feat: Implement aggregator for agent metrics #7259

Merged: 46 commits, Apr 27, 2023

Commits:
6516216
API contract
mtojek Apr 24, 2023
dc202c4
Send agent metrics
mtojek Apr 24, 2023
7747f2d
Ignore metrics to save bandwidth
mtojek Apr 24, 2023
9fd4ddb
fix lint
mtojek Apr 24, 2023
9af0246
logEntry
mtojek Apr 24, 2023
4207dff
make gen
mtojek Apr 24, 2023
99fe1bf
Use errGroup
mtojek Apr 24, 2023
df80e9b
Use MustNewConstMetric
mtojek Apr 25, 2023
d86496e
PoC works
mtojek Apr 25, 2023
10e6d8d
Metrics aggregator with channels
mtojek Apr 25, 2023
8df9eea
Metrics expiry
mtojek Apr 25, 2023
1f5273b
histograms
mtojek Apr 25, 2023
1b8c486
unit test
mtojek Apr 26, 2023
423420b
fmt
mtojek Apr 26, 2023
23bbe94
test: metrics can expire
mtojek Apr 26, 2023
b7011ae
Aggregator
mtojek Apr 26, 2023
29a8702
Address PR comments
mtojek Apr 26, 2023
7acd113
wrap errors
mtojek Apr 26, 2023
b15c7b7
fix
mtojek Apr 26, 2023
2ae7e4e
Update coderd/prometheusmetrics/aggregator.go
mtojek Apr 27, 2023
b04d232
refactor: PTY & SSH (#7100)
spikecurtis Apr 24, 2023
1d93f66
feat(community-templates): Added vscode-server-template (#7219)
nanospearing Apr 24, 2023
c604633
chore: Proxy health status checks + endpoint (#7233)
Emyrk Apr 24, 2023
7d84745
Revert "feat(UI): add workspace restart button (#7137)" (#7268)
Kira-Pilot Apr 24, 2023
407c332
refactor(site): Group app and agent actions together (#7267)
BrunoQuaresma Apr 24, 2023
49b81df
fix(coderd): ensure that user API keys are deleted when a user is (#7…
johnstcn Apr 24, 2023
44217de
chore(dogfood): remove unnecessary docker host replace (#7269)
coadler Apr 25, 2023
e659c36
Fix macOS pty race with dropped output (#7278)
spikecurtis Apr 25, 2023
6dc8b1f
feat: add regions endpoint for proxies feature (#7277)
deansheather Apr 25, 2023
d2233be
fix(healthcheck): don't allow panics to exit coderd (#7276)
coadler Apr 25, 2023
f3f5bed
chore: add security advisories to docs (#7282)
johnstcn Apr 25, 2023
50f60cb
fix(site): Do not show template params if there is no param to be dis…
BrunoQuaresma Apr 25, 2023
1bf1b06
fix(site): Fix default value for options (#7265)
BrunoQuaresma Apr 25, 2023
5f6b4dc
chore: fix flake in apptest reconnecting-pty test (#7281)
deansheather Apr 26, 2023
9141f7c
Reconnecting PTY waits for command output or EOF (#7279)
spikecurtis Apr 26, 2023
e0879b5
docs(site): Mention template editor in template edit docs (#7261)
BrunoQuaresma Apr 26, 2023
b6322d1
fix(site): Fix secondary buttons with popovers (#7296)
BrunoQuaresma Apr 26, 2023
1e3eb06
chore: change some wording in the dashboard (#7293)
bpmct Apr 26, 2023
366859b
feat(agent): add http debug routes for magicsock (#7287)
coadler Apr 26, 2023
ed8106d
feat: add license expiration warning (#7264)
rodrimaia Apr 26, 2023
5733abc
feat: add license settings UI (#7210)
rodrimaia Apr 26, 2023
4937e75
chore: add envbox documentation (#7198)
sreya Apr 26, 2023
619e470
docs: Fix relay link in HA doc (#7159)
winter0mute Apr 27, 2023
16b5353
Merge branch 'main' into 6724-api-collect-metrics
mtojek Apr 27, 2023
c1bd4d2
Refactor Collect channel
mtojek Apr 27, 2023
8baed98
fix
mtojek Apr 27, 2023
chore: add envbox documentation (#7198)
sreya authored and mtojek committed Apr 27, 2023
commit 4937e750724cac4f12ab41ed679512d75120b137
68 changes: 63 additions & 5 deletions docs/templates/docker-in-workspaces.md
@@ -2,11 +2,12 @@

There are a few ways to run Docker within container-based Coder workspaces.

| Method | Description | Limitations |
| ---------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Sysbox container runtime](#sysbox-container-runtime) | Install the sysbox runtime on your Kubernetes nodes for secure docker-in-docker and systemd-in-docker. Works with GKE, EKS, AKS. | Requires [compatible nodes](https://github.com/nestybox/sysbox#host-requirements). Max of 16 sysbox pods per node. [See all](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/limitations.md) |
| [Rootless Podman](#rootless-podman) | Run podman inside Coder workspaces. Does not require a custom runtime or privileged containers. Works with GKE, EKS, AKS, RKE, OpenShift | Requires smarter-device-manager for FUSE mounts. [See all](https://github.com/containers/podman/blob/main/rootless.md#shortcomings-of-rootless-podman) |
| [Privileged docker sidecar](#privileged-sidecar-container) | Run docker as a privileged sidecar container. | Requires a privileged container. Workspaces can break out to root on the host machine. |
| Method | Description | Limitations |
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Sysbox container runtime](#sysbox-container-runtime) | Install the sysbox runtime on your Kubernetes nodes for secure docker-in-docker and systemd-in-docker. Works with GKE, EKS, AKS. | Requires [compatible nodes](https://github.com/nestybox/sysbox#host-requirements). Max of 16 sysbox pods per node. [See all](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/limitations.md) |
| [Envbox](#envbox) | A container image with all the packages necessary to run an inner sysbox container. Removes the need to setup sysbox-runc on your nodes. Works with GKE, EKS, AKS. | Requires running the outer container as privileged (the inner container that acts as the workspace is locked down). Requires compatible [nodes](https://github.com/nestybox/sysbox/blob/master/docs/distro-compat.md#sysbox-distro-compatibility). |
| [Rootless Podman](#rootless-podman) | Run podman inside Coder workspaces. Does not require a custom runtime or privileged containers. Works with GKE, EKS, AKS, RKE, OpenShift | Requires smarter-device-manager for FUSE mounts. [See all](https://github.com/containers/podman/blob/main/rootless.md#shortcomings-of-rootless-podman) |
| [Privileged docker sidecar](#privileged-sidecar-container) | Run docker as a privileged sidecar container. | Requires a privileged container. Workspaces can break out to root on the host machine. |

## Sysbox container runtime

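Review bot: the new Envbox row's Limitations cell describes the privileged requirement on different terms from the sidecar row two lines below it. The sidecar row states the consequence ("Requires a privileged container. Workspaces can break out to root on the host machine."), while the Envbox row says only "Requires running the outer container as privileged (the inner container that acts as the workspace is locked down)". Suggest spelling out the trust boundary in the same way: the privileged outer container is trusted with the node, and the workspace's isolation from it depends on the sysbox runtime inside, so readers can compare the four rows on equal footing. Minor: "Removes the need to setup sysbox-runc" in the Description cell should read "set up".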
@@ -110,6 +111,63 @@ resource "kubernetes_pod" "dev" {

> Sysbox CE (Community Edition) supports a maximum of 16 pods (workspaces) per node on Kubernetes. See the [Sysbox documentation](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/install-k8s.md#limitations) for more details.

## Envbox

[Envbox](https://github.com/coder/envbox) is an image developed and maintained by Coder that bundles the sysbox runtime. It works
by starting an outer container that manages the various sysbox daemons and spawns an unprivileged
inner container that acts as the user's workspace. The inner container is able to run system-level
software similar to a regular virtual machine (e.g. `systemd`, `dockerd`, etc). Envbox offers the
following benefits over running sysbox directly on the nodes:

- No custom runtime installation or management on your Kubernetes nodes.
- No limit to the number of pods that run envbox.

Some drawbacks include:

- The outer container must be run as privileged
- Note: the inner container is _not_ privileged. For more information on the security of sysbox
containers see sysbox's [official documentation](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/security.md).
- Initial workspace startup is slower than running `sysbox-runc` directly on the nodes. This is due
to `envbox` having to pull the image to its own Docker cache on its initial startup. Once the image
is cached in `envbox`, startup performance is similar.

Envbox requires the same kernel requirements as running sysbox directly on the nodes. Refer
to sysbox's [compatibility matrix](https://github.com/nestybox/sysbox/blob/master/docs/distro-compat.md#sysbox-distro-compatibility) to ensure your nodes are compliant.

To get started with `envbox` check out the [starter template](../../examples/templates/envbox) or visit the [repo](https://github.com/coder/envbox).

### Authenticating with a Private Registry

Authenticating with a private container registry can be done by referencing the credentials
via the `CODER_IMAGE_PULL_SECRET` environment variable. It is encouraged to populate this
[environment variable](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data) by using a Kubernetes [secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials).

Refer to your container registry documentation to understand how to best create this secret.

The following shows a minimal example using a the JSON API key from a GCP service account to pull
a private image:

```bash
# Create the secret
$ kubectl create secret docker-registry <name> \
--docker-server=us.gcr.io \
--docker-username=_json_key \
--docker-password="$(cat ./json-key-file.yaml)" \
--docker-email=<service-account-email>
```

```hcl
env {
name = "CODER_IMAGE_PULL_SECRET"
value_from {
secret_key_ref {
name = "<name>"
key = ".dockerconfigjson"
}
}
}
```

## Rootless podman

[Podman](https://docs.podman.io/en/latest/) is Docker alternative that is compatible with OCI containers specification. which can run rootless inside Kubernetes pods. No custom RuntimeClass is required.
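Review bot: in the new "Authenticating with a Private Registry" section the bash example reads the credential with `--docker-password="$(cat ./json-key-file.yaml)"`, but the sentence introducing it calls this "the JSON API key from a GCP service account"; the file name should match the format (a GCP service-account key file is JSON), otherwise readers will copy a mismatched path. That introducing sentence also has a typo: "using a the JSON API key". Separately, passing the whole key on the command line leaves it in shell history and visible to other processes on the admin's machine while `kubectl` runs; since the section already links to the Kubernetes "registry secret from existing credentials" page, it would be worth showing that alternative alongside, i.e. `kubectl create secret generic <name> --from-file=.dockerconfigjson=<path-to-docker-config> --type=kubernetes.io/dockerconfigjson`, which produces the same secret type whose `.dockerconfigjson` key the `secret_key_ref` block below consumes.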
32 changes: 32 additions & 0 deletions examples/templates/envbox/README.md
@@ -0,0 +1,32 @@
# envbox

## Introduction

`envbox` is an image that enables creating non-privileged containers capable of running system-level software (e.g. `dockerd`, `systemd`, etc) in Kubernetes.

It mainly acts as a wrapper for the excellent [sysbox runtime](https://github.com/nestybox/sysbox/) developed by [Nestybox](https://www.nestybox.com/). For more details on the security of `sysbox` containers see sysbox's [official documentation](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/security.md).

## Envbox Configuration

The following environment variables can be used to configure various aspects of the inner and outer container.

| env | usage | required |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
| `CODER_INNER_IMAGE` | The image to use for the inner container. | True |
| `CODER_INNER_USERNAME` | The username to use for the inner container. | True |
| `CODER_AGENT_TOKEN` | The [Coder Agent](https://coder.com/docs/v2/latest/about/architecture#agents) token to pass to the inner container. | True |
| `CODER_INNER_ENVS` | The environment variables to pass to the inner container. A wildcard can be used to match a prefix. Ex: `CODER_INNER_ENVS=KUBERNETES_*,MY_ENV,MY_OTHER_ENV` | false |
| `CODER_INNER_HOSTNAME` | The hostname to use for the inner container. | false |
| `CODER_IMAGE_PULL_SECRET` | The docker credentials to use when pulling the inner container. The recommended way to do this is to create an [Image Pull Secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials) and then reference the secret using an [environment variable](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data). | false |
| `CODER_DOCKER_BRIDGE_CIDR` | The bridge CIDR to start the Docker daemon with. | false |
| `CODER_MOUNTS` | A list of mounts to mount into the inner container. Mounts default to `rw`. Ex: `CODER_MOUNTS=/home/coder:/home/coder,/var/run/mysecret:/var/run/mysecret:ro` | false |
| `CODER_USR_LIB_DIR` | The mountpoint of the host `/usr/lib` directory. Only required when using GPUs. | false |
| `CODER_ADD_TUN` | If `CODER_ADD_TUN=true` add a TUN device to the inner container. | false |
| `CODER_ADD_FUSE` | If `CODER_ADD_FUSE=true` add a FUSE device to the inner container. | false |
| `CODER_ADD_GPU` | If `CODER_ADD_GPU=true` add detected GPUs and related files to the inner container. Requires setting `CODER_USR_LIB_DIR` and mounting in the hosts `/usr/lib/` directory. | false |
| `CODER_CPUS` | Dictates the number of CPUs to allocate the inner container. It is recommended to set this using the Kubernetes [Downward API](https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-container-fields-as-values-for-environment-variables). | false |
| `CODER_MEMORY` | Dictates the max memory (in bytes) to allocate the inner container. It is recommended to set this using the Kubernetes [Downward API](https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-container-fields-as-values-for-environment-variables). | false |

## Contributions

Contributions are welcome and can be made against the [envbox repo](https://github.com/coder/envbox).
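Review bot: the `CODER_INNER_ENVS` row documents prefix wildcards (`CODER_INNER_ENVS=KUBERNETES_*,MY_ENV,MY_OTHER_ENV`) without saying what a broad pattern carries into the workspace. Every outer-container variable matching the pattern is forwarded, and the outer container is configured through variables in this same table that the user-controlled inner container has no need for, `CODER_IMAGE_PULL_SECRET` (registry credentials) being the obvious one. Suggest adding a sentence recommending explicit variable names over wide prefixes and stating whether the `CODER_*` configuration variables are excluded from forwarding. Minor wording: "mounting in the hosts `/usr/lib/` directory" in the `CODER_ADD_GPU` row should read "host's"; and "to allocate the inner container" in the `CODER_CPUS` and `CODER_MEMORY` rows reads better as "to allocate to the inner container".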