diff --git a/falco.yaml b/falco.yaml index 1da8b07c606..bbffbfff419 100644 --- a/falco.yaml +++ b/falco.yaml @@ -39,7 +39,8 @@ # json_include_tags_property # buffered_outputs # outputs (throttling) -# queue_capacity_outputs +# rule_matching +# outputs_queue # Falco outputs channels # stdout_output # syslog_output @@ -305,7 +306,7 @@ outputs: # defined. rule_matching: first -# [Experimental] `queue_capacity_outputs` +# [Experimental] `outputs_queue` # # Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter # allows you to customize the queue capacity. Please refer to the official documentation: @@ -320,18 +321,17 @@ rule_matching: first # as a parameter. # However, it will not address the root cause of the event pipe not keeping up. # -# `items`: the maximum number of items allowed in the queue, defaulting to 0. This means that -# the queue is unbounded. +# `capacity`: the maximum number of items allowed in the queue, defaulting to 0. This means that +# the queue remains unbounded aka this setting is disabled. # You can experiment with values greater or smaller than the anchor value 1000000. # # `recovery`: the strategy to follow when the queue becomes filled up. This also applies when # the queue is unbounded, and all available memory on the system is consumed. -# recovery: 0 means continue. -# recovery: 1 means simply exit (default behavior). -# recovery: 2 means empty the queue and then continue. -queue_capacity_outputs: - items: 0 - recovery: 1 +# `exit` is default, `continue` does nothing special and `empty` empties the queue and then +# continues. +outputs_queue: + capacity: 0 + recovery: exit ########################## diff --git a/userspace/engine/falco_common.cpp b/userspace/engine/falco_common.cpp index 44b7a489ecf..92fddf12e1d 100644 --- a/userspace/engine/falco_common.cpp +++ b/userspace/engine/falco_common.cpp @@ -27,10 +27,18 @@ static std::vector priority_names = { "Debug" }; +<<<<<<< HEAD static std::vector rule_matching_names = { "first", "all" }; +======= +static std::vector outputs_recovery_names = { + "continue", + "exit", + "empty", + }; +>>>>>>> 92bd5767 (cleanup(outputs): adopt different style for outputs_queue params encodings) bool falco_common::parse_priority(std::string v, priority_type& out) { @@ -59,6 +67,19 @@ falco_common::priority_type falco_common::parse_priority(std::string v) return out; } +bool falco_common::parse_recovery(std::string v, outputs_recovery_type& out) +{ + for (size_t i = 0; i < outputs_recovery_names.size(); i++) + { + if (!strcasecmp(v.c_str(), outputs_recovery_names[i].c_str())) + { + out = (outputs_recovery_type) i; + return true; + } + } + return false; +} + bool falco_common::format_priority(priority_type v, std::string& out, bool shortfmt) { if ((size_t) v < priority_names.size()) diff --git a/userspace/engine/falco_common.h b/userspace/engine/falco_common.h index 6c63eec9d42..e0c7ebedc08 100644 --- a/userspace/engine/falco_common.h +++ b/userspace/engine/falco_common.h @@ -21,6 +21,8 @@ limitations under the License. #include #include +#define DEFAULT_OUTPUTS_QUEUE_CAPACITY 0 + // // Most falco_* classes can throw exceptions. Unless directly related // to low-level failures like inability to open file, etc, they will @@ -52,6 +54,13 @@ struct falco_exception : std::exception namespace falco_common { + + enum outputs_recovery_type { + RECOVERY_CONTINUE = 0, /* queue_capacity_outputs recovery strategy of continuing on. */ + RECOVERY_EXIT = 1, /* queue_capacity_outputs recovery strategy of exiting, self OOM kill. */ + RECOVERY_EMPTY = 2, /* queue_capacity_outputs recovery strategy of emptying queue then continuing. */ + }; + const std::string syscall_source = sinsp_syscall_event_source_name; // Same as numbers/indices into the above vector @@ -69,6 +78,7 @@ namespace falco_common bool parse_priority(std::string v, priority_type& out); priority_type parse_priority(std::string v); + bool parse_recovery(std::string v, outputs_recovery_type& out); bool format_priority(priority_type v, std::string& out, bool shortfmt=false); std::string format_priority(priority_type v, bool shortfmt=false); diff --git a/userspace/falco/app/actions/init_outputs.cpp b/userspace/falco/app/actions/init_outputs.cpp index 13ce1460229..17c41ca7c18 100644 --- a/userspace/falco/app/actions/init_outputs.cpp +++ b/userspace/falco/app/actions/init_outputs.cpp @@ -63,8 +63,8 @@ falco::app::run_result falco::app::actions::init_outputs(falco::app::state& s) s.config->m_json_include_tags_property, s.config->m_output_timeout, s.config->m_buffered_outputs, - s.config->m_queue_capacity_outputs_items, - s.config->m_queue_capacity_outputs_recovery, + s.config->m_outputs_queue_capacity, + s.config->m_outputs_queue_recovery, s.config->m_time_format_iso_8601, hostname)); diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index caf945e7fbb..43b10e2bb57 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -28,7 +28,6 @@ limitations under the License. #include "falco_utils.h" #include "configuration.h" -#include "configuration_aux.h" #include "logger.h" #include "banned.h" // This raises a compilation error when certain functions are used @@ -41,8 +40,8 @@ falco_configuration::falco_configuration(): m_watch_config_files(true), m_rule_matching(falco_common::rule_matching::FIRST), m_buffered_outputs(false), - m_queue_capacity_outputs_items(DEFAULT_ITEMS_QUEUE_CAPAXITY_OUTPUTS), - m_queue_capacity_outputs_recovery(RECOVERY_EXIT), + m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY), + m_outputs_queue_recovery(falco_common::RECOVERY_EXIT), m_time_format_iso_8601(false), m_output_timeout(2000), m_grpc_enabled(false), @@ -261,8 +260,13 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h } m_buffered_outputs = config.get_scalar("buffered_outputs", false); - m_queue_capacity_outputs_items = config.get_scalar("queue_capacity_outputs.items", DEFAULT_ITEMS_QUEUE_CAPAXITY_OUTPUTS); - m_queue_capacity_outputs_recovery = config.get_scalar("queue_capacity_outputs.recovery", RECOVERY_EXIT); + m_outputs_queue_capacity = config.get_scalar("outputs_queue.capacity", DEFAULT_OUTPUTS_QUEUE_CAPACITY); + std::string recovery = config.get_scalar("outputs_queue.recovery", "exit"); + if (!falco_common::parse_recovery(recovery, m_outputs_queue_recovery)) + { + throw std::logic_error("Unknown recovery \"" + recovery + "\"--must be one of exit, continue, empty"); + } + m_time_format_iso_8601 = config.get_scalar("time_format_iso_8601", false); falco_logger::log_stderr = config.get_scalar("log_stderr", false); diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index 1f0579c2aaa..86bf813f2b6 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -72,8 +72,8 @@ class falco_configuration bool m_watch_config_files; bool m_buffered_outputs; - size_t m_queue_capacity_outputs_items; - uint32_t m_queue_capacity_outputs_recovery; + size_t m_outputs_queue_capacity; + falco_common::outputs_recovery_type m_outputs_queue_recovery; bool m_time_format_iso_8601; uint32_t m_output_timeout; diff --git a/userspace/falco/configuration_aux.h b/userspace/falco/configuration_aux.h deleted file mode 100644 index 31504e30041..00000000000 --- a/userspace/falco/configuration_aux.h +++ /dev/null @@ -1,22 +0,0 @@ -/* -Copyright (C) 2023 The Falco Authors. -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -#pragma once - -#define DEFAULT_ITEMS_QUEUE_CAPAXITY_OUTPUTS 0 - -enum outputs_recovery_code { - RECOVERY_DROP_CURRENT = 0, /* queue_capacity_outputs recovery strategy of continuing on. */ - RECOVERY_EXIT = 1, /* queue_capacity_outputs recovery strategy of exiting, self OOM kill. */ - RECOVERY_EMPTY = 2, /* queue_capacity_outputs recovery strategy of emptying queue then continuing. */ -}; diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp index 889f1b65ed7..5add811e27e 100644 --- a/userspace/falco/falco_outputs.cpp +++ b/userspace/falco/falco_outputs.cpp @@ -20,7 +20,6 @@ limitations under the License. #include "falco_outputs.h" #include "config_falco.h" -#include "configuration_aux.h" #include "formats.h" #include "logger.h" @@ -47,8 +46,8 @@ falco_outputs::falco_outputs( bool json_include_tags_property, uint32_t timeout, bool buffered, - size_t queue_capacity_outputs_items, - uint32_t queue_capacity_outputs_recovery, + size_t outputs_queue_capacity, + falco_common::outputs_recovery_type outputs_queue_recovery, bool time_format_iso_8601, const std::string& hostname) { @@ -68,12 +67,12 @@ falco_outputs::falco_outputs( } m_worker_thread = std::thread(&falco_outputs::worker, this); - if (queue_capacity_outputs_items > 0) + if (outputs_queue_capacity > 0) { - m_queue.set_capacity(queue_capacity_outputs_items); + m_queue.set_capacity(outputs_queue_capacity); } - m_recovery = queue_capacity_outputs_recovery; + m_recovery = outputs_queue_recovery; } falco_outputs::~falco_outputs() @@ -278,12 +277,13 @@ inline void falco_outputs::push(const ctrl_msg& cmsg) { switch (m_recovery) { - case RECOVERY_EXIT: + case falco_common::RECOVERY_EXIT: fprintf(stderr, "Fatal error: Output queue out of memory. Exiting ... \n"); exit(EXIT_FAILURE); - case RECOVERY_EMPTY: + case falco_common::RECOVERY_EMPTY: fprintf(stderr, "Output queue out of memory. Empty queue and continue ... \n"); m_queue.empty(); + break; default: fprintf(stderr, "Output queue out of memory. Continue on ... \n"); break; diff --git a/userspace/falco/falco_outputs.h b/userspace/falco/falco_outputs.h index cbee55d09fe..00f47f0b7a4 100644 --- a/userspace/falco/falco_outputs.h +++ b/userspace/falco/falco_outputs.h @@ -46,8 +46,8 @@ class falco_outputs bool json_include_tags_property, uint32_t timeout, bool buffered, - size_t queue_capacity_outputs_items, - uint32_t queue_capacity_outputs_recovery, + size_t outputs_queue_capacity, + falco_common::outputs_recovery_type outputs_queue_recovery, bool time_format_iso_8601, const std::string& hostname); diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp index 673b62c71de..d910034f512 100644 --- a/userspace/falco/stats_writer.cpp +++ b/userspace/falco/stats_writer.cpp @@ -86,9 +86,9 @@ stats_writer::stats_writer( m_config = config; // capacity and controls should not be relevant for stats outputs, adopt capacity // for completeness, but do not implement config recovery strategies. - if (config->m_queue_capacity_outputs_items > 0) + if (config->m_outputs_queue_capacity > 0) { - m_queue.set_capacity(config->m_queue_capacity_outputs_items); + m_queue.set_capacity(config->m_outputs_queue_capacity); } if (config->m_metrics_enabled) {