This PR started as part of a degradation in performance for the
gateways.
The way to test performance in a realistic environment is using a GCP VM
as a client and an AWS VM as a gateway with a single iperf server behind
the gateway.
Then the `iperf` results with current main:
```
Connecting to host 172.31.92.238, port 5201
Reverse mode, remote host 172.31.92.238 is sending
[ 5] local 100.83.194.77 port 58426 connected to 172.31.92.238 port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 1.01 MBytes 8.50 Mbits/sec
[ 5] 1.00-2.00 sec 1.14 MBytes 9.59 Mbits/sec
[ 5] 2.00-3.00 sec 699 KBytes 5.73 Mbits/sec
[ 5] 3.00-4.00 sec 1.11 MBytes 9.31 Mbits/sec
[ 5] 4.00-5.00 sec 664 KBytes 5.44 Mbits/sec
[ 5] 5.00-6.00 sec 591 KBytes 4.84 Mbits/sec
[ 5] 6.00-7.00 sec 722 KBytes 5.91 Mbits/sec
[ 5] 7.00-8.00 sec 833 KBytes 6.83 Mbits/sec
[ 5] 8.00-9.00 sec 738 KBytes 6.04 Mbits/sec
[ 5] 9.00-10.00 sec 836 KBytes 6.85 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.06 sec 8.78 MBytes 7.32 Mbits/sec 3 sender
[ 5] 0.00-10.00 sec 8.23 MBytes 6.90 Mbits/sec receiver
iperf Done.
```
Most of the performance problems were due to using SCTP and DTLS.
So I created a
[fork](https://github.com/firezone/webrtc/tree/expose-new-endpoint) of
webrtc that lets us circumvent those, since we don't need them because we
are depending on wireguard for encryption.
With those changes much better throughput is achieved:
```
gabriel@cloudshell:~ (firezone-personal-instances)$ iperf3 -R -c 172.31.92.238
Connecting to host 172.31.92.238, port 5201
Reverse mode, remote host 172.31.92.238 is sending
[ 5] local 100.83.194.77 port 51206 connected to 172.31.92.238 port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 5.60 MBytes 47.0 Mbits/sec
[ 5] 1.00-2.00 sec 17.2 MBytes 144 Mbits/sec
[ 5] 2.00-3.00 sec 15.8 MBytes 132 Mbits/sec
[ 5] 3.00-4.00 sec 14.8 MBytes 125 Mbits/sec
[ 5] 4.00-5.00 sec 15.9 MBytes 133 Mbits/sec
[ 5] 5.00-6.00 sec 15.8 MBytes 133 Mbits/sec
[ 5] 6.00-7.00 sec 15.3 MBytes 128 Mbits/sec
[ 5] 7.00-8.00 sec 15.6 MBytes 131 Mbits/sec
[ 5] 8.00-9.00 sec 15.6 MBytes 131 Mbits/sec
[ 5] 9.00-10.00 sec 16.0 MBytes 134 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.05 sec 151 MBytes 126 Mbits/sec 74 sender
[ 5] 0.00-10.00 sec 148 MBytes 124 Mbits/sec receiver
iperf Done
```
However, this is still worse than what was achieved with a previous
commit (`21afdf0a9a113c996d60a63b2e8c8f32d3aeb87`):
```
gabriel@cloudshell:~ (firezone-personal-instances)$ iperf3 -R -c 172.31.92.238
Connecting to host 172.31.92.238, port 5201
Reverse mode, remote host 172.31.92.238 is sending
[ 5] local 100.100.68.41 port 49762 connected to 172.31.92.238 port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 6.14 MBytes 51.5 Mbits/sec
[ 5] 1.00-2.00 sec 17.1 MBytes 144 Mbits/sec
[ 5] 2.00-3.00 sec 22.8 MBytes 191 Mbits/sec
[ 5] 3.00-4.00 sec 23.5 MBytes 197 Mbits/sec
[ 5] 4.00-5.00 sec 23.0 MBytes 193 Mbits/sec
[ 5] 5.00-6.00 sec 22.1 MBytes 185 Mbits/sec
[ 5] 6.00-7.00 sec 23.0 MBytes 193 Mbits/sec
[ 5] 7.00-8.00 sec 22.7 MBytes 190 Mbits/sec
[ 5] 8.00-9.00 sec 21.0 MBytes 176 Mbits/sec
[ 5] 9.00-10.00 sec 19.9 MBytes 167 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.05 sec 204 MBytes 170 Mbits/sec 127 sender
[ 5] 0.00-10.00 sec 201 MBytes 169 Mbits/sec receiver
```
My profiling suggested that this is due to reading/writing packets
happening in its own dedicated tasks. So much so that maybe in the
future we should even consider spawning their own dedicated runtime so
that those loops have a dedicated OS thread.
Also, probably using a multi-queue interface will give us huge gains if
we have a dedicated task for each queue (currently the interface is
started as a multi-queue but a single file descriptor is used) for
handling multiple concurrent clients.
However, the changes proposed in this PR are good enough for now as long
as performance doesn't degrade.
In that line I will create a CI that reports the throughput using the
local `docker-compose.yml` file that we should always check before
merging. That is not the be-all and end-all of the performance story, but for
smaller PRs the correlation to real-world throughput should be enough.
For bigger PRs we should manually test before merging for now, until we
have a way in CI to spin up some realistic tests (note that VMs should be
in separate cloud environments; the same-cloud links are so reliable that
we miss actual performance degradation due to dropped packets). On this
note I'll write a small manual on how to conduct those tests with full
current results that we should always use before merging new PRs that
affect the hot-path. cc @thomaseizinger
Finally, when testing these changes I found some flakiness regarding the
re-connection path. So I changed things so that we clean up connections
only using wireguard's error (connection expiration). This is quite slow
for now (~120 seconds) but in the future we can issue an ICE restart
each time wireguard keepalive expires (rekey timeout) so that we can
restart the connection each ~30 seconds, and we can reduce the keepalive
timeout from the portal to accelerate it even more. And in the future we can
get smarter about it.
---------
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
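Added example, not part of the original commit message or the project's CI: one way to turn the throughput comparison described above into a merge check is to parse the receiver summary line of each `iperf3` report and fail when the candidate drops too far below a reference run. The report excerpts are copied from the three runs quoted above; the function names and the 10% threshold are assumptions.

```python
import re

# Summary line of an iperf3 text report, e.g.
#   [ 5] 0.00-10.00 sec 8.23 MBytes 6.90 Mbits/sec receiver
# Per-second interval lines carry no sender/receiver tag and do not match.
SUMMARY = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\w+\s+"
    r"([\d.]+)\s+([KMG]?)bits/sec\s+(?:\d+\s+)?(sender|receiver)\s*$"
)
TO_MBITS = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}

# Lines copied from the three runs quoted in the commit message above.
MAIN = """[ 5] 9.00-10.00 sec 836 KBytes 6.85 Mbits/sec
[ 5] 0.00-10.06 sec 8.78 MBytes 7.32 Mbits/sec 3 sender
[ 5] 0.00-10.00 sec 8.23 MBytes 6.90 Mbits/sec receiver"""
THIS_PR = """[ 5] 0.00-10.05 sec 151 MBytes 126 Mbits/sec 74 sender
[ 5] 0.00-10.00 sec 148 MBytes 124 Mbits/sec receiver"""
OLD_COMMIT = """[ 5] 0.00-10.05 sec 204 MBytes 170 Mbits/sec 127 sender
[ 5] 0.00-10.00 sec 201 MBytes 169 Mbits/sec receiver"""


def receiver_mbits(report: str) -> float:
    """Return the receiver-side average bitrate of one run in Mbits/sec."""
    for line in report.splitlines():
        m = SUMMARY.match(line.strip())
        if m and m.group(3) == "receiver":
            return float(m.group(1)) * TO_MBITS[m.group(2)]
    # A truncated or failed run must fail the check, not pass silently.
    raise ValueError("no receiver summary line in iperf3 report")


def gate(baseline: str, candidate: str, max_drop: float = 0.10):
    """Compare two reports; return (ok, relative change of candidate).

    max_drop is an assumed threshold, not a value taken from the PR.
    """
    base, cand = receiver_mbits(baseline), receiver_mbits(candidate)
    change = (cand - base) / base
    return change >= -max_drop, change


if __name__ == "__main__":
    for name, ref in (("main", MAIN), ("old commit", OLD_COMMIT)):
        ok, change = gate(ref, THIS_PR)
        print(f"PR vs {name}: {change:+.1%} -> {'ok' if ok else 'REGRESSION'}")
```
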
Bumps [env_logger](https://github.com/rust-cli/env_logger) from 0.10.0
to 0.10.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rust-cli/env_logger/blob/main/CHANGELOG.md">env_logger's
changelog</a>.</em></p>
<blockquote>
<h2>[0.10.1] - 2023-11-10</h2>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="36623f573b"><code>36623f5</code></a>
chore: Release env_logger version 0.10.1</li>
<li><a
href="8a033d8438"><code>8a033d8</code></a>
chore: Fix packaging</li>
<li><a
href="9df7e6c081"><code>9df7e6c</code></a>
Merge pull request <a
href="https://redirect.github.com/rust-cli/env_logger/issues/241">#241</a>
from ChrisDenton/simple-insert</li>
<li><a
href="46ccdd94f5"><code>46ccdd9</code></a>
perf: Replace <code>HashMap</code> with a <code>Vec</code></li>
<li><a
href="bdc96a421f"><code>bdc96a4</code></a>
Merge pull request <a
href="https://redirect.github.com/rust-cli/env_logger/issues/249">#249</a>
from atouchet/v10</li>
<li><a
href="983837c47b"><code>983837c</code></a>
Update links and remove broken badge</li>
<li><a
href="dcd220dfaf"><code>dcd220d</code></a>
Update listed version number</li>
<li><a
href="36b1508ea1"><code>36b1508</code></a>
Merge pull request <a
href="https://redirect.github.com/rust-cli/env_logger/issues/260">#260</a>
from y-yagi/2018-edition</li>
<li><a
href="6f64347c6a"><code>6f64347</code></a>
Merge pull request <a
href="https://redirect.github.com/rust-cli/env_logger/issues/282">#282</a>
from epage/syntax</li>
<li><a
href="b29735781a"><code>b297357</code></a>
chore: Update docs and examples to 2018 edition</li>
<li>Additional commits viewable in <a
href="https://github.com/rust-cli/env_logger/compare/v0.10.0...v0.10.1">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gabi <gabrielalejandro7@gmail.com>
Bumps [proptest](https://github.com/proptest-rs/proptest) from 1.3.1 to
1.4.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="63ef67c71f"><code>63ef67c</code></a>
[Release] 1.4.0 : adds missing changelog entries (<a
href="https://redirect.github.com/proptest-rs/proptest/issues/397">#397</a>)</li>
<li><a
href="3d40220e74"><code>3d40220</code></a>
Merge pull request <a
href="https://redirect.github.com/proptest-rs/proptest/issues/393">#393</a>
from tzemanovic/tomas/compile-fail-must-be-debug</li>
<li><a
href="a9123f3eda"><code>a9123f3</code></a>
Merge pull request <a
href="https://redirect.github.com/proptest-rs/proptest/issues/389">#389</a>
from proptest-rs/tomas/nightly-coroutine-trait</li>
<li><a
href="0a1ba017f8"><code>0a1ba01</code></a>
fix 🤷</li>
<li><a
href="5e17be759b"><code>5e17be7</code></a>
fix nightly build (re: <a
href="https://redirect.github.com/rust-lang/rust/pull/116958">rust-lang/rust#116958</a>)</li>
<li><a
href="6f534cb228"><code>6f534cb</code></a>
Merge pull request <a
href="https://redirect.github.com/proptest-rs/proptest/issues/377">#377</a>
from sameer/master</li>
<li><a
href="d6f95d46e7"><code>d6f95d4</code></a>
Update compiletest_rs requirement from 0.9 to 0.10 (<a
href="https://redirect.github.com/proptest-rs/proptest/issues/383">#383</a>)</li>
<li><a
href="8b0670379b"><code>8b06703</code></a>
Update regex-syntax requirement from 0.7 to 0.8 (<a
href="https://redirect.github.com/proptest-rs/proptest/issues/386">#386</a>)</li>
<li><a
href="f8c489d42b"><code>f8c489d</code></a>
Update message-io requirement from 0.17.0 to 0.18.0 (<a
href="https://redirect.github.com/proptest-rs/proptest/issues/384">#384</a>)</li>
<li><a
href="539bd55416"><code>539bd55</code></a>
Enable Dependabot (<a
href="https://redirect.github.com/proptest-rs/proptest/issues/380">#380</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/proptest-rs/proptest/compare/v1.3.1...v1.4.0">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gabi <gabrielalejandro7@gmail.com>
Small bug fix in the Resource index view. All the entries in the `SITES`
column were linking to the sites index, rather than an individual site
show page.
Closes: #2624
The only exception for this is IdP redirect URLs that must be
configured on a third-party system; we will keep using IDs for them so
that if the slug changes users don't need to go and reconfigure all the
IdPs.
This was confusing - people may think that they are creating a user
account for their organization while IRL they will be creating a
Firezone account.
Closes #2583
The idea is to allow users to explicitly name them so they are easier to
identify in the UI.
@thomaseizinger we will need to add an optional `FIREZONE_NAME`
environment variable for the relays and send it along with other
attributes when you connect to a WebSocket.
We encapsulate the internals of `Device` by providing high-level
functions on `Device` itself and make all the fields private. From the
outside, each consumer thus only has an `Arc<Device>` that they can
interact with.
To achieve this, we use the `arc-swap` crate to atomically swap out the
reference to the `Arc<Device>` instead of relying on an `RwLock`. Note
that the _reference_ to this `ArcSwapOption` is also wrapped in an `Arc`
because we need to share this pointer across many `peer_handler`s.
Once we get rid of `Arc<Tunnel>`, this will become a lot simpler.
Why:
* The traffic filter functionality is not quite ready in the system as a
whole, so the web UI will give the ability to hide the section of the
forms to allow for a better end user experience.