NETOBSERV-2118 add missing sampling and exclude interfaces options

[jpinsonneau]

Description

Add sampling and exclude_interfaces options

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

• Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
• Does this PR require product documentation?
  • If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
• Does this PR require a product release notes entry?
  • If so, fill in "Release Note Text" in the JIRA.
• Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
  • If so, make sure it is described in the JIRA ticket.
• QE requirements (check 1 from the list):
  • Standard QE validation, with pre-merge tests unless stated otherwise.
  • Regression tests only (e.g. refactoring with no user-facing change).
  • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 22.60%. Comparing base (f3bd130) to head (d2408e3).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #209   +/-   ##
=======================================
  Coverage   22.60%   22.60%           
=======================================
  Files          14       14           
  Lines        1451     1451           
=======================================
  Hits          328      328           
  Misses       1099     1099           
  Partials       24       24           

Flag	Coverage Δ
unittests	22.60% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jotak]

not sure how much text we can write here without being too verbose, but when referring to sampling I like to be more accurate about what it really does, because it's not obvious for newcomers. E.g: "a value of 50 means one packet every 50 is sampled".

Also: it would be better to talk about sampling ratio rather than rate (but this remark applies to everywhere, not just here/CLI) - see here for the difference. A sampling rate would generally mean how many packets per second are sampled, whereas a sampling ratio is what we want here - the proportion of packets that we keep.
I'll open PRs in other parts to do this change.

[jpinsonneau]

That description should remain short but we can include this option in an example and put the full sentence to explain it 👌

In that case we should write the ratio divisor as the dividend is forced to 1 in our usage ?

[jotak]

See netobserv/netobserv-operator#1342

[jotak]

That description should remain short but we can include this option in an example and put the full sentence to explain it 👌

In that case we should write the ratio divisor as the dividend is forced to 1 in our usage ?

Technically true but that makes the sentence quite more complicated! I think we can make it easy to understand without being too pedantic (that's why a short example helps IMO). Another way to put it would be: "value that defines the ratio of packets being sampled".

[jpinsonneau]

done in ba6ec93

[memodi]

/ok-to-test

@jpinsonneau tests are failing here, could you PTAL? I am assuming this is ready for testing.

[github-actions]

New image:
quay.io/netobserv/network-observability-cli:910ce9b

It will expire after two weeks.

To use this build, update your commands using:

USER=netobserv VERSION=910ce9b make commands

or download the updated commands.

[jpinsonneau]

/ok-to-test

@jpinsonneau tests are failing here, could you PTAL? I am assuming this is ready for testing.

@memodi I had some issues during rebase
0c2275f should fix it 🤞

[memodi]

/ok-to-test

[github-actions]

New image:
quay.io/netobserv/network-observability-cli:b1ce1f3

It will expire after two weeks.

To use this build, update your commands using:

USER=netobserv VERSION=b1ce1f3 make commands

or download the updated commands.

[memodi]

@jpinsonneau about exclude_interfaces, when I have I exclude certain interface, I still see flows being collected for that interface:

for e.g.: here, I am excluding ens5 interface and there are still flows from that interface.

[jotak]

/lgtm

[memodi]

/needs-changes

[memodi]

/label needs-changes

[openshift-ci]

@memodi: The label(s) /label needs-changes cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, ux-approved, no-qe, downstream-change-needed, rebase/manual, cluster-config-api-changed, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, stability-fix-approved, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

Details

In response to this:

/label needs-changes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jpinsonneau]

@jpinsonneau about exclude_interfaces, when I have I exclude certain interface, I still see flows being collected for that interface:

for e.g.: here, I am excluding ens5 interface and there are still flows from that interface.

I doubt that's coming from this PR but I will retry as soon as quay is up 😸
I feel it's more an issue with the eBPF implementation. @jotak do you know if we still show the excluded interfaces in the flow when multiple interfaces are involved ?

[jpinsonneau]

@memodi I'm not reproducing the behavior you describe locally using --exclude_interfaces=eth0 🤔

Could you please ensure the eBPF agents have the exclude interfaces env variable set properly ?

$ oc describe pod netobserv-cli-5zskz -n netobserv-cli
Name:             netobserv-cli-5zskz
Namespace:        netobserv-cli
...
Containers:
  netobserv-cli:
...
    Image:          quay.io/netobserv/netobserv-ebpf-agent:main
...
    Environment:
...
      EXCLUDE_INTERFACES:                eth0
...

Else maybe there is something particular with ens5 interface or the cluster itself

[openshift-ci]

New changes are detected. LGTM label has been removed.

[memodi]

@memodi I'm not reproducing the behavior you describe locally using --exclude_interfaces=eth0 🤔

Could you please ensure the eBPF agents have the exclude interfaces env variable set properly ?

$ oc describe pod netobserv-cli-5zskz -n netobserv-cli
Name:             netobserv-cli-5zskz
Namespace:        netobserv-cli
...
Containers:
  netobserv-cli:
...
    Image:          quay.io/netobserv/netobserv-ebpf-agent:main
...
    Environment:
...
      EXCLUDE_INTERFACES:                eth0
...

Else maybe there is something particular with ens5 interface or the cluster itself

the configuration happens fine in ebpf-agent, I checked that too, but I was expecting the flows with those interfaces not to appear for any matching Src/Dest. I am not sure if this is broken in ebpf-agent, don't think we have a regression test that's covering it.

[jpinsonneau]

/retest

[github-actions]

New image:
quay.io/netobserv/network-observability-cli:056fe4f

It will expire after two weeks.

To use this build, update your commands using:

USER=netobserv VERSION=056fe4f make commands

or download the updated commands.

[jpinsonneau]

@memodi & @jotak looking at the eBPF logs, I confirm that setting the exclude interface params on ens5 remove the log line:

time="2025-05-14T08:37:04Z" level=info msg="interface detected. trying to attach TCX hook" component=agent.Flows interface="{ens5 2 NS(36: 4, 4026531840) 1a7d7268-11f5-435e-a895-4f3e246997b1}"

However, the collected flows still contains the related interface 🤔
This happens using any 1.6+ ebpf images

The only exclude interface that truely works is the default one lo which appears back when you filter on something else

---

On parallel, I tried back the INTERFACES param and found an issue on that one too. Having:

      INTERFACES: ens5
      EXCLUDE_INTERFACES: lo

Results in both ens5 and eth0 flows 😮

---

This issue happens when the agent is privileged. On CLI, it's always true to keep things simple.
See https://issues.redhat.com/browse/NETOBSERV-2257

[jotak]

interesting, thanks for opening a bug

[memodi]

/label qe-approved

@jpinsonneau thanks for investigating this, to have this feature useful I wonder if it makes sense to introduce auto-detect of privileged setting based on the feature (I know we discussed this for Operator), probably it would be good to introduce in CLI so that exclude_interfaces feature could be useful in CLI.

[jpinsonneau]

/label qe-approved

@jpinsonneau thanks for investigating this, to have this feature useful I wonder if it makes sense to introduce auto-detect of privileged setting based on the feature (I know we discussed this for Operator), probably it would be good to introduce in CLI so that exclude_interfaces feature could be useful in CLI.

I can check that in parallel indeed but the best would be to fix the eBPF issue

[memodi]

I can check that in parallel indeed but the best would be to fix the eBPF issue

Agreed. Filed a story https://issues.redhat.com/browse/NETOBSERV-2262

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jpinsonneau]

Rebased without changes

[github-actions]

New image:
quay.io/netobserv/network-observability-cli:21cae8a

It will expire after two weeks.

To use this build, update your commands using:

USER=netobserv VERSION=21cae8a make commands

or download the updated commands.