new(metrics): add rules_counters_enabled option
#3192
Conversation
|
This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped. Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION. /hold |
|
Proposing /milestone 0.38.0 so that we can start the deprecation cycle for https://github.com/falcosecurity/falco-exporter @leogr . |
|
@sgaist this PR includes super minor touch ups re variable naming for the Prometheus webserver code. |
If we are able to get the PR reviewed in time, +1 for me. I'll take a look as soon as I can. /assign |
userspace/falco/falco_metrics.cpp
Outdated
| auto rule = rules.at(i); | ||
| std::string rules_metric_name = "rules." + rule->name; | ||
| // Separate processing of rules counter metrics given we add extra tags | ||
| auto metric = libs_metrics_collector.new_metric(rules_metric_name.c_str(), |
There was a problem hiding this comment.
Out of scope for this PR; but since we only instantiate libs_metrics_collector to add metrics to it, that, given the code: https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/metrics_collector.h#L260
seems like it can be made static, if we made the change in libs (ie: make new_metric static), can we drop the libs_metrics_collector instance?
There was a problem hiding this comment.
Yup, I'll create an issue later to track all the post Falco 0.38.0 metrics items.
userspace/falco/falco_metrics.cpp
Outdated
| @@ -86,26 +86,59 @@ std::string falco_metrics::to_text(const falco::app::state& state) | |||
| { | |||
| prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("evt_source", "falcosecurity", "falco", {{"evt_source", source}}); | |||
| } | |||
| std::vector<metrics_v2> static_metrics; | |||
| static_metrics.push_back(libs_metrics_collector.new_metric("start_ts", | |||
| std::vector<metrics_v2> falco_metrics; | |||
There was a problem hiding this comment.
It would be nice to split this method into multiple logical pieces, like:
- scap_engines_to_text()
- falco_rules_to_text()
- agent_info_to_text()
...and so on.
Do you think it is feasible?
There was a problem hiding this comment.
Of course. Big question is now or wait until a more major cleanup follows post Falco 0.38.0, cc @sgaist?
There was a problem hiding this comment.
Don't have strong opinion; for me, the sooner the better (helps code readability), but we can postpone it without any problem.
There was a problem hiding this comment.
userspace/engine/stats_manager.h
Outdated
| std::vector<std::unique_ptr<std::atomic<uint64_t>>> m_by_priority; | ||
| std::vector<std::unique_ptr<std::atomic<uint64_t>>> m_by_rule_id; |
There was a problem hiding this comment.
Outside of this PR scope but why unique pointers to atomic rather than just atomic ?
incertum
force-pushed
the
rule-counters-metrics
branch
from
1e60496 to
a4fd515
Compare
|
LGTM label has been added. Git tree hash: 66ff78a9dd26a9b03a03f354cd1bedb00612fff1
|
userspace/falco/falco_metrics.cpp
Outdated
| for (size_t i = 0; i < rule_stats_manager.get_by_rule_id().size(); i++) | ||
| { | ||
| auto rule = rules.at(i); | ||
| std::string rules_metric_name = "rules." + rule->name; | ||
| // Separate processing of rules counter metrics given we add extra tags | ||
| auto metric = libs_metrics_collector.new_metric(rules_metric_name.c_str(), | ||
| METRICS_V2_RULE_COUNTERS, | ||
| METRIC_VALUE_TYPE_U64, | ||
| METRIC_VALUE_UNIT_COUNT, | ||
| METRIC_VALUE_METRIC_TYPE_MONOTONIC, | ||
| rule_stats_manager.get_by_rule_id()[i]->load()); |
There was a problem hiding this comment.
What about minimizing the number of calls to get_by_rule_id ?
| for (size_t i = 0; i < rule_stats_manager.get_by_rule_id().size(); i++) | |
| { | |
| auto rule = rules.at(i); | |
| std::string rules_metric_name = "rules." + rule->name; | |
| // Separate processing of rules counter metrics given we add extra tags | |
| auto metric = libs_metrics_collector.new_metric(rules_metric_name.c_str(), | |
| METRICS_V2_RULE_COUNTERS, | |
| METRIC_VALUE_TYPE_U64, | |
| METRIC_VALUE_UNIT_COUNT, | |
| METRIC_VALUE_METRIC_TYPE_MONOTONIC, | |
| rule_stats_manager.get_by_rule_id()[i]->load()); | |
| auto rules_by_id = rule_stats_manager.get_by_rule_id(); | |
| for (size_t i = 0; i < rules_by_id.size(); i++) | |
| { | |
| auto rule = rules.at(i); | |
| std::string rules_metric_name = "rules." + rule->name; | |
| // Separate processing of rules counter metrics given we add extra tags | |
| auto metric = libs_metrics_collector.new_metric(rules_metric_name.c_str(), | |
| METRICS_V2_RULE_COUNTERS, | |
| METRIC_VALUE_TYPE_U64, | |
| METRIC_VALUE_UNIT_COUNT, | |
| METRIC_VALUE_METRIC_TYPE_MONOTONIC, | |
| rules_by_id[i]->load()); |
There was a problem hiding this comment.
Incorporated, thanks.
|
@sgaist: changing LGTM is restricted to collaborators In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Intended to replace https://github.com/falcosecurity/falco-exporter when used with Prometheus output Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
incertum
force-pushed
the
rule-counters-metrics
branch
from
f9fd0a3 to
02c112a
Compare
Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
incertum
force-pushed
the
rule-counters-metrics
branch
from
02c112a to
ea01751
Compare
|
Note that just occurred to me: Let me check in the morning if white spaces in the rules names cause issues for Prometheus. Perhaps let's replace white spaces of the rules names with underscore? Other ideas? |
Based on the OpenMetrics text format the metric name should follow these rules: So white spaces would indeed be wrong. As a safety measure, I would recommend turning anything that does not fit the metric name definition into an underscore. |
userspace/engine/falco_utils.cpp
Outdated
| std::string sanitize_metric_name(const std::string& name) | ||
| { | ||
| std::string sanitized_name = name; | ||
| RE2::GlobalReplace(&sanitized_name, "\\s+", "_"); |
There was a problem hiding this comment.
Are we sure that only white spaces are the problematic characters that can be found in a metric name ?
There was a problem hiding this comment.
i read your comment after I pushed lol, repushed just now.
incertum
force-pushed
the
rule-counters-metrics
branch
from
0b03b07 to
805b552
Compare
incertum
force-pushed
the
rule-counters-metrics
branch
from
805b552 to
ea01751
Compare
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
|
A rule name like or for Prometheus: |
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
|
LGTM label has been added. Git tree hash: 62368cf1074053cda7d7b3356a98a1f9bdb62dd7
|
|
@sgaist: changing LGTM is restricted to collaborators In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, incertum, LucaGuerra, sgaist The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
Intended to replace https://github.com/falcosecurity/falco-exporter when used with Prometheus output
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
new(metrics): add rules_counters_enabled option
Intended to replace https://github.com/falcosecurity/falco-exporter when used with Prometheus output.
CC @leogr and @jasondellaluce (current maintainers of https://github.com/falcosecurity/falco-exporter).
Which issue(s) this PR fixes:
Fixes #3132
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: