plugins/forward: Add max_concurrent option

[chrisohaver]

1. Why is this pull request needed and what does it do?

Adds a concurrent query limit option to the forward plugin, as described in #3635

2. Which issues (if any) are related?

#3635

3. Which documentation changes (if any) need to be made?

included

4. Does this introduce a backward incompatible change or deprecation?

no

[codecov-io]

Codecov Report

Merging #3640 into master will decrease coverage by <.01%.
The diff coverage is 50%.

@@            Coverage Diff             @@
##           master    #3640      +/-   ##
==========================================
- Coverage    56.6%   56.59%   -0.01%     
==========================================
  Files         220      220              
  Lines       11039    11055      +16     
==========================================
+ Hits         6249     6257       +8     
- Misses       4311     4317       +6     
- Partials      479      481       +2

Impacted Files	Coverage Δ
plugin/forward/forward.go	51.61% <0%> (-3.56%)	⬇️
plugin/forward/setup.go	58.38% <80%> (+1.55%)	⬆️
plugin/kubernetes/setup.go	64.24% <0%> (ø)	⬆️
test/server.go	82.75% <0%> (ø)	⬆️
plugin/test/scrape.go	0% <0%> (ø)	⬆️
plugin/trace/trace.go	79.06% <0%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ff981b1...ed7bcdb. Read the comment docs.

[johnbelamaric]

In theory there is a race condition where we may drop some extra queries when we're hovering near the edge. I don't think we care though, not enough to mutex this whole thing.

[chrisohaver]

Yes, I lingered on this issue for a bit after seeing it happen during testing, but decided to stick with simple/performant atomic despite this. The count can go over the limit if overwhelmed, since we don't check for the limit in the same atomic action as the increment. Would be nice if there was an atomic action "increment-if-less-than", but I don't think this is a big deal, since these increments above the limit are immediately decremented.

Adding an atomic check of the value before the increment lessens, but does not completely eliminate the issue. But I don't think it's a problem enough to warrant the extra check.

[johnbelamaric]

/lgtm

[corbot]

Approved by johnbelamaric

[miekg]

for sync atomic these need to be put first in the struct otherwise they don't align on ARM

[chrisohaver]

Thanks, fixed.

[miekg]

Would refuse be better here?

[chrisohaver]

I'm not sure. I think either could work. I initially thought REFUSED, because this is a known/expected failure (soft failure). ... but then changed it to SERVFAIL in a later commit after reading some discussions on the difference between the two.

There isn't a strict difference: It's fuzzy...
REFUSE is supposed to indicate refusal due to policy. I read that as a function of the client or queried name. But thats vague, and you could describe a query rate type limit like this as a "policy".
SERVFAIL is supposed to indicate something broken.

[miekg]

is there a better name with maybe 'concurrent' in it? (not sure there is, but max_queries is not what's implemented here)

[chrisohaver]

changed to max_concurrent

[miekg]

Also see #2593

[rdrozhdzh]

No needs to construct the error object here on each query, it can be constructed once as a global var, see ErrNoHealthy for example

[chrisohaver]

Thanks, fixed.

[chrisohaver]

I should add a metric here for number of refused packets.

[miekg]

[ Quoting <notifications@github.com> in "Re: [coredns/coredns] plugins/forwa..." ]

I should add a metric here for number of refused packets.

yes, that would be a nice enhancement

[miekg]

I think is valuable to include the configured max here.

[miekg]

Difference between SERVFAIL or REFUSED is fuzzy. REFUSED is better here, because the server is fine (no SERVFAIL), but actually refuses to do work for you

[rdrozhdzh]

from rfc1035, section 4.1.1.

Server failure - The name server was unable to process this query due to a problem with the name server.

Refused - The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data.

I think SERVFAIL suits better in this case. This is a temporary error. If we return REFUSED, client will probably decide that this query is not permitted and will not retry. In case of SERVFAIL it could try again.

[chrisohaver]

In a sense, this kind of failure is like a timeout, in that there is some transient condition (some action has exceeded a configured limit) that makes it so we are not going to answer. Although in a timeout, we cannot get an answer, and in the concurrent limit case, we choose not to.

I think clients would treat either of these equally, as a negative response. Since the definition of REFUSED/SERVFAIL is fuzzy, it would be unwise for a client to draw special conclusions in a general context for one answer vs the other.

If the desired behavior is to have the client retry, then I think we would need to drop the response (not respond at all).

[miekg]

Fair enough, servfail works for me. We should never not reply.

…

On Thu, 30 Jan 2020, 17:20 chrisohaver, ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In plugin/forward/forward.go <#3640 (comment)>: > @@ -68,6 +76,15 @@ func (f *Forward) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg return plugin.NextOrFailure(f.Name(), f.Next, ctx, w, r) } + if f.maxConcurrent > 0 { + count := atomic.AddInt64(&(f.concurrent), 1) + defer atomic.AddInt64(&(f.concurrent), -1) + if count > f.maxConcurrent { + MaxConcurrentRejectCount.Add(1) + return dns.RcodeServerFailure, ErrLimitExceeded In a sense, this kind of failure is like a timeout, in that there is some transient condition (some action has exceeded a configured limit) that makes it so we are not going to answer. Although in a timeout, we *cannot* get an answer, and in the concurrent limit case, we *choose* not to. I think clients would treat either of these equally, as a negative response. Since the definition of REFUSED/SERVFAIL is fuzzy, it would be unwise for a client to draw special conclusions in a general context for one answer vs the other. If the desired behavior is to have the client retry, then I think we would need to drop the response (not respond at all). — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#3640?email_source=notifications&email_token=AACWIW5PVSKZDQYYF4N2ESLRAMD6DA5CNFSM4KNKI3LKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCTV5ZUA#discussion_r373084321>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACWIW73JRCNUPQWHGUM2TLRAMD6DANCNFSM4KNKI3LA> .

[rdrozhdzh]

Here may be a race condition. When coredns is reloaded (e.g. with SIGUSR1) the old instance of forward plugin is still handling traffic and may access ErrLimitExceeded, and the new instance of forward plugin can update ErrLimitExceeded at the same time

[miekg]

Just create the err in forward when you return, this is getting silly. If you worry about allocations, there is plenty of lowhanging fruit with more bang for the buck

…

On Thu, 30 Jan 2020, 17:34 Ruslan Drozhdzh, ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In plugin/forward/setup.go <#3640 (comment)>: > @@ -211,6 +213,19 @@ func parseBlock(c *caddy.Controller, f *Forward) error { default: return c.Errf("unknown policy '%s'", x) } + case "max_concurrent": + if !c.NextArg() { + return c.ArgErr() + } + n, err := strconv.Atoi(c.Val()) + if err != nil { + return err + } + if n < 0 { + return fmt.Errorf("max_concurrent can't be negative: %d", n) + } + ErrLimitExceeded = errors.New("concurrent queries exceeded maximum " + c.Val()) Here may be a race condition. When coredns is reloaded (e.g. with SIGUSR1) the old instance of forward plugin is still handling traffic and may access ErrLimitExceeded, and the new instance of forward plugin can update ErrLimitExceeded at the same time — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#3640?email_source=notifications&email_token=AACWIW5EC6FHKWFOFITA74TRAMFTPA5CNFSM4KNKI3LKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCTWACNA#pullrequestreview-351011124>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACWIWY5HGQSFQH5XEAZJVLRAMFTPANCNFSM4KNKI3LA> .

[rdrozhdzh]

Well, since the error text is not a constant anymore, that would be a reasonable choice.
Alternatively, the error can be saved in a Forward object.

[miekg]

I think mem usage is a good one..with the assumption a goroutine is 2kb. I was pondering a similar text for discarding packets directly in miekg/dns, but this pr is probably better, because here you can actually have lingering go-routines. Also note we timeout after 5s (I think), we can probably discard writing an answer if that happens, cause the client is long gone (but that's a different pr)

…

On Thu, 30 Jan 2020, 17:46 chrisohaver, ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In plugin/forward/README.md <#3640 (comment)>: > @@ -83,6 +84,8 @@ forward FROM TO... { * `round_robin` is a policy that selects hosts based on round robin ordering. * `sequential` is a policy that selects hosts based on sequential ordering. * `health_check`, use a different **DURATION** for health checking, the default duration is 0.5s. +* `max_concurrent` **MAX** will limit the number of concurrent queries to **MAX**. Any new query that would I put in notes for these. For picking a value, I describe a lower bound. I didn't tackle describing an upper bound yet. For an upper bound (to bind memory usage), it's a matter of how much memory an average query takes up inflight in CoreDNS - which is variable (e.g. encryption). I can try to estimate this experimentally. I don't know how globally applicable or accurate that would be. — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#3640?email_source=notifications&email_token=AACWIW6SDAIID5KQUU4B7PLRAMG6HA5CNFSM4KNKI3LKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCTWB2BI#discussion_r373097141>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACWIW5DRYEZWT3WAONSPT3RAMG6HANCNFSM4KNKI3LA> .