Re: [9fans] QTCTL?

["Russ Cox" <rsc@swtch.com>]

> The fact is we have loose consistency now, we just don't call it that.
> Anytime you are running a file from a server, you have loose
> consistency. It works ok in most cases.

Because all reads and writes go through to the
server, all file system operations on a particular
server are globally ordered, *and* that global ordering
matches the actual sequence of events in the
physical world (because clients wait for R-messages).
That's a pretty strong consistency statement!

Any revocation-based system has to have the server
wait for an acknowledgement from the client.
If there is no wait, then between the time that the server
sends the "oops, stop caching this" and the client
processes it, the client might incorrectly use the
now-invalid data.  That's why a change file doesn't
provide the same consistency guarantees as pushing
all reads/writes to the file server.  To get those, revocations
fundamentally must wait for the client.  

It's also why this doesn't work:

> Tcache	asks whether the server is prepared to cache
> Rcache	makes lease available with parameters, Rerror says no.
> 
> Tlease	says, ok start my lease now (almost immediately follows Rache)
> Rlease	lease expired or lease needs to be given back early
> 
> Tcache	done with old lease (may immediately ask for a new lease)
> etc.

because the Rlease/Tcache sequence is a s->c->s
message.  If a client doesn't respond with the Tcache
to formally give up the lease, the server has no choice
but to wait.

If you are willing to assume that each machine has
a real-time clock that runs approximately at the
same rate (so that different machines agree on 
what 5 seconds means, but not necessarily what
time it is right now), then you can fix the above messages
by saying that the client lease is only good for a fixed
time period (say 5 seconds) from the time that the
client sent the Tlease.  Then the server can overestimate
the lease length as 5 seconds from when it sent the
Rlease, and everything is safe.  And if the server 
sends a Rlease and the client doesn't respond with
a Tcache to officially renounce the lease, the server
can just wait until Tlease + 5 seconds and go on.
But that means the client has to be renewing the
lease every 5 seconds (more frequently, actually).

Also, in the case where the lease is just expiring
but not being revoked, then you have to have some
mechanism for establishing the new lease before
the old one runs out.  If there is a time between
two leases when you don't hold any leases, then 
all your cached data becomes invalid.

The following works:

Tnewlease	asks for a new lease
Rnewlease	grants the lease, for n seconds starting at time of Tnewlease

Trenewlease	asks to renew the lease
Rrenewlease	grants the renewal for n seconds starting at time of Trenewlease

Now if the server needs to revoke the lease, it just 
refuses to renew and waits until the current lease expires.

You can add a pseudo-callback to speed up revocation
with a cooperative client:

Tneeditback	offers to give lease back to server early
Rneeditback	says I accept your offer, please do

Tdroplease	gives lease back
Rdroplease	says okay I got it (not really necessary)

The lease ends when the client sends Tdroplease, 
*not* when the server sends Rneeditback.  It can't end
at Rneeditback for the same reason change files don't work.
And this can *only* be an optimization, because it 
depends on the client sending Tdroplease.  To get 
something that works in the presence of misbehaved
clients you have to be able to fall back on the 
"wait it out" strategy.

One could, of course, use a different protocol with 
a 9P front end.  That's okay for clients, but you'd still
have to teach the back-end server (i.e. fossil) to speak
the other protocol directly in order to get any guarantees.
(If 9P doesn't cut it then anything that's just in front of
(not in place of) a 9P server can't solve the problem.)

Russ