New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new default values to the Guardian flags network-pool
and max-containers
#6031
Conversation
If network-pool is unset Guardian defaults to 10.80.0.0/22 which allows 1024 addresses implicitly limiting a Guardian worker to 250 containers (4 addresses per container). This is true even if max-containers is set to a higher value. We set network-pool to 10.80.0.0/16 to increase the allowable addresses significantly ensuring the container count is only limited by the explicit max-containers flag. Signed-off-by: Muntasir Chowdhury <mchowdhury@pivotal.io>
CONCOURSE_GARDEN_ALLOW_HOST_ACCESS will have a value of "false" even without a default value being provided as it is represented as a bool in the Guardian codebase. The recommendation to have CONCOURSE_GARDEN_MAX_CONTAINERS at 250 was based off CloudFoundry's Diego which also uses Guardian. Concourse deployments have been operated at a much higher limit and do not need to be held to this limit. The binary will set CONCOURSE_GARDEN_NETWORK_POOL to a default value of 10.80.0.0/16 as of concourse/concourse#6031. concourse/concourse#5985 Signed-off-by: Muntasir Chowdhury <mchowdhury@pivotal.io>
Would it make sense to pull this in into GuardianRuntime so its more explicit ? |
@xtreme-sameer-vohra I would say we should only move it there if we also expose An alternative would be for us to document a list of commonly used Guardian flags like |
@xtreme-sameer-vohra @chenbh I believe Guardian specific flags were removed from the CLI listing i.e. Guardian Runtime for easier reasoning about the runtimes. The flags present under I posted a question in the BOSH release PR about determining the default value of
|
I put in 250 for now, and noted in #6043 to test for new limits when we're doing drills for containerd vs guardian. |
It would be useful to document the default values in the binary |
Setting default limit to 250 as this is the only default value for Guardian that has been widely tested against Concourse. This can be increased in the future with more thorough testing with production workloads. #5985 Signed-off-by: Muntasir Chowdhury <mchowdhury@pivotal.io>
44ec35d
to
846bc8f
Compare
CONCOURSE_GARDEN_ALLOW_HOST_ACCESS will have a value of "false" even without a default value being provided as it is represented as a bool in the Guardian codebase. The recommendation to have CONCOURSE_GARDEN_MAX_CONTAINERS at 250 was based off CloudFoundry's Diego which also uses Guardian. Concourse deployments have been operated at a much higher limit and do not need to be held to this limit. The binary will set CONCOURSE_GARDEN_NETWORK_POOL to a default value of 10.80.0.0/16 as of concourse/concourse#6031. concourse/concourse#5985 Signed-off-by: Muntasir Chowdhury <mchowdhury@pivotal.io>
concourse/concourse#6031 exposes Guardian's max-containers and network-pool as part of the worker command's options. This change keeps the chart and binary in sync. concourse/concourse#5985 Signed-off-by: Muntasir Chowdhury <mchowdhury@pivotal.io>
Limiting this to 250 similar to Guardian to avoid stampeding herd problem. With stress testing in the future this can be updated to a more accurate value. issue#5985 Signed-off-by: Muntasir Chowdhury <mchowdhury@pivotal.io>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey,
Looks like the wiring logic got dropped in the refactor. The two values aren't passed to gdn at the moment. They're just exposed in Concourse.
Seeing the same :( Will let you know when I have a fix. |
These flags were in the GuardianRuntime struct but they weren't being detected by the detectGuardianFlags() function. Our theory is that the go-flags package is unsetting these environment variables when parsing them. Therefore when os.Environ() is called by detectGuardianFlags() the GuardianRuntime struct flags are not found. #5985 Signed-off-by: Muntasir Chowdhury <mchowdhury@pivotal.io> Co-authored-by: Taylor Silva <tsilva@pivotal.io>
@xtreme-sameer-vohra fyi @taylorsilva and I pushed a fix but all the tests are breaking because of an elm package whose signature has changed at source. |
The elm stuff fixed itself. I'm rerunning all test suites. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm !!
network-pool
and max-containers
What does this PR accomplish?
Feature
Part of #5985
Changes proposed by this PR:
If
--network-pool
is unset Guardian defaults to10.80.0.0/22
which allows 1024 addresses, implicitly limiting aGuardian worker to 250 containers (4 addresses reserved per container). This is true even if max-containers is set to
a higher value.
We set network-pool to
10.80.0.0/16
to increase the allowable addresses significantly ensuring the containercount is only limited by the explicit max-containers flag. If a user passes a custom value we use that instead.
Update
More details on reasoning in an issue comment.
Notes to reviewer:
Inspecting processes running on a Guardian worker without having set
CONCOURSE_GARDEN_NETWORK_POOL
shows the following.When passing a custom value of
10.80.0.0/20
:Related PRs
concourse/concourse-chart#150
concourse/concourse-bosh-release#121
Release Note
Contributor Checklist
Reviewer Checklist
BOSH and
Helm packaging; otherwise, ignored for
the integration
tests
(for example, if they are Garden configs that are not displayed in the
--help
text).