Improve Ceilometer probes

paramite · paramite · commit e5b28de02213 · 2025-01-29T16:14:18.000+01:00
- increases initial delay for SG probes to avoid restarts during deploy
- adds liveness probes to polling agents
diff --git a/controllers/ceilometer_controller.go b/controllers/ceilometer_controller.go
@@ -1206,12 +1206,16 @@ func (r *CeilometerReconciler) generateServiceConfig(
 	cms := []util.Template{
 		// ScriptsSecrets
 		{
-			Name:               fmt.Sprintf("%s-scripts", ceilometer.ServiceName),
-			Namespace:          instance.Namespace,
-			Type:               util.TemplateTypeScripts,
-			InstanceType:       "ceilometercentral",
-			AdditionalTemplate: map[string]string{"common.sh": "/common/common.sh"},
-			Labels:             cmLabels,
+			Name:         fmt.Sprintf("%s-scripts", ceilometer.ServiceName),
+			Namespace:    instance.Namespace,
+			Type:         util.TemplateTypeScripts,
+			InstanceType: "ceilometercentral",
+			AdditionalTemplate: map[string]string{
+				"common.sh":             "/common/common.sh",
+				"centralhealth.py":      "/ceilometercentral/bin/centralhealth.py",
+				"notificationhealth.py": "/ceilometercentral/bin/notificationhealth.py",
+			},
+			Labels: cmLabels,
 		},
 		// Secrets
 		{
diff --git a/pkg/ceilometer/statefulset.go b/pkg/ceilometer/statefulset.go
@@ -34,7 +34,9 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand       = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	CentralHCScript      = "/var/lib/openstack/bin/centralhealth.py"
+	NotificationHCScript = "/var/lib/openstack/bin/notificationhealth.py"
 )
 
 // StatefulSet func
@@ -45,32 +47,51 @@ func StatefulSet(
 ) (*appsv1.StatefulSet, error) {
 	runAsUser := int64(0)
 
-	// TO-DO Probes
-	livenessProbe := &corev1.Probe{
-		// TODO might need tuning
+	// container probes
+	sgRootEndpointCurl := corev1.HTTPGetAction{
+		Path: "/",
+		Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(CeilometerPrometheusPort)},
+	}
+	sgLivenessProbe := &corev1.Probe{
 		TimeoutSeconds:      30,
 		PeriodSeconds:       30,
-		InitialDelaySeconds: 5,
+		InitialDelaySeconds: 300,
 	}
-	readinessProbe := &corev1.Probe{
-		// TODO might need tuning
+	sgLivenessProbe.HTTPGet = &sgRootEndpointCurl
+
+	sgReadinessProbe := &corev1.Probe{
 		TimeoutSeconds:      30,
 		PeriodSeconds:       30,
-		InitialDelaySeconds: 5,
+		InitialDelaySeconds: 10,
+	}
+	sgReadinessProbe.HTTPGet = &sgRootEndpointCurl
+
+	//NOTE(mmagr): Once we will be sure (OSP19 timeframe) that we have Ceilometer
+	//             running with heartbeat feature, we can make below probes run much
+	//             less often (poll interval is 5 minutes currently). Right now we need
+	//             to execute HC as often as possible to hit times when pollers connect
+	//             to OpenStack API nodes
+	centralLivenessProbe := &corev1.Probe{
+		TimeoutSeconds:      5,
+		PeriodSeconds:       5,
+		InitialDelaySeconds: 300,
+	}
+	centralLivenessProbe.Exec = &corev1.ExecAction{
+		Command: []string{"/usr/bin/python3", CentralHCScript},
 	}
 
-	args := []string{"-c"}
-	args = append(args, ServiceCommand)
-
-	livenessProbe.HTTPGet = &corev1.HTTPGetAction{
-		Path: "/",
-		Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(CeilometerPrometheusPort)},
+	notificationLivenessProbe := &corev1.Probe{
+		TimeoutSeconds:      5,
+		PeriodSeconds:       30,
+		InitialDelaySeconds: 300,
 	}
-	readinessProbe.HTTPGet = &corev1.HTTPGetAction{
-		Path: "/",
-		Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(CeilometerPrometheusPort)},
+	notificationLivenessProbe.Exec = &corev1.ExecAction{
+		Command: []string{"/usr/bin/python3", NotificationHCScript},
 	}
 
+	args := []string{"-c"}
+	args = append(args, ServiceCommand)
+
 	envVarsCentral := map[string]env.Setter{}
 	envVarsCentral["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 	envVarsCentral["CONFIG_HASH"] = env.SetValue(configHash)
@@ -95,8 +116,8 @@ func StatefulSet(
 		svc.CertMount = ptr.To(fmt.Sprintf("/etc/pki/tls/certs/%s", tls.CertKey))
 		svc.KeyMount = ptr.To(fmt.Sprintf("/etc/pki/tls/private/%s", tls.PrivateKey))
 
-		livenessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
-		readinessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
+		sgLivenessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
+		sgReadinessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
 
 		volumes = append(volumes, svc.CreateVolume(ServiceName))
 		httpdVolumeMounts = append(httpdVolumeMounts, svc.CreateVolumeMounts(ServiceName)...)
@@ -123,7 +144,8 @@ func StatefulSet(
 		SecurityContext: &corev1.SecurityContext{
 			RunAsUser: &runAsUser,
 		},
-		VolumeMounts: centralVolumeMounts,
+		VolumeMounts:  centralVolumeMounts,
+		LivenessProbe: centralLivenessProbe,
 	}
 	notificationAgentContainer := corev1.Container{
 		ImagePullPolicy: corev1.PullAlways,
@@ -137,7 +159,8 @@ func StatefulSet(
 		SecurityContext: &corev1.SecurityContext{
 			RunAsUser: &runAsUser,
 		},
-		VolumeMounts: notificationVolumeMounts,
+		VolumeMounts:  notificationVolumeMounts,
+		LivenessProbe: notificationLivenessProbe,
 	}
 	sgCoreContainer := corev1.Container{
 		ImagePullPolicy: corev1.PullAlways,
@@ -156,12 +179,12 @@ func StatefulSet(
 			RunAsUser: &runAsUser,
 		},
 		Ports: []corev1.ContainerPort{{
-			ContainerPort: 3000,
+			ContainerPort: int32(CeilometerPrometheusPort),
 			Name:          "proxy-httpd",
 		}},
 		VolumeMounts:   httpdVolumeMounts,
-		ReadinessProbe: readinessProbe,
-		LivenessProbe:  livenessProbe,
+		ReadinessProbe: sgReadinessProbe,
+		LivenessProbe:  sgLivenessProbe,
 		Command:        []string{"/usr/sbin/httpd"},
 		Args:           []string{"-DFOREGROUND"},
 	}
diff --git a/templates/ceilometercentral/bin/centralhealth.py b/templates/ceilometercentral/bin/centralhealth.py
@@ -0,0 +1,142 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# Copyright 2025 Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import datetime
+import json
+import os
+import psutil
+import socket
+import sys
+
+
+HEARTBEAT_SOCKET = "/var/lib/ceilometer/ceilometer-central.socket"
+POLL_SPREAD = datetime.timedelta(minutes=15)
+
+CONN_SPREAD = datetime.timedelta(hours=1)
+PROCESS_NAME = "ceilometer-polling"
+PROCESS_CONN_CACHE = "/var/lib/ceilometer/tmp/connections"
+# Keystosne 5000
+# Cinder 8776
+# Glance 9292
+# Neutron 9696
+PROCESS_PORTS = [5000, 8776, 9292, 9696]
+
+
+def check_pollsters(socket_path: str) -> tuple[int, str]:
+    """
+    Returns 0 if socket_path content contains all records
+    of polling no older than POLL_SPREAD, otherwise returns 1.
+    """
+    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+    s.connect(socket_path)
+
+    report = ""
+    try:
+        while True:
+            data = s.recv(2048)
+            if data:
+                report += data.decode('utf-8')
+            else:
+                break
+    finally:
+        s.close()
+
+    limit = datetime.datetime.today() - POLL_SPREAD
+    for line in report.split('\n'):
+        if not line:
+            # Skip empty line, which might occur for cases
+            # when no pollster had polled yet. In such case
+            # we assume agent healthy as at least the socket
+            # has been successfully created.
+            continue
+        pollster, timestr = line.split()
+        timestamp = datetime.datetime.fromisoformat(timestr)
+
+        if timestamp < limit:
+            return 1, f"{pollster}'s timestamp is out of limit"
+    return 0, ""
+
+
+def check_connection(cache_path: str,
+                     process_name: str,
+                     ports: list[int]) -> tuple[int, str]:
+    """
+    Returns 0 if given process is or was recently connected
+    to the given port(s). Otherwise returns 1 or 2 with respective
+    reason of failure.
+    """
+    # NOT(mmagr): process' connections can be empty if we hit the case
+    #             when no pollster was polling from some API during running
+    #             this script. The previous values will be checked from cache.
+    #             Hence to avoid false negatives we need much higher spread
+    #             than in case of heart beat check
+
+    # load connection cache
+    if os.path.isfile(cache_path):
+        with open(cache_path, "r") as cch:
+            conns = json.load(cch)
+    else:
+        conns = dict()
+
+    # update connection cache values
+    processes = [proc for proc in psutil.process_iter()
+                    if process_name in proc.name()]
+    if not processes:
+        return 1, f"Given process {process_name} was not found"
+    ports = set(ports)
+    for p in processes:
+        conn_method = getattr(p, "net_connections", p.connections)
+        for c in conn_method():
+            if c.raddr.port not in ports:
+                continue
+            key = f"{c.raddr.ip}/{c.raddr.port}"
+            conns[key] = dict(ts=datetime.datetime.now().timestamp(),
+                              ip=c.raddr.ip,
+                              port=c.raddr.port)
+    with open(cache_path, "w") as cch:
+        json.dump(conns, cch)
+
+    # check connection timestamps in the cache
+    limit = datetime.datetime.today() - CONN_SPREAD
+    for conn in conns.values():
+        timestamp = datetime.datetime.fromtimestamp(conn["ts"])
+        if timestamp < limit:
+            msg = (f"Timestamp of connection to {conn['ip']}"
+                   f" on port {conn['port']} is out of limit")
+            return 1, msg
+
+    return 0, ""
+
+
+if __name__ == "__main__":
+    try:
+        if os.path.isfile(HEARTBEAT_SOCKET):
+            # verify pollsters' heart beats
+            rc, reason = check_pollsters(HEARTBEAT_SOCKET)
+        else:
+            # mimic heart beats check on process' connections
+            # to various OpenStack APIs when the heart beat feature
+            # is not available
+            rc, reason = check_connection(PROCESS_CONN_CACHE,
+                                          PROCESS_NAME,
+                                          PROCESS_PORTS)
+    except Exception as ex:
+        rc, reason = 2, f"Unkown error: {ex}"
+
+    if rc != 0:
+        print(reason)
+    sys.exit(rc)
diff --git a/templates/ceilometercentral/bin/notificationhealth.py b/templates/ceilometercentral/bin/notificationhealth.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# Copyright 2025 Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import datetime
+import json
+import os
+import psutil
+import sys
+
+
+CONN_SPREAD = datetime.timedelta(minutes=5)
+PROCESS_NAME = "ceilometer-agent-notification"
+PROCESS_CONN_CACHE = "/var/lib/ceilometer/tmp/connections"
+PROCESS_PORTS = [5672]
+
+
+def check_connection(cache_path: str,
+                     process_name: str,
+                     ports: list[int]) -> tuple[int, str]:
+    """
+    Returns 0 if given process is or was recently connected
+    to the given port(s). Otherwise returns 1 or 2 with respective
+    reason of failure.
+    """
+    # load connection cache
+    if os.path.isfile(cache_path):
+        with open(cache_path, "r") as cch:
+            conns = json.load(cch)
+    else:
+        conns = dict()
+
+    # update connection cache values
+    processes = [proc for proc in psutil.process_iter()
+                    if process_name in proc.name()]
+    if not processes:
+        return 1, f"Given process {process_name} was not found"
+    ports = set(ports)
+    for p in processes:
+        conn_method = getattr(p, "net_connections", p.connections)
+        for c in conn_method():
+            if c.raddr.port not in ports:
+                continue
+            key = f"{c.raddr.ip}/{c.raddr.port}"
+            conns[key] = dict(ts=datetime.datetime.now().timestamp(),
+                              ip=c.raddr.ip,
+                              port=c.raddr.port)
+    with open(cache_path, "w") as cch:
+        json.dump(conns, cch)
+
+    # check connection timestamps in the cache
+    limit = datetime.datetime.today() - CONN_SPREAD
+    for conn in conns.values():
+        timestamp = datetime.datetime.fromtimestamp(conn["ts"])
+        if timestamp < limit:
+            msg = (f"Timestamp of connection to {conn['ip']}"
+                   f" on port {conn['port']} is out of limit")
+            return 1, msg
+
+    return 0, ""
+
+
+if __name__ == "__main__":
+    try:
+        rc, reason = check_connection(PROCESS_CONN_CACHE,
+                                      PROCESS_NAME,
+                                      PROCESS_PORTS)
+    except Exception as ex:
+        rc, reason = 2, f"Unkown error: {ex}"
+
+    if rc != 0:
+        print(reason)
+    sys.exit(rc)
