Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fqdn: Fix notifyOnDNSMsg benchmark #32454

Merged
merged 2 commits into from
May 21, 2024
Merged

fqdn: Fix notifyOnDNSMsg benchmark #32454

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
66ab1d0
fqdn: Add default values for DNSProxyLock{Count,Timeout}
pippolo84 May 14, 2024
2aa79d5
fqdn: Fix notifyOnDNSMsg benchmark
pippolo84 May 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions daemon/cmd/daemon_main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -835,11 +835,11 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
flags.Duration(option.DNSProxyConcurrencyProcessingGracePeriod, 0, "Grace time to wait when DNS proxy concurrent limit has been reached during DNS message processing")
option.BindEnv(vp, option.DNSProxyConcurrencyProcessingGracePeriod)

flags.Int(option.DNSProxyLockCount, 131, "Array size containing mutexes which protect against parallel handling of DNS response names. Preferably use prime numbers")
flags.Int(option.DNSProxyLockCount, defaults.DNSProxyLockCount, "Array size containing mutexes which protect against parallel handling of DNS response names. Preferably use prime numbers")
flags.MarkHidden(option.DNSProxyLockCount)
option.BindEnv(vp, option.DNSProxyLockCount)

flags.Duration(option.DNSProxyLockTimeout, 500*time.Millisecond, fmt.Sprintf("Timeout when acquiring the locks controlled by --%s", option.DNSProxyLockCount))
flags.Duration(option.DNSProxyLockTimeout, defaults.DNSProxyLockTimeout, fmt.Sprintf("Timeout when acquiring the locks controlled by --%s", option.DNSProxyLockCount))
flags.MarkHidden(option.DNSProxyLockTimeout)
option.BindEnv(vp, option.DNSProxyLockTimeout)

Expand Down
116 changes: 70 additions & 46 deletions daemon/cmd/fqdn_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ import (
"github.com/cilium/cilium/pkg/identity"
"github.com/cilium/cilium/pkg/ipcache"
"github.com/cilium/cilium/pkg/lock"
"github.com/cilium/cilium/pkg/node"
"github.com/cilium/cilium/pkg/option"
"github.com/cilium/cilium/pkg/policy"
"github.com/cilium/cilium/pkg/policy/api"
"github.com/cilium/cilium/pkg/proxy/accesslog"
Expand All @@ -37,13 +39,32 @@ type DaemonFQDNSuite struct {
d *Daemon
}

var notifyOnDNSMsgBenchSetup sync.Once

func setupDaemonFQDNSuite(tb testing.TB) *DaemonFQDNSuite {
testutils.IntegrationTest(tb)

re.InitRegexCompileLRU(defaults.FQDNRegexCompileLRUSize)
// We rely on a sync.Once to complete the benchmark setup that initialize
// read-only global status.
// Also, node.SetTestLocalNodeStore() panics if it called more than once.
notifyOnDNSMsgBenchSetup.Do(func() {
// set FQDN related options to defaults in order to avoid a flood of warnings
option.Config.DNSProxyLockCount = defaults.DNSProxyLockCount
option.Config.DNSProxyLockTimeout = defaults.DNSProxyLockTimeout
option.Config.FQDNProxyResponseMaxDelay = defaults.FQDNProxyResponseMaxDelay

// Set local node store as it is accessed by NewLogRecord to get node IPv4
node.SetTestLocalNodeStore()

re.InitRegexCompileLRU(defaults.FQDNRegexCompileLRUSize)
logger.SetEndpointInfoRegistry(&dummyInfoRegistry{})
})

ds := &DaemonFQDNSuite{}
d := &Daemon{}
d.ctx = context.Background()
d.policy = policy.NewPolicyRepository(d.identityAllocator, nil, nil, nil)
d.endpointManager = endpointmanager.New(&dummyEpSyncher{}, nil, nil)
d.ipcache = ipcache.NewIPCache(&ipcache.Configuration{
Context: context.TODO(),
IdentityAllocator: testidentity.NewMockIdentityAllocator(nil),
Expand All @@ -56,13 +77,10 @@ func setupDaemonFQDNSuite(tb testing.TB) *DaemonFQDNSuite {
UpdateSelectors: d.updateSelectors,
IPCache: d.ipcache,
})
d.endpointManager = endpointmanager.New(&dummyEpSyncher{}, nil, nil)
d.policy.GetSelectorCache().SetLocalIdentityNotifier(d.dnsNameManager)

ds.d = d

logger.SetEndpointInfoRegistry(&dummyInfoRegistry{})

return ds
}

Expand All @@ -71,13 +89,17 @@ type dummyInfoRegistry struct{}
func (*dummyInfoRegistry) FillEndpointInfo(info *accesslog.EndpointInfo, addr netip.Addr, id identity.NumericIdentity) {
}

type dummySelectorCacheUser struct{}

func (d *dummySelectorCacheUser) IdentitySelectionUpdated(selector policy.CachedSelector, added, deleted []identity.NumericIdentity) {
}

// BenchmarkNotifyOnDNSMsg stresses the main callback function for the DNS
// proxy path, which is called on every DNS request and response.
func BenchmarkNotifyOnDNSMsg(b *testing.B) {
ds := setupDaemonFQDNSuite(b)

var (
nameManager = ds.d.dnsNameManager
ciliumIOSel = api.FQDNSelector{MatchName: "cilium.io"}
ciliumIOSelMatchPattern = api.FQDNSelector{MatchPattern: "*cilium.io."}
ebpfIOSel = api.FQDNSelector{MatchName: "ebpf.io"}
Expand All @@ -92,21 +114,22 @@ func BenchmarkNotifyOnDNSMsg(b *testing.B) {
)

// Register rules (simulates applied policies).
dscu := &dummySelectorCacheUser{}
selectorsToAdd := api.FQDNSelectorSlice{ciliumIOSel, ciliumIOSelMatchPattern, ebpfIOSel}
nameManager.Lock()
for _, sel := range selectorsToAdd {
nameManager.RegisterForIPUpdatesLocked(sel)
pippolo84 marked this conversation as resolved.
Show resolved Hide resolved
ds.d.policy.GetSelectorCache().AddFQDNSelector(dscu, nil, sel)
}
nameManager.Unlock()

const nEndpoints int = 1024

// Initialize the endpoints.
endpoints := make([]*endpoint.Endpoint, b.N)
endpoints := make([]*endpoint.Endpoint, nEndpoints)
for i := range endpoints {
endpoints[i] = &endpoint.Endpoint{
ID: uint16(b.N % 65000),
IPv4: netip.MustParseAddr(fmt.Sprintf("10.96.%d.%d", (b.N>>16)%8, b.N%256)),
ID: uint16(i),
IPv4: netip.MustParseAddr(fmt.Sprintf("10.96.%d.%d", i/256, i%256)),
SecurityIdentity: &identity.Identity{
ID: identity.NumericIdentity(b.N % int(identity.GetMaximumAllocationIdentity())),
ID: identity.NumericIdentity(i % int(identity.GetMaximumAllocationIdentity())),
},
DNSZombies: &fqdn.DNSZombieMappings{
Mutex: lock.Mutex{},
Expand All @@ -121,39 +144,40 @@ func BenchmarkNotifyOnDNSMsg(b *testing.B) {
// Simulate parallel DNS responses from the upstream DNS for cilium.io and
// ebpf.io, done by every endpoint.
for i := 0; i < b.N; i++ {
wg.Add(1)
go func(ep *endpoint.Endpoint) {
defer wg.Done()
// Using a hardcoded string representing endpoint IP:port as this
// parameter is only used in logging. Not using the endpoint's IP
// so we don't spend any time in the benchmark on converting from
// net.IP to string.
require.Nil(b, ds.d.notifyOnDNSMsg(time.Now(), ep, "10.96.64.8:12345", 0, "10.96.64.1:53", &ciliumdns.Msg{
MsgHdr: ciliumdns.MsgHdr{
Response: true,
},
Question: []ciliumdns.Question{{
Name: dns.FQDN("cilium.io"),
}},
Answer: []ciliumdns.RR{&ciliumdns.A{
Hdr: ciliumdns.RR_Header{Name: dns.FQDN("cilium.io")},
A: ciliumDNSRecord[dns.FQDN("cilium.io")].IPs[0],
}}}, "udp", true, &dnsproxy.ProxyRequestContext{}))

require.Nil(b, ds.d.notifyOnDNSMsg(time.Now(), ep, "10.96.64.4:54321", 0, "10.96.64.1:53", &ciliumdns.Msg{
MsgHdr: ciliumdns.MsgHdr{
Response: true,
},
Compress: false,
Question: []ciliumdns.Question{{
Name: dns.FQDN("ebpf.io"),
}},
Answer: []ciliumdns.RR{&ciliumdns.A{
Hdr: ciliumdns.RR_Header{Name: dns.FQDN("ebpf.io")},
A: ebpfDNSRecord[dns.FQDN("ebpf.io")].IPs[0],
}}}, "udp", true, &dnsproxy.ProxyRequestContext{}))
}(endpoints[i%len(endpoints)])
for _, ep := range endpoints {
wg.Add(1)
go func() {
defer wg.Done()
// Using a hardcoded string representing endpoint IP:port as this
// parameter is only used in logging. Not using the endpoint's IP
// so we don't spend any time in the benchmark on converting from
// net.IP to string.
require.Nil(b, ds.d.notifyOnDNSMsg(time.Now(), ep, "10.96.64.8:12345", 0, "10.96.64.1:53", &ciliumdns.Msg{
MsgHdr: ciliumdns.MsgHdr{
Response: true,
},
Question: []ciliumdns.Question{{
Name: dns.FQDN("cilium.io"),
}},
Answer: []ciliumdns.RR{&ciliumdns.A{
Hdr: ciliumdns.RR_Header{Name: dns.FQDN("cilium.io")},
A: ciliumDNSRecord[dns.FQDN("cilium.io")].IPs[0],
}}}, "udp", true, &dnsproxy.ProxyRequestContext{}))

require.Nil(b, ds.d.notifyOnDNSMsg(time.Now(), ep, "10.96.64.4:54321", 0, "10.96.64.1:53", &ciliumdns.Msg{
MsgHdr: ciliumdns.MsgHdr{
Response: true,
},
Compress: false,
Question: []ciliumdns.Question{{
Name: dns.FQDN("ebpf.io"),
}},
Answer: []ciliumdns.RR{&ciliumdns.A{
Hdr: ciliumdns.RR_Header{Name: dns.FQDN("ebpf.io")},
A: ebpfDNSRecord[dns.FQDN("ebpf.io")].IPs[0],
}}}, "udp", true, &dnsproxy.ProxyRequestContext{}))
}()
}
wg.Wait()
}

wg.Wait()
}
8 changes: 8 additions & 0 deletions pkg/defaults/defaults.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -180,6 +180,14 @@ const (
// DNSProxyEnableTransparentMode enables transparent mode for the DNS proxy.
DNSProxyEnableTransparentMode = false

// DNSProxyLockCount is the default array size containing mutexes which protect
// against parallel handling of DNS response names.
DNSProxyLockCount = 131

// DNSProxyLockTimeout is the default timeout when acquiring the locks controlled by
// DNSProxyLockCount.
DNSProxyLockTimeout = 500 * time.Millisecond

// IdentityChangeGracePeriod is the default value for
// option.IdentityChangeGracePeriod
IdentityChangeGracePeriod = 5 * time.Second
Expand Down
Loading