[CORE-10975] Add QoS packet rate limit #9947
Conversation
Add packet rate limiting QoS control implementation, using iptables (using '-m limit' and a new mark) and nftables (using 'limit rate over') rules to limit ingress and/or egress packet rate based on workload QoSControls (from pod annotations in k8s).
coutinhop
added
release-note-required
| @@ -123,6 +123,8 @@ func StartDataplaneDriver( | |||
| markScratch0, _ = markBitsManager.NextSingleBitMark() | |||
| markScratch1, _ = markBitsManager.NextSingleBitMark() | |||
|
|
|||
| markLimitPacketRate, _ = markBitsManager.NextSingleBitMark() | |||
There was a problem hiding this comment.
This may be absolutely fine, but can you check with the relevant people - probably @fasaxc and @tomastigera - in case we need to be more careful with using up new mark bits? It might be possible to reuse an existing one, if the places where they are used, for different features, do not overlap with each other.
There was a problem hiding this comment.
Considering we invariably use the mark in 2 consecutive iptables rules, I suppose we could reuse an existing 'scratch' mark instead of allocating a new one, but then I think we'd need a 3rd rule to clear the mark (considering it could/would be used for other purposes as well, as we're only using the mark to "bypass" the iptables -m limit module limitation of not being able to drop packets above the limit, we could clear the mark in a rule immediately after the one dropping the packets without the mark). @nelljerram do you think that's a better approach?
| } | ||
|
|
||
| It("should limit packet rate correctly", func() { | ||
| format.MaxLength = 1000000 |
There was a problem hiding this comment.
I think this is going to affect all following tests. Personally, I'm a fan of putting format.MaxLength = 0 somewhere, like in libcalico-go/lib/clientv3/tier_e2e_test.go:
func init() {
// Stop Gomega from chopping off diffs in logs.
format.MaxLength = 0
}
There was a problem hiding this comment.
(IOW, my only concern is that it looks like this might be a local-only setting, but in fact it won't be.)
There was a problem hiding this comment.
good point! I blindly copied what happened in another test case I saw, but I agree this should be improved. Will do
| By("Running iperf3 client on workload 1") | ||
| out, err := w[1].ExecOutput("iperf3", "-c", w[0].IP, "-O5", "-M1000", "-J") | ||
| Expect(err).NotTo(HaveOccurred()) | ||
| baselineRate, err := getRateFromJsonOutput(out) |
There was a problem hiding this comment.
Note, this is in bits per sec.
There was a problem hiding this comment.
this is noted in the Info log a few lines below it:
calico/felix/fv/qos_controls_test.go
Line 189 in 483cc0e
should I add a comment in addition to that?
| // Expect the baseline rate to be much greater (>=100x) the bandwidth that we | ||
| // would get with the packet rate we are going to configure just below. In | ||
| // practice we see several Gbps here. | ||
| Expect(baselineRate).To(BeNumerically(">=", 800000.0*100)) |
There was a problem hiding this comment.
Is there a connection between 800000 here and IngressPacketRate: 100 below?
There was a problem hiding this comment.
Not exactly a connection, just expecting 100x+ faster traffic with no limits than when limited. I'll add a comment for how we arrived at 800000 here too (as below)
|
|
||
| By("Waiting for the config to appear in 'iptables-save' on workload 0") | ||
| // ingress config should be present | ||
| Eventually(getRules(0), "10s", "1s").Should(And(MatchRegexp(`-A cali-tw-`+regexp.QuoteMeta(w[0].InterfaceName)+` .* -m comment --comment "Mark packets within ingress packet rate limit" -m limit --limit `+regexp.QuoteMeta("100/sec")+` -j MARK --set-xmark 0x\d+/0x\d+`), MatchRegexp(`-A cali-tw-`+regexp.QuoteMeta(w[0].InterfaceName)+` .* -m comment --comment "Drop packets over ingress packet rate limit" -m mark ! --mark 0x\d+/0x\d+ -j DROP`))) |
There was a problem hiding this comment.
In this check, iptables-save -c will be called only once, returning a string, and then that same string will be analysed up to 10 times. If it fails the first time, it won't make any difference to keep trying for the next 10s.
What you really want is:
getRules := func(felixId int) func() string {
return func() {
out, err := tc.Felixes[felixId].ExecOutput("iptables-save", "-c")
log.Infof("iptables-save -c output:\n%v", out)
Expect(err).NotTo(HaveOccurred())
return out
}
}
| ingressLimitedRate, err := getRateFromJsonOutput(out) | ||
| Expect(err).NotTo(HaveOccurred()) | ||
| log.Infof("iperf client rate with ingress packet rate limit on server (bps): %v", ingressLimitedRate) | ||
| // Expect the limited rate to be below an estimated desired rate (1000 byte packets * 8 bits/byte * 100 packets/s = 800000 bps) |
There was a problem hiding this comment.
Ah nice. Please explain that relation above as well.
| Expect(err).NotTo(HaveOccurred()) | ||
| log.Infof("iperf client rate with ingress packet rate limit on server (bps): %v", ingressLimitedRate) | ||
| // Expect the limited rate to be below an estimated desired rate (1000 byte packets * 8 bits/byte * 100 packets/s = 800000 bps) | ||
| Expect(ingressLimitedRate).To(BeNumerically("<=", 800000.0)) |
There was a problem hiding this comment.
Should there be a bit of leeway here, e.g. * 1.2
There was a problem hiding this comment.
In my experience, this upperbound was never even close to hitting when I ran the test (the max was typically 640kbps), but I suppose it doesn't hurt to have some margin, will add!
| @@ -1359,6 +1369,82 @@ var _ = Describe("Endpoints", func() { | |||
| }, | |||
| })) | |||
| }) | |||
|
|
|||
| It("should render a workload endpoint with packet rate limiting QoSControls", func() { | |||
| format.MaxLength = 1000000 | |||
There was a problem hiding this comment.
same comment about this as in FV test
There was a problem hiding this comment.
oh, I think this showed up after running make generate, will remove
Thanks so much! Yes, currently all 3 planned controls will only support iptables and nftables, but not eBPF. This control (and the future connection limit control) relies on iptables/nftables itself, and will need to be implemented differently on eBPF. The bandwidth control has an incompatibility between the |
Description
Add packet rate limiting QoS control implementation, using iptables (using '-m limit' and a new mark) and nftables (using 'limit rate over') rules to limit ingress and/or egress packet rate based on workload QoSControls (from pod annotations in k8s).
Related issues/PRs
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*label.docs-pr-required: This change requires a change to the documentation that has not been completed yet.docs-completed: This change has all necessary documentation completed.docs-not-required: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*label.release-note-required: This PR has user-facing changes. Most PRs should have this label.release-note-not-required: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.