Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[backport v1.0] pkg/sensors: reduce ratelimit map memory footprint #2584

Merged
merged 6 commits into from
Jul 19, 2024
Merged

[backport v1.0] pkg/sensors: reduce ratelimit map memory footprint #2584

merged 6 commits into from
Jul 19, 2024

Conversation

mtardy
Copy link
Member

@mtardy mtardy commented Jun 19, 2024

Backport of #2551 and #2583

Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the ratelimit feature when unused (around ~10MB per kprobe).

@mtardy mtardy added kind/backport This PR provides functionality previously merged into master. release-note/bug This PR fixes an issue in a previous release of Tetragon. labels Jun 19, 2024
@mtardy mtardy requested a review from a team as a code owner June 19, 2024 11:12
@mtardy mtardy requested review from kkourt and removed request for a team June 19, 2024 11:12
@mtardy mtardy marked this pull request as draft June 19, 2024 15:45
@mtardy mtardy force-pushed the pr/mtardy/backport-v1.0-ratelimit-memory branch from ef7606e to 7fe8d49 Compare July 2, 2024 10:09
@mtardy mtardy marked this pull request as ready for review July 2, 2024 10:10
@mtardy mtardy marked this pull request as draft July 3, 2024 08:28
@mtardy mtardy force-pushed the pr/mtardy/backport-v1.0-ratelimit-memory branch from 7fe8d49 to 60482a9 Compare July 16, 2024 18:39
mtardy and others added 5 commits July 16, 2024 20:40
@mtardy
bpf: remove rate limit maps and structs for kernel <5.3
303611b 
[ upstream commit ed824b3 ]

Since the rate limit feature is only available for LARGE_BPF_PROG, let's
remove the unnecessary map and the struct from the small BPF progs.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy
pkg/sensors: pin the ratelimit_map to the fs
16f4c33 
[ upstream commit 38ab012 ]

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy
pkg/sensors: reduce ratelimit map memory footprint
083d49e 
[ upstream commit 850410b ]

This commit is very similar to 22510d9

For every ratelimit map loaded, we add ~10MB of kernel memory, and each
kprobe added was adding a ratelimit map. We now only load that map if
the user used the rateLimit field in a matchActions to reduce the memory
footprint of this feature when unused.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@kevsecurity @mtardy
pkg/sensors: add rate limit test
0120ac3 
[ upstream commit 1eea47b ]

Add a NoRateLimit test and a RateLimitTest.

Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
@mtardy
pkg/sensors: fix for ratelimit_map wrong path pinning
ca3509c 
[ upstream commit a1a2499 ]

Commit 38ab012 pinned the ratelimit_map
to the fs but used sensorPath instead pinPath since this is a per kprobe
map and not a per sensor map.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy mtardy force-pushed the pr/mtardy/backport-v1.0-ratelimit-memory branch from 60482a9 to ca3509c Compare July 16, 2024 18:40
@mtardy mtardy requested a review from kevsecurity July 16, 2024 18:41
@mtardy mtardy marked this pull request as ready for review July 16, 2024 18:41
@kevsecurity
Copy link
Contributor

I'm sure it's all good. LMK when it's green.

@mtardy mtardy mentioned this pull request Jul 17, 2024
Closed
2 tasks
@mtardy
vmtests: bump base image used to root-images:20240717.161638
cef36a3 
[ upstream commit 9e8f005 ]

For the base image to have nc.openbsd, see
cilium/little-vm-helper-images@2af406c.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy mtardy force-pushed the pr/mtardy/backport-v1.0-ratelimit-memory branch from 32952d2 to cef36a3 Compare July 18, 2024 17:10
@mtardy
Copy link
Member Author

mtardy commented Jul 18, 2024

cc @kevsecurity it's green

@mtardy mtardy merged commit e729574 into v1.0 Jul 19, 2024
30 checks passed
@mtardy mtardy deleted the pr/mtardy/backport-v1.0-ratelimit-memory branch July 19, 2024 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@olsajiri olsajiri olsajiri approved these changes

@kkourt kkourt Awaiting requested review from kkourt kkourt is a code owner automatically assigned from cilium/tetragon

@kevsecurity kevsecurity Awaiting requested review from kevsecurity

Assignees
No one assigned
Labels
kind/backport This PR provides functionality previously merged into master. release-note/bug This PR fixes an issue in a previous release of Tetragon.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mtardy @kevsecurity @olsajiri