1 =======================
2 Ganeti monitoring agent
3 =======================
5 .. contents:: :depth: 4
7 This is a design document detailing the implementation of a Ganeti
8 monitoring agent report system, that can be queried by a monitoring
9 system to calculate health information for a Ganeti cluster.
11 Current state and shortcomings
12 ==============================
14 There is currently no monitoring support in Ganeti. While we don't want
15 to build something like Nagios or Pacemaker as part of Ganeti, it would
16 be useful if such tools could easily extract information from a Ganeti
17 machine in order to take actions (example actions include logging an
18 outage for future reporting or alerting a person or system about it).
23 Each Ganeti node should export a status page that can be queried by a
24 monitoring system. Such status page will be exported on a network port
25 and will be encoded in JSON (simple text) over HTTP.
27 The choice of JSON is obvious as we already depend on it in Ganeti and
28 thus we don't need to add extra libraries to use it, as opposed to what
29 would happen for XML or some other markup format.
31 Location of agent report
32 ------------------------
34 The report will be available from all nodes, and be concerned for all
35 node-local resources. This allows more real-time information to be
36 available, at the cost of querying all nodes.
41 The monitoring agent system will report on the following basic information:
44 - Instance disk status
45 - Status of storage for instances
46 - Ganeti daemons status, CPU usage, memory footprint
47 - Hypervisor resources report (memory, CPU, network interfaces)
48 - Node OS resources report (memory, CPU, network interfaces)
49 - Information from a plugin system
54 The report of the will be in JSON format, and it will present an array
56 Each report object will be produced by a specific data collector.
57 Each report object includes some mandatory fields, to be provided by all
61 The name of the data collector that produced this part of the report.
62 It is supposed to be unique inside a report.
65 The version of the data collector that produces this part of the
66 report. Built-in data collectors (as opposed to those implemented as
67 plugins) should have "B" as the version number.
70 The format of what is represented in the "data" field for each data
71 collector might change over time. Every time this happens, the
72 format_version should be changed, so that who reads the report knows
73 what format to expect, and how to correctly interpret it.
76 The time when the reported data were gathered. Is has to be expressed
77 in nanoseconds since the unix epoch (0:00:00 January 01, 1970). If not
78 enough precision is available (or needed) it can be padded with
79 zeroes. If a report object needs multiple timestamps, it can add more
80 and/or override this one inside its own "data" section.
83 A collector can belong to a given category of collectors (e.g.: storage
84 collectors, daemon collector). This means that it will have to provide a
85 minumum set of prescribed fields, as documented for each category.
86 This field will contain the name of the category the collector belongs to,
87 if any, or just the ``null`` value.
90 Two kinds of collectors are possible:
91 `Performance reporting collectors`_ and `Status reporting collectors`_.
92 The respective paragraphs will describe them and the value of this field.
95 This field contains all the data generated by the specific data collector,
96 in its own independently defined format. The monitoring agent could check
97 this syntactically (according to the JSON specifications) but not
100 Here follows a minimal example of a report::
104 "name" : "TheCollectorIdentifier",
107 "timestamp" : 1351607182000000000,
110 "data" : { "plugin_specific_data" : "go_here" }
113 "name" : "AnotherDataCollector",
116 "timestamp" : 1351609526123854000,
117 "category" : "storage",
119 "data" : { "status" : { "code" : 1,
120 "message" : "Error on disk 2"
122 "plugin_specific" : "data",
123 "some_late_data" : { "timestamp" : 1351609526123942720,
130 Performance reporting collectors
131 ++++++++++++++++++++++++++++++++
133 These collectors only provide data about some component of the system, without
134 giving any interpretation over their meaning.
136 The value of the ``kind`` field of the report will be ``0``.
138 Status reporting collectors
139 +++++++++++++++++++++++++++
141 These collectors will provide information about the status of some
142 component of ganeti, or managed by ganeti.
144 The value of their ``kind`` field will be ``1``.
146 The rationale behind this kind of collectors is that there are some situations
147 where exporting data about the underlying subsystems would expose potential
148 issues. But if Ganeti itself is able (and going) to fix the problem, conflicts
149 might arise between Ganeti and something/somebody else trying to fix the same
151 Also, some external monitoring systems might not be aware of the internals of a
152 particular subsystem (e.g.: DRBD) and might only exploit the high level
153 response of its data collector, alerting an administrator if anything is wrong.
154 Still, completely hiding the underlying data is not a good idea, as they might
155 still be of use in some cases. So status reporting plugins will provide two
156 output modes: one just exporting a high level information about the status,
157 and one also exporting all the data they gathered.
158 The default output mode will be the status-only one. Through a command line
159 parameter (for stand-alone data collectors) or through the HTTP request to the
161 (when collectors are executed as part of it) the verbose output mode providing
162 all the data can be selected.
164 When exporting just the status each status reporting collector will provide,
165 in its ``data`` section, at least the following field:
168 summarizes the status of the component being monitored and consists of two
172 It assumes a numeric value, encoded in such a way to allow using a bitset
173 to easily distinguish which states are currently present in the whole cluster.
174 If the bitwise OR of all the ``status`` fields is 0, the cluster is
176 The status codes are as follows:
179 The collector can determine that everything is working as
183 Something is temporarily wrong but it is being automatically fixed by
185 There is no need of external intervention.
188 The collector can determine that something is wrong and Ganeti has no
189 way to fix it autonomously. External intervention is required.
192 The collector has failed to understand whether the status is good or
193 bad. Further analysis is required. Interpret this status as a
194 potentially dangerous situation.
197 A message to better explain the reason of the status.
198 The exact format of the message string is data collector dependent.
200 The field is mandatory, but the content can be ``null`` if the code is
201 ``0`` (working as intended) or ``1`` (being fixed automatically).
203 If the status code is ``2``, the message should specify what has gone
205 If the status code is ``4``, the message shoud explain why it was not
206 possible to determine a proper status.
208 The ``data`` section will also contain all the fields describing the gathered
209 data, according to a collector-specific format.
214 At the moment each node knows which instances are running on it, which
215 instances it is primary for, but not the cause why an instance might not
216 be running. On the other hand we don't want to distribute full instance
217 "admin" status information to all nodes, because of the performance
218 impact this would have.
220 As such we propose that:
222 - Any operation that can affect instance status will have an optional
223 "reason" attached to it (at opcode level). This can be used for
224 example to distinguish an admin request, from a scheduled maintenance
225 or an automated tool's work. If this reason is not passed, Ganeti will
226 just use the information it has about the source of the request: for
227 example a cli shutdown operation will have "cli:shutdown" as a reason,
228 a cli failover operation will have "cli:failover". Operations coming
229 from the remote API will use "rapi" instead of "cli". Of course
230 setting a real site-specific reason is still preferred.
231 - RPCs that affect the instance status will be changed so that the
232 "reason" and the version of the config object they ran on is passed to
233 them. They will then export the new expected instance status, together
234 with the associated reason and object version to the status report
235 system, which then will export those themselves.
237 Monitoring and auditing systems can then use the reason to understand
238 the cause of an instance status, and they can use the timestamp to
239 understand the freshness of their data even in the absence of an atomic
240 cross-node reporting: for example if they see an instance "up" on a node
241 after seeing it running on a previous one, they can compare these values
242 to understand which data is freshest, and repoll the "older" node. Of
243 course if they keep seeing this status this represents an error (either
244 an instance continuously "flapping" between nodes, or an instance is
245 constantly up on more than one), which should be reported and acted
248 The instance status will be on each node, for the instances it is
249 primary for, and its ``data`` section of the report will contain a list
250 of instances, with at least the following fields for each instance:
253 The name of the instance.
256 The UUID of the instance (stable on name change).
259 The status of the instance (up/down/offline) as requested by the admin.
262 The actual status of the instance. It can be ``up``, ``down``, or
263 ``hung`` if the instance is up but it appears to be completely stuck.
266 The uptime of the instance (if it is up, "null" otherwise).
269 The timestamp of the last known change to the instance state.
272 The last known reason for state change, described according to the
276 Either a user-provided reason (if any), or the name of the command that
277 triggered the state change, as a fallback.
280 The ID of the job that caused the state change.
283 Where the state change was triggered (RAPI, CLI).
286 It represents the status of the instance, and its format is the same as that
287 of the ``status`` field of `Status reporting collectors`_.
289 Each hypervisor should provide its own instance status data collector, possibly
290 with the addition of more, specific, fields.
291 The ``category`` field of all of them will be ``instance``.
292 The ``kind`` field will be ``1``.
294 Note that as soon as a node knows it's not the primary anymore for an
295 instance it will stop reporting status for it: this means the instance
296 will either disappear, if it has been deleted, or appear on another
297 node, if it's been moved.
299 The ``code`` of the ``status`` field of the report of the Instance status data
303 if ``status`` is ``0`` for all the instances it is reporting about.
311 The storage status collectors will be a series of data collectors
312 (drbd, rbd, plain, file) that will gather data about all the storage types
313 for the current node (this is right now hardcoded to the enabled storage
314 types, and in the future tied to the enabled storage pools for the nodegroup).
316 The ``name`` of each of these collector will reflect what storage type each of
319 The ``category`` field of these collector will be ``storage``.
321 The ``kind`` field will be ``1`` (`Status reporting collectors`_).
323 The ``data`` section of the report will provide at least the following fields:
326 The amount of free space (in KBytes).
329 The amount of used space (in KBytes).
332 The total visible space (in KBytes).
334 Each specific storage type might provide more type-specific fields.
336 In case of error, the ``message`` subfield of the ``status`` field of the
337 report of the instance status collector will disclose the nature of the error
338 as a type specific information. Examples of these are "backend pv unavailable"
339 for lvm storage, "unreachable" for network based storage or "filesystem error"
340 for filesystem based implementations.
345 This data collector will run only on nodes where DRBD is actually
346 present and it will gather information about DRBD devices.
348 Its ``kind`` in the report will be ``1`` (`Status reporting collectors`_).
350 Its ``category`` field in the report will contain the value ``storage``.
352 When executed in verbose mode, the ``data`` section of the report of this
353 collector will provide the following fields:
356 Information about the DRBD version number, given by a combination of
357 any (but at least one) of the following fields:
360 The DRBD driver version.
363 The API version number.
366 The protocol version.
369 The version of the source files.
372 Git hash of the source files.
375 Who built the binary, and, optionally, when.
378 A list of structures, each describing a DRBD device (a minor) and containing
379 the following fields:
382 The device minor number.
385 The state of the connection. If it is "Unconfigured", all the following
386 fields are not present.
389 The role of the local resource.
392 The role of the remote resource.
395 The status of the local disk.
398 The status of the remote disk.
400 ``replicationProtocol``
401 The replication protocol being used.
404 The input/output flags.
407 The performance indicators. This field will contain the following
411 KiB of data sent on the network.
414 KiB of data received from the network.
417 KiB of data written on local disk.
420 KiB of date read from the local disk.
423 Number of updates of the activity log.
426 Number of updates to the bitmap area of the metadata.
429 Number of open requests to the local I/O subsystem.
432 Number of requests sent to the partner but not yet answered.
435 Number of requests received by the partner but still to be answered.
437 ``applicationPending``
438 Num of block input/output requests forwarded to DRBD but that have not yet
442 (Optional) Number of epoch objects. Not provided by all DRBD versions.
445 (Optional) Currently used write ordering method. Not provided by all DRBD
449 (Optional) KiB of storage currently out of sync. Not provided by all DRBD
453 (Optional) The status of the synchronization of the disk. This is present
454 only if the disk is being synchronized, and includes the following fields:
457 The percentage of synchronized data.
460 How far the synchronization is. Written as "x/y", where x and y are
461 integer numbers expressed in the measurement unit stated in
465 The measurement unit for the progress indicator.
468 The expected time before finishing the synchronization.
471 The speed of the synchronization.
474 The desiderd speed of the synchronization.
477 The measurement unit of the ``speed`` and ``want`` values. Expressed
481 The name of the Ganeti instance this disk is associated to.
484 Ganeti daemons status
485 +++++++++++++++++++++
487 Ganeti will report what information it has about its own daemons.
488 This should allow identifying possible problems with the Ganeti system itself:
489 for example memory leaks, crashes and high resource utilization should be
490 evident by analyzing this information.
492 The ``kind`` field will be ``1`` (`Status reporting collectors`_).
494 Each daemon will have its own data collector, and each of them will have
495 a ``category`` field valued ``daemon``.
497 When executed in verbose mode, their data section will include at least:
500 The amount of used memory.
503 The measurement unit used for the memory.
506 The uptime of the daemon.
509 How much cpu the daemon is using (percentage).
511 Any other daemon-specific information can be included as well in the ``data``
514 Hypervisor resources report
515 +++++++++++++++++++++++++++
517 Each hypervisor has a view of system resources that sometimes is
518 different than the one the OS sees (for example in Xen the Node OS,
519 running as Dom0, has access to only part of those resources). In this
520 section we'll report all information we can in a "non hypervisor
521 specific" way. Each hypervisor can then add extra specific information
522 that is not generic enough be abstracted.
524 The ``kind`` field will be ``0`` (`Performance reporting collectors`_).
526 Each of the hypervisor data collectory will be of ``category``: ``hypervisor``.
528 Node OS resources report
529 ++++++++++++++++++++++++
531 Since Ganeti assumes it's running on Linux, it's useful to export some
532 basic information as seen by the host system.
534 The ``category`` field of the report will be ``null``.
536 The ``kind`` field will be ``0`` (`Performance reporting collectors`_).
538 The ``data`` section will include:
541 The number of available cpus.
544 A list with one element per cpu, showing its average load.
547 The current view of memory (free, used, cached, etc.)
550 A list with one element per filesystem, showing a summary of the
551 total/available space.
554 A list with one element per network interface, showing the amount of
555 sent/received data, error rate, IP address of the interface, etc.
558 A map using the name of a component Ganeti interacts (Linux, drbd,
559 hypervisor, etc) as the key and its version number as the value.
561 Note that we won't go into any hardware specific details (e.g. querying a
562 node RAID is outside the scope of this, and can be implemented as a
563 plugin) but we can easily just report the information above, since it's
564 standard enough across all systems.
569 The queries to the monitoring agent will be HTTP GET requests on port 1815.
570 The answer will be encoded in JSON format and will depend on the specific
573 If a request is sent to a non-existing resource, a 404 error will be returned by
576 The following paragraphs will present the existing resources supported by the
577 current protocol version, that is version 1.
581 The root resource. It will return the list of the supported protocol version
584 Currently, this will include only version 1.
588 Not an actual resource per-se, it is the root of all the resources of protocol
591 If requested through GET, the null JSON value will be returned.
595 The full report of all the data collectors, as described in the section
596 `Format of the report`_.
598 `Status reporting collectors`_ will provide their output in non-verbose format.
599 The verbose format can be requested by adding the parameter ``verbose=1`` to the
602 ``/[category]/[collector_name]``
603 ++++++++++++++++++++++++++++++++
604 Returns the report of the collector ``[collector_name]`` that belongs to the
605 specified ``[category]``.
607 If a collector does not belong to any category, ``collector`` will be used as
608 the value for ``[category]``.
610 `Status reporting collectors`_ will provide their output in non-verbose format.
611 The verbose format can be requested by adding the parameter ``verbose=1`` to the
614 Instance disk status propagation
615 --------------------------------
617 As for the instance status Ganeti has now only partial information about
618 its instance disks: in particular each node is unaware of the disk to
619 instance mapping, that exists only on the master.
621 For this design doc we plan to fix this by changing all RPCs that create
622 a backend storage or that put an already existing one in use and passing
623 the relevant instance to the node. The node can then export these to the
624 status reporting tool.
626 While we haven't implemented these RPC changes yet, we'll use Confd to
627 fetch this information in the data collectors.
632 The monitoring system will be equipped with a plugin system that can
633 export specific local information through it.
635 The plugin system is expected to be used by local installations to
636 export any installation specific information that they want to be
637 monitored, about either hardware or software on their systems.
639 The plugin system will be in the form of either scripts or binaries whose output
640 will be inserted in the report.
642 Eventually support for other kinds of plugins might be added as well, such as
643 plain text files which will be inserted into the report, or local unix or
644 network sockets from which the information has to be read. This should allow
645 most flexibility for implementing an efficient system, while being able to keep
646 it as simple as possible.
651 In order to ease testing as well as to make it simple to reuse this
652 subsystem it will be possible to run just the "data collectors" on each
653 node without passing through the agent daemon.
655 If a data collector is run independently, it should print on stdout its
656 report, according to the format corresponding to a single data collector
657 report object, as described in the previous paragraphs.
662 In order to be able to report information fast the monitoring agent
663 daemon will keep an in-memory or on-disk cache of the status, which will
664 be returned when queries are made. The status system will then
665 periodically check resources to make sure the status is up to date.
667 Different parts of the report will be queried at different speeds. These
669 - how often they vary (or we expect them to vary)
670 - how fast they are to query
671 - how important their freshness is
673 Of course the last parameter is installation specific, and while we'll
674 try to have defaults, it will be configurable. The first two instead we
675 can use adaptively to query a certain resource faster or slower
676 depending on those two parameters.
678 When run as stand-alone binaries, the data collector will not using any
679 caching system, and just fetch and return the data immediately.
684 The status daemon will be implemented as a standalone Haskell daemon. In
685 the future it should be easy to merge multiple daemons into one with
686 multiple entry points, should we find out it saves resources and doesn't
687 impact functionality.
689 The libekg library should be looked at for easily providing metrics in
696 We will implement the agent system in this order:
698 - initial example data collectors (eg. for drbd and instance status).
699 - initial daemon for exporting data, integrating the existing collectors
701 - RPC updates for instance status reasons and disk to instance mapping
702 - cache layer for the daemon
703 - more data collectors
709 As a future step it can be useful to "centralize" all this reporting
710 data on a single place. This for example can be just the master node, or
711 all the master candidates. We will evaluate doing this after the first
712 node-local version has been developed and tested.
714 Another possible change is replacing the "read-only" RPCs with queries
715 to the agent system, thus having only one way of collecting information
716 from the nodes from a monitoring system and for Ganeti itself.
718 One extra feature we may need is a way to query for only sub-parts of
719 the report (eg. instances status only). This can be done by passing
720 arguments to the HTTP GET, which will be defined when we get to this
723 Finally the :doc:`autorepair system design <design-autorepair>`. system
724 (see its design) can be expanded to use the monitoring agent system as a
725 source of information to decide which repairs it can perform.
727 .. vim: set textwidth=72 :