Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backports/v1.0/1762 #1763

Merged
merged 6 commits into from
Nov 17, 2023
Merged

Backports/v1.0/1762 #1763

merged 6 commits into from
Nov 17, 2023

Conversation

willfindlay
Copy link
Contributor

@willfindlay willfindlay commented Nov 16, 2023
edited
Loading

Backport of #1762

Fix a few bugs related to field filter configuration and significantly improve performance of field filters.

@willfindlay willfindlay added the release-note/bug This PR fixes an issue in a previous release of Tetragon. label Nov 16, 2023
@willfindlay
fieldfilter: reuse NewFieldFilter in FieldFilterFromProto
d516034 
Signed-off-by: William Findlay <will@isovalent.com>
@willfindlay
fieldfilters: split into new package
462f7b0 
[upstream commit b9c2f08]

These don't work the same as our other filter types, so having everything under the
filters package doesn't really make sense. Split field filters out into their own package.

Signed-off-by: William Findlay <will@isovalent.com>
@willfindlay
fieldfilters: add benchmarks
234e415 
[upstream commit 9150906]

Signed-off-by: William Findlay <will@isovalent.com>
@willfindlay
makefile: add bench target
62d1c89 
[upstream commit f4b30e6]

Signed-off-by: William Findlay <will@isovalent.com>
@willfindlay
fieldfilters: fix snake_case names for multiple filters
d003f25 
[upstream commit 08a7d91]

We had a bug in our implementatation for fixing up snake_case names in field filter
definitions when field filters were defined on multiple lines. Fix the issue by using
a decoder instead of trying to unmarshal the entire string.

Signed-off-by: William Findlay <will@isovalent.com>
@willfindlay
fieldfilters: implement near zero-overhead copy-on-filter
bd2788c 
[upstream commit 19b2000]

Our previous implementation of field filters relied on creating a deep copy of the event
before filtering, because otherwise clearing important fields could lead to segmentation
faults due to the way we cache process information or cause filters to interfere with each
other under multiple concurrent GetEventsRequests. Creating the deep copy fixed the above issues,
but absolutely killed performance.

This patch introduces a new implementation that lazily copies fields into a new protobuf
message only when they "pass" the filter. The result is a near zero-overhead field filter
implementation that actually significantly improves performance over the base case when
filtering many fields.

The following is output from the benchmark. Serialize is the base case with no filtering
while DeepCopy roughly approximates our old implementation. The new implementation is
nearly zero overhead in the worst case and performs significantly better when filtering
lots of fields since we save significant cycles on JSON serialization.

    ❯ go test -seed 7996182721713197025 -bench=. -benchtime=20000x
    goos: linux
    goarch: amd64
    pkg: github.com/cilium/tetragon/pkg/fieldfilters
    cpu: 12th Gen Intel(R) Core(TM) i9-12900K
    BenchmarkSerialize-24                                              20000             57269 ns/op
    --- BENCH: BenchmarkSerialize-24
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
    BenchmarkSerialize_DeepCopy-24                                     20000             67012 ns/op
    --- BENCH: BenchmarkSerialize_DeepCopy-24
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
    BenchmarkSerialize_DeepCopyProcess-24                              20000             61535 ns/op
    --- BENCH: BenchmarkSerialize_DeepCopyProcess-24
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
    BenchmarkSerialize_FieldFilters-24                                 20000             57372 ns/op
    --- BENCH: BenchmarkSerialize_FieldFilters-24
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
    BenchmarkSerialize_FieldFilters_NoProcessInfo-24                   20000             26625 ns/op
    --- BENCH: BenchmarkSerialize_FieldFilters_NoProcessInfo-24
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
    BenchmarkSerialize_FieldFilters_NoProcesInfoKeepExecid-24          20000             36356 ns/op
    --- BENCH: BenchmarkSerialize_FieldFilters_NoProcesInfoKeepExecid-24
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
        benchmark_test.go:56: configured random event generator (seed=7996182721713197025)
    PASS
    ok      github.com/cilium/tetragon/pkg/fieldfilters     19.345s

Signed-off-by: William Findlay <will@isovalent.com>
@willfindlay willfindlay marked this pull request as ready for review November 16, 2023 22:04
@willfindlay willfindlay requested a review from a team as a code owner November 16, 2023 22:04
@willfindlay willfindlay requested review from kevsecurity and removed request for a team November 16, 2023 22:04
@jrfastab jrfastab self-requested a review November 16, 2023 22:19
@willfindlay willfindlay merged commit 26e5cff into v1.0 Nov 17, 2023
27 checks passed
@willfindlay willfindlay deleted the backports/v1.0/1762 branch November 17, 2023 00:36
@krehel krehel mentioned this pull request Dec 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrfastab jrfastab jrfastab approved these changes

@kevsecurity kevsecurity Awaiting requested review from kevsecurity kevsecurity is a code owner automatically assigned from cilium/tetragon

Assignees
No one assigned
Labels
release-note/bug This PR fixes an issue in a previous release of Tetragon.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@willfindlay @jrfastab