit and make it configurable

tendermint/rpc/core/mempool.go

Lines 188 to 189 in fb10209

	// TODO: configurable?
	timer := time.NewTimer(60 * 2 * time.Second)

[srmo]

Is this suggestion for synced calls? I.e. would broadcast_tx_async be unaffected?

[melekes]

Is this suggestion for synced calls? I.e. would broadcast_tx_async be unaffected?

_sync/async are unaffected.

[mattkanwisher]

I'll add to this thread as the other, the change to the timeout from 10 seconds from 2 minutes broke a ton of our software. So we have patched it temporarily on our side, and working on a PR to make these timeouts configurable mattkanwisher@9a8cb94#diff-f0521764a882805b106091a2215d58c2R214

[ebuchman]

It sounds like we should add the following config options under [rpc]:

• max_subscription_clients - maximum number of unique clientIDs that can subscribe
• max_subscriptions_per_client - maximum number of unique queries a given client can subscribe to (note all calls to /broadcast_tx_commit uses the same client, so this would limit the number of /broadcast_tx_commit calls that can be open at once)
• timeout_broadcast_tx_commit - how long to wait for a tx to be committed during /broadcast_tx_commit.

@mattkanwisher are you still planning a PR for that last one?

Any other thoughts on this proposal?

We should also consider a max_websocket_connections to limit the maximum number of websocket connections at a time.

[melekes]

MaxSubscriptionClient and MaxSubscriptionsPerClient can be hard to figure out. Another option is to reject subscribers based on the current queue size https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-033-pubsub.md#future-problems-and-their-possible-solutions

We should also consider a max_websocket_connections to limit the maximum number of websocket connections at a time.

We probably don't want too many variables in the config (again, because some of them are dependent on each other and the user will have to calculate their values properly). There's the max_open_connections param, which includes WebSocket connections.