Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

conntrack: Configurable timeouts #357

Merged
merged 28 commits into from
Feb 8, 2023
Merged

conntrack: Configurable timeouts #357

merged 28 commits into from
Feb 8, 2023

Conversation

ronensc
Copy link
Collaborator

@ronensc ronensc commented Dec 26, 2022
edited
Loading

This PR allows configuring different timeouts for connections based on their key fields.

conntrack:
  keyDefinition:
    fieldGroups:
    - name: protocol
      fields:
      - Proto
    # ...
  scheduling:
  - selector: # UDP connections
      Proto: 17
    endConnectionTimeout: 5s
    updateConnectionInterval: 40s
  - selector: {} # Default group
    endConnectionTimeout: 10s
    updateConnectionInterval: 30s

Implementation: Instead of using a single Multi-Order Map in the connection store for all the connections, the connection store will have a Multi-Order Map for each scheduling group. In addition, the store has a new hashId2groupIdx map that given a connection hash ID, finds the Multi-Order Map of the connection.

Other changes:

  • Add a scheduling group label to the conntrack_memory_connections operational metric. This allows monitoring the number of active connections per scheduling group.

@codecov-commenter
Copy link

codecov-commenter commented Dec 26, 2022
edited
Loading

Codecov Report

Merging #357 (6a0f65b) into main (b6979fe) will decrease coverage by 1.00%.
The diff coverage is 55.37%.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##             main     #357      +/-   ##
==========================================
- Coverage   61.91%   60.91%   -1.00%     
==========================================
  Files          91       91              
  Lines        5873     6177     +304     
==========================================
+ Hits         3636     3763     +127     
- Misses       2016     2192     +176     
- Partials      221      222       +1
Flag Coverage Δ
unittests 60.91% <55.37%> (-1.00%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/pipeline/utils/convert.go 7.65% <5.29%> (-10.54%) ⬇️
pkg/pipeline/extract/conntrack/conn.go 75.70% <59.18%> (-14.47%) ⬇️
pkg/pipeline/extract/conntrack/store.go 84.17% <97.22%> (+22.17%) ⬆️
pkg/api/conntrack.go 89.68% <100.00%> (+2.68%) ⬆️
pkg/operational/metrics.go 68.00% <100.00%> (-5.05%) ⬇️
pkg/pipeline/extract/conntrack/conntrack.go 92.20% <100.00%> (-0.74%) ⬇️
pkg/pipeline/extract/conntrack/metrics.go 100.00% <100.00%> (ø)
pkg/pipeline/extract/timebased/heap.go 97.82% <0.00%> (-2.18%) ⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@ronensc ronensc force-pushed the conntrack-timeouts branch from a462f5d to 8c37ec2 Compare January 16, 2023 10:17
@ronensc ronensc added the breaking-change This pull request has breaking changes. They should be described in PR description. label Jan 16, 2023
@ronensc ronensc marked this pull request as ready for review January 16, 2023 10:56
@ronensc ronensc requested review from jotak, KalmanMeth and eranra and removed request for jotak and KalmanMeth January 16, 2023 10:56
@ronensc ronensc added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 16, 2023
@github-actions
Copy link

New image: ["quay.io/netobserv/flowlogs-pipeline:56612e6"]. It will expire after two weeks.

@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 19, 2023
@ronensc ronensc added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 19, 2023
@github-actions
Copy link

New image: ["quay.io/netobserv/flowlogs-pipeline:fb0e3bb"]. It will expire after two weeks.

KalmanMeth
KalmanMeth reviewed Jan 19, 2023
View reviewed changes
pkg/api/conntrack.go Outdated
@@ -83,6 +82,12 @@ type ConnTrackOperationEnum struct {
Max string `yaml:"max" doc:"max"`
}

type ConnTrackSchedulingGroup struct {
Selector map[string]string `yaml:"selector,omitempty" doc:"key-value map to match against connection fields to apply this scheduling"`
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Selector matches only string: string. Is this the intended usage? So we cannot, for instance, select on integer values?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can select integer values. The integer values are converted to string before the comparison.

At first, I used map[string]interface{}. But then I noticed that setting the selector to Proto: 6 is parsed as int. The problem is that the grpc ingester parses Proto as uint32. Comparing int and uint32 is evaluated to false regardless of the values. That's why I convert and compare strings.

@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 23, 2023
jotak
jotak reviewed Jan 25, 2023
View reviewed changes
pkg/pipeline/extract/conntrack/conntrack.go
return outputRecords
}

// TBD: think of how to avoid confusion with the word "update". It is used with periodic connections updates and for update a connection with incoming flow logs.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a suggestion, you could use the terminology of "heartbeats" to refer to the periodic updates on long connections?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this idea! thanks @jotak :)

@ronensc ronensc mentioned this pull request Jan 30, 2023
Closed
@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jan 30, 2023
@github-actions
Copy link

New image: . It will expire after two weeks.

jotak
jotak approved these changes Jan 30, 2023
View reviewed changes
Copy link
Member

@jotak jotak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, nice PR!

@ronensc
Copy link
Collaborator Author

ronensc commented Feb 1, 2023
edited
Loading

I tired to improve isMatchSelector(). Instead of converting both values to string and compare strings,
I added a check for the type of the value and convert the selector to that type. So at the end we have only one conversion and the comparison is in the original type.
Currently, I implemented checks only for uint32, uint64, int64, int and bool since these types are in use by the protobuf decoder. Other types fallback to the string conversion-comparison.
I added a benchmark test to compare the performance of both approaches.
It seems that the new approach is faster. But, I'm not pleased with the code. It feels too verbose to me.
@jotak @KalmanMeth wdyt?, do you have ideas for improving?

goos: linux
goarch: amd64
pkg: github.com/netobserv/flowlogs-pipeline/pkg/pipeline/extract/conntrack
cpu: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
BenchmarkIsMatchSelectorStrings
BenchmarkIsMatchSelectorStrings/Proto_1
BenchmarkIsMatchSelectorStrings/Proto_1-4         	10409644	       105.8 ns/op
BenchmarkIsMatchSelectorStrings/Proto_2
BenchmarkIsMatchSelectorStrings/Proto_2-4         	12772057	        84.20 ns/op
BenchmarkIsMatchSelectorStrings/Multiple_fields_1
BenchmarkIsMatchSelectorStrings/Multiple_fields_1-4         	 3224965	       393.5 ns/op
BenchmarkIsMatchSelectorStrings/Multiple_fields_2
BenchmarkIsMatchSelectorStrings/Multiple_fields_2-4         	 4209242	       280.4 ns/op
BenchmarkIsMatchSelectorStrings/string_match
BenchmarkIsMatchSelectorStrings/string_match-4              	 9767826	       115.9 ns/op
BenchmarkIsMatchSelectorStrings/string_mismatch
BenchmarkIsMatchSelectorStrings/string_mismatch-4           	12365690	        97.28 ns/op
BenchmarkIsMatchSelectorStrings/custom_match
BenchmarkIsMatchSelectorStrings/custom_match-4              	 2459720	       471.9 ns/op
BenchmarkIsMatchSelectorStrings/custom_mismatch
BenchmarkIsMatchSelectorStrings/custom_mismatch-4           	 2666076	       447.7 ns/op


BenchmarkIsMatchSelectorGeneric
BenchmarkIsMatchSelectorGeneric/Proto_1
BenchmarkIsMatchSelectorGeneric/Proto_1-4                   	26646829	        46.48 ns/op
BenchmarkIsMatchSelectorGeneric/Proto_2
BenchmarkIsMatchSelectorGeneric/Proto_2-4                   	34333780	        34.89 ns/op
BenchmarkIsMatchSelectorGeneric/Multiple_fields_1
BenchmarkIsMatchSelectorGeneric/Multiple_fields_1-4         	 4840779	       243.1 ns/op
BenchmarkIsMatchSelectorGeneric/Multiple_fields_2
BenchmarkIsMatchSelectorGeneric/Multiple_fields_2-4         	 5974236	       211.2 ns/op
BenchmarkIsMatchSelectorGeneric/string_match
BenchmarkIsMatchSelectorGeneric/string_match-4              	10744186	       119.4 ns/op
BenchmarkIsMatchSelectorGeneric/string_mismatch
BenchmarkIsMatchSelectorGeneric/string_mismatch-4           	11647137	        99.56 ns/op
BenchmarkIsMatchSelectorGeneric/custom_match
BenchmarkIsMatchSelectorGeneric/custom_match-4              	 1920768	       618.1 ns/op
BenchmarkIsMatchSelectorGeneric/custom_mismatch
BenchmarkIsMatchSelectorGeneric/custom_mismatch-4           	 2170971	       533.2 ns/op
PASS

@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Feb 1, 2023
@ronensc ronensc mentioned this pull request Feb 2, 2023
Merged
@jotak
Copy link
Member

jotak commented Feb 7, 2023

(and sorry for the delay!)
/lgtm

ronensc added 25 commits February 8, 2023 15:01
@ronensc
Remove old timeout and interval from config
53e7e9c
@ronensc
Remove TBD comments
7fb022d
@ronensc
Update comments
a076496
@ronensc
groupId->groupIdx
4c8ef44
@ronensc
Add comment
52779f6
@ronensc
Update comment
e8c3421
@ronensc
Rename ConnTrackSchedulingSelector -> ConnTrackSchedulingGroup
01b96b6
@ronensc
Fix tests
2ca544d
@ronensc
Fix bug in tests
53fa859
@ronensc
Add test for scheduling groups
8fa88fc
@ronensc
Update README.md
79f45c3
@ronensc
Make linter happy
cf77a75
@ronensc
Split metric conntrack_memory_connections into scheduling groups
d661733
@ronensc
Change maps to slices for efficiency
52a51b7
@ronensc
Join multiple slices into a single slice
a4f5cc1
@ronensc
Fix metric conntrack_memory_connections to show the correct length of…
0b7691f 
… each group
@ronensc
Remove entries from hashId2groupIdx map on connection removal
a8a63f9
@ronensc
Update configurations
152b9b6
@ronensc
Convert selector values to string
e6a50cd 
Some of the grpc ingester fields are of type uint32.
The yaml/json parser parses numeric values as int32.
So, comparing uint32 to int32 where both static types are
interface{} will always evaluate to false regardless of the actual values.
Hence, we convert and compare strings.
@ronensc
Add test case for 2 default selectors
ad30223
@ronensc
Add special cases conversion and benchmark
551dcd0
@ronensc
Make linter gofmt happy
9618027
@ronensc
Fix default and string cases and add test cases
75c0aae
@ronensc
Cleanup
59aa2db
@ronensc
Fix rebase
6a0f65b
@ronensc ronensc force-pushed the conntrack-timeouts branch from 827678c to 6a0f65b Compare February 8, 2023 13:27
@ronensc ronensc merged commit eaac68e into netobserv:main Feb 8, 2023
@ronensc ronensc deleted the conntrack-timeouts branch February 8, 2023 14:09
@ronensc ronensc mentioned this pull request Feb 9, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jotak jotak jotak approved these changes

@KalmanMeth KalmanMeth KalmanMeth approved these changes

@eranra eranra Awaiting requested review from eranra

Assignees

@jotak jotak

@KalmanMeth KalmanMeth

Labels
breaking-change This pull request has breaking changes. They should be described in PR description.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ronensc @codecov-commenter @jotak @KalmanMeth @openshift-merge-robot