Automatic recording rules #356
Conversation
andrewazores
force-pushed
the
auto-rules
branch
3 times, most recently
from
305ceca to
64fc283
Compare
|
This isn't ready for a full-blown code review yet, but I think it's ready enough for some proof-of-concept testing to exercise the basic API setup and see if it makes sense to continue developing in the direction I'm currently taking it in. When you all get a chance, could you try it out? |
andrewazores
force-pushed
the
auto-rules
branch
from
6836472 to
912b5ba
Compare
|
Tried it out and it looks good! No criticisms that I can think of right now. |
andrewazores
force-pushed
the
auto-rules
branch
2 times, most recently
from
0c3a130 to
fb3c424
Compare
Credentials persist optionally (default: false)
andrewazores
force-pushed
the
auto-rules
branch
from
8172ff6 to
d1e1c6d
Compare
andrewazores
force-pushed
the
auto-rules
branch
from
8b06ec1 to
3abd45a
Compare
andrewazores
changed the title
|
I have polished this up somewhat, resolved some TODOs/FIXMEs I had added earlier in the proof-of-concept, and added some unit tests (more coverage for failure cases could be added) as well as created an integration test equivalent to the @ebaron @vic-ma @Alexjsenn @jiekang any takers? |
|
I tested it earlier, so I guess I'll also do the review heh. |
src/main/java/com/redhat/rhjmc/containerjfr/configuration/CredentialsManager.java
Show resolved
Hide resolved
|
Should this PR include the necessary docs changes, or will you do that in a seperate PR? |
I think I'll hold off on documenting the new API stuff until it's a bit more settled. There are a lot of additions to be made, and along the way there are probably going to be changes to what new API is already here. I'll file a tracking issue so it isn't forgotten. |
|
Here are some observations and suggestions I came up with from my testing. Mostly just small stuff that fall under the category of potential API refinements that should be done as follow-up PRs, which you mentioned. If there aren't any changes you think are appropriate for this PR, I can approve it. In proper use cases everything seems to be working well.
When a rule with the same name as an existing rule is created, it will overwrite that rule. Maybe this should be prevented and the user should have to delete the existing rule first. Or there could be a note in the response that says that a rule was overwritten. The numerical parameters don't give an error if they are set to negative numbers. They get set to zero when this happens, but I think ideally negative numbers shouldn't be allowed. This would also more in line with When a required parameter is missing, the response is a Some stuff, like setting the numerical parameters to letters, or setting
Deleting a non-existent rule, as well as an existing one, gives a If a rule is already running, and the user would like to stop that rule (delete the active recording and stop the
When both the username and password are missing, the error message only says that the username is missing. It would be better if both missing parameters were mentioned.
Maybe the response could specify if credentials were found and deleted, or if there were no credentials to be deleted? Not super important, but might be helpful. When a rule for a target is running, and I delete the credentials for that target, the archiver is still able to archive recordings, despite the fact that JMX auth is required for this, and the saved JMX auth credentials have been deleted. I see that this is because in the code, the credentials are given to the General Deleting the recording created by an automatic rule causes an exception whenever the archiver tries to archive the recording (expectedly). I imagine there's no good way to protect that recording from being deleting, but maybe there is a way to stop the archiver if the recording does get deleted? It does seem unlikely that a user would accidentally delete the automatic recording, though. When a target that has a rule running is killed, I get a few exceptions from the archiver trying to archive the recording, before the target is discovered as |
andrewazores
force-pushed
the
auto-rules
branch
from
9dcbe6e to
0d008f4
Compare
|
@vic-ma those are all very good and valid points. I think most/all of those should be addressed before this makes it into I think what I will do at this point is push my |
|
Superceded by #416 . |
…er (cryostatio#356) * fix(matchexpressions): correct endpoint case for JSON ID request filter * allow IDs in per-rule request paths do not allow IDs in rule creation POSTS, but do allow in modification PATCHes - the ID field will be ignored here anyway
Based on top of #348
#355
Requires cryostatio/cryostat-core#53
This PR has become massive, so from this point I will only add tests or bugfixes. The API needs further refinement, but I think this should either be done as follow-up PRs or as PRs against this one to incorporate the additional changes without further inflating this PR on its own. The review overhead and complexity is already relatively enormous.
I have pushed an image for testing at
quay.io/andrewazores/container-jfr:2.0.0-autorules- ieCONTAINER_JFR_IMAGE=quay.io/andrewazores/container-jfr:2.0.0-autorules sh smoketest.sh.Several API handlers are added:
GET /api/v2/rules- get the list of currently defined rulesGET /api/v2/rules/:ruleName- get the definition of a single rule by namePOST /api/v2/rules- add a new rule definition, either by multipart form or JSON body string formatDELETE /api/v2/rules/:ruleName- delete a rule by namePOST /api/v2/targets/:targetId/credentials- add stored (in-memory by default, on disk implemented but currently can't be enabled intentionally) credentials to apply when processing auto rulesDELETE /api/v2/targets/:targetId/credentials- delete stored credentialsThere are also various supporting classes behind these:
CredentialsManager- used by theTargetCredentialshandlers, requiring changes to theCredentialsstructure provided in -core. This handles reading/writing persistent credentials to/from disk and maintains an in-memory cache that theRuleProcessorcan access as needed.RuleRegistry- handles reading/writing/caching rule definitions (always persisted to disk) and providing methods to find definitions by name or by applicable targetRuleProcessor- receives notifications of targets appearing or disappearing. When a target appears theRuleRegistryis checked for any applicable rules (currently meaning that the newly appeared target has an alias that is exactly equal to thetargetAliasfield of the rule definition). Each applicable rule is applied, starting a new recording with options as specified by theRuledefinition. If theRulespecification requires it, aPeriodicArchiveris also created corresponding to theRule/TargetIdcombination, which is scheduled in a thread pool to run at aRule-definition-specified interval and create archived copies of the automatically created recording. When a target disappears then anyPeriodicArchivers associated with any of its matched rules are cancelled.PeriodicArchiver- simply aRunnablewhich handles creating archived copies from the automatically created recording from aRuledefinition within a specific target, and then handles pruning any old archive copies if theRuledefinition requires it.Rule- a simple data structure defining the trigger for recording creation (ie matching target alias, currently), which events/template are used for the created recording, if/when archival is performed, etc.rulestest.shis also included as a temporary script for testing/demoing the new APIs.