network: Use tc filtering rules in bridge mode

[amshinde]

Instead of creating a bridge, use tc filter rules to redirect
traffic between veth and tap interface.

Signed-off-by: Archana Shinde [email protected]

[amshinde]

/test

[sboeuf]

@amshinde maybe a dumb question, but why did you replace the bridge mode, instead of creating a new internetworking model?

[jodh-intel]

What happens if index < 0? Does netlink.QdiscAdd() handle that? Is it a valid index? (might be given QdiscAttrs.Index is an int wheres all other members are uint32?!?)

[amshinde]

@jodh-intel netlink.QdiscAdd will handle the case where the network index is negative.
It will error out if it cannot find an interface with the specified index.

[jodh-intel]

Same question - what if either of these two params are negative?

[amshinde]

Same as above.

[amshinde]

@sboeuf I was planning to replace the bridge mode initially. I pushed the changes for testing.
I have now introduced a new mode. I plan to do some testing for different plugins out there, plan is to then deprecate bridged mode in a future PR.

[amshinde]

cc @mcastelino PTAL.

[mcastelino]

Minor comment. We need to undo the qdisk we added on ingress on the CNI/CNM created interface.

[mcastelino]

@amshinde you need to remove the ingress qdisc you added to the veth/incoming interface. As part of the cleanup you should remove that too.

So you need to undo what do you did before

	if err := addQdiscIngress(attrs.Index); err != nil {
		return err
	}

[amshinde]

@mcastelino Have addressed this. PTAL.

[sboeuf]

I would rename it removeTCFiltering()

[mcastelino]

Some more context for this review
https://gist.github.com/mcastelino/7d85f4164ffdaf48242f9281bb1d0f9b

[amshinde]

@bergwolf Can you take a look as well, I think you guys are using tc in runv?

[amshinde]

/retest

[mcastelino]

@amshinde you should not need to do this. Removing the qdisk removes the filters. But does not hurt.

[mcastelino]

LGTM

[amshinde]

/retest

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@5a8b738). Click here to learn what that means.
The diff coverage is 51.2%.

@@            Coverage Diff            @@
##             master     #827   +/-   ##
=========================================
  Coverage          ?   66.09%           
=========================================
  Files             ?       87           
  Lines             ?    10705           
  Branches          ?        0           
=========================================
  Hits              ?     7076           
  Misses            ?     2897           
  Partials          ?      732

[amshinde]

@grahamwhaley Is the metrics failure here a valid failure?

[grahamwhaley]

@amshinde probably not - we had a bunch of fails for the last 36h - I have tweaked the settings as per XXX to avoid false failures whilst I look at how to get things more stable.
The logs for your fail look like:

02:47:48 Report Summary:
02:47:48 +-----+----------------------+-------+--------+--------+-------+--------+--------+-------+------+-----+
02:47:48 | P/F |         NAME         |  FLR  |  MEAN  |  CEIL  |  GAP  |  MIN   |  MAX   |  RNG  | COV  | ITS |
02:47:48 +-----+----------------------+-------+--------+--------+-------+--------+--------+-------+------+-----+
02:47:48 | P   | boot-times           | 90.0% | 91.5%  | 110.0% | 20.0% | 88.7%  | 100.6% | 13.4% | 2.7% |  20 |
02:47:48 | *F* | memory-footprint     | 92.3% | 113.8% | 107.7% | 15.4% | 113.8% | 113.8% | 0.0%  | 0.0% |   1 |
02:47:48 | P   | memory-footprint-ksm | 89.3% | 92.4%  | 110.7% | 21.4% | 92.4%  | 92.4%  | 0.0%  | 0.0% |   1 |
02:47:48 +-----+----------------------+-------+--------+--------+-------+--------+--------+-------+------+-----+

but, as we discussed, you are better off running the network cpu test and/or other network tests locally to check if you have made any network impact. I'm half way through adding that test to the report gen btw.

[grahamwhaley]

s/XXX/ kata-containers/ci#72 /

[sboeuf]

@amshinde This PR looks very good to me, just a few comments, but mostly related to the fact that you should add more comments to make easy the understanding of this code ;)

[sboeuf]

This is not needed. The switch already checks this variable, there's no reason to reassign it.

[sboeuf]

Just a comment about naming here. I think it'd be clearer to call it setupTCFiltering().

[sboeuf]

I would rename it removeTCFiltering()

[sboeuf]

I know it's not only related to this PR, but we should define a constant for this. We don't want to play around with strings like this.

[sboeuf]

A comment about this function role would be nice (along those lines):

// addQdiscIngress creates a traffic rule for any incoming traffic to the interface
// designated by its index.

[sboeuf]

same here, a comment could be nice ;)

[sboeuf]

you can remove this blank line

[sboeuf]

Have we measured the perf impact before we take this decision?

[amshinde]

@sboeuf I ran some iperf tests to compare macvtap, bridge and tcfilter solutions on an Intel nuc.
With macvtap I got around 15Gbs throughtput, tcfiltering giving 13.5 Gbs while bridge gave around 12.9 to 13.5 Gbs.
So we get slightly better performance with tcfiltering as compared to bridge mode, but less performance as compared to macvtap. But I think, given that we get added functionality in terms of support for ipvlan, we can make this as the default. In case ipvlan support is not needed, users can choose to use macvtap instead.
WDYT?

[sboeuf]

Oh that's cool, thanks for running those tests :)
I don't have any strong opinion on this, but we need the community feedback here. I think we need to decide if we want the default to be the most performant or the most functional.

/cc @bergwolf @jodh-intel @egernst @mcastelino @WeiZhang555 @grahamwhaley @kata-containers/runtime

[mcastelino]

@amshinde have you measured if this impacts launch time latency? As this is simpler, we may be a bit faster to launch a kata-container with this. If @egernst can let us know how this performs when pushing 40Gbps, that may give us a better data point.

/cc @grahamwhaley

[amshinde]

@mcastelino I did see the latency was about the same, but did see some improvements in jitter, but this was over a tiny data set. I'll rerun the tests few more times for latency and post my results.

[raravena80]

@amshinde ping :)

[amshinde]

@sboeuf I have addressed all your comments. PTAL.

[sboeuf]

/test

[sboeuf]

@amshinde thanks!
LGTM

[amshinde]

/retest

[amshinde]

@sboeuf As discussed, I have dropped the commit to make this mode as the default. Will open another PR to address that.

[sboeuf]

@amshinde I'll merge as soon as we get the CI all green!

[amshinde]

@sboeuf Can we merge this?

[amshinde]

@jodh-intel Can you take another look?

[amshinde]

/retest

[amshinde]

Retriggering CI for code coverage.

[jodh-intel]

lgtm

Although you have conflicts...

[amshinde]

/retest

[mcastelino]

@amshinde a long time ago I added a mode called enlighted interworking mode. The goal of that was to use it after we added tc support.

The way I saw it implemented was

1. If the interface is something macvtap can handle use macvtap mode
2. If we know macvtap cannot handle it (or we are not familiar with) use the tc mode.

That way the user does not make the call. We do.