h2/ready #996
Closed
h2/ready #996
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Refactor connection tracker * Track outbound connections as well * fix test
Bumps [rustls](https://github.com/rustls/rustls) from 0.23.4 to 0.23.5. - [Release notes](https://github.com/rustls/rustls/releases) - [Changelog](https://github.com/rustls/rustls/blob/main/CHANGELOG.md) - [Commits](rustls/rustls@v/0.23.4...v/0.23.5) --- updated-dependencies: - dependency-name: rustls dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This is a super security sensitive codepath, and mostly and experiment. Make it opt in so we don't stumble into a CVE when we ship beta.
* metrics: Don't log 'hbone_target' as a string. The other SocketAddr fields (src.addr and dst.addr) don't log as strings, so make them all consistent. * metrics: Fix linter errors from 'hbone_target' commit.
* metrics: make traffic metrics faster Before, each r/w we lookup the metric and increment it. Now, we look it up once and then just increment. The increment is just Atomic.increment, which on x86 is the same as a simple `add`, which is very fast (measured 1ns, but presumably its so fast benchmarking isn't meaningful). Since this is on the hot path, this is meaningful. Given this, I don't think we will ever need to do istio#927 (comment). Also, addressed istio#927 (comment) and cleaned up inbound which broke a function up into 2 which made things more complex, not simpler. * Drop the return type
Enhance the `Forwarded` header we already send to include `host` as part of the header. This is used to guess the service for inbound telemetry (as an extra input to our existing heuristic), and also reported in the connection dump.
Blocking merge into istio/istio istio/istio#50544
* test: run `namespaced` tests without root This gives full coverage, without requiring root. It also prevents issues around failure to cleanup network namespaces, etc, and generally allows us to mess with the environment a lot more than we were doing now. * try to create
* rbac: log unknown policies for debugging purposes * Update src/state.rs Co-authored-by: Ben Leggett <[email protected]> --------- Co-authored-by: Ben Leggett <[email protected]>
* Cleanup nesting * e2e tests: use inpod mode more * Assert access logs * wip * better logs * WIP admin tasks (cherry picked from commit ba9c6c9) * wip * fix * Revert "WIP admin tasks" This reverts commit 0ca900b. * fix * re-enable * cleanup * more cleanup, need to undo the prefix * Revert "Cleanup nesting" This reverts commit cfb81b0. * Add more tests * Malicious calls test * mismatch test * policy test * vip test * cleanups * fmt * lint scripts
We only did this for inbound. This double check provides a stronger guarantee than IP address matching
* Attempt at smarter HBONE pooling between ztunnels Signed-off-by: Benjamin Leggett <[email protected]> * Lints Signed-off-by: Benjamin Leggett <[email protected]> * lints 2 Signed-off-by: Benjamin Leggett <[email protected]> * Hmm Signed-off-by: Benjamin Leggett <[email protected]> * Fixup Signed-off-by: Benjamin Leggett <[email protected]> * Fixup Signed-off-by: Benjamin Leggett <[email protected]> * More comments Signed-off-by: Benjamin Leggett <[email protected]> * cleanup Signed-off-by: Benjamin Leggett <[email protected]> * fixup Signed-off-by: Benjamin Leggett <[email protected]> * Clean Signed-off-by: Benjamin Leggett <[email protected]> * Fix jemalloc Signed-off-by: Benjamin Leggett <[email protected]> * WIP: move out of proxyinfo Signed-off-by: Benjamin Leggett <[email protected]> * Evict pooled conns after $INTERVAL Signed-off-by: Benjamin Leggett <[email protected]> * Update src/proxy/pool.rs Co-authored-by: Ian Rudie <[email protected]> * Evict pooled conns after $INTERVAL Signed-off-by: Benjamin Leggett <[email protected]> * For now, just do the foolproof collision check Signed-off-by: Benjamin Leggett <[email protected]> * Don't be silly Signed-off-by: Benjamin Leggett <[email protected]> * Naming, review comments Signed-off-by: Benjamin Leggett <[email protected]> * Tidy Arcs+drains Signed-off-by: Benjamin Leggett <[email protected]> * Cleanups Signed-off-by: Benjamin Leggett <[email protected]> * Format Signed-off-by: Benjamin Leggett <[email protected]> * Use the fancy lockless outer map, drop realm-io Signed-off-by: Benjamin Leggett <[email protected]> * Cleanup comments Signed-off-by: Benjamin Leggett <[email protected]> * Fix outdent (review comment) Signed-off-by: Benjamin Leggett <[email protected]> * Fixups/review comments Signed-off-by: Benjamin Leggett <[email protected]> * resync Signed-off-by: Benjamin Leggett <[email protected]> * Droptests Signed-off-by: Benjamin Leggett <[email protected]> * fix testhang Signed-off-by: Benjamin Leggett <[email protected]> * add smarter evict test Signed-off-by: Benjamin Leggett <[email protected]> * Interesting failure Signed-off-by: Benjamin Leggett <[email protected]> * No, it's not Signed-off-by: Benjamin Leggett <[email protected]> * Make this a bit simpler Signed-off-by: Benjamin Leggett <[email protected]> * Separate out the connspawner Signed-off-by: Benjamin Leggett <[email protected]> * Tidy logging a bit Signed-off-by: Benjamin Leggett <[email protected]> * Add serverside keepalive Signed-off-by: Benjamin Leggett <[email protected]> * fixup Signed-off-by: Benjamin Leggett <[email protected]> * Just for kicks Signed-off-by: Benjamin Leggett <[email protected]> * D'oh - use mthread runtime for tests Signed-off-by: Benjamin Leggett <[email protected]> * Fix none race Signed-off-by: Benjamin Leggett <[email protected]> * Propagate connection establish errors Signed-off-by: Benjamin Leggett <[email protected]> * Cleanup Signed-off-by: Benjamin Leggett <[email protected]> * Work around local test server getting overloaded Signed-off-by: Benjamin Leggett <[email protected]> * Move the rest to multi_thread, chill out on iterations, work around test rig flakes Signed-off-by: Benjamin Leggett <[email protected]> * Tidy comments Signed-off-by: Benjamin Leggett <[email protected]> * lints Signed-off-by: Benjamin Leggett <[email protected]> * Clarify comment Signed-off-by: Benjamin Leggett <[email protected]> --------- Signed-off-by: Benjamin Leggett <[email protected]> Co-authored-by: Ian Rudie <[email protected]>
(cherry picked from commit c68413be4387680372df53fb496b50132fb6fef3)
* performance: reduce and test size of futures Prior to this PR, each outbound connection future was 22k. This is really big. The reason behind this is how Rust sizes Futures; the stack size is allocated based on the maximum required size through any branch. This means even obscure code paths can bloat up the entire future for everyone. This PR optimizes a bunch of these. This is done in a few ways: * Box::pin expensive futures. While we have to allocate these when we hit them, of course, when we don't hit these codepaths they are now "free". We have a lot of uncommon expensive code paths. Especially HBONE vs passthrough; hbone is way more expensive. But also on demand XDS, DNS, etc * Arc the Config which is large * A variety of other micro-optimizations A new `assertions` module is added to verify we do not regress * Fix the upgrade drop issue * fmt
We are storing these in a list and never removing. We don't use them, so no need to store.
* refactor pool * wip h2 * wip * WIP * first test passing * test working reliably * working except idle_eviction_with_persistent * Ready to go * Ready to go * fixes * lock
This is "required" per the docs. I don't think it really is, but good to be safe and follow the docs
howardjohn
added
the
release-notes-none
istio-testing
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
istio-testing
added
the
size/XXL
|
@howardjohn: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
namespacedtests without root (test: runnamespacedtests without root #962)h2usage for outbound HBONE (Replace hyper with directh2usage for outbound HBONE #990)