ipsec: cache xfrm state list #32588
ipsec: cache xfrm state list #32588
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
d4637f1
to
b90b538
Compare
marseel
changed the title
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
b90b538
to
f5dd892
Compare
marseel
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
f5dd892
to
76a9b0b
Compare
|
/test |
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
2 times, most recently
from
4ce9faf
to
0bb20b5
Compare
|
/test |
|
@pchaigno I wonder which CI test runs IPSec privileged test? 🤷 |
But it prints tests="0" for every single packages, doesn't it? I'm not sure we can rely on that. |
maintainer-s-little-helper
bot
added
the
ready-to-merge
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
0bb20b5
to
522c126
Compare
|
@marseel @pchaigno I originally reported this issue and I've been playing around with a patch on my side also. Instead of calling xfrm state list here and looping until we find a match, can we just use I haven't tested the impact of this on the GC on a large cluster however, but wondering why we wouldn't want to do this instead of the looping logic? I'm a bit wary of caching the states in general just because it feels like troubleshooting issues with the cache in the future may be difficult or hard to find. |
|
@sjdot I do agree that we should use While
I would say adding caching should be safer than refactoring that part (also safer for backports), as long as we ensure we don't have other calls that are modifying xfrmState with CI test. |
|
Thanks @marseel Yeah in my patch there are still cases where I have to call list and pass to the functions you mentioned (e.g. a state that needs to be deleted an re-added), I've also not handled the migration of old state so I agree back porting is painful/difficult. I see the usefulness of the caching given this, I'm just nervous given our long history of very painful ipsec issues. Given it's a pretty significant change, do you think it would be feasible to put this behind a feature flag initially? I would like the ability to turn this off if we hit an issue we suspect might be related to be able to quickly verify if this is the cause or not. |
Yup, I think that definitely makes sense. |
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
522c126
to
ccf72a2
Compare
|
So I've tested it manually as well to make sure that flag works, we can disable caching by following helm values: I intentionally made this flag hidden as I don't expect that we will need to turn it off. For backports, I am considering turning it off as default and switching to true by default later on once we get more confidence on main branch. |
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
3 times, most recently
from
35541fe
to
306901f
Compare
|
/test |
maintainer-s-little-helper
bot
removed
the
ready-to-merge
|
I just checked and it seems we don't run privileged runtime tests on main: I've checked that while trying to make a backport to hotix branch I've noticed that it fails: #32665 @sayboras is looking into fixing running these tests on main. |
|
Converting to draft till tests are being correctly run. |
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
306901f
to
d7ea263
Compare
|
/ci-runtime |
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
d7ea263
to
8ce2344
Compare
|
/ci-runtime |
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
8ce2344
to
0a4d0bc
Compare
|
/ci-runtime |
Reduces GC CPU usage and memory allocations coming from XfrmStateList. To ensure we have up-to-date cache, wrap all XfrmState related functions inside cache, which is invalidated whenever XfrmState changes. This is follow-up to #32577 While that PR averages out CPU usage over time, in large cluster 100+ nodes amount of allocations coming from netlink.XfrmStateList() is high due to backgroundSync where we usually don't change any Xfrm states. This becomes more and more expensive as number of nodes increases. Added CI test to make sure that we accidentally don't add calls that modify XFRMState without going through cache. Also, added hidden option that allows to turn of caching. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
marseel
force-pushed
the
improve_background_check_and_cache_xfrm_test
branch
from
0a4d0bc
to
1164b7a
Compare
|
Rebased to pick up #32687 |
|
/test |
|
@borkmann friendly ping :) |
Reduces GC CPU usage and memory allocations coming from XfrmStateList.
To ensure we have up-to-date cache, wrap all XfrmState related
functions inside cache, which is invalidated whenever XfrmState changes.
This is follow-up to #32577
While that PR averages out CPU usage over time, in large cluster 100+
nodes amount of allocations coming from netlink.XfrmStateList() is high
due to backgroundSync where we usually don't change any Xfrm states.
This becomes more and more expensive as number of nodes increases.
Some pprofs/GC CPU time graphs.
Before:
Number of alloc objects:
Total GC time for 100 nodes:
After:
Number of alloc objects:
Total GC time for 100 nodes:
This would become even more important for larger clusters, as XfrmStateList allocations in backgroundSync are essentially O(n^2).