2:41 a.m.
Hi, all.
On fat hosts which are capable to run hundreds of VMs restarting libvirtd
makes it's services unavailable for a long time if VMs use network filters. In
my tests each of 100 VMs has no-promisc [1] and no-mac-spoofing filters and
executing virsh list right after daemon restart takes appoximately 140s if no
firewalld is running (that is ebtables/iptables/ip6tables commands are used to
configure kernel tables).
The problem is daemon does not even start to read from client connections
because state drivers are not initialized. Initialization is blocked in state
drivers autostart which grabs VMs locks. And VMs locks are hold by VMs
reconnection code. Each VM reloads network tables on reconnection and this
reloading is serialized on updateMutex in gentech nwfilter driver.
Workarounding autostart won't help much because even if state drivers will
initialize listing VM won't be possible because listing VMs takes each VM lock
one by one too. However managing VM that passed reconnection phase will be
possible which takes same 140s in worst case.
Note that this issue is only applicable if we use filters configuration that
don't need ip learning. In the latter case situation is different because
reconnection code spawns new thread that apply network rules only after ip is
learned from traffic and this thread does not grab VM lock. As result VMs are
managable but reloading filters in background takes appoximately those same
140s. I guess managing network filters during this period can have issues too.
Anyway this situation does not look good so fixing the described issue by
spawning threads even without ip learning does not look nice to me.
What speed up is possible on conservative approach? First we can remove for
test purpuses firewall ruleLock, gentech dirver updateMutex and filter object
mutex which do not serve function in restart scenario. This gives 36s restart
time. The speed up is archived because heavy fork/preexec steps are now run
concurrently.
Next we can try to reduce fork/preexec time. To estimate its contibution alone
let's bring back the above locks. It turns out the most time takes fork itself
and closing 8k (on my system) file descriptors in preexec. Using vfork gives
2x boost and so does dropping mass close. (I check this mass close contribution
because I not quite understand the purpose of this step - libvirt typically set
close-on-exec flag on it's descriptors). So this two optimizations alone can
result in restart time of 30s.
Unfortunately combining the above two approaches does not give boost multiple
of them along. The reason is due to concurrency and high number of VMs (100)
preexec boost does not have significant role and using vfork dininishes
concurrency as it freezes all parent threads before execve. So dropping locks
and closes gives 33s restart time and adding vfork to this gives 25s restart
time.
Another approach is to use --atomic-file option for ebtables
(iptables/ip6tables unfortunately does not have one). The idea is to save table
to file/edit file/commit table to kernel. I hoped this could give performance
boost because we don't need to load/store kernel network table for a single
rule update. In order to isolate approaches I also dropped all ip/ip6 updates
which can not be done this way. In this approach we can not drop ruleLock in
firewall because no other VM threads should change tables between save/commit.
This approach gives restart time 25s. But this approach is broken anyway as we
can not be sure another application doesn't change newtork table between
save/commit in which case these changes will be lost.
After all I think we need to move in a different direction. We can add API to
all binaries and firewalld to execute many commands in one run. We can pass
commands as arguments or wrote them into file which is then given to binary.
Then libvirt itself can update for example bridge network table in couple of
commands. The exact number depends on new API. For example if we add option to
delete chains recursively and an option not to fail on NOENT error we can
change table in one command (no listing current rules is required).
[1] no-promisc filter
<filter name='no-promisc' chain='root' priority='-750'>
<uuid>6d055022-1192-4a3d-ae1f-576baa5564b6</uuid>
<rule action='return' direction='in' priority='500'>
<mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
</rule>
<rule action='return' direction='in' priority='500'>
<mac dstmacaddr='$MAC'/>
</rule>
<rule action='return' direction='in' priority='500'>
<mac dstmacaddr='33:33:00:00:00:00'
dstmacmask='ff:ff:00:00:00:00'/>
</rule>
<rule action='drop' direction='in' priority='500'>
<mac/>
</rule>
<rule action='return' direction='in' priority='500'>
<mac dstmacaddr='01:00:5e:00:00:00'
dstmacmask='ff:ff:ff:80:00:00'/>
</rule>
</filter>
7:19 a.m.
ping
On 24.09.2018 10:41, Nikolay Shirokovskiy wrote:
Hi, all.
On fat hosts which are capable to run hundreds of VMs restarting libvirtd
makes it's services unavailable for a long time if VMs use network filters. In
my tests each of 100 VMs has no-promisc [1] and no-mac-spoofing filters and
executing virsh list right after daemon restart takes appoximately 140s if no
firewalld is running (that is ebtables/iptables/ip6tables commands are used to
configure kernel tables).
The problem is daemon does not even start to read from client connections
because state drivers are not initialized. Initialization is blocked in state
drivers autostart which grabs VMs locks. And VMs locks are hold by VMs
reconnection code. Each VM reloads network tables on reconnection and this
reloading is serialized on updateMutex in gentech nwfilter driver.
Workarounding autostart won't help much because even if state drivers will
initialize listing VM won't be possible because listing VMs takes each VM lock
one by one too. However managing VM that passed reconnection phase will be
possible which takes same 140s in worst case.
Note that this issue is only applicable if we use filters configuration that
don't need ip learning. In the latter case situation is different because
reconnection code spawns new thread that apply network rules only after ip is
learned from traffic and this thread does not grab VM lock. As result VMs are
managable but reloading filters in background takes appoximately those same
140s. I guess managing network filters during this period can have issues too.
Anyway this situation does not look good so fixing the described issue by
spawning threads even without ip learning does not look nice to me.
What speed up is possible on conservative approach? First we can remove for
test purpuses firewall ruleLock, gentech dirver updateMutex and filter object
mutex which do not serve function in restart scenario. This gives 36s restart
time. The speed up is archived because heavy fork/preexec steps are now run
concurrently.
Next we can try to reduce fork/preexec time. To estimate its contibution alone
let's bring back the above locks. It turns out the most time takes fork itself
and closing 8k (on my system) file descriptors in preexec. Using vfork gives
2x boost and so does dropping mass close. (I check this mass close contribution
because I not quite understand the purpose of this step - libvirt typically set
close-on-exec flag on it's descriptors). So this two optimizations alone can
result in restart time of 30s.
Unfortunately combining the above two approaches does not give boost multiple
of them along. The reason is due to concurrency and high number of VMs (100)
preexec boost does not have significant role and using vfork dininishes
concurrency as it freezes all parent threads before execve. So dropping locks
and closes gives 33s restart time and adding vfork to this gives 25s restart
time.
Another approach is to use --atomic-file option for ebtables
(iptables/ip6tables unfortunately does not have one). The idea is to save table
to file/edit file/commit table to kernel. I hoped this could give performance
boost because we don't need to load/store kernel network table for a single
rule update. In order to isolate approaches I also dropped all ip/ip6 updates
which can not be done this way. In this approach we can not drop ruleLock in
firewall because no other VM threads should change tables between save/commit.
This approach gives restart time 25s. But this approach is broken anyway as we
can not be sure another application doesn't change newtork table between
save/commit in which case these changes will be lost.
After all I think we need to move in a different direction. We can add API to
all binaries and firewalld to execute many commands in one run. We can pass
commands as arguments or wrote them into file which is then given to binary.
Then libvirt itself can update for example bridge network table in couple of
commands. The exact number depends on new API. For example if we add option to
delete chains recursively and an option not to fail on NOENT error we can
change table in one command (no listing current rules is required).
[1] no-promisc filter
<filter name='no-promisc' chain='root' priority='-750'>
<uuid>6d055022-1192-4a3d-ae1f-576baa5564b6</uuid>
<rule action='return' direction='in' priority='500'>
<mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
</rule>
<rule action='return' direction='in' priority='500'>
<mac dstmacaddr='$MAC'/>
</rule>
<rule action='return' direction='in' priority='500'>
<mac dstmacaddr='33:33:00:00:00:00'
dstmacmask='ff:ff:00:00:00:00'/>
</rule>
<rule action='drop' direction='in' priority='500'>
<mac/>
</rule>
<rule action='return' direction='in' priority='500'>
<mac dstmacaddr='01:00:5e:00:00:00'
dstmacmask='ff:ff:ff:80:00:00'/>
</rule>
</filter>
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
5:20 a.m.
On Mon, Sep 24, 2018 at 10:41:37AM +0300, Nikolay Shirokovskiy wrote:
Hi, all.
On fat hosts which are capable to run hundreds of VMs restarting libvirtd
makes it's services unavailable for a long time if VMs use network filters. In
my tests each of 100 VMs has no-promisc [1] and no-mac-spoofing filters and
executing virsh list right after daemon restart takes appoximately 140s if no
firewalld is running (that is ebtables/iptables/ip6tables commands are used to
configure kernel tables).
Yep, this is not entirely surprising given the huge number of rules we try
to create.
The problem is daemon does not even start to read from client
connections
because state drivers are not initialized. Initialization is blocked in state
drivers autostart which grabs VMs locks. And VMs locks are hold by VMs
reconnection code. Each VM reloads network tables on reconnection and this
reloading is serialized on updateMutex in gentech nwfilter driver.
Workarounding autostart won't help much because even if state drivers will
initialize listing VM won't be possible because listing VMs takes each VM lock
one by one too. However managing VM that passed reconnection phase will be
possible which takes same 140s in worst case.
In the QEMU driver we call qemuProcesssReconnectAll(). This spawns one
thread per VM that needs connecting to.
So AFAICT, state driver initialization should not be blocked. Libvirtd
should accept commands, but any APIs that touch a virDomainObj will of
course still be blocked until reconnect is completed.
Note that this issue is only applicable if we use filters
configuration that
don't need ip learning. In the latter case situation is different because
reconnection code spawns new thread that apply network rules only after ip is
learned from traffic and this thread does not grab VM lock. As result VMs are
managable but reloading filters in background takes appoximately those same
140s. I guess managing network filters during this period can have issues too.
I believe it should be possible to still change network filters while this
reconnect is taking place - it would mean that any VMs affected by the filter
change would have their iptables rules re-built a second time. However...
Anyway this situation does not look good so fixing the described
issue by
spawning threads even without ip learning does not look nice to me.
this is tricky - we want to know filters are built before we allow the VM
to start running, so we don't want to spawn a background thread in general.
IP learning has special code that sets up a minimal safe ruleset before
spawning the thread and waiting todo the real ruleset creation based on
the learn IP address. So I don't think it is desirable to change all
rule creation to run in a background thread.
What speed up is possible on conservative approach? First we can
remove for
test purpuses firewall ruleLock, gentech dirver updateMutex and filter object
mutex which do not serve function in restart scenario. This gives 36s restart
time. The speed up is archived because heavy fork/preexec steps are now run
concurrently.
To me the most obvious speedup is not to run any commands at all.
99% of the time when we restart libvirtd and re-build network filters
we are achieving nothing useful. We tear down the rules and replace
them by exactly the same rules.
The idea behind rebuilding at startup is that someone might have changed
the config on diks while libvirtd was not running, and we want to ensure
that the VMs have the correct live config after this.
Alternatively libvirtd has been upgraded to a newer version, and we want
to rebuild with the new code in case old code had a bug causing it to
create incorrect rules.
I think we should look at how to optimize this to be more intelligent.
We could somehow record a hash of what rule contents was used
originally. Only rebuild the rules if we see the hash of nwfilter
rules has changed, or if libvirtd binary has had code changes.
Next we can try to reduce fork/preexec time. To estimate its
contibution alone
let's bring back the above locks. It turns out the most time takes fork itself
and closing 8k (on my system) file descriptors in preexec. Using vfork gives
2x boost and so does dropping mass close. (I check this mass close contribution
because I not quite understand the purpose of this step - libvirt typically set
close-on-exec flag on it's descriptors). So this two optimizations alone can
result in restart time of 30s.
I don't like the idea of using vfork(). It is already hard to do stuff between
fork() and execve() safely as you're restricted to async signal safe functions.
vfork() places an even greater number of restrictions on code that can be
run. It is especially dangerous in threaded programs as only the calling thread
is suspended.
Unfortunately we cannot rely on close-on-exec. Depending on OS and/or version,
clsoe-on-exec setting may or may not be atomic. eg
open(...., O_CLOEXEC)
vs
open(...)
fcntl(O_CLOSEXEC)
the later has a race we'd hit.
In addition libvirt links to a huge number of 3rd party libraries and I have
essentially zero confidence in them setting O_CLOEXEC correctly all the time.
IOW, the mass close is inescapable IMHO.
The only thing I could see us doing is to spawn some minimalist helper process
which then spawns iptables as needed. We'd only need the mass-close once for
the helper process, which can then just spawn iptables without mass-close,
or simply set a tiny max files ulimit for this helper process so that it
only 'mass close' 20 FDs.
We'd have to write the set of desired iptables rules into some data format,
send it to the helper to execute and wait for results. Probably not too
difficult to achieve.
Unfortunately combining the above two approaches does not give boost
multiple
of them along. The reason is due to concurrency and high number of VMs (100)
preexec boost does not have significant role and using vfork dininishes
concurrency as it freezes all parent threads before execve. So dropping locks
and closes gives 33s restart time and adding vfork to this gives 25s restart
time.
Another approach is to use --atomic-file option for ebtables
(iptables/ip6tables unfortunately does not have one). The idea is to save table
to file/edit file/commit table to kernel. I hoped this could give performance
boost because we don't need to load/store kernel network table for a single
rule update. In order to isolate approaches I also dropped all ip/ip6 updates
which can not be done this way. In this approach we can not drop ruleLock in
firewall because no other VM threads should change tables between save/commit.
This approach gives restart time 25s. But this approach is broken anyway as we
can not be sure another application doesn't change newtork table between
save/commit in which case these changes will be lost.
After all I think we need to move in a different direction. We can add API to
all binaries and firewalld to execute many commands in one run. We can pass
commands as arguments or wrote them into file which is then given to binary.
This sounds like 'iptables-restore' command which accepts a batch of commands
in a file. There's also ip6tables-restore and ebtables-restore.
There's no way to execute these via firewalld though.
It is also tricky when we need to check the output of certan commands
before making a decision on which other commands to run. It would
certainly speed things up though to load batches of rules at once.
IMHO the most immediately useful thing would be to work on optimization
to skip re-creating nwfilter rules on startup, unless we detect there
are likely changes.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
6:37 a.m.
On 11.10.2018 13:20, Daniel P. Berrangé wrote:
On Mon, Sep 24, 2018 at 10:41:37AM +0300, Nikolay Shirokovskiy
wrote:
> Hi, all.
>
> On fat hosts which are capable to run hundreds of VMs restarting libvirtd
> makes it's services unavailable for a long time if VMs use network filters. In
> my tests each of 100 VMs has no-promisc [1] and no-mac-spoofing filters and
> executing virsh list right after daemon restart takes appoximately 140s if no
> firewalld is running (that is ebtables/iptables/ip6tables commands are used to
> configure kernel tables).
Yep, this is not entirely surprising given the huge number of rules we try
to create.
> The problem is daemon does not even start to read from client connections
> because state drivers are not initialized. Initialization is blocked in state
> drivers autostart which grabs VMs locks. And VMs locks are hold by VMs
> reconnection code. Each VM reloads network tables on reconnection and this
> reloading is serialized on updateMutex in gentech nwfilter driver.
> Workarounding autostart won't help much because even if state drivers will
> initialize listing VM won't be possible because listing VMs takes each VM lock
> one by one too. However managing VM that passed reconnection phase will be
> possible which takes same 140s in worst case.
In the QEMU driver we call qemuProcesssReconnectAll(). This spawns one
thread per VM that needs connecting to.
So AFAICT, state driver initialization should not be blocked. Libvirtd
should accept commands, but any APIs that touch a virDomainObj will of
course still be blocked until reconnect is completed.
> Note that this issue is only applicable if we use filters configuration that
> don't need ip learning. In the latter case situation is different because
> reconnection code spawns new thread that apply network rules only after ip is
> learned from traffic and this thread does not grab VM lock. As result VMs are
> managable but reloading filters in background takes appoximately those same
> 140s. I guess managing network filters during this period can have issues too.
I believe it should be possible to still change network filters while this
reconnect is taking place - it would mean that any VMs affected by the filter
change would have their iptables rules re-built a second time. However...
> Anyway this situation does not look good so fixing the described issue by
> spawning threads even without ip learning does not look nice to me.
this is tricky - we want to know filters are built before we allow the VM
to start running, so we don't want to spawn a background thread in general.
IP learning has special code that sets up a minimal safe ruleset before
spawning the thread and waiting todo the real ruleset creation based on
the learn IP address. So I don't think it is desirable to change all
rule creation to run in a background thread.
> What speed up is possible on conservative approach? First we can remove for
> test purpuses firewall ruleLock, gentech dirver updateMutex and filter object
> mutex which do not serve function in restart scenario. This gives 36s restart
> time. The speed up is archived because heavy fork/preexec steps are now run
> concurrently.
To me the most obvious speedup is not to run any commands at all.
99% of the time when we restart libvirtd and re-build network filters
we are achieving nothing useful. We tear down the rules and replace
them by exactly the same rules.
The idea behind rebuilding at startup is that someone might have changed
the config on diks while libvirtd was not running, and we want to ensure
that the VMs have the correct live config after this.
Alternatively libvirtd has been upgraded to a newer version, and we want
to rebuild with the new code in case old code had a bug causing it to
create incorrect rules.
I think we should look at how to optimize this to be more intelligent.
We could somehow record a hash of what rule contents was used
originally. Only rebuild the rules if we see the hash of nwfilter
rules has changed, or if libvirtd binary has had code changes.
> Next we can try to reduce fork/preexec time. To estimate its contibution alone
> let's bring back the above locks. It turns out the most time takes fork itself
> and closing 8k (on my system) file descriptors in preexec. Using vfork gives
> 2x boost and so does dropping mass close. (I check this mass close contribution
> because I not quite understand the purpose of this step - libvirt typically set
> close-on-exec flag on it's descriptors). So this two optimizations alone can
> result in restart time of 30s.
I don't like the idea of using vfork(). It is already hard to do stuff between
fork() and execve() safely as you're restricted to async signal safe functions.
vfork() places an even greater number of restrictions on code that can be
run. It is especially dangerous in threaded programs as only the calling thread
is suspended.
Unfortunately we cannot rely on close-on-exec. Depending on OS and/or version,
clsoe-on-exec setting may or may not be atomic. eg
open(...., O_CLOEXEC)
vs
open(...)
fcntl(O_CLOSEXEC)
the later has a race we'd hit.
In addition libvirt links to a huge number of 3rd party libraries and I have
essentially zero confidence in them setting O_CLOEXEC correctly all the time.
IOW, the mass close is inescapable IMHO.
The only thing I could see us doing is to spawn some minimalist helper process
which then spawns iptables as needed. We'd only need the mass-close once for
the helper process, which can then just spawn iptables without mass-close,
or simply set a tiny max files ulimit for this helper process so that it
only 'mass close' 20 FDs.
We'd have to write the set of desired iptables rules into some data format,
send it to the helper to execute and wait for results. Probably not too
difficult to achieve.
> Unfortunately combining the above two approaches does not give boost multiple
> of them along. The reason is due to concurrency and high number of VMs (100)
> preexec boost does not have significant role and using vfork dininishes
> concurrency as it freezes all parent threads before execve. So dropping locks
> and closes gives 33s restart time and adding vfork to this gives 25s restart
> time.
>
> Another approach is to use --atomic-file option for ebtables
> (iptables/ip6tables unfortunately does not have one). The idea is to save table
> to file/edit file/commit table to kernel. I hoped this could give performance
> boost because we don't need to load/store kernel network table for a single
> rule update. In order to isolate approaches I also dropped all ip/ip6 updates
> which can not be done this way. In this approach we can not drop ruleLock in
> firewall because no other VM threads should change tables between save/commit.
> This approach gives restart time 25s. But this approach is broken anyway as we
> can not be sure another application doesn't change newtork table between
> save/commit in which case these changes will be lost.
>
> After all I think we need to move in a different direction. We can add API to
> all binaries and firewalld to execute many commands in one run. We can pass
> commands as arguments or wrote them into file which is then given to binary.
This sounds like 'iptables-restore' command which accepts a batch of commands
in a file. There's also ip6tables-restore and ebtables-restore.
There's no way to execute these via firewalld though.
It is also tricky when we need to check the output of certan commands
before making a decision on which other commands to run. It would
certainly speed things up though to load batches of rules at once.
IMHO the most immediately useful thing would be to work on optimization
to skip re-creating nwfilter rules on startup, unless we detect there
are likely changes.
Thanx! Quite simple and effective indeed.
Nikolay
2:57 p.m.
On 10/11/2018 06:20 AM, Daniel P. Berrangé wrote:
On Mon, Sep 24, 2018 at 10:41:37AM +0300, Nikolay Shirokovskiy
wrote:
> What speed up is possible on conservative approach? First we can remove for
> test purpuses firewall ruleLock, gentech dirver updateMutex and filter object
> mutex which do not serve function in restart scenario. This gives 36s restart
> time. The speed up is archived because heavy fork/preexec steps are now run
> concurrently.
To me the most obvious speedup is not to run any commands at all.
99% of the time when we restart libvirtd and re-build network filters
we are achieving nothing useful. We tear down the rules and replace
them by exactly the same rules.
The idea behind rebuilding at startup is that someone might have changed
the config on diks while libvirtd was not running, and we want to ensure
that the VMs have the correct live config after this.
Alternatively libvirtd has been upgraded to a newer version, and we want
to rebuild with the new code in case old code had a bug causing it to
create incorrect rules.
I think we should look at how to optimize this to be more intelligent.
We could somehow record a hash of what rule contents was used
originally. Only rebuild the rules if we see the hash of nwfilter
rules has changed, or if libvirtd binary has had code changes.
Since we pre-emptively delete any existing copy of a rule just prior to
adding that rule, another way we could reduce startup time would be to
spend less time deleting. one way of doing that would (I think) be if we
could add all of our rules in a set of chains that we create ourselves.
Then when libvirtd restarted, we could just issue a few commands to
flush those chains. (come to think of it, nwfilter *already* puts
most/all of its rules in self-created chains. Hmm....
> Next we can try to reduce fork/preexec time. To estimate its contibution alone
> let's bring back the above locks. It turns out the most time takes fork itself
> and closing 8k (on my system) file descriptors in preexec. Using vfork gives
> 2x boost and so does dropping mass close. (I check this mass close contribution
> because I not quite understand the purpose of this step - libvirt typically set
> close-on-exec flag on it's descriptors). So this two optimizations alone can
> result in restart time of 30s.
I don't like the idea of using vfork(). It is already hard to do stuff between
fork() and execve() safely as you're restricted to async signal safe functions.
vfork() places an even greater number of restrictions on code that can be
run. It is especially dangerous in threaded programs as only the calling thread
is suspended.
Unfortunately we cannot rely on close-on-exec. Depending on OS and/or version,
clsoe-on-exec setting may or may not be atomic. eg
open(...., O_CLOEXEC)
vs
open(...)
fcntl(O_CLOSEXEC)
the later has a race we'd hit.
In addition libvirt links to a huge number of 3rd party libraries and I have
essentially zero confidence in them setting O_CLOEXEC correctly all the time.
IOW, the mass close is inescapable IMHO.
The only thing I could see us doing is to spawn some minimalist helper process
which then spawns iptables as needed. We'd only need the mass-close once for
the helper process, which can then just spawn iptables without mass-close,
or simply set a tiny max files ulimit for this helper process so that it
only 'mass close' 20 FDs.
We'd have to write the set of desired iptables rules into some data format,
send it to the helper to execute and wait for results. Probably not too
difficult to achieve.
The best way to reduce fork/exec time is of course to never fork/exec at
all :-). So, a chain of current/future events that could lead to 0
fork/execs:
1) upstream firewalld now has an nftables backend available
(hang with me, this really is related...)
2) some distros have already switched to it (someone running debian on
#virt a couple weeks ago had a problem that turned out to be due to
using the nftables backend, and Fedora 29 *tried* to switch to using the
nftables backend, but had to revert/postpone the change due to the
networking problems it caused with libvirt virtual networks.)
3) due to (1) and (2) we're looking into making libvirt work properly
with a firewalld using nftables (it's going to take new code in both
libvirt *and* firewalld)
4) an upcoming release of firewalld will be to adding/deleting nftables
rules using calls to a library rather than a fork/exec of the nft command.
Once libvirt is working with an nftables backend to firewalld, and
firewalld is using an API to access nftables, there will be 0
fork/execs! Yay!
(The bad news is that libvirt's nwfilter rules require more new
functionality that doesn't yet exist in firewalld (e.g. outbound rules),
so while the firewall rules that we add for libvirt networks could be
switched over fairly soo, the nwfilter part is going to take awhile :-/
> Unfortunately combining the above two approaches does not give boost multiple
> of them along. The reason is due to concurrency and high number of VMs (100)
> preexec boost does not have significant role and using vfork dininishes
> concurrency as it freezes all parent threads before execve. So dropping locks
> and closes gives 33s restart time and adding vfork to this gives 25s restart
> time.
>
> Another approach is to use --atomic-file option for ebtables
> (iptables/ip6tables unfortunately does not have one). The idea is to save table
> to file/edit file/commit table to kernel. I hoped this could give performance
> boost because we don't need to load/store kernel network table for a single
> rule update. In order to isolate approaches I also dropped all ip/ip6 updates
> which can not be done this way. In this approach we can not drop ruleLock in
> firewall because no other VM threads should change tables between save/commit.
> This approach gives restart time 25s. But this approach is broken anyway as we
> can not be sure another application doesn't change newtork table between
> save/commit in which case these changes will be lost.
>
> After all I think we need to move in a different direction. We can add API to
> all binaries and firewalld to execute many commands in one run. We can pass
> commands as arguments or wrote them into file which is then given to binary.
This sounds like 'iptables-restore' command which accepts a batch of commands
in a file. There's also ip6tables-restore and ebtables-restore.
There's no way to execute these via firewalld though.
...even though firewalld itself internally uses iptables-restore in
certain cases (according to what I was told by one of the firewalld
developers).
(also, for those naughty people who have firewalld disabled, libvirt
could use iptables-restore)
It is also tricky when we need to check the output of certan commands
before making a decision on which other commands to run. It would
certainly speed things up though to load batches of rules at once.
IMHO the most immediately useful thing would be to work on optimization
to skip re-creating nwfilter rules on startup, unless we detect there
are likely changes.
Agreed. That is something that could be done now, with no new features
required from any other package.
2:47 a.m.
On Thu, Oct 11, 2018 at 03:57:10PM -0400, Laine Stump wrote:
On 10/11/2018 06:20 AM, Daniel P. Berrangé wrote:
> On Mon, Sep 24, 2018 at 10:41:37AM +0300, Nikolay Shirokovskiy wrote:
>
>> What speed up is possible on conservative approach? First we can remove for
>> test purpuses firewall ruleLock, gentech dirver updateMutex and filter object
>> mutex which do not serve function in restart scenario. This gives 36s restart
>> time. The speed up is archived because heavy fork/preexec steps are now run
>> concurrently.
> To me the most obvious speedup is not to run any commands at all.
>
> 99% of the time when we restart libvirtd and re-build network filters
> we are achieving nothing useful. We tear down the rules and replace
> them by exactly the same rules.
>
> The idea behind rebuilding at startup is that someone might have changed
> the config on diks while libvirtd was not running, and we want to ensure
> that the VMs have the correct live config after this.
>
> Alternatively libvirtd has been upgraded to a newer version, and we want
> to rebuild with the new code in case old code had a bug causing it to
> create incorrect rules.
>
> I think we should look at how to optimize this to be more intelligent.
>
> We could somehow record a hash of what rule contents was used
> originally. Only rebuild the rules if we see the hash of nwfilter
> rules has changed, or if libvirtd binary has had code changes.
Since we pre-emptively delete any existing copy of a rule just prior to
adding that rule, another way we could reduce startup time would be to
spend less time deleting. one way of doing that would (I think) be if we
could add all of our rules in a set of chains that we create ourselves.
Then when libvirtd restarted, we could just issue a few commands to
flush those chains. (come to think of it, nwfilter *already* puts
most/all of its rules in self-created chains. Hmm....
I don't think deletion is a big problem - we only delete the custom
chains with nwfilter, and that's a small part of the command count.
The best way to reduce fork/exec time is of course to never fork/exec
at
all :-). So, a chain of current/future events that could lead to 0
fork/execs:
1) upstream firewalld now has an nftables backend available
(hang with me, this really is related...)
2) some distros have already switched to it (someone running debian on
#virt a couple weeks ago had a problem that turned out to be due to
using the nftables backend, and Fedora 29 *tried* to switch to using the
nftables backend, but had to revert/postpone the change due to the
networking problems it caused with libvirt virtual networks.)
3) due to (1) and (2) we're looking into making libvirt work properly
with a firewalld using nftables (it's going to take new code in both
libvirt *and* firewalld)
4) an upcoming release of firewalld will be to adding/deleting nftables
rules using calls to a library rather than a fork/exec of the nft command.
Once libvirt is working with an nftables backend to firewalld, and
firewalld is using an API to access nftables, there will be 0
fork/execs! Yay!
Sadly not.
We don't fork/exec but we do call dbus *synchronously* to get firewalld
to add the rules, and firewalld does a fork/exec.
IOW, we still have the fork/exec for every command, but we also now
have a dbus roundtrip on top.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
3:13 a.m.
On Fri, Oct 12, 2018 at 08:47:55AM +0100, Daniel P. Berrangé wrote:
On Thu, Oct 11, 2018 at 03:57:10PM -0400, Laine Stump wrote:
> On 10/11/2018 06:20 AM, Daniel P. Berrangé wrote:
> > On Mon, Sep 24, 2018 at 10:41:37AM +0300, Nikolay Shirokovskiy wrote:
> >
> >> What speed up is possible on conservative approach? First we can remove
for
> >> test purpuses firewall ruleLock, gentech dirver updateMutex and filter
object
> >> mutex which do not serve function in restart scenario. This gives 36s
restart
> >> time. The speed up is archived because heavy fork/preexec steps are now
run
> >> concurrently.
> > To me the most obvious speedup is not to run any commands at all.
> >
> > 99% of the time when we restart libvirtd and re-build network filters
> > we are achieving nothing useful. We tear down the rules and replace
> > them by exactly the same rules.
> >
> > The idea behind rebuilding at startup is that someone might have changed
> > the config on diks while libvirtd was not running, and we want to ensure
> > that the VMs have the correct live config after this.
> >
> > Alternatively libvirtd has been upgraded to a newer version, and we want
> > to rebuild with the new code in case old code had a bug causing it to
> > create incorrect rules.
> >
> > I think we should look at how to optimize this to be more intelligent.
> >
> > We could somehow record a hash of what rule contents was used
> > originally. Only rebuild the rules if we see the hash of nwfilter
> > rules has changed, or if libvirtd binary has had code changes.
>
> Since we pre-emptively delete any existing copy of a rule just prior to
> adding that rule, another way we could reduce startup time would be to
> spend less time deleting. one way of doing that would (I think) be if we
> could add all of our rules in a set of chains that we create ourselves.
> Then when libvirtd restarted, we could just issue a few commands to
> flush those chains. (come to think of it, nwfilter *already* puts
> most/all of its rules in self-created chains. Hmm....
I don't think deletion is a big problem - we only delete the custom
chains with nwfilter, and that's a small part of the command count.
> The best way to reduce fork/exec time is of course to never fork/exec at
> all :-). So, a chain of current/future events that could lead to 0
> fork/execs:
>
> 1) upstream firewalld now has an nftables backend available
> (hang with me, this really is related...)
>
> 2) some distros have already switched to it (someone running debian on
> #virt a couple weeks ago had a problem that turned out to be due to
> using the nftables backend, and Fedora 29 *tried* to switch to using the
> nftables backend, but had to revert/postpone the change due to the
> networking problems it caused with libvirt virtual networks.)
>
> 3) due to (1) and (2) we're looking into making libvirt work properly
> with a firewalld using nftables (it's going to take new code in both
> libvirt *and* firewalld)
>
> 4) an upcoming release of firewalld will be to adding/deleting nftables
> rules using calls to a library rather than a fork/exec of the nft command.
>
> Once libvirt is working with an nftables backend to firewalld, and
> firewalld is using an API to access nftables, there will be 0
> fork/execs! Yay!
Sadly not.
We don't fork/exec but we do call dbus *synchronously* to get firewalld
to add the rules, and firewalld does a fork/exec.
IOW, we still have the fork/exec for every command, but we also now
have a dbus roundtrip on top.
Sigh, of course I missed the key paragraph in your point (4) about
using the API for nftables :-(
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
2235
days inactive
2253
days old
6 comments
3 participants
participants (3)
-
Daniel P. Berrangé -
Laine Stump -
Nikolay Shirokovskiy