Yet another iptables reconciliation attempt #31024
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
94f5f2f to
b583442
Compare
This comment was marked as outdated.
This comment was marked as outdated.
b583442 to
4cd64e8
Compare
This comment was marked as outdated.
This comment was marked as outdated.
1 similar comment
This comment was marked as outdated.
This comment was marked as outdated.
93b05f4 to
712e009
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
The rate limiting effectively limited how quickly the ipset etc. changes were processed. Use a ticker instead to set the rate at which the changed desired state is reconciled. Additionally move the retrying to be done via the ticker as well so new changes to desired state are taken into account when retrying. Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Based on the generic reconciler Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Manage ipv4 and ipv6 native routing CIDRs in the local node struct. This allows the iptables reconciler to subscribe to the local node update and: - get the native routing CIDRs set at startup as a config option - get the updated v4 native routing CIDRs in case of auto detection (when IPAM is one of CRD, ENI, Azure or Alibaba) at runtime Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Add an immutable set data structure for use in objects stored in StateDB tables. The ImmSet[T] is useful when storing a relatively small set of items (1-1000). Implemented as a sorted slice. Mutations of the set clone the sliceand lookups are implemented as binary searches. The benefit of this is a packed presentation, especially for value types (e.g. netip.Addr) which will cause less overhead for GC. Downside is that inserts and deletes become expensive when there are many items. Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
This allows storing the IP address sets in a more compact GC friendly form and avoids many allocations coming from cloning of sets.Set (map). Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
When removing old Cilium rules, we should not care about rules belonging to "old" chains, that is, chains prefixes with the "oldCiliumPrefix". That's because those chains will be entirely removed immediately after anyway. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Currently, the local node store is implemented on top of an observable
stream, and the Get operation leverages stream.First to retrieve the
last emitted value. However, this approach suffers from two drawbacks,
further detailed below: performance overhead and risk of deadlocks. To
address them, let's instead implement the Get() method so that it
directly returns a shallow copy of the stored LocalNode object, while
making sure to preserve the existing behavior before starting the
LocalNodeStore, and after stopping it.
More in detail, the possible deadlock is caused by the following series
of events:
1. LocalNodeStore.Update() is triggered. stream.Multicast acquires a
lock, and then synchronously calls the subscribers. Subscribers may
do arbitrarily complex operations at that point, possibly acquiring
other locks in the meanwhile. Let's assume that one of them blocks
waiting for a given lock mu.
2 A separate thread is currently holding the mu lock, and calls one
of the global getters to, let's say, retrieve the v4 NodeInternalIP
address, which in turns calls LocalNodeStore.Get() and creates a
new stream.First observing the LocalNodeStore updates. However,
the replay of the last event is blocked by the stream.Multicast
lock held by the other thread, effectively causing a deadlock.
The subtle aspect here is that the global getters appear innocuous,
and it is difficult to reason about the possibility of deadlocks.
Conversely, the new approach ensures that LocalNodeStore.Get() never
blocks even if any subscriber is still processing the update event.
In terms of performance, taking into account the newly introduced
BenchmarkLocalNodeStoreGet benchmark, the new implementation cuts
the CPU time and memory allocations by 96% and 100% respectively:
goos: linux
goarch: amd64
pkg: github.com/cilium/cilium/pkg/node
cpu: 12th Gen Intel(R) Core(TM) i7-12700H
│ old.txt │ new.txt │
│ sec/op │ sec/op vs base │
LocalNodeStoreGet-20 1151.00n ± 1% 44.27n ± 1% -96.15% (p=0.000 n=10)
│ old.txt │ new.txt │
│ B/op │ B/op vs base │
LocalNodeStoreGet-20 1.090Ki ± 0% 0.000Ki ± 0% -100.00% (p=0.000 n=10)
│ old.txt │ new.txt │
│ allocs/op │ allocs/op vs base │
LocalNodeStoreGet-20 13.00 ± 0% 0.00 ± 0% -100.00% (p=0.000 n=10)
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
712e009 to
95c7ead
Compare
Fix previous proxy rules deletion and simplify rules installation functions. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
95c7ead to
7e0e10f
Compare
|
/test |
|
Superseded by #31372 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.