[Carry 1534] Improve scalabiltiy of bridge network isolation rules #2117
Conversation
- This reduces complexity from O(N^2) to O(2N) Signed-off-by: Alessandro Boch <aboch@docker.com> Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Codecov Report
@@ Coverage Diff @@
## master #2117 +/- ##
=========================================
Coverage ? 40.41%
=========================================
Files ? 139
Lines ? 22388
Branches ? 0
=========================================
Hits ? 9047
Misses ? 12014
Partials ? 1327
Continue to review full report at Codecov.
|
|
❤️ thanks! ping @fcrisciani @ctelfer PTAL |
drivers/bridge/setup_ip_tables.go
Outdated
| if err != nil { | ||
| return nil, nil, nil, fmt.Errorf("failed to create FILTER isolation chain: %v", err) | ||
| return nil, nil, nil, nil, fmt.Errorf("failed to create FILTER isolation chain: %v", err) | ||
| } | ||
|
|
There was a problem hiding this comment.
If creating isolationChain2 fails, this code will not roll back the creation of isolationChain1. Please add a deferred cleanup function as above w/ the DockerChains for Filter and NAT. Also, although the original code didn't have a cleanup for isolationChain (now isolationChain1), please add one to gracefully handle failure to add the return rule2.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
|
Fixes to address my comments look good. Doing one more pass on a review. Thanks! |
drivers/bridge/bridge.go
Outdated
| } | ||
| // Install the rules to isolate this network against each of the other networks | ||
| if err := setINC(thisConfig.BridgeName, enable); err != nil { | ||
| return err | ||
| } | ||
|
|
||
| return nil |
There was a problem hiding this comment.
Hrmm.. I didn't catch this the first time around, but when doing a quick build test locally, my machine flagged something that CI apparently didn't with golint. Maybe I have a different golint version.
drivers/bridge/bridge.go:316:2: redundant if ...; err != nil check, just return error instead.
Makefile:109: recipe for target 'lint' failed
It is right: it would be cleaner to change the last few lines to:
return setINC(thisConfig.BridgeName, enable)It builds fine once that change is made. Sorry, for not catching this when requesting the error handling change.
There was a problem hiding this comment.
Agreed @ctelfer , If there is an error anyway we are not printing any error messages inside the if case.
| networks map[string]*bridgeNetwork | ||
| store datastore.DataStore | ||
| nlh *netlink.Handle | ||
| configNetwork sync.Mutex | ||
| sync.Mutex | ||
| } | ||
|
|
There was a problem hiding this comment.
What changed in the entire structure ? new change and old attributes looks same to me except "isolationChain1 , isolationChain2"
There was a problem hiding this comment.
It's due to go's formatting; it will align all variables, and 1 and 2 make the left column one position wider. If you add ?w=1 to the GitHub URL you'll see the diff without whitespace changes; https://github.com/docker/libnetwork/pull/2117/files?w=1
|
LGTM |
|
Thats make it cleaner to view diff. Thanks *@thaJeztah*
…On Mon, Mar 26, 2018 at 2:56 PM, Sebastiaan van Stijn < ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In drivers/bridge/bridge.go
<#2117 (comment)>:
> - filterChain *iptables.ChainInfo
- isolationChain *iptables.ChainInfo
- networks map[string]*bridgeNetwork
- store datastore.DataStore
- nlh *netlink.Handle
- configNetwork sync.Mutex
+ config *configuration
+ network *bridgeNetwork
+ natChain *iptables.ChainInfo
+ filterChain *iptables.ChainInfo
+ isolationChain1 *iptables.ChainInfo
+ isolationChain2 *iptables.ChainInfo
+ networks map[string]*bridgeNetwork
+ store datastore.DataStore
+ nlh *netlink.Handle
+ configNetwork sync.Mutex
sync.Mutex
}
It's due to go's formatting; it will align all variables, and 1 and 2
make the left column one position wider. If you add ?w=1 to the GitHub
URL you'll see the diff without whitespace changes;
https://github.com/docker/libnetwork/pull/2117/files?w=1
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2117 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AKEKn9ewKieEOKdqpbI2Nyj_wp0wyBmPks5tiTnvgaJpZM4Svq1V>
.
|
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
|
fixed lint issue, PTAL |
|
LGTM |
|
Thanks @AkihiroSuda |
Carry #1534
Related to moby/moby#26435
Reported as example the time measurement for creating 50 bridge networks and for pruning them.
Also because of the removal of the loop in isolateNetwork(), the timing is drastically improved: