Improve NetworkPolicy batch installation

[tnqn]

BatchInstallPolicyRuleFlows first generates all flows then installs them
via single bundle. However, it generates the flows incrementally. If an
address is shared by multiple rules, intermediate flows will be
generated, for instance:

expected flow:

add "nw_dst=10.128.119.108 actions=conjunction(64,2/2),conjunction(65,2/2),conjunction(66,2/2)"

actual flows:

add "nw_dst=10.128.119.108 actions=conjunction(64,2/2)"
mod "nw_dst=10.128.119.108 actions=conjunction(64,2/2),conjunction(65,2/2)"
mod "nw_dst=10.128.119.108 actions=conjunction(64,2/2),conjunction(65,2/2),conjunction(66,2/2)"

The number of flows for this address will be same as the number of the
actions. The number of actual actions in these flows will be O(N^2),
N=number of desired actions. This increases CPU and memory usage
greatly in a high scale cluster.

This patches optimizes it by generating flows based on final state,
reducing the time and space complexity from O(N^2) to O(N). In same
cluster, it's observed that the memory usage was reduced from 1.1G to
500M, the execution time was reduced from 10s to 2s.

benchmark comparison:

name                            old time/op    new time/op    delta
BatchInstallPolicyRuleFlows-48     458ms ± 4%     169ms ± 1%  -63.22%  (p=0.008 n=5+5)

name                            old alloc/op   new alloc/op   delta
BatchInstallPolicyRuleFlows-48     205MB ± 0%      56MB ± 0%  -72.47%  (p=0.008 n=5+5)

name                            old allocs/op  new allocs/op  delta
BatchInstallPolicyRuleFlows-48     4.29M ± 0%     0.92M ± 0%  -78.60%  (p=0.008 n=5+5)

Signed-off-by: Quan Tian qtian@vmware.com

For #2457

[codecov-commenter]

Codecov Report

Merging #2479 (55d74a8) into main (7ad23ef) will decrease coverage by 1.99%.
The diff coverage is 71.23%.

@@            Coverage Diff             @@
##             main    #2479      +/-   ##
==========================================
- Coverage   59.83%   57.83%   -2.00%     
==========================================
  Files         284      284              
  Lines       22175    22227      +52     
==========================================
- Hits        13269    12856     -413     
- Misses       7487     7970     +483     
+ Partials     1419     1401      -18     

Flag	Coverage Δ
e2e-tests	∅ <ø> (?)
kind-e2e-tests	43.73% <19.17%> (-3.26%)	⬇️
unit-tests	42.21% <71.23%> (+0.16%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/ovs/openflow/ofctrl_flow.go	40.00% <0.00%> (-5.62%)	⬇️
pkg/util/ip/ip.go	75.71% <0.00%> (-4.59%)	⬇️
pkg/agent/openflow/pipeline.go	58.38% <66.66%> (-14.59%)	⬇️
pkg/agent/openflow/network_policy.go	75.92% <88.46%> (+0.21%)	⬆️
pkg/agent/proxy/metrics/metrics.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/agent/proxy/types/groupcounter.go	0.00% <0.00%> (-87.50%)	⬇️
pkg/agent/proxy/types/types.go	0.00% <0.00%> (-46.67%)	⬇️
pkg/ovs/openflow/ofctrl_group.go	0.00% <0.00%> (-45.95%)	⬇️
pkg/agent/openflow/pipeline_other.go	40.00% <0.00%> (-20.00%)	⬇️
pkg/agent/proxy/proxier.go	45.68% <0.00%> (-18.22%)	⬇️
... and 22 more

[tnqn]

/test-all

[antoninbas]

LGTM, but I am not an expert with respect to that part of the code.

I do wonder if all the differences in the code between initial batch installation and regular ongoing rule processing are completely necessary. In both cases, it seems that we should be computing a diff, and applying the required operations as one bundle. The difference is that the bundle for initial installation should only include Adds (and would be much larger). I may be missing something obvious though, and anyway it is beyond the scope of this PR.

[antoninbas]

what's 192.168.1.45? Did you mean 192.168.1.51 maybe?

I don't think "commit" is the right verb here, but I'm no specialist. I would suggest "tie" instead.

[tnqn]

fixed, thanks

[antoninbas]

do you think it would be possible to generate these expectations in a more human-readable way? Right now there is a lot of noise because of the cookie stuff, etc.

in other words would it be possible to have something like this:

type ExpectedFlowsBuilder struct {...}

fb := &ExpectedFlowsBuilder{}
  .AddConjunction(10).AddConjunction(11)
  .AddConjunctiveMatch(<match info>, ConjunctionAction(10, 1, 2), ConjunctionAction(11, 1, 3))
  .AddConjunctiveMatch(<match info>, ConjunctionAction(11, 1, 3))
...
fb.Flows() // return the list of Flows

It would take care of generating metric flows and all the "noise".

[tnqn]

The conjunction rule may have different in priority and table as well. If too customized for NetworkPolicy flow, it seems we will need such builders when we add verficiation for other flows, like service, pod. But if it's generic, it would be quite similar to the current FlowBuilder, and maybe we should just make FlowBuilder more simpler to use, removing some redundant part.
Maybe I missed your point, I can follow up after the fix is merged, and feel free to update the code directly if you have some mature idea.

[antoninbas]

Maybe I missed your point, I can follow up after the fix is merged, and feel free to update the code directly if you have some mature idea.

No, it seems that we are on the same page. I feared it may not be as simple as I hoped :) Definitely doesn't need to be part of this PR. It may be indeed be an opportunity to simplify the FlowBuilder, although I feel like some customization for testing would always be needed. Ideally the expectations I define would not need to define the metrics flow separately for example.

[Dyanngg]

LGTM overall. I assume this would supercede #2465?

I do wonder if all the differences in the code between initial batch installation and regular
ongoing rule processing are completely necessary. In both cases, it seems that we should be computing a diff, and applying the required operations as one bundle.

My understanding is that in case of batch rule install, we don't actually care about the intermediate conjunctive context changes caused by a single rule -- we only care about the final OVS flows, and in case of bundle failure, we simply revert the entire cache. This PR takes advantage of this fact and skips calculating those intermediate flow states, so the logic here is a bit different than async rule install.

[tnqn]

LGTM overall. I assume this would supercede #2465?

@Dyanngg Yes

I do wonder if all the differences in the code between initial batch installation and regular
ongoing rule processing are completely necessary. In both cases, it seems that we should be computing a diff, and applying the required operations as one bundle.

My understanding is that in case of batch rule install, we don't actually care about the intermediate conjunctive context changes caused by a single rule -- we only care about the final OVS flows, and in case of bundle failure, we simply revert the entire cache. This PR takes advantage of this fact and skips calculating those intermediate flow states, so the logic here is a bit different than async rule install.

@antoninbas Yes, the main motivation of batch install was to avoid priority reassigning but it can avoid intermediate flows for conjunctive match flow update as well. If rules are installed asynchrously:

1. Installing rule B may update priority of rule A's flows, and installing rule C may affect rule A and B.
2. Installing rule B may update the shared conjunctive match flow if it has same from/to address as A, and installing rule C may update it again.

This is what I got from ovs-vswitchd log:
With v1.2.0, flows were calculated incrementally, 100136 modification are for conjunction match flow update. It used 1.1G memory during the peak as all flows were kept in memory before they were installed together.

2021-07-27T07:09:05.226Z|00197|connmgr|INFO|br-int<->unix#0: 159657 flow_mods in the 9 s starting 10 s ago (59520 adds, 1 deletes, 100136 modifications)

Based on v1.2.0, if we simply remove batch install, the number of modification flows is same as above but took more time to install. If the rules have different priorties, there would be more modification flows caused by priority-reassigning. It didn't have memory peak as flows in memory were generated and released but it took longer time and the overhead of calculating and realizing the incremental flows were same as above.

2021-07-27T07:10:59.359Z|00139|connmgr|INFO|br-int<->unix#0: 133058 flow_mods in the 9 s starting 10 s ago (59230 adds, 1 deletes, 73827 modifications)
2021-07-27T07:11:59.359Z|00140|connmgr|INFO|br-int<->unix#0: 51223 flow_mods in the 59 s starting 60 s ago (24913 adds, 1 deletes, 26309 modifications)

With this patch, there is no modification flow and all NetworkPolicy flows were installed via single bundle. It's faster and used less CPU and memory.

2021-07-27T11:23:07.830Z|00139|connmgr|INFO|br-int<->unix#0: 61759 flow_mods in the last 10 s (61758 adds, 1 deletes)

[tnqn]

/test-all

[wenyingd]

LGTM, only one minor comment.

[wenyingd]

Is it safe to clear up all existing entries in globalConjMatchFlowCache. I mean if BatchInstallPolicyRuleFlows is only called in restart case once, it should be OK. But if some other cases also call it, it might introduce new bugs. Better to explain this function is called only after restart case and only one time in the comments.

[tnqn]

Yes, we only use the method when agent starts. Will add comment about it.
Actually we already have a bug because we don't clean the cache, see the fix here: #2465.

[tnqn]

added comment

[tnqn]

/test-all

[antoninbas]

I understand the rationale for this change, or for treating the restart differently from regular rule updates, which is not new to this PR. But ultimately it seems to me that we are just reconciling between a current state and a desired state. In the restart case the current state is EMPTY, and we can compute the desired state from all the received rules, and do the actual reconciliation in one go using only ADD operations. In the case of ongoing rule updates, the diff between current & desired state is typically small, and requires a combination of ADD / UPDATE / DELETE operations. But ultimately, we do reconciliation between 2 states using an OpenFlow bundle. So my question was more future-looking, and I was wondering about whether we could represent the state in such a fashion that the logic is mostly the same in both cases, without sacrificing performance. That may not be possible though...

[antoninbas]

LGTM
I'll let you decide if this needs backporting beyond v1.2

[tnqn]

I understand the rationale for this change, or for treating the restart differently from regular rule updates, which is not new to this PR. But ultimately it seems to me that we are just reconciling between a current state and a desired state. In the restart case the current state is EMPTY, and we can compute the desired state from all the received rules, and do the actual reconciliation in one go using only ADD operations. In the case of ongoing rule updates, the diff between current & desired state is typically small, and requires a combination of ADD / UPDATE / DELETE operations. But ultimately, we do reconciliation between 2 states using an OpenFlow bundle. So my question was more future-looking, and I was wondering about whether we could represent the state in such a fashion that the logic is mostly the same in both cases, without sacrificing performance. That may not be possible though...

Good suggestion. I actually thought a little about this when I was working on this change and tried to unify the single rule installation and multiple rules installation but stopped when the change was much bigger than needed for this bug itself. I will continue thinking about your suggestion and try to simplify/unify the approach as follow-up.