Add support for Container CPU Utilization Resource Monitor

[nix1n]

Risk Level: Low
Testing: Unit tests
Docs Changes:
Release Notes:
Platform Specific Features: Today this is only implemented for Linux

In my org we use envoy in containerised K8s environment, this PR will allow us to trigger overload actions based on the container cpu utilization of the pod where envoy is running.

[repokitteh-read-only]

Hi @nix1n, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #37792 was opened by nix1n.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #37792 was opened by nix1n.

see: more, trace.

[KBaichoo]

Thank you for working on this! I think we can try to reuse some of the existing components from the other cpu monitor to make this even better.

[KBaichoo]

If we did the folding this file would effectively merge with the existing https://github.com/envoyproxy/envoy/blob/main/source/extensions/resource_monitors/cpu_utilization/cpu_utilization_monitor.h which it looks to me to be very similar.

[KBaichoo]

/wait

[markdroth]

I'm having trouble parsing this sentence. Can you please clarify?

[KBaichoo]

Thanks for working on simplifying this, this looks much better.

/wait

[KBaichoo]

What is the reason we can't use the existing cpu times structure given it has effectively the same fields?

This would simplify the utilization monitor as it could then just use the CpuStatsReader interface vs the concrete implementation class.

[nix1n]

@KBaichoo actually, for Host CPU Utilization, we just need /proc/stat file to read cpu_work and cpu_times both of the field in CpuTimes.
While to calculate container cpu utilization we need to read two different files to read allocated quota at some time, usage seconds total in nanoseconds at that time, and the time_difference from the timer only I could find to calculate. This method we are using in our ambassador edge stack service also, but to update injected resource pressure from a parallely running python script using same calculation strategy.

ref: google/cadvisor#2026 (comment)

So I created another class to read cgroup stats, which read allocated quota, total cpu time in nanoseconds.

This can be merged with CpuTimes class itself but not sure what meaningful naming would suffice for these two though both are uint64_t data type only. But yeah then the reader class also would need to access config mode and based on config mode it should calculate and return stats accordingly.

[nix1n]

Time difference can be calculated by timeSource only in case of cgroup metrics . Which we don't need while calculating usage of host from /proc/stat file since all the data in this is time dependent already.

[KBaichoo]

This is a good point, if we were to push down the time source into the cgroup stats reader (along with some other logic) we would be able to produce the same format for CpuTimes -- e.g. https://github.com/envoyproxy/envoy/pull/37792/files#diff-1183c2c3937672e9d4c85d700d1e54ef13d360b4b517a0c643a8e46c13c3eb79R120

we could then de-dup a lot of the implementation details from being brought up at the monitor layer to avoid the monitoring layer having to have implementations for all of the different readers.

[nix1n]

@KBaichoo in that case, in cgroupstatsreader, I have to derive some calculation to incorporate timing also to allocated millicores and usage seconds total metrics to make it equivalent to , cputimes fields total time and work time ? Something like that you are meaning ? And then the resource monitor would still using the original strategy without checking config mode and switching the calculation strategy?

[nix1n]

This is a good point, if we were to push down the time source into the cgroup stats reader (along with some other logic) we would be able to produce the same format for CpuTimes -- e.g.

have checked the calculation strategy, It should work. But trying now to pushdown timesource from context in stats reader.

[nix1n]

@KBaichoo /proc/uptime has precision till 100th of a second. We can use this without using timesource if refresh_interval is not selected below 0.01 seconds. But where to set it's limit ? How much less refresh_interval we can set ? Is it given ? We use 5 second of refresh_interval for loadshedding in our ambassador edgestack. Will there be any usecase that devs would use this for even less than 0.01 second refresh interval ?

[nix1n]

Using proc/uptime metrics to calculate will get us rid of timesource in reader class and much simpler implementaion. Just with 1 limitation, refresh_interval less than 0.01 second won't work properly, but might update resource pressure as soon as the monitor's loop interval crosses 0.01 second. For refresh_interval greater than 0.01 seconds, it would be perfect. Please let me know if you will allow this. For us it should be sufficient.

[nix1n]

Have implemented all tests and functionality using proc/uptime. @KBaichoo . This should be sufficient for us.

[KBaichoo]

I might be missing something, why do we need to use uptime vs the timesource? ISTM it might be cheaper to use timesource e.g. no file open, etc. and no limitation on uptime granularity.

100% agree that for most use cases polling resource monitors faster is a great way to eat up CPU.

[KBaichoo]

as mentioned above in https://github.com/envoyproxy/envoy/pull/37792/files#diff-9281e66aafccb8196311602044a32a4ac53a877d7bae55cc591df8f30ae15810R25 if we go that route this can then just inherit directly from CpuStatsReader interface.

[nix1n]

@KBaichoo have got rid of timesource and removed multiple redundancies and simplified the monitor as well , our org would not use refresh_interval smaller than even 1 second. And envoy's cpu overhead again increases if we use more smaller refresh_interval . So sticking with /proc/uptime stats which has precision of 0.01 second. Which is more than enough for most usecases and from now on linux cpu stats reader will be sending stats to monitor based on the strategy configured.

[KBaichoo]

/wait

[KBaichoo]

to be more specific I meant to use the non-mangled named like:

envoy::extensions::resource_monitors::cpu_utilization::v3::CpuUtilizationConfig::UtilizationComputeStrategy

[nix1n]

I did try this earlier already, it won't build. Previous two ways were only compiling successfully for me. If we use this we have to use default in switch statement then only it builds which you said to avoid.

[nix1n]

[nix1n]

we can try something like this then, container is specific mode. rest for default computeHostUsage()

[KBaichoo]

This is a good point, if we were to push down the time source into the cgroup stats reader (along with some other logic) we would be able to produce the same format for CpuTimes -- e.g. https://github.com/envoyproxy/envoy/pull/37792/files#diff-1183c2c3937672e9d4c85d700d1e54ef13d360b4b517a0c643a8e46c13c3eb79R120

we could then de-dup a lot of the implementation details from being brought up at the monitor layer to avoid the monitoring layer having to have implementations for all of the different readers.

[nix1n]

/ready

[KBaichoo]

This is looking much better and almost ready to land. Thank you for iterating on this @nix1n!

[KBaichoo]

Can you fix the grammar in this sentence, something like:
The CPU utilization resource monitors and reports CPU usage across different platforms.

[nix1n]

done

[KBaichoo]

s/for//

[nix1n]

done

[KBaichoo]

s/HOST ,/HOST,/.

[nix1n]

done

[KBaichoo]

I see you used kind of the "strategy" pattern here, I think we could simplify this by having two different implementations since e.g.

LinuxHostCpuStatReader which inherits and implement CpuStatsReader and
LinuxContainerCpuStatsReader which inherits and implements CpuStatsReader.

The implementations would just be getCpuTimes having the corresponding code of getHostCpuTimes or getContainerCpuTimes and we'd avoid the check every time -- instead just doing the check once in the factor for making the cpu utilization monitor.

The other nice part about that is that only the relevant files would need to be provided to the different implementations.

Since both return the same underlying CPUTimes and the CPU Utilization monitor uses the interface to interact with them there shouldn't be any friction there.

[nix1n]

Done and got the timesource implemented in reader itself.

[KBaichoo]

I might be missing something, why do we need to use uptime vs the timesource? ISTM it might be cheaper to use timesource e.g. no file open, etc. and no limitation on uptime granularity.

100% agree that for most use cases polling resource monitors faster is a great way to eat up CPU.

[KBaichoo]

Why did we need to switch these to doubles?

[nix1n]

Updated calculation strategy, Now it's just
double work_time, [ This is due to division operation by allocated cpu millicores for averaging. So for container mode, it will divide that's why to accomodate the calculation. ]
and total_time is uint64_t again,
, and since now I have incorporated timesource within LinuxContainerCpuStatsReader, we can return time in nanoseconds as integer itself. Previously it was using proc/uptime so to accomodate it's 1/100th precision it was double. Have changed it back to uint64_t.
So now it's
double work_time;
uint64_t total_time;

Can you get it released soon ? @KBaichoo .

[nix1n]

Will there be a problem in merging it if coverage test is failing but for other extension. @KBaichoo

Per-extension coverage failed:
Code coverage for source/common/quic is lower than limit of 93.4 (93.3)
Yesterday it was fine.

[KBaichoo]

/wait