shared_client: Bump request id

[jrajahalme]

Only fail out if non-conflicting request id can not be found.

This works on the premise that the callers are fine with the request id
being modified at this point. Current use sets a random id just prior to
Exchange call, so this premise is satisfied.

[gandro]

This seems harmless to me, but I'm still not confident in my understanding of SharedClient.

cc @marseel if you also want to take a look, since you know that particular piece better than I do

[marseel]

I was thinking about it yesterday :)

I think it looks alright, but the main trigger for this issue is probably something like this:

• We are sending a constant stream of DNS requests
• For some of them we get responses, for some we don't
• We never time out waiting for requests in waitingResponses and they get stuck there - this happens because we have only a single timeout here that is never triggered as we still receive some of the responses.

So I think this change definitely makes sense, but more important IMHO would be to have separate timeouts per request in waitingResponses

Does it make sense @jrajahalme ?

[jrajahalme]

I was thinking about it yesterday :)

I think it looks alright, but the main trigger for this issue is probably something like this:

• We are sending a constant stream of DNS requests
• For some of them we get responses, for some we don't
• We never time out waiting for requests in waitingResponses and they get stuck there - this happens because we have only a single timeout here that is never triggered as we still receive some of the responses.

So I think this change definitely makes sense, but more important IMHO would be to have separate timeouts per request in waitingResponses

Does it make sense @jrajahalme ?

Makes total sense. I'll look into adding request-specific timeouts.

[jrajahalme]

@marseel Added per-request timeout handling via a deadline queue using container/heap, please have a look!

[marseel]

@gandro probably you want to take another look as well :)

[marseel]

nit: return time.Until(wq.waiters[0].deadline)

[jrajahalme]

done!

[marseel]

We will need to change https://github.com/cilium/cilium/blob/931b8167ea29bfd3ae8e6f11f41a8a1c531c33c8/pkg/fqdn/dnsproxy/proxy.go#L599
or switch this error to net.Error Timeout IIUC.

[jrajahalme]

Good point, not sure how to return a net.Error Timeout though?

[jrajahalme]

Have to implement net.Error interface:

// errTimeout is an an error representing a request timeout.
// Implements net.Error
type errTimeout struct {
}

func (e errTimeout) Timeout() bool { return true }

// Temporary is deprecated. Return false.
func (e errTimeout) Temporary() bool { return false }

func (e errTimeout) Error() string {
	return "request timed out"
}

var netErrorTimeout errTimeout

[jrajahalme]

done!

[marseel]

I'm not sure how safe it is to use kind of "predictable" Ids - https://nvd.nist.gov/vuln/detail/CVE-2008-0087 . I would probably try a few times (for example 3) Id() instead. That would also give a more predictable runtime.

[jrajahalme]

Each request starts from a random number (via Id()) by the caller), so it should not be likely that the Id's of consecutive requests would be sequential. This relies on the caller, though.

IMO 3 random tries might not work if there are a lot of requests in flight?

[marseel]

IMO 3 random tries might not work if there are a lot of requests in flight?

true, but that would require ~10s of thousands of inflight requests - meaning probably something else is wrong already. I would consider using fixed-number as a circuit-breaker.

For example, with 32k inflight requests, we would still have a chance of 1 - (32000/65000)^4 ~= 0.94 of getting a new correct ID.

[jrajahalme]

Done, with 5 tries.

[jrajahalme]

I would consider using fixed-number as a circuit-breaker.

Did not get this, though?

[marseel]

ah, nvm that's what I meant essentially, fixed loop.

[gandro]

I need to do a more in-depth review of the last commit, but here are is a bit of feedback from a first pass

[gandro]

I don't follow this comment. Sending on closed channel panics - surely that's not how we prevent the senders from sending requests? I assume the real check from preventing senders is that conn is nil, right?

[jrajahalme]

SharedClient.close() (note: not a close(<channel>)) is called when the shared client can no longer be used for new requests. So there is nothing sent to the closed channel. The point of the comment is that the range loop on the channel completes only after the channel is closed (by the side sending to the channel), so we are guaranteed to send replies to all requests received on this channel.

[gandro]

unrelated nit: Given the sheer amount of highly concurrent code in shared client, we should also run with go test -race in this workflow

[gandro]

Reset is not safe to use when the timer is not drained https://pkg.go.dev/time#Timer.Reset

How do we know that the timer is drained here?

[jrajahalme]

Thanks for noting this, will have to work around this...

[jrajahalme]

@marseel FYI we are seeing CI flakes due to ID collisions in cilium main, so it is prudent to at least be retrying to get a good ID (like in this PR):

  ❌ Found 1 logs in kind-kind/kube-system/cilium-jgxqz (cilium-agent) matching list of errors that must be investigated:
time="2024-05-03T07:20:54Z" level=error msg="Cannot forward proxied DNS lookup" DNSRequestID=45017 dnsName=one.one.one.one. endpointID=1252 error="duplicate request id 224" identity=10831 ipAddr="10.244.2.92:47175" subsys=fqdn/dnsproxy (1 occurrences)

[marseel]

FYI we are seeing CI flakes due to ID collisions in cilium main, so it is prudent to at least be retrying to get a good ID (like in this PR):

Interesting, that would mean we were hitting this issue even with a low number of concurrent requests 🤔
In that case, I guess we could merge retry only first to mitigate these failures and then follow-up with heap and timeouts.

[jrajahalme]

FYI we are seeing CI flakes due to ID collisions in cilium main, so it is prudent to at least be retrying to get a good ID (like in this PR):

Interesting, that would mean we were hitting this issue even with a low number of concurrent requests 🤔 In that case, I guess we could merge retry only first to mitigate these failures and then follow-up with heap and timeouts.

Here's a PR for the 1st commit only: #13