Skip to main content

Small change, big effects - MTU setting in Docker overlay network

· One min read

Hi,

Thanks to Pawel who shared me this link: https://github.com/moby/moby/issues/37855, I tried and changed the MTU settings of Spider internal cluster overlay network.

docker network create spider --driver overlay --subnet=10.0.0.0/16 --opt com.docker.network.driver.mtu=8000

It's only like two words to add to the network settings, but it requires you to restart the full cluster (which I don't do anymore very often ;)).

And the effet was immediate:

  • Around 50% faster intra cluster exchanges
    • See graphic on the bottom right
    • Other graphs show that load is the same and quality of parsing the same as well.

  • Around 10% less CPU usages on cluster nodes
    • But not that there is no change in service CPU usage: Docker daemon is using less CPU

Man, small change, big effect !! Why isn't this documented in Docker docs ?!

Thibaut

 

Btw, in the 15min outage, I had time to:

  • Upgrade Docker, and security packages of all servers
  • Upgrade Elasticsearch, Kibana and Metricbeat ;)

Thanks for compatible versions =)

Parsing quality

· 3 min read

I recently added a new feature to Spider timeline:

It now shows the parsing quality of Spider for the selected Whisperer(s).

What do I mean by this?

Explanation​

Spider captures packets, then sends them to the server that rebuilds the network communications. Due to the massive amount of packets received (around 4 000/s on Streetsmart platform, 300 million a day), they are processed in real time with many buffers to absorb the spikes.

However, trouble may get in the way in many places when a spike is too big:

  • On client side:
    • The kernel buffer may get full before pcap process all packets
    • The pcap buffer (network capture) may get full as well
    • Spider server may not be able to absorb the load, and the Whisperer buffer may overflow (by backoff)
    • The same may happen for Tcpsessions tracked on client side... but I never saw this happen.
  • On server side:
    • Under too much load, or infrastructure issue, the parsing may not find all packets (Redis buffer full) and fail to rebuild the communication
    • And there is currently a 'last' bug that happens under high load as well that sometimes packets cannot be found.. although they SHOULD be there (I'm trying to track this one down, but this is not easy)

All in all, there are many places where it may go wrong and that could explain that you don't find the communications you expected!

This information of the goood health or not of the system is available in Spider monitoring, but not so easy to process.

Quality line in timeline​

Thus I designed an enhancement of the timeline so that you know when the missing data MAY be a Spider issue.. or if it is indeed due to the system under monitoring ;)

Below X axis, you may see underlined parts in red. They tell you that there have been parsing issues in the period. The redder the worse. (Timeline is showing PIT1 on november 21st)

You will then find detailed information when hovering on them:

Lots of red !!​

Don't be afraid, the quality is good:

  • The light red is the first threshold. Here, we lost 8 packets out of 2 millions! Looks like there has been a surge of load at this time, and Spider could not absorb.
  • Over the full day, on PIT1, we could not parse 11 communications out of 2,2 Millions. That's 99.9995% quality!

If failures happens too often, the buffers need to be enlarged, or the server scaled up...

 

So now you know, and when it gets really red, call me for support ;-)

 

Hide the line​

You may hide this quality line - and avoid making the queries - in the timeline menu. This settings is saved in your user settings.

Last info​

This is PRM integration platform. It is much redder. Indeed, there are many packets lost by pcap. And this is due to the old Ubuntu version!

Indeed, pcap filters are applied after capture on this Ubuntu version, and not before. Thus, the pcap driver captures all packets of all communication in its buffer before filtering and sending them to the Whisperer.

I enlarged pcap buffer from 20 to 60MB on this server, but it is not enough still. If Yvan, you are missing too many communications, this can be the cause, and we can enlarge the buffer again. It is easy to do, it is done on the UI ;-)

LDAP authentication!

· One min read

Spider now supports delegation of authentication to an external LDAP server :)

Getting ready for the enterprise!

Improved tooltips for Network Map

· 2 min read

What's coming here is the original reason for the rework of Templates. Templates are enriching the tooltips displayed on Nodes and Links, with new filters, more valued added data and other add'ins coming from the work I achieved on my monitoring UI.

See the changes by yourselves, they are live :)

Server nodes​

Before

After

The tooltip include a summary of the Node activity over the selected period:

  • Count of replicas
  • Count and rate of requests in and out
  • Errors listing of there are
    • 4xx
    • 5xx
    • No response
  • Load and speed of data exchanges
  • And, for the 5 more used templates:
    • Count and rate of requests
    • Avergage latency
    • And errors

For errors and template a quick filter icon allows you to filter selection on these communications, or to remove them from selection (if clicked with Ctrl).

It is pretty handy :-)

Client nodes​

Before

After

As for servers, we now see rate of requests, templates of requests called and latency, with the previous information still present.

This makes it much quicker to see what client calls what.

Before

After

The links data has already been much improved, on the same model.

New over the arrow display​

As for the monitoring dashboard, I added over the arrow display on the chart. When overing a link, you quickly see the global request rate and average latency. As seen on the above screenshot.

Pinnable tooltips​

All the above tooltips can be pinned with their top right icon. This allows to quickly compare different time window, by moving the time selection on the timeline and seeing the metrics being updated!

 

Those tooltips may have other quick improvements in the weeks to come, with feedback from usage and from you! :) Tell me if you find this useful! The whole goal is to speed analysis up, more and more.

Cheers

Custom contexts for JSON-LD payloads

· One min read

JSON-LD recompaction​

JSON-LD payloads may be very custom. Between the client context and the server context, there can be many difference that fundamentaly change the JSON representation.

In Streetsmart,

  • This feature is used to uglify and condense payloads from devices.
  • This feature is used by clients that may use different contexts than the server's.

Some payloads become very difficult to read:

You may now define custom contexts to recompact the JSON-LD payload into a more readable JSON:

This payload is the same in JSON-LD sense. But much better in human eyes ;)

Contexts and templates​

In order help you even more, the custom contexts that you defined are saved in your user settings, associated to the template of the request / API endpoint (if a template has been defined).

Thus, you may define different contexts... for different endpoints, and you don't have to keep then anywhere, Spider does it for you :)

Review​

Please tell me how it feels after usage. It is a quick dev. So, suggest me any improvement you need!

Cheers!

Reworked Template feature

· 4 min read

Previous state of URL templates​

Since many months, it was possible to defined URL templates in user settings to perform URL matching in filtering and stats:

Config​

Grid filtering​

Stats​

It worked, but:

  • It was a pain to configure - a regular expression for each URL
  • It was not very explicit - the regular expression as label
  • It was not efficient - the regulare expression were used as filters in Elasticsearch queries, which made Elastic run ALL regular expression on all URIs everytime the filter was selected... :(
  • Templates were associated to a user but not a Whisperer or a team

I then did a major rework of the feature to be more efficient, user friendly and... to allow more features to be built on it :)

The new Request Templates!​

First, you may notice from the name that it is not any more URL templates, but Request templates. Why? Because not only the URL can be analysed, but also the HTTP method, the headers and the body.

You define for each template:

  • A name
  • The fields to parse
  • A regular expression

And Spider associates the HTTP communication to the first matching template while Parsing.

Pros: much faster, flexible, easy to use and extensible. Cons: one time processing only. You cannot change already parsed and templated communications. Testing patterns is complicated, for now.

Look.

Configuration​

The Request templates are part of Whisperer parsing configuration.

  • The regular expression is matched over a combinaison of selected request parts.
  • The template name of the first matching template is saved in req.template field of the HTTP communication
    • The name can be plain text or include values extracted from the match
    • The regular expression is used as a substitution pattern over the name

The regular expressions above are enough to match all (or I believe so) endpoints exposed by Flowbird Streetsmart.

Ex:

For Streetsmart, the configuration is maintained in this Google Sheet. And then I just copy paste to Spider form. Gorgeous :)

Data filtering​

The templates can be filtered in the grid:

Or in the menu:

Detail view​

The template associated to the HTTP communication is visible in the detail view, that encountered a small reorder of fields:

As with any other field, you may add or remove the template from the filter with the small glass nearby.

Stats​

Templates are available as a grouping field in HTTP stats. And they make stats much more readable than previous version:

What's the use of selecting Headers of Body in template configuration?​

In some cases, like XML or JSONRPC, the URI is not enough to 'name' the request. Then, parsing the headers or the body becomes useful.

Example with PRM software configuration:

Which makes PRM exchanges much more readable compared to the URI only :) !!

However, this is to use with caution:

  • Parsing the headers introduce more memory usage on the server, but this is ok
  • Parsing the body implies to decode the body (manipulated as a buffer otherwise) and to uncompress it when it is encoded in Gzip, Deflate or Brotli.
    • As Spider is processing around 400 communications /s right now on Streetsmart, that could mean 400 unzipping every second if we have to analyse the body.
    • So it must be limited to certain conditions.

I'm thinking of splitting body from the other inputs, to limit body parsing to certain URIs... but I have issue on how to make it still easy to configure.

We can even make stats on PRM:​

However... it is difficult to split success and errors when an API always sends 200.

That's when you need Tags in place! They come next!

What's coming next?​

Request templates are allowing us to:

  • Derive the feature to offer a 'tagging' feature (next blog item in row)
  • Enrich the network map display and tooltips (in coming weeks)
  • Implement a regular croned request on production to get regular automated stats

Deprecation​

Existing URL template feature is deprecated and is going to be removed soon. Should you have issues with this, please tell me.

Tagging HTTP communications

· 2 min read

When designing Request Templates, I figured out that the system could be extended to extract Tags from the communications.

With a similar configuration than for templates, you may extract values from the request or the response and add it in indexed fields in the HTTP communication resource.

Then these fields will be available in Grid, in filtering, in the HTTP communication detailed view, and in the Stats grouping.

Configuration​

  • The tag name is used as the field name when storing:
    • req.tags.[name]
    • res.tags.[name]
  • If the pattern matches, the tag is associated to:
    • The extracted values from the capture groups of the regular expression
    • true value if no group is present

Grid​

Tags can be displayed in dedicated columns. The columns are listed in the column list based on the configuration of selected Whisperers.

Detailed view​

Tags are listed in HTTP communication first tab:

Tags field can be use in searches as any others:

And drop down filtering is available next to column headers:

Stats​

Tags can be selected for grouping statistics:

To continue​

PRM​

All below examples come from tags extracted from PRM communications. The configuration is available on PRM Integration whisperer.

This configuration should be completed with Error tags for instance : tag the response as an error when the body says so.

Streetsmart​

  • We may test extraction of park value from response to give statistics by park.
  • Other ideas are welcome

However, we must be careful. Because of the cost of body decompression.

Embedding raw headers in HTTP communications

· One min read

New feature added on request by Flowbird integration team:

It is now possible to save raw headers inside the HTTP communication resource.

  • This is interesting when the packets are not saved.
  • Filtering on headers is not applied on raw headers
  • Raw headers are filtered out (like content) when searching HttpCom resources by default, but they can be included with "withContent": true parameter in search body
  • Raw headers are automatically included when exporting communications

Effect​

The view source link in Headers tab is then working even if packets have not been saved.

Configuration​

On the Parsing Config tab of Whisperer settings.

You may also specify URIs for which you want NOT to save rawHeaders (in case of privacy concerns for instance)

Resource change example​

In req and res field:

"rawHeaders": {
"content": "GET /v1/posEventStatuses?modulo=1&remainder=0&view=content&afterUpdateMarker%5B%5D=85597012&afterUpdateMarker%5B%5D=38696&range=100 HTTP/1.1\\r\\nAuthorization: JWT eyJhbGci...\\r\\nHost: itproduction\_gateway\\r\\nX-Forwarded-Host: itproduction\_gateway\\r\\nX-Forwarded-For: 10.0.0.129\\r\\nX-Forwarded-BasePath: /terminal/devicemonitoring\\r\\nConnection: close\\r\\nCorrelation-Token: 19IRIKnRm68N0Gl1x6AqtyLtNNa-ztCI",
"size": 2990
}

Index Lifecycle Management

· One min read

I recently added index lifecycle management principles in Spider.

The data usage of the cluster has been reduced greatly with index shrinking and merging. Worth it :)