Alert somehow when there are cron failures in managed cloud #19930
Comments
roperzh
added
~engineering-initiated
|
@roperzh Thanks for submitting this and good idea and seems necessary. I'm prioritizing to the drafting board for estimation. |
lukeheath
added
#g-mdm
lukeheath
removed
#g-endpoint-ops
|
@georgekarrv I'm prioritizing this for estimation. If it requires assistance from infra please loop in the necessary folks. @sharon-fdm Do y'all have any cron job alerts that should be generating #help-p1 alerts? If so, please add them to this issue description so they can be included. @rfairburn Heads up that you may get some questions about this. My primary goal is just to make sure that any cron alerts that should generate #help-p1 alerts (like SCEP certificate) do generate alerts. Thanks all! |
|
This should be possible, but an entirely different mechanism will need to be added to the terraform monitoring module. I am thinking the pattern would look like this: Cloudwatch subscription filter -> lambda function (to process) -> SNS Topic (alert #help-p1 slack) I'd need to flesh the specifics out, but I think it is definitely possible as long as we have easy-to match patterns that don't have ambiguity in what I am matching. This would be separate from our existing cron monitoring which just checks specific cron jobs for their completed status in the db. |
|
@lukeheath I am not aware of any alerts mechanism for any of our cron jobs. @getvictor @mostlikelee @lucasmrod do you know otherwise? Also, @mostlikelee do we have any failure notification when one of our vuln repos fail to do its job? |
|
@sharon-fdm Yeah, I expect there isn't any hooked up yet. MDM ran into a case where the Fleet server knew the SCEP certificate was expired, but there was no mechanism to alert beyond server logs (from my 50k' view). Since that broke MDM functionality, we would have wanted to know about it in #help-p1. I'm wondering if EO has anything like that, where an error that would otherwise be logged to the server is something that we'd actually like to know about ASAP in #help-p1. There may not be anything like that for EO since y'all don't deal with as many certs as MDM. |
|
@sharon-fdm Normal GitHub actions workflows can do a Slack notification on fail, like: fleet/.github/workflows/test-go.yaml Line 147 in 223e1f2 |
roperzh
changed the title
roperzh
changed the title
|
Hey folks, sorry for not being clear (I created the issue in a hurry) I updated the title now, as Luke mentions, this is to surface cron errors that happen in Cloud, as they currently don't have proper visibility (so we can't use GitHub actions, etc) If you have any crons that are mission critical and want to surface alerts, this is the place to ask for them :) |
I can't think of anything critical in EO, but I think it would be a good metric to monitor cron failure counts. |
|
Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @mna @roperzh @jahzielv |
noahtalerman
removed
the
:product
|
Based on @ksatter in https://fleetdm.slack.com/archives/C051QJU3D0V/p1723414521461399?thread_ts=1723413693.587369&cid=C051QJU3D0V, we need to mark jobs as something other than "completed" (e.g. "failed") when they fail, at which point we can filter on that + If we had had that alerting on the |
lukeheath
changed the title
|
After reading the comments so far and looking at the current implementation, I have a slightly different proposal. I like the idea of a "failed" status for the cron jobs, but instead of trying to correlate a failed job with a log message, how about adding a new field to the |
|
I like the idea of the db table recording the status. It would make processing in the lambda much easier. We should still -also- include failures in the logs for those outside of cloud/aws not running the lambda, however. |
|
From call with @sgress454:
|
lukeheath
changed the title
for #19930 # Checklist for submitter - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] If database migrations are included, checked table schema to confirm autoupdate - [X] Manual QA for all new/changed functionality # Details This PR adds a new feature to the existing monitoring add-on. The add-on will now send an SNS alert whenever a scheduled job like "vulnerabilities" or "apple_mdm_apns_pusher" exits early due to errors. The alert contains the job type and the set of errors (there can be multiple, since jobs can have multiple sub-jobs). By default the SNS topic for this new alert is the same as the one for the existing cron system alerts, but it can be configured to use a separate topic (e.g. dogfood instance will post to a separate slack channel). The actual changes are: **On the server side:** - Add errors field to cron_stats table (json DEFAULT NULL) - Added errors var to `Schedule` struct to collect errors from jobs - In `RunAllJobs`, collect err from job into new errors var - Update `Schedule.updateStats`and `CronStats.UpdateCronStats`to accept errors argument - If provided, update errors field of cron_stats table **On the monitor side:** - Add new SQL query to look for all completed schedules since last run with non-null errors - send SNS with job ID, name, errors # Testing New automated testing was added for the functional code that gathers and stores errors from cron runs in the database. To test the actual Lambda, I added a row in my `cron_stats` table with errors, then compiled and ran the Lambda executable locally, pointing it to my local mysql and localstack instances: ``` 2024/12/03 14:43:54 main.go:258: Lambda execution environment not found. Falling back to local execution. 2024/12/03 14:43:54 main.go:133: Connected to database! 2024/12/03 14:43:54 main.go:161: Row vulnerabilities last updated at 2024-11-27 03:30:03 +0000 UTC 2024/12/03 14:43:54 main.go:163: *** 1h hasn't updated in more than vulnerabilities, alerting! (status completed) 2024/12/03 14:43:54 main.go:70: Sending SNS Message 2024/12/03 14:43:54 main.go:74: Sending 'Environment: dev Message: Fleet cron 'vulnerabilities' hasn't updated in more than 1h. Last status was 'completed' at 2024-11-27 03:30:03 +0000 UTC.' to 'arn:aws:sns:us-east-1:000000000000:topic1' 2024/12/03 14:43:54 main.go:82: { MessageId: "260864ff-4cc9-4951-acea-cef883b2de5f" } 2024/12/03 14:43:54 main.go:198: *** mdm_apple_profile_manager job had errors, alerting! (errors {"something": "wrong"}) 2024/12/03 14:43:54 main.go:70: Sending SNS Message 2024/12/03 14:43:54 main.go:74: Sending 'Environment: dev Message: Fleet cron 'mdm_apple_profile_manager' (last updated 2024-12-03 20:34:14 +0000 UTC) raised errors during its run: {"something": "wrong"}.' to 'arn:aws:sns:us-east-1:000000000000:topic1' 2024/12/03 14:43:54 main.go:82: { MessageId: "5cd085ef-89f6-42c1-8470-d80a22b295f8"
lukeheath
added
#g-orchestration
|
@sgress454 I merged this and put it on the orchestration board for tracking. QA is just validating the alert works before closing the issue out. Thanks! |
|
@sgress454 @rfairburn Just confirming this has been released to dogfood. I haven't seen any job failures reported, have we had any in dogfood? Also, will this be naturally rolled out to all managed cloud instances at the next update? Any additional steps necessary to test this out? |
|
This was on my TODO list for this afternoon. It's very possible that Dogfood doesn't have any failures at this time, but I'm going to look at the db and check manually for any rows with errors recorded.
In order to utilize this feature, instances will have to update to the latest monitoring plugin as we did with Dogfood in #24425. We can roll this out to managed instances as quickly or slowly as we like, but it won't happen automatically. We could start with one of the instances known to have had failures in the past. |
|
I could also probably simulate (stimulate?) a failure on Dogfood in order to test this e2e. |
|
We definitely should simulate a failure in Dogfood in order to validate this end to end before rolling to cloud. |
|
Once we are confident in Dogfood, I would prefer to roll this out to the entire managed cloud at once for consistency sake. The number of unique differences per tenant are too great as-is already. |
Yup, the code worked but the SNS notification failed due to a permissions issue, I missed updating the IAM policies for the Lambda role. See #25268 |
|
Realized we never circled back to this -- we had a successful test of the alert on Dogfood, so I think the only thing required to deploy this to managed cloud customers would be to update their monitoring add-on version to the latest. |
Problem
Cron failures in managed cloud do not report to the #help-p1 or #help-p2 channels, which means we're not aware of them unless issues are reported by the customer.
Solution
High-level: add a new
errorscolumn to thecron_statstable, populate this with any errors that occur during a cron run if they bubble up to the job runner level (i.e. they cause the job to fail) and then use the existing monitor Lambda to report on these errors hourly.Details
On the server side:
errorsfield to cron_stats table (json DEFAULT NULL)errorsvar to Schedule struct to collect errors from jobserrfrom job (same place we currently log) into newerrorsvarerrorsargumenterrorsfield of cron_stats tableOn the monitor side:
errorssend SNS with job ID, name, errors
now - monitor interval(i.e. in the last hour), but ideally we query AWS for last successful run of the Lambda so we don't miss anything if the Lambda stalls or fails for some reason.help-p2since these are not likely to require immediate action.Other notes:
failedstatus for jobs, but now that I know that a schedule can have multiple jobs so that some may error and some not, I don’t think this would be as helpful.The text was updated successfully, but these errors were encountered: