Skip to content

ROX-32848: Emit VM index ACK/NACK from Central#19323

Draft
vikin91 wants to merge 1 commit intopiotr/ROX-32316-sensor-vm-ack-forwardingfrom
piotr/ROX-32848-sensor-vm-ack-emit-in-central
Draft

ROX-32848: Emit VM index ACK/NACK from Central#19323
vikin91 wants to merge 1 commit intopiotr/ROX-32316-sensor-vm-ack-forwardingfrom
piotr/ROX-32848-sensor-vm-ack-emit-in-central

Conversation

@vikin91
Copy link
Contributor

@vikin91 vikin91 commented Mar 6, 2026

Description

Completes the end-to-end ACK loop for VM index reports. Previously, Central processed VM index
reports successfully but never sent any acknowledgement back — Sensor's handler had the forwarding
logic but was never triggered, and compliance's UMH kept retrying indefinitely.

Changes in Central (the missing piece):

  • virtualmachineindex/pipeline.go: Sends SensorACK(ACK) after successful vulnerability
    enrichment and DB store. SendSensorACK is gated behind SensorACKSupport capability so
    older Sensors (pre-4.10) are unaffected.
  • connection_impl.go: When the rate limiter drops a VirtualMachineIndexReport, sends
    SensorACK(NACK) with the rate limit reason so Sensor/compliance can act on it.

Changes in Sensor:

  • handler_impl.go: Translates Central's SensorACK into ComplianceACK and forwards it to
    compliance via a new toCompliance channel. Implements ComplianceComponent interface
    (ComplianceC(), Stopped()). Declares SensorACKSupport capability. sensor.go: Registers the VM handler on the compliance multiplexer.

The full ACK flow is now:

Central pipeline → SensorACK → Sensor ProcessMessage → forwardToCompliance → compliance runRecv → handleVMIndexACK → umhVMIndex.HandleACK

Last PR in the ROX-32316 stack. Depends on: piotr/ROX-32316-vm-relay-ack-flow.

AI-assisted: implementation and tests generated by AI based on user requirements
(ACK on success, NACK on rate limit, capability gating). Reviewed and verified by the author.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Ran all affected test suites locally:

go test ./central/sensor/service/pipeline/virtualmachineindex/ -count=1 -v  # 20 cases, all PASS
go test ./sensor/common/virtualmachine/index/... -count=1 -v                # 10 cases, all PASS

Deployed the full stack to a cluster with a single VM. Before the fix, compliance logs showed
[vm-index] Resource 2759316682 has N unacked messages, suggesting retry ... indefinitely.
After the fix, the retry stops after the first ACK from Central.

Verified the rate limiter NACK path by configuring a low ROX_VM_INDEX_REPORT_RATE_LIMIT and
confirming compliance receives NACK messages with the rate limit reason.

@vikin91
Ensure Central emits the new N/ACK for VMs
9192241 
Central's VM index pipeline was missing ACK/NACK responses, breaking the
end-to-end ACK flow. Adds ACK on successful enrichment+store and NACK
when the rate limiter drops a report. ACKs are gated behind the
SensorACKSupport capability so older Sensors are unaffected.
@vikin91
Copy link
Contributor Author

vikin91 commented Mar 6, 2026

This change is part of the following stack:

Change managed by git-spice.

@openshift-ci
Copy link

openshift-ci bot commented Mar 6, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@vikin91 vikin91 changed the title ROX-32848: Ensure Central emits the new N/ACK for VMs ROX-32848: Emit VM index ACK/NACK from Central Mar 6, 2026
@rhacs-bot
Copy link
Contributor

rhacs-bot commented Mar 6, 2026

Images are ready for the commit at 9192241.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-264-g91922412e2.

@codecov
Copy link

codecov bot commented Mar 6, 2026

Codecov Report

❌ Patch coverage is 75.00000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.58%. Comparing base (99d3e6c) to head (9192241).

Files with missing lines Patch % Lines
...ntral/sensor/service/connection/connection_impl.go 0.00% 3 Missing ⚠️
...r/service/pipeline/virtualmachineindex/pipeline.go 85.71% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@                             Coverage Diff                              @@
##           piotr/ROX-32316-sensor-vm-ack-forwarding   #19323      +/-   ##
============================================================================
- Coverage                                     49.58%   49.58%   -0.01%     
============================================================================
  Files                                          2690     2690              
  Lines                                        203065   203088      +23     
============================================================================
+ Hits                                         100699   100703       +4     
- Misses                                        94869    94885      +16     
- Partials                                       7497     7500       +3
Flag Coverage Δ
go-unit-tests 49.58% <75.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/central do-not-merge/work-in-progress

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vikin91 @rhacs-bot