ws-daemon: Use a pair of veths instead of slirp4netns

[utam0k]

Description

This PR creates a pair of veth between the workspace and ring1.

Related Issue(s)

Fixed #8106

How to test

in gitpod workspace
https://to-setup-veth.staging.gitpod-dev.com/workspaces

$ docker run hello-world

maybe you have to kill slirp4netns's process.

Release Notes

Use a pair of veths instead of slirp4netns

Documentation

No

[utam0k]

I will have more drawings and other information on Monday that will show more of what I intend to do.

[utam0k]

/hold

[aledbf]

Why do we need to set lo up?

[utam0k]

@aledbf Thanks for your review!
For now, I guess slirp4netns enable lo automatically. So, when we want to remove slirp4netns, we have to enable lo manually.

[iQQBot]

Is it ready for review?

[kylos101]

Hey @utam0k , given the commit message in 23346cf, I am going to mark this back as draft (it seems like you're unsure if netlink will work because you use the word "try" in the commit message). May I ask you to confirm if this is ready for review? If yes, feel free to mark as ready for review.

[kylos101]

Hi @utam0k , while this is in draft, if you would like "an early review". that is totally okay to request. 💌 😍 See you tomorrow!

[utam0k]

@kylos101 Thanks for organizing the PR. This PR will be available for review soon. I had a little trouble verifying it.

[utam0k]

/unhold

[utam0k]

@princerachit @aledbf @iQQBot @kylos101 Sorry to keep you waiting. I have finished brushing up on this PR. PTAL.
I recommend taking a look at this picture before you start reviewing. This whole attempt is too large to be in one PR, so it is divided into two phases(PRs). This PR is the first these. There should be no problem if only this PR is merged and deployed.

[utam0k]

docker is still using slirp4netns.

[csweichel]

We disabled the docker slirp4netns use when we introduced slirp4netns for the workspace as a whole. We have however not yet removed that code from docker-up. We should do that in a follow-up PR.

[utam0k]

@princerachit @aledbf @iQQBot @kylos101 @csweichel This PR is ready for review again. PTAL. Load and other measurements will be done tomorrow, but the code itself is available for review.

[utam0k]

/hold Until the numerical measurements are completed.

[utam0k]

Network IO metrics

I measured the limits of traffic from workspace to ring1 using iperf3.

slirp4netns

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  9.78 GBytes  8.40 Gbits/sec    0             sender
[  5]   0.00-10.00  sec  9.78 GBytes  8.40 Gbits/sec                  receiver

veth

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  50.5 GBytes  43.4 Gbits/sec  284             sender
[  5]   0.00-10.00  sec  50.5 GBytes  43.4 Gbits/sec                  receiver

CPU metrics

This is the CPU utilization when 8 Gbit/sec of traffic continues to flow(workspace -> ring1)

	slirp4netns	veth
avg of user	4.46 %	2.64 %
avg of system	10.07 %	1.69%

More details can be found in the vmstat results in this spreadsheet.

[utam0k]

/unhold

[utam0k]

@csweichel I think you are probably interested in these above metrics.

[csweichel]

Works like a charm - love the new performance!
Really great work @utam0k.

[iQQBot]

great work 👍 , will have a look for tomorrow
Another thing to consider is how to deploy, supervisor / workspacekit and ws-daemon has different deploy cycle

[kylos101]

Another thing to consider is how to deploy, supervisor / workspacekit and ws-daemon has different deploy cycle

@iQQBot We use installer to ship workspace-clusters. When we do this, it uses the versions.yaml to parse necessary versions. For example: docker run --rm -it eu.gcr.io/gitpod-core-dev/build/versions:main.2836 cat versions.yaml.ws-daemon and registry-facade, as well as supervisor and workspacekit, will use versions from that file. The configmap for registry-facade will specify supervisor and workspacekit versions.

For WebApp, they currently use helm, but I believe it uses a similar versions strategy, so if we merge to main, all these components should ship too. @geropl , can you confirm?

How do you deploy IDE changes? I see this job updates web app clusters using argo. So it seems like, if we merge to main, IDE should avoid doing IDE deploy until web app has deployed. WDYT?

[akosyakov]

i have not tried, clean up in supervisor looks good.