udp: limit number of reads per event loop

[danzh2010]

Commit Message: To prevent long event loop when too many UDP packets are in the queue, limit how many packets to read in each event loop. If haven't finished reading, artifacts a READ event to continue in the next event loop.
Additional Description:
Add numPacketsExpectedPerEventLoop() callback to UdpListenerCallback, so that QUIC listener can tell how many packets it wants to read in each loop. The actually number of packets read are still bound by MAX_NUM_PACKETS_PER_EVENT_LOOP (6000).
Quic listener returns numPacketsExpectedPerEventLoop() based on number of connections it has at the moment and the configured envoy::config::listener::QuicProtocolOptions.packets_to_read_to_connection_count_ratio.
Made InjectableSingleton really thread safe.

Risk Level: medium, other than quic listener, other UdpListenerCallbacks return max size_t for numPacketsExpectedPerEventLoop(). This will cause those callbacks to read 6000 packets per READ event.
Testing: added udp listener unit tests.

Fixes #16335 #16278
Part of #16198 #16493

[antoniovicente]

I think this will result in too few packets being read when the number of active QUIC connections is small.

[danzh2010]

We can change the lower bound in readPacketsFromSocket() to something larger than 1. What's a reasonable number for that? Google internal code also use 1 as lower bound actually.

[antoniovicente]

I would say that for parity with TCP you probably need this to be 32 to 100 per active QUIC connection in the small number of connections case. It's hard to say without loadtests.

[danzh2010]

Please note that this number will *16 when using recvmmsg. If there is one connection, the event loop duration is 500us and the lower bound is 100 reads, the expected max bandwidth is 100 * 16 * 1400 bytes / 0.0005s = 4.17GB/s = 33Gbps. Would a connection have such send rate?

[antoniovicente]

It would be good to make the packet read rate the same when recvmmsg is in-use / not-in-use

What are your thoughts in making these limits in number of packets and adjusting the number of calls in cases recvmmsg is used?

Regarding the math above, my concerned is about proxy behavior when event loop duration grows above 5ms, which would result in a decrease in the number of UDP packets that can be processed per second. Also, what are the more common QUIC packets that you expect to receive? I think they are ACKs and window updates which use smaller UDP packets; actual receive bps would be relatively small unless the proxy somehow is mostly receiving large POSTs from the clients.

[danzh2010]

ACKs are most common packets if we are doing large download.

[antoniovicente]

I think that at least for downstreams downloads are more common than uploads.

Thoughts about making these limits configurable and accepting the same number of packets per wakeup for both recvmmsg and recvmsg ?

[antoniovicente]

Consider making this limit configurable. In a way 100 seems too small, QUIC will be at a disadvantage against TCP; the whole QUIC subsystem will be allowed to read the equivalent of 1 to 3 HTTP2 connections per wakeup. When there's moderate load on the proxy, QUIC traffic will grind to a halt while HTTP2 will continue performing fine.

[danzh2010]

What's a reasonable number for this?

[antoniovicente]

I don't know. I would suggest running load tests that compare H2 and QUIC throughput when there are competing requests at the proxy. I would consider config parameters that specify the number of packets or MB of QUIC data to process per worker wakeup.

Another alternative to consider if having the limit grow in cases where the UDP code notices that it wasn't able to fully drain the socket. Or attempt to drain as many packets as they are in the UDP receive buffer at the start of the UDP receive loop.

Also consider the consequences of these limits:
Say that you have a UDP receive packet limit in the kernel of 10,000 packets but you only allow draining 100 per wakeup. As the duration of each wakeup increases, you start getting older and older packets in each subsequent wakeup until every packet you read ends up being so old that the client has given up by the time you start processing the packet. This can be a problem specially when handling DNS; a burst of attack DNS requests could lead to real requests backing up and failing for an extended period of time as you slowly drain old requests from the queue.

[alyssawilk]

So if I understand this, right now UDP floods can starve TCP, and if we flip this, UDP floods would starve UDP. I agree that this should scale with session load, but as QUIC is alpha I'd prefer it be affected by starvation, and have a TODO for scaling. This would need a relnote and a config or runtime override for non-QUIC UDP. I think basic scaling is a fixed number of packets (was it 16?) per QUIC session if you want to address it in place.

[antoniovicente]

I'm saying that with this change, TCP will starve UDP.

[danzh2010]

A question please, do we have read limit for TCP connections? RawBufferSocket::doRead() doesn't seem to have it, but I'm not 100% sure.

[alyssawilk]

yeah, shouldDrainReadBuffer is how it's limited - stops when you hit the configured buffer limit

[danzh2010]

So if I understand this, right now UDP floods can starve TCP, and if we flip this, UDP floods would starve UDP. I agree that this should scale with session load, but as QUIC is alpha I'd prefer it be affected by starvation, and have a TODO for scaling. This would need a relnote and a config or runtime override for non-QUIC UDP.

For non-QUIC, do we still want to drain the socket on each read event?

I think basic scaling is a fixed number of packets (was it 16?) per QUIC session if you want to address it in place.

If we are using recvmmsg, we get a multiplier of 16 from existing implementation. That's why numReadsExpectedPerEventLoop() just return session number.

[antoniovicente]

A possible question is how many hot fds we can get back from epoll_wait per wakeup. I expect the answer to be somewhere in the 16 to 256 range. For fairness between TCP and UDP on the upper side of that range with a TCP read size of 32kb per connection I think we should allow read of about 6k UDP packets per wakeup. I guess 100 attempts returning 16 packets each is only a factor of 4 away from that, so the threshold of 100 recvmmsg with each returning up to 16 packets is actually pretty good. I thought that the limits above resulted in 1 packet per active QUIC connection up to a limit of 100 packets.

[danzh2010]

I changed the logic to limit number of packets read per loop and put upper limit to be 6000.

[antoniovicente]

tests?

[danzh2010]

I realize I shouldn't make decision for UDP proxy how many packets to read. Will leave it as max size_t and TODO for @mattklein123

[antoniovicente]

CI detected a compile failure:

2021-05-03T21:18:48.7400427Z bazel-out/k8-opt/bin/source/common/quic/_virtual_includes/active_quic_listener_lib/common/quic/active_quic_listener.h:55:10: error: declaration of 'numPacketsExpectedPerEventLoop' overrides a 'final' function
2021-05-03T21:18:48.7401278Z   size_t numPacketsExpectedPerEventLoop() const override;
2021-05-03T21:18:48.7401756Z          ^
2021-05-03T21:18:48.7402670Z bazel-out/k8-opt/bin/source/server/_virtual_includes/active_udp_listener/server/active_udp_listener.h:40:10: note: overridden virtual function is here
2021-05-03T21:18:48.7403415Z   size_t numPacketsExpectedPerEventLoop() const final {
2021-05-03T21:18:48.7421776Z          ^
2021-05-03T21:18:48.7422316Z 1 error generated.

[antoniovicente]

Still seeing compile errors.

/wait

opt/bin/include/envoy/server/overload/_virtual_includes/thread_local_test/common/network/udp_fuzz.cc:68:30: error: variable type 'Envoy::(anonymous namespace)::FuzzUdpListenerCallbacks' is an abstract class
2021-05-05T16:48:52.3387670Z     FuzzUdpListenerCallbacks fuzzCallbacks(this);
2021-05-05T16:48:52.3388166Z                              ^
2021-05-05T16:48:52.3389409Z bazel-out/k8-opt/bin/include/envoy/network/_virtual_includes/listener_interface/envoy/network/listener.h:337:18: note: unimplemented pure virtual method 'numPacketsExpectedPerEventLoop' in 'FuzzUdpListenerCallbacks'
2021-05-05T16:48:52.3390197Z   virtual size_t numPacketsExpectedPerEventLoop() const PURE;
2021-05-05T16:48:52.3390618Z                  ^
2021-05-05T16:48:52.3391158Z 1 error generated.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @lizan
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #16180 was synchronize by danzh2010.

see: more, trace.

[antoniovicente]

Please look at CI spell check error.

/wait

[alyssawilk]

LGTM, though needs a main merge to land

[alyssawilk]

also if this solves #16335 does it also fix any of
#16278 (flaky quic_http_integration_test)
#16493 (flaky QuicHttpIntegrationTest)
#16198 (slow tests)
basically I wonder if the others were caused by looping/starvation?

[danzh2010]

also if this solves #16335 does it also fix any of
#16278 (flaky quic_http_integration_test)

Yeah, this PR should fix these two.

#16493 (flaky QuicHttpIntegrationTest)

There is another data race in FakeUpstream needs to be addressed in the test helper function.

#16198 (slow tests)
basically I wonder if the others were caused by looping/starvation?

It didn't fully resolve the slowness as I retried to remove the TSAN timeout factor and extra upstream timeout, the tests still failed, though at a much lower rate.

[alyssawilk]

@lizan this is ready for API review

[adisuissa]

/lgtm api