perf: OPAProcessor.updateResults taking too much memory resources #1051
@matthyx @dwertent I'll push a PR to github.com/kubescape/opa-utils with a quick fix. I could introduce a better design there, for instance adding an "ExceptionProcessor" struct and turning the package-level funcs into mere methods of this new type. I don't yet have full visibility into the use cases for the "opa-utils" package, other than its being called by the kubescape CLI. For this first round, I've focused on cutting memory usage without breaking the opa-utils interface. Please advise on how best to move on from there.
Thanks Fred. I'll have a look on Monday 😃
Profile of the scan after the optimizations proposed in kubescape/opa-utils#74 and armosec/armoapi-go#44. Allocations: roughly 1/100th of the figure above (which was 20M). Total amount of memory allocated: 67MB, to be compared to 2GB.
Well done, it looks much better this way. I'll play with it tomorrow and confirm... So I need both PRs to see the improvement?
Wow! Well done 🥇
I will review the changes you made in opa-utils. In short: our SaaS uses the package as well, so I'm not sure it's a good idea to have global variables. In a way, I'd prefer that we break the interfaces rather than use global variables. I will try to suggest a solution after I see what you have done there.
/cc @vladklokun |
These screenshots are from scanning |
@dwertent I just ran it on my small dev cluster, so this is definitely not a huge cluster. However, that was already enough to witness 20 million allocs and 2GB of allocated/initialized/deallocated memory. As you can see, the proposed improvement is simplistic and doesn't challenge the method or the overall algorithm: it just caches previously found critical results (compiled regexps, resolved attributes), as these are used over and over again. I am pretty sure we could find a more efficient way to detect exceptions, but to be honest, I lack too much context to find one.
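The caching idea described above can be sketched as follows. This is a minimal illustration, not the actual opa-utils code: the type and function names (`regexpCache`, `compile`) are made up for the example. The point is that exception rules re-check the same patterns over and over, so compiling each pattern once and reusing it eliminates most of the alloc churn.

```go
package main

import (
	"fmt"
	"regexp"
	"sync"
)

// regexpCache memoizes compiled patterns so that repeatedly-checked
// exception rules do not recompile the same expression for every resource.
type regexpCache struct {
	mu    sync.RWMutex
	cache map[string]*regexp.Regexp
}

func newRegexpCache() *regexpCache {
	return &regexpCache{cache: make(map[string]*regexp.Regexp)}
}

// compile returns a cached *regexp.Regexp, compiling only on first use.
func (c *regexpCache) compile(pattern string) (*regexp.Regexp, error) {
	c.mu.RLock()
	re, ok := c.cache[pattern]
	c.mu.RUnlock()
	if ok {
		return re, nil
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	c.mu.Lock()
	c.cache[pattern] = re
	c.mu.Unlock()
	return re, nil
}

func main() {
	c := newRegexpCache()
	re1, _ := c.compile(`^kube-.*`)
	re2, _ := c.compile(`^kube-.*`) // second call hits the cache
	fmt.Println(re1 == re2, re1.MatchString("kube-system"))
}
```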
@dwertent OK, I suspected that opa-utils was also used in some server-side API component of some sort. Therefore I agree: package-level globals used as a cache are not really an option. It is rather easy to transform this into object-level caching, though. This would bring more changes into kubescape/opa-utils#74 to reach that state. For my initial round, I focused on minimal changes so the first review could concentrate on the concepts and methods, but I can certainly adapt it. The information I am missing is: how much of the opa-utils/exceptions package can bear breaking changes? Also please note another less important, but still useful, improvement proposal there: armosec/armoapi-go#45
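Moving from package-level globals to object-level caching could look like the sketch below. The `ExceptionProcessor` name mirrors the struct floated earlier in this thread, but the fields and methods here are hypothetical: the idea is simply that each caller (CLI scan or SaaS request) owns its own cache, so no shared mutable state leaks across concurrent server-side uses.

```go
package main

import (
	"fmt"
	"regexp"
)

// ExceptionProcessor owns its caches instead of relying on package-level
// globals, so concurrent server-side callers stay isolated from each other.
// (Hypothetical sketch; not the actual opa-utils design.)
type ExceptionProcessor struct {
	regexps map[string]*regexp.Regexp // per-instance cache, no shared state
}

func NewExceptionProcessor() *ExceptionProcessor {
	return &ExceptionProcessor{regexps: make(map[string]*regexp.Regexp)}
}

// matches reports whether value matches pattern, compiling the pattern at
// most once per processor instance. Not safe for concurrent use as written;
// a real version would guard the map with a mutex.
func (p *ExceptionProcessor) matches(pattern, value string) (bool, error) {
	re, ok := p.regexps[pattern]
	if !ok {
		var err error
		if re, err = regexp.Compile(pattern); err != nil {
			return false, err
		}
		p.regexps[pattern] = re
	}
	return re.MatchString(value), nil
}

func main() {
	p := NewExceptionProcessor()
	ok, _ := p.matches(`(?i)^deployment$`, "Deployment") // case-insensitive match
	fmt.Println(ok, len(p.regexps))
}
```

Breaking the package funcs into methods of such a type is the interface-breaking change discussed above; callers would construct a processor once per scan instead of calling free functions.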
@dwertent @matthyx another note about the proposed optimizations. Essentially, I am trading GC-activity CPU for cache-access CPU. The eventual result is overall a bit disappointing, because the massive gains on allocations are partly offset by the cost of computing cache keys. In particular, the CPU goes to great lengths to compute a hash over the map of attributes. Another less impactful, but still nagging, point was why we sometimes want case-sensitive regexps and sometimes not.
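One way to avoid repeatedly hashing a map of attributes is to build a cheap, deterministic string key from it once, then index an ordinary map cache with that key. The sketch below is illustrative only (the `attributesKey` helper and the attribute names are invented for the example); the key is deterministic because map keys are sorted before concatenation.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// attributesKey builds a deterministic string key from an attribute map by
// sorting its keys, so the result can index a plain map-based cache instead
// of re-hashing the map contents on every lookup.
func attributesKey(attrs map[string]string) string {
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys) // map iteration order is random; sorting makes the key stable
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k)
		b.WriteByte('=')
		b.WriteString(attrs[k])
		b.WriteByte(';')
	}
	return b.String()
}

func main() {
	k1 := attributesKey(map[string]string{"cluster": "dev", "namespace": "kube-system"})
	k2 := attributesKey(map[string]string{"namespace": "kube-system", "cluster": "dev"})
	fmt.Println(k1 == k2) // same attributes, same key, regardless of insertion order
	fmt.Println(k1)
}
```

A caveat: this assumes attribute values never contain the separator characters; a production version would escape them or use length-prefixed encoding.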
Very good results indeed. Now the biggest time consumer is the (unique) list handling we do inside: I am pretty sure we can skip all of this by storing reports in a more efficient way, to avoid making those calls hundreds of times.
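Storing results so that deduplication happens on insert, rather than re-scanning a slice for uniqueness hundreds of times, is the kind of restructuring suggested above. A minimal sketch (the `uniqueSet` type is invented for illustration, not the report structure used by kubescape):

```go
package main

import "fmt"

// uniqueSet accumulates resource IDs in a map-backed set, so deduplication
// is an O(1) check on insert instead of an O(n) slice scan per lookup.
type uniqueSet struct {
	seen  map[string]struct{}
	items []string // preserves insertion order for stable output
}

func newUniqueSet() *uniqueSet {
	return &uniqueSet{seen: make(map[string]struct{})}
}

func (s *uniqueSet) add(id string) {
	if _, ok := s.seen[id]; ok {
		return // already recorded; nothing to do
	}
	s.seen[id] = struct{}{}
	s.items = append(s.items, id)
}

func main() {
	s := newUniqueSet()
	for _, id := range []string{"pod/a", "pod/b", "pod/a", "pod/c", "pod/b"} {
		s.add(id)
	}
	fmt.Println(s.items) // duplicates were never appended
}
```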
@matthyx FYI I've started working on the "Process()" part now... The story is slightly different there, as the time is dominated by calls to ast.Compile in the OPA agent. Will push a draft sometime this week. Cheers.
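When an expensive compilation step like ast.Compile dominates, the usual remedy is to compile each policy source once and reuse the result across evaluations. The sketch below shows the generic compile-once pattern with a stand-in `compileFn`; it does not use the actual OPA API, and all names are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
)

// compileCache ensures each policy source is compiled exactly once, even
// under concurrent scans. compileFn stands in for the expensive compile
// step (a placeholder, not the real OPA ast.Compile call).
type compileCache struct {
	mu      sync.Mutex
	entries map[string]*compiledEntry
}

type compiledEntry struct {
	once   sync.Once
	result string // placeholder for a compiled policy object
}

func newCompileCache() *compileCache {
	return &compileCache{entries: make(map[string]*compiledEntry)}
}

var compileCalls int // instrumentation for the example only

func compileFn(src string) string {
	compileCalls++
	return "compiled:" + src
}

// get returns the compiled form of src, compiling at most once per source.
func (c *compileCache) get(src string) string {
	c.mu.Lock()
	e, ok := c.entries[src]
	if !ok {
		e = &compiledEntry{}
		c.entries[src] = e
	}
	c.mu.Unlock()
	// sync.Once keeps the slow compile outside the mutex, so other
	// sources can be fetched concurrently while this one compiles.
	e.once.Do(func() { e.result = compileFn(src) })
	return e.result
}

func main() {
	c := newCompileCache()
	c.get("package rules")
	c.get("package rules") // cache hit; compileFn is not called again
	fmt.Println(compileCalls)
}
```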
I'm not sure you can save much time there, but look at the unique and trim above |
Yeah, I already found them. There is room for improvement, but not much. These are low-hanging fruit anyhow, so I can go for it.
|
@fredbi can we close this one? |
I believe we can :) |
Description
As per our discussion with @matthyx (#1047 (comment)),
it appears that this part of the scanning process (OPAProcessor.updateResults) is a drag on memory allocation/space usage,
and represents a very significant portion of the scanning time.
Environment
OS:
Version:
Steps To Reproduce
Expected behavior
updateResults should not be that heavy on memory, and should execute in a smaller timeframe.
Actual Behavior
Profiling this method specifically, then running a kubescape scan, shows very high memory activity.
Additional context
Profiling the updateResults method leads to a few findings:
cc: @dwertent