Improve Kestrel connection metrics with error reasons

[JamesNK]

Fixes #53358

This PR improves the kestrel.connection.duration metric by adding information about why the connection ended.

Tags added or changed:

• http.connection.protocol_code - Standards based, publicly communicated code for the connection ending. Often sent to the client. The value is either the HTTP/2 error code or HTTP/3 error code that the connection ended with. Doesn't apply to HTTP/1.1.
• kestrel.connection.end_reason - A more detailed internal reason about why a connection ended. Always present.
• error.type - If the end reason is an error, e.g. connection killed because of timeout, excessive stream resets, transport ended while there are active HTTP requests, invalid frame, etc. error.type could be the same as the end reason. The value could also be an exception type name if an unhandled exception is thrown from connection middleware pipeline. The first error recorded wins. Only present if there is an error.

We need to decide what the new tags is. Is it the end reason or error reason? For example, a connection can be ended by the client sending a go away frame. Do we want to track that? It's not an error to close a connection like that, so in this case we're are tracking all end reasons. On the other hand, we might want to only track unexpected and unhealthy reasons that end the connection. The benefit of only tracking errors is it is very easy to get just the unhealthy connections by filtering metrics to ones that have this tag. However, I think we can achieve this by also putting error reasons into the error.type tag.

tldr kestrel.connection.end_reason is always present and provides the reason, error.type is present if the end reason is considered an error and has the same value as kestrel.connection.end_reason.

Questions for folks:

• Is having information about all connection end reasons useful? If it isn't then we could remove kestrel.connection.end_reason and just have error.type.
• What end reasons are an error? For example, are the following errors or not...
  • Transport closing when there are no active HTTP requests
  • Transport closing when there are active HTTP requests
  • Connection closing because the application is shutting down
  • Client sends GOAWAY with error code of NO_ERROR
  • Client sends GOAWAY with error code of INTERNAL_ERROR

Tasks:

• Add to HTTP/1.1
• Add to HTTP/2
• Add to HTTP/3
• Add to HTTPS middleware
• Tests
• Bike shed tag and enum names
• Review reasons are correct
• Validate metrics output useful data in some known situations

cc @noahfalk @tarekgh @lmolkova @samsp-msft

[JamesNK]

@amcasey I added a HttpConnection.Abort overload that has an Http2ErrorCode argument. When there are excessive resets I made the passed in value ENHANCE_YOUR_CALM instead of INTERNAL_ERROR. That seems a more appropriate error.

Did you choose INTERNAL_ERROR for a reason here, or is it returned because that is what abort already sent?

[amcasey]

This was a hotfix, so I suspect I was making the smallest change possible, but I no longer recall.

[noahfalk]

Is having information about all connection end reasons useful?

What was the motivation to add the data initially? I can hypothesize a reason someone might find it useful (diagnosing why connections didn't live as long as they were expected to live) but I don't know how often someone needs to diagnose that issue in practice and what alternatives would they have available if this metric attribute didn't exist?

What end reasons are an error? For example, are the following errors or not..

Any attempt at classification gets very subjective but a few suggestions at least:

1. Ideally errors represent situations that do not occur frequently and are undesirable. For example "Connection closing because the application is shutting down" might be infrequent but it doesn't sound undesirable.
2. Ideally metric error classifications would consistent with other observable behavior that implies an error classification. For example if in-proc code throws an Exception or some error code is transmitted in the wire protocol then it would consistent for the metrics to also classify that condition as an error. If "Client sends GOAWAY with error code of NO_ERROR" then it would consistent for metrics also not to treat that as an error.

[lmolkova]

I think it's valuable to know the end reason even if it's not an error and even if we don't have a specific scenario in mind.
I also don't see any drawbacks from including it - it would not increase cardinality much.

The change looks great from semconv perspective! LMK if you need any help adding new attributes to otel.

[samsp-msft]

This seems like data that should be going into logs not metrics. Metric dimensions should be kept small as adding additional properties and values adds incremental storage. If we can reduce this data down to one property - was the connection closed cleanly or due to an error, and provide logs to give more details as to why. Metrics are supposed to be about aggregated statistics not detailed analysis as to what happened.

Anyone who is going to be doing analysis, can the use the metric to determine if the trend is changing, and then go to a log query to understand why.

Once exemplars are better supported in .NET/OTel they will provide the correlation between metrics and traces/logs.

[JamesNK]

@samsp-msft

There is prior art for showing more error info in error.type. That tag is already on HTTP requests for server and client in spans and metrics. Reducing error info down to a boolean is optimizing too much and goes against conventions.

http.connection.protocol_code (exact name TBD) is the HTTP connection version of request's HTTP status code. I don't think it is controversial.

kestrel.connection.end_reason is more debatable. My feeling from talking to people using Kestrel over the years is connections are a black box and people want more insight here. If there are performance/technical reasons why an extra tag is problematic, then I can reach out to ops folks to get feedback on whether end reasons for "non-error" situations would be useful.

Note that while the ConnectionEndReason enum has a lot of potential values (about 35), many of them are for protocol violations which will almost never happen, or are specific to one particular HTTP protocol (e.g. closing a critical stream is specific to HTTP/3). There are about half a dozen would occur in typical usage:

• ConnectionReset
• UnexpectedError
• AbortedByApplication
• ApplicationShutdown
• ServerTimeout
• IOError
• ClientGoAway
• TransportCompleted

That is similar to how there are many HTTP status codes, but most of them you'll never see.

[amcasey]

It feels like we might want to distinguish between "the application requested an abort" and "the application failed and we had to abort".

[JamesNK]

I went with AbortedByApp because the log message says the app aborted the connection. I agree that the reason isn't clear.

What do you think about the logging and end reason here @halter73 @Tratcher @mgravell ?

[halter73]

I think the assumption here is that the only reason TryReadInternal would throw an InvalidOperationException is because middleware exited after calling HttpContext.Request.BodyReader.ReadAsync without a corresponding call to AdvanceTo, and rather than try to recover we bail out since we assume it's an unlikely scenario anyway.

I should have created a custom message explaining this rather than reuse CoreStrings.ConnectionAbortedByApplication for the exception passed to ReportApplicationError.

Ideally, we'd use "application_abort" only for HttpContext.Abort() on HTTP/1.1 connections, and then use "application_left_bodyreader_in_invalid_state" for this, and "application_canceled_response_flush" for the usage of AbortedByApplication in TimingPipeFlusher.

If we reused the same ConnectionEndReason for HttpCotnext.Abort() and this issue with leaving the body reader in an invalid state, I won't be too upset since this scenario is pretty niche. Cancelling a response body flush on an HTTP/1.1 connection probably deserves its own ConnectionEndReason though.

[amcasey]

Nit: I don't think && _gracefulCloseReason != ConnectionEndReason.Unknown actually accomplishes anything.

[JamesNK]

What do you mean? Is it that _gracefulCloseReason != ConnectionEndReason.Unknown condition could be removed and an unknown value is set to unknown?

[amcasey]

It's been a while, but I probably meant that reason == ConnectionEndReason.Unknown implies _gracefulCloseReason != ConnectionEndReason.Unknown at this point in the code. I may well have been mistaken.

[amcasey]

Is having information about all connection end reasons useful? If it isn't then we could remove kestrel.connection.end_reason and just have error.type.

With the notable disclaimer that I haven't actually monitored the health of a real service...

I think I'd want to have it for all connections. Sure, the majority will be graceful shutdowns (hopefully), but it's (I assume) easy enough to filter out a few uninteresting values and which values are uninteresting seems (as mentioned above) very subjective.

Another reason to include things that don't seem like errors is for making attack signatures. Something that's "normal" for a single connection may be problematic when it happens on many connections simultaneously. Or it may not be problematic, but still indicate that a change that signals a problem will soon occur.

Personally, I think I'd have just end_reason and drop error_type altogether (with the caveat that we might want a special way to represent unhandled exceptions).

If we go the other way, we have all sorts of strange cases to consider like whether cutting off a slow-reading client is an error. Arguably, that's the system functioning as expected and desired, but it's still interesting.

[amcasey]

This seems like data that should be going into logs not metrics

@samsp-msft I'm not sure I'm following this line of reasoning. Given that logs are structured and queryable, why would anything not be logs-only? When would you use metrics instead?

[amcasey]

Consider extracting a helper for new MetricCollector<double>(testMeterFactory, "Microsoft.AspNetCore.Server.Kestrel", "kestrel.connection.duration").

[amcasey]

This PR is big enough that I could keep giving feedback indefinitely, but I have no fundamental concerns and would be okay with merging it.

[amcasey]

This seems similar to UnexpectedFrame

[JamesNK]

What do you mean?

InvalidHandshake is only used for HTTP/2 and occurs when the client doesn't start the connection with the HTTP/2 preface.

[amcasey]

I think that comment was supposed to be about FrameAfterStreamClose. My bad.

[amcasey]

Hm, I wonder if I was commenting on an older commit. I can't find a refresh button in the VS Code UI that seems to cover moving forward to the latest revision of the PR.

[halter73]

I think it'd be fine to say it's some sort of transport level error.

[halter73]

Like I mentioned in my other comment, I think indicating that this was client initiated would be good. If ClientFin is too TCP specific, we could go with ClientClosedTransport or something.

[JamesNK]

/benchmark plaintext aspnet-citrine-win kestrel

[pr-benchmarks]

Benchmark started for plaintext on aspnet-citrine-win with kestrel. Logs: link

[pr-benchmarks]

An error occurred, please check the logs