proxy/iptables: don't call iptables-restore when we don't need to

[dcbw]

Diff old and new rules and don't bother calling iptables-restore when nothing has actually changed.

iptables-restore is a very heavy operation and depending on the kernel,
the CPU, and the number of rules to restore, can take a very long time
(~500ms or more).

i7-5600U @ 2.6GHz: 700ms for 1000 services (2+4 cores+threads, kernel 4.6.6)
i7-4790 @ 3.6GHz: 270ms for 1000 services (4+8 cores+threads, kernel 4.6.7)

Other parts of kubernetes (eg kubenet) might be running iptables-restore
too, leading to some pileup as each iptables-restore waits for others to
complete.

Related: #26637
Related: #33693
Related: #35334

---

This change is

@thockin @timothysc @danwinship @eparis

[dcbw]

@k8s-bot unit test this #35898

[dcbw]

Rebase to get revert that fixes #35898

[dcbw]

@k8s-bot node e2e test this issue #35983

[danwinship]

This change (and the destPort change below) seems wrong; it only tests that r has some destination, not that it's the right one

[dcbw]

Fixed.

[danwinship]

SaveLines seems to be unused

[dcbw]

Moved to the commit that actually uses it.

[danwinship]

should be a global (and const?)

[dcbw]

Arrays can't be 'const' in Go, something about being able to take the address of an array element which would be illegal for a const. It also shouldn't really be global since it's used in only one function, so I moved the struct declaration into the function too.

[danwinship]

But that means it's going to be constructing the array every time you call the function. If you made it global it would only have to do it once.

[danwinship]

actually it just means there were multiple spaces rather than just 1... which doesn't seem like it should necessarily be invalid. (also, you don't check for empty argument if it's quoted)

[dcbw]

Fixed, multiple spaces are now handled initially by a helper that splits the line, and empty quoted arguments are passed through as-is (sans quoting of course).

[danwinship]

maybe use HasPrefix for the initial quote above for consistency?

[dcbw]

Fixed.

[danwinship]

return nil, err? (likewise elsewhere)

[dcbw]

Fixed for the error cases.

[danwinship]

possibly in the wrong commit?

[thockin]

This is not right. At least on my machines, it is actually best-fit:

-A FOO -j MARK --set-xmark 0x1/0x1
-A FOO -j MARK --set-xmark 0x10/0x10
-A FOO -j MARK --set-xmark 0x100/0x100
-A FOO -j MARK --set-xmark 0x1000/0x1000
-A FOO -j MARK --set-xmark 0x10000/0x10000
-A FOO -j MARK --set-xmark 0x100000/0x100000
-A FOO -j MARK --set-xmark 0x1000000/0x1000000
-A FOO -j MARK --set-xmark 0x10000000/0x10000000

[danwinship]

There's a difference between oldLines failing to parse and newLines failing to parse: oldLines can fail to parse if the administrator mucks around with iptables behind our back, or if the format of iptables-save changes. But newLines can only fail to parse in the event of a programmer error.

[dcbw]

True, fixed.

[danwinship]

In some failure cases (eg, iptables-save output format changes), every single call to sameIptablesRuleset() will fail... we might want to not log every time?

[dcbw]

It'll now only warn if parsing the new rules failed, which should be entirely under our control.

[danwinship]

not sure what happened there but this isn't gofmt'ed correctly

[dcbw]

actually it is; that's what gofmt -s -w spit out for this file. Maybe Go 1.7 now considers variable length?

[timothysc]

re-assigning, b/c daniel is out.

[dcbw]

@danwinship PTAL, thanks!

[dcbw]

integration test flake is #36473

[dcbw]

@k8s-bot test this #36473

[danwinship]

consider make([]string, 0, len(items)) as an optimization

[dcbw]

Done.

[danwinship]

as mentioned above, this has to be re-built every time you call parseRule(), while if it was global it would only have to be built once

[danwinship]

also maybe sort them into four groups by the optionAttr values, with a comment above each group? (// arg required, can't negate, etc)

[dcbw]

Done.

[danwinship]

hm, I think there are some more places where you said %v when you meant %q (across multiple commits)

[dcbw]

Done.

[danwinship]

It would simplify the loop if you just did an i++ here like you do for options with arguments. (eg, then both opt and negated would be local to the loop body)

[dcbw]

I had it that way before, but then we have to also check if i == len(items) a lot. I'll try it again this way and see.

[dcbw]

Done.

[danwinship]

err.Error(). Although none of the test cases sets tc.err anyway

[dcbw]

Done, and added some error testcases.

[danwinship]

err.Error()

[dcbw]

Done.

[danwinship]

With just a warning, I fear that this is just going to get broken. Someone will add a new rule that the parsing code doesn't know how to parse, no one will notice the warning message, and we'll ship a release where all of this parsing and comparing ends up just being an expensive no-op. OTOH, the code is complicated enough that I'm not comfortable saying we should panic if parsing fails...

Maybe utiliptables.EnsureRule() should return an error if it finds itself about to add a rule that it wouldn't later be able to parse? (Though in that case we'd want to validate module names too, to ensure that there aren't going to be any new "fixups for default module options" needed.)

[dcbw]

The proxy testcases should pick up changes to the ruleset though, so it should fail pretty early if syncProxyRules() gets changed. And it's at least designed to fail safe, as in it shouldn't change existing behavior if things don't work, it'll just always sync and log a message.

Ideally instead of adding textual rules we'd have a more structured iptables module that would use the vishvananda/netlink to read/write stuff and thus be able to more directly compare instead of screen-scraping, but that's a ton of work...

If you really want it I can try the EnsureRule thing and add hostports, userspace proxy, and other testcases too.

[danwinship]

Oh, it didn't occur to me that the parsing code didn't deal with hostports, etc, already...

Maybe just add warning comments to all the relevant bits of the iptables proxy then where people might change things in ways that would cause breakage

[dcbw]

@danwinship the proxy code is the only one so far that uses ParseTableRules(), and while the others could use this too, they don't get called anywhere near as often so they aren't a hotpath like the proxy stuff is. I'll definitely add comments.

[dcbw]

@danwinship PTAL, thanks

[dims]

@thockin @wojtek-t @danwinship @saad-ali : seems a bit big change at the tail end of v1.5. right?

[saad-ali]

@thockin @wojtek-t @danwinship @saad-ali : seems a bit big change at the tail end of v1.5. right?

Agreed, we are well into the code freeze for 1.5. Is this a bug fix? @kubernetes/sig-network for more context. Removing 1.5 milestone until we have verfication.

[k8s-ci-robot]

Jenkins GCI GCE e2e failed for commit 12fa2af. Full PR test history.

The magic incantation to run this job again is @k8s-bot gci gce e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[dcbw]

@k8s-bot gci gce e2e test this issue #37361

[jeremyeder]

To give you a sense of what we're seeing wrt iptables save/restore churn, here is a graph showing CPU utilization across a variety of system roles in a cluster. Avg in the 2+ core range for iptables rule validation.

This cluster has 1000 nodes and 14,000 pods. At scales far lower than this, you can find iptables consuming a core or so on every node in the cluster at any given time. For RH'rs reading, if you'd like access please ping me internally.

[rantoniuk]

@jeremyeder out of curiosity, how many services do you have in the cluster?

[jeremyeder]

Approximately 600 services.

[widgetpl]

@jeremyeder do you have any network issues like packet drops etc. couse we have faced such issues when we hit to around 500 services.

[jeremyeder]

@widgetpl Just confirmed, no drops or errors on any of the interfaces.

[k8s-github-robot]

@dcbw PR needs rebase

[k8s-github-robot]

[APPROVALNOTIFIER] Needs approval from an approver in each of these OWNERS Files:

• pkg/OWNERS

We suggest the following people:
cc @brendandburns
You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

This PR hasn't been active in 62 days. It will be closed in 27 days (Mar 16, 2017).

cc @danwinship @dcbw @dchen1107 @smarterclayton @thockin @wojtek-t

You can add 'keep-open' label to prevent this from happening, or add a comment to keep it open another 90 days

[dcbw]

Going to close this one too, as the core issue may have already been addressed by other changes like #41022 and #38996