endpoint: Enhance policy map sync #14370
Conversation
jrajahalme
added
kind/bug
jrajahalme
force-pushed
the
pr/jrajahalme/enhance-policy-map-sync
branch
from
663d5f0
to
9a140fa
Compare
|
test-me-please |
jrajahalme
force-pushed
the
pr/jrajahalme/enhance-policy-map-sync
branch
from
9a140fa
to
9992ca5
Compare
|
test-me-please |
|
Known flake (#12511) on netnext, no other failures. |
|
Could you please fix the commit log as well? |
pkg/endpoint/bpf.go
Outdated
| // syncDesiredPolicyMapWith updates the bpf policy map state based on the | ||
| // difference between the realized and desired policy state without | ||
| // dumping the bpf policy map. | ||
| func (e *Endpoint) syncDesiredPolicyMapWith(realized policy.MapState, diffs []policy.MapChange) error { |
There was a problem hiding this comment.
Instead of passing diffs as a parameter, why don't we return the slice? I know that you will say because the usage of the returned diffs is optional, but this can be achieved with a boolean:
func (e *Endpoint) syncDesiredPolicyMapWith(realized policy.MapState, withDiff bool) (count int, diffs []policy.MapChange, err error) {
Which allows us to do [0]
There was a problem hiding this comment.
You're right, updates to a slice header passed as a parameter would not even be visible to the caller, fixed this.
pkg/endpoint/bpf.go
Outdated
| diffs := []policy.MapChange{} // non-nil empty slice | ||
| err = e.syncDesiredPolicyMapWith(currentMap, diffs) | ||
|
|
||
| err = e.addPolicyMapDelta() | ||
|
|
||
| if errors > 0 { | ||
| return fmt.Errorf("synchronizing desired PolicyMap state failed") | ||
| if len(diffs) > 0 { | ||
| e.getLogger().WithField(logfields.Count, len(diffs)).Warning("Policy map sync fixed errors, consider running with debug verbose = policy to get detailed dumps") | ||
| e.policyDebug(logrus.Fields{"dumpedDiffs": diffs}, "syncPolicyMapWithDump") |
There was a problem hiding this comment.
[0]
basically we are consuming memory, by storing the diff in the slice, just for debug messages. Following my suggestion above we could call this as follows:
isDebug := option.Config.Debug
count, diffs, err = e.syncDesiredPolicyMapWith(currentMap, isDebug)
if len(count) > 0 {
...
which makes sure the memory usage does not grows in production environments.
| if e.policyMap == nil { | ||
| return fmt.Errorf("not syncing PolicyMap state for endpoint because PolicyMap is nil") | ||
| } | ||
|
|
||
| currentMapContents, err := e.policyMap.DumpKeysToSlice() |
There was a problem hiding this comment.
With this PR the DumpKeysToSlice function is no longer used anywhere.
| return err | ||
| } | ||
|
|
||
| currentMap, err := e.dumpPolicyMapToMapState() |
There was a problem hiding this comment.
There's a small difference that you might have noticed which is previously we were only dumping the keys, not keys + values. Do we have some benchmarks, specially for the mem-allocs, for these changes vs the previous changes?
There was a problem hiding this comment.
Using the values for comparison is required for correct operation, and as this dump is only done on a periodically run controller I would not be so concerned about the memory allocations that are done to store the values in the map. While we could code the deletes directly to the dump loop itself to avoid storing the dump results in a map, we do need to store the dump keys and values in a map to be able to compare with the desired mapstate. This comparison between the dumped values and desired values was missing before this change.
jrajahalme
force-pushed
the
pr/jrajahalme/enhance-policy-map-sync
branch
from
9992ca5
to
6e29821
Compare
jrajahalme
force-pushed
the
pr/jrajahalme/enhance-policy-map-sync
branch
from
6e29821
to
0ba54f8
Compare
|
retest-runtime |
|
known net-next flake #12511 |
|
retest-net-next |
|
retest-runtime |
|
retest-net-next |
jrajahalme
force-pushed
the
pr/jrajahalme/enhance-policy-map-sync
branch
from
0ba54f8
to
8f00268
Compare
|
Removed duplicate unit test. |
|
test-me-please |
|
Test failures seem legit, will investigate. |
jrajahalme
force-pushed
the
pr/jrajahalme/enhance-policy-map-sync
branch
from
8f00268
to
365de70
Compare
|
test-me-please |
|
retest-gke |
|
Net-next hit by a rare (?) flake: #13833 |
|
retest-net-next |
|
retest-gke |
|
retest-net-next |
|
netnext known flake #13275 |
|
retest-net-next |
Shift the realized map update to the caller of addPolicyKey() and deletePolicyKey() so that the update can be made to the correct map in syncDesiredPolicyMapWith(). Rename addPolicyKey() and deletePolicyKey() as addBPFPolicyKey() and deleteBPFPolicyKey(), respectively, to make the role of there functions clearer. Fixes: cilium#14370 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
When syncing policy map with dump, compare the desired policy map to
the dumped map for both deletes and adds. Record and log any
differences found.
Fixes: #14358
Fixes: #14357
Signed-off-by: Jarno Rajahalme jarno@covalent.io