Add 14 metrics for TCP connections created for tunnels. #9403
Conversation
ywkaras
force-pushed
the
tunnel_stats
branch
from
9e31835 to
13079d5
Compare
zwoop
left a comment
zwoop
left a comment
There was a problem hiding this comment.
There's a number of refactoring / class changes as well here. Even if that is necessary for the new metrics, can we maybe break that out into two separate PRs?
|
Fine, this is why we can't have nice class hierarchies. |
ywkaras
force-pushed
the
tunnel_stats
branch
from
13079d5 to
322189f
Compare
|
Need to describes these in documentation before this will be ready to merge. |
ywkaras
force-pushed
the
tunnel_stats
branch
3 times, most recently
from
907de5f to
e559370
Compare
proxy/http/HttpSM.cc
Outdated
| c_os = tunnel.add_consumer(server_entry->vc, ua_entry->vc, &HttpSM::tunnel_handler_ssl_consumer, HT_HTTP_SERVER, | ||
| "http server - tunnel"); | ||
|
|
||
| ua_entry->vc->make_tunnel_endpoint(); |
There was a problem hiding this comment.
ua_entry->vc is a VConnection pointer, which is why make_tunnel_endpoint() has to be virtual member function of VConnection.
proxy/http/HttpSM.cc
Outdated
| "http server - tunnel"); | ||
|
|
||
| ua_entry->vc->make_tunnel_endpoint(); | ||
| server_entry->vc->make_tunnel_endpoint(); |
There was a problem hiding this comment.
server_entry->vc is a VConnection pointer, which is why make_tunnel_endpoint() has to be virtual member function of VConnection.
ywkaras
force-pushed
the
tunnel_stats
branch
2 times, most recently
from
b9540ac to
597e442
Compare
ywkaras
changed the title
ywkaras
changed the title
|
It turns out that SSL connections to servers made for tunnels are not marked with an SNI tunnel type. I decided not to add this, unless someone feels there's a need for it. This is why the number of new metrics dropped from 20 to 14. 8 metrics for SSL connections to servers for tunnels collaped to 2 (current and total). |
ywkaras
force-pushed
the
tunnel_stats
branch
4 times, most recently
from
600ce3a to
b4db5f2
Compare
ywkaras
force-pushed
the
tunnel_stats
branch
2 times, most recently
from
e5a1505 to
e0f71fd
Compare
|
This change has been running in Yahoo prod for over a month. |
|
Use "mark as" when more appropriate than "make". |
|
@masaori335 ready for review. |
| // This function should be called when the VConnection is a tunnel endpoint. By default, a VConnection does not care if it | ||
| // is a tunnel endpoint. | ||
| virtual void | ||
| mark_as_tunnel_endpoint() |
There was a problem hiding this comment.
Why do we need this virtual function in the VConnection class? As you commented, VConnection doesn't care about it's tunnel or something else.
There was a problem hiding this comment.
Because it's called through a VConnection pointer at certain places.
There was a problem hiding this comment.
This one?
HttpSM::setup_blind_tunnel(bool send_response_hdr, IOBufferReader *initial) {
...
ua_entry->vc->mark_as_tunnel_endpoint();
server_entry->vc->mark_as_tunnel_endpoint();
Can we use ua_txn->get_netvc() and server_txn->get_netvc() instead of ua_entry->vc and server_entry->vc here? If possible, I prefer NetVConnection to have this virtual function.
There was a problem hiding this comment.
OK I just tried that. server_txn is null at that point in the code, so it doesn't work.
There was a problem hiding this comment.
Fair enough, thanks for checking.
| :type: counter | ||
|
|
||
| Total number of TLS connections for tunnels where the far end is the client | ||
| initiated with an HTTP request. |
There was a problem hiding this comment.
This covers "HTTP CONNECT" over TLS connection?
There was a problem hiding this comment.
Does that include QUIC connection once we support it?
There was a problem hiding this comment.
Not currently. QUICNetVConnection would have to override _in_context_tunnel(). It could use the same metrics or different metrics.
| :type: counter | ||
|
|
||
| Total number of TCP connections for TLS tunnels where the far end is the server | ||
| created based on a ``partial_blind_route`` key in a table in the :file:`sni.yaml` file. |
There was a problem hiding this comment.
Do we need similar server-side metrics for forward_route?
There was a problem hiding this comment.
A partial blind tunnel is the only one for which the outgoing connection corresponds to an SSLNetVConnection object rather than a UnixNetVConnection object. It's not straight forward how to implement separate counters for outgoing/server connections for the other TLS tunnel types, but it may be possible if they're needed.
|
@masaori335 this has been waiting more than a month for review. |
|
[approve ci] |
ywkaras
force-pushed
the
tunnel_stats
branch
from
4778ddc to
68b1090
Compare
|
Rebased to remove merge conflicts. |
Add current and total metrics for TCP connetions towards clients for blind TCP tunnels, and TLS tunnel, forward, and partial blind tunnel SNI-based tunnels. Add current and total metrics for TCP connetions towards servers, for blind TCP tunnels and TLS tunnels. Only partial blind tunnel SNI-based tunnels are counted as TLS tunnels on the outgoing side, because they are only SNI-based tunnels where ATS termitates the TLS connection form the client and originates a new one towards the server.
Due to change in usage of HttpTransact::State::method.
iocore/net/Net.cc iocore/net/SSLNetVConnection.cc iocore/net/UnixNetVConnection.cc proxy/http/HttpTransact.cc
|
Rebased, ready for review. |
masaori335
left a comment
masaori335
left a comment
There was a problem hiding this comment.
Let's ship this. At least this gives us more clue of what's going on with tunnel.
4 participants
Add current and total metrics for TCP connetions towards clients for blind TCP tunnels, and TLS tunnel, forward, and partial blind tunnel SNI-based tunnels.
Add current and total metrics for TCP connetions towards servers, for blind TCP tunnels and TLS tunnels. Only partial blind tunnel SNI-based tunnels are counted as TLS tunnels on the outgoing side, because they are only SNI-based tunnels where ATS termitates the TLS connection form the client and originates a new one towards the server.