Bug 1820083: configure metal3 metrics collection #671
Conversation
dhellmann
commented
Aug 6, 2020
dhellmann
commented
- Refactor some of the proxy container setup so it can be reused.
- Add a metal3-metrics Service
- Add a metal3 ServiceMonitor
openshift-ci-robot
added
do-not-merge/work-in-progress
|
@dhellmann: This pull request references Bugzilla bug 1820083, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
bugzilla/valid-bug
|
/cc @JoelSpeed I don't think this is working right, but I'm putting it up for review so I can get some help understanding why. |
dhellmann
force-pushed
the
bz1820083-bmo-prometheus
branch
from
f2b7c0e to
8a90498
Compare
| selector: | ||
| matchLabels: | ||
| k8s-app: controller |
There was a problem hiding this comment.
Is this not going to select the Machine API core components as well? Is there a specific label that is applied to only the metal3 components?
There was a problem hiding this comment.
There is not, right now. I'm exploring whether I can change that as part of this PR in some local changes I haven't published yet. I tried with an earlier version and got an error and undid the changes so I could make progress in other areas.
There was a problem hiding this comment.
It turns out that field is immutable, which means we have to delete and recreate the deployment to change it (at least as far as I can tell). It doesn't seem to hurt anything to have it this way for now, and we can do something about renaming when we move all of the metal3 logic into the CBO if it turns into a problem.
There was a problem hiding this comment.
My concern is that it is going to try and scrape all of the Machine API controllers, not just the metal3 ones. When you tried this out, did you notice in prometheus if it was trying to scrape more than just the one pod, it might have left some errors in the prometheus targets page showing that it couldn't scrape the machine-api-controllers pod?
There was a problem hiding this comment.
This new stuff will only be set up when the platform is "baremetal" though, right? So it will look at the cluster-api-provider-baremetal and metal3. Maybe there are other pods?
If we have to change the label, then I think we're going to have to defer fixing the bug to 4.7 or later, because we're trying to focus on building the new operator to manage metal3 and can't afford the time to build the logic to recreate the deployment with the new setting in the MAO.
There was a problem hiding this comment.
Which field you mean immutable exactly @dhellmann? This selector is for the new service you are defining in this PR https://github.com/openshift/machine-api-operator/pull/671/files#diff-03a356cadfb070910ca0faa53a4ab4bfR313thttps://github.com/openshift/machine-api-operator/pull/671/files#diff-03a356cadfb070910ca0faa53a4ab4bfR313 so you can choose anything.
There was a problem hiding this comment.
It is not possible to change the k8s-app label value in the Deployment.Spec.Selector.MatchLabels field. Attempting to change that with a patch like https://paste.centos.org/view/b0f842e8 causes the MAO to log an error every time it tries to update the Deployment:
W0916 15:42:54.324744 1050505 recorder_logging.go:46] &Event{ObjectMeta:{dummy.16355b11bbdfeaac dummy 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},
InvolvedObject:ObjectReference{Kind:Pod,Namespace:dummy,Name:dummy,UID:,APIVersion:v1,ResourceVersion:,FieldPath:,},
Reason:DeploymentUpdateFailed,
Message:Failed to update Deployment.apps/metal3 -n openshift-machine-api: Deployment.apps "metal3" is invalid: spec.selector: Invalid value:
v1.LabelSelector{MatchLabels:map[string]string{"api":"clusterapi", "k8s-app":"metal3"},
MatchExpressions:[]v1.LabelSelectorRequirement(nil)} field is immutable,
Source:EventSource{Component:,Host:,},
FirstTimestamp:2020-09-16 15:42:54.324665004 -0400 EDT m=+105.798620314,
LastTimestamp:2020-09-16 15:42:54.324665004 -0400 EDT m=+105.798620314,
Count:1,Type:Warning,
EventTime:0001-01-01 00:00:00 +0000 UTC,Series:nil,Action:,Related:nil,ReportingController:,ReportingInstance:,}
I suspect that means adding a different label is going to result in the same error, because it would mean changing the same field in the Deployment.
There was a problem hiding this comment.
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#label-selector-updates
"In API version apps/v1, a Deployment's label selector is immutable after it gets created."
So yeah. This feels pretty wrong though, as requests will go to a bunch of things we aren't intending.
There was a problem hiding this comment.
They don't, though. The label selector is the same, but the port is not, and both are used to filter. Only the metal3 deployment matches both.
| Selector: map[string]string{ | ||
| "k8s-app": "controller", | ||
| }, |
There was a problem hiding this comment.
Is this not going to select the Machine API core components as well? Is there a specific label that is applied to only the metal3 components?
There was a problem hiding this comment.
Same concern as above, this is going to try and expose the port on the machine-api-onctrollers pod as well isn't it? Or will this only come into effect when they're running in their own namespace?
If you check the endpoints for this service, which pods has it targeted?
There was a problem hiding this comment.
I see it includes the machine-api-controllers pod as well as the metal3 pod. Those both run in the openshift-machine-api namespace.
There was a problem hiding this comment.
In that case, we need to verify that prometheus and in particular alerts are happy. IIRC there's an alert that first if any servicemonitor target is down, I would expect machine-api-controllers to show as down in this case since it won't have the correct port open?
There was a problem hiding this comment.
This can may be match a specific label that should be added/replaced in the baremetal deployment so only those endpoints are covered by the service.
|
@dhellmann Can you elaborate on why you don't think it's working, from the code there's nothing obvious that screams out that it shouldn't be working. |
Well, when I replace the MAO in my cluster with this code prometheus doesn't report any of the metrics I expect it to report. I'm currently rebuilding the cluster to try that again. |
Haha ok, I guess we just have to start debugging from the ground up on this one to find where the fault is. I'm trying to bring up a cluster-bot cluster with these changes, if that works I'll play around with that and see if I can advise. Otherwise I don't have access to a metal cluster to try this on. |
openshift-ci-robot
added
the
needs-rebase
dhellmann
force-pushed
the
bz1820083-bmo-prometheus
branch
from
8a90498 to
d851aa7
Compare
openshift-ci-robot
removed
the
needs-rebase
dhellmann
force-pushed
the
bz1820083-bmo-prometheus
branch
from
d851aa7 to
cc76b64
Compare
dhellmann
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
I've rebased the PR and re-tested locally and it seems to be working fine. |
|
/retest |
| @@ -14,6 +14,7 @@ const ( | |||
| DefaultHealthCheckMetricsAddress = ":8083" | |||
| DefaultMachineSetMetricsAddress = ":8082" | |||
| DefaultMachineMetricsAddress = ":8081" | |||
| DefaultMetal3MetricsAddress = ":60000" | |||
There was a problem hiding this comment.
Would be good to know the motivation behind choosing this number, any reason not to try 8085? (To match the exposed port)
There was a problem hiding this comment.
Part of the motivation was not changing the port where it was already listening. The pod uses host networking, so it needs to be on a port where it won't conflict with anything else. That port is already being used https://github.com/openshift/machine-api-operator/blob/master/pkg/operator/baremetal_pod.go#L407 so this is just adding a constant to share the value in the multiple places that now need it.
| selector: | ||
| matchLabels: | ||
| k8s-app: controller |
There was a problem hiding this comment.
My concern is that it is going to try and scrape all of the Machine API controllers, not just the metal3 ones. When you tried this out, did you notice in prometheus if it was trying to scrape more than just the one pod, it might have left some errors in the prometheus targets page showing that it couldn't scrape the machine-api-controllers pod?
| Selector: map[string]string{ | ||
| "k8s-app": "controller", | ||
| }, |
There was a problem hiding this comment.
Same concern as above, this is going to try and expose the port on the machine-api-onctrollers pod as well isn't it? Or will this only come into effect when they're running in their own namespace?
If you check the endpoints for this service, which pods has it targeted?
There was a problem hiding this comment.
If we changed the label on the metal3 deployment object https://github.com/openshift/machine-api-operator/blob/master/pkg/operator/baremetal_pod.go#L280 to something that doesn't clash with other deployments in MAO and update the metal3ServiceMonitorDefinition to look for this label, would that address concerns regarding scrapping the machine-api-controllers pod?
It would, but that field is immutable. So we would need enough logic in the MAO to delete the Deployment and recreate it when the label values are wrong. See #671 (comment) |
dhellmann
force-pushed
the
bz1820083-bmo-prometheus
branch
from
cc76b64 to
a7f7b58
Compare
pkg/operator/baremetal_pod.go
Outdated
| matchLabels: | ||
| k8s-app: controller | ||
| endpoints: | ||
| - port: metrics |
pkg/operator/baremetal_pod.go
Outdated
| Type: corev1.ServiceTypeNodePort, | ||
| Ports: []corev1.ServicePort{ | ||
| { | ||
| Name: "metrics", |
pkg/operator/baremetal_pod.go
Outdated
| Port: metal3ExposeMetricsPort, | ||
| TargetPort: intstr.IntOrString{ | ||
| Type: intstr.String, | ||
| StrVal: "metrics", |
pkg/operator/baremetal_pod.go
Outdated
|
|
||
| func newMetal3Containers(config *OperatorConfig, baremetalProvisioningConfig BaremetalProvisioningConfig) []corev1.Container { | ||
| containers := []corev1.Container{ | ||
| newKubeProxyContainer(config.Controllers.KubeRBACProxy, "metrics", |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/hold @dhellmann This is going to need a rebase to remove |
openshift-ci-robot
added
the
do-not-merge/hold
Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
include the necessary volumes and drop the old ContainerPort setting that exposed the metrics directly Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
Most of the Service and ServiceMonitor resources used for prometheus data are created by manifests but we only want to create the ones for metal3 if we are deploying metal3, so that is done in code. The operator therefore needs permission to work with the new types. Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
dhellmann
force-pushed
the
bz1820083-bmo-prometheus
branch
from
d04fc03 to
922fb93
Compare
|
Rebased and |
|
/retest |
|
@dhellmann: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest @JoelSpeed the required CI jobs are passing and the Azure failures look like quota or other platform issues. I'm not sure what's up with GCP, but given that the job built a cluster and then a bunch of tests failed I don't expect that it's related to this PR. I'm retesting, but I think it's probably safe to remove your hold? |
|
I chatted with @elmiko about the hold on this, and he said it should be OK to remove it. I'm happy to rework anything in a follow-up, if that's necessary. /hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
as the code has been updated with regards to glog, i am removing the hold after talking with Doug. |
|
@dhellmann: All pull requests linked via external trackers have merged: Bugzilla bug 1820083 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| Port: metal3ExposeMetricsPort, | ||
| TargetPort: intstr.IntOrString{ | ||
| Type: intstr.String, | ||
| StrVal: "metal3-mtrc", |
There was a problem hiding this comment.
This doesn't appear to be a real IANA-registered service type. How does this work?
