ssh: actionable error when binary upload is reset by network proxy#5204
Open
anton-107 wants to merge 3 commits into
Open
ssh: actionable error when binary upload is reset by network proxy#5204anton-107 wants to merge 3 commits into
anton-107 wants to merge 3 commits into
Conversation
When `databricks ssh connect` uploads the CLI binary to the workspace, a network intermediary (corporate egress proxy, VPN, firewall/WAF) may close the HTTP/2 stream mid-upload, surfacing as a cryptic `stream error: stream ID N; NO_ERROR; received from peer`. Detect this transport-level reset and wrap the error with a hint that the connection was closed by an intermediary and the user should try from a network without such restrictions. Co-authored-by: Isaac
Contributor
Waiting for approvalBased on git history, these people are best suited to review:
Eligible reviewers: Suggestions based on git history. See OWNERS for ownership rules. |
The typed http2.StreamError check promoted golang.org/x/net to a direct dependency, failing the lint check that go.mod is unchanged. Rely on string match alone — http2.StreamError.Error() formats as "stream error: stream ID N; ..." which the existing string match catches. Co-authored-by: Isaac
The previous fixup dropped the typed errors.As(err, &http2.StreamError{})
check because importing golang.org/x/net/http2 promoted golang.org/x/net
from indirect to direct in go.mod and tripped the SPDX license test.
Per CLAUDE.md, we should not branch on err.Error() content when a typed
sentinel is available, so restore the typed check and pay the license
metadata tax instead:
- Add // BSD-3-Clause suffix on the direct require in go.mod.
- Add a matching entry to NOTICE under the BSD (3-clause) section.
Update the test that previously claimed to cover the wrapped/typed form
(but actually used errors.New) to wrap a real http2.StreamError.
Co-authored-by: Isaac
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
databricks ssh connectuploads the CLI binary to the workspace, a network intermediary (corporate egress proxy, VPN, firewall/WAF) can close the HTTP/2 stream mid-upload. The Go HTTP/2 client surfaces this as a crypticstream error: stream ID N; NO_ERROR; received from peer, which is hard for end users to interpret.http2.StreamErrorand the wrapped string form) and wraps the error with a clear, actionable message pointing at network-side restrictions.Reported by a customer on
*.cloud.databricks.comwhose 50 MB CLI binary upload was reset within ~2 s — every step before the upload (cluster check, secrets, GitHub download) succeeded; only the final POST to/api/2.0/workspace-files/import-file/...failed with the stream reset.New error message
Test plan
go test ./experimental/ssh/internal/client/ -run TestIsStreamResetError -v— table-driven cases cover typedhttp2.StreamError, wrapped variant, raw string match, and unrelated errorsgo test ./experimental/ssh/internal/client/ -count=1— full client package greengo build ./experimental/ssh/...— cleanbin/databricks ssh connect --cluster <id>against a working workspace still succeeds (no spurious detection on the success path)This pull request and its description were written by Isaac.