WiP: Do not generate events in eBPF if they are going to be dropped in the filter anyway #27885
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
github-actions
bot
added
the
kind/community-contribution
marqc
force-pushed
the
optimize-event-generation-for-hubble-monitor-events
branch
from
201b986
to
91e9ee1
Compare
There was a problem hiding this comment.
Thanks for the PR!
Overall, this is a nice improvement and I think filtering in BPF is the right way to do it. However, with this change, a hubble flag (which in the past mainly only affected Hubble itself), will now affect the output of cilium monitor.
This could be surprising to users. We should at least clearly document this more clearly in the description of hubble-monitor-events.
gandro
added
kind/performance
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
Yeah. I'm not sure about the API so I'm eager to hear your suggestions. Generally I don't really like the idea of the |
Yeah, I'm not really sure how to best approach this either. The nice thing is that users can manually enable the disabled events in Therefore I personally am fine with Only half-related side-note:We have discussed in the past if it maybe even makes sense to disable trace notifications by default, and mainly rely on policy verdict events (we could also issue them if there is no policy to get observability for the default-allow behavior too). Basically have |
marqc
force-pushed
the
optimize-event-generation-for-hubble-monitor-events
branch
from
91e9ee1
to
e35b5c4
Compare
|
Thanks @gandro for your reply. I changed the docs for now. |
gandro
added
the
dont-merge/discussion
|
With this change, are the other changes in #24828 even needed anymore? Could we get rid of the |
I think this PR will be helpful for us but I would prefer if this event filtering was totally separate from the hubble filtering. For example: we tap into the monitor socket through a different daemonset where we don't care about the CPU/Memory usage. (the reasoning behind #24828 was to help tame the CPU used by the hubble subsystem so the CNI responsibilities remain snappy) Also |
|
This is amazing 😲. It's a great way to give users the ability to tune things as they need. IMO, I think we should follow through with what @gandro was mentioning about changing the flag name and making it opt-in. The opt-in is especially important because a common theme I've heard is how folks will enable hubble and be surprised by the increased resource usage. If users need more events from hubble, then I think it makes sense to have users go through the process of opting-in, as it gives them the opportunity to read in the docs the performance trade-offs, rather than having to discover the trade-off at run time. If users don't need more events from hubble, then they'd get the benefits of lower resource usage and we could potentially save them time figuring out how to tune hubble for their needs. @marqc, if you have time, do you mind adding a note in |
|
The MonitorFilter configured with hubble-monitor-events covers some more event types than only drop, trace and policy-verdict so I don't find this change as justification to remove this monitor entirely. I'm rather thinking of changing the API and introducing new flags to enable/disable BPF events. Current stateTo summarize we have the following event types and steering flags:
Possible options1. Separate flag for each typeAdd a steering boolean flag for each of the event types that are currently always on: Pros:
Cons:
2. Replace all existing flags with a new list type flag to cover all event types
Pros:
Cons:
@gandro @chancez @learnitall Please let me know what you think |
|
Great writeup, thanks! I personally have a slight preference for option two, but I'm fine with either solutions. A note on Option 1: Yes, separate flags are cumbersome to use in the configmap, but that could be "simplified" via a A note on Option 2: Since |
daemon/cmd/daemon_main.go
Outdated
| @@ -1314,11 +1315,16 @@ func initEnv(vp *viper.Viper) { | |||
| bpf.CheckOrMountFS(option.Config.BPFRoot) | |||
| cgroups.CheckOrMountCgrpFS(option.Config.CGroupRoot) | |||
|
|
|||
| monitorEvents := option.Config.HubbleMonitorEvents | |||
| var enableEventGeneration = func(eventType string) bool { | |||
There was a problem hiding this comment.
Should we default to true if hubble is disabled?
There was a problem hiding this comment.
@marqc please resolve this discussion if you have adressed it in your current PR. The discussion is blocking the merge.
There was a problem hiding this comment.
I'm working on changes agreed on in the general discussion.
|
+1 for option two, that sounds great! |
|
/test |
marqc
changed the title
marqc
force-pushed
the
optimize-event-generation-for-hubble-monitor-events
branch
from
e35b5c4
to
2f821ad
Compare
marqc
force-pushed
the
optimize-event-generation-for-hubble-monitor-events
branch
from
2f821ad
to
710b39f
Compare
Add monitor-events option allowing to select which event types are to be generated. Signed-off-by: Marek Chodor <mchodor@google.com>
marqc
force-pushed
the
optimize-event-generation-for-hubble-monitor-events
branch
from
710b39f
to
68e0cb9
Compare
|
Just chiming in: this is great work and I also favor option 2. |
|
I also like option 2 overall. |
|
This pull request has been automatically marked as stale because it |
github-actions
bot
added
the
stale
|
This pull request has not seen any activity since it was marked stale. |
Do not generate events in eBPF if they are going to be dropped in the filter anyway when the hubble-monitor-events flag is in use
Please ensure your pull request adheres to the following guidelines:
description and a
Fixes: #XXXline if the commit addresses a particularGitHub issue.
Fixes: <commit-id>tag, thenplease add the commit author[s] as reviewer[s] to this issue.
Do not generate events in bpf programs when they are going to be dropped by the hubble-monitor-events filter in the cilium agent.
The original idea was to skip some types of flows when the system cannot keep up with processing all monitored events #24828. In a typical setup it happens when there is a very high rate of trace events and we are not interested in them at all (and we are only interested in eg. drop or policy verdict events).
Actually we can provide a better solution, by disabling event generation in bpf programs altogether.
I did a simple test case where a heavy number of flows were generated and:
a) no filter was provided
b) current filter implementation was set to only "drop" events
c) this implementation with the same setting of only "drop" events
The results are as follows:
With the current approach still the filtered event types may be lost in perf-event-ring-buffer and actually under a heavy traffic they do. Disabling event generation reduces resources usage and leaves enough capacity to process all events of the required event type.
cc: @epk