ROX-24945: adds rate limiting of network events per container

[Stringy]

Description

This adds new rate limiting of network connections per container, on top of the existing afterglow and batching methods in order to provide a safety mechanism (upper limit) to the number of reported network connections for a given workload. When External IPs is enabled, the volume of connections will naturally be much higher, so this limit is primarily in service to controlling that volume.

Some caveats and decisions:

• The rate limiting is implemented at the last possible moment, as the batch message is being constructed. This is means we do not rate limit connections that would otherwise be dropped by afterglow. It also means that we're rate limiting the delta between the old state and the new state.
• Close events (those with a close timestamp) are not rate limited. Otherwise we could end up with a situation where a connection exists in Sensor's model, but its close event is never sent so that connection will exist forever.
• The time window for rate limiting is pegged to the scrape interval, to provide a logical and well-understood time frame for scale. This means we can also think of this rate limit as a constraint on the maximum size of batch we'll ever send to Sensor.
• The rate limiting is enabled regardless of external IPs. I think this makes the overall behaviour of network event reporting much clearer and more predictable, but I am not married to this notion and should we want to retain old behaviour for the vast majority of cases, we can change this.

Depends on: stackrox/stackrox#13228

Checklist

• Investigated and inspected CI test results
• Updated documentation accordingly

Automated testing

• Added unit tests
• Added integration tests
• Added regression tests

If any of these don't apply, please comment below.

Testing Performed

TODO(replace-me)
Use this space to explain how you tested your PR, or, if you didn't test it, why you did not do so. (Valid reasons include "CI is sufficient" or "No testable changes")
In addition to reviewing your code, reviewers must also review your testing instructions, and make sure they are sufficient.

For more details, ref the Confluence page about this section.

[Molter73]

[nitpick] There's a helper method that should make it a bit clear this is a read lock.

Suggested change

	std::shared_lock<std::shared_mutex> lock(mutex_);
	auto lock = ReadLock();

[Stringy]

Done

[Molter73]

This handling is getting out of hand, we need to make it so all this configuration is always stored in the runtime_config_ object and, if we are not using it, just overwrite the value in there ourselves.

[Molter73]

Why do we need chrono now?

[Stringy]

We don't - removed

[Molter73]

Last time I tried adding something like this it completely destroyed performance in debug mode, have you tried it?

[Stringy]

Yeah this was just for manual verification - removed now.

[Molter73]

Are we sure we need sstream? I would assume Logging.h is enough.

[Stringy]

Removed

[Molter73]

Why are we constructing a RateLimitCache and then copy constructing another one? Couldn't we just...

Suggested change

	connections_rate_limiter_(RateLimitCache(config.PerContainerRateLimit(), config.PerContainerRateLimit(), config.ScrapeInterval())) {
	connections_rate_limiter_(config.PerContainerRateLimit(), config.PerContainerRateLimit(), config.ScrapeInterval()) {

[Stringy]

This was due to my ignorance about how these constructors worked - my bad! I've removed the connections_rate_limiter_ member now anyway so this problem has also been removed.

[Molter73]

🦀

[Molter73]

I mean...

Suggested change

	berserker_img := image_store.QaImageByKey("performance-berserker")
	images := []string{
	berserker_img,
	}
	for _, image := range images {
	err := s.executor.PullImage(image)
	s.Require().NoError(err)
	}
	berserker_img := image_store.QaImageByKey("performance-berserker")
	err := s.Executor().PullImage(berserker_img)
	s.Require().NoError(err)

Unless you are actively planning to add more images to the test.

[Stringy]

I've (temporarily) removed this test suite now, in favour of unit tests. I'll work on it on the side and add it back in in another PR.

[Molter73]

[nitpick]

Suggested change

	berserkerID, err := s.Executor().StartContainer(config.ContainerStartConfig{
	Name: "berserker-server",
	Image: berserker_img,
	Env: map[string]string{
	"BERSERKER__WORKLOAD__NCONNECTIONS": "100",
	"RUST_BACKTRACE": "full",
	},
	Command: []string{"/etc/berserker/network/server.toml"},
	NetworkMode: "host",
	Privileged: true,
	})
	s.Require().NoError(err)
	s.serverID = berserkerID
	s.serverID, err = s.Executor().StartContainer(config.ContainerStartConfig{
	Name: "berserker-server",
	Image: berserker_img,
	Env: map[string]string{
	"BERSERKER__WORKLOAD__NCONNECTIONS": "100",
	"RUST_BACKTRACE": "full",
	},
	Command: []string{"/etc/berserker/network/server.toml"},
	NetworkMode: "host",
	Privileged: true,
	})
	s.Require().NoError(err)

[Molter73]

[nitpick]

Suggested change

	berserkerID, err = s.Executor().StartContainer(config.ContainerStartConfig{
	Name: "berserker-client",
	Image: berserker_img,
	Env: map[string]string{
	"BERSERKER__WORKLOAD__NCONNECTIONS": "100",
	"RUST_BACKTRACE": "full",
	},
	Command: []string{"/etc/berserker/network/client.toml"},
	NetworkMode: "host",
	Privileged: true,
	})
	s.Require().NoError(err)
	s.clientID = berserkerID
	}
	s.clientID, err = s.Executor().StartContainer(config.ContainerStartConfig{
	Name: "berserker-client",
	Image: berserker_img,
	Env: map[string]string{
	"BERSERKER__WORKLOAD__NCONNECTIONS": "100",
	"RUST_BACKTRACE": "full",
	},
	Command: []string{"/etc/berserker/network/client.toml"},
	NetworkMode: "host",
	Privileged: true,
	})
	s.Require().NoError(err)
	}

[Molter73]

LGTM! Left a few comments but nothing major.

[Molter73]

Think we can now remove this include as well.

[Molter73]

Suggested change

//

[Molter73]

Could we group these in a vector or array?

[Stringy]

I've tried this out but I think I prefer the clarity of statically defining the connections and the deltas - manipulating vectors hides a bit of the intention behind each one. To make it all a bit clearer, though, I've statically define active and closed statuses so there's no more duplication in the deltas

[Molter73]

Same for these two to be grouped in a vector or array.

[Molter73]

With the connections in a container, this can be generated in a for loop:

Suggested change

	ConnMap deltaSingle = {
	{conn1, ConnStatus(1234, true)},
	{conn2, ConnStatus(1234, true)},
	{conn3, ConnStatus(1234, true)},
	{conn4, ConnStatus(1234, true)},
	};
	ConnMap deltaSingle{};
	for {const auto& conn : connections) {
	deltaSingle.emplace(conn, ConnStatus(1234, true));
	};

[Molter73]

There's probably something similar you can do to deltaDuo and deltaClose.

[Molter73]

[nitpick] I had a bit of problem understanding these are 3 separate variables of type google::protobuf::RepeatedPtrField<sensor::NetworkConnection>, probably a skill issue, so feel free to ignore this, but you could define a shorter name for the type and declare all three variables separately:

Suggested change

	google::protobuf::RepeatedPtrField<sensor::NetworkConnection>
	updatesSingle,
	updatesDuo,
	updatesClose;
	using UpdatedConnections = google::protobuf::RepeatedPtrField<sensor::NetworkConnection>;
	UpdatedConnections updatesSingle;
	UpdatedConnections updatesDuo;
	UpdatedConnections updatesClose;

[Molter73]

Or you could use an array

Suggested change

	google::protobuf::RepeatedPtrField<sensor::NetworkConnection>
	updatesSingle,
	updatesDuo,
	updatesClose;
	using UpdatedConnections = google::protobuf::RepeatedPtrField<sensor::NetworkConnection>;
	std::array<UpdatedConnections, 3> updatedConnections;

[ovalenti]

Thanks for the stats counter. Overall, this looks good !

I tend to agree with @Molter73 on the fact that it would be easier to make sure that the runtime config always contains the value to use (even if it requires us to write the default values there).

[Stringy]

it would be easier to make sure that the runtime config always contains the value to use (even if it requires us to write the default values there).

Yes, I agree, though I don't think we can define the defaults in the proto itself (due to limitations with protobufs) so I think we'll need to enforce them somewhere. It might make sense to encapsulate that in Collector, but outside of the existing CollectorConfig class. I'll look into it in a follow up PR.

[JoukoVirtanen]

LGTM!