A·M4 slice: Prometheus /metrics endpoint #94
Merged
Policy.metrics_listen: Option<SocketAddr> from a new independent 'metrics
listen=ip:port' directive; Store::detection_count mirrors session_count/
audit_count. Every Policy{..} literal gains metrics_listen: None. Feeds the
Prometheus endpoint.
…code counters
New blackwall-metrics crate: pure render_prometheus (Metric/MetricKind → text exposition 0.0.4, integer-valued floats drop the decimal). blackwall-flow gains CollectorMetrics (datagrams/decode_errors atomics); run_collector takes an optional handle and bumps them per datagram / decode failure (existing callers pass None).
metrics.rs (coverage-excluded thin-IO): a TcpListener GET /metrics server that gathers BGP session-state/reconnects (when rtbh is configured), collector datagram/decode counters, and on-scrape DB gauges (rtbh/flowspec active + pending, detections, sessions, audit) and renders them via blackwall-metrics. u64->f64 without an as-cast (hi/lo 32-bit split). Command::Flow spawns it when policy.metrics_listen is set. Verified end to end: GET serves the exposition, POST -> 405. (Also: unique target + >= assertion in the detection_count test so it can't race the shared detections table.)
Closes #93. Operational visibility for the dev-net run — the second of the two pre-deployment hardening increments (after #92).
What
- `metrics listen=<ip:port>` config directive → `Policy.metrics_listen`.
- `GET /metrics` server (Prometheus text 0.0.4) over `tokio::net::TcpListener` — no HTTP/metrics framework (per the agreed minimal-deps decision). New `blackwall-metrics` crate holds the pure exposition renderer (unit-tested); `blackwalld/metrics.rs` is the thin-IO server/gather (coverage-excluded).
- `CollectorMetrics` (datagrams / decode-errors); `run_collector` bumps them.
- `Store::detection_count()` added (mirrors `session_count`/`audit_count`).

Metrics
`bgp_session_state`, `bgp_reconnects_total` (when `rtbh` is set), `flow_datagrams_total`, `flow_decode_errors_total`, `rtbh_active`, `flowspec_active`, `{rtbh,flowspec}_requests_pending`, `detections_total`, `deception_sessions_total`, `audit_total`. DB-backed gauges read at scrape time — a failing query is logged + its metric omitted, never crashing the endpoint.

Verification
- `clippy --workspace --all-targets --deny warnings` clean; `cargo test --workspace` 46 suites; coverage 95.08% (renderer + config covered; server/queries excluded).
- `blackwalld flow` with a `metrics` block, `curl localhost:9109/metrics` returned the full exposition (integers render clean, BGP metrics correctly omitted with no `rtbh`), `POST` → 405.
- `as` casts (u64→f64 via a hi/lo 32-bit split); no bare `#[allow]`.

Bind to localhost/trusted mgmt net — no auth/TLS yet (a follow-on), as is a live deception in-flight gauge.
🤖 Generated with Claude Code
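
The description above says the endpoint has no auth or TLS and should be bound to localhost or a trusted management network. The following is an added example, not code from this PR or the blackwall project, of a startup check that enforces that for a `listen=ip:port` value. The names `Exposure`, `classify`, `check_listen` and `allow_private` are hypothetical, and the token syntax is assumed from the PR text.

```rust
use std::net::{IpAddr, SocketAddr};

/// Reach of an unauthenticated listener bound to a given address.
#[derive(Debug, PartialEq, Eq)]
pub enum Exposure {
    Loopback, // local host only
    Private,  // RFC 1918 or IPv6 unique-local (fc00::/7)
    Wildcard, // 0.0.0.0 or [::], i.e. every interface
    Public,   // anything else
}

/// Classify an address. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first,
/// since Ipv6Addr::is_loopback() is false for ::ffff:127.0.0.1.
pub fn classify(ip: IpAddr) -> Exposure {
    let ip = match ip {
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map_or(ip, IpAddr::V4),
        IpAddr::V4(_) => ip,
    };
    match ip {
        _ if ip.is_loopback() => Exposure::Loopback,
        _ if ip.is_unspecified() => Exposure::Wildcard,
        IpAddr::V4(v4) if v4.is_private() => Exposure::Private,
        IpAddr::V6(v6) if (v6.segments()[0] & 0xfe00) == 0xfc00 => Exposure::Private,
        _ => Exposure::Public,
    }
}

/// Parse a `listen=ip:port` token (syntax assumed from the PR text) and accept
/// it only on loopback, or on a private range when `allow_private` is set.
pub fn check_listen(token: &str, allow_private: bool) -> Result<SocketAddr, String> {
    let value = token.strip_prefix("listen=").ok_or("expected listen=ip:port")?;
    let addr = value
        .parse::<SocketAddr>()
        .map_err(|e| format!("bad address {value:?}: {e}"))?;
    match classify(addr.ip()) {
        Exposure::Loopback => Ok(addr),
        Exposure::Private if allow_private => Ok(addr),
        other => Err(format!("{addr} is {other:?}; endpoint has no auth/TLS")),
    }
}

fn main() {
    // Constructed sample tokens, not taken from the project's configuration.
    for t in ["listen=127.0.0.1:9109", "listen=0.0.0.0:9109", "listen=10.0.0.5:9109"] {
        println!("{t} -> {:?}", check_listen(t, false));
    }
}
```

A wildcard bind is rejected even with `allow_private` set, because it also listens on any public interface the host has.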