[ws-manager-mk2] redact log #18906
[ws-manager-mk2] redact log #18906
Conversation
iQQBot
force-pushed
the
pd/ws-man-2-redact-log
branch
from
74894c7 to
6666333
Compare
iQQBot
force-pushed
the
pd/ws-man-2-redact-log
branch
3 times, most recently
from
9812d55 to
a64322f
Compare
iQQBot
force-pushed
the
pd/ws-man-2-redact-log
branch
from
f4b3b79 to
32450c0
Compare
|
Thanks - do you have examples of how e.g. the workspace status/pod status fields show now in the logs? Which fields are included and which are redacted? |
the pod status behavior same as before, if you need an example, I need to wait for the preview environment. |
|
@WVerlaek see example below Logs example{
"Workspace": {
"name": "3a6affd2-e7bd-4a78-861c-5d85d90a9b06",
"namespace": "default"
},
"controller": "workspace",
"controllerGroup": "workspace.gitpod.io",
"controllerKind": "Workspace",
"level": "info",
"message": "updating workspace status",
"name": "3a6affd2-e7bd-4a78-861c-5d85d90a9b06",
"namespace": "default",
"podStatus": {
"phase": "Pending",
"conditions": [
{
"type": "Initialized",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2023-10-12T16:21:37Z"
},
{
"type": "Ready",
"status": "False",
"lastProbeTime": null,
"lastTransitionTime": "2023-10-12T16:21:37Z",
"reason": "ContainersNotReady",
"message": "containers with unready status: [workspace]"
},
{
"type": "ContainersReady",
"status": "False",
"lastProbeTime": null,
"lastTransitionTime": "2023-10-12T16:21:37Z",
"reason": "ContainersNotReady",
"message": "containers with unready status: [workspace]"
},
{
"type": "PodScheduled",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2023-10-12T16:21:37Z"
}
],
"hostIP": "10.128.0.80",
"startTime": "2023-10-12T16:21:37Z",
"containerStatuses": [
{
"name": "workspace",
"state": {
"waiting": {
"reason": "ContainerCreating"
}
},
"lastState": {},
"ready": false,
"restartCount": 0,
"image": "reg.pd-ws-man-5c0d6febc1.preview.gitpod-dev.com:31750/remote/3a6affd2-e7bd-4a78-861c-5d85d90a9b06",
"imageID": "",
"started": false
}
],
"qosClass": "Burstable"
},
"reconcileID": "db55667b-b3bb-4c44-a9d6-bea57007ce26",
"serviceContext": {
"service": "ws-manager-mk2",
"version": "commit-32450c07bf23c12a5a999aab6f2aa40527ce8552"
},
"severity": "INFO",
"status": {
"podStarts": 1,
"url": "https://iqqbot-gofuse-05xczdztvll.ws-dev.pd-ws-man-5c0d6febc1.preview.gitpod-dev.com",
"ownerToken": "[redacted]",
"phase": "Creating",
"conditions": [
{
"type": "Deployed",
"status": "True",
"lastTransitionTime": "2023-10-12T16:21:37Z",
"reason": "Unknown",
"message": ""
},
{
"type": "Refresh",
"status": "True",
"lastTransitionTime": "2023-10-12T16:21:37Z",
"reason": "Unknown",
"message": ""
},
{
"type": "ContentReady",
"status": "True",
"lastTransitionTime": "2023-10-12T16:21:49Z",
"reason": "InitializationSuccess",
"message": ""
}
],
"runtime": {
"nodeName": "preview-pd-ws-man-5c0d6febc1",
"podName": "ws-3a6affd2-e7bd-4a78-861c-5d85d90a9b06",
"hostIP": "10.128.0.80"
}
},
"time": "2023-10-12T16:21:49.19141569Z"
}
{
"Workspace": {
"name": "3a6affd2-e7bd-4a78-861c-5d85d90a9b06",
"namespace": "default"
},
"controller": "workspace",
"controllerGroup": "workspace.gitpod.io",
"controllerKind": "Workspace",
"level": "info",
"message": "updating workspace status",
"name": "3a6affd2-e7bd-4a78-861c-5d85d90a9b06",
"namespace": "default",
"podStatus": {
"phase": "Running",
"conditions": [
{
"type": "Initialized",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2023-10-12T16:21:37Z"
},
{
"type": "Ready",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2023-10-12T16:23:07Z"
},
{
"type": "ContainersReady",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2023-10-12T16:23:07Z"
},
{
"type": "PodScheduled",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2023-10-12T16:21:37Z"
}
],
"hostIP": "10.128.0.80",
"podIP": "192.168.2.44",
"podIPs": [
{
"ip": "192.168.2.44"
}
],
"startTime": "2023-10-12T16:21:37Z",
"containerStatuses": [
{
"name": "workspace",
"state": {
"running": {
"startedAt": "2023-10-12T16:23:02Z"
}
},
"lastState": {},
"ready": true,
"restartCount": 0,
"image": "reg.pd-ws-man-5c0d6febc1.preview.gitpod-dev.com:31750/remote/3a6affd2-e7bd-4a78-861c-5d85d90a9b06:latest",
"imageID": "reg.pd-ws-man-5c0d6febc1.preview.gitpod-dev.com:[redacted:email]:82966070187b644e4a214db1c0c6cdf4a7d23091d57995215775b1c7118dfdfe",
"containerID": "containerd://c1826ee417cf681629a679e4b3304112fb724c4eddeee1e9cfd7b07a2bb87a6d",
"started": true
}
],
"qosClass": "Burstable"
},
"reconcileID": "491e10c0-c1c2-4122-af72-ae974bbbce87",
"serviceContext": {
"service": "ws-manager-mk2",
"version": "commit-32450c07bf23c12a5a999aab6f2aa40527ce8552"
},
"severity": "INFO",
"status": {
"podStarts": 1,
"url": "https://iqqbot-gofuse-05xczdztvll.ws-dev.pd-ws-man-5c0d6febc1.preview.gitpod-dev.com",
"ownerToken": "[redacted]",
"phase": "Running",
"conditions": [
{
"type": "Deployed",
"status": "True",
"lastTransitionTime": "2023-10-12T16:21:37Z",
"reason": "Unknown",
"message": ""
},
{
"type": "Refresh",
"status": "True",
"lastTransitionTime": "2023-10-12T16:21:37Z",
"reason": "Unknown",
"message": ""
},
{
"type": "ContentReady",
"status": "True",
"lastTransitionTime": "2023-10-12T16:21:49Z",
"reason": "InitializationSuccess",
"message": ""
},
{
"type": "EverReady",
"status": "True",
"lastTransitionTime": "2023-10-12T16:23:07Z",
"reason": "Unknown",
"message": ""
},
{
"type": "FirstUserActivity",
"status": "True",
"lastTransitionTime": "2023-10-12T16:23:07Z",
"reason": "MarkActiveRequest",
"message": ""
}
],
"runtime": {
"nodeName": "preview-pd-ws-man-5c0d6febc1",
"podName": "ws-3a6affd2-e7bd-4a78-861c-5d85d90a9b06",
"podIP": "192.168.2.44",
"hostIP": "10.128.0.80"
},
"lastActivity": "2023-10-12T16:23:07Z"
},
"time": "2023-10-12T16:23:07.922931558Z"
} |
actually, this url contains workspace id, but the scriber don't have rule to redact it |
components/ws-manager-mk2/main.go
Outdated
| l := log.WithFields(logrus.Fields{}) | ||
| l.Logger.SetReportCaller(false) | ||
| baseLogger := logrusr.New(l, logrusr.WithFormatter(func(i interface{}) interface{} { | ||
| return &scrubber.TrustedValueWrap{Value: scrubber.Default.DeepCopyStruct(i)} |
There was a problem hiding this comment.
What is the perf implication of doing a deep copy? If I remember correctly, @akosyakov was running into perf issues when we performed deep scrubbing and the call we made is we'd only scrub a fixed depth and redact anything below.
There was a problem hiding this comment.
On complex and deep structures it was considerably slow, but in golang is still was negligible.
Our concern though was that we introduce it generically and don't want to make some hot path even slower by mistake, so decided to go with enforcing rather flat primitive properties. If this code is not on such path I would think it should be alright.
There was a problem hiding this comment.
I mean the point is that delivery of updates now will be slowed down by deep scrubbing of workspace status, you need to decide how acceptable it is.
There was a problem hiding this comment.
The workspace status used to be deep copied and then logged, so it has a relatively small impact on it.
Printing logs is not a hot path, and printing logs itself is also slow. Whether it's printing to stdout or to a file, it consumes I/O.
@iQQBot I'm not sure it is good idea to scrub each URL string, since regex is very expensive. If you know the structure maybe just scrub this property specifically on the top? |
iQQBot
force-pushed
the
pd/ws-man-2-redact-log
branch
from
32450c0 to
68e87af
Compare
|
@iQQBot changes lgtm but still see the URL unscrubbed, do you want to do that in a follow-up pr? |
It seems that we can only enable regex for each field called url to clear the workspace id (maybe it's make sense), other than that we may need to make big changes to scrubber |
|
Could you clarify which URLs? Also do you really want to log the entire workspace status? e.g. are you interested in ports? if you are interested only let's say in phase and conditions log only them? You don't need even deep scrubbing then? It could be good idea rather start small and add more info as you find it useful. In the past we over logged because of using deep structures. |
Personally, the pod status update would be debug level, but the cc @WVerlaek |
|
for status.url my understanding was
Alternatively we add gitpod/components/scrubber/config.go Line 33 in 20a6d13 url actually sounds better. It should not have perf impact.
|
if possible yes - it's been useful to debug workspace issues by having the full status. Lets you reconstruct a timeline of the workspace and its status changes |
|
Is it possible to add a |
only if it's our control struct |
I checked, we can do this |
iQQBot
force-pushed
the
pd/ws-man-2-redact-log
branch
from
68e87af to
c5c7c5c
Compare
|
updated |
Description
This PR introduces a new function
DeepCopyStructinscrubber, it can copy a struct and do scrub.Summary generated by Copilot
🤖 Generated by Copilot at dbc828e
This pull request enhances the logging and scrubbing features of the
ws-manager-mk2component. It adds a new feature to thescrubberpackage to deep copy and scrub struct values, and uses it to log values securely with thelogrusrpackage. It also refactors the logging logic in the workspace controller and removes some unused code.Related Issue(s)
Fixes ENG-872
How to test
Documentation
Preview status
Gitpod was successfully deployed to your preview environment.
Build Options
Build
Run the build with werft instead of GHA
Run Leeway with
--dont-testPublish
Installer
Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh. If enabled,with-previewandwith-large-vmwill be enabled./hold