prometheus / node_exporter

Exporter for machine metrics
https://prometheus.io/
Apache License 2.0

Collect nf_conntrack_count from every namespace on host #2264

Open HappyFX opened 2 years ago

HappyFX commented 2 years ago

When running with network namespaces, the counter in /proc/sys/net/netfilter/nf_conntrack_count shows the correct value only for the default namespace. Basic logic in the Linux kernel: the node_nf_conntrack_entries_limit limit is shared between all namespaces, but with node exporter we can only get nf_conntrack_count from the default namespace and can't see the real sum of all network namespaces' nf_conntrack_count in the kernel.

Host operating system: output of uname -a

Any linux host

node_exporter version: output of node_exporter --version

/opt/node_exporter/node_exporter --version
node_exporter, version 0.17.0 (branch: HEAD, revision: f6f6194a436b9a63d0439abc585c76b19a206b21)
  build user:       root@322511e06ced
  build date:       20181130-15:51:33
  go version:       go1.11.2

node_exporter command line flags

/opt/node_exporter/node_exporter --path.procfs /host/proc --path.sysfs /host/sys 

Are you running node_exporter in Docker?

Yes

What did you do that produced an error?

Use namespaces in linux:

# ip net
qrouter-9d52c01b-4fbd-4d19-8ac5-f6d0ecd2a1df (id: 0)
qrouter-154d0d5b-18be-409b-bb15-f8f67c23ecb7 (id: 1)

What did you expect to see?

# HELP node_nf_conntrack_entries Number of currently allocated flow entries for connection tracking.
# TYPE node_nf_conntrack_entries gauge
node_nf_conntrack_entries{namespace="default"} 90733
node_nf_conntrack_entries{namespace="qrouter-9d52c01b-4fbd-4d19-8ac5-f6d0ecd2a1df"} 203342
node_nf_conntrack_entries{namespace="qrouter-154d0d5b-18be-409b-bb15-f8f67c23ecb7"} 506541

What did you see instead?

# HELP node_nf_conntrack_entries Number of currently allocated flow entries for connection tracking.
# TYPE node_nf_conntrack_entries gauge
node_nf_conntrack_entries 90733

discordianfish commented 2 years ago

Related: #295

This seems to be a real problem. Whether we expose all metrics per namespace or just sum them up, we need to handle this somehow.. @SuperQ wdyt?

yusufgungor commented 11 months ago

+1 for @discordianfish

SuperQ commented 11 months ago

This sounds like a job for cAdvisor, not node_exporter.

discordianfish commented 10 months ago

@SuperQ The issue is, as I understand it, that we report the wrong numbers as soon as namespaces are used. While I don't want to get into the cAdvisor space, we can't just ignore that we're "missing" conntrack entries when monitoring reaching the node_nf_conntrack_entries_limit

SuperQ commented 10 months ago

Yes, I see that. But I'm not sure we'll be able to do anything about this in the node_exporter. Since this is done via network namespaces we would need to nsenter each namespace to get the /proc/sys/net/netfilter/nf_conntrack_count. I'm guessing this will require root, which we don't support.

discordianfish commented 10 months ago

@SuperQ Sure this is the only way? If so, I agree this is excessive..