Skip to content
This repository has been archived by the owner on Jun 17, 2023. It is now read-only.

Why are UIDs included as a label? #9

Open
pokab opened this issue Dec 22, 2022 · 2 comments
Open

Why are UIDs included as a label? #9

pokab opened this issue Dec 22, 2022 · 2 comments

Comments

@pokab
Copy link

pokab commented Dec 22, 2022

If I understand it correctly, UIDs in libreswan are generated dynamically and are always changing.

If this is true, including UIDs in metrics, like this:

ipsec_child_sa_state{ike_sa_local_host="xxxx",ike_sa_local_id="",ike_sa_name="xxxx",ike_sa_remote_host="xxxx",ike_sa_remote_id="",ike_sa_remote_identity="",ike_sa_uid="2970",ike_sa_version="1",ike_sa_vips="",local_ts="xxxx",mode="TUNNEL",name="xxxx",protocol="ESP",remote_ts="xxxx",reqid="",uid="2961"} 17

ipsec_child_sa_bytes_out{ike_sa_local_host="xxxx",ike_sa_local_id="",ike_sa_name="xxxx",ike_sa_remote_host="xxxx",ike_sa_remote_id="",ike_sa_remote_identity="",ike_sa_uid="2970",ike_sa_version="1",ike_sa_vips="",local_ts="xxxx",mode="TUNNEL",name="xxxx",protocol="ESP",remote_ts="xxxx",reqid="",uid="2961"} 4096

ipsec_ike_sa_state{local_host="xxxx",local_id="",name="xxxx",remote_host="xxxx",remote_id="",remote_identity="",uid="2953",version="1",vips=""} 7

is a bad practice since it will cause an unbounded number of unique prometheus time series, as described in https://prometheus.io/docs/practices/naming/ :

Remember that every unique combination of key-value label pairs represents a new time series, which can dramatically increase the amount of data stored. Do not use labels to store dimensions with high cardinality (many different label values), such as user IDs, email addresses, or other unbounded sets of values.

Because of this, there should be no label where the value of the label does not come from the configuration file, or is not a fixed value.

So the labels I don't really understand are:

  • uid
  • ike_sa_uid
  • ike_sa_local_id
  • ike_sa_remote_id
  • ike_sa_remote_identity
  • reqid
pokab added a commit to idatahu/ipsec_exporter that referenced this issue Jan 4, 2023
@pokab
Remove uid labels, which have high cardinality, fixes sergeymakinen#9
e3480a1
pokab added a commit to idatahu/ipsec_exporter that referenced this issue Jan 10, 2023
@pokab
Revert "Remove uid labels, which have high cardinality, fixes sergeym…
2bd84c4 
…akinen#9"

Revert "fix tests for previous e3480a1"
Revert "fix again"

... because of a new method to try to eliminate high cardinality uids

This reverts commits:
 e3480a1
 5bfc7d3
 1f32235
@sergeymakinen
Copy link
Owner

Hey @pokab, yeah, it looked like a simple idea to get a traffic usage across sessions at that time but it was definitely not a great idea.
On the one hand, it will be nice to sort it out in v2 while keeping an ability to monitor a traffic but on the other hand, I've completely switched to WireGuard and thinking on archiving this because I have too many other things to focus on (and hopefully - to share). At least I hope this repository should be useful to others with a working codebase with unit and integration tests...

@pokab
Copy link
Author

pokab commented Feb 20, 2023

I've got a working solution pushed in my repository, but not yet in the master branch. Will clean it up later.
No problem if you don't want a pull request or maintain this application.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sergeymakinen @pokab