ddtrace/tracer: Tracing as transport-only mode (APPSEC_STANDALONE) #3033

Merged: eliottness merged 9 commits into main from eliottness/APPSEC-56100/standalone-asm on Dec 19, 2024

@eliottness eliottness commented Dec 12, 2024

What does this PR do?

This PR adds a new tracingAsTransport running mode for the tracer. This mode was created to disable APM billing but still allow customers to use other products that use APM as its transport layer.

In short, what was done is:

  • Add the (*config).tracingAsTransport boolean field
  • Move the trace rate limit configuration value to the config struct for ease of use
  • Allow other parts of dd-trace-go than the tracer to set propagating tags (_dd.p.*)
  • When the env var DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED is set, do these:
    • Add a global tag named _dd.apm.enabled=0
    • Disable trace metrics and runtime metrics
    • Disable agent side metrics with the Datadog-Client-Computed-Stats http header
    • Set rate limit to 1 trace per minute as a kind of heartbeat to make sure the service still appears in the UI
    • Disable tracing propagation injection and extraction when the tag _dd.p.appsec=1 is not received upstream or set locally

All of this should make sure the APM UI is disabled, but setting ManualKeep on certain traces will allow them to bypass the rate limiter and will allow other products to still work when tracing-as-transport mode is enabled.

Motivation

This PR is the result of 1 approved RFC on ASM side and one draft RFC on APM side.

System-tests Run

https://github.com/DataDog/dd-trace-go/actions/runs/12397569796/job/34608280725

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.
  • For internal contributors, a matching PR should be created to the v2-dev branch and reviewed by @DataDog/apm-go.

Unsure? Have a question? Request a review!
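
The propagation gate and the heartbeat rate limit listed in the description above, modeled as an added Go example. This is not code from dd-trace-go: `standaloneConfig`, `shouldPropagate` and `heartbeatLimiter` are hypothetical names, and treating a manually kept trace as not consuming the heartbeat slot is an assumption of this example.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical model of the rules in the PR description; not dd-trace-go's API.
type standaloneConfig struct{ tracingAsTransport bool }

// shouldPropagate: in tracing-as-transport mode, trace context is injected or
// extracted only when the propagating tag _dd.p.appsec=1 is present.
func (c standaloneConfig) shouldPropagate(propagatingTags map[string]string) bool {
	if !c.tracingAsTransport {
		return true
	}
	return propagatingTags["_dd.p.appsec"] == "1"
}

// heartbeatLimiter keeps one trace per interval; a manually kept trace bypasses
// the limiter and (assumption of this example) does not use up the heartbeat.
type heartbeatLimiter struct {
	interval time.Duration
	last     time.Time
}

func (l *heartbeatLimiter) keep(now time.Time, manualKeep bool) bool {
	if manualKeep {
		return true
	}
	if l.last.IsZero() || now.Sub(l.last) >= l.interval {
		l.last = now
		return true
	}
	return false
}

func main() {
	cfg := standaloneConfig{tracingAsTransport: true}
	fmt.Println("no appsec tag:", cfg.shouldPropagate(map[string]string{}))
	fmt.Println("appsec tag:   ", cfg.shouldPropagate(map[string]string{"_dd.p.appsec": "1"}))

	// Constructed timeline: three traces within one minute, then one after it.
	lim := &heartbeatLimiter{interval: time.Minute}
	t0 := time.Date(2024, 12, 19, 12, 0, 0, 0, time.UTC)
	fmt.Println(lim.keep(t0, false), lim.keep(t0.Add(10*time.Second), false),
		lim.keep(t0.Add(20*time.Second), true), lim.keep(t0.Add(time.Minute), false))
}
```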

@eliottness eliottness force-pushed the eliottness/APPSEC-56100/standalone-asm branch from dbd4501 to 8abea1d Compare December 12, 2024 16:20

pr-commenter bot commented Dec 12, 2024

Benchmarks

Benchmark execution time: 2024-12-19 11:16:26

Comparing candidate commit 1a458ca in PR branch eliottness/APPSEC-56100/standalone-asm with baseline commit d15e61a in branch main.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 0 unstable metrics.

scenario:BenchmarkSetTagMetric-24

  • 🟩 execution_time [-8.430ns; -5.970ns] or [-6.727%; -4.764%]

@eliottness eliottness force-pushed the eliottness/APPSEC-56100/standalone-asm branch from 8abea1d to 666c79a Compare December 13, 2024 14:45

datadog-datadog-prod-us1 bot commented Dec 13, 2024

Datadog Report

Branch report: eliottness/APPSEC-56100/standalone-asm
Commit report: 9f624a5
Test service: dd-trace-go

✅ 0 Failed, 2981 Passed, 24 Skipped, 2m 27.99s Total Time

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
@eliottness eliottness force-pushed the eliottness/APPSEC-56100/standalone-asm branch from ffc34c3 to 16c4012 Compare December 18, 2024 16:47
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
@eliottness eliottness marked this pull request as ready for review December 18, 2024 17:10
@eliottness eliottness requested review from a team as code owners December 18, 2024 17:10
@github-actions github-actions bot added the apm:ecosystem contrib/* related feature requests or bugs label Dec 18, 2024

@darccio darccio left a comment

LGTM

@@ -53,7 +53,7 @@ func (op *ContextOperation) Run(eventReceiver dyngo.Operation, addrs waf.RunAddr
actions.SendActionEvents(eventReceiver, result.Actions)

if result.HasEvents() {
log.Debug("appsec: WAF detected a suspicious event")
dyngo.EmitData(op, &SecurityEvent{})
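
Review bot: dyngo.EmitData(op, &SecurityEvent{}) in the result.HasEvents() branch emits an empty struct, so listeners learn only that an event occurred, not which one. If it is meant purely as a signal, a doc comment on SecurityEvent saying so and naming who is expected to listen for it would make the intent clear.
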
Member

Nice.

Contributor

so meta indeed

@@ -59,6 +59,7 @@ type startupInfo struct {
FeatureFlags []string `json:"feature_flags"`
PropagationStyleInject string `json:"propagation_style_inject"` // Propagation style for inject
PropagationStyleExtract string `json:"propagation_style_extract"` // Propagation style for extract
TracingAsTransport bool `json:"tracing_as_transport"` // Whether the tracer is disabled and other products are using it as a transport
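
Review bot: the comment on TracingAsTransport in startupInfo says the tracer "is disabled", but per the PR description the tracer keeps running in this mode, with a rate limit of 1 trace per minute and ManualKeep traces still sent. Suggest wording such as "Whether tracing is only used as a transport for other products" so the startup log is not read as the tracer being off.
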
Contributor

nice one

@@ -423,7 +426,9 @@ func (t *tracer) worker(tick <-chan time.Time) {
t.statsd.Incr("datadog.tracer.flush_triggered", []string{"reason:invoked"}, 1)
t.traceWriter.flush()
t.statsd.Flush()
t.stats.flushAndSend(time.Now(), withCurrentBucket)
if !t.config.tracingAsTransport {
t.stats.flushAndSend(time.Now(), withCurrentBucket)
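
Review bot: in the invoked-flush path of worker, only t.stats.flushAndSend is guarded by !t.config.tracingAsTransport; t.statsd.Incr("datadog.tracer.flush_triggered", ...) and t.statsd.Flush() just above still run unconditionally. If those statsd calls are meant to stay on in this mode, a short comment above the guard saying so would help; otherwise they need the same guard.
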
Contributor

what happens with the data in withCurrentBucket?
should we mute the emitter side of things too (this place being the receiver)?

Contributor Author

the emitter side of things is muted via the change done to canComputeStats()

Contributor

nit for the next PR to come but I suggest then to update t.stats methods to noop them when this is disabled

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
@@ -14,7 +14,6 @@ import (
"strings"

"gopkg.in/DataDog/dd-trace-go.v1/appsec/events"

Contributor

❤️
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
@eliottness eliottness enabled auto-merge (squash) December 19, 2024 12:50
@eliottness eliottness merged commit 2dfcb2a into main Dec 19, 2024
179 of 181 checks passed
@eliottness eliottness deleted the eliottness/APPSEC-56100/standalone-asm branch December 19, 2024 12:57

hannahkm commented Dec 20, 2024

@eliottness Could you backport this PR into the v2 branch? Thanks! 🙏🏼 resolved!

e-n-0 pushed a commit that referenced this pull request Dec 23, 2024
…3033)

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
e-n-0 added a commit that referenced this pull request Dec 23, 2024
Applied comments

appsec: stop storing span tags, directly call span.SetTag (#3044)

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>

ddtrace/tracer: Tracing as transport-only mode (APPSEC_STANDALONE) (#3033)

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>

fix: improving test logic for TestStreamSendsErrorCode to avoid flakiness (#3049)

vuln: upgrade golang.org/x/{crypto,net} to non-vulnerable versions (#3050)

contrib/miekg/dns: resolve flaky test in TestExchange* (#3045)

ddtrace/tracer: report datadog.tracer.api.errors health metric (#3024)

build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#3001)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Rodrigo Argüello <rodrigo.arguello@datadoghq.com>

ddtrace/tracer: Report datadog.tracer.queue.enqueued.traces as health metric (#3019)

hannahkm pushed a commit that referenced this pull request Jan 2, 2025
…3033)

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>