QUIC proxy peering

[espadolini]

This PR adds experimental support for a new QUIC-based transport for proxy peering. Support is enabled by setting the TELEPORT_UNSTABLE_QUIC_PROXY_PEERING envvar to yes and proxies that opt into the experimental feature will advertise their support by heartbeating with the teleport.internal/proxy-peer-quic label set to yes, and will exclusively use the QUIC transport to connect through proxies that carry the same label.

Proxies using the QUIC transport for proxy peering expect to be able to bind a UDP socket on the peer_listen_addr address and expect to be able to send UDP packets to other QUIC-enabled proxies on their peer_public_addr and to receive packets sent to their own peer_public_addr. Enabling or disabling the QUIC transport for an existing proxy (in the host ID sense) is unsupported and will lead to very confusing behavior, and the same can be said for restarting a proxy using the QUIC transport; the feature is strictly for environments where new proxies are rolled out (like a Kubernetes deployment).

The protocol and mode of operation is currently described in the package doc in lib/proxy/peer/quic/quic.go.

[fspmarshall]

nit: conventionally data sent over the wire is big endian. GRPC performs length prefixing using big endian uint32s. unless there is some compelling reason to not to, I'd suggest sticking with that convention.

[espadolini]

Counterpoint: it's 2024.

gRPC over HTTP/2 uses big endian for length prefixes because the HTTP/2 spec uses big endian and that's just how they happened to write the spec; protobuf itself uses little endian for any fixed-length integers, so "convention" should clearly not be a factor in any new protocol.

[fspmarshall]

Alright, ignoring convention... little endian byte order is an affront to god and nature and has no place in a civilized codebase. Especially for the case of a home-brewed API that we might be called upon to debug at some point, since visually parsing little endian data is annoying/weird.

[codingllama]

I also have a slight preference for big endian for over-the-wire data, if nothing else because I would expect it to be the case. That said, as long as it's well documented I'm OK with it.

[codingllama]

Quick (no pun intended) look at API and docs.

[codingllama]

How would it know that a message is oversized, though?

[espadolini]

We read the size first, if the message is oversized we just close the stream.

[codingllama]

I thought we capped at uint32, but later I saw we have a limit on top of the uint32, which then made this line make sense. Maybe we should mention that we have an arbitrary limit, so the messages can't use the full uint32 length?

[codingllama]

Server review. I think you would benefit from someone who understands QUIC (if we have any), but I did my best.

I'll wait for replies before catching up to the client, so you have time to catch up to it all.

[codingllama]

Log the error?

[espadolini]

I'll give it a shot, I suspect it would be pretty spammy tho.

[codingllama]

Same for debug or trace level.

[rosstimothy]

I think even at debug this is going to be spammmyish and produce more confusion than needed. Or perhaps a qerr.ApplicationError Application error 0x0 is a benign error that shouldn't be considered an error at all?

2024-10-31T12:29:56-04:00 DEBU [PROXY:QPE] error accepting a stream pid:26284.1 remote_addr:127.0.0.1:5021 internal_id:3cce12a9-5fc5-410d-999c-b5268e80a947 error:[Application error 0x0 (remote)] quic/server.go:244
2024-10-31T12:29:56-04:00 DEBU [PROXY:QPE] done forwarding data pid:26284.1 remote_addr:127.0.0.1:5021 internal_id:3cce12a9-5fc5-410d-999c-b5268e80a947 stream_id:0 error:[
ERROR REPORT:
Original Error: *qerr.ApplicationError Application error 0x0 (remote)
Stack Trace:
	github.com/gravitational/teleport/lib/proxy/peer/quic/server.go:418 github.com/gravitational/teleport/lib/proxy/peer/quic.(*Server).handleStream.func4
	golang.org/x/sync@v0.8.0/errgroup/errgroup.go:78 golang.org/x/sync/errgroup.(*Group).Go.func1
	runtime/asm_arm64.s:1223 runtime.goexit
User Message: Application error 0x0 (remote)] quic/server.go:421```

[espadolini]

Errors with a zero code should now be appropriately ignored in log messages; stream and connection closing before the connection is established (or successfully fails(???)) now use a nonzero error code which is still quite aspecific but we can figure that out at a later time.

[codingllama]

As a general comment, I'd rather this function returned an error and the caller made the choice to swallow it.

[espadolini]

The only possible error is caused by the connection getting closed - which is also why the log line is at debug level. I'm not convinced that moving the error logging one layer above will do much for the clarity of the code, at least while this is the only exit point for the function.

[codingllama]

Moving the logging up makes this behave like a regular erroring function, which is already a valuable readability improvement IMO.

[espadolini]

The logging happens before the defers, logging after returning would mean that the log line is related to an error that happened potentially much earlier, seeing as now we're waiting for the per-connection waitgroup to end.

[codingllama]

That is not typically an issue - a function errors, runs defers, returns the error and then the error gets logged by the caller. I won't push further but I do think a regular erroring func tends to be simpler to follow than the unusual over-swallowing of errors.

[codingllama]

Maybe:

Suggested change

	package teleport.quicpeering.v1alpha;
	package teleport.quicpeering.v1alpha1;

Bold of you to assume there will be only one alpha... ;)

[espadolini]

v1alpha seems to edge out (slightly) v1alpha1 in terms of google search result count - I wouldn't be opposed to v1alpha2 as a followup to v1alpha, either.

[codingllama]

I guess it really depends on whether we expect more alphas. If yes, then go v1alpha1. Otherwise we can do v1alpha to v1alpha2 like you said.

[codingllama]

Thanks for the added documentation/context. Very helpful!

[espadolini]

@codingllama after shuffling some types and functions around, QUIC proxy peering is now in its own package

[public-teleport-github-review-bot]

@espadolini - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes.

[rosstimothy]

Ran through a few tests on this branch again and noticed one last log spam nit. I was seeing the following in the proxy logs at the conclusion of every tsh ssh session:

2024-11-07T11:56:47-05:00 DEBU [PROXY:QPE] done forwarding data pid:18690.1 remote_addr:127.0.0.1:4021 internal_id:401212a6-d467-487d-8424-06bbe1bdf215 stream_id:0 error:[
ERROR REPORT:
Original Error: *trace.ConnectionProblemError use of closed network connection
Stack Trace:
	github.com/gravitational/teleport/api@v0.0.0/utils/sshutils/chconn.go:141 github.com/gravitational/teleport/api/utils/sshutils.(*ChConn).Read
	github.com/gravitational/teleport/lib/reversetunnel/conn_metric.go:80 github.com/gravitational/teleport/lib/reversetunnel.(*metricConn).Read
	io/io.go:429 io.copyBuffer
	io/io.go:388 io.Copy
	github.com/gravitational/teleport/lib/proxy/peer/quic/server.go:389 github.com/gravitational/teleport/lib/proxy/peer/quic.(*Server).handleStream.func3
	golang.org/x/sync@v0.8.0/errgroup/errgroup.go:78 golang.org/x/sync/errgroup.(*Group).Go.func1
	runtime/asm_arm64.s:1223 runtime.goexit
User Message: use of closed network connection] quic/server.go:415

[espadolini]

@codingllama @fspmarshall friendly ping

[codingllama]

Apologies for the delay. Here's a pass on the "easy" parts, I'm still giving the server/client parts a proper look.

I probably said this before, but a non-trivial 2.5k lines, 45-commits PR is pretty difficult to hold in ones head/reason about. This would benefit from being split into human-friendly sized PRs.

[espadolini]

@codingllama I've split off the code reorganization parts in #48836, but I don't really see a sensible way to split off the client and server parts of the QUIC implementation without it being somewhat meaningless. I've rebased the commits tho, they should be far more manageable now.

[codingllama]

Wait with a timeout so it fails cleanly on a delay?

[espadolini]

Would it be a clean failure, or a timeout that doesn't respect the test timeout as specified by the harness?

[codingllama]

The global test timeout is usually too high, so I think it's worth adding an explicit 1s-2s here in case it locks for some reason. (As of now obviously this works, so it would have little effect.)

[codingllama]

Set the group limit to 2, to be explicit/safe.

Should we use the group context to cancel in-flight goroutines, or is that redundant? This probably deserves a brief comment.

[espadolini]

We call Go twice in succession and then immediately call Wait, we don't move or reuse the errgroup, and there's no errgroup context, I'm not entirely sure what the comment should be.

[codingllama]

Fair enough, but do consider setting the limit.

[public-teleport-github-review-bot]

@espadolini See the table below for backport results.

Branch	Result
branch/v17	Create PR