Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use correct cgroups root path when operating in host-mapped mode #473

Merged
merged 5 commits into from
Feb 4, 2025
Merged

fix: use correct cgroups root path when operating in host-mapped mode #473

merged 5 commits into from
Feb 4, 2025

Conversation

tobz
Copy link
Member

@tobz tobz commented Feb 4, 2025
edited
Loading

Summary

In the scenario where ADP (and, likewise, the Datadog Agent) is deployed in a containerized environment, it will attempt to query the host for the current cgroups hierarchy (either v1 or v2) in order to discover any containers running on the host. It does so by taking some configuration around where the host's /proc and /sys/fs/cgroup (container_proc_root and container_cgroup_root, respectively) have been mapped to within the ADP container, and then examines all mountpoints to find the active cgroups hierarchy. Based on what it finds, it uses that information to inform subsequent calls, whether that be finding all child cgroups mapped to containers, or attempting to find the cgroup attached to a specific process ID.

This process is meant to ultimately provide the "root" path -- the base of all cgroup controllers -- which is then prepended to relative per-cgroup paths, allowing for canonicalizing the path to individual cgroup controllers, which is necessary for extracting information like the cgroup controller inode, that ultimately plays a role in Origin Detection.

This PR fixes a bug with this querying process where we did not correctly filter out duplicate mountpoints when trying to find a matching cgroupfs mountpoint. Based on the host's /sys/fs/cgroup path is mapped into the ADP container, the "mounts" file (/host/proc/mounts) will have two sets of cgroupfs entries: one under /sys/fs/cgroup and one under /host/sys/fs/cgroup. The host-mapped path is the one that must be used, as it relates to the entire host and all containers running therein, whereas the "normal" one is scoped to the ADP container itself.

The Datadog Agent has logic to skip cgroupfs mountpoints that aren't rooted within the configured container_cgroup_root path, but ADP was missing this logic. As such, we first encountering the ADP container-scoped cgroupfs mounts at /sys/fs/cgroup, and choosing that as our cgroup root path for all subsequent operations, leading to never actually finding any of the intended container cgroups.

Change Type

  • Bug fix
  • New feature
  • Non-functional (chore, refactoring, docs)
  • Performance

How did you test this PR?

Prior to the PR, deployed ADP to staging and observed (through debug logging) that ADP was trying to query cgroup controllers rooted at /sys/fs/cgroup/.... After the fix, I deployed to staging again and, looking at the same logging, could see it using the correctly rooted /host/sys/fs/cgroup/... paths.

I additionally used a dashboard that tracked the count of a specific metric, which depended on Origin Detection functioning correctly, grouped by a certain origin-based tag having either no value or any value at all. Prior to this PR, the value for the "no value" variant was non-zero, and was the reciprocal of the "any value at all" variant. After this PR, the "no value" variant dropped to 0 and the "any value at all" variant returned to its previous value.

References

N/A

@github-actions github-actions bot added the area/config Configuration. label Feb 4, 2025
@pr-commenter
Copy link

pr-commenter bot commented Feb 4, 2025
edited
Loading

Regression Detector (DogStatsD)

Regression Detector Results

Run ID: 1a349bdf-e412-4e2b-bf4d-ea80f71ac647

Baseline: 7.63.0-rc.2
Comparison: 7.63.0-rc.2

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
quality_gates_idle_rss memory utilization +0.20 [+0.10, +0.31] 1
dsd_uds_100mb_3k_contexts_distributions_only memory utilization +0.15 [-0.02, +0.31] 1
dsd_uds_1mb_50k_contexts_memlimit ingress throughput +0.00 [-0.00, +0.00] 1
dsd_uds_512kb_3k_contexts ingress throughput +0.00 [-0.01, +0.01] 1
dsd_uds_1mb_3k_contexts ingress throughput -0.00 [-0.00, +0.00] 1
dsd_uds_1mb_50k_contexts ingress throughput -0.00 [-0.00, +0.00] 1
dsd_uds_1mb_3k_contexts_dualship ingress throughput -0.00 [-0.00, +0.00] 1
dsd_uds_40mb_12k_contexts_40_senders ingress throughput -0.00 [-0.01, +0.00] 1
dsd_uds_10mb_3k_contexts ingress throughput -0.01 [-0.02, +0.00] 1
dsd_uds_100mb_3k_contexts ingress throughput -0.01 [-0.06, +0.04] 1
dsd_uds_100mb_250k_contexts ingress throughput -0.01 [-0.04, +0.01] 1
dsd_uds_500mb_3k_contexts ingress throughput -1.71 [-1.84, -1.57] 1

Bounds Checks: ❌ Failed

perf experiment bounds_check_name replicates_passed links
quality_gates_idle_rss memory_usage 0/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

@pr-commenter
Copy link

pr-commenter bot commented Feb 4, 2025
edited
Loading

Regression Detector (Saluki)

Regression Detector Results

Run ID: 03166c9a-074b-4b92-b60f-f0ec79dead7e

Baseline: 2b44efa
Comparison: 945d871
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
quality_gates_idle_rss memory utilization +0.04 [+0.01, +0.06] 1
dsd_uds_40mb_12k_contexts_40_senders ingress throughput +0.02 [-0.01, +0.05] 1
dsd_uds_10mb_3k_contexts ingress throughput +0.00 [-0.02, +0.03] 1
dsd_uds_100mb_3k_contexts ingress throughput +0.00 [-0.04, +0.05] 1
dsd_uds_1mb_3k_contexts_dualship ingress throughput +0.00 [-0.00, +0.00] 1
dsd_uds_50mb_10k_contexts_no_inlining ingress throughput +0.00 [-0.07, +0.07] 1
dsd_uds_100mb_250k_contexts ingress throughput -0.00 [-0.04, +0.04] 1
dsd_uds_512kb_3k_contexts ingress throughput -0.00 [-0.01, +0.01] 1
dsd_uds_1mb_50k_contexts ingress throughput -0.01 [-0.02, +0.01] 1
dsd_uds_50mb_10k_contexts_no_inlining_no_allocs ingress throughput -0.01 [-0.05, +0.03] 1
dsd_uds_1mb_3k_contexts ingress throughput -0.01 [-0.03, +0.00] 1
dsd_uds_1mb_50k_contexts_memlimit ingress throughput -0.32 [-0.85, +0.20] 1
dsd_uds_100mb_3k_contexts_distributions_only memory utilization -0.66 [-0.79, -0.54] 1
dsd_uds_500mb_3k_contexts ingress throughput -1.94 [-2.06, -1.82] 1

Bounds Checks: ✅ Passed

perf experiment bounds_check_name replicates_passed links
quality_gates_idle_rss memory_usage 10/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

@pr-commenter
Copy link

pr-commenter bot commented Feb 4, 2025
edited
Loading

Regression Detector Links

Experiment Result Links

experiment link(s)
dsd_uds_100mb_250k_contexts [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_100mb_3k_contexts [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_100mb_3k_contexts_distributions_only [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_10mb_3k_contexts [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_1mb_3k_contexts [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_1mb_3k_contexts_dualship [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_1mb_50k_contexts [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_1mb_50k_contexts_memlimit [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_40mb_12k_contexts_40_senders [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_500mb_3k_contexts [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_512kb_3k_contexts [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
quality_gates_idle_rss [Profiling (ADP)] [Profiling (DSD)] [SMP Dashboard]
dsd_uds_50mb_10k_contexts_no_inlining (ADP only) [Profiling (ADP)] [SMP Dashboard]
dsd_uds_50mb_10k_contexts_no_inlining_no_allocs (ADP only) [Profiling (ADP)] [SMP Dashboard]

@tobz tobz marked this pull request as ready for review February 4, 2025 19:12
@tobz tobz requested a review from a team as a code owner February 4, 2025 19:12
@tobz tobz changed the title chore: additional debugging output in CgroupsReader fix: use correct cgroups root path when operating in host-mapped mode Feb 4, 2025
@tobz tobz added the type/bug Bug fixes. label Feb 4, 2025
lukesteensen
lukesteensen previously approved these changes Feb 4, 2025
View reviewed changes
@tobz tobz merged commit f056199 into main Feb 4, 2025
21 checks passed
@tobz tobz deleted the tobz/nested-process-id-additional-cgroups-reader-debugging branch February 4, 2025 20:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lukesteensen lukesteensen lukesteensen approved these changes

Assignees
No one assigned
Labels
area/config Configuration. type/bug Bug fixes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tobz @lukesteensen