Skip to content

v1.14 Backports - ipsec: cache xfrm state list #32883

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 5, 2024
Merged

v1.14 Backports - ipsec: cache xfrm state list #32883

merged 1 commit into from
Jun 5, 2024

Conversation

marseel
Copy link
Contributor

@marseel marseel commented Jun 4, 2024

Once this PR is merged, a GitHub action will update the labels of these PRs:

 32588

@marseel
ipsec: cache xfrm state list
e0c6072 
[ upstream commit 3a4c57f ]

[ Backporter's notes: switch default to false - so not enabled by
default. Switch from testing package to checkmate in unit tests. Flags
use Vp instead of vp. Minor conflicts with netlink.XfrmState* calls ]

Reduces GC CPU usage and memory allocations coming from XfrmStateList.
To ensure we have up-to-date cache, wrap all XfrmState related
functions inside cache, which is invalidated whenever XfrmState changes.

This is follow-up to #32577
While that PR averages out CPU usage over time, in large cluster 100+
nodes amount of allocations coming from netlink.XfrmStateList() is high
due to backgroundSync where we usually don't change any Xfrm states.
This becomes more and more expensive as number of nodes increases.

Added CI test to make sure that we accidentally don't add calls that
modify XFRMState without going through cache.

Also, added hidden option that allows to turn of caching.

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Jun 4, 2024
@marseel marseel changed the title v1.15 Backports - ipsec: cache xfrm state list v1.14 Backports - ipsec: cache xfrm state list Jun 4, 2024
@marseel
Copy link
Contributor Author

marseel commented Jun 4, 2024

/test-backport-1.14

@marseel marseel requested a review from pchaigno June 5, 2024 08:27
@marseel marseel marked this pull request as ready for review June 5, 2024 08:27
@marseel marseel requested a review from a team as a code owner June 5, 2024 08:27
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 5, 2024
@qmonnet qmonnet merged commit 00ada47 into v1.14 Jun 5, 2024
@qmonnet qmonnet deleted the backport_xfrm_state_cache_v1.14 branch June 5, 2024 09:38
@michi-covalent michi-covalent mentioned this pull request Jun 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pchaigno pchaigno pchaigno approved these changes

@qmonnet qmonnet qmonnet approved these changes

Assignees
No one assigned
Labels
backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
No open projects
cilium v1.14.12
Status: Released
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marseel @pchaigno @qmonnet