ROX-32848: Wire VM relay ACK flow with rate limiting and UMH#19321
Draft
vikin91 wants to merge 1 commit intopiotr/ROX-32316-umh-node-ackfrom
Draft
ROX-32848: Wire VM relay ACK flow with rate limiting and UMH#19321vikin91 wants to merge 1 commit intopiotr/ROX-32316-umh-node-ackfrom
vikin91 wants to merge 1 commit intopiotr/ROX-32316-umh-node-ackfrom
Conversation
Contributor
Author
|
This change is part of the following stack: Change managed by git-spice. |
|
Skipping CI for Draft Pull Request. |
12 tasks
Contributor
|
Images are ready for the commit at 0ad5d24. To use with deploy scripts, first |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## piotr/ROX-32316-umh-node-ack #19321 +/- ##
=============================================================
Coverage 49.58% 49.58%
=============================================================
Files 2690 2690
Lines 202962 203047 +85
=============================================================
+ Hits 100633 100687 +54
- Misses 94834 94862 +28
- Partials 7495 7498 +3
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Integrates the VM relay with the per-resource UMH from the previous commit. The relay now rate-limits reports per VSOCK ID (leaky bucket), tracks ACK metadata for stale-ACK detection, and delegates retry responsibility to UMH instead of retrying inline in the sender. The sender is simplified to a single-attempt send. Adds handleVMIndexACK in compliance to forward ComplianceACK messages to the VM relay's UMH. Also fixes type mismatch in relay where handleIncomingReport passed *IndexReport to sender.Send() which expects *VMReport. AI-assisted: code was extracted from the feature branch by AI, with bug fixes applied during the split. Reviewed and verified by the author.
63a45ce to
0ad5d24
Compare
This was referenced Mar 6, 2026
9 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Integrates the VM relay with the per-resource UMH (from the parent PR) and replaces the sender's
inline retry loop with a single-attempt send. Retry responsibility now lives in the UMH, which
tracks ACK state per VSOCK ID.
What changed:
compliance/virtualmachines/relay/relay.go): Added per-VSOCK rate limiting (leakybucket via
golang.org/x/time/rate), UMH integration (ObserveSending/OnACK), and a metadatacache that tracks
updatedAt/lastAckedAtper VM for stale-ACK detection. Reports that exceedthe rate limit are dropped with a metric — the agent will resubmit on its own schedule.
index_report_sender.go): Removed the 10-retryretry.WithRetryloop andisRetryableGRPCErrorhelper. The sender now makes a single gRPC call; failures are reportedback so the UMH can schedule a retry at the appropriate backoff interval. Added per-attempt
latency and result metrics.
compliance.go): AddedumhVMIndexfield dhandleVMIndexACKto forwardComplianceACKmessages forVM_INDEX_REPORTto the relay's UMH. The VM relay startup now readsROX_VM_RELAY_MAX_REPORTS_PER_MINUTEandROX_VM_RELAY_STALE_ACK_THRESHOLDfrom env.relay/metrics/metrics.go): New counters/histograms for send attempts, rate limiting,and ACKs received.
pkg/env/virtualmachine.go):ROX_VM_RELAY_MAX_REPORTS_PER_MINUTE(default1.0)and
ROX_VM_RELAY_STALE_ACK_THRESHOLD(default4h).Bug fix during split: The feature branch passed
*v1.IndexReporttosender.Send()whichexpects
*v1.VMReport. FixedhandleIncomingReportto carry the fullVMReportthrough.Depends on:
piotr/ROX-32316-umh-node-ack(UMH per-resource refactor).AI-assisted: code was extracted and adapted from a larger feature branch by AI,
with a type mismatch bug fix applied during the split. Reviewed and verified by the author.
User-facing documentation
Testing and quality
Automated testing
How I validated my change