Offload TLS negotiation to I/O threads

[uriyage]

TLS Negotiation Offloading to I/O Threads

Overview

This PR introduces the ability to offload TLS handshake negotiations to I/O threads, significantly improving performance under high TLS connection loads.

Key Changes

• Added infrastructure to offload TLS negotiations to I/O threads
• Refactored SSL event handling to allow I/O threads modify conn flags.
• Introduced new connection flag to identify client connections

Performance Impact

Testing with 650 clients with SET commands and 160 new TLS connections per second in the background:

Throughput Impact of new TLS connections

• With Offloading: Minimal impact (1050K → 990K ops/sec)
• Without Offloading: Significant drop (1050K → 670K ops/sec)

New Connection Rate

• With Offloading:
  • 1,757 conn/sec
• Without Offloading:
  • 477 conn/sec

Implementation Details

1. Main Thread:

   • Initiates negotiation-offload jobs to I/O threads
   • Adds connections to pending-read clients list (using existing read offload mechanism)
   • Post-negotiation handling:
     • Creates read/write events if needed for incomplete negotiations
     • Calls accept handler for completed negotiations

2. I/O Thread:

   • Performs TLS negotiation
   • Updates connection flags based on negotiation result

Related issue:#761

[codecov]

Codecov Report

Attention: Patch coverage is 7.14286% with 26 lines in your changes missing coverage. Please review.

Project coverage is 70.74%. Comparing base (3d0c834) to head (dc5aa76).
Report is 14 commits behind head on unstable.

Files with missing lines	Patch %	Lines
src/io_threads.c	0.00%	25 Missing ⚠️
src/networking.c	50.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##           unstable    #1338      +/-   ##
============================================
+ Coverage     70.71%   70.74%   +0.02%     
============================================
  Files           115      116       +1     
  Lines         63159    63307     +148     
============================================
+ Hits          44666    44786     +120     
- Misses        18493    18521      +28     

Files with missing lines	Coverage Δ
src/connection.h	87.05% <ø> (-0.16%)	⬇️
src/server.c	87.65% <100.00%> (+0.02%)	⬆️
src/server.h	100.00% <ø> (ø)
src/tls.c	100.00% <ø> (ø)
src/networking.c	88.53% <50.00%> (-0.14%)	⬇️
src/io_threads.c	6.94% <0.00%> (-0.67%)	⬇️

... and 17 files with indirect coverage changes

---- 🚨 Try these New Features:

• Flaky Tests Detection - Detect and resolve failed and flaky tests
• JS Bundle Analysis - Avoid shipping oversized bundles

[madolson]

This implementation basically breaks the connection abstraction, since it has the TLS implementation calling functions related to IO threading (which is supposed to be agnostic to the connection type). I was sort of expecting we would offload the event handler.

[madolson]

Can we make a typdef for this, it'll be a bit more readable.

[uriyage]

Thanks, Done.

[madolson]

Suggested change

	#define CONN_FLAG_CLIENT (1 << 2) /* Connection is of a client - not a cluster link. */
	#define CONN_FLAG_NO_OFFLOAD (1 << 2) /* Connection should not be offloaded to IO threads. */

The goal was to keep the connection layer independent of the the server layer.

[uriyage]

Changed.

[madolson]

Suggested change

	if (server.io_threads_num <= 1) {
	return C_ERR;
	}
	if (!(conn->flags & CONN_FLAG_CLIENT)) {
	return C_ERR;
	}
	client *c = connGetPrivateData(conn);
	if (c->io_read_state != CLIENT_IDLE) {
	return C_OK;
	}
	if (server.active_io_threads_num <= 1) {
	return C_ERR;
	}
	if (server.active_io_threads_num <= 1) {
	return C_ERR;
	}
	if (!(conn->flags & CONN_FLAG_CLIENT)) {
	return C_ERR;
	}
	client *c = connGetPrivateData(conn);
	if (c->io_read_state != CLIENT_IDLE) {
	return C_OK;
	}

[madolson]

It seems everywhere else we just check for active threads.

[uriyage]

Consider a scenario where the main thread sends a job to the IO thread. After the IO thread completes the job, the main thread deactivates all threads. In this case, we want to ensure the main thread processes the returned job from the IO thread before performing an accept operation even if the io threads are not active.

To achieve this:

First, check if IO threads are enabled at all (less expensive check)
Then, verify the read_state is not idle
Finally, check the active state

Unlike read/write where we anyway check for the read/write states, the accept flow operates at the connection layer rather than the client layer, so we can't check the read state there.

[uriyage]

This implementation basically breaks the connection abstraction, since it has the TLS implementation calling functions related to IO threading (which is supposed to be agnostic to the connection type). I was sort of expecting we would offload the event handler.

We still don't check in any point for the connection type, since the TLS code calls the IO threads to offload the negotiation with a supplied callback, not the other way around. Maybe we can rename it to 'accept' instead of 'tls_negotiate' to be more abstract.

I was sort of expecting we would offload the event handler.

Not sure I get this, would you please elaborate.