endpoint: Enhance policy map sync #14370
663d5f0 to 9a140fa
test-me-please
9a140fa to 9992ca5
test-me-please
Known flake (#12511) on netnext, no other failures.
Code looks good, but I don't see how it addresses #14353, as claimed by PR description and commit log. Did I miss something, or did you mean another PR number?
Could you please fix the commit log as well?
pkg/endpoint/bpf.go
Outdated
// syncDesiredPolicyMapWith updates the bpf policy map state based on the | ||
// difference between the realized and desired policy state without | ||
// dumping the bpf policy map. | ||
func (e *Endpoint) syncDesiredPolicyMapWith(realized policy.MapState, diffs []policy.MapChange) error { |
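Review bot: the doc comment above `syncDesiredPolicyMapWith` does not say what the `diffs` parameter is for or who owns it. It describes syncing from "the difference between the realized and desired policy state" but leaves out whether `diffs` is an input or a place where the function records the changes it made. State that in the comment, or make the recorded changes a return value so the signature documents it.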
Instead of passing `diffs` as a parameter, why don't we return the slice? I know that you will say because the usage of the returned `diffs` is optional, but this can be achieved with a boolean:
```go
func (e *Endpoint) syncDesiredPolicyMapWith(realized policy.MapState, withDiff bool) (count int, diffs []policy.MapChange, err error) {
```
Which allows us to do [0]
You're right, updates to a slice header passed as a parameter would not even be visible to the caller, fixed this.
pkg/endpoint/bpf.go
Outdated
diffs := []policy.MapChange{} // non-nil empty slice | ||
err = e.syncDesiredPolicyMapWith(currentMap, diffs) | ||
|
||
err = e.addPolicyMapDelta() | ||
|
||
if errors > 0 { | ||
return fmt.Errorf("synchronizing desired PolicyMap state failed") | ||
if len(diffs) > 0 { | ||
e.getLogger().WithField(logfields.Count, len(diffs)).Warning("Policy map sync fixed errors, consider running with debug verbose = policy to get detailed dumps") | ||
e.policyDebug(logrus.Fields{"dumpedDiffs": diffs}, "syncPolicyMapWithDump") |
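Review bot: the `len(diffs) > 0` check can never be true as written, so the Warning and the `policyDebug` dump never fire. `diffs` is created as an empty `[]policy.MapChange{}` and passed by value to `e.syncDesiredPolicyMapWith(currentMap, diffs)`; anything the callee appends goes into its own copy of the slice header, and the caller's length stays 0. Return the recorded changes (or a count) from the sync function and test that instead.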
[0]
basically we are consuming memory, by storing the diff in the slice, just for debug messages. Following my suggestion above we could call this as follows:
```go
isDebug := option.Config.Debug
count, diffs, err = e.syncDesiredPolicyMapWith(currentMap, isDebug)
if count > 0 { // count is an int, so compare it directly
...
```
which makes sure the memory usage does not grow in production environments.
Done.
if e.policyMap == nil { | ||
return fmt.Errorf("not syncing PolicyMap state for endpoint because PolicyMap is nil") | ||
} | ||
|
||
currentMapContents, err := e.policyMap.DumpKeysToSlice() |
With this PR the `DumpKeysToSlice` function is no longer used anywhere.
Will remove.
return err | ||
} | ||
|
||
currentMap, err := e.dumpPolicyMapToMapState() |
There's a small difference that you might have noticed, which is that previously we were only dumping the keys, not keys + values. Do we have some benchmarks, especially for the mem-allocs, for these changes vs the previous changes?
Using the values for comparison is required for correct operation, and as this dump is only done on a periodically run controller I would not be so concerned about the memory allocations that are done to store the values in the map. While we could code the deletes directly to the dump loop itself to avoid storing the dump results in a map, we do need to store the dump keys and values in a map to be able to compare with the desired mapstate. This comparison between the dumped values and desired values was missing before this change.
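The comparison described in this reply, as an added Go example that is not Cilium's code: the dumped map is reconciled against the desired state for both deletes and adds, values included, and corrections are stored only when `withDiff` is set. `Key`, `Entry`, `MapState`, `Change` and `syncWithDump` are simplified, hypothetical stand-ins, and the in-memory map writes stand in for BPF map operations.

```go
package main

import "fmt"

// Key, Entry and MapState are simplified stand-ins (assumptions), not Cilium's types.
type Key struct {
	Identity uint32
	Port     uint16
}
type Entry struct{ ProxyPort uint16 }
type MapState map[Key]Entry

// Change records one correction: Add is true for a write, false for a delete.
type Change struct {
	Add   bool
	Key   Key
	Value Entry
}

// syncWithDump makes dumped (what the datapath map held) equal to desired.
// Values are compared too, so a key present with a stale value is rewritten.
func syncWithDump(dumped, desired MapState, withDiff bool) (count int, diffs []Change) {
	record := func(c Change) {
		count++ // always counted, stored only on request
		if withDiff {
			diffs = append(diffs, c)
		}
	}
	for k, v := range dumped { // deletes: in the dump but not desired
		if _, ok := desired[k]; !ok {
			delete(dumped, k) // stands in for the BPF map delete
			record(Change{Add: false, Key: k, Value: v})
		}
	}
	for k, want := range desired { // adds: missing key or wrong value
		if got, ok := dumped[k]; !ok || got != want {
			dumped[k] = want // stands in for the BPF map update
			record(Change{Add: true, Key: k, Value: want})
		}
	}
	return count, diffs
}

func main() {
	desired := MapState{{1, 80}: {0}, {2, 443}: {15001}}
	dumped := MapState{{2, 443}: {0}, {3, 22}: {0}} // constructed drift
	n, d := syncWithDump(dumped, desired, true)
	fmt.Println(n, len(d), dumped)
}
```

A keys-only dump would miss the `{2, 443}` entry here: the key is present, but its value differs from the desired one.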
9992ca5 to 6e29821
6e29821 to 0ba54f8
retest-runtime
known net-next flake #12511
retest-net-next
retest-runtime
retest-net-next
0ba54f8 to 8f00268
Removed duplicate unit test.
test-me-please
Test failures seem legit, will investigate.
8f00268 to 365de70
test-me-please
retest-gke
Net-next hit by a rare (?) flake: #13833
retest-net-next
retest-gke
retest-net-next
netnext known flake #13275
retest-net-next
Shift the realized map update to the caller of addPolicyKey() and
deletePolicyKey() so that the update can be made to the correct map in
syncDesiredPolicyMapWith(). Rename addPolicyKey() and deletePolicyKey()
as addBPFPolicyKey() and deleteBPFPolicyKey(), respectively, to make the
role of these functions clearer.
Fixes: cilium#14370
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
When syncing policy map with dump, compare the desired policy map to
the dumped map for both deletes and adds. Record and log any
differences found.
Fixes: #14358
Fixes: #14357
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>