feat: asynchronous outputs and slow outputs detection #1451
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
force-pushed
the
feat/non-blocking-outputs
branch
from
afcbd9d
to
0478ec9
Compare
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
changed the title
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
force-pushed
the
feat/non-blocking-outputs
branch
from
8dd92eb
to
97b7610
Compare
leodido
approved these changes
Nov 30, 2020
|
LGTM label has been added. Git tree hash: ac6f76b0f8c7db45259b70b4dddcf70c056bf372
|
fntlnz
approved these changes
Nov 30, 2020
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, leodido The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Since the release of Falco 0.27 has been postponed I let this go in! 🥳 /hold cancel |
|
/milestone 0.27.0 |
leogr
added a commit
to falcosecurity/charts
that referenced
this pull request
Jan 18, 2021
See falcosecurity/falco#1451 Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
added a commit
to falcosecurity/charts
that referenced
this pull request
Jan 19, 2021
See falcosecurity/falco#1451 Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
added a commit
to falcosecurity/charts
that referenced
this pull request
Jan 19, 2021
See falcosecurity/falco#1451 Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
poiana
pushed a commit
to falcosecurity/charts
that referenced
this pull request
Jan 19, 2021
See falcosecurity/falco#1451 Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
mstemm
added a commit
that referenced
this pull request
Aug 26, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
mstemm
added a commit
that referenced
this pull request
Oct 4, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
mstemm
added a commit
that referenced
this pull request
Oct 4, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
mstemm
added a commit
that referenced
this pull request
Oct 5, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
mstemm
added a commit
that referenced
this pull request
Oct 5, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
mstemm
added a commit
that referenced
this pull request
Oct 5, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
poiana
pushed a commit
that referenced
this pull request
Oct 12, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
This PR aims to introduce a non-blocking Falco's outputs processing, as per #1417. In details:
output_event()andoutput_msg());Incoming messages are being formatted in the main thread, then send to the worker thru the queue. Finally, the worker receives the formatted messages, then fanouts them to the enabled outputs.
Since the new implementation forwards both the usual messages (i.e., those that happen when a rule is matched) and other kinds of messages (i.e., drop alerts) to the same method (
falco::outputs::abstract_output::output(const message *msg)), now the gRPC output inherits the ability to subscribe to dropped events.Finally, d6f2a3a and 4e520fa introduced a watchdog for slow output channels. Basically, when the consumer blocks an output channel for a while, an error is logged (that signals a misconfiguration or a problem that the user should fix).
Which issue(s) this PR fixes:
Fixes #531
Fixes #1417
Fixes #884 (drop alerts for gRPC)
Also, reduce the likelihood of dropped events, see #1403.
Special notes for your reviewer:
There is no guard to avoid that the message queue grows indefinitely. However, the message queue growth is limited by the embedded notification rate limiter. There is also no guard for the gRPC queue, but it's a different issue (in this case depends on the ability/presence of a client to consume notifications). It's not a goal of this PR solving these issues.
I'm assuming 2 seconds is a sane default to detect slow output channel consumers. You can simulate a slow output by configuring the
program_outputas following:AFAIK one blocker for adding drop alerts was the decision about using the existing API or a newer one (see gRPC outputs: stream drop alerts #884).
Since even with drop alert we will not have any empty field, I believe it's acceptable to re-use the same proto also in case of a drop alert message.
However, I have added a new source:
internal. It's needed because Falco internal messages (e.g., drop alerts) did not have their own source, and the proto requires that (we cannot just leave it empty).Below an example of how a drop alert will look like to a gRPC client:
Does this PR introduce a user-facing change?: