ipsec_exporter icon indicating copy to clipboard operation
ipsec_exporter copied to clipboard
verified publisher icon sergeymakinen

Why are UIDs included as a label?

Open pokab opened this issue 3 years ago • 2 comments

If I understand it correctly, UIDs in libreswan are generated dynamically and are always changing.

If this is true, including UIDs in metrics, like this:

ipsec_child_sa_state{ike_sa_local_host="xxxx",ike_sa_local_id="",ike_sa_name="xxxx",ike_sa_remote_host="xxxx",ike_sa_remote_id="",ike_sa_remote_identity="",ike_sa_uid="2970",ike_sa_version="1",ike_sa_vips="",local_ts="xxxx",mode="TUNNEL",name="xxxx",protocol="ESP",remote_ts="xxxx",reqid="",uid="2961"} 17

ipsec_child_sa_bytes_out{ike_sa_local_host="xxxx",ike_sa_local_id="",ike_sa_name="xxxx",ike_sa_remote_host="xxxx",ike_sa_remote_id="",ike_sa_remote_identity="",ike_sa_uid="2970",ike_sa_version="1",ike_sa_vips="",local_ts="xxxx",mode="TUNNEL",name="xxxx",protocol="ESP",remote_ts="xxxx",reqid="",uid="2961"} 4096

ipsec_ike_sa_state{local_host="xxxx",local_id="",name="xxxx",remote_host="xxxx",remote_id="",remote_identity="",uid="2953",version="1",vips=""} 7

is a bad practice since it will cause an unbounded number of unique prometheus time series, as described in https://prometheus.io/docs/practices/naming/ :

Remember that every unique combination of key-value label pairs represents a new time series, which can dramatically increase the amount of data stored. Do not use labels to store dimensions with high cardinality (many different label values), such as user IDs, email addresses, or other unbounded sets of values.

Because of this, there should be no label where the value of the label does not come from the configuration file, or is not a fixed value.

So the labels I don't really understand are:

  • uid
  • ike_sa_uid
  • ike_sa_local_id
  • ike_sa_remote_id
  • ike_sa_remote_identity
  • reqid

pokab avatar Dec 22 '22 15:12 pokab

Hey @pokab, yeah, it looked like a simple idea to get a traffic usage across sessions at that time but it was definitely not a great idea. On the one hand, it will be nice to sort it out in v2 while keeping an ability to monitor a traffic but on the other hand, I've completely switched to WireGuard and thinking on archiving this because I have too many other things to focus on (and hopefully - to share). At least I hope this repository should be useful to others with a working codebase with unit and integration tests...

sergeymakinen avatar Feb 15 '23 22:02 sergeymakinen

I've got a working solution pushed in my repository, but not yet in the master branch. Will clean it up later. No problem if you don't want a pull request or maintain this application.

pokab avatar Feb 20 '23 02:02 pokab