Network binding plugin: Support compute container resource overhead

[orelmisan]

What this PR does / why we need it:
Some network binding plugins require compute resource overhead, for example the passt plugin requires additional memory overhead in the virt-launcher pod's compute container.
Suggest several alternatives to address this issue.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• Design: A design document was considered and is present (link) or not required
• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Testing: New code requires new unit tests. New features and bug fixes require at least on e2e test
• Documentation: A user-guide update was considered and is present (link) or not required. You want a user-guide update if it's a user facing feature / API change.
• Community: Announcement to kubevirt-dev was considered

Release note:

NONE

[kubevirt-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign alonakaplan for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[orelmisan]

/cc @EdDev @ormergi

[orelmisan]

/uncc @aburdenthehand @jobbler

[ormergi]

Thanks for the PR, overall looks good, see my inline comments.

Regarding the the PR description and second commit message, I think it should also mention that memory overhead is necessary to avoid pod eviction due to passt VMs consume more memory then expected, and improve passt VMs scheduling results; passt VMs wont be scheduled on nodes that doesnt have enough memory.

[ormergi]

I think resource limits should be as well, in case the pod satisfy QoS class Guaranteed the plugin overhead will not become the reason for violating it.

[orelmisan]

AFAIK, there is logic [1] to automatically add memory limits when needed (there is also an equivalent for CPU).

[1] https://github.com/kubevirt/kubevirt/blob/main/pkg/virt-controller/services/renderresources.go#L189

[ormergi]

I would rephrase this section to be vogue about the concrete plugin or dependency inside virt-launcher that requires it, saying in case a plugin requires memory overhead it should be specified in the CR, and refer to passt example.

[orelmisan]

Adjusted the wording, please tell me what you think.

[ormergi]

I would simplify this section saying the sidecar adds passt interface to the domain, similar to vDPA example, maybe mention it use libvirt user-space networking settings https://libvirt.org/formatdomain.html#userspace-slirp-or-passt-connection.
You can also refer to slirp example section saying passt sidecar works in similar way.

[EdDev]

First commit review.

Although I placed comments inline on that commit, I think it is not a must example addition.

At the design level, we are not really interested in a specific binding, but on the general concept.
The general concept can be applied on other bindings, just to provide an example on how to use it.

[EdDev]

Maybe we should use 1.0.X in the example.

[orelmisan]

This was removed.
Please ack so we can resolve the thread.

[EdDev]

I think the logicNetworkName is supposed to be passtnet.

[orelmisan]

This was removed.
Please ack so we can resolve the thread.

[EdDev]

We do configure networking for passt.

[orelmisan]

This was removed.
Please ack so we can resolve the thread.

[EdDev]

This should say: Not required for passt binding.

[orelmisan]

This was removed.
Please ack so we can resolve the thread.

[EdDev]

This name is not in-sync with the network name used in the VM spec.

[orelmisan]

This was removed.
Please ack so we can resolve the thread.

[EdDev]

Second commit:

The commit message hints and explains the passt binding and everything is driven from it. While this is correct in terms of why we do all this, I do not think we should start the story there.

The story should start from the need, mentioning passt as an example.
The fact that there is a binary alongside libvirt is not that important. If it was part of libvirt we would have needed to take that into account as well.

Also, it would be better to leave the details to the design and in the commit just provide the topic/subject. That way we can easily review it and adjusts it per that review.

[EdDev]

I would be specific here and mention the compute-container in the name.
E.g. computeResources.

This also opens up the different questions and options which should be discussed in a proposal:

• Should we consider only the compute container? What about the sidecar container?
• Ref the compute container, we can use a specific name for the field (e.g. computeResources) or we can make it configurable using a flag under a general resources.
• What is the reason for not just doing a computeMemoryRequest needs to convince the reviewers.

Now, we can make it even more general by moving away from the specific network usage of this and look at a general sidecar hook that KubeVirt supports.
E.g.: The Kubvirt CR will have a policy for allocating resources to sidecar containers and possible the compute container. Referencing this policy from the network binding definition or from a sidecar hook. This may be an overkill, but thinking about it and examining the pors/cons of it can be useful.

[EdDev]

I do not think we need to limit it to an additional binary. It could be just more resources from the cgroupv2 of the compute container, consumed by an existing binary (e.g. libvirt).

[orelmisan]

Done.

[EdDev]

I think you will have to explain why not:

• Directly memoryOverhead: 500Mi (BTW, it should be 500 and not 800).
• With explicit request and being open for adding limit.

[fabiand]

runtimeClasses have a pretty similar concept, maybe worth aligning the API idea
https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/

ie.

overhead:
  podFixed:
    memory: "120Mi"
    cpu: "250m"

[EdDev]

runtimeClasses have a pretty similar concept, maybe worth aligning the API idea

Interesting, thanks for sharing this.
I think the API could be in sync with the general resources concept.
This allows to control the resource additions to the container, with the ability to extend it in the future to any type of resource and define both request and limits.

The oddity here, as I see it, is how we express the resources of a different container (i.e. compute) and still not lock the ability to do the same for the sidecar itself.

[vladikr]

@EdDev I'm late to review this, but I don't understand why this API needs to add anything to the compute container and not simply advertise the resources needed to run this binding container?!
Same way as it's done for hotplug / other containers?
https://github.com/kubevirt/kubevirt/blob/main/pkg/virt-controller/services/renderresources.go#L611

[vladikr]

runtimeClasses have a pretty similar concept, maybe worth aligning the API idea https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/

ie.

overhead:
  podFixed:
    memory: "120Mi"
    cpu: "250m"

@fabiand I doubt it aligns well. This overhead API was invented for kata and the overhead is being added to any pod created with this runtimeclass, I don't think it aligns.

[vladikr]

@EdDev I'm late to review this, but I don't understand why this API needs to add anything to the compute container and not simply advertise the resources needed to run this binding container?! Same way as it's done for hotplug / other containers? https://github.com/kubevirt/kubevirt/blob/main/pkg/virt-controller/services/renderresources.go#L611

@EdDev do we expect all network binding to affect the compute container or is it just passt?
passt specifically uses a feature in qemu there for the GetMemoryOverhead functional can identify that passt will be used and add a passt specific overhead - this is instead of a kubevirt CR API.
What do you think?

[orelmisan]

@vladikr It is unknown at this stage how future network binding plugins will affect the compute container's resource consumption.
Network binding plugins have the ability to configure the domain, thus the virt stack might consume additional compute resources which KubeVirt cannot account for.

In the past year, the passt binding was converted from being a core feature to a plugin, so KubeVirt will not know in advance that is is used.
Also, we should strive for treating all plugins as equal IMO.

[fabiand]

@vladikr my comment was only about the API design, not about using the POD api.

[enp0s3]

@vladikr Hi
I see that according to the network binding plugin design document, one of the integration points that seems legit is the pod definition phase
There were no exceptions regarding resource rendering, and Kubevirt CR was advised as a potential API to extend in order to integrate into that point.

Given that the network binding design was accepted, and also the implementation of this design also got into the codebase, I am not sure how to proceed, I'm in favor of accepting this design.

Can you please advice @vladikr ?

[orelmisan]

Change: Removed the passt example, as it is not essential for to the proposal.

Addressed sidecar and compute container resource specification.

[orelmisan]

@EdDev @ormergi PTAL.

[EdDev]

First commit review.

[EdDev]

Please keep here the decided solution and place the alternatives (with a ref from here) to a dedicated appendix.

[orelmisan]

Done.

[EdDev]

This is specific for the binding plugin, not the sidecar. The sentence is not clear about this.
The definition is per the network binding plugin, and applied if the plugin uses a sidecar.

[orelmisan]

Done.

[EdDev]

I do not understand this one.

[orelmisan]

Discussed this point offline.
It was removed.

[EdDev]

The cluster admin is responsible to register the binding plugin in the first place, so I am unclear what this point means.

[orelmisan]

Discussed this point offline, improved the wording.

[EdDev]

The specified resource is define for each instance of usage or per the sidecar, irrelevant of the usage?
E.g. there may be 1 interface using the plugin or there may be 3 interfaces using the plugins in the same VM.

[orelmisan]

Addressed it in the text.

[EdDev]

How will the admission webhook be able to identify the relevant container?

[orelmisan]

Addressed it in the text.

[EdDev]

Thank you for the proposal.

The following general points should be considered and added:

• Effort cost estimation for each option.

[EdDev]

Please do not limit it to running an additional binary, the addition in memory or other resources may come from different reasons (e.g. libvirt itself requiring more memory due to the expected configuration).

[orelmisan]

Done.

[EdDev]

The current logic that adds overhead per internal core logic is colliding with adding manually an overhead? Specifically, if one specifies explicitly resource requests, are these being increased by Kubevirt logic or something else is happening?

[orelmisan]

The way it works is as follows:
A VM could be defined with both guest memory and memory resource specification:

apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: vm-cirros
spec:
  template:
    spec:
      domain:
        memory:
          guest: 128Mi
        resources:
          requests:
            memory: 640Mi # 128Mi for the guest + 512Mi for the network binding plugin

The virt-launcher pod's compute container will have a memory request which contains the sum of:

• Guest VM's memory (128Mi in this example).
• Memory overhead for KubeVirt's components (its size is dependent on the VMI's spec)
• Arbitrary memory overhead (512Mi in this example)

The domain XML will contains the the guest's memory specification (128Mi in this example).

As a side note, it is also possible to specify a memory request with less memory than the guest requires.

[EdDev]

I guess this is related to my prev question. Can you please confirm this is indeed the case?
I would be surprise if this is how it works.

[orelmisan]

This is not true.
I removed this line.

[EdDev]

Like with the sidecar previously, these points are not clear.

[orelmisan]

Discussed this point offline, adjusted the text.

[EdDev]

There is a need to explicitly specify if this overhead is added per plugin type or per plugin usage count (i.e. per the number of interfaces referencing it from the VM).

It is also important to specify if it is dependent on any other field/setup.
The previous sidecar resource are dependent on the existence of a sidecar, but this one may not have such a dependency.

[orelmisan]

Done.

[orelmisan]

Change: Split the sidecar's resource specification to #309

[EdDev]

Thank you!

[vladikr]

Could you please explain what binary can be executed and how it gets there?
How can an external plugin rely on the fact that a specific binary is part of the virt-launcher image?

[orelmisan]

This example was derived from the passt use case, on which the passt binary is shipped as part of the virt-launcher compute image.

Another example could be that the plugin configures the domain in a way that causes the virt-stack to consume additional compute resources that KubeVirt cannot account for.

[vladikr]

I think, we should speak of a specific functionality and not about arbitrary binaries.
virt-launcher should be well defined.
If we know what functionality we're enabling that requires additional overhead, kubevirt needs to know the resources it requires. Similar to other aspects accounted for in GetMemoryOverhead.

I would say that if we want an API for this it should be based on a functionality, not a binding.

Each resource consumption of it.

[orelmisan]

The plugin can perform actions that affect KubeVirt in ways it cannot account for.
Thus the need to externally add resources to the compute container.

[orelmisan]

Thank you for reviewing this proposal @vladikr, sorry it took some time to respond.

[aburdenthehand]

On behalf of SIG-compute, can one of @jean-edouard @stu-gott @enp0s3 @vladikr please re-review to move this forward. I can merge if I receive an approve or second lgtm from one of you. Thank you.

[kubevirt-bot]

Pull requests that are marked with lgtm should receive a review
from an approver within 1 week.

After that period the bot marks them with the label needs-approver-review.

/label needs-approver-review

[enp0s3]

/cc

[enp0s3]

Deferring the discussion for after the end year holidays

[kubevirt-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[fossedihelm]

/remove-lifecycle stale

[kubevirt-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[orelmisan]

/remove-lifecycle stale

[kubevirt-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[orelmisan]

/remove-lifecycle stale