DPDK patches and discussions
 help / color / mirror / Atom feed
From: Stephen Hemminger <stephen@networkplumber.org>
To: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
Cc: dev@dpdk.org
Subject: Re: [RFC] Dynamic log/trace control via telemetry
Date: Wed, 17 Aug 2022 08:34:15 -0700	[thread overview]
Message-ID: <20220817083415.4fce7758@hermes.local> (raw)
In-Reply-To: <20220817181503.323b6230@sovereign>

On Wed, 17 Aug 2022 18:15:03 +0300
Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:

> 2022-08-16 19:08 (UTC-0700), Stephen Hemminger:
> > Not sure if turning telemetry into a do all control api makes sense.  
> 
> I'm sure it doesn't, for "do all".
> Controlling diagnostic collection and output, however,
> is directly related to the telemetry purpose.
> 
> > This seems like a different API.
> > Also, the default would have to be disabled for application safety reasons.  
> 
> This feature would be for collecting additional info
> in case the collection was not planned and a restart is not desired.
> If it is disabled by default, it is likely to be off when it's needed.
> 
> Let's consider how exactly can safety be compromised.
> 
> 1. Securing telemetry socket access is out of scope for DPDK,
>    that is, any successful access is considered trusted.
> 
> 2. Even read-only telemetry still comes at cost, for example,
>    memory telemetry takes a global lock that blocks all allocations,
>    so affecting the app performance is already possible.
> 
> 3. Important logs and traces enabled at startup may be disabled dynamically.
>    If it's an issue, the API can refuse to disable them.
> 
> 4. Bogus logs may flood the output and slow down the app.
>    Bogus traces can exhaust disk space.
>    Logs should be monitored automatically, so flooding is just an annoyance.
>    Disk space can have a quota.
>    Since the user is trusted (item 1), even if they do it by mistake,
>    they can quickly correct themselves using the same API.

There can be security impact to telemetry.
There always is some performance cost to telemetry.

My interest is that we run a performance sensitive application and it gets
lots of security review. If a new version of DPDK magically enabled something
that had impact, you would cause extra effort and confusion.

Developers often have the wrong point of view "my feature is great, everyone wants it"
and also "why should I test with this disabled".  New features should be opt-in not
opt-out.


  reply	other threads:[~2022-08-17 15:34 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-15 23:17 Dmitry Kozlyuk
2022-08-17  1:25 ` fengchengwen
2022-08-17  2:08 ` Stephen Hemminger
2022-08-17 15:15   ` Dmitry Kozlyuk
2022-08-17 15:34     ` Stephen Hemminger [this message]
2022-08-17 15:34     ` Morten Brørup
2022-08-20 15:19       ` Dmitry Kozlyuk
2022-08-22  6:47         ` Morten Brørup

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220817083415.4fce7758@hermes.local \
    --to=stephen@networkplumber.org \
    --cc=dev@dpdk.org \
    --cc=dmitry.kozliuk@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).