VSS Integration Tracking #246
Comments
event-handling-panic-persistence-failure could be treated the same as persistence failure during any other persistence, where we currently panic and restart. I agree we need to fix this, but in any case, this holds true for any remote persistence that can be implemented by user for ldk/ldk-node afaiu, so this shouldn't block vss integration, and can be tracked separately.
There might be some misunderstanding on how primary/secondary storage model will work.
IIUC, we will replay the events if there was a panic during event handling, so there shouldn't be any data loss. but yes the node will crash if there is persistence failure, this is true for channel-manager and channel-monitor persistence as well. |
For one, we generally try to avoid it and return an error wherever possible. But more importantly, persistence failure is currently ~never expected (i.e., only ever on hardware failure essentially), while with remote storage it will be very common, especially on mobile.
I disagree. We need to find a solution for this before we deem VSS integration 'stable'/ fully expose it in the stable API (and hence in bindings, as UniFFI doesn't support
This might be true for the channel monitor updates where proceeding without being sure an update was persisted is crucial. For basically everything else it would be highly beneficial to write to a local cache, proceed, and try to sync the cache with the remote server, restarting/resetting in case of any conflicts if they can't be resolved. I'm indeed a bit dubious what the benefit is of the secondary local storage, if we can't ever use it in the first place. I think we discussed this many times before and I still keep my hopes up we'd eventually get a better solution for it. But granted, it won't be solved by VSS primary/secondary model as currently planned (and required for monitor persistence).
Well, yeah, I started working on fallible event handling in lightningdevkit/rust-lightning#2995 and intend to get it into the next LDK release. But as mentioned above, I don't think we can deem VSS stable/fully expose as long as we just crash and burn on persistence failure.
The keyword here is live. I kind of assume that at least for many of our users having a regular remote backup (while the node is stopped/no payments are inflight) of the SQLite store might be preferable and safer than exposing their users to arbitrary crashes, especially in environments where Lightning integration/LDK Node is only one of the things going on. Imagine a social media or gaming app just arbitrarily crashing because we disconnected from the internet for a second: unacceptable. |
Most of the work is already merged, here we add some tracking for the remaining tasks:
VssStorein bindings (WIP: ExposeVssStorein bindings #245).AuthMethod(possibly also in WIP: ExposeVssStorein bindings #245).EventHandler. This might be a tough one.VssStoreis configured, but it's probably safer to keep panicking. In any case we need to add some huge warning that VSS is considered experimental and that either data might be lost at any time or that LDK Node / the app using it might crash at any time if the connection is lost.Mid- to longer term we need to switch to a primary/secondary storage model where we also persist to a local on-device database from which we also can handle restarts even if remote persistence fails. IMO this should happen ASAP as neither data loss nor crashing is acceptable UX.AuthMethodtrait, but this is already an advanced feature as it requires user to understand the interface and write matching code instead of providing some credentials.cfg-gate.(cc @G8XSU)
The text was updated successfully, but these errors were encountered: