From 771848941c06711acbcb2407c7ba0338762f186d Mon Sep 17 00:00:00 2001
From: Milan Lenco
Date: Tue, 22 Oct 2024 16:52:00 +0200
Subject: [PATCH 1/9] Disable CPU quotas
Signed-off-by: Milan Lenco
---
 pkg/pillar/containerd/oci.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/pillar/containerd/oci.go b/pkg/pillar/containerd/oci.go
index 0f273c9f93..f3ad758652 100644
--- a/pkg/pillar/containerd/oci.go
+++ b/pkg/pillar/containerd/oci.go
@@ -481,11 +481,11 @@ func (s *ociSpec) UpdateFromDomain(dom *types.DomainConfig, status *types.Domain
 }
 m := int64(dom.Memory) * 1024
- p := uint64(100000)
- q := int64(100000 * dom.VCpus)
+ //p := uint64(100000)
+ //q := int64(100000 * dom.VCpus)
 s.Linux.Resources.Memory.Limit = &m
- s.Linux.Resources.CPU.Period = &p
- s.Linux.Resources.CPU.Quota = &q
+ //s.Linux.Resources.CPU.Period = &p
+ //s.Linux.Resources.CPU.Quota = &q
 if status.VmConfig.CPUs != "" {
 s.Linux.Resources.CPU.Cpus = status.VmConfig.CPUs
 }
From 25cfeb8209540e2d6e4b97457758795e5a94a99f Mon Sep 17 00:00:00 2001
From: Milan Lenco
Date: Thu, 31 Oct 2024 11:28:04 +0100
Subject: [PATCH 2/9] Disable packet sniffing
Signed-off-by: Milan Lenco
---
 pkg/pillar/nistate/linux.go | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/pkg/pillar/nistate/linux.go b/pkg/pillar/nistate/linux.go
index edc02fadcc..77a00c232d 100644
--- a/pkg/pillar/nistate/linux.go
+++ b/pkg/pillar/nistate/linux.go
@@ -239,7 +239,7 @@ func (lc *LinuxCollector) StartCollectingForNI(
 return fmt.Errorf("%s: NI %s is already included in state data collecting",
 LogAndErrPrefix, niConfig.UUID)
 }
- pcapCtx, cancelPCAP := context.WithCancel(context.Background())
+ _, cancelPCAP := context.WithCancel(context.Background())
 ni := &niInfo{
 config: niConfig,
 bridge: br,
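Review bot: With `CPU.Period` and `CPU.Quota` commented out in `UpdateFromDomain`, a container application has no CPU ceiling at all, so a busy or compromised workload can starve pillar and every other container on the host; the only remaining constraint is the optional cpuset pinning taken from `status.VmConfig.CPUs`. If lifting the quota is an experiment, guard the two assignments with a debug/config flag instead of leaving commented-out code, and say in the function's doc comment that CPU quotas are not applied when the flag is set. `dom.VCpus` is now unused in this function, which the leftover comment lines obscure. The function body continues outside the hunk.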
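Review bot: `_, cancelPCAP := context.WithCancel(context.Background())` now manufactures a cancel function for a context that no goroutine consumes; it survives only so the `niInfo` literal (which continues outside the hunk) can still populate `cancelPCAP`. If DNS/DHCP sniffing is meant to stay off, remove the context creation together with the goroutine; if this is a temporary experiment, a single boolean guard around the `sniffDNSandDHCP` start is far easier to revert than commented blocks spread over three functions. Either way the doc comment of `StartCollectingForNI` should state that packet snooping is disabled, because whatever consumes the resulting NI state presumably still expects the addresses it used to learn—verify against the callers.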
@@ -250,8 +250,8 @@ func (lc *LinuxCollector) StartCollectingForNI(
 ni.vifs = append(ni.vifs, &vifInfo{AppVIF: vif})
 }
 lc.nis[niConfig.UUID] = ni
- ni.pcapWG.Add(1)
- go lc.sniffDNSandDHCP(pcapCtx, &ni.pcapWG, br, niConfig.Type, enableARPSnoop)
+ //ni.pcapWG.Add(1)
+ //go lc.sniffDNSandDHCP(pcapCtx, &ni.pcapWG, br, niConfig.Type, enableARPSnoop)
 lc.log.Noticef("%s: Started collecting state data for NI %v "+
 "(br: %+v, vifs: %+v)", LogAndErrPrefix, niConfig.UUID, br, vifs)
 return nil
@@ -286,12 +286,12 @@ func (lc *LinuxCollector) UpdateCollectingForNI(
 ni.vifs = newVifs
 if ni.arpSnoopEnabled != enableARPSnoop {
 // Restart packet capture with changed BPF filter.
- ni.cancelPCAP()
- ni.pcapWG.Wait()
- pcapCtx, cancelPCAP := context.WithCancel(context.Background())
- ni.cancelPCAP = cancelPCAP
- ni.pcapWG.Add(1)
- go lc.sniffDNSandDHCP(pcapCtx, &ni.pcapWG, ni.bridge, niConfig.Type, enableARPSnoop)
+ //ni.cancelPCAP()
+ //ni.pcapWG.Wait()
+ //pcapCtx, cancelPCAP := context.WithCancel(context.Background())
+ //ni.cancelPCAP = cancelPCAP
+ //ni.pcapWG.Add(1)
+ //go lc.sniffDNSandDHCP(pcapCtx, &ni.pcapWG, ni.bridge, niConfig.Type, enableARPSnoop)
 ni.arpSnoopEnabled = enableARPSnoop
 }
 lc.log.Noticef("%s: Updated state collecting for NI %v "+
@@ -307,9 +307,9 @@ func (lc *LinuxCollector) StopCollectingForNI(niID uuid.UUID) error {
 if _, exists := lc.nis[niID]; !exists {
 return ErrUnknownNI{NI: niID}
 }
- ni := lc.nis[niID]
- ni.cancelPCAP()
- ni.pcapWG.Wait()
+ //ni := lc.nis[niID]
+ //ni.cancelPCAP()
+ //ni.pcapWG.Wait()
 delete(lc.nis, niID)
 lc.log.Noticef("%s: Stopped collecting state data for NI %v", LogAndErrPrefix, niID)
 return nil
From 4d3ceef84d8a793144ee6744c2ae6b833c835f48 Mon Sep 17 00:00:00 2001
From: Milan Lenco
Date: Thu, 31 Oct 2024 12:26:48 +0100
Subject: [PATCH 3/9] Allow to connect to pprof from outside
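Review bot: In `UpdateCollectingForNI` the capture restart is commented out but `ni.arpSnoopEnabled = enableARPSnoop` still runs, so the struct records ARP snooping as toggled while no capture exists, and the `// Restart packet capture with changed BPF filter.` comment above the dead lines is now false. Readers of `arpSnoopEnabled` elsewhere will be misled; either stop updating the field while sniffing is disabled, or replace the comment with `// Packet capture is disabled; only the requested ARP-snoop setting is remembered.` so the mismatch is explicit. The function's signature and tail lie outside the hunk.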
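Review bot: `StopCollectingForNI` no longer invokes `ni.cancelPCAP()`, so the cancel function that `StartCollectingForNI` still creates is never called; with a `context.Background()` parent this leaks no goroutine, but it leaves a dead field that `go vet`'s lostcancel check will not flag because the function value escapes into the struct. Calling it before the `delete` is free and keeps teardown correct if the sniffer is re-enabled: `lc.nis[niID].cancelPCAP()`. The `pcapWG.Wait()` can stay out as long as nothing is added to the group.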
Signed-off-by: Milan Lenco
---
 pkg/pillar/agentlog/http-debug.go | 2 +-
 pkg/pillar/dpcreconciler/linux.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkg/pillar/agentlog/http-debug.go b/pkg/pillar/agentlog/http-debug.go
index a508b90a1a..1f44d49e29 100644
--- a/pkg/pillar/agentlog/http-debug.go
+++ b/pkg/pillar/agentlog/http-debug.go
@@ -32,7 +32,7 @@ var (
 psiCollectorCancel context.CancelFunc
 )
-var listenAddress = "localhost:6543"
+var listenAddress = ":6543"
 func roundToMb(b uint64) uint64 {
 kb := (b + 512) / 1024
diff --git a/pkg/pillar/dpcreconciler/linux.go b/pkg/pillar/dpcreconciler/linux.go
index acf50567ac..5eb8142da1 100644
--- a/pkg/pillar/dpcreconciler/linux.go
+++ b/pkg/pillar/dpcreconciler/linux.go
@@ -1701,6 +1701,14 @@ func (r *LinuxDpcReconciler) getIntendedFilterRules(gcp types.ConfigItemValueMap
 }
 inputV4Rules = append(inputV4Rules, dhcpRule)
+ pprofRule := iptables.Rule{
+ RuleLabel: "Allow PPROF",
+ MatchOpts: []string{"-p", "tcp", "--dport", "6543"},
+ Target: "ACCEPT",
+ Description: "Allow access to the PPROF HTTP server",
+ }
+ inputV4Rules = append(inputV4Rules, pprofRule)
+
 // Allow all ICMP traffic to enter the device from outside.
 icmpRule := iptables.Rule{
 RuleLabel: "Allow ICMP",
From eb3b1c55e293f72258ca1847eba6ee0065203ce8 Mon Sep 17 00:00:00 2001
From: Milan Lenco
Date: Thu, 31 Oct 2024 12:57:44 +0100
Subject: [PATCH 4/9] Disable LED blinking
Signed-off-by: Milan Lenco
---
 pkg/pillar/cmd/ledmanager/ledmanager.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pkg/pillar/cmd/ledmanager/ledmanager.go b/pkg/pillar/cmd/ledmanager/ledmanager.go
index c73a2189a0..97e746bff8 100644
--- a/pkg/pillar/cmd/ledmanager/ledmanager.go
+++ b/pkg/pillar/cmd/ledmanager/ledmanager.go
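Review bot: `var listenAddress = ":6543"` binds the debug HTTP server on every interface and both IP families, so pprof (heap and goroutine dumps, CPU profiles, plus whatever else this mux serves) becomes reachable without any authentication from every network the device is attached to, application networks included. Profiling endpoints are also a cheap denial-of-service lever, since a remote caller can keep the CPU profiler running. If remote access is needed for a measurement, keep `"localhost:6543"` and reach it over the existing management/SSH path, or bind only to a management-interface address behind a debug config item; a comment on the variable should state that it must never default to a wildcard bind.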
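Review bot: The new `Allow PPROF` rule in `getIntendedFilterRules` accepts TCP/6543 from any source on any interface—there is no `-s`, `-i` or config-item gate—so it opens the debug port unconditionally on every device that runs this build. If a debug rule is wanted at all, append it only when a debug config item from `gcp` is set and add `"-i", <management port>` and/or `"-s", <trusted subnet>` to `MatchOpts`, mirroring whatever restrictions the neighbouring rules apply. Only `inputV4Rules` receives the rule while the listener also accepts IPv6; clarify whether that asymmetry is intended. The enclosing function starts and ends outside the hunk.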
@@ -593,10 +593,13 @@ func InitForceDiskCmd(ledName string) string {
 // It assumes the init function has determined a diskRepeatCount and a disk.
 func ExecuteForceDiskCmd(deviceNetworkStatus *types.DeviceNetworkStatus,
 diskDevice string, blinkCount types.LedBlinkCount) {
- for i := 0; i < int(blinkCount); i++ {
- doForceDiskBlink(diskDevice)
- time.Sleep(200 * time.Millisecond)
- }
+ /*
+ for i := 0; i < int(blinkCount); i++ {
+ doForceDiskBlink(diskDevice)
+ time.Sleep(200 * time.Millisecond)
+ }
+
+ */
 }
 // doForceDiskBlink assumes the init function has determined a diskRepeatCount
From 31e60351cafc8f6d42027991445dca8b422e0fd9 Mon Sep 17 00:00:00 2001
From: Milan Lenco
Date: Thu, 31 Oct 2024 14:25:57 +0100
Subject: [PATCH 5/9] Disable process metrics publishing
Signed-off-by: Milan Lenco
---
 pkg/pillar/cmd/domainmgr/domainmgr.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/pkg/pillar/cmd/domainmgr/domainmgr.go b/pkg/pillar/cmd/domainmgr/domainmgr.go
index fcfabd3e86..9dfddafd8d 100644
--- a/pkg/pillar/cmd/domainmgr/domainmgr.go
+++ b/pkg/pillar/cmd/domainmgr/domainmgr.go
@@ -691,12 +691,14 @@ func getReservedCPUsNum() (int, error) {
 func publishProcessesHandler(domainCtx *domainContext) {
 start := time.Now()
- metrics, pids := gatherProcessMetricList(domainCtx)
- for _, m := range metrics {
- publishProcessMetric(domainCtx, &m)
- }
- unpublishRemovedPids(domainCtx, domainCtx.pids, pids)
- domainCtx.pids = pids
+ /*
+ metrics, pids := gatherProcessMetricList(domainCtx)
+ for _, m := range metrics {
+ publishProcessMetric(domainCtx, &m)
+ }
+ unpublishRemovedPids(domainCtx, domainCtx.pids, pids)
+ domainCtx.pids = pids
+ */
 domainCtx.ps.CheckMaxTimeTopic(agentName, "publishProcesses", start, warningTime, errorTime)
 }
From 1be90e91264a575d1b419f9483a18483388aed32 Mon Sep 17 00:00:00 2001
From: Milan Lenco
Date: Thu, 31 Oct 2024 15:00:33 +0100
Subject: [PATCH 6/9] Disable iptables for L2-only traffic
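Review bot: `ExecuteForceDiskCmd` is now an empty function whose two parameters are unused and whose helper `doForceDiskBlink` loses its only visible caller, while the comment just above it still says it assumes a disk and repeat count were determined for blinking. If blinking is being switched off for a measurement, an explicit early `return // LED blinking disabled for the performance experiment` ahead of the untouched loop is clearer and easier to revert than a block comment, and the doc line should say the function is currently a no-op. The function's doc comment begins outside the hunk.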
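Review bot: With its body commented out, `publishProcessesHandler` still fires on whatever schedule calls it and `CheckMaxTimeTopic` now times nothing, while `domainCtx.pids` and the unpublish bookkeeping go stale; if the handler is later re-enabled, the first `unpublishRemovedPids` call compares against an outdated pid set. If the goal is to remove the per-tick cost, disable the handler at its call site (outside the hunk) or guard the whole body with a config item, and document the no-op in the function's comment. `gatherProcessMetricList`, `publishProcessMetric` and `unpublishRemovedPids` also appear to lose their callers—confirm they are used elsewhere or they become dead code.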
Signed-off-by: Milan Lenco
---
 pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf b/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
index dbeeba9ba1..01e5ac42fb 100644
--- a/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
+++ b/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
@@ -7,9 +7,9 @@ net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
 # We use ip6tables for the bridge
-net.bridge.bridge-nf-call-ip6tables = 1
-net.bridge.bridge-nf-call-iptables = 1
-net.bridge.bridge-nf-call-arptables = 1
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
 # The following differs from default linuxkit/alpine of 1
 net.ipv4.conf.all.rp_filter = 2
 net.netfilter.nf_conntrack_acct = 1
From 10eb4ffccd9973f11ec9835eeb31d43d04665865 Mon Sep 17 00:00:00 2001
From: Milan Lenco
Date: Thu, 31 Oct 2024 15:01:57 +0100
Subject: [PATCH 7/9] Disable all-ones netmask by default
Signed-off-by: Milan Lenco
---
 pkg/pillar/types/global.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/pillar/types/global.go b/pkg/pillar/types/global.go
index 9b33134f48..d8c52802b6 100644
--- a/pkg/pillar/types/global.go
+++ b/pkg/pillar/types/global.go
@@ -940,7 +940,7 @@ func NewConfigItemSpecMap() ConfigItemSpecMap {
 configItemSpecMap.AddBoolItem(IgnoreMemoryCheckForApps, false)
 configItemSpecMap.AddBoolItem(IgnoreDiskCheckForApps, false)
 configItemSpecMap.AddBoolItem(AllowLogFastupload, false)
- configItemSpecMap.AddBoolItem(DisableDHCPAllOnesNetMask, false)
+ configItemSpecMap.AddBoolItem(DisableDHCPAllOnesNetMask, true)
 configItemSpecMap.AddBoolItem(ProcessCloudInitMultiPart, false)
 configItemSpecMap.AddBoolItem(ConsoleAccess, true) // Controller likely default to false
 configItemSpecMap.AddBoolItem(VncShimVMAccess, false)
From d1b23a6f98e70d5f98136162009f8701d1d45e1c Mon Sep 17 00:00:00 2001
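Review bot: The comment `# We use ip6tables for the bridge` now contradicts the three `= 0` settings beneath it and should become something like `# bridge netfilter disabled: iptables/ip6tables/arptables no longer see bridged (L2-forwarded) frames`. More importantly, with `bridge-nf-call-iptables = 0` any filter or conntrack rules the host installs to police frames forwarded between ports of the same bridge stop applying—presumably including the per-application ACLs and the flow accounting that the retained `net.netfilter.nf_conntrack_acct = 1` still asks for. Verify that isolation between applications on a shared network instance does not rely on those rules before this goes anywhere beyond a benchmark image.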
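Review bot: Flipping the built-in default of `DisableDHCPAllOnesNetMask` to `true` changes behaviour on every device whose controller does not set the item explicitly, not just the unit under test, and the all-ones (/32) netmask is, as I understand it, what forces traffic between applications on the same network instance through the bridge where the host can see and filter it—dropping it lets applications talk directly at L2, which compounds the effect of also turning off bridge netfilter. For a local experiment, set the item from the controller or a debug override rather than editing the spec map; if a new default is intended, state it in the config-item reference and add a short trailing comment on the line, following the file's convention seen on the `ConsoleAccess` entry. `NewConfigItemSpecMap` continues outside the hunk.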
From: Milan Lenco
Date: Fri, 11 Oct 2024 11:18:24 +0200
Subject: [PATCH 8/9] Use vhost as backend for tap interfaces
Signed-off-by: Milan Lenco
---
 pkg/pillar/hypervisor/kvm.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/pillar/hypervisor/kvm.go b/pkg/pillar/hypervisor/kvm.go
index 953a108eed..1373d7b739 100644
--- a/pkg/pillar/hypervisor/kvm.go
+++ b/pkg/pillar/hypervisor/kvm.go
@@ -364,6 +364,7 @@ const qemuNetTemplate = `
 br = "{{.Bridge}}"
 script = "/etc/xen/scripts/qemu-ifup"
 downscript = "no"
+ vhost = "on"
 [device "net{{.NetID}}"]
 driver = "{{.Driver}}"
From 1a7334b179662c8d793c25dc24b3e096c54b413f Mon Sep 17 00:00:00 2001
From: Milan Lenco
Date: Thu, 31 Oct 2024 17:12:29 +0100
Subject: [PATCH 9/9] Enable multiqueues on virtio-net interfaces
Signed-off-by: Milan Lenco
---
 pkg/pillar/hypervisor/kvm.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/pkg/pillar/hypervisor/kvm.go b/pkg/pillar/hypervisor/kvm.go
index 1373d7b739..3ba565b8a8 100644
--- a/pkg/pillar/hypervisor/kvm.go
+++ b/pkg/pillar/hypervisor/kvm.go
@@ -365,6 +365,9 @@ const qemuNetTemplate = `
 script = "/etc/xen/scripts/qemu-ifup"
 downscript = "no"
 vhost = "on"
+{{- if and (eq .Driver "virtio-net-pci") (gt .Queues 1) }}
+ queues = "{{.Queues}}"
+{{- end}}
 [device "net{{.NetID}}"]
 driver = "{{.Driver}}"
@@ -375,6 +378,10 @@ const qemuNetTemplate = `
 {{- if and (eq .Driver "virtio-net-pci") (ne .MTU 0) }}
 host_mtu = "{{.MTU}}"
 {{- end}}
+{{- if and (eq .Driver "virtio-net-pci") (gt .Queues 1) }}
+ mq = "on"
+ vectors = "{{.Vectors}}"
+{{- end}}
 `
 const qemuPciPassthruTemplate = `
@@ -990,6 +997,7 @@ func (ctx KvmContext) CreateDomConfig(domainName string,
 Driver string
 Mac, Bridge, Vif string
 MTU uint16
+ Queues, Vectors int
 }{PCIId: diskContext.PCIId, NetID: 0}
 t, _ = template.New("qemuNet").Parse(qemuNetTemplate)
 for _, net := range config.VifList {
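Review bot: `vhost = "on"` is emitted for every tap netdev regardless of frontend, while the driver-specific lines added to the same template are gated on `eq .Driver "virtio-net-pci"`; vhost only benefits virtio frontends, and for other NIC models it merely makes QEMU open `/dev/vhost-net` for nothing, as far as I know. It also introduces a hard dependency on `/dev/vhost-net` and the `vhost_net` module being visible inside the hypervisor container—depending on the QEMU version a missing node is either a warning or a failed domain start—so confirm the device node is passed through. Wrap it as `{{- if eq .Driver "virtio-net-pci" }}` / `vhost = "on"` / `{{- end}}` and note the prerequisite in a comment above `qemuNetTemplate`.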
@@ -1002,6 +1010,14 @@ func (ctx KvmContext) CreateDomConfig(domainName string,
 netContext.Driver = "virtio-net-pci"
 }
 netContext.MTU = net.MTU
+ // Configure one RX and one TX queue for every vCPU.
+ netContext.Queues = config.VCpus
+ // Formula for the number of MSI-X vectors:
+ // - one vector for every RX queue
+ // - one vector for every TX queue
+ // - one for configuration purposes
+ // - one for possible VQ (vector quantization) control
+ netContext.Vectors = 2*netContext.Queues + 2
 if err := t.Execute(file, netContext); err != nil {
 return logError("can't write to config file %s (%v)", file.Name(), err)
 }
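Review bot: The comment `// - one for possible VQ (vector quantization) control` is wrong: the extra MSI-X vector is for virtio-net's control virtqueue (ctrl_vq), not vector quantization, so it should read `// - one for the control virtqueue (ctrl_vq)`. `netContext.Queues = config.VCpus` also has no upper bound, and the tap/vhost backend and the virtio-net device both impose queue-pair limits that depend on the host kernel and QEMU version, so a large vCPU count may make QEMU reject the netdev; clamp to a documented maximum before assigning. It is also worth noting in the comment that the guest driver decides how many of the offered queue pairs it actually uses, so older guests may need `ethtool -L` to see any benefit. `CreateDomConfig` starts and ends outside the hunk.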