system/socket: propagate backpressure from output

[adriansr]

What does this PR do?

This PR modifies the socket dataset so that it is affected by output backpressure.

Originally, it operated as two separate goroutines. One would read kernel tracing events as fast as possible and maintain a view of the open sockets/flows on the system. Once a flow is deemed terminated, it would be stored on a linked list (done) for it to be published to the output.

A separate goroutine consumes that linked list and publishes the flows.

Under heavy network load, it can generate flows faster than the output is able to accept. Due to the linked list being unbounded, it would store more and more flows, causing Auditbeat's memory usage to grow over time.

This PR simplifies flow publication in such a way that if the output blocks, the main reader goroutine will block too, preventing the consumption of new kernel events and the generation of additional flows until the output is able to accept more documents.

Also it contains a necessary refactor: Moving the linked list implementation to a helper package. This adds a bit of noise.

Why is it important?

To prevent high-memory usage of Auditbeat under heavy network I/O.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

With the below code it's easy to increase the memory usage of Auditbeat dramatically. With this patch, it will stabilize.

Flow flooder script

package main

import (
	"fmt"
	"math/rand"
	"net"
	"os"
)

const (
	NSOCKS     = 8000
	ADDR       = "127.0.0.1"
	ADDRLISTEN = ADDR + ":0"
)

func main() {
	addr, err := net.ResolveUDPAddr("udp4", ADDRLISTEN)
	if err != nil {
		panic(fmt.Errorf("ResolveUDPAddr(%s): %w", ADDRLISTEN, err))
	}
	var sock [NSOCKS]*net.UDPConn
	for idx := range sock {
		c, err := net.ListenUDP("udp4", addr)
		if err != nil {
			panic(fmt.Errorf("ListenUDP(%s): %w", addr, err))
		}
		sock[idx] = c
		laddr := c.LocalAddr().(*net.UDPAddr)
		fmt.Fprintf(os.Stderr, "sock[%d] is at %d\n", idx, laddr.Port)
	}
	data := []byte("Some random data")
	for {
		for _, src := range sock {
			dst := sock[rand.Intn(NSOCKS)]
			if _, err = src.WriteTo(data, dst.LocalAddr()); err != nil {
				panic(fmt.Errorf("WriteTo(%v -> %v): %w", src.LocalAddr(), dst.LocalAddr(), err))
			}
		}
	}
}

Related issues

• Closes Auditbeat: Propagate output backpressure in socket dataset #32191

Use cases

Screenshots

Logs

[botelastic]

This pull request doesn't have a Team:<team> label.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-07-22T14:58:51.626+0000

• Duration: 50 min 44 sec

Test stats 🧪

Test	Results
Failed	0
Passed	300
Skipped	49
Total	349

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[efd6]

This is my initial look, I will take another look later.

I'd just like to confirm/fix my understanding of the approach here. ISTM that this is decoupling the publication of events from the list of captured events from holding the list of events once the timeouts have happened. To prevent the publication from getting bound by publication rate limiting it. Is this correct?

I think it would be helpful to have a description of the approach in the PR description with a view to including it in the commit message when the squash happens.

[efd6]

sent cannot be negative, so sent != 0?

[adriansr]

👍

[efd6]

Just for clarity, the caller to l.append never uses b again, true? Otherwise this is not safe since their b will continue to be a tail of its previous head. This is always what is happening here since b is always a newly constructed value, but it is probably worth documenting that this is the case.

[adriansr]

Makes sense. I've updated the function to take a pointer for the second argument and zero it before returning.

[efd6]

😄

[efd6]

This is a minor point, but I'm wondering if s.clock() should be pulled out into now and have that used in the places here.

[adriansr]

done

[efd6]

👍

[efd6]

I'm wondering at this point, when it is now a matter of collecting items, if it wouldn't be simpler to have a []linkedElement for reportFlows to work on; the allocations would likely be reduced (particularly if the size hints were used to preallocate) and the code would be simpler. This would involve changes in onSockTerminated and onFlowTerminated as well.

[adriansr]

I'm not sure I follow. Removing elements from linkedLists and creating a new linked list from those existing elements is a zero-alloc operation. I'll add a test to ensure this is always the case.

[efd6]

I think checking the escape analysis would be worthwhile. The head that is being obtained for adding to toReport is not the same memory that is in the source since we are not using the pointer, so it must be allocated. Since it is being used after the function returns, it cannot be on the stack, so I think the allocation needs to be on the heap. The tail of that head will all be already allocated and so they are certainly zero-alloc.

[efd6]

You are right; I've looked at the escape analysis and it doesn't escape.

[efd6]

I've gone over this more carefully because I was unable to find a fault in my logic (the -m report is not in source order so I missed it previously and accepted the output I saw) and I can see that the b parameter to append does leak.

./state.go:901:29: leaking param content: b

[efd6]

s/_ //g

[adriansr]

👍

[efd6]

Add t.Helper() above this?

[adriansr]

👍

[adriansr]

@efd6 please re-review. I've updated the description with an explanation.

[efd6]

OK, I have the logic now and it looks OK to me. Thanks for the clarification above. I think it would be helpful to also say that the back pressure is exerted through *state.Mutex. I'll take another look tomorrow.

[efd6]

Assuming my interpretation of the back pressure being exerted via the *state mutex is correct, this LGTM.

[efd6]

If *state.reportFlow returns a conditional 1 for success and 0 for failure then the count would more accurately reflect what was reported (depending on whether you are interested in the attempts or the succeeds).

[adriansr]

makes sense, done.

[efd6]

Is it worth logging the count here?

[adriansr]

I didn't want to log in the main thread as this will report a flow every time a socket is closed.

The logging in ExpireFlows is there to have a way to tell when backpressure is happening without causing too much impact.

[adriansr]

We have users testing this change. Waiting for feedback before moving out of the draft state.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)