ROX-35013: Replace full-table Walks with targeted WalkByQuery in compliance operator manager#21059
Draft
dashrews78 wants to merge 5 commits into
Draft
ROX-35013: Replace full-table Walks with targeted WalkByQuery in compliance operator manager#21059dashrews78 wants to merge 5 commits into
dashrews78 wants to merge 5 commits into
Conversation
Contributor
Author
|
This change is part of the following stack: Change managed by git-spice. |
9 tasks
|
Skipping CI for Draft Pull Request. |
Contributor
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Contributor
🚀 Build Images ReadyImages are ready for commit d668412. To use with deploy scripts: export MAIN_IMAGE_TAG=4.12.x-147-gd668412785 |
dashrews78
changed the title
Central panics on startup with "context deadline exceeded / iterating over rows" when many clusters reconnect simultaneously. Root cause: NewManager did a Walk of all compliance profiles at startup, calling addProfileNoLock for each — which itself did another full Walk. This O(N²) pattern combined with concurrent sensor AddProfile calls created a lock convoy on registryLock that exhausted the cursor timeout. Fix: - Remove the startup Walk in NewManager. Sensors always re-send all compliance operator data on reconnect (V1 compliance types skip deduping), so the registry populates naturally. - Throttle concurrent profile and rule pipeline operations via semaphore (default 5, configurable via ROX_COMPLIANCE_V1_MAX_CONCURRENCY) to prevent DB connection pool exhaustion during mass sensor reconnects. Partially generated by AI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use github.com/stackrox/rox/pkg/sync instead of stdlib sync. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tests verify the semaphore limits concurrent AddProfile/AddRule calls and that cancelled contexts are respected when the semaphore is full. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…liance operator manager Added search tags to ComplianceOperatorProfile name and cluster_id fields, enabled search category 201 on the profile store, and replaced 3 of 4 full-table Walk calls in the manager with WalkByQuery filtered by profile name or cluster ID. addProfileNoLock: Walk all profiles → WalkByQuery(name = X), filter cluster in callback. Reduces O(N) table scan to indexed query. DeleteProfile: Walk all profiles → WalkByQuery(name = X), same pattern. GetMachineConfigs: Walk all profiles → WalkByQuery(clusterId = X). findProfilesWithRuleNoLock: Unchanged (searches inside repeated field). Benchmark (20 clusters, 200 profiles concurrent): master: 234ms, 316MB, 3.39M allocs WalkByQuery: 103ms, 40MB, 449K allocs Improvement: 2.3x faster, 8x less memory, 7.5x fewer allocations Partially generated by AI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dashrews78
force-pushed
the
dashrews/compliance-v1-startup
branch
from
5cc3639 to
e30417e
Compare
dashrews78
force-pushed
the
dashrews/compliance-v1-query-not-walk
branch
from
bc3fa1d to
d668412
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Added search tags to ComplianceOperatorProfile name and cluster_id
fields, enabled search category 201 on the profile store, and replaced
3 of 4 full-table Walk calls in the manager with WalkByQuery filtered
by profile name or cluster ID.
addProfileNoLock: Walk all profiles → WalkByQuery(name = X), filter
cluster in callback. Reduces O(N) table scan to indexed query.
DeleteProfile: Walk all profiles → WalkByQuery(name = X), same pattern.
GetMachineConfigs: Walk all profiles → WalkByQuery(clusterId = X).
findProfilesWithRuleNoLock: Unchanged (searches inside repeated field).
Benchmark (20 clusters, 200 profiles concurrent):
master: 234ms, 316MB, 3.39M allocs
WalkByQuery: 103ms, 40MB, 449K allocs
Improvement: 2.3x faster, 8x less memory, 7.5x fewer allocations
Partially generated by AI.
Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com
Description
change me!
User-facing documentation
Testing and quality
Automated testing
How I validated my change
change me!