Foreman 1.24 will drop too many facts

lzap · August 23, 2019, 2:14pm

All,

Foreman no longer imports all facts, structured facts (e.g. networking::interface) and selected root facts:

blockdevice_
ipaddress6?_
macaddress_
mtu_
speed_
auto_negotiation_
duplex_
link_
wol_

are only imported up to 100 elements. If a host reports more, they will be dropped and fact named foreman::dropped_subtree_facts will contain approximate number of facts dropped (e.g. 2 thousands). The maximum amount of facts is configurable via Administer - Settings - Provisioning. This change was implemented for large deployments with many nodes and/or hypervisors or container hosts with many virtual network cards, bridges, mountpoints or volumes.

We believe that limit of 100 is a sane default, Foreman users usually don’t work with hundreds of NICs or mountpoints. If needed, this limit can be increased however severe performance penalties across whole application can be expected as the database and indices grow.

The relevant change is:

github.com/theforeman/foreman

Fixes #26984 - maximum subtree fact filter

theforeman:develop ← lzap:drop-lengthy-hashes-26984

opened 09:15AM - 19 Jun 19 UTC

lzap

+74 -33

Adds filter that drops subtrees (hash or array) of bigger size than defined in …global setting, by default this is 100. Total number of dropped items is stored in newly created `foreman::dropped_subtree_facts` fact. It is rounded and human readable to prevent repetetive changes of this value, usually it will be: * 100 * 1 Thousand * 5 Thousands * 25 Thousands This enables users to easily identify hosts which were dropped some facts so they can investigate them later on. Additionally, we can also report via `foreman-maintain` that these hosts are likely sending too many facts and ask users to filter facts on the client side. The idea introduces brand new `foreman` composite hash for other values as well, we were thinking about introducing `foreman::boot_time` special value in https://github.com/theforeman/foreman/pull/6843 It also puts warning in the log, if you going to ask for debug I am intentionally putting warning here because I believe this is important and one extra line in logs won't hurt we already log about dozens of them. Important thing to consider is that this only handles *structured* facts, there are many hosts reporting via facter 2.x and this filter will not help. The question is, shall I implement the same behavior? How that would work? Only for particular prefixes like `blockdevice_*` or similar? @ekohl can you name those prefixes which are likely be offenders for puppet 2.x? It should be pretty easy to implement similar behavior but I need a decent list of candidates. What puzzles me is that facter can actually send both structured facts and flat-formatted facts in one request. Example: https://github.com/theforeman/foreman_discovery/blob/develop/test/facts/rhel-r730.json Here I see `blockdevice_*` facts which can go out of control as well as structured facts like "partitions" which is the same story. It looks like I might need to implement it also for structured importer. Additional question is if I should go deep, currently I only filter the 1st level.

I filed an upgrade note as well. There is nothing to do during upgrade, old facts will be dropped on the fly as managed nodes will be checking in and filter will take effect. Initial checkins might be little bit slower than usual as there will be some records to delete.

Lang_Jason · August 24, 2019, 1:27am

I like that you write the count of dropped facts to a “fact”

This should make tuning/customization workable too. I can dump the contents of that fact across my environment and determine a percentile that works for overall inclusions vs performance. Something like 95th percentile or something probably.

Should there be a whitelist/override inclusion list and/ or should the attribute controlling the import recursion number be overrideable through the ENC? I personally see no need for it, but I could imagine an environment heavy on docker having many hosts with many network interfaces being a “thing” and to be able to allow only that fact entirely, or a larger recursion limit on a specific hostgroup to be useful features, particularly in a larger environment.

lzap · August 29, 2019, 12:50pm

There is not such thing at the moment. Honestly I tried to design this as simple as possible because we already have NIC and fact name exclude filter. This would need fact name include filter, it’s a mess. Let’s attack this if there is such a request.