[rudder-users] Compliance reports

Francois Armand francois.armand at normation.com
Fri Mar 30 11:26:29 CEST 2018 

On 29/03/2018 15:59, Rob Pomeroy wrote:
> Hi,
>
> This probably should be raised as a feature request/issue - but I 
> wanted the views of those on this list first? (Also when I looked in 
> the issue log, there are many pages of issues there, so no point 
> adding another one if it wouldn't be a priority.) :-)
>
> I'd really like to be able to search by the compliant state of nodes. 
> It'd be handy to be able to pull out just those nodes that require 
> attention. I have dozens and dozens of managed nodes now and it's 
> getting harder to find those that need to be fixed.
>
> So two things I'd be interested in:
>
>  1. A search/dynamic group based on whether a not a node is in a
>     compliant state.
>  2. A way of finding nodes based on a period between today's date and
>     the last inventory received. You can of course search based on a
>     fixed date, but I'm not sure what, if any, functions can be used
>     in the search box. Something like last inventory date > now() - 1 day.
>
>
> I couldn't find anything like this in the online documentation or the 
> interface. But perhaps I've overlooked something that already exists?
>
> Cheers,
>
> Rob
>
> -

Hello Rob,

Firstly, just to be sure you didn't miss that: you can sort nodes in the 
"all node" list by compliance (click on the "Compliance" column header 
to do so), so that help put the one with red on top.

Now, for your requests:

1/ This one is interesting, but it's hard to get right in the "group" 
workflow. First, there is the semantic problem about what is the 
"compliance" number you want to match on. Global compliance ? One state 
in particular ? It can be sorted out, but with the current group search 
UI, our tests make it cumbersome.
But then, the real problem is in the feedback loop and 
hysteris/instabilities it may introduce in your system. Imagine you 
build such a group and make a rule on them. Now, the rule depends on its 
outcome, with a propagation travel time to take in account. Node may 
enter and get out fast ("fast" as in "not many tickes", considering a 
"tick" at rudder scale to be 5min). So that will multiply policy 
generation, but the time they reach the nodes, perhaps the dyn group 
already change again...

So. To sum up, it is a not obvious problem to sort out cleanly, and we 
are not yet at the point where we can go there.

So, in the meantime, we are solving the much more easier problem of 
getting nice custom reports on compliance (read-only, no feedback loop, 
nice graphs :). It will be through a "compliance report" plugin that 
allows to build custom reports with history of compliance evolution on 
selected nodes/groups/rules/etc. It will be ready in the very short term 
(coming weeks) and part of a commercial offer for Rudder. If you are 
interested to learn more, I can put you in touch with the relevant person.

And in a hacky-already-work way of doing things, you can use API + jq 
(https://stedolan.github.io/jq) to do what you want. For example, to get 
all nodes with global compliance < 80%, you can do:

    % curl -k -H "X-API-Token: xxxx" -H "Content-Type: application/json"
    -X GET 'https://....rudder/api/latest/compliance/nodes?level=1' |*jq
    '.data.nodes | sort_by(.compliance) | map(select(.compliance < 80))' *
    [
    {
       "id": "717b63d1-01fe-4d4f-a7e5-cfb7c0d47b4f",
       "name": "debian-8-64.labo.normation.com",
       "compliance": 0,
       "mode": "full-compliance",
       "complianceDetails": {
         "unexpectedMissingComponent": 49.14,
         "unexpectedUnknownComponent": 50.86
       }
    }
    {
       "id": "0c846655-cb06-486f-ace4-eaeb11372097",
       "name": "centos-7-64.labo.normation.com",
       "compliance": 69.57,
       "mode": "full-compliance",
       "complianceDetails": {
         "successAlreadyOK": 30.43,
         "successNotApplicable": 34.78,
         "error": 30.43,
         "successRepaired": 4.35
       }
    }
    ...
    ]


2/ There is no particular function in the search box appart from "is:" 
(for rule, node, group, parameter, directive, rule) and "in:" (for 
attributes), as explained in the doc here: 
https://orchestrateur-4.labo.normation.com/rudder-doc/search-nodes.html 
. Having a more complexe search language for the quick search would be 
nice. Perhaps could you mind opening an user story for that?

In the meantime, you can again rely on APIs (yeah, that's our swiss army 
knife ;). It will fullfill what I understand of your need, more or less.
More or less because medling with date format and date difference is a 
nightmare in any language, put it's even worse in the middle of a jq 
directive. So in place of "selected range date", I give you "sorted, and 
select a subsection of the resulting array".

This command will give you the 3 nodes with the oldest last inventory 
date (you can choose any slice in the resulting array, of course):

    % curl -k -H "X-API-Token: dTxvl4eL8p3YqvwefVbaJLdy8DyEt7Vw" -H
    "Content-Type: application/json" -X GET
    'https://orchestrateur-4.labo.normation.com/rudder/api/latest/nodes?include=minimal,lastInventoryDate'
    | *jq '.data.nodes | sort_by(.lastInventoryDate) | .[0:3]'*

    [
       {
         "id": "fc846655-cb06-486f-ace4-eaeb11372097",
         "hostname": "sovma136",
         "status": "accepted",
         "lastInventoryDate": "2016-12-05 15:12"
       },
       {
         "id": "8b168194-c0b4-41ab-b2b5-9571a8906d59",
         "hostname": "debian-5-64.labo.normation.com",
         "status": "accepted",
         "lastInventoryDate": "2017-02-01 17:06"
       },
       {
         "id": "94b6d33d-a23e-46b9-b5f8-971751bebcbb",
         "hostname": "ubuntu-16-04-64",
         "status": "accepted",
         "lastInventoryDate": "2018-03-30 02:02"
       }
    ]


And here come the link toward jq manual: 
https://stedolan.github.io/jq/manual
jq is globally hard, but you can get a lots of things done with it.

Hope it helps,

-- 


------------------------------------------------------------------------
*François ARMAND*
/Co-founder & CTO/
Normation <http://www.normation.com>
------------------------------------------------------------------------
*87 rue de Turbigo, 75003 Paris, France*
Telephone: 	+33 (0)1 83 62 99 23
Mobile: 	+33 (0)6 63 37 60 55
------------------------------------------------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.rudder-project.org/pipermail/rudder-users/attachments/20180330/1292c337/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo-square.gif
Type: image/gif
Size: 1036 bytes
Desc: not available
URL: <http://www.rudder-project.org/pipermail/rudder-users/attachments/20180330/1292c337/attachment-0001.gif>

More information about the rudder-users mailing list