Investigate disabling cgo for all Antrea binaries #5724
Comments
I suggest looking into this once #5691 has been addressed.
Findings

Impact on binary size

Current build

Agent:
Controller:

With cgo disabled

Agent:
Controller:

Findings

Binary size is (very) slightly smaller when disabling cgo: 98.60MB -> 98.47MB for antrea-agent, 90.39MB -> 90.27MB for antrea-controller.

Impact on build time

We evaluate the impact of running the default

Current build

9m49s

With cgo disabled

6m42s

Findings

Build time is reduced by around 30%. This is because the Go cache can be reused more effectively. If we look at these 2 commands:

antrea/build/images/Dockerfile.build.agent.ubuntu Lines 28 to 37 in a5e2792
When running the second command, the cache is mostly invalidated, because the value of CGO_ENABLED is different between the 2 go build commands.

Functionality

Usage of cgo in the Go standard library is mostly limited to the
Shared system libraries when cgo enabled

```
root@ba2971b2126c:/# ldd `which antrea-agent`
    linux-vdso.so.1 (0x00007fff5a526000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0ce320e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0ce343c000)
```

libc names

```
root@ba2971b2126c:/# nm `which antrea-agent` | grep " U "
U __errno_location
U abort
U fprintf
U fputc
U free
U freeaddrinfo
U fwrite
U gai_strerror
U getaddrinfo
U getgrgid_r
U getgrnam_r
U getnameinfo
U getpwnam_r
U getpwuid_r
U malloc
U mmap
U munmap
U nanosleep
U pthread_attr_destroy
U pthread_attr_getstack
U pthread_attr_getstacksize
U pthread_attr_init
U pthread_cond_broadcast
U pthread_cond_wait
U pthread_create
U pthread_detach
U pthread_getattr_np
U pthread_key_create
U pthread_mutex_lock
U pthread_mutex_unlock
U pthread_self
U pthread_setspecific
U pthread_sigmask
U res_search
U setenv
U sigaction
U sigaddset
U sigemptyset
U sigfillset
U sigismember
U stderr
U strerror
U sysconf
U unsetenv
U vfprintf
```

Note that on Windows, the net and os/user packages have never used cgo. One thing to look out for is name resolution for names ending in In theory, it is possible to have

antrea/pkg/agent/controller/networkpolicy/fqdn.go Lines 177 to 189 in a5e2792

antrea/pkg/agent/controller/networkpolicy/fqdn.go Lines 690 to 697 in a5e2792

Use of net.LookupIP in Antrea codebase

```
abasSMD6R:antrea abas$ git grep -i "lookupIP"
pkg/agent/controller/networkpolicy/fqdn.go:func (f *fqdnController) lookupIP(ctx context.Context, fqdn string) error {
pkg/agent/controller/networkpolicy/fqdn.go: if ips, err := resolver.LookupIP(ctx, "ip4", fqdn); err == nil {
pkg/agent/controller/networkpolicy/fqdn.go: if ips, err := resolver.LookupIP(ctx, "ip6", fqdn); err == nil {
pkg/agent/controller/networkpolicy/fqdn.go: return f.lookupIP(ctx, fqdn)
pkg/agent/controller/networkpolicy/fqdn_test.go:func TestLookupIPFallback(t *testing.T) {
pkg/agent/controller/networkpolicy/fqdn_test.go: err := f.lookupIP(ctx, "www.google.com")
third_party/ipam/nodeipam/node_ipam_controller.go: lookupIP func(host string) ([]net.IP, error)
third_party/ipam/nodeipam/node_ipam_controller.go: lookupIP: net.LookupIP,
third_party/proxy/util/utils.go: LookupIPAddr(ctx context.Context, host string) ([]net.IPAddr, error)
```

The references in `third_party/` don't seem to be actually used / relevant.

Conclusion

It seems that we can disable cgo without risk (forcing the pure Go resolver to always be used should not impact either the Antrea Agent or the Antrea Controller), and with a small benefit when it comes to container image build time.
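The `ldd` / `nm` inspection from the comment above, written as a Go program that could run in CI to confirm that a binary built with `CGO_ENABLED=0` no longer imports the libc resolver or user-lookup functions. This is an added example, not code from the Antrea project; the names `Imports`, `CgoUsers` and `cgoOnly`, and the mapping of libc symbols to the `net` and `os/user` packages, are assumptions made for illustration.

```go
package main

import (
	"debug/elf"
	"errors"
	"fmt"
	"os"
)

var cgoOnly = map[string]string{ // libc symbols used only by the cgo paths of net and os/user (example mapping)
	"getaddrinfo": "net", "getnameinfo": "net", "freeaddrinfo": "net",
	"gai_strerror": "net", "res_search": "net", "getpwnam_r": "os/user",
	"getpwuid_r": "os/user", "getgrnam_r": "os/user", "getgrgid_r": "os/user",
}

// Imports returns what ldd and `nm | grep " U "` show: DT_NEEDED and undefined symbols.
func Imports(path string) (libs, syms []string, err error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, nil, err
	}
	defer f.Close()
	libs, err = f.ImportedLibraries()
	imported, symErr := f.ImportedSymbols()
	if err == nil && !errors.Is(symErr, elf.ErrNoSymbols) {
		err = symErr // a static binary has no .dynsym; that is not a failure
	}
	for _, s := range imported {
		syms = append(syms, s.Name)
	}
	return libs, syms, err
}

// CgoUsers groups imported symbols by the Go package whose cgo path needs them.
func CgoUsers(syms []string) map[string][]string {
	out := map[string][]string{}
	for _, s := range syms {
		if pkg, ok := cgoOnly[s]; ok {
			out[pkg] = append(out[pkg], s)
		}
	}
	return out
}

func main() {
	for _, path := range os.Args { // os.Args[0] (this program), then any binaries passed as arguments
		libs, syms, err := Imports(path)
		fmt.Println(path, "needed:", libs, "cgo users:", CgoUsers(syms), "err:", err)
	}
}
```

For a binary built with cgo disabled, both the needed-library list and the cgo-users map are expected to be empty.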
Note that while by default (when cgo is available), Go defaults to the cgo-based resolver (which uses libc) to resolve names ending with I did some experiments with a program which simply calls
So it seems that the choice of resolver does not really impact resolution of K8s cluster local names.
I'm also planning to disable cgo for the flow-aggregator, based on the observations above (FA typically needs to resolve cluster local names to connect to collectors). Disabling cgo has no noticeable impact on binary size / build time.
Instead of selectively disabling cgo for some binaries (e.g., release assets), we now unconditionally disable cgo for all binaries, even those that only run inside the container image for which they were built (e.g., antrea-controller). After some analysis, there seems to be no downside in doing this. We also get some benefits such as reduced build time for the default make command. Fixes antrea-io#5724 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
* Disable cgo for all Antrea binaries

  Instead of selectively disabling cgo for some binaries (e.g., release assets), we now unconditionally disable cgo for all binaries, even those that only run inside the container image for which they were built (e.g., antrea-controller). After some analysis, there seems to be no downside in doing this. We also get some benefits such as reduced build time for the default make command.

  Fixes #5724

* Revert "Add git to antrea-build image for UBI build (#5727)"

  This reverts commit 2f8441b.

* Revert "Fix antrea-ubi image build (#5723)"

  This reverts commit 2afab06.

---------

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
This is a follow-up to #5722
To avoid similar issues in the future (e.g., with the `antrea/antrea-ubuntu` image), we should investigate disabling cgo (`CGO_ENABLED=0`) for all Antrea binaries (`antrea-agent` / `antrea-controller`), and not just for the `antctl` binaries.

Rather than blindly setting `CGO_ENABLED=0`, let's think of the possible impact. We should look at impact on binary size, and identify whether there will be any impact on functionality (this is unlikely).