Add throughput calculation into flow-aggregator

[heanlan]

Flow-visibility solution is moving away from elk flow collector, we are moving throughput calculation from logstash into flow-aggregator: vmware/go-ipfix#270

This PR makes the necessary changes on Antrea side corresponding to the changes in the above PR. More description can be found on the PR description of the above Go-ipfix PR.

fixes: #2211

[codecov-commenter]

Codecov Report

Merging #2692 (8089b7e) into main (fb57d91) will decrease coverage by 9.45%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##             main    #2692      +/-   ##
==========================================
- Coverage   60.85%   51.39%   -9.46%     
==========================================
  Files         292      462     +170     
  Lines       24766    53579   +28813     
==========================================
+ Hits        15072    27539   +12467     
- Misses       8050    23706   +15656     
- Partials     1644     2334     +690     

Flag	Coverage Δ
e2e-tests	51.03% <0.00%> (?)
integration-tests	31.59% <ø> (?)
kind-e2e-tests	47.36% <66.66%> (-0.67%)	⬇️
unit-tests	40.35% <60.60%> (+0.26%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/flowaggregator/flowaggregator.go	51.66% <50.00%> (-16.54%)	⬇️
pkg/agent/cniserver/ipam/antrea_ipam_controller.go	18.60% <0.00%> (-46.78%)	⬇️
pkg/agent/cniserver/pod_configuration_linux.go	26.31% <0.00%> (-40.36%)	⬇️
pkg/ipam/poolallocator/allocator.go	22.27% <0.00%> (-40.15%)	⬇️
pkg/ipfix/ipfix_intermediate.go	51.51% <0.00%> (-37.96%)	⬇️
pkg/agent/cniserver/ipam/antrea_ipam.go	41.46% <0.00%> (-35.01%)	⬇️
pkg/ipfix/ipfix_collector.go	50.00% <0.00%> (-31.82%)	⬇️
pkg/ipam/ipallocator/allocator.go	54.22% <0.00%> (-29.99%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	61.46% <0.00%> (-29.97%)	⬇️
pkg/controller/egress/validate.go	47.54% <0.00%> (-26.27%)	⬇️
... and 448 more

[antoninbas]

could you clarify why we get a more accurate throughput calculation by performing it at the aggregator? It seems to me that the formula you give in vmware/go-ipfix#270 (diff(octetTotalCount) / diff(flowEndSeconds)) could also be computed at the collector.

[antoninbas]

I didn't remember us having all these *SourceNode and *DestinationNodes IE variations for octet and packet counts. I wonder if this is really necessary. For octant and packet counts, do we actually use all these field variations?

[heanlan]

Yes, we have all these IE variations. Currently the only use case is we are using octetDeltaCountFromSourceNode/DestinationNode to compute node throughput in logstash. I agree these IE variations can be removed if we decide to add throughput information into the exported records.

[heanlan]

could you clarify why we get a more accurate throughput calculation by performing it at the aggregator? It seems to me that the formula you give in vmware/go-ipfix#270 (diff(octetTotalCount) / diff(flowEndSeconds)) could also be computed at the collector.

Hi @antoninbas , about why we want to do the throughput calculation in aggregator, I re-summarized the intuitions by a little bit, hope it will make a little bit more sense:

*Node specific fields: *SourceNode and *DestinationNodes IE variations for octet and packet counts
*common fields: octetDeltaCount/octetTotalCount

• Separate from elk-flow-collector. Previously we do throughput calculation in logstash, now we want to develop a new pipeline without elk. So we need to find a new place to do the throughput calculation. And essentially there will be more than one applications, we want to do the throughput calculation in a single place and the results can be used by all the apps.
• Accuracy. In the case of inter-node flows, there is some data discrepancy between source and destination stats. In this PR, source node throughput is calculated based on byte count and timestamp sent from the source node, destination node throughput is calculated based on byte count and timestamp sent from destination node. If we decide to remove the node specific fields, only export the common fields, and do the calculation at the front end, both source and destination node throughput will be calculated from the common fields. The result will be less accurate compare to calculated in aggregator.

[antoninbas]

@heanlan My concern is the growing size of the flow records and potentially the increasing CPU & memory consumption in the Flow Aggregator that goes with it. If you think this isn't an issue, we can add these fields. I originally thought throughput computation at the collector or collectors wouldn't be too much of a problem. Or that we would use a Kafka transformer to add throughput to the data once.

[heanlan]

@heanlan My concern is the growing size of the flow records and potentially the increasing CPU & memory consumption in the Flow Aggregator that goes with it. If you think this isn't an issue, we can add these fields. I originally thought throughput computation at the collector or collectors wouldn't be too much of a problem. Or that we would use a Kafka transformer to add throughput to the data once.

With IPFIX encoding we convert data into bytes, and Kai and Srikar suggested we would use protobuf later for better efficiency. So this would not be a big issue?
Also we want to remove the *SourceNode and *DestinationNodes IE variations for octet and packet counts in a follow-up PR, since there are no use cases for those fields.

[heanlan]

@antoninbas Do you think we can include this PR into v1.5 release?

[antoninbas]

@heanlan Antrea v1.5 is scheduled for December 22nd, so I don't see why not. This is not a very large PR.

[heanlan]

E2E test will fail as the ipfix-collector image is not available yet in registry. Will re-run when it's available.

[antoninbas]

I would simplify a bit the phrasing: "The number of packets for this flow as reported by the source Node, since the previous report for this flow at the observation point"

let me know if that works

[heanlan]

Thanks, Antonin. I simplified it accordingly.

[heanlan]

Image ipfix-collector:v0.5.11 still not available in the registry. Will ask help from the team tomorrow to fix it up.

[heanlan]

/test-all
/test-conformance
/test-integration
/test-e2e
/test-networkpolicy

[antoninbas]

Approving again

[tnqn]

LGTM, a typo

[tnqn]

Suggested change

	| tcpState | 136 | string | The state of the TCP connection. The states are: LISTEN, SYN-SENT, SYNRECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, and CLOSED. |
	| tcpState | 136 | string | The state of the TCP connection. The states are: LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, and CLOSED. |

[heanlan]

thanks Quan, updated

[tnqn]

LGTM

[tnqn]

@heanlan Some aggregator tests always failed in my local testbed because the following errors:

=== RUN   TestFlowAggregator/IPv4/LocalServiceAccess
    flowaggregator_test.go:633: Iperf throughput: 12800.00 Mbits/s, IPFIX record throughput: 0.00 Mbits/s
    flowaggregator_test.go:634:
                Error Trace:    flowaggregator_test.go:634
                                                        flowaggregator_test.go:525
                Error:          Max difference between 0 and 12800 allowed is 1920, but difference was -12800
                Test:           TestFlowAggregator/IPv4/LocalServiceAccess
                Messages:       Difference between Iperf bandwidth and IPFIX record bandwidth should be lower than 15%%
    flowaggregator_test.go:633: Iperf throughput: 12800.00 Mbits/s, IPFIX record throughput: 0.00 Mbits/s

I ran same tests for other PRs, they can pass most of times. So I'm not sure if it's related to this PR.
CI has recovered, but I'm not sure if the PR will run with the latest merged code (with a patch to fix CI). I will take a try anyway.
/test-e2e

[heanlan]

@heanlan Some aggregator tests always failed in my local testbed because the following errors:

Thanks Quan. I haven't seen this error before in my local vagrant env. And I triggered another run last night, it also passed:

=== RUN   TestFlowAggregator/IPv4/IntraNodeFlows
    flowaggregator_test.go:866: Network Policies are realized.
    flowaggregator_test.go:633: Iperf throughput: 27648.00 Mbits/s, IPFIX record throughput: 27868.87 Mbits/s
    flowaggregator_test.go:633: Iperf throughput: 27648.00 Mbits/s, IPFIX record throughput: 24829.58 Mbits/s
    flowaggregator_test.go:633: Iperf throughput: 27648.00 Mbits/s, IPFIX record throughput: 24934.12 Mbits/s
   
=== RUN   TestFlowAggregator/IPv4/InterNodeFlows
I0113 20:15:35.498249   83327 k8s_util.go:675] Creating/updating Antrea NetworkPolicy antrea-test/test-flow-aggregator-antrea-networkpolicy-ingress
I0113 20:15:35.514235   83327 k8s_util.go:675] Creating/updating Antrea NetworkPolicy antrea-test/test-flow-aggregator-antrea-networkpolicy-egress
    flowaggregator_test.go:901: Antrea Network Policies are realized.
    flowaggregator_test.go:633: Iperf throughput: 800.00 Mbits/s, IPFIX record throughput: 776.51 Mbits/s
    flowaggregator_test.go:633: Iperf throughput: 800.00 Mbits/s, IPFIX record throughput: 788.06 Mbits/s
    flowaggregator_test.go:633: Iperf throughput: 800.00 Mbits/s, IPFIX record throughput: 738.05 Mbits/s
    
=== RUN   TestFlowAggregator/IPv4/LocalServiceAccess
    flowaggregator_test.go:633: Iperf throughput: 28979.20 Mbits/s, IPFIX record throughput: 28160.11 Mbits/s
    flowaggregator_test.go:633: Iperf throughput: 28979.20 Mbits/s, IPFIX record throughput: 29254.94 Mbits/s
    flowaggregator_test.go:633: Iperf throughput: 28979.20 Mbits/s, IPFIX record throughput: 26198.28 Mbits/s
    
    
=== RUN   TestFlowAggregator/IPv4/RemoteServiceAccess
    flowaggregator_test.go:633: Iperf throughput: 813.00 Mbits/s, IPFIX record throughput: 854.69 Mbits/s
    flowaggregator_test.go:633: Iperf throughput: 813.00 Mbits/s, IPFIX record throughput: 713.43 Mbits/s
    flowaggregator_test.go:633: Iperf throughput: 813.00 Mbits/s, IPFIX record throughput: 749.17 Mbits/s

It seems the e2e test was not running with the CI fix-patch.

Does the error only happen in LocalServiceAccess? We might need to dump more log in order to triage the fail run in your local env. e.g. Add a line in L578 in flowaggregator_test:

t.Log(record)

to see the received IPFIX records. The throughput field can be 0 when all the received records having the same timestamp.

[heanlan]

/test-e2e

[tnqn]

@heanlan This is the previous e2e log I collected: e2e.log

I reran the test with the line added: e2e-2.log, and the antrea component logs: antrea-test-506706938.tar.gz

[heanlan]

/test-e2e

[heanlan]

@heanlan This is the previous e2e log I collected: e2e.log

I reran the test with the line added: e2e-2.log, and the antrea component logs: antrea-test-506706938.tar.gz

Thanks Quan.

• In your local testbed:
  It seems to be the flow-aggregator image issue. The newly-added throughput fields were not reflected in the records you printed out. Usually when I run test locally, in order to reflect the new changes in flow-aggregator code, I will build the image manually and use it in the flow-aggregator yaml file.
  If you would please to try again, you could change antrea/build/yamls/flow-aggregator.yml: L266 to the line below, and scp the yaml file to the node to run again.

hanlan/flow-aggregator:latest

• In the recovered Jenkins testbed:
  The bandwidth checks have all passed. The test failure in log is unrelated to the changes in this PR. The failure never happened before on other testbeds, e.g. vagrant, kind, your local testbed. I'm re-running the test to see if the failure is stable.

=== CONT  TestFlowAggregator
    fixtures.go:396: Deleting 'antrea-test' K8s Namespace
    fixtures.go:382: Error when gracefully exiting Flow Aggregator: error when gracefully exiting Flow Aggregator - copy flow-aggregator coverage files out: cannot retrieve content of file 'flow-aggregator.cov.out' from Pod 'flow-aggregator-5d46df4797-bcct8', stderr: <cat: flow-aggregator.cov.out: No such file or directory
        >, err: <command terminated with exit code 1>
--- FAIL: TestFlowAggregator (219.90s)
    --- PASS: TestFlowAggregator/IPv4 (108.15s)
        --- PASS: TestFlowAggregator/IPv4/IntraNodeFlows (13.46s)
        --- PASS: TestFlowAggregator/IPv4/IntraNodeDenyConnIngressANP (6.09s)
        --- PASS: TestFlowAggregator/IPv4/IntraNodeDenyConnEgressANP (2.89s)
        --- PASS: TestFlowAggregator/IPv4/IntraNodeDenyConnNP (8.24s)
        --- PASS: TestFlowAggregator/IPv4/InterNodeFlows (13.79s)
        --- PASS: TestFlowAggregator/IPv4/InterNodeDenyConnIngressANP (6.43s)
        --- PASS: TestFlowAggregator/IPv4/InterNodeDenyConnEgressANP (2.95s)
        --- PASS: TestFlowAggregator/IPv4/InterNodeDenyConnNP (8.23s)
        --- PASS: TestFlowAggregator/IPv4/ToExternalFlows (9.35s)
        --- PASS: TestFlowAggregator/IPv4/LocalServiceAccess (14.18s)
        --- PASS: TestFlowAggregator/IPv4/RemoteServiceAccess (13.52s)
        --- PASS: TestFlowAggregator/IPv4/Antctl (5.93s)

[heanlan]

/test-e2e

[heanlan]

/test-e2e

[tnqn]

@heanlan thanks for pointing out the issue in my local testbed and sorry for forgetting to rebuild flow-aggregator image. I have reran the test and it passed.
The e2e failure in CI was unrelated, I will skip it.
/skip-e2e