Conversation
|
Skipping CI for Draft Pull Request. |
fbed8e1 to
2c22af7
Compare
|
Images are ready for the commit at 74f35f2. To use with deploy scripts, first |
2c22af7 to
a7f756f
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12695 +/- ##
==========================================
+ Coverage 48.10% 48.12% +0.02%
==========================================
Files 2438 2438
Lines 174799 174807 +8
==========================================
+ Hits 84086 84126 +40
+ Misses 83915 83885 -30
+ Partials 6798 6796 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
a7f756f to
9cee02a
Compare
dcaravel
left a comment
There was a problem hiding this comment.
Am curious what the GC is doing when nothing needs cleanup, are those cycles perhaps trying to determine what to clean? Any debt there? (unrelated to this PR)
Yes. We just call Claircore's GC method, so not much we can do from here aside from not calling it so often. The docs say: https://github.com/quay/claircore/blob/v1.5.31/datastore/postgres/gc.go#L56 |
9cee02a to
74f35f2
Compare
Description
When testing VEX support, I noticed Scanner V4 DB's CPU was periodically active. Looking at the Scanner V4 Matcher logs, I realized that the GC is run upon every successful update cycle, even if that means there was nothing updated (success in this case just means there were no errors).
This PR now limits the GC to only run upon update cycles that not only don't error out, but also actually update something.
It's not perfect, as it's still possible a Matcher replica that does nothing towards updating the vulnerabilities runs the GC[1], but that's ok, as it's not nearly as common as this scenario.
[1] Imagine there are two Matcher replicas and there are new vulnerability updates. It is possible (highly unlikely, though) that only one of the Matchers handles all the updates when reading the "multi-bundle". But, if this were to happen and somehow both Matchers were able to get the GC lock without any kind of contention, then both Matchers will run a GC cycle. This is highly unlikely, so it's ok to ignore. We should care more about the way more common case that there are no vulnerability updates, and we still run the GC for no real reason.
I also found we needlessly require a
pgxpoolwhen creating a vuln updater, so I remove that here, tooUser-facing documentation
Testing and quality
Automated testing
How I validated my change
Here is what I saw in my VEX PR testing:
Here is what I see now:
Note the scale of the graph. This shows activity every few hours, instead of every few minutes