software/versions endpoint is RAM-heavy #23679
Comments
Timebox 2 points for code review and attempt to make it lighter.
The performance issue/memory bloat is due to two issues both stemming from the way we fetch and display vulnerabilities.
Will open a new issue to deal with number 1.
…ns endpoint (#24246) #23679 In order to improve performance on the software version endpoint the option `without_vulnerability_details` has been added. It can be set to true to decrease the size of the response. On the free tier setting this option to `false` will have no effect. On Fleet Premium setting it to `false` or omitting will include verbose vulnerability details. --------- Co-authored-by: Rachael Shaw <[email protected]>
The software versions endpoint CVE details can be truncated using the `without_vulnerability_details` flag. #23679

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

---------
Co-authored-by: Ian Littman <[email protected]>
#23679 Original PR: #24496 Co-authored-by: Ian Littman <[email protected]>
Tested in a loadtest environment with ~58k hosts enrolled and ~82k software entries. While hitting the
Looks like a new regression: #24765 Unable to filter on CVE severity on software/versions page
Copying test plan steps from #24765 that were completed. Will add additional info once this is fully tested.
fleet free
fleet premium
QA Notes: Per discussion with @ksykulev and @iansltx this fix + changes from #24765 won't necessarily resolve the whole problem, but this fix allows for a performance improvement on the software/versions page when we are not filtering by Severity or Known exploits. For all scenarios other than when applying Severity or Known exploits filters, the `&without_vulnerability_details=true` flag will avoid the costly joins on CVE scores for all known vulnerabilities. After understanding the changes implemented and testing for regressions, this change looks good to release.
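The tier and flag rule described in the PR text above ("on the free tier the option has no effect; on Premium, `false` or omitted includes verbose details") and the response-size cost described in the issue body, shown as an added Go example. This is not Fleet's own code: the struct shapes, JSON field names, `Render`/`StripDetails`/`IncludeDetails` functions and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
)

// Hypothetical, simplified stand-ins for a software-version record and the
// per-CVE detail block; field names are assumptions, not Fleet's types.
type CVEDetails struct {
	CVSSScore        *float64 `json:"cvss_score,omitempty"`
	EPSSProbability  *float64 `json:"epss_probability,omitempty"`
	CISAKnownExploit *bool    `json:"cisa_known_exploit,omitempty"`
	Description      string   `json:"description,omitempty"`
}

type Vulnerability struct {
	CVE     string      `json:"cve"`
	Details *CVEDetails `json:"details,omitempty"` // nil => omitted from JSON
}

type SoftwareVersion struct {
	ID              uint            `json:"id"`
	Name            string          `json:"name"`
	Version         string          `json:"version"`
	HostsCount      int             `json:"hosts_count"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// ParseWithoutDetails reads the without_vulnerability_details query flag.
// Absent means false, i.e. details are included where the tier allows it.
func ParseWithoutDetails(rawQuery string) (bool, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false, err
	}
	v := q.Get("without_vulnerability_details")
	if v == "" {
		return false, nil
	}
	return strconv.ParseBool(v)
}

// IncludeDetails encodes the tier rule: the free tier never carries
// details, so the flag only changes the output on Premium.
func IncludeDetails(premium, withoutDetails bool) bool {
	return premium && !withoutDetails
}

// StripDetails returns a copy of versions keeping only CVE identifiers.
func StripDetails(versions []SoftwareVersion) []SoftwareVersion {
	out := make([]SoftwareVersion, len(versions))
	for i, sv := range versions {
		sv.Vulnerabilities = append([]Vulnerability(nil), sv.Vulnerabilities...)
		for j := range sv.Vulnerabilities {
			sv.Vulnerabilities[j].Details = nil
		}
		out[i] = sv
	}
	return out
}

// Render serializes the list under the tier/flag policy and returns the body.
func Render(versions []SoftwareVersion, premium, withoutDetails bool) ([]byte, error) {
	if !IncludeDetails(premium, withoutDetails) {
		versions = StripDetails(versions)
	}
	return json.Marshal(versions)
}

// SampleVersions builds constructed sample data (not from Fleet): one CVE
// detail block shared by three versions of the same package, the pattern
// that makes the serialized response repeat the same bytes many times.
func SampleVersions() []SoftwareVersion {
	score, epss, kev := 9.8, 0.97, true
	details := &CVEDetails{CVSSScore: &score, EPSSProbability: &epss,
		CISAKnownExploit: &kev, Description: "constructed description text for a sample CVE"}
	var out []SoftwareVersion
	for i := 1; i <= 3; i++ {
		out = append(out, SoftwareVersion{
			ID: uint(i), Name: "libexample", Version: fmt.Sprintf("1.%d.0", i), HostsCount: 1000 * i,
			Vulnerabilities: []Vulnerability{{CVE: "CVE-0000-0001", Details: details}},
		})
	}
	return out
}

func main() {
	for _, c := range []struct{ premium, without bool }{{true, false}, {true, true}, {false, false}} {
		body, _ := Render(SampleVersions(), c.premium, c.without)
		fmt.Printf("premium=%v without_vulnerability_details=%v -> %d bytes\n", c.premium, c.without, len(body))
	}
}
```

In memory the sample holds a single `CVEDetails` value, but the marshalled body repeats it once per version; with the flag set (or on the free tier) only the CVE identifiers remain, which is the size reduction the PR describes. Deduplicating the detail blocks on the wire, as the issue's "To fix" note suggests, would be the next step beyond what this example shows.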
Fleet version: 4.58.0

💥 Actual behavior

Running `software/versions` with a large number of hosts (e.g. 10k) with a typical amount of software per host is a heavy operation on RAM usage, spiking customer pod RAM usage and potentially causing the environment to OOM.

🧑💻 Steps to reproduce

`software/versions` endpoint

🕯️ More info

Split from #23078, referenced in #22291. This is a lower priority than the hosts list with software listings enabled as the customer's use case can get by with using just that endpoint per current understanding. This endpoint doesn't appear to be DB-heavy, but generates a large response that we need to store and serialize more efficiently if possible.

🛠️ To fix

TBD, but probably involves deduplicating data structures.