merge: integrate origin/metrics-p1-pr936 into sync branch

Author: MaurUppi

.github/workflows/dae-post-actions.local.yml

@@ -0,0 +1,46 @@
+---
+name: Post-Build Actions (Local)
+
+on:
+  workflow_call:
+    inputs:
+      check-run-id:
+        type: string
+        description: "name of the check run"
+        required: true
+      check-run-conclusion:
+        type: string
+        description: "workflow run status (success|failure|skipped|aborted)"
+        required: true
+
+jobs:
+  report-workflow-run:
+    if: ${{ startsWith(github.event.pull_request.head.repo.full_name, github.repository_owner) && inputs.check-run-conclusion != 'skipped' }}
+    runs-on: ubuntu-latest
+    steps:
+      - id: check-gh-app-secrets
+        name: Check GH App secrets
+        env:
+          GH_APP_ID: ${{ secrets.GH_APP_ID }}
+          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+        run: |
+          if [ -n "$GH_APP_ID" ] && [ -n "$GH_APP_PRIVATE_KEY" ]; then
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+            echo "GH App secrets are missing; skip workflow run report."
+          fi
+      - uses: actions/checkout@master
+        if: ${{ steps.check-gh-app-secrets.outputs.enabled == 'true' }}
+        with:
+          repository: daeuniverse/ci-seed-jobs
+          ref: master
+
+      - name: Report workflow run status
+        if: ${{ steps.check-gh-app-secrets.outputs.enabled == 'true' }}
+        uses: ./common/report-workflow-run
+        with:
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          id: ${{ inputs.check-run-id }}
+          conclusion: ${{ inputs.check-run-conclusion }}

.github/workflows/kernel-test.yml

@@ -60,7 +60,6 @@ jobs:
           test-name: dae-test
           image-version: ${{ matrix.kernel }}
           host-mount: ./
-          dns-resolver: '1.1.1.1'
           install-dependencies: 'true'
           cmd: |
             chmod +x /host/dae/dae

.github/workflows/pr-build.yml

@@ -23,11 +23,13 @@ on:
       - "go.sum"
       - ".github/workflows/pr-build.yml"
       - ".github/workflows/seed-build.yml"
+      - ".github/workflows/pre-actions.local.yml"
+      - ".github/workflows/dae-post-actions.local.yml"
 
 jobs:
   pre-actions:
     if: ${{ github.event.pull_request.draft == false }}
-    uses: daeuniverse/ci-seed-jobs/.github/workflows/pre-actions.yml@master
+    uses: ./.github/workflows/pre-actions.local.yml
     with:
       repository: ${{ github.repository }}
       ref: ${{ github.event.pull_request.head.sha }}
@@ -38,7 +40,7 @@ jobs:
   build:
     needs: [pre-actions]
     if: ${{ github.event.pull_request.draft == false }}
-    uses: daeuniverse/dae/.github/workflows/seed-build.yml@main
+    uses: ./.github/workflows/seed-build.yml
     with:
       ref: ${{ github.event.pull_request.head.sha }}
       pr-number: ${{ github.event.pull_request.number }}
@@ -48,7 +50,7 @@ jobs:
   post-actions:
     if: always()
     needs: [build]
-    uses: daeuniverse/ci-seed-jobs/.github/workflows/dae-post-actions.yml@master
+    uses: ./.github/workflows/dae-post-actions.local.yml
     with:
       check-run-id: "dae-bot[bot]/pr-build-passed"
       check-run-conclusion: ${{ needs.build.result }}

.github/workflows/pre-actions.local.yml

@@ -0,0 +1,112 @@
+---
+name: Pre-Build Actions (Local)
+
+on:
+  workflow_call:
+    inputs:
+      repository:
+        required: true
+        type: string
+      ref:
+        required: true
+        type: string
+      fetch-depth:
+        required: false
+        default: 0
+        type: string
+      check-runs:
+        type: string
+        required: false
+        default: "[]"
+      notify:
+        type: boolean
+        default: false
+    outputs:
+      git_sha_long:
+        description: "git sha (long)"
+        value: ${{ jobs.export-metadata.outputs.git_sha_long }}
+      git_sha_short:
+        description: "git sha (short)"
+        value: ${{ jobs.export-metadata.outputs.git_sha_short }}
+      git_commit_msg:
+        description: "git commit message"
+        value: ${{ jobs.export-metadata.outputs.git_commit_msg }}
+
+jobs:
+  set-vars:
+    runs-on: ubuntu-latest
+    outputs:
+      check-runs-matrix: ${{ steps.set-check-runs-matrix.outputs.check-runs-matrix }}
+    steps:
+      - name: Set check-runs matrix
+        id: set-check-runs-matrix
+        run: |
+          echo "check-runs-matrix=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.check-runs }}
+
+  export-metadata:
+    runs-on: ubuntu-latest
+    outputs:
+      git_sha_long: ${{ steps.export.outputs.git_sha_long }}
+      git_sha_short: ${{ steps.export.outputs.git_sha_short }}
+      git_commit_msg: ${{ steps.export.outputs.git_commit_msg }}
+    steps:
+      - uses: actions/checkout@master
+        with:
+          repository: ${{ inputs.repository }}
+          fetch-depth: ${{ inputs.fetch-depth }}
+          ref: ${{ inputs.ref }}
+      - name: Get metadata from HEAD
+        id: export
+        run: |
+          echo "git_sha_long=${{ inputs.ref }}" >> $GITHUB_OUTPUT
+          echo "git_sha_short=$(echo ${{ inputs.ref }} | cut -c1-6)" >> $GITHUB_OUTPUT
+          echo "git_commit_msg=$(git log --format=%s -n 1 ${{ inputs.ref }})" >> $GITHUB_OUTPUT
+
+  notify-build-start:
+    if: startsWith(github.event.pull_request.head.repo.full_name, github.repository_owner) && inputs.notify
+    runs-on: ubuntu-latest
+    needs: [export-metadata]
+    steps:
+      - uses: actions/checkout@master
+        with:
+          repository: daeuniverse/ci-seed-jobs
+          ref: master
+      - id: send-notification
+        uses: ./notification/notify-build-start
+        with:
+          telegram_to: ${{ secrets.TELEGRAM_TO }}
+          telegram_token: ${{ secrets.TELEGRAM_TOKEN }}
+          git_sha_long: ${{ needs.export-metadata.outputs.git_sha_long }}
+          git_sha_short: ${{ needs.export-metadata.outputs.git_sha_short }}
+          git_commit_msg: ${{ needs.export-metadata.outputs.git_commit_msg }}
+
+  instantiate-check-runs:
+    needs: [set-vars]
+    if: startsWith(github.event.pull_request.head.repo.full_name, github.repository_owner)
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        id: ${{ fromJson(needs.set-vars.outputs.check-runs-matrix) }}
+    steps:
+      - id: check-gh-app-secrets
+        name: Check GH App secrets
+        env:
+          GH_APP_ID: ${{ secrets.GH_APP_ID }}
+          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+        run: |
+          if [ -n "$GH_APP_ID" ] && [ -n "$GH_APP_PRIVATE_KEY" ]; then
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+            echo "GH App secrets are missing; skip check-run instantiation."
+          fi
+      - name: Instantiate required check runs
+        if: ${{ inputs.check-runs != '[]' && steps.check-gh-app-secrets.outputs.enabled == 'true' }}
+        uses: daeuniverse/ci-seed-jobs/common/instantiate-check-runs@master
+        with:
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          id: "dae-bot[bot]/${{ matrix.id }}"

.github/workflows/seed-build.yml

@@ -137,12 +137,26 @@ jobs:
       - name: Upload files to Artifacts
         uses: actions/upload-artifact@v4
         with:
-          name: dae-${{ steps.get_filename.outputs.ASSET_NAME }}
+          name: dae-${{ steps.get_filename.outputs.ASSET_NAME }}.zip
           path: build/*
 
+      - id: check-gh-app-secrets
+        name: Check GH App secrets
+        if: always() && inputs.build-type == 'pr-build' && startsWith(github.event.pull_request.head.repo.full_name, github.repository_owner)
+        env:
+          GH_APP_ID: ${{ secrets.GH_APP_ID }}
+          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+        run: |
+          if [ -n "$GH_APP_ID" ] && [ -n "$GH_APP_PRIVATE_KEY" ]; then
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+            echo "GH App secrets are missing; skip check-run report."
+          fi
+
       - name: Report result
         uses: daeuniverse/ci-seed-jobs/common/report-check-run@master
-        if: always() && inputs.build-type == 'pr-build' && startsWith(github.event.pull_request.head.repo.full_name, github.repository_owner)
+        if: always() && inputs.build-type == 'pr-build' && startsWith(github.event.pull_request.head.repo.full_name, github.repository_owner) && steps.check-gh-app-secrets.outputs.enabled == 'true'
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}

CHANGELOGS.md

@@ -14,6 +14,7 @@ curl --silent "https://api.github.com/repos/daeuniverse/dae/releases" | jq -r '.
 
 <!-- BEGIN NEW TOC ENTRY -->
 
+- [Unreleased](#unreleased)
 - [v1.1.0rc1 (Pre-release)](#v110rc1-pre-release)
 - [v1.0.0 (Latest)](#v100-latest)
 - [v0.9.0)](#v090)
@@ -48,6 +49,21 @@ curl --silent "https://api.github.com/repos/daeuniverse/dae/releases" | jq -r '.
 - [v0.1.0](#v010)
 <!-- BEGIN NEW CHANGELOGS -->
 
+### Unreleased
+
+#### Features
+
+- feat(dns): add robust DNS forward fallback path for `tcp+udp` upstream (UDP-first with TCP fallback on request failure).
+
+#### Bug Fixes
+
+- fix(dns): report DNS forward failures to dialer health feedback path to improve failover quality.
+- fix(control): harden DNS/UDP connection lifecycle handling in high-concurrency paths.
+
+#### Others
+
+- test(control): add regression tests for DNS fallback, timeout cleanup, and pool concurrency safety.
+
 ### v1.1.0rc1 (Pre-release)
 
 > Release date: 2025/11/03

cmd/run.go

@@ -26,8 +26,6 @@ import (
 	"github.com/daeuniverse/outbound/protocol/direct"
 	"gopkg.in/natefinch/lumberjack.v2"
 
-	_ "net/http/pprof"
-
 	"github.com/daeuniverse/dae/cmd/internal"
 	"github.com/daeuniverse/dae/common"
 	"github.com/daeuniverse/dae/common/consts"
@@ -37,6 +35,7 @@ import (
 	"github.com/daeuniverse/dae/control"
 	"github.com/daeuniverse/dae/pkg/config_parser"
 	"github.com/daeuniverse/dae/pkg/logger"
+	"github.com/daeuniverse/dae/pkg/metrics"
 	"github.com/mohae/deepcopy"
 	"github.com/okzk/sdnotify"
 	"github.com/sirupsen/logrus"
@@ -134,12 +133,25 @@ func Run(log *logrus.Logger, conf *config.Config, externGeoDataDirs []string) (e
 		return err
 	}
 
-	var pprofServer *http.Server
-	if conf.Global.PprofPort != 0 {
-		pprofAddr := fmt.Sprintf("localhost:%d", conf.Global.PprofPort)
-		pprofServer = &http.Server{Addr: pprofAddr, Handler: nil}
-		go pprofServer.ListenAndServe()
+	metricsState := metrics.NewState()
+	metricsState.SetControlPlane(c)
+	metricsRegistry := metrics.NewRegistry(metricsState)
+
+	var endpointServer *http.Server
+	startEndpointServer := func(cfg metrics.EndpointConfig) {
+		if cfg.ListenAddress == "" {
+			endpointServer = nil
+			return
+		}
+		endpointServer = metrics.NewEndpointServer(cfg, metricsRegistry)
+		go func(server *http.Server, endpointCfg metrics.EndpointConfig) {
+			if e := metrics.StartEndpointServer(server, endpointCfg); e != nil && !errors.Is(e, http.ErrServerClosed) {
+				log.WithError(e).Errorln("Endpoint server stopped with error")
+			}
+		}(endpointServer, cfg)
 	}
+	endpointCfg := endpointConfigFromGlobal(conf, log)
+	startEndpointServer(endpointCfg)
 
 	// Serve tproxy TCP/UDP server util signals.
 	var listener *control.Listener
@@ -263,7 +275,7 @@ loop:
 			if err := c.StopDNSListener(); err != nil {
 				log.Warnf("[Reload] Failed to stop old DNS listener: %v", err)
 			}
-			
+
 			log.Warnln("[Reload] Load new control plane")
 			newC, err := newControlPlane(log, obj, dnsCache, newConf, externGeoDataDirs)
 			if err != nil {
@@ -295,21 +307,21 @@ loop:
 			c = newC
 			conf = newConf
 			reloading = true
+			metricsState.SetControlPlane(newC)
 
 			// Ready to close.
 			if abortConnections {
 				oldC.AbortConnections()
 			}
 			oldC.Close()
 
-			if pprofServer != nil {
-				pprofServer.Shutdown(context.Background())
-				pprofServer = nil
-			}
-			if newConf.Global.PprofPort != 0 {
-				pprofAddr := fmt.Sprintf("localhost:%d", conf.Global.PprofPort)
-				pprofServer = &http.Server{Addr: pprofAddr, Handler: nil}
-				go pprofServer.ListenAndServe()
+			newEndpointCfg := endpointConfigFromGlobal(newConf, log)
+			if endpointConfigChanged(endpointCfg, newEndpointCfg) {
+				if endpointServer != nil {
+					_ = endpointServer.Shutdown(context.Background())
+				}
+				endpointCfg = newEndpointCfg
+				startEndpointServer(endpointCfg)
 			}
 		case syscall.SIGHUP:
 			// Ignore.
@@ -321,12 +333,37 @@ loop:
 	}
 	defer os.Remove(PidFilePath)
 	defer control.GetDaeNetns().Close()
+	if endpointServer != nil {
+		_ = endpointServer.Shutdown(context.Background())
+	}
 	if e := c.Close(); e != nil {
 		return fmt.Errorf("close control plane: %w", e)
 	}
 	return nil
 }
 
+func endpointConfigFromGlobal(conf *config.Config, log *logrus.Logger) metrics.EndpointConfig {
+	cfg := metrics.EndpointConfig{
+		ListenAddress:     conf.Global.EndpointListenAddress,
+		Username:          conf.Global.EndpointUsername,
+		Password:          conf.Global.EndpointPassword,
+		TlsCertificate:    conf.Global.EndpointTlsCertificate,
+		TlsKey:            conf.Global.EndpointTlsKey,
+		PrometheusEnabled: conf.Global.EndpointPrometheusEnabled,
+		PrometheusPath:    conf.Global.EndpointPrometheusPath,
+		PprofEnabled:      conf.Global.PprofPort != 0,
+	}
+	if cfg.ListenAddress == "" && conf.Global.PprofPort != 0 {
+		log.Warnln("pprof_port is deprecated, please use endpoint_listen_address instead")
+		cfg.ListenAddress = fmt.Sprintf("localhost:%d", conf.Global.PprofPort)
+	}
+	return cfg
+}
+
+func endpointConfigChanged(a, b metrics.EndpointConfig) bool {
+	return a != b
+}
+
 func newControlPlane(log *logrus.Logger, bpf interface{}, dnsCache map[string]*control.DnsCache, conf *config.Config, externGeoDataDirs []string) (c *control.ControlPlane, err error) {
 	// Deep copy to prevent modification.
 	conf = deepcopy.Copy(conf).(*config.Config)