To verify whether the iptables regression patches improve performance for both direct iptables executions and for garden NetOut API calls.
time (./list-addrs 1000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real 0m2.678s
user 0m0.072s
sys 0m0.748s
time (./list-addrs 3000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real 0m31.723s
user 0m1.244s
sys 0m24.448s
time (./list-addrs 1000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real 0m0.960s
user 0m0.012s
sys 0m0.068s
time (./list-addrs 3000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real 0m4.357s
user 0m0.060s
sys 0m0.208s
note: These numbers were collected in the original regression report, on a different machine with similar specs, and are provided only for comparison.
time (./list-addrs 1000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real 0m0.815s
user 0m0.061s
sys 0m0.742s
time (./list-addrs 3000 | xargs -n1 iptables -A FORWARD -j ACCEPT -s)
real 0m3.975s
user 0m0.504s
sys 0m3.402s
This test timed:
- Container Creation
- Calling NetOut N times
- Container deletion
note: This test does more than just iptables rule addition, so the numbers are not directly comparable with the previous section, only against each other. The garden-runc version was built from 1.1
Ran 5 samples:
1000 rules:
Fastest Time: 8.784417s
Slowest Time: 9.193594s
Average Time: 8.921823s ± 0.143394s
Ran 5 samples:
3000 rules:
Fastest Time: 65.672428s
Slowest Time: 73.553792s
Average Time: 68.520923s ± 2.832919s
Ran 5 samples:
1000 rules:
Fastest Time: 5.600424s
Slowest Time: 5.866776s
Average Time: 5.712451s ± 0.099277s
Ran 5 samples:
3000 rules:
Fastest Time: 19.531686s
Slowest Time: 21.095214s
Average Time: 20.554699s ± 0.617351s
There is a clear increase in speed between the 4.2 kernel, which has the regression, and the patched 4.4 kernel, which is closer to the 3.19 performance.
We also confirmed that garden BulkNetOut operations using iptables-restore remained fast.
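
For comparison with the per-rule `iptables -A` loop timed above, this added shell example (not garden's code and not part of the original report) builds the same N ACCEPT rules as a single iptables-restore transaction. `gen_addrs` is a hypothetical stand-in for the report's `./list-addrs` helper, whose source is not shown, and the 10.0.0.0/8 addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: batch N ACCEPT rules into one iptables-restore transaction.
# gen_addrs is a hypothetical stand-in for ./list-addrs (source not shown);
# it emits N distinct constructed addresses inside 10.0.0.0/8.
gen_addrs() {
    n=$1
    i=0
    while [ "$i" -lt "$n" ]; do
        # Spread the counter over the last three octets: 10.b.c.d
        echo "10.$(( (i / 65536) % 256 )).$(( (i / 256) % 256 )).$(( i % 256 ))"
        i=$(( i + 1 ))
    done
}

# Build iptables-restore input: table header, one -A line per address, COMMIT.
gen_restore_payload() {
    echo '*filter'
    gen_addrs "$1" | while read -r addr; do
        echo "-A FORWARD -s $addr -j ACCEPT"
    done
    echo 'COMMIT'
}

# Apply the whole batch in one commit. --noflush keeps the existing rules
# (append semantics, like -A); without it the table contents are replaced.
# Requires root.
apply_bulk() {
    gen_restore_payload "$1" | iptables-restore --noflush
}

# Dry run: parse and build the ruleset without committing it to the kernel.
check_bulk() {
    gen_restore_payload "$1" | iptables-restore --noflush --test
}

# Usage (as root), after sourcing this file:  time apply_bulk 3000
```

Timing `apply_bulk 3000` on the same kernels gives a number to set beside the `xargs -n1 iptables -A` results, since the batch commits once instead of once per rule.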