conntrack: Add update reports for long connections

[ronensc]

This PR adds a new type of output records to the connection tracking module: update report for long connections.

There's a new setting in the conntrack config UpdateConnectionInterval to set the amount of time to wait between update reports.

This PR also extends the connectionStore data structure from an ordered map to a multi-ordered map. The actual implementation of the data structure were extracted to a new file which simplifies connectionStore. This extension was needed to optimize the search for connections that require update report - rather than going through all the connections and inspecting their nextUpdateReport field, we keep them ordered by this field (in addition to the order by expiry time) and going through only those that require update report.

There is still 1 issue with the suggested implementation:

The scan for connections that need update report is done for every incoming batch of flow logs. This could be a problem when the incoming batch frequency is too high. A possible solution would be to scan once in a while. We can set the scan interval to be 50% of UpdateConnectionInterval.
Note: The same problem exists with end connections

Additional refactors and minor changes:

1. Instead of storing the lastUpdate of a connection, we store the expiryTime (which is lastUpdate + ConnectionTimeout). Changing the word "update" reduces confusion with the new feature of update reports. In my opinion, this also makes the expiry condition more understandable.
2. connectionStore was extracted to a file of its own.
3. require.Equal() was replaced with require.JSONEq() in pkg/config/pipeline_builder_test.go

[codecov-commenter]

Codecov Report

Merging #287 (f72140c) into main (009a086) will increase coverage by 0.51%.
The diff coverage is 88.62%.

@@            Coverage Diff             @@
##             main     #287      +/-   ##
==========================================
+ Coverage   67.39%   67.90%   +0.51%     
==========================================
  Files          73       75       +2     
  Lines        4278     4381     +103     
==========================================
+ Hits         2883     2975      +92     
- Misses       1212     1219       +7     
- Partials      183      187       +4     

Flag	Coverage Δ
unittests	67.90% <88.62%> (+0.51%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/pipeline/extract/conntrack/store.go	61.22% <61.22%> (ø)
pkg/api/conntrack.go	87.00% <100.00%> (+0.13%)	⬆️
pkg/pipeline/extract/conntrack/conn.go	89.28% <100.00%> (+1.28%)	⬆️
pkg/pipeline/extract/conntrack/conntrack.go	92.00% <100.00%> (+2.97%)	⬆️
pkg/pipeline/utils/multiorderedmap.go	100.00% <100.00%> (ø)
pkg/pipeline/ingest/ingest_collector.go	49.62% <0.00%> (+1.50%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[eranra]

why this is removed, should not be connected to this PR???

[ronensc]

That field was changed from struct to struct ptr and the api-to-doc script doesn't handle such types at the moment.
I've submitted a different PR to solve this: #288

[ronensc]

That PR is merged so I rebased this one.

[eranra]

@ronensc this feels like a generic helper utility, can you move that to utils ??

[ronensc]

Done

[eranra]

@ronensc can you update the README file ... currently it is still talking on the old implementation

[eranra]

Do you want to add this as another build step instead of explicitaly calling the function

[ronensc]

Done

[KalmanMeth]

Shouldn't GetRecord() already give the element?

[ronensc]

GetRecord() indeed returns the element. But, here were interested in the element's wrapper.
I'll remove the call to GetRecord() to make it clearer.

[KalmanMeth]

Is the name IterateFrontToBack doubled intentionally or is it a copy-paste error?

[ronensc]

it's an error. good catch!

[jotak]

LGTM - I guess it's a step toward the option to entirely remove raw flowlogs from storage in the future.

At some point I'd like to measure the performance impact of using conntracking:

• on FLP (I guess more memory used, more compute)
• on Loki if we don't store raw flowlogs, we save a lot of space

[ronensc]

• on Loki if we don't store raw flowlogs, we save a lot of space

@jotak In theory, this is correct.
But, it depends on the characteristics of the connections in the cluster and the output records settings of the connection tracking module.
i.e. If most of the connections are short (starts and ends in the same flow-log) and the connection tracking is set to output both new connection and end connection records,
then, we'll end up with 2 records in loki for each connection, rather than 1 in the current settings without conntrack.