[AGENTCFG-154] Adding a new "FIPS Agent" flavor to agents currently with the default flavor that have FIPS enabled #34852
Conversation
Uncompressed package size comparisonComparison with ancestor Diff per package
Decision✅ Passed |
Test changes on VMUse this command from test-infra-definitions to manually test this PR changes on a VM: dda inv aws.create-vm --pipeline-id=58131187 --os-family=ubuntuNote: This applies to commit e0212e9 |
Static quality checks ✅Please find below the results from static quality gates Successful checksInfo
|
Regression DetectorRegression Detector ResultsMetrics dashboard Baseline: 5148b02 Optimization Goals: ✅ No significant changes detected
|
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | quality_gate_logs | % cpu utilization | +2.67 | [-0.09, +5.43] | 1 | Logs |
| ➖ | quality_gate_idle_all_features | memory utilization | +0.59 | [+0.53, +0.65] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_idle | memory utilization | +0.48 | [+0.42, +0.54] | 1 | Logs bounds checks dashboard |
| ➖ | file_to_blackhole_1000ms_latency_linear_load | egress throughput | +0.28 | [-0.18, +0.75] | 1 | Logs |
| ➖ | file_to_blackhole_1000ms_latency | egress throughput | +0.10 | [-0.68, +0.87] | 1 | Logs |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | +0.04 | [-0.02, +0.10] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency | egress throughput | +0.01 | [-0.80, +0.82] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency_http2 | egress throughput | +0.00 | [-0.84, +0.85] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | -0.00 | [-0.31, +0.31] | 1 | Logs |
| ➖ | file_to_blackhole_300ms_latency | egress throughput | -0.00 | [-0.63, +0.62] | 1 | Logs |
| ➖ | file_to_blackhole_100ms_latency | egress throughput | -0.01 | [-0.70, +0.69] | 1 | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.01 | [-0.03, +0.01] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency_http1 | egress throughput | -0.03 | [-0.87, +0.82] | 1 | Logs |
| ➖ | file_to_blackhole_500ms_latency | egress throughput | -0.09 | [-0.88, +0.71] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | -0.15 | [-1.02, +0.72] | 1 | Logs |
| ➖ | file_tree | memory utilization | -0.16 | [-0.28, -0.05] | 1 | Logs |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | links |
|---|---|---|---|---|
| ✅ | file_to_blackhole_0ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_0ms_latency_http1 | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_0ms_latency_http1 | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_0ms_latency_http2 | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_0ms_latency_http2 | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_1000ms_latency_linear_load | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_100ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_300ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_300ms_latency | memory_usage | 10/10 | |
| ✅ | file_to_blackhole_500ms_latency | lost_bytes | 10/10 | |
| ✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | |
| ✅ | quality_gate_idle | intake_connections | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_idle | memory_usage | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | intake_connections | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | bounds checks dashboard |
| ✅ | quality_gate_logs | intake_connections | 10/10 | |
| ✅ | quality_gate_logs | lost_bytes | 10/10 | |
| ✅ | quality_gate_logs | memory_usage | 10/10 |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
comp/core/workloadmeta/collectors/internal/remote/processcollector/process_collector.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Why not just add one entry in the payload fips_compliant: true/false ?
It's probably more annoying but seems cleaner to me...
Also I think to be coherent you would need FIPSProcessAgent, FIPSTraceAgent, etc in this case 😄
There was a problem hiding this comment.
I had the same thought as you. Refer to the slack thread where we came up with the consensus solution. Basically, product only wants the core agents to be separated by FIPS-enabled and not FIPS-enabled. As such, adding more flavors would be extraneous to this. As for a new entry, again we want a way to see the number of fips-enabled core agents, and not fips-enabled non-core agents, so that isn't the desired solution.
There was a problem hiding this comment.
I don't have access to the thread 😄
we want a way to see the number of fips-enabled core agents, and not fips-enabled non-core agents, so that isn't the desired solution
Only the core agent sends host payloads so I don't see the issue
There was a problem hiding this comment.
If you go to the #agent-fedramp-high channel, and look at the comment on March 4th, that should be the thread. Also, I might be confusing terminology, when I say "core agent", I mean to say "any agent currently being assigned a flavor of 'Default Agent'". Afaik, the relevant dashboard is populated by agent_stats_job, which aggregates host_metadata, which in turn is provided by the host metadata payload, which expects a (not necessarily default) agent. Now that I write this out, I'm realizing that saying "core agent" is definitely bad terminology, so I'll change the PR title/description 😅.
What does this PR do?
We want to be able to monitor the number of agents currently with the default flavor that have FIPS enabled in this dashboard
So we want to check at agent initialization (similar to how it is done here in the security agent) whether an agent is fips-enabled, and assign it the new flavor. However, besides this, we want agents with a fips flavor and ones with a default flavor to be treated the same.
Motivation
Describe how you validated your changes
When I run a FIPS agent now, I can see the metadata being reported in the status command:
and in inventory SQL:
Possible Drawbacks / Trade-offs
Additional Notes