Probe: use netlink to talk to conntrack #3298
Conversation
|
CI is failing on the MacOS (Darwin) build - now we have four files depending on Linux-specific code, and I'm uncertain whether it is better to stub out all of their interfaces or introduce an insulating abstraction. EDIT: I stubbed it out at a higher level |
|
Cool to see this being picked up. 👍 |
bboreham
force-pushed
the
conntrack-netlink-upstream
branch
7 times, most recently
from
0e54459 to
3153544
Compare
bboreham
force-pushed
the
conntrack-netlink-upstream
branch
from
3153544 to
025b0b4
Compare
| quit chan struct{} | ||
| } | ||
|
|
||
| // newConntracker creates and starts a new conntracker. | ||
| func newConntrackFlowWalker(useConntrack bool, procRoot string, bufferSize int, args ...string) flowWalker { | ||
| func newConntrackFlowWalker(useConntrack bool, procRoot string, bufferSize int, natOnly bool) flowWalker { |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
What's the performance improvement? The code is much cleaner like this, but it would also be good to know the performance improvement. |
|
@2opremio the performance is only slightly better in my trials; I don't think we have a cluster that would really stress this code. But after adding typetypetype/conntrack#15 the whole probe uses 10% less CPU. |
|
Just noticed a panic on exit: |
|
I have updated the conntrack package to bring in the perf improvement and a fix to the panic. |
|
@2opremio any chance you can give this one more glance over so I can merge? |
|
Now I would like to get typetypetype/conntrack#19 merged since it doesn't pick up pre-existing NAT mappings without it. (it's merged now) |
bboreham
force-pushed
the
conntrack-netlink-upstream
branch
2 times, most recently
from
635ee0c to
88d805e
Compare
Replacement for the --any-nat command-line parameter
- don't need another wrapper round `conntrack.Connections()` - logPipe() was only for the command-line conntrack - nobody closes the `event` chan now, so no need to pre-check for quit
When the probe first starts we should only be interested in active connections, and if the loop re-starts it's probably because too many connections are opening and closing to keep up with, so it's good to drop any that are already closed then too. Refactor the code so `handleFlow` is only called on events, and handle the initial list of connections directly.
Split Reporter into Linux and non-Linux parts, and stubbed it out for non-Linux targets.
From revision 1ea26629 to 9d9dd841, to bring in a couple of bug fixes and some performance improvements.
bboreham
force-pushed
the
conntrack-netlink-upstream
branch
from
503b37c to
c732fee
Compare
This is an update of #2130 with all necessary* changes upstreamed (typetypetype/conntrack#12, typetypetype/conntrack#13 and typetypetype/conntrack#14).
The objective is to reduce the CPU usage of the Scope probe, because it will no longer be running a
conntrackbinary which converts netlink into text then parsing that text.The commits on this branch include the original #2130, rebased, then some changes to make it easier to diff that code against the upstream, then replacing with upstream, then tidying up and ensuring CI passes. Most of that should be squashed before merging, but I like the idea that we might preserve the authorship of @josephglanville who did much of the work.
As of the time of writing I have run some small tests which suggest it broadly works; have not done any big tests or checked performance.
I looked at https://github.com/vishvananda/netlink, but the conntrack code there is rudimentary: to get equal functionality I would basically have to copy most of the implementation from
typetypetype/conntrack.(*) I hope I didn't miss anything!