Proxy notification/callback on restart

Hello,

as a recent was started on pull request [1], I wanted to move it back to
the mailing list, in order to restart the discussion.

coping from the pull request (with minor formatting changes)

I would like to propose a notification/callback from the proxy to foreman,
initially to address the following needs:

1. a way to invalidate the smart proxy related cache (in 1.11 a lot of data
   is now showed on the smart proxy show page, most of it is being cached to
   avoid multiple API calls to the proxy).
2. a way to detect if new feature are enabled on the proxy.

The user stories i would like to address are:

• as a user, I've restarted my proxy and I see out of date data in the
  UI/API. (covered with 1)
• as a user, I've ran the installer (e.g. added the remote execution
  plugin) yet I have no idea i need to go to the smart proxies and click
  refresh. (covered partly with 2, more below)
• as a user i might want to see older errors from the proxy yet know
  they are from pre-restart (related to 1 and @lzap
  <https://github.com/lzap> work on logs at [2]).

lets break each on a bit down:
for 1. i could see one implementation, by simply keeping a timestamp of
when the proxy was started, and provide that timestamp in one of the api
calls (for example in one of the ping/status calls).
for 2. i think foreman needs to know a restart happened, what it does with
it can be handled differently, for example:
if a new feature was added, i think its fair to simply add it and report it
in the ui.
if a feature was removed, we can probably detect if it was due to
configuration error (via the plugin init loggin [3]) or not, in either case
we don't remove it for the user, rather report it (e.g. in the status icon).

I think the only "allowed" automatic update in this case would be add new
features to the proxy, and I would consider it an improvement, as its the
default process a user usually take.

I do think that over time, the proxy will need to send an event stream back
to foreman, in order to enrich the visibility / management in the
application and enable a rich provisioning state machine.

regarding the implementation details that @witlessbird
<https://github.com/witlessbird> and @GregSutcliffe
<https://github.com/GregSutcliffe> mentioned I fully agree it should not
block the proxy in any level, e.g. using a different thread to reach out to
foreman, do nothing if it fails etc.

I do not think that the usage case of mutlitple foreman hosts using the
same proxy is that common, if we however wish to support it we can simply
provide an array of foreman urls (which we dont afaik support today anyway).

Thanks,
Ohad

[1] https://github.com/theforeman/smart-proxy/pull/363
[2] https://github.com/theforeman/foreman/pull/3098
[3] https://github.com/theforeman/smart-proxy/pull/358

That should already work, the foreman_smartproxy resource should be
refreshed - if not, it's probably a bug.

I think the main benefit of using a call-back would be an ability to
execute an action in response (update smart-proxy configuration,
notify users about changes, etc). I don’t think automatic updates of
proxy configuration/features are a good idea: a feature's
disappearance can be transient (misconfiguration, etc), it can have
impact on provisioning, etc; the bottom line is that smart-proxy
changes are better handled by a human being.

However, I don’t see anything in the stories about notifying users
about the changes in the proxy configuration (prompting them to check
the changes). Moreover, I think notifications shouldn’t be only for
restarts (smart-proxy may fail do deliver a single notification, or it
crashed and is no longer available, etc), but periodic, something like
a heartbeat. Yet another thing to keep in mind is that presence of a
heartbeat if it is maintained by the proxy may not mean that http api
is available (it only means that the proxy process is alive), probably
a minor thing, but I thought it should be mentioned.

• as a user, I've restarted my proxy and I see out of date data in the UI/API.
  This should handle a situation when proxy is down/unresponsive, I
  think a simple binary change/no change would be too confusing.
  However, without periodic updates from the proxy, the UI should do the
  polling to detect unresponsive proxy, which renders smart-proxy
  updates redundant.

• as a user i [might] want to see older errors from the proxy yet know
  they are from pre-restart.
  It’s possible to insert a “startup finished” notification, which will
  end up in the logs. What kind of api are you looking for? Depending on
  the answer to the last question we can go anywhere from an rss feed
  for errors to persisting events in a database…

-d

> Hello,
>
> as a recent was started on pull request [1], I wanted to move it back to
> the mailing list, in order to restart the discussion.
>

Thanks, I think it's much easier to discuss things here

> I would like to propose a notification/callback from the proxy to foreman,
> initially to address the following needs:
>
> 1. a way to invalidate the smart proxy related cache (in 1.11 a lot of
> data is now showed on the smart proxy show page, most of it is being cached
> to avoid multiple API calls to the proxy).
> 2. a way to detect if new feature are enabled on the proxy.
>
> The user stories i would like to address are:
>
> - as a user, I've restarted my proxy and I see out of date data in the
> UI/API. (covered with 1)
> - as a user, I've ran the installer (e.g. added the remote execution
> plugin) yet I have no idea i need to go to the smart proxies and click
> refresh. (covered partly with 2, more below)
> - as a user i might want to see older errors from the proxy yet know
> they are from pre-restart (related to 1 and @lzap
> <https://github.com/lzap> work on logs at [2]).
>
> lets break each on a bit down:
> for 1. i could see one implementation, by simply keeping a timestamp of
> when the proxy was started, and provide that timestamp in one of the api
> calls (for example in one of the ping/status calls).
>
When it was started? Surely you want a timestamp of when the cache was last
refreshed? This is what we've done for years on the certificates page, and
I see no harm in using that mechanism again. I do think a button to clear
the cache would be good - today you can clear it by appending a parameter
to the URL, but it's a hidden feature.

> for 2. i think foreman needs to know a restart happened, what it does with
> it can be handled differently, for example:
> if a new feature was added, i think its fair to simply add it and report
> it in the ui.
> if a feature was removed, we can probably detect if it was due to
> configuration error (via the plugin init loggin [3]) or not, in either case
> we don't remove it for the user, rather report it (e.g. in the status icon).
>
I still disagree with any kind of automatic update here, the potential for
affecting users networks is huge. If you're going to the effort of adding
some kind of notification or status report for the user about removed
features, you may as well do it for added features too. This leads to
consistent behaviour, and the user can choose to refresh features at that
point.

As an extension, perhaps we should re-use the puppetclass import page, and
allow the user to select which features are added/removed when refreshing
the features?

On the subject of restarts, firstly, knowing about a restart isn't enough -
it assumes the proxy came back up successfully. Dmitri suggests a heartbeat
instead, this seems much better, and could be driven from the UI side
easily (see network topology, below). Even if we have just some basic ping
(absolute worst - hit /features once per minute) it still could scale to
hundreds of proxies without impact on the UI. So I agree with Dmitri here,
the UI should drive this, the proxy should just have an API to retrieve
events.

> I think the only "allowed" automatic update in this case would be add new
> features to the proxy, and I would consider it an improvement, as its the
> default process a user usually take.
>
As stated, I would consider that dangerous, especially in large networks.
The combination of new features, taxonomies, multiple subnets/domains, and
the various ways in which we query the proxies make me unsure that we could
guarantee not having unintended changes. Safer to notify the user of
detected features and then give them the power to update or not.

> I do think that over time, the proxy will need to send an event stream
> back to foreman, in order to enrich the visibility / management in the
> application and enable a rich provisioning state machine.
>
There's no guarantee the proxy has any access to Foreman. Network
segregation may prevent it, and today only the template plugin needs it -
everything else is one-way (although technically a puppetmaster would need
it for reports, thats not actually the proxy making the connection).

I have no issue with being able to read events, but if we stick to our
current erchitecture, then we need to drive it from the Foreman side.

> regarding the implementation details that @witlessbird
> <https://github.com/witlessbird> and @GregSutcliffe
> <https://github.com/GregSutcliffe> mentioned I fully agree it should not
> block the proxy in any level, e.g. using a different thread to reach out to
> foreman, do nothing if it fails etc.
>
> I do not think that the usage case of mutlitple foreman hosts using the
> same proxy is that common, if we however wish to support it we can simply
> provide an array of foreman urls (which we dont afaik support today anyway).
>
Agreed, it was something in my head at the time as I had just been
discussing it on IRC with a user for other reasons. In any case, if the
above stories are solved from the UI side, then this case also works.

TL;DR - no auto-updates in the UI, use notifications, and get the
logs/features/restarts from the UI side.

> > # as a user, I've ran the installer (e.g. added the remote execution
> > plugin) yet I have no idea i need to go to the smart proxies and click
> > refresh. (covered partly with 2, more below)
>
> That should already work, the foreman_smartproxy resource should be
> refreshed - if not, it's probably a bug.
>

I would challenge that default, as this can potentially remove a feature
without the user realizing it.
IMHO we should allow adding features without removing old ones when using
the installer / proxy startup.

> 1. a way to invalidate the smart proxy related cache (in 1.11 a lot of data
> is now showed on the smart proxy show page, most of it is being cached to
> avoid multiple API calls to the proxy).
> 2. a way to detect if new feature are enabled on the proxy.

The both tasks are rather artificial. If we had proper implementation of
getting probes from smart proxy from the day one (stream, messaging),
there was no such a task as no 1.

The other does not make much sense to me. If user plays around with
installer, he should be aware that some steps might be necessary. We
should rather improve this in the installer, in the worst case scenario
fat banner asking the user to refresh the features. As Dom said, this
should work already by the way. But the same applies when user enables a
feature. Let's improve the comment there asking to refresh features
instead!

We committed to this HTTP querying solution as a temporary and limited
functionality, as far as I understand. We should take it "as is" IMHO
and rather invest resources into doing architectural changes to do
things properly. And let's do this the proper way, with enough time for
design, review, testing and discussion.

>
>> Hello,
>>
>> as a recent was started on pull request [1], I wanted to move it back to
>> the mailing list, in order to restart the discussion.
>>
>
> Thanks, I think it's much easier to discuss things here
>
>
>> I would like to propose a notification/callback from the proxy to
>> foreman, initially to address the following needs:
>>
>> 1. a way to invalidate the smart proxy related cache (in 1.11 a lot of
>> data is now showed on the smart proxy show page, most of it is being cached
>> to avoid multiple API calls to the proxy).
>> 2. a way to detect if new feature are enabled on the proxy.
>>
>> The user stories i would like to address are:
>>
>> - as a user, I've restarted my proxy and I see out of date data in
>> the UI/API. (covered with 1)
>> - as a user, I've ran the installer (e.g. added the remote execution
>> plugin) yet I have no idea i need to go to the smart proxies and click
>> refresh. (covered partly with 2, more below)
>> - as a user i might want to see older errors from the proxy yet know
>> they are from pre-restart (related to 1 and @lzap
>> <https://github.com/lzap> work on logs at [2]).
>>
>> lets break each on a bit down:
>> for 1. i could see one implementation, by simply keeping a timestamp of
>> when the proxy was started, and provide that timestamp in one of the api
>> calls (for example in one of the ping/status calls).
>>
> When it was started? Surely you want a timestamp of when the cache was
> last refreshed? This is what we've done for years on the certificates page,
> and I see no harm in using that mechanism again. I do think a button to
> clear the cache would be good - today you can clear it by appending a
> parameter to the URL, but it's a hidden feature.
>

no, if the time stamp is newer than the cache => restart happened, cache is
invalidated.

there is no longer a url for it, git pull please
also, the refresh button on the proxy now invalidates the cache as well.

>
>
>> for 2. i think foreman needs to know a restart happened, what it does
>> with it can be handled differently, for example:
>> if a new feature was added, i think its fair to simply add it and report
>> it in the ui.
>> if a feature was removed, we can probably detect if it was due to
>> configuration error (via the plugin init loggin [3]) or not, in either case
>> we don't remove it for the user, rather report it (e.g. in the status icon).
>>
> I still disagree with any kind of automatic update here, the potential for
> affecting users networks is huge. If you're going to the effort of adding
> some kind of notification or status report for the user about removed
> features, you may as well do it for added features too. This leads to
> consistent behaviour, and the user can choose to refresh features at that
> point.
>

I'm not sure I'm following, today we refresh the features for you from the
installer, regardless if you wanted it or not (including removing a
feature).
I think adding a feature to a proxy is a no issue, it allows to report the
feature initalization and provide useful feedback even before its
configured.
we would like to show / indicate that in both the proxy index and show
pages. and later on, potentially via notifications.

>
> As an extension, perhaps we should re-use the puppetclass import page, and
> allow the user to select which features are added/removed when refreshing
> the features?
>
+1, ATM its all or nothing.

>
> On the subject of restarts, firstly, knowing about a restart isn't enough
> - it assumes the proxy came back up successfully. Dmitri suggests a
> heartbeat instead, this seems much better, and could be driven from the UI
> side easily (see network topology, below). Even if we have just some basic
> ping (absolute worst - hit /features once per minute) it still could scale
> to hundreds of proxies without impact on the UI. So I agree with Dmitri
> here, the UI should drive this, the proxy should just have an API to
> retrieve events.
>

Other projects did that, and IMHO it scale poorly, if we are going to
introduce events/streams lets do it right and use a message bus/other
streaming protocol.

> I think the only "allowed" automatic update in this case would be add new
>> features to the proxy, and I would consider it an improvement, as its the
>> default process a user usually take.
>>
> As stated, I would consider that dangerous, especially in large networks.
> The combination of new features, taxonomies, multiple subnets/domains, and
> the various ways in which we query the proxies make me unsure that we could
> guarantee not having unintended changes. Safer to notify the user of
> detected features and then give them the power to update or not.
>

You might have a point there, but the alternative of refresh all is not
great either, IMHO notification that there is a change + a way to accept it
(using your suggestion of accepting per feature) is probably a good way
forward.

> I do think that over time, the proxy will need to send an event stream
>> back to foreman, in order to enrich the visibility / management in the
>> application and enable a rich provisioning state machine.
>>
> There's no guarantee the proxy has any access to Foreman. Network
> segregation may prevent it, and today only the template plugin needs it -
> everything else is one-way (although technically a puppetmaster would need
> it for reports, thats not actually the proxy making the connection).
>
thats not true, it depends on the feature, i could think of the following
features that need to initiate connection from the proxy:

• puppet (facts, enc and reports)
• templates (provisioning templates - kickstart etc)
• scap (similar to puppet - send reports in various formats)
• remote execution (afair there is a proxy -> foreman updates on changes?)

and I'm sure thats only part of the list.

>
> I have no issue with being able to read events, but if we stick to our
> current erchitecture, then we need to drive it from the Foreman side.
>
>> regarding the implementation details that @witlessbird
>> <https://github.com/witlessbird> and @GregSutcliffe
>> <https://github.com/GregSutcliffe> mentioned I fully agree it should not
>> block the proxy in any level, e.g. using a different thread to reach out to
>> foreman, do nothing if it fails etc.
>>
>> I do not think that the usage case of mutlitple foreman hosts using the
>> same proxy is that common, if we however wish to support it we can simply
>> provide an array of foreman urls (which we dont afaik support today anyway).
>>
> Agreed, it was something in my head at the time as I had just been
> discussing it on IRC with a user for other reasons. In any case, if the
> above stories are solved from the UI side, then this case also works.
>
> TL;DR - no auto-updates in the UI, use notifications, and get the
> logs/features/restarts from the UI side.
>

I'm fine with that, as long as the proxy tries to notify us we can decide
how to notify the user from foreman side (and of course, revoke the cache

You do bring up a potential that foreman 1.11 might introduce (or maybe
1.10 already did).

In the past the smart-proxy refused to start if a module was
misconfigured. That meant puppet failed to start the service,
registration never happened and the user received an error when running
the installer clearly indicating something is wrong.

Somewhere smart-proxy changed this to a logged message but otherwise a
normal start up. This means the installer completes without warning the
user their setup is (partially) broken.

I see 2 solutions:

• Revert to only starting if all modules can be loaded
• Introduce verification
  ** Build it into the installer so we can detect problems
  ** Document this change so users can adjust their monitoring

Personally I'd prefer solution 1. That way I can simply tell my
monitoring service to ensure the service is running and I know all is
well.

…

>>
>> On the subject of restarts, firstly, knowing about a restart isn't enough
>> - it assumes the proxy came back up successfully. Dmitri suggests a
>> heartbeat instead, this seems much better, and could be driven from the UI
>> side easily (see network topology, below). Even if we have just some basic
>> ping (absolute worst - hit /features once per minute) it still could scale
>> to hundreds of proxies without impact on the UI. So I agree with Dmitri
>> here, the UI should drive this, the proxy should just have an API to
>> retrieve events.
>
>
> Other projects did that, and IMHO it scale poorly, if we are going to
> introduce events/streams lets do it right and use a message bus/other
> streaming protocol.

Receiving events from the proxy and heartbeat are not mutually
exclusive. In fact, I and Greg are arguing that events alone is most
likely not going to be sufficient:

• if the proxy drives the notifications you may not receive an update
  if there’s a network failure or proxy failed to start. Additionally,
  proxy will need to guarantee the delivery of updates.
• if the foreman side drives the updates by periodically polling the
  proxy, you can use that call as a heartbeat.

I’m not sure re: scaling at this point — either way foreman needs to
either respond to callbacks or handle polling, my guess would be we’ll
start seeing some performance-related issues only when we scale past
hundreds of proxies…

-d

>> When it was started? Surely you want a timestamp of when the cache was
last refreshed? This is what we've done for years on the certificates page,
and I see no harm in using that mechanism again. I do think a button to
clear the cache would be good - today you can clear it by appending a
parameter to the URL, but it's a hidden feature.
>
> no, if the time stamp is newer than the cache => restart happened, cache
is invalidated.

My suggestion works just as well whether there's a restart or not. Why
would you limit yourself to a specific case?

> there is no longer a url for it, git pull please
> also, the refresh button on the proxy now invalidates the cache as well.

Why was it removed? Sounds perfect for your user story. Using the refresh
features button sounds overkill for invalidating a cache.

>>> for 2. i think foreman needs to know a restart happened, what it does
with it can be handled differently, for example:
>>> if a new feature was added, i think its fair to simply add it and
report it in the ui.
>>> if a feature was removed, we can probably detect if it was due to
configuration error (via the plugin init loggin [3]) or not, in either case
we don't remove it for the user, rather report it (e.g. in the status icon).
>>
>> I still disagree with any kind of automatic update here, the potential
for affecting users networks is huge. If you're going to the effort of
adding some kind of notification or status report for the user about
removed features, you may as well do it for added features too. This leads
to consistent behaviour, and the user can choose to refresh features at
that point.
>
> I'm not sure I'm following, today we refresh the features for you from
the installer, regardless if you wanted it or not (including removing a
feature).
> I think adding a feature to a proxy is a no issue, it allows to report
the feature initalization and provide useful feedback even before its
configured.
> we would like to show / indicate that in both the proxy index and show
pages. and later on, potentially via notifications.

I don't really like it in the installer either - all my proxies are
configured with register-in-foreman=false. It's obviously useful when a
proxy is newly created, but for existing proxies, I would be wary.

>> On the subject of restarts, firstly, knowing about a restart isn't
enough - it assumes the proxy came back up successfully. Dmitri suggests a
heartbeat instead, this seems much better, and could be driven from the UI
side easily (see network topology, below). Even if we have just some basic
ping (absolute worst - hit /features once per minute) it still could scale
to hundreds of proxies without impact on the UI. So I agree with Dmitri
here, the UI should drive this, the proxy should just have an API to
retrieve events.
>
> Other projects did that, and IMHO it scale poorly, if we are going to
introduce events/streams lets do it right and use a message bus/other
streaming protocol.

You can't talk about performance without an expectation of the scale. I
don't know of any sites with 100s of proxies. And as Dmitri says, Foreman
will have to reply to these events anyway, so if it doesn't scale, you'll
have an issue anyway. My main concern is not adding a feature that a
proportion of our users would not be able to use (due to network
segregation).

> thats not true, it depends on the feature, i could think of the following
features that need to initiate connection from the proxy:
> - puppet (facts, enc and reports)
Comes from the master, not the proxy
> - templates (provisioning templates - kickstart etc)
Yes, I mentioed that
> - scap (similar to puppet - send reports in various formats)
Plugin, not core.
> - remote execution (afair there is a proxy -> foreman updates on changes?)
Plugin, not core.

I think the point is that some people will have a network structure that
prevents some proxies from communicatiing back to Foreman. Currently
that's OK - the connection is per-feature, as you say, but now you are
talking about making it a requirement for the proxy as a whole, and I don't
think that's good.

> …
>
> >>
> >> On the subject of restarts, firstly, knowing about a restart isn't
> enough
> >> - it assumes the proxy came back up successfully. Dmitri suggests a
> >> heartbeat instead, this seems much better, and could be driven from the
> UI
> >> side easily (see network topology, below). Even if we have just some
> basic
> >> ping (absolute worst - hit /features once per minute) it still could
> scale
> >> to hundreds of proxies without impact on the UI. So I agree with Dmitri
> >> here, the UI should drive this, the proxy should just have an API to
> >> retrieve events.
> >
> >
> > Other projects did that, and IMHO it scale poorly, if we are going to
> > introduce events/streams lets do it right and use a message bus/other
> > streaming protocol.
>
> Receiving events from the proxy and heartbeat are not mutually
> exclusive. In fact, I and Greg are arguing that events alone is most
> likely not going to be sufficient:
> - if the proxy drives the notifications you may not receive an update
> if there’s a network failure or proxy failed to start. Additionally,
> proxy will need to guarantee the delivery of updates.
> - if the foreman side drives the updates by periodically polling the
> proxy, you can use that call as a heartbeat.
>
> I’m not sure re: scaling at this point — either way foreman needs to
> either respond to callbacks or handle polling, my guess would be we’ll
> start seeing some performance-related issues only when we scale past
> hundreds of proxies…
>
> My point is, that if we eventually decide HTTP/REST is not the way to send
notifications, I would rather look into something that could also
encapsulate ping, for example, a message bus can send broadcast to all
known proxies in one event, receiving the reply into a queue.

Ohad

> > As an extension, perhaps we should re-use the puppetclass import page, and
> > allow the user to select which features are added/removed when refreshing
> > the features?
> >
> +1, ATM its all or nothing.

Sorry but I disagree that's of much (any?) value, nor I've ever seen an
issue or anyone complaining about it. You don't have any choice
when you restart the proxy to 'add' features as that's driven by the
configuration files.

Removing them is certainly possible but it's one more thing we have to
maintain when we don't even know if it's something people want. I
certainly never thought 'I want to disable a feature' ever.

> notifications, I would rather look into something that could also
> encapsulate ping, for example, a message bus can send broadcast to all
> known proxies in one event, receiving the reply into a queue.

Once we have messaging bus in place, you need to drop request-reply
thinking immediately, otherwise you are building something very weird