Merge pull request #77522 from skrthomas/no-1.6-integration-ocpdoc-main

No 1.6 integration ocpdoc main

Author: kalexand-rh

_topic_maps/_topic_map.yml

@@ -2913,9 +2913,22 @@ Topics:
     File: metrics-alerts-dashboards
   - Name: Monitoring the Network Observability Operator
     File: network-observability-operator-monitoring
-  - Name: API reference
+  - Name: Scheduling resources
+    File: network-observability-scheduling-resources
+  - Name: Network Observability CLI
+    Dir: netobserv_cli
+    Topics:
+    - Name: Installing the Network Observability CLI
+      File: netobserv-cli-install
+    - Name: Using the Network Observability CLI
+      File: netobserv-cli-using
+    - Name: Network Observability CLI reference
+      File: netobserv-cli-reference
+  - Name: FlowCollector API reference
     File: flowcollector-api
-  - Name: JSON flows format reference
+  - Name: FlowMetric API reference
+    File: flowmetric-api
+  - Name: Flows format reference
     File: json-flows-format-reference
   - Name: Troubleshooting Network Observability
     File: troubleshooting-network-observability

modules/network-observability-RTT-overview.adoc

@@ -5,24 +5,24 @@
 :_mod-docs-content-type: CONCEPT
 [id="network-observability-RTT-overview_{context}"]
 = Round-Trip Time
-You can use TCP handshake Round-Trip Time (RTT) to analyze network flows. You can use RTT captured from the `fentry/tcp_rcv_established` eBPF hookpoint to read SRTT from the TCP socket to help with the following:
+You can use TCP smoothed Round-Trip Time (sRTT) to analyze network flow latencies. You can use RTT captured from the `fentry/tcp_rcv_established` eBPF hookpoint to read sRTT from the TCP socket to help with the following:
 
 
-* Network Monitoring: Gain insights into TCP handshakes, helping
+* Network Monitoring: Gain insights into TCP latencies, helping
   network administrators identify unusual patterns, potential bottlenecks, or
   performance issues.
 * Troubleshooting: Debug TCP-related issues by tracking latency and identifying
   misconfigurations.
 
-By default, when RTT is enabled, you can see the following TCP handshake RTT metrics represented in the *Overview*:
+By default, when RTT is enabled, you can see the following TCP RTT metrics represented in the *Overview*:
 
-* Top X 90th percentile TCP handshake Round Trip Time with overall
-* Top X average TCP handshake Round Trip Time with overall
-* Bottom X minimum TCP handshake Round Trip Time with overall
+* Top X 90th percentile TCP Round Trip Time with overall
+* Top X average TCP Round Trip Time with overall
+* Bottom X minimum TCP Round Trip Time with overall
 
 Other RTT panels can be added in *Manage panels*:
 
-* Top X maximum TCP handshake Round Trip Time with overall
-* Top X 99th percentile TCP handshake Round Trip Time with overall
+* Top X maximum TCP Round Trip Time with overall
+* Top X 99th percentile TCP Round Trip Time with overall
 
 See the _Additional Resources_ in this section for more information about enabling and working with this view.

modules/network-observability-RTT.adoc

@@ -23,7 +23,6 @@ metadata:
   name: cluster
 spec:
   namespace: netobserv
-  deploymentModel: Direct
   agent:
     type: eBPF
     ebpf:

modules/network-observability-cli-capturing-flows.adoc

@@ -0,0 +1,88 @@
+//Module included in the following assemblies:
+//
+// observability/network_observability/netobserv_cli/netobserv-cli-using.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-cli-capturing-flows_{context}"]
+= Capturing flows
+
+You can capture flows and filter on any resource or zone in the data to solve use cases, such as displaying Round-Trip Time (RTT) between two zones. Table visualization in the CLI provides viewing and flow search capabilities.
+
+.Prerequisites
+* Install the {oc-first}.
+* Install the Network Observability CLI (`oc netobserv`) plugin.
+
+.Procedure
+. Capture flows with filters enabled by running the following command:
++
+[source,terminal]
+----
+$ oc netobserv flows --enable_filter=true --action=Accept --cidr=0.0.0.0/0 --protocol=TCP --port=49051
+----
+. Add filters to the `live table filter` prompt in the terminal to further refine the incoming flows. For example:
++ 
+[source,terminal]
+----
+live table filter: [SrcK8S_Zone:us-west-1b] press enter to match multiple regular expressions at once
+----
+. To stop capturing, press kbd:[Ctrl+C]. The data that was captured is written to two separate files in an `./output` directory located in the same path used to install the CLI. 
+. View the captured data in the `./output/flow/<capture_date_time>.json` JSON file, which contains JSON arrays of the captured data.
++
+.Example JSON file
+[source,json]
+----
+{
+  "AgentIP": "10.0.1.76",
+  "Bytes": 561,
+  "DnsErrno": 0,
+  "Dscp": 20,
+  "DstAddr": "f904:ece9:ba63:6ac7:8018:1e5:7130:0",
+  "DstMac": "0A:58:0A:80:00:37",
+  "DstPort": 9999,
+  "Duplicate": false,
+  "Etype": 2048,
+  "Flags": 16,
+  "FlowDirection": 0,
+  "IfDirection": 0,
+  "Interface": "ens5",
+  "K8S_FlowLayer": "infra",
+  "Packets": 1,
+  "Proto": 6,
+  "SrcAddr": "3e06:6c10:6440:2:a80:37:b756:270f",
+  "SrcMac": "0A:58:0A:80:00:01",
+  "SrcPort": 46934,
+  "TimeFlowEndMs": 1709741962111,
+  "TimeFlowRttNs": 121000,
+  "TimeFlowStartMs": 1709741962111,
+  "TimeReceived": 1709741964
+}
+----
+. You can use SQLite to inspect the `./output/flow/<capture_date_time>.db` database file. For example:
+.. Open the file by running the following command:
++
+[source,terminal]
+----
+$ sqlite3 ./output/flow/<capture_date_time>.db
+----
+
+.. Query the data by running a SQLite `SELECT` statement, for example:
++
+[source,terminal]
+----
+sqlite> SELECT DnsLatencyMs, DnsFlagsResponseCode, DnsId, DstAddr, DstPort, Interface, Proto, SrcAddr, SrcPort, Bytes, Packets FROM flow WHERE DnsLatencyMs >10 LIMIT 10;
+----
++
+.Example output
+[source,terminal]
+----
+12|NoError|58747|10.128.0.63|57856||17|172.30.0.10|53|284|1
+11|NoError|20486|10.128.0.52|56575||17|169.254.169.254|53|225|1
+11|NoError|59544|10.128.0.103|51089||17|172.30.0.10|53|307|1
+13|NoError|32519|10.128.0.52|55241||17|169.254.169.254|53|254|1
+12|NoError|32519|10.0.0.3|55241||17|169.254.169.254|53|254|1
+15|NoError|57673|10.128.0.19|59051||17|172.30.0.10|53|313|1
+13|NoError|35652|10.0.0.3|46532||17|169.254.169.254|53|183|1
+32|NoError|37326|10.0.0.3|52718||17|169.254.169.254|53|169|1
+14|NoError|14530|10.0.0.3|58203||17|169.254.169.254|53|246|1
+15|NoError|40548|10.0.0.3|45933||17|169.254.169.254|53|174|1
+----

modules/network-observability-cli-capturing-packets.adoc

@@ -0,0 +1,29 @@
+//Module included in the following assemblies:
+//
+// observability/network_observability/netobserv_cli/netobserv-cli-using.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-cli-capturing-packets_{context}"]
+= Capturing packets
+You can capture packets using the Network Observability CLI. 
+
+.Prerequisites
+* Install the {oc-first}.
+* Install the Network Observability CLI (`oc netobserv`) plugin.
+
+.Procedure
+. Run the packet capture with filters enabled:
++
+[source,terminal]
+----
+$ oc netobserv packets --filter=tcp,80
+----
+. Add filters to the `live table filter` prompt in the terminal to refine the incoming packets. An example filter is as follows:
++ 
+[source,terminal]
+----
+live table filter: [SrcK8S_Zone:us-west-1b] press enter to match multiple regular expressions at once
+----
+. To stop capturing, press kbd:[Ctrl+C].
+. View the captured data, which is written to a single file in an `./output/pcap` directory located in the same path that was used to install the CLI:
+.. The `./output/pcap/<capture_date_time>.pcap` file can be opened with Wireshark. 

modules/network-observability-configuring-custom-metrics.adoc

@@ -0,0 +1,85 @@
+// Module included in the following assemblies:
+//
+// network_observability/metrics-alerts-dashboards.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-configuring-custom-metrics_{context}"]
+= Configuring custom metrics by using FlowMetric API
+You can configure the `FlowMetric` API to create custom metrics by using flowlogs data fields as Prometheus labels. You can add multiple `FlowMetric` resources to a project to see multiple dashboard views.
+
+.Procedure
+
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+. In the *Provided APIs* heading for the *NetObserv Operator*, select *FlowMetric*.
+. In the *Project:*  dropdown list, select the project of the Network Observability Operator instance. 
+. Click *Create FlowMetric*.
+. Configure the `FlowMetric` resource, similar to the following sample configurations:
++
+.Generate a metric that tracks ingress bytes received from cluster external sources
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+  name: flowmetric-cluster-external-ingress-traffic
+  namespace: netobserv                              <1>
+spec:
+  metricName: cluster_external_ingress_bytes_total  <2>
+  type: Counter                                     <3>
+  valueField: Bytes
+  direction: Ingress                                <4>
+  labels: [DstK8S_HostName,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType] <5>
+  filters:                                          <6>
+  - field: SrcSubnetLabel
+    matchType: Absence
+----
+<1> The `FlowMetric` resources need to be created in the namespace defined in the `FlowCollector` `spec.namespace`, which is `netobserv` by default.
+<2> The name of the Prometheus metric, which in the web console appears with the prefix `netobserv-<metricName>`. 
+<3> The `type` specifies the type of metric. The `Counter` `type` is useful for counting bytes or packets.
+<4> The direction of traffic to capture. If not specified, both ingress and egress are captured, which can lead to duplicated counts. 
+<5> Labels define what the metrics look like and the relationship between the different entities and also define the metrics cardinality. For example, `SrcK8S_Name` is a high cardinality metric.
+<6> Refines results based on the listed criteria. In this example,  selecting only the cluster external traffic is done by matching only flows where `SrcSubnetLabel` is absent. This assumes the subnet labels feature is enabled (via `spec.processor.subnetLabels`), which is done by default.
+
+.Verification
+. Once the pods refresh, navigate to *Observe* -> *Metrics*.
+. In the *Expression* field, type the metric name to view the corresponding result. You can also enter an expression, such as `topk(5, sum(rate(netobserv_cluster_external_ingress_bytes_total{DstK8S_Namespace="my-namespace"}[2m])) by (DstK8S_HostName, DstK8S_OwnerName, DstK8S_OwnerType))`
+====
++
+.Show RTT latency for cluster external ingress traffic
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+  name: flowmetric-cluster-external-ingress-rtt
+  namespace: netobserv    <1>
+spec:
+  metricName: cluster_external_ingress_rtt_seconds
+  type: Histogram                 <2>
+  valueField: TimeFlowRttNs
+  direction: Ingress
+  labels: [DstK8S_HostName,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType]
+  filters:
+  - field: SrcSubnetLabel
+    matchType: Absence
+  - field: TimeFlowRttNs
+    matchType: Presence
+  divider: "1000000000"      <3>
+  buckets: [".001", ".005", ".01", ".02", ".03", ".04", ".05", ".075", ".1", ".25", "1"]  <4>
+----
+<1> The `FlowMetric` resources need to be created in the namespace defined in the `FlowCollector` `spec.namespace`, which is `netobserv` by default.
+<2> The `type` specifies the type of metric. The `Histogram` `type` is useful for a latency value (`TimeFlowRttNs`).
+<3> Since the Round-trip time (RTT) is provided as nanos in flows, use a divider of 1 billion to convert into seconds, which is standard in Prometheus guidelines.
+<4> The custom buckets specify precision on RTT, with optimal precision ranging between 5ms and 250ms.
+
+.Verification
+. Once the pods refresh, navigate to *Observe* -> *Metrics*.
+. In the *Expression* field, you can type the metric name to view the corresponding result. 
+====
+
+
+

modules/network-observability-custom-metrics.adoc

@@ -0,0 +1,8 @@
+// Module included in the following assemblies:
+//
+// network_observability/metrics-alerts-dashboards.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-custom-metrics_{context}"]
+= Custom metrics
+You can create custom metrics out of the flowlogs data using the `FlowMetric` API. In every flowlogs data that is collected, there are a number of fields labeled per log, such as source name and destination name. These fields can be leveraged as Prometheus labels to enable the customization of cluster information on your dashboard. 

modules/network-observability-dns-tracking.adoc

@@ -27,7 +27,6 @@ metadata:
   name: cluster
 spec:
   namespace: netobserv
-  deploymentModel: Direct
   agent:
     type: eBPF
     ebpf:
@@ -36,7 +35,7 @@ spec:
       sampling: 1              <2>
 ----
 <1> You can set the `spec.agent.ebpf.features` parameter list to enable DNS tracking of each network flow in the web console.
-<2> You can set `sampling` to a value of `1` for more accurate metrics.
+<2> You can set `sampling` to a value of `1` for more accurate metrics and to capture *DNS latency*. For a `sampling` value greater than 1, you can observe flows with *DNS Response Code* and *DNS Id*, and it is unlikely that *DNS Latency* can be observed.
 
 . When you refresh the *Network Traffic* page, there are new DNS representations you can choose to view in the *Overview* and *Traffic Flow* views and new filters you can apply.
 .. Select new DNS choices in *Manage panels* to display graphical visualizations and DNS metrics in the *Overview*.

modules/network-observability-ebpf-agent-alert.adoc

@@ -0,0 +1,38 @@
+// Module included in the following assemblies:
+// * network_observability/network-observability-operator-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-netobserv-dashboard-ebpf-agent-alerts_{context}"]
+= Using the eBPF agent alert
+
+An alert, `NetObservAgentFlowsDropped`, is triggered when the Network Observability eBPF agent hashmap table is full or when the capacity limiter is triggered. If you see this alert, consider increasing the `cacheMaxFlows` in the `FlowCollector`, as shown in the following example.
+
+[NOTE]
+====
+Increasing the `cacheMaxFlows` might increase the memory usage of the eBPF agent. 
+====
+
+.Procedure
+
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+
+. Under the *Provided APIs* heading for the *Network Observability Operator*, select *Flow Collector*.
+
+. Select *cluster*, and then select the *YAML* tab.
+
+. Increase the `spec.agent.ebpf.cacheMaxFlows` value, as shown in the following YAML sample:
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+  namespace: netobserv
+  deploymentModel: Direct
+  agent:
+    type: eBPF                                
+    ebpf:
+      cacheMaxFlows: 200000 <1>
+----
+<1> Increase the `cacheMaxFlows` value from its value at the time of the `NetObservAgentFlowsDropped` alert.

modules/network-observability-ebpf-rule-flow-filter.adoc

@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-ebpf-flow-rule-filter_{context}"]
+= eBPF flow rule filter
+You can use rule-based filtering to control the volume of packets cached in the eBPF flow table. For example, a filter can specify that only packets coming from port 100 should be recorded. Then only the packets that match the filter are cached and the rest are not cached. 
+
+[id="ingress-and-egress-traffic-filtering_{context}"]
+== Ingress and egress traffic filtering
+CIDR notation efficiently represents IP address ranges by combining the base IP address with a prefix length. For both ingress and egress traffic, the source IP address is first used to match filter rules configured with CIDR notation. If there is a match, then the filtering proceeds. If there is no match, then the destination IP is used to match filter rules configured with CIDR notation. 
+
+After matching either the source IP or the destination IP CIDR, you can pinpoint specific endpoints using the `peerIP` to differentiate the destination IP address of the packet. Based on the provisioned action, the flow data is either cached in the eBPF flow table or not cached. 
+
+[id="dashboard-and-metrics-integrations_{context}"]
+== Dashboard and metrics integrations
+When this option is enabled, the *Netobserv/Health* dashboard for *eBPF agent statistics* now has the *Filtered flows rate* view. Additionally, in *Observe* -> *Metrics* you can query `netobserv_agent_filtered_flows_total` to observe metrics with the reason in *FlowFilterAcceptCounter*, *FlowFilterNoMatchCounter* or *FlowFilterRecjectCounter*.