Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bridge: read only required chain on cni del instead of the entire ruleset #880

Merged
merged 3 commits into from
Apr 24, 2023
Merged

bridge: read only required chain on cni del instead of the entire ruleset #880

merged 3 commits into from
Apr 24, 2023

Conversation

maiqueb
Copy link
Contributor

@maiqueb maiqueb commented Apr 5, 2023
edited
Loading

This PR changes the bridge-cni mac spoof protection to only read the required chain on CNI DELs (instead of the entire ruleset). This is required since without it we read the entire ruleset, which takes too long when there are plenty of provisioned rules.

It requires an updated version of go-nft, which also imposes a timeout when trying to read the NFT configuration.

These 2 features will hopefully reduce the time it takes to teardown pod networking on CNI DELs.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2175041

@maiqueb maiqueb force-pushed the mac-spoof-improv-read-only-required-chain-on-cni-del branch from 3c0cc97 to c10c1cf Compare April 19, 2023 08:49
@maiqueb maiqueb marked this pull request as ready for review April 19, 2023 09:03
@maiqueb maiqueb changed the title WIP/DNM: Mac spoof improv read only required chain on cni del bridge: read only required chain on cni del instead of the entire ruleset Apr 19, 2023
@maiqueb maiqueb force-pushed the mac-spoof-improv-read-only-required-chain-on-cni-del branch from c10c1cf to 8b86929 Compare April 19, 2023 09:11
EdDev
EdDev reviewed Apr 20, 2023
View reviewed changes
Copy link
Contributor

@EdDev EdDev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

I had a small suggestion inline, let me know what you think.
Also, please consider using now ReadConfigContext and pass it with a explicit timeout. We could do this in a following PR if you prefer.

BTW, go-nft 0.3.0 is released, so you can use it now.

@maiqueb
build: consume specific tables/chains via go-nft
83fe87c 
This go-nft version allows its users to only read particular
tables/chains when invoking `ReadConfig`, instead of the entire ruleset.

This will make deleting rules from a large ruleset faster, thus speeding
up CNI DELs.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2175041

Signed-off-by: Miguel Duarte Barroso <[email protected]>
@maiqueb maiqueb force-pushed the mac-spoof-improv-read-only-required-chain-on-cni-del branch from 8b86929 to 6a3eb15 Compare April 20, 2023 08:34
@maiqueb maiqueb force-pushed the mac-spoof-improv-read-only-required-chain-on-cni-del branch from 6a3eb15 to f793e70 Compare April 20, 2023 08:36
@maiqueb maiqueb requested a review from EdDev April 20, 2023 08:37
EdDev
EdDev suggested changes Apr 20, 2023
View reviewed changes
@maiqueb maiqueb force-pushed the mac-spoof-improv-read-only-required-chain-on-cni-del branch from f793e70 to ee90f39 Compare April 20, 2023 09:14
@maiqueb maiqueb requested a review from EdDev April 20, 2023 09:14
@maiqueb
bridge, del: timeout after 55 secs of trying to list rules
135292e 
Making sure the exec'ed nft command is executed in 55 secs allows for
CNI to fail early, thus preventing CRI from sending another CNI DEL
while the previous NFT call is still being processed.

This fix prevents part of the behavior described in [0], in which:
> cnv-bridge and nft comes pile up in a loop, increasing every 60, never
completes

The timeout had to be less than 60 seconds (otherwise CRI would still
trigger CNI DEL again) but large enough for this feature to have a
chance of working on older kernels (e.g. centOS 8), where it takes
longer to access even a specific chain/table.

Signed-off-by: Miguel Duarte Barroso <[email protected]>
@maiqueb maiqueb force-pushed the mac-spoof-improv-read-only-required-chain-on-cni-del branch from ee90f39 to 135292e Compare April 20, 2023 09:19
EdDev
EdDev approved these changes Apr 20, 2023
View reviewed changes
Copy link
Contributor

@EdDev EdDev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@maiqueb
Copy link
Contributor Author

maiqueb commented Apr 24, 2023

@squeed / @dcbw can you take a look ?

@squeed
Copy link
Member

squeed commented Apr 24, 2023

Looks good, thanks for chasing these sorts of performance wins down!

@squeed squeed merged commit c10af01 into containernetworking:main Apr 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed approved these changes

@EdDev EdDev EdDev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maiqueb @squeed @EdDev