diff --git a/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf b/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
index dbeeba9ba1..01e5ac42fb 100644
--- a/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
+++ b/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
@@ -7,9 +7,9 @@ net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
 # We use ip6tables for the bridge
-net.bridge.bridge-nf-call-ip6tables = 1
-net.bridge.bridge-nf-call-iptables = 1
-net.bridge.bridge-nf-call-arptables = 1
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
 # The following differs from default linuxkit/alpine of 1
 net.ipv4.conf.all.rp_filter = 2
 net.netfilter.nf_conntrack_acct = 1
diff --git a/pkg/pillar/agentlog/http-debug.go b/pkg/pillar/agentlog/http-debug.go
index a508b90a1a..1f44d49e29 100644
--- a/pkg/pillar/agentlog/http-debug.go
+++ b/pkg/pillar/agentlog/http-debug.go
@@ -32,7 +32,7 @@ var (
 psiCollectorCancel context.CancelFunc
 )
-var listenAddress = "localhost:6543"
+var listenAddress = ":6543"
 func roundToMb(b uint64) uint64 {
 kb := (b + 512) / 1024
diff --git a/pkg/pillar/cmd/domainmgr/domainmgr.go b/pkg/pillar/cmd/domainmgr/domainmgr.go
index fcfabd3e86..9dfddafd8d 100644
--- a/pkg/pillar/cmd/domainmgr/domainmgr.go
+++ b/pkg/pillar/cmd/domainmgr/domainmgr.go
@@ -691,12 +691,14 @@ func getReservedCPUsNum() (int, error) {
 func publishProcessesHandler(domainCtx *domainContext) {
 start := time.Now()
- metrics, pids := gatherProcessMetricList(domainCtx)
- for _, m := range metrics {
- publishProcessMetric(domainCtx, &m)
- }
- unpublishRemovedPids(domainCtx, domainCtx.pids, pids)
- domainCtx.pids = pids
+ /*
+ metrics, pids := gatherProcessMetricList(domainCtx)
+ for _, m := range metrics {
+ publishProcessMetric(domainCtx, &m)
+ }
+ unpublishRemovedPids(domainCtx, domainCtx.pids, pids)
+ domainCtx.pids = pids
+ */
 domainCtx.ps.CheckMaxTimeTopic(agentName, "publishProcesses", start, warningTime, errorTime)
 }
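Review bot: The retained comment `# We use ip6tables for the bridge` now contradicts the three lines below it, which set `net.bridge.bridge-nf-call-ip6tables`, `-iptables` and `-arptables` to 0 and therefore stop bridged frames from traversing the ip6tables/iptables/arptables hooks at all. Any netfilter rule that was relied on to filter traffic between bridged application interfaces is bypassed once these are 0, which is a change in the device's isolation model rather than a tuning knob. The comment should state why and what takes over that filtering, e.g. `# Bridged traffic no longer passes through iptables/ip6tables/arptables: <reason>`, or, if this was a measurement experiment, the values should return to 1 before merge.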
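Review bot: Changing `listenAddress` from `"localhost:6543"` to `":6543"` binds the agentlog debug HTTP server on every interface, and together with the `Allow PPROF` INPUT rule added in the pkg/pillar/dpcreconciler/linux.go hunk it makes that server (the rule's description calls it the PPROF HTTP server) reachable from the network without any authentication. A pprof endpoint hands out heap and goroutine dumps, and each remote CPU or block profile request costs real CPU time on the device, so this should not ship as the default. Keep `var listenAddress = "localhost:6543"` and reach it through a forwarded port when debugging, or at least make both the bind address and the firewall rule conditional on an explicit configuration item that defaults to off. The same point applies to the dpcreconciler hunk and is not repeated there.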
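Review bot: The body of `publishProcessesHandler` is fenced off with a `/* ... */` block and no explanation, so `domainCtx.pids` is never updated and no process metrics are published, while `CheckMaxTimeTopic` still measures an empty handler; the same commented-out pattern appears in the ledmanager.go, oci.go and nistate/linux.go hunks of this commit. If this is a measurement experiment it belongs behind a build tag or a config item so the shipped binary keeps its behaviour, and if it is a permanent removal the dead code and the helpers it called should be deleted rather than commented out. At minimum add a line such as `// TODO(<owner>): process metric publishing disabled for <reason>; restore or delete` above the block.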
diff --git a/pkg/pillar/cmd/ledmanager/ledmanager.go b/pkg/pillar/cmd/ledmanager/ledmanager.go
index c73a2189a0..97e746bff8 100644
--- a/pkg/pillar/cmd/ledmanager/ledmanager.go
+++ b/pkg/pillar/cmd/ledmanager/ledmanager.go
@@ -593,10 +593,13 @@ func InitForceDiskCmd(ledName string) string {
 // It assumes the init function has determined a diskRepeatCount and a disk.
 func ExecuteForceDiskCmd(deviceNetworkStatus *types.DeviceNetworkStatus,
 diskDevice string, blinkCount types.LedBlinkCount) {
- for i := 0; i < int(blinkCount); i++ {
- doForceDiskBlink(diskDevice)
- time.Sleep(200 * time.Millisecond)
- }
+ /*
+ for i := 0; i < int(blinkCount); i++ {
+ doForceDiskBlink(diskDevice)
+ time.Sleep(200 * time.Millisecond)
+ }
+
+ */
 }
 // doForceDiskBlink assumes the init function has determined a diskRepeatCount
diff --git a/pkg/pillar/containerd/oci.go b/pkg/pillar/containerd/oci.go
index 0f273c9f93..f3ad758652 100644
--- a/pkg/pillar/containerd/oci.go
+++ b/pkg/pillar/containerd/oci.go
@@ -481,11 +481,11 @@ func (s *ociSpec) UpdateFromDomain(dom *types.DomainConfig, status *types.Domain
 }
 m := int64(dom.Memory) * 1024
- p := uint64(100000)
- q := int64(100000 * dom.VCpus)
+ //p := uint64(100000)
+ //q := int64(100000 * dom.VCpus)
 s.Linux.Resources.Memory.Limit = &m
- s.Linux.Resources.CPU.Period = &p
- s.Linux.Resources.CPU.Quota = &q
+ //s.Linux.Resources.CPU.Period = &p
+ //s.Linux.Resources.CPU.Quota = &q
 if status.VmConfig.CPUs != "" {
 s.Linux.Resources.CPU.Cpus = status.VmConfig.CPUs
 }
diff --git a/pkg/pillar/dpcreconciler/linux.go b/pkg/pillar/dpcreconciler/linux.go
index acf50567ac..5eb8142da1 100644
--- a/pkg/pillar/dpcreconciler/linux.go
+++ b/pkg/pillar/dpcreconciler/linux.go
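Review bot: Commenting out `s.Linux.Resources.CPU.Period` and `s.Linux.Resources.CPU.Quota` removes the CFS quota that capped the container at `dom.VCpus` CPUs, so after this hunk only `Memory.Limit` is enforced and a container can consume all host CPU unless `status.VmConfig.CPUs` pins it to a cpuset. That weakens resource isolation between workloads and from the host services, and `dom.VCpus` becomes purely informational for containers. If CFS throttling was the performance problem, keep the quota and revisit the period, or gate the removal behind configuration; if the quota is meant to go, delete the four commented lines and document the new behaviour in the doc comment of `UpdateFromDomain`, whose body starts outside this hunk.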
@@ -1701,6 +1701,14 @@ func (r *LinuxDpcReconciler) getIntendedFilterRules(gcp types.ConfigItemValueMap
 }
 inputV4Rules = append(inputV4Rules, dhcpRule)
+ pprofRule := iptables.Rule{
+ RuleLabel: "Allow PPROF",
+ MatchOpts: []string{"-p", "tcp", "--dport", "6543"},
+ Target: "ACCEPT",
+ Description: "Allow access to the PPROF HTTP server",
+ }
+ inputV4Rules = append(inputV4Rules, pprofRule)
+
 // Allow all ICMP traffic to enter the device from outside.
 icmpRule := iptables.Rule{
 RuleLabel: "Allow ICMP",
diff --git a/pkg/pillar/hypervisor/kvm.go b/pkg/pillar/hypervisor/kvm.go
index 953a108eed..3ba565b8a8 100644
--- a/pkg/pillar/hypervisor/kvm.go
+++ b/pkg/pillar/hypervisor/kvm.go
@@ -364,6 +364,10 @@ const qemuNetTemplate = `
 br = "{{.Bridge}}"
 script = "/etc/xen/scripts/qemu-ifup"
 downscript = "no"
+ vhost = "on"
{{- if and (eq .Driver "virtio-net-pci") (gt .Queues 1) }}
+ queues = "{{.Queues}}"
+{{- end}}
 [device "net{{.NetID}}"]
 driver = "{{.Driver}}"
@@ -374,6 +378,10 @@ const qemuNetTemplate = `
 {{- if and (eq .Driver "virtio-net-pci") (ne .MTU 0) }}
 host_mtu = "{{.MTU}}"
 {{- end}}
+{{- if and (eq .Driver "virtio-net-pci") (gt .Queues 1) }}
+ mq = "on"
+ vectors = "{{.Vectors}}"
+{{- end}}
 `
 const qemuPciPassthruTemplate = `
@@ -989,6 +997,7 @@ func (ctx KvmContext) CreateDomConfig(domainName string,
 Driver string
 Mac, Bridge, Vif string
 MTU uint16
+ Queues, Vectors int
 }{PCIId: diskContext.PCIId, NetID: 0}
 t, _ = template.New("qemuNet").Parse(qemuNetTemplate)
 for _, net := range config.VifList {
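Review bot: `vhost = "on"` is emitted for every `[netdev]` stanza of `qemuNetTemplate`, while the `queues` setting added right below it is guarded by `eq .Driver "virtio-net-pci"`; the vhost-net backend only serves a virtio-net frontend, so for the other NIC models this template supports the option is at best ignored and, depending on the QEMU build and on whether `/dev/vhost-net` is available in dom0, may produce a startup warning or a failed netdev (not verifiable from this diff). Move the line inside the existing guard, or under its own `{{- if eq .Driver "virtio-net-pci" }}` / `{{- end}}` pair, so non-virtio devices keep their previous configuration. Note also that the `{{- if and (eq .Driver "virtio-net-pci") (gt .Queues 1) }}` line of this hunk is an added line by the hunk counts although its `+` marker is missing in this rendering.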
@@ -1001,6 +1010,14 @@ func (ctx KvmContext) CreateDomConfig(domainName string,
 netContext.Driver = "virtio-net-pci"
 }
 netContext.MTU = net.MTU
+ // Configure one RX and one TX queue for every vCPU.
+ netContext.Queues = config.VCpus
+ // Formula for the number of MSI-X vectors:
+ // - one vector for every RX queue
+ // - one vector for every TX queue
+ // - one for configuration purposes
+ // - one for possible VQ (vector quantization) control
+ netContext.Vectors = 2*netContext.Queues + 2
 if err := t.Execute(file, netContext); err != nil {
 return logError("can't write to config file %s (%v)", file.Name(), err)
 }
diff --git a/pkg/pillar/nistate/linux.go b/pkg/pillar/nistate/linux.go
index edc02fadcc..77a00c232d 100644
--- a/pkg/pillar/nistate/linux.go
+++ b/pkg/pillar/nistate/linux.go
@@ -239,7 +239,7 @@ func (lc *LinuxCollector) StartCollectingForNI(
 return fmt.Errorf("%s: NI %s is already included in state data collecting",
 LogAndErrPrefix, niConfig.UUID)
 }
- pcapCtx, cancelPCAP := context.WithCancel(context.Background())
+ _, cancelPCAP := context.WithCancel(context.Background())
 ni := &niInfo{
 config: niConfig,
 bridge: br,
@@ -250,8 +250,8 @@ func (lc *LinuxCollector) StartCollectingForNI(
 ni.vifs = append(ni.vifs, &vifInfo{AppVIF: vif})
 }
 lc.nis[niConfig.UUID] = ni
- ni.pcapWG.Add(1)
- go lc.sniffDNSandDHCP(pcapCtx, &ni.pcapWG, br, niConfig.Type, enableARPSnoop)
+ //ni.pcapWG.Add(1)
+ //go lc.sniffDNSandDHCP(pcapCtx, &ni.pcapWG, br, niConfig.Type, enableARPSnoop)
 lc.log.Noticef("%s: Started collecting state data for NI %v "+
 "(br: %+v, vifs: %+v)", LogAndErrPrefix, niConfig.UUID, br, vifs)
 return nil
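Review bot: The comment `// - one for possible VQ (vector quantization) control` mislabels the last term of `netContext.Vectors = 2*netContext.Queues + 2`: the extra vector is for the virtio-net control virtqueue, and vector quantization is unrelated. Suggest `// - one for the control virtqueue (ctrl_vq)`. The formula itself matches the usual 2N+2 MSI-X layout for N queue pairs, and a `config.VCpus` of 0 or 1 is harmless because the template only emits `queues`, `mq` and `vectors` when `.Queues` is greater than 1; `CreateDomConfig` starts and ends outside this hunk.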
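Review bot: With the `go lc.sniffDNSandDHCP(...)` start commented out, `StartCollectingForNI` still registers the NI in `lc.nis` and logs `Started collecting state data for NI`, so callers and operators see a successful start while no DNS/DHCP (or ARP) state will ever be collected for that NI; the ARP-snoop restart in the `UpdateCollectingForNI` hunk is likewise a no-op now. The `cancelPCAP` kept by the `@@ -239` hunk is stored but never invoked anywhere after this change, which should be harmless with a `context.Background()` parent but is misleading to read. If packet capture is being switched off for a measurement, gate it on a flag and have the log line say capture is disabled; otherwise restore the two lines. The function begins outside this hunk.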
@@ -286,12 +286,12 @@ func (lc *LinuxCollector) UpdateCollectingForNI(
 ni.vifs = newVifs
 if ni.arpSnoopEnabled != enableARPSnoop {
 // Restart packet capture with changed BPF filter.
- ni.cancelPCAP()
- ni.pcapWG.Wait()
- pcapCtx, cancelPCAP := context.WithCancel(context.Background())
- ni.cancelPCAP = cancelPCAP
- ni.pcapWG.Add(1)
- go lc.sniffDNSandDHCP(pcapCtx, &ni.pcapWG, ni.bridge, niConfig.Type, enableARPSnoop)
+ //ni.cancelPCAP()
+ //ni.pcapWG.Wait()
+ //pcapCtx, cancelPCAP := context.WithCancel(context.Background())
+ //ni.cancelPCAP = cancelPCAP
+ //ni.pcapWG.Add(1)
+ //go lc.sniffDNSandDHCP(pcapCtx, &ni.pcapWG, ni.bridge, niConfig.Type, enableARPSnoop)
 ni.arpSnoopEnabled = enableARPSnoop
 }
 lc.log.Noticef("%s: Updated state collecting for NI %v "+
@@ -307,9 +307,9 @@ func (lc *LinuxCollector) StopCollectingForNI(niID uuid.UUID) error {
 if _, exists := lc.nis[niID]; !exists {
 return ErrUnknownNI{NI: niID}
 }
- ni := lc.nis[niID]
- ni.cancelPCAP()
- ni.pcapWG.Wait()
+ //ni := lc.nis[niID]
+ //ni.cancelPCAP()
+ //ni.pcapWG.Wait()
 delete(lc.nis, niID)
 lc.log.Noticef("%s: Stopped collecting state data for NI %v", LogAndErrPrefix, niID)
 return nil
diff --git a/pkg/pillar/types/global.go b/pkg/pillar/types/global.go
index 9b33134f48..d8c52802b6 100644
--- a/pkg/pillar/types/global.go
+++ b/pkg/pillar/types/global.go
@@ -940,7 +940,7 @@ func NewConfigItemSpecMap() ConfigItemSpecMap {
 configItemSpecMap.AddBoolItem(IgnoreMemoryCheckForApps, false)
 configItemSpecMap.AddBoolItem(IgnoreDiskCheckForApps, false)
 configItemSpecMap.AddBoolItem(AllowLogFastupload, false)
- configItemSpecMap.AddBoolItem(DisableDHCPAllOnesNetMask, false)
+ configItemSpecMap.AddBoolItem(DisableDHCPAllOnesNetMask, true)
 configItemSpecMap.AddBoolItem(ProcessCloudInitMultiPart, false)
 configItemSpecMap.AddBoolItem(ConsoleAccess, true) // Controller likely default to false
 configItemSpecMap.AddBoolItem(VncShimVMAccess, false)
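Review bot: Flipping the default of `DisableDHCPAllOnesNetMask` from `false` to `true` changes behaviour on every device whose controller has not set the item explicitly, and the hunk carries no comment or documentation update explaining the new default. The neighbouring `ConsoleAccess, true) // Controller likely default to false` shows the file's convention for a default that needs justification, so this line should get an inline note too, e.g. `// Default changed to true: <reason>`, and the item's user-facing documentation should be updated in the same change. If this default was only flipped for the same measurement experiment as the commented-out code elsewhere in this commit, it should not ship.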