feat: Collect agent SSH metrics

mtojek · mtojek · commit 092e1d0b7819 · 2023-05-17T14:58:35.000+02:00
diff --git a/agent/agentssh/agentssh.go b/agent/agentssh/agentssh.go
@@ -106,7 +106,8 @@ func NewServer(ctx context.Context, logger slog.Logger, fs afero.Fs, maxTimeout
 			"session":                        ssh.DefaultSessionHandler,
 		},
 		ConnectionFailedCallback: func(_ net.Conn, err error) {
-			s.logger.Info(ctx, "ssh connection ended", slog.Error(err))
+			s.logger.Warn(ctx, "ssh connection failed", slog.Error(err))
+			metricConnectionFailedCallback.Add(1)
 		},
 		Handler:     s.sessionHandler,
 		HostSigners: []ssh.Signer{randomSigner},
@@ -115,16 +116,19 @@ func NewServer(ctx context.Context, logger slog.Logger, fs afero.Fs, maxTimeout
 			s.logger.Debug(ctx, "local port forward",
 				slog.F("destination-host", destinationHost),
 				slog.F("destination-port", destinationPort))
+			metricLocalPortForwardingCallback.Add(1)
 			return true
 		},
 		PtyCallback: func(ctx ssh.Context, pty ssh.Pty) bool {
+			metricPtyCallback.Add(1)
 			return true
 		},
 		ReversePortForwardingCallback: func(ctx ssh.Context, bindHost string, bindPort uint32) bool {
 			// Allow reverse port forwarding all!
 			s.logger.Debug(ctx, "local port forward",
 				slog.F("bind-host", bindHost),
 				slog.F("bind-port", bindPort))
+			metricReversePortForwardingCallback.Add(1)
 			return true
 		},
 		RequestHandlers: map[string]ssh.RequestHandler{
@@ -205,6 +209,7 @@ func (s *Server) sessionHandler(session ssh.Session) {
 		s.logger.Warn(ctx, "ssh session failed", slog.Error(err))
 		// This exit code is designed to be unlikely to be confused for a legit exit code
 		// from the process.
+		metricsSessionError.Add(1)
 		_ = session.Exit(MagicSessionErrorCode)
 		return
 	}
@@ -238,12 +243,14 @@ func (s *Server) sessionStart(session ssh.Session, extraEnv []string) (retErr er
 
 	cmd, err := s.CreateCommand(ctx, session.RawCommand(), env)
 	if err != nil {
+		metricsAgentCreateCommandError.Add(1)
 		return err
 	}
 
 	if ssh.AgentRequested(session) {
 		l, err := ssh.NewAgentListener()
 		if err != nil {
+			metricsAgentListenerError.Add(1)
 			return xerrors.Errorf("new agent listener: %w", err)
 		}
 		defer l.Close()
@@ -259,20 +266,27 @@ func (s *Server) sessionStart(session ssh.Session, extraEnv []string) (retErr er
 }
 
 func startNonPTYSession(session ssh.Session, cmd *exec.Cmd) error {
+	metricsStartNonPTYSession.Add(1)
+
 	cmd.Stdout = session
 	cmd.Stderr = session.Stderr()
 	// This blocks forever until stdin is received if we don't
 	// use StdinPipe. It's unknown what causes this.
 	stdinPipe, err := cmd.StdinPipe()
 	if err != nil {
+		metricsNonPTYStdinPipeError.Add(1)
 		return xerrors.Errorf("create stdin pipe: %w", err)
 	}
 	go func() {
-		_, _ = io.Copy(stdinPipe, session)
+		_, err := io.Copy(stdinPipe, session)
+		if err != nil {
+			metricsNonPTYStdinIoCopyError.Add(1)
+		}
 		_ = stdinPipe.Close()
 	}()
 	err = cmd.Start()
 	if err != nil {
+		metricsNonPTYCmdStartError.Add(1)
 		return xerrors.Errorf("start: %w", err)
 	}
 	return cmd.Wait()
@@ -288,6 +302,8 @@ type ptySession interface {
 }
 
 func (s *Server) startPTYSession(session ptySession, cmd *pty.Cmd, sshPty ssh.Pty, windowSize <-chan ssh.Window) (retErr error) {
+	metricsStartPTYSession.Add(1)
+
 	ctx := session.Context()
 	// Disable minimal PTY emulation set by gliderlabs/ssh (NL-to-CRNL).
 	// See https://github.com/coder/coder/issues/3371.
@@ -299,6 +315,7 @@ func (s *Server) startPTYSession(session ptySession, cmd *pty.Cmd, sshPty ssh.Pt
 			err := showMOTD(session, manifest.MOTDFile)
 			if err != nil {
 				s.logger.Error(ctx, "show MOTD", slog.Error(err))
+				metricsPTYMotdError.Add(1)
 			}
 		} else {
 			s.logger.Warn(ctx, "metadata lookup failed, unable to show MOTD")
@@ -313,12 +330,14 @@ func (s *Server) startPTYSession(session ptySession, cmd *pty.Cmd, sshPty ssh.Pt
 		pty.WithLogger(slog.Stdlib(ctx, s.logger, slog.LevelInfo)),
 	))
 	if err != nil {
+		metricsPTYCmdStartError.Add(1)
 		return xerrors.Errorf("start command: %w", err)
 	}
 	defer func() {
 		closeErr := ptty.Close()
 		if closeErr != nil {
 			s.logger.Warn(ctx, "failed to close tty", slog.Error(closeErr))
+			metricsPTYCloseError.Add(1)
 			if retErr == nil {
 				retErr = closeErr
 			}
@@ -330,12 +349,16 @@ func (s *Server) startPTYSession(session ptySession, cmd *pty.Cmd, sshPty ssh.Pt
 			// If the pty is closed, then command has exited, no need to log.
 			if resizeErr != nil && !errors.Is(resizeErr, pty.ErrClosed) {
 				s.logger.Warn(ctx, "failed to resize tty", slog.Error(resizeErr))
+				metricsPTYResizeError.Add(1)
 			}
 		}
 	}()
 
 	go func() {
-		_, _ = io.Copy(ptty.InputWriter(), session)
+		_, err := io.Copy(ptty.InputWriter(), session)
+		if err != nil {
+			metricsPTYInputIoCopyError.Add(1)
+		}
 	}()
 
 	// We need to wait for the command output to finish copying.  It's safe to
@@ -349,6 +372,7 @@ func (s *Server) startPTYSession(session ptySession, cmd *pty.Cmd, sshPty ssh.Pt
 	n, err := io.Copy(session, ptty.OutputReader())
 	s.logger.Debug(ctx, "copy output done", slog.F("bytes", n), slog.Error(err))
 	if err != nil {
+		metricsPTYOutputIoCopyError.Add(1)
 		return xerrors.Errorf("copy error: %w", err)
 	}
 	// We've gotten all the output, but we need to wait for the process to
@@ -360,6 +384,7 @@ func (s *Server) startPTYSession(session ptySession, cmd *pty.Cmd, sshPty ssh.Pt
 	// and not something to be concerned about.  But, if it's something else, we should log it.
 	if err != nil && !xerrors.As(err, &exitErr) {
 		s.logger.Warn(ctx, "wait error", slog.Error(err))
+		metricsPTYWaitError.Add(1)
 	}
 	if err != nil {
 		return xerrors.Errorf("process wait: %w", err)
@@ -368,6 +393,8 @@ func (s *Server) startPTYSession(session ptySession, cmd *pty.Cmd, sshPty ssh.Pt
 }
 
 func (s *Server) sftpHandler(session ssh.Session) {
+	metricSftpHandler.Add(1)
+
 	ctx := session.Context()
 
 	// Typically sftp sessions don't request a TTY, but if they do,
@@ -407,6 +434,7 @@ func (s *Server) sftpHandler(session ssh.Session) {
 		return
 	}
 	s.logger.Warn(ctx, "sftp server closed with error", slog.Error(err))
+	metricSftpServerError.Add(1)
 	_ = session.Exit(1)
 }
 
diff --git a/agent/agentssh/metrics.go b/agent/agentssh/metrics.go
@@ -0,0 +1,41 @@
+package agentssh
+
+import "tailscale.com/util/clientmetric"
+
+var (
+	// SSH callbacks
+	metricConnectionFailedCallback      = clientmetric.NewCounter("ssh_connection_failed_callback")
+	metricLocalPortForwardingCallback   = clientmetric.NewCounter("ssh_local_port_forwarding_callback")
+	metricPtyCallback                   = clientmetric.NewCounter("ssh_pty_callback")
+	metricReversePortForwardingCallback = clientmetric.NewCounter("ssh_reverse_port_forwarding_callback")
+	metricX11Callback                   = clientmetric.NewCounter("ssh_x11_callback")
+
+	// Agent sessions
+	metricsAgentCreateCommandError = clientmetric.NewCounter("ssh_agent_create_command_error")
+	metricsAgentListenerError      = clientmetric.NewCounter("ssh_agent_listener_error")
+	metricsStartPTYSession         = clientmetric.NewCounter("ssh_agent_start_pty_session")
+	metricsStartNonPTYSession      = clientmetric.NewCounter("ssh_agent_start_non_pty_session")
+	metricsSessionError            = clientmetric.NewCounter("ssh_session_error")
+
+	// Non-PTY sessions
+	metricsNonPTYStdinPipeError   = clientmetric.NewCounter("ssh_non_pty_stdin_pipe_error")
+	metricsNonPTYStdinIoCopyError = clientmetric.NewCounter("ssh_non_pty_stdin_io_copy_error")
+	metricsNonPTYCmdStartError    = clientmetric.NewCounter("ssh_non_pty_cmd_start_error")
+
+	// PTY sessions
+	metricsPTYMotdError         = clientmetric.NewCounter("ssh_pty_motd_error")
+	metricsPTYCmdStartError     = clientmetric.NewCounter("ssh_pty_cmd_start_error")
+	metricsPTYCloseError        = clientmetric.NewCounter("ssh_pty_close_error")
+	metricsPTYResizeError       = clientmetric.NewCounter("ssh_pty_resize_error")
+	metricsPTYInputIoCopyError  = clientmetric.NewCounter("ssh_pty_input_io_copy_error")
+	metricsPTYOutputIoCopyError = clientmetric.NewCounter("ssh_pty_output_io_copy_error")
+	metricsPTYWaitError         = clientmetric.NewCounter("ssh_pty_wait_error")
+
+	// SFTP
+	metricSftpHandler     = clientmetric.NewCounter("ssh_sftp_handler")
+	metricSftpServerError = clientmetric.NewCounter("ssh_sftp_server_error")
+
+	// X11
+	metricX11SocketDirError  = clientmetric.NewCounter("ssh_x11_socket_dir_error")
+	metricX11XauthorityError = clientmetric.NewCounter("ssh_x11_xauthority_error")
+)
diff --git a/agent/agentssh/x11.go b/agent/agentssh/x11.go
@@ -24,6 +24,8 @@ import (
 // x11Callback is called when the client requests X11 forwarding.
 // It adds an Xauthority entry to the Xauthority file.
 func (s *Server) x11Callback(ctx ssh.Context, x11 ssh.X11) bool {
+	metricX11Callback.Add(1)
+
 	hostname, err := os.Hostname()
 	if err != nil {
 		s.logger.Warn(ctx, "failed to get hostname", slog.Error(err))
@@ -33,12 +35,14 @@ func (s *Server) x11Callback(ctx ssh.Context, x11 ssh.X11) bool {
 	err = s.fs.MkdirAll(s.x11SocketDir, 0o700)
 	if err != nil {
 		s.logger.Warn(ctx, "failed to make the x11 socket dir", slog.F("dir", s.x11SocketDir), slog.Error(err))
+		metricX11SocketDirError.Add(1)
 		return false
 	}
 
 	err = addXauthEntry(ctx, s.fs, hostname, strconv.Itoa(int(x11.ScreenNumber)), x11.AuthProtocol, x11.AuthCookie)
 	if err != nil {
 		s.logger.Warn(ctx, "failed to add Xauthority entry", slog.Error(err))
+		metricX11XauthorityError.Add(1)
 		return false
 	}
 	return true
