Fimeg/Redflag
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add resilience and reliability features for agent subsystems

Browse Source 
Added circuit breakers with configurable timeouts for all subsystems (APT, DNF, Docker, Windows, Winget, Storage). Replaces cron-based scheduler with priority queue that should scale beyond 1000+ agents if your homelab is that big.

Command acknowledgment system ensures results aren't lost on network failures or restarts. Agent tracks pending acknowledgments with persistent state and automatic retry.

- Circuit breakers: 3 failures in 1min opens circuit, 30s cooldown
- Per-subsystem timeouts: 30s-10min depending on scanner
- Priority queue scheduler: O(log n), worker pool, jitter, backpressure
- Acknowledgments: at-least-once delivery, max 10 retries over 24h
- All tests passing (26/26)
This commit is contained in:
Fimeg
2025-11-01 18:42:41 -04:00
parent 528848f476
commit bf4d46529f
26 changed files with 2733 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
aggregator-agent/agent Executable file
View File

Binary file not shown.

BIN
aggregator-agent/agent-test Executable file
View File

Binary file not shown.

236
aggregator-agent/cmd/agent/main.go
View File

@@ -1,6 +1,7 @@
package main
import (
"context"
"flag"
"fmt"
"log"
@@ -11,7 +12,9 @@ import (
"strings"
"time"
"github.com/Fimeg/RedFlag/aggregator-agent/internal/acknowledgment"
"github.com/Fimeg/RedFlag/aggregator-agent/internal/cache"
"github.com/Fimeg/RedFlag/aggregator-agent/internal/circuitbreaker"
"github.com/Fimeg/RedFlag/aggregator-agent/internal/client"
"github.com/Fimeg/RedFlag/aggregator-agent/internal/config"
"github.com/Fimeg/RedFlag/aggregator-agent/internal/display"
@@ -23,7 +26,7 @@ import (
)
const (
AgentVersion = "0.1.18" // Enhanced disk detection with comprehensive partition reporting
AgentVersion = "0.1.19" // Phase 0: Circuit breakers, timeouts, and subsystem resilience
)
// getConfigPath returns the platform-specific config path
@@ -34,6 +37,34 @@ func getConfigPath() string {
return "/etc/aggregator/config.json"
}
// getStatePath returns the platform-specific state directory path
func getStatePath() string {
if runtime.GOOS == "windows" {
return "C:\\ProgramData\\RedFlag\\state"
}
return "/var/lib/aggregator"
}
// reportLogWithAck reports a command log to the server and tracks it for acknowledgment
func reportLogWithAck(apiClient *client.Client, cfg *config.Config, ackTracker *acknowledgment.Tracker, logReport client.LogReport) error {
// Track this command result as pending acknowledgment
ackTracker.Add(logReport.CommandID)
// Save acknowledgment state immediately
if err := ackTracker.Save(); err != nil {
log.Printf("Warning: Failed to save acknowledgment for command %s: %v", logReport.CommandID, err)
}
// Report the log to the server
if err := reportLogWithAck(apiClient, cfg, ackTracker, logReport); err != nil {
// If reporting failed, increment retry count but don't remove from pending
ackTracker.IncrementRetry(logReport.CommandID)
return err
}
return nil
}
// getCurrentPollingInterval returns the appropriate polling interval based on rapid mode
func getCurrentPollingInterval(cfg *config.Config) int {
// Check if rapid polling mode is active and not expired
@@ -403,6 +434,64 @@ func runAgent(cfg *config.Config) error {
windowsUpdateScanner := scanner.NewWindowsUpdateScanner()
wingetScanner := scanner.NewWingetScanner()
// Initialize circuit breakers for each subsystem
aptCB := circuitbreaker.New("APT", circuitbreaker.Config{
FailureThreshold: cfg.Subsystems.APT.CircuitBreaker.FailureThreshold,
FailureWindow: cfg.Subsystems.APT.CircuitBreaker.FailureWindow,
OpenDuration: cfg.Subsystems.APT.CircuitBreaker.OpenDuration,
HalfOpenAttempts: cfg.Subsystems.APT.CircuitBreaker.HalfOpenAttempts,
})
dnfCB := circuitbreaker.New("DNF", circuitbreaker.Config{
FailureThreshold: cfg.Subsystems.DNF.CircuitBreaker.FailureThreshold,
FailureWindow: cfg.Subsystems.DNF.CircuitBreaker.FailureWindow,
OpenDuration: cfg.Subsystems.DNF.CircuitBreaker.OpenDuration,
HalfOpenAttempts: cfg.Subsystems.DNF.CircuitBreaker.HalfOpenAttempts,
})
dockerCB := circuitbreaker.New("Docker", circuitbreaker.Config{
FailureThreshold: cfg.Subsystems.Docker.CircuitBreaker.FailureThreshold,
FailureWindow: cfg.Subsystems.Docker.CircuitBreaker.FailureWindow,
OpenDuration: cfg.Subsystems.Docker.CircuitBreaker.OpenDuration,
HalfOpenAttempts: cfg.Subsystems.Docker.CircuitBreaker.HalfOpenAttempts,
})
windowsCB := circuitbreaker.New("Windows Update", circuitbreaker.Config{
FailureThreshold: cfg.Subsystems.Windows.CircuitBreaker.FailureThreshold,
FailureWindow: cfg.Subsystems.Windows.CircuitBreaker.FailureWindow,
OpenDuration: cfg.Subsystems.Windows.CircuitBreaker.OpenDuration,
HalfOpenAttempts: cfg.Subsystems.Windows.CircuitBreaker.HalfOpenAttempts,
})
wingetCB := circuitbreaker.New("Winget", circuitbreaker.Config{
FailureThreshold: cfg.Subsystems.Winget.CircuitBreaker.FailureThreshold,
FailureWindow: cfg.Subsystems.Winget.CircuitBreaker.FailureWindow,
OpenDuration: cfg.Subsystems.Winget.CircuitBreaker.OpenDuration,
HalfOpenAttempts: cfg.Subsystems.Winget.CircuitBreaker.HalfOpenAttempts,
})
// Initialize acknowledgment tracker for command result reliability
ackTracker := acknowledgment.NewTracker(getStatePath())
if err := ackTracker.Load(); err != nil {
log.Printf("Warning: Failed to load pending acknowledgments: %v", err)
} else {
pendingCount := len(ackTracker.GetPending())
if pendingCount > 0 {
log.Printf("Loaded %d pending command acknowledgments from previous session", pendingCount)
}
}
// Periodic cleanup of old/stale acknowledgments
go func() {
cleanupTicker := time.NewTicker(1 * time.Hour)
defer cleanupTicker.Stop()
for range cleanupTicker.C {
removed := ackTracker.Cleanup()
if removed > 0 {
log.Printf("Cleaned up %d stale acknowledgments", removed)
if err := ackTracker.Save(); err != nil {
log.Printf("Warning: Failed to save acknowledgments after cleanup: %v", err)
}
}
}
}()
// System info tracking
var lastSystemInfoUpdate time.Time
const systemInfoUpdateInterval = 1 * time.Hour // Update detailed system info every hour
@@ -461,8 +550,16 @@ func runAgent(cfg *config.Config) error {
}
}
// Add pending acknowledgments to metrics for reliability
if metrics != nil {
pendingAcks := ackTracker.GetPending()
if len(pendingAcks) > 0 {
metrics.PendingAcknowledgments = pendingAcks
}
}
// Get commands from server (with optional metrics)
commands, err := apiClient.GetCommands(cfg.AgentID, metrics)
response, err := apiClient.GetCommands(cfg.AgentID, metrics)
if err != nil {
// Try to renew token if we got a 401 error
newClient, renewErr := renewTokenIfNeeded(apiClient, cfg, err)
@@ -476,7 +573,7 @@ func runAgent(cfg *config.Config) error {
if newClient != apiClient {
log.Printf("🔄 Retrying check-in with renewed token...")
apiClient = newClient
commands, err = apiClient.GetCommands(cfg.AgentID, metrics)
response, err = apiClient.GetCommands(cfg.AgentID, metrics)
if err != nil {
log.Printf("Check-in unsuccessful even after token renewal: %v\n", err)
time.Sleep(time.Duration(getCurrentPollingInterval(cfg)) * time.Second)
@@ -489,6 +586,18 @@ func runAgent(cfg *config.Config) error {
}
}
// Process acknowledged command results
if response != nil && len(response.AcknowledgedIDs) > 0 {
ackTracker.Acknowledge(response.AcknowledgedIDs)
log.Printf("Server acknowledged %d command result(s)", len(response.AcknowledgedIDs))
// Save acknowledgment state
if err := ackTracker.Save(); err != nil {
log.Printf("Warning: Failed to save acknowledgment state: %v", err)
}
}
commands := response.Commands
if len(commands) == 0 {
log.Printf("Check-in successful - no new commands")
} else {
@@ -501,7 +610,7 @@ func runAgent(cfg *config.Config) error {
switch cmd.Type {
case "scan_updates":
if err := handleScanUpdates(apiClient, cfg, aptScanner, dnfScanner, dockerScanner, windowsUpdateScanner, wingetScanner, cmd.ID); err != nil {
if err := handleScanUpdates(apiClient, cfg, ackTracker, aptScanner, dnfScanner, dockerScanner, windowsUpdateScanner, wingetScanner, aptCB, dnfCB, dockerCB, windowsCB, wingetCB, cmd.ID); err != nil {
log.Printf("Error scanning updates: %v\n", err)
}
@@ -509,33 +618,33 @@ func runAgent(cfg *config.Config) error {
log.Println("Spec collection not yet implemented")
case "dry_run_update":
if err := handleDryRunUpdate(apiClient, cfg, cmd.ID, cmd.Params); err != nil {
if err := handleDryRunUpdate(apiClient, cfg, ackTracker, cmd.ID, cmd.Params); err != nil {
log.Printf("Error dry running update: %v\n", err)
}
case "install_updates":
if err := handleInstallUpdates(apiClient, cfg, cmd.ID, cmd.Params); err != nil {
if err := handleInstallUpdates(apiClient, cfg, ackTracker, cmd.ID, cmd.Params); err != nil {
log.Printf("Error installing updates: %v\n", err)
}
case "confirm_dependencies":
if err := handleConfirmDependencies(apiClient, cfg, cmd.ID, cmd.Params); err != nil {
if err := handleConfirmDependencies(apiClient, cfg, ackTracker, cmd.ID, cmd.Params); err != nil {
log.Printf("Error confirming dependencies: %v\n", err)
}
case "enable_heartbeat":
if err := handleEnableHeartbeat(apiClient, cfg, cmd.ID, cmd.Params); err != nil {
if err := handleEnableHeartbeat(apiClient, cfg, ackTracker, cmd.ID, cmd.Params); err != nil {
log.Printf("[Heartbeat] Error enabling heartbeat: %v\n", err)
}
case "disable_heartbeat":
if err := handleDisableHeartbeat(apiClient, cfg, cmd.ID); err != nil {
if err := handleDisableHeartbeat(apiClient, cfg, ackTracker, cmd.ID); err != nil {
log.Printf("[Heartbeat] Error disabling heartbeat: %v\n", err)
}
case "reboot":
if err := handleReboot(apiClient, cfg, cmd.ID, cmd.Params); err != nil {
if err := handleReboot(apiClient, cfg, ackTracker, cmd.ID, cmd.Params); err != nil {
log.Printf("[Reboot] Error processing reboot command: %v\n", err)
}
default:
@@ -548,7 +657,46 @@ func runAgent(cfg *config.Config) error {
}
}
func handleScanUpdates(apiClient *client.Client, cfg *config.Config, aptScanner *scanner.APTScanner, dnfScanner *scanner.DNFScanner, dockerScanner *scanner.DockerScanner, windowsUpdateScanner *scanner.WindowsUpdateScanner, wingetScanner *scanner.WingetScanner, commandID string) error {
// subsystemScan executes a scanner function with circuit breaker and timeout protection
func subsystemScan(name string, cb *circuitbreaker.CircuitBreaker, timeout time.Duration, scanFn func() ([]client.UpdateReportItem, error)) ([]client.UpdateReportItem, error) {
var updates []client.UpdateReportItem
var scanErr error
err := cb.Call(func() error {
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
type result struct {
updates []client.UpdateReportItem
err error
}
resultChan := make(chan result, 1)
go func() {
u, e := scanFn()
resultChan <- result{u, e}
}()
select {
case <-ctx.Done():
return fmt.Errorf("%s scan timeout after %v", name, timeout)
case res := <-resultChan:
if res.err != nil {
return res.err
}
updates = res.updates
return nil
}
})
if err != nil {
scanErr = err
}
return updates, scanErr
}
func handleScanUpdates(apiClient *client.Client, cfg *config.Config, ackTracker *acknowledgment.Tracker, aptScanner *scanner.APTScanner, dnfScanner *scanner.DNFScanner, dockerScanner *scanner.DockerScanner, windowsUpdateScanner *scanner.WindowsUpdateScanner, wingetScanner *scanner.WingetScanner, aptCB, dnfCB, dockerCB, windowsCB, wingetCB *circuitbreaker.CircuitBreaker, commandID string) error {
log.Println("Scanning for updates...")
var allUpdates []client.UpdateReportItem
@@ -556,9 +704,9 @@ func handleScanUpdates(apiClient *client.Client, cfg *config.Config, aptScanner
var scanResults []string
// Scan APT updates
if aptScanner.IsAvailable() {
if aptScanner.IsAvailable() && cfg.Subsystems.APT.Enabled {
log.Println(" - Scanning APT packages...")
updates, err := aptScanner.Scan()
updates, err := subsystemScan("APT", aptCB, cfg.Subsystems.APT.Timeout, aptScanner.Scan)
if err != nil {
errorMsg := fmt.Sprintf("APT scan failed: %v", err)
log.Printf(" %s\n", errorMsg)
@@ -569,14 +717,16 @@ func handleScanUpdates(apiClient *client.Client, cfg *config.Config, aptScanner
scanResults = append(scanResults, resultMsg)
allUpdates = append(allUpdates, updates...)
}
} else if !cfg.Subsystems.APT.Enabled {
scanResults = append(scanResults, "APT scanner disabled")
} else {
scanResults = append(scanResults, "APT scanner not available")
}
// Scan DNF updates
if dnfScanner.IsAvailable() {
if dnfScanner.IsAvailable() && cfg.Subsystems.DNF.Enabled {
log.Println(" - Scanning DNF packages...")
updates, err := dnfScanner.Scan()
updates, err := subsystemScan("DNF", dnfCB, cfg.Subsystems.DNF.Timeout, dnfScanner.Scan)
if err != nil {
errorMsg := fmt.Sprintf("DNF scan failed: %v", err)
log.Printf(" %s\n", errorMsg)
@@ -587,14 +737,16 @@ func handleScanUpdates(apiClient *client.Client, cfg *config.Config, aptScanner
scanResults = append(scanResults, resultMsg)
allUpdates = append(allUpdates, updates...)
}
} else if !cfg.Subsystems.DNF.Enabled {
scanResults = append(scanResults, "DNF scanner disabled")
} else {
scanResults = append(scanResults, "DNF scanner not available")
}
// Scan Docker updates
if dockerScanner != nil && dockerScanner.IsAvailable() {
if dockerScanner != nil && dockerScanner.IsAvailable() && cfg.Subsystems.Docker.Enabled {
log.Println(" - Scanning Docker images...")
updates, err := dockerScanner.Scan()
updates, err := subsystemScan("Docker", dockerCB, cfg.Subsystems.Docker.Timeout, dockerScanner.Scan)
if err != nil {
errorMsg := fmt.Sprintf("Docker scan failed: %v", err)
log.Printf(" %s\n", errorMsg)
@@ -605,14 +757,16 @@ func handleScanUpdates(apiClient *client.Client, cfg *config.Config, aptScanner
scanResults = append(scanResults, resultMsg)
allUpdates = append(allUpdates, updates...)
}
} else if !cfg.Subsystems.Docker.Enabled {
scanResults = append(scanResults, "Docker scanner disabled")
} else {
scanResults = append(scanResults, "Docker scanner not available")
}
// Scan Windows updates
if windowsUpdateScanner.IsAvailable() {
if windowsUpdateScanner.IsAvailable() && cfg.Subsystems.Windows.Enabled {
log.Println(" - Scanning Windows updates...")
updates, err := windowsUpdateScanner.Scan()
updates, err := subsystemScan("Windows Update", windowsCB, cfg.Subsystems.Windows.Timeout, windowsUpdateScanner.Scan)
if err != nil {
errorMsg := fmt.Sprintf("Windows Update scan failed: %v", err)
log.Printf(" %s\n", errorMsg)
@@ -623,14 +777,16 @@ func handleScanUpdates(apiClient *client.Client, cfg *config.Config, aptScanner
scanResults = append(scanResults, resultMsg)
allUpdates = append(allUpdates, updates...)
}
} else if !cfg.Subsystems.Windows.Enabled {
scanResults = append(scanResults, "Windows Update scanner disabled")
} else {
scanResults = append(scanResults, "Windows Update scanner not available")
}
// Scan Winget packages
if wingetScanner.IsAvailable() {
if wingetScanner.IsAvailable() && cfg.Subsystems.Winget.Enabled {
log.Println(" - Scanning Winget packages...")
updates, err := wingetScanner.Scan()
updates, err := subsystemScan("Winget", wingetCB, cfg.Subsystems.Winget.Timeout, wingetScanner.Scan)
if err != nil {
errorMsg := fmt.Sprintf("Winget scan failed: %v", err)
log.Printf(" %s\n", errorMsg)
@@ -641,6 +797,8 @@ func handleScanUpdates(apiClient *client.Client, cfg *config.Config, aptScanner
scanResults = append(scanResults, resultMsg)
allUpdates = append(allUpdates, updates...)
}
} else if !cfg.Subsystems.Winget.Enabled {
scanResults = append(scanResults, "Winget scanner disabled")
} else {
scanResults = append(scanResults, "Winget scanner not available")
}
@@ -678,7 +836,7 @@ func handleScanUpdates(apiClient *client.Client, cfg *config.Config, aptScanner
}
// Report the scan log
if err := apiClient.ReportLog(cfg.AgentID, logReport); err != nil {
if err := reportLogWithAck(apiClient, cfg, ackTracker, logReport); err != nil {
log.Printf("Failed to report scan log: %v\n", err)
// Continue anyway - updates are more important
}
@@ -871,7 +1029,7 @@ func handleListUpdatesCommand(cfg *config.Config, exportFormat string) error {
}
// handleInstallUpdates handles install_updates command
func handleInstallUpdates(apiClient *client.Client, cfg *config.Config, commandID string, params map[string]interface{}) error {
func handleInstallUpdates(apiClient *client.Client, cfg *config.Config, ackTracker *acknowledgment.Tracker, commandID string, params map[string]interface{}) error {
log.Println("Installing updates...")
// Parse parameters
@@ -948,7 +1106,7 @@ func handleInstallUpdates(apiClient *client.Client, cfg *config.Config, commandI
DurationSeconds: result.DurationSeconds,
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("Failed to report installation failure: %v\n", reportErr)
}
@@ -971,7 +1129,7 @@ func handleInstallUpdates(apiClient *client.Client, cfg *config.Config, commandI
logReport.Stdout += fmt.Sprintf("\nPackages installed: %v", result.PackagesInstalled)
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("Failed to report installation success: %v\n", reportErr)
}
@@ -989,7 +1147,7 @@ func handleInstallUpdates(apiClient *client.Client, cfg *config.Config, commandI
}
// handleDryRunUpdate handles dry_run_update command
func handleDryRunUpdate(apiClient *client.Client, cfg *config.Config, commandID string, params map[string]interface{}) error {
func handleDryRunUpdate(apiClient *client.Client, cfg *config.Config, ackTracker *acknowledgment.Tracker, commandID string, params map[string]interface{}) error {
log.Println("Performing dry run update...")
// Parse parameters
@@ -1034,7 +1192,7 @@ func handleDryRunUpdate(apiClient *client.Client, cfg *config.Config, commandID
DurationSeconds: 0,
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("Failed to report dry run failure: %v\n", reportErr)
}
@@ -1085,7 +1243,7 @@ func handleDryRunUpdate(apiClient *client.Client, cfg *config.Config, commandID
logReport.Stdout += fmt.Sprintf("\nDependencies found: %v", result.Dependencies)
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("Failed to report dry run success: %v\n", reportErr)
}
@@ -1105,7 +1263,7 @@ func handleDryRunUpdate(apiClient *client.Client, cfg *config.Config, commandID
}
// handleConfirmDependencies handles confirm_dependencies command
func handleConfirmDependencies(apiClient *client.Client, cfg *config.Config, commandID string, params map[string]interface{}) error {
func handleConfirmDependencies(apiClient *client.Client, cfg *config.Config, ackTracker *acknowledgment.Tracker, commandID string, params map[string]interface{}) error {
log.Println("Installing update with confirmed dependencies...")
// Parse parameters
@@ -1172,7 +1330,7 @@ func handleConfirmDependencies(apiClient *client.Client, cfg *config.Config, com
DurationSeconds: result.DurationSeconds,
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("Failed to report installation failure: %v\n", reportErr)
}
@@ -1198,7 +1356,7 @@ func handleConfirmDependencies(apiClient *client.Client, cfg *config.Config, com
logReport.Stdout += fmt.Sprintf("\nDependencies included: %v", dependencies)
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("Failed to report installation success: %v\n", reportErr)
}
@@ -1216,7 +1374,7 @@ func handleConfirmDependencies(apiClient *client.Client, cfg *config.Config, com
}
// handleEnableHeartbeat handles enable_heartbeat command
func handleEnableHeartbeat(apiClient *client.Client, cfg *config.Config, commandID string, params map[string]interface{}) error {
func handleEnableHeartbeat(apiClient *client.Client, cfg *config.Config, ackTracker *acknowledgment.Tracker, commandID string, params map[string]interface{}) error {
// Parse duration parameter (default to 10 minutes)
durationMinutes := 10
if duration, ok := params["duration_minutes"]; ok {
@@ -1250,7 +1408,7 @@ func handleEnableHeartbeat(apiClient *client.Client, cfg *config.Config, command
DurationSeconds: 0,
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("[Heartbeat] Failed to report heartbeat enable: %v", reportErr)
}
@@ -1291,7 +1449,7 @@ func handleEnableHeartbeat(apiClient *client.Client, cfg *config.Config, command
}
// handleDisableHeartbeat handles disable_heartbeat command
func handleDisableHeartbeat(apiClient *client.Client, cfg *config.Config, commandID string) error {
func handleDisableHeartbeat(apiClient *client.Client, cfg *config.Config, ackTracker *acknowledgment.Tracker, commandID string) error {
log.Printf("[Heartbeat] Disabling rapid polling")
// Update agent config to disable rapid polling
@@ -1314,7 +1472,7 @@ func handleDisableHeartbeat(apiClient *client.Client, cfg *config.Config, comman
DurationSeconds: 0,
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("[Heartbeat] Failed to report heartbeat disable: %v", reportErr)
}
@@ -1407,7 +1565,7 @@ func reportSystemInfo(apiClient *client.Client, cfg *config.Config) error {
}
// handleReboot handles reboot command
func handleReboot(apiClient *client.Client, cfg *config.Config, commandID string, params map[string]interface{}) error {
func handleReboot(apiClient *client.Client, cfg *config.Config, ackTracker *acknowledgment.Tracker, commandID string, params map[string]interface{}) error {
log.Println("[Reboot] Processing reboot request...")
// Parse parameters
@@ -1449,7 +1607,7 @@ func handleReboot(apiClient *client.Client, cfg *config.Config, commandID string
ExitCode: 1,
DurationSeconds: 0,
}
apiClient.ReportLog(cfg.AgentID, logReport)
reportLogWithAck(apiClient, cfg, ackTracker, logReport)
return err
}
@@ -1469,7 +1627,7 @@ func handleReboot(apiClient *client.Client, cfg *config.Config, commandID string
ExitCode: 1,
DurationSeconds: 0,
}
apiClient.ReportLog(cfg.AgentID, logReport)
reportLogWithAck(apiClient, cfg, ackTracker, logReport)
return err
}
@@ -1487,7 +1645,7 @@ func handleReboot(apiClient *client.Client, cfg *config.Config, commandID string
DurationSeconds: 0,
}
if reportErr := apiClient.ReportLog(cfg.AgentID, logReport); reportErr != nil {
if reportErr := reportLogWithAck(apiClient, cfg, ackTracker, logReport); reportErr != nil {
log.Printf("[Reboot] Failed to report reboot command result: %v", reportErr)
}

193
aggregator-agent/internal/acknowledgment/tracker.go Normal file
View File

@@ -0,0 +1,193 @@
package acknowledgment
import (
"encoding/json"
"fmt"
"os"
"path/filepath"
"sync"
"time"
)
// PendingResult represents a command result awaiting acknowledgment
type PendingResult struct {
CommandID string `json:"command_id"`
SentAt time.Time `json:"sent_at"`
RetryCount int `json:"retry_count"`
}
// Tracker manages pending acknowledgments for command results
type Tracker struct {
pending map[string]*PendingResult
mu sync.RWMutex
filePath string
maxAge time.Duration // Max time to keep pending (default 24h)
maxRetries int // Max retries before giving up (default 10)
}
// NewTracker creates a new acknowledgment tracker
func NewTracker(statePath string) *Tracker {
return &Tracker{
pending: make(map[string]*PendingResult),
filePath: filepath.Join(statePath, "pending_acks.json"),
maxAge: 24 * time.Hour,
maxRetries: 10,
}
}
// Load restores pending acknowledgments from disk
func (t *Tracker) Load() error {
t.mu.Lock()
defer t.mu.Unlock()
// If file doesn't exist, that's fine (fresh start)
if _, err := os.Stat(t.filePath); os.IsNotExist(err) {
return nil
}
data, err := os.ReadFile(t.filePath)
if err != nil {
return fmt.Errorf("failed to read pending acks: %w", err)
}
if len(data) == 0 {
return nil // Empty file
}
var pending map[string]*PendingResult
if err := json.Unmarshal(data, &pending); err != nil {
return fmt.Errorf("failed to parse pending acks: %w", err)
}
t.pending = pending
return nil
}
// Save persists pending acknowledgments to disk
func (t *Tracker) Save() error {
t.mu.RLock()
defer t.mu.RUnlock()
// Ensure directory exists
dir := filepath.Dir(t.filePath)
if err := os.MkdirAll(dir, 0755); err != nil {
return fmt.Errorf("failed to create ack directory: %w", err)
}
data, err := json.MarshalIndent(t.pending, "", " ")
if err != nil {
return fmt.Errorf("failed to marshal pending acks: %w", err)
}
if err := os.WriteFile(t.filePath, data, 0600); err != nil {
return fmt.Errorf("failed to write pending acks: %w", err)
}
return nil
}
// Add marks a command result as pending acknowledgment
func (t *Tracker) Add(commandID string) {
t.mu.Lock()
defer t.mu.Unlock()
t.pending[commandID] = &PendingResult{
CommandID: commandID,
SentAt: time.Now(),
RetryCount: 0,
}
}
// Acknowledge marks command results as acknowledged and removes them
func (t *Tracker) Acknowledge(commandIDs []string) {
t.mu.Lock()
defer t.mu.Unlock()
for _, id := range commandIDs {
delete(t.pending, id)
}
}
// GetPending returns list of command IDs awaiting acknowledgment
func (t *Tracker) GetPending() []string {
t.mu.RLock()
defer t.mu.RUnlock()
ids := make([]string, 0, len(t.pending))
for id := range t.pending {
ids = append(ids, id)
}
return ids
}
// IncrementRetry increments retry count for a command
func (t *Tracker) IncrementRetry(commandID string) {
t.mu.Lock()
defer t.mu.Unlock()
if result, exists := t.pending[commandID]; exists {
result.RetryCount++
}
}
// Cleanup removes old or over-retried pending results
func (t *Tracker) Cleanup() int {
t.mu.Lock()
defer t.mu.Unlock()
now := time.Now()
removed := 0
for id, result := range t.pending {
// Remove if too old
if now.Sub(result.SentAt) > t.maxAge {
delete(t.pending, id)
removed++
continue
}
// Remove if retried too many times
if result.RetryCount >= t.maxRetries {
delete(t.pending, id)
removed++
continue
}
}
return removed
}
// Stats returns statistics about pending acknowledgments
func (t *Tracker) Stats() Stats {
t.mu.RLock()
defer t.mu.RUnlock()
stats := Stats{
Total: len(t.pending),
}
now := time.Now()
for _, result := range t.pending {
age := now.Sub(result.SentAt)
if age > 1*time.Hour {
stats.OlderThan1Hour++
}
if result.RetryCount > 0 {
stats.WithRetries++
}
if result.RetryCount >= 5 {
stats.HighRetries++
}
}
return stats
}
// Stats holds statistics about pending acknowledgments
type Stats struct {
Total int
OlderThan1Hour int
WithRetries int
HighRetries int
}

233
aggregator-agent/internal/circuitbreaker/circuitbreaker.go Normal file
View File

@@ -0,0 +1,233 @@
package circuitbreaker
import (
"fmt"
"sync"
"time"
)
// State represents the circuit breaker state
type State int
const (
StateClosed State = iota // Normal operation
StateOpen // Circuit is open, failing fast
StateHalfOpen // Testing if service recovered
)
func (s State) String() string {
switch s {
case StateClosed:
return "closed"
case StateOpen:
return "open"
case StateHalfOpen:
return "half-open"
default:
return "unknown"
}
}
// Config holds circuit breaker configuration
type Config struct {
FailureThreshold int // Number of failures before opening
FailureWindow time.Duration // Time window to track failures
OpenDuration time.Duration // How long circuit stays open
HalfOpenAttempts int // Successful attempts needed to close from half-open
}
// CircuitBreaker implements the circuit breaker pattern for subsystems
type CircuitBreaker struct {
name string
config Config
mu sync.RWMutex
state State
failures []time.Time // Timestamps of recent failures
consecutiveSuccess int // Consecutive successes in half-open state
openedAt time.Time // When circuit was opened
}
// New creates a new circuit breaker
func New(name string, config Config) *CircuitBreaker {
return &CircuitBreaker{
name: name,
config: config,
state: StateClosed,
failures: make([]time.Time, 0),
}
}
// Call executes the given function with circuit breaker protection
func (cb *CircuitBreaker) Call(fn func() error) error {
// Check if we can execute
if err := cb.beforeCall(); err != nil {
return err
}
// Execute the function
err := fn()
// Record the result
cb.afterCall(err)
return err
}
// beforeCall checks if the call should be allowed
func (cb *CircuitBreaker) beforeCall() error {
cb.mu.Lock()
defer cb.mu.Unlock()
switch cb.state {
case StateClosed:
// Normal operation, allow call
return nil
case StateOpen:
// Check if enough time has passed to try half-open
if time.Since(cb.openedAt) >= cb.config.OpenDuration {
cb.state = StateHalfOpen
cb.consecutiveSuccess = 0
return nil
}
// Circuit is still open, fail fast
return fmt.Errorf("circuit breaker [%s] is OPEN (will retry at %s)",
cb.name, cb.openedAt.Add(cb.config.OpenDuration).Format("15:04:05"))
case StateHalfOpen:
// In half-open state, allow limited attempts
return nil
default:
return fmt.Errorf("unknown circuit breaker state")
}
}
// afterCall records the result and updates state
func (cb *CircuitBreaker) afterCall(err error) {
cb.mu.Lock()
defer cb.mu.Unlock()
now := time.Now()
if err != nil {
// Record failure
cb.recordFailure(now)
// If in half-open, go back to open on any failure
if cb.state == StateHalfOpen {
cb.state = StateOpen
cb.openedAt = now
cb.consecutiveSuccess = 0
return
}
// Check if we should open the circuit
if cb.shouldOpen(now) {
cb.state = StateOpen
cb.openedAt = now
cb.consecutiveSuccess = 0
}
} else {
// Success
switch cb.state {
case StateHalfOpen:
// Count consecutive successes
cb.consecutiveSuccess++
if cb.consecutiveSuccess >= cb.config.HalfOpenAttempts {
// Enough successes, close the circuit
cb.state = StateClosed
cb.failures = make([]time.Time, 0)
cb.consecutiveSuccess = 0
}
case StateClosed:
// Clean up old failures on success
cb.cleanupOldFailures(now)
}
}
}
// recordFailure adds a failure timestamp
func (cb *CircuitBreaker) recordFailure(now time.Time) {
cb.failures = append(cb.failures, now)
cb.cleanupOldFailures(now)
}
// cleanupOldFailures removes failures outside the window
func (cb *CircuitBreaker) cleanupOldFailures(now time.Time) {
cutoff := now.Add(-cb.config.FailureWindow)
validFailures := make([]time.Time, 0)
for _, failTime := range cb.failures {
if failTime.After(cutoff) {
validFailures = append(validFailures, failTime)
}
}
cb.failures = validFailures
}
// shouldOpen determines if circuit should open based on failures
func (cb *CircuitBreaker) shouldOpen(now time.Time) bool {
cb.cleanupOldFailures(now)
return len(cb.failures) >= cb.config.FailureThreshold
}
// State returns the current circuit breaker state (thread-safe)
func (cb *CircuitBreaker) State() State {
cb.mu.RLock()
defer cb.mu.RUnlock()
return cb.state
}
// GetStats returns current circuit breaker statistics
func (cb *CircuitBreaker) GetStats() Stats {
cb.mu.RLock()
defer cb.mu.RUnlock()
stats := Stats{
Name: cb.name,
State: cb.state.String(),
RecentFailures: len(cb.failures),
ConsecutiveSuccess: cb.consecutiveSuccess,
}
if cb.state == StateOpen && !cb.openedAt.IsZero() {
nextAttempt := cb.openedAt.Add(cb.config.OpenDuration)
stats.NextAttempt = &nextAttempt
}
return stats
}
// Reset manually resets the circuit breaker to closed state
func (cb *CircuitBreaker) Reset() {
cb.mu.Lock()
defer cb.mu.Unlock()
cb.state = StateClosed
cb.failures = make([]time.Time, 0)
cb.consecutiveSuccess = 0
cb.openedAt = time.Time{}
}
// Stats holds circuit breaker statistics
type Stats struct {
Name string
State string
RecentFailures int
ConsecutiveSuccess int
NextAttempt *time.Time
}
// String returns a human-readable representation of the stats
func (s Stats) String() string {
if s.NextAttempt != nil {
return fmt.Sprintf("[%s] state=%s, failures=%d, next_attempt=%s",
s.Name, s.State, s.RecentFailures, s.NextAttempt.Format("15:04:05"))
}
return fmt.Sprintf("[%s] state=%s, failures=%d, success=%d",
s.Name, s.State, s.RecentFailures, s.ConsecutiveSuccess)
}

138
aggregator-agent/internal/circuitbreaker/circuitbreaker_test.go Normal file
View File

@@ -0,0 +1,138 @@
package circuitbreaker
import (
"errors"
"testing"
"time"
)
func TestCircuitBreaker_NormalOperation(t *testing.T) {
cb := New("test", Config{
FailureThreshold: 3,
FailureWindow: 1 * time.Minute,
OpenDuration: 1 * time.Minute,
HalfOpenAttempts: 2,
})
// Should allow calls in closed state
err := cb.Call(func() error { return nil })
if err != nil {
t.Fatalf("expected no error, got %v", err)
}
if cb.State() != StateClosed {
t.Fatalf("expected state closed, got %v", cb.State())
}
}
func TestCircuitBreaker_OpensAfterFailures(t *testing.T) {
cb := New("test", Config{
FailureThreshold: 3,
FailureWindow: 1 * time.Minute,
OpenDuration: 100 * time.Millisecond,
HalfOpenAttempts: 2,
})
testErr := errors.New("test error")
// Record 3 failures
for i := 0; i < 3; i++ {
cb.Call(func() error { return testErr })
}
// Should now be open
if cb.State() != StateOpen {
t.Fatalf("expected state open after %d failures, got %v", 3, cb.State())
}
// Next call should fail fast
err := cb.Call(func() error { return nil })
if err == nil {
t.Fatal("expected circuit breaker to reject call, but it succeeded")
}
}
func TestCircuitBreaker_HalfOpenRecovery(t *testing.T) {
cb := New("test", Config{
FailureThreshold: 2,
FailureWindow: 1 * time.Minute,
OpenDuration: 50 * time.Millisecond,
HalfOpenAttempts: 2,
})
testErr := errors.New("test error")
// Open the circuit
cb.Call(func() error { return testErr })
cb.Call(func() error { return testErr })
if cb.State() != StateOpen {
t.Fatal("circuit should be open")
}
// Wait for open duration
time.Sleep(60 * time.Millisecond)
// Should transition to half-open and allow call
err := cb.Call(func() error { return nil })
if err != nil {
t.Fatalf("expected call to succeed in half-open state, got %v", err)
}
if cb.State() != StateHalfOpen {
t.Fatalf("expected half-open state, got %v", cb.State())
}
// One more success should close it
cb.Call(func() error { return nil })
if cb.State() != StateClosed {
t.Fatalf("expected closed state after %d successes, got %v", 2, cb.State())
}
}
func TestCircuitBreaker_HalfOpenFailure(t *testing.T) {
cb := New("test", Config{
FailureThreshold: 2,
FailureWindow: 1 * time.Minute,
OpenDuration: 50 * time.Millisecond,
HalfOpenAttempts: 2,
})
testErr := errors.New("test error")
// Open the circuit
cb.Call(func() error { return testErr })
cb.Call(func() error { return testErr })
// Wait and attempt in half-open
time.Sleep(60 * time.Millisecond)
cb.Call(func() error { return nil }) // Half-open
// Fail in half-open - should go back to open
cb.Call(func() error { return testErr })
if cb.State() != StateOpen {
t.Fatalf("expected open state after half-open failure, got %v", cb.State())
}
}
func TestCircuitBreaker_Stats(t *testing.T) {
cb := New("test-subsystem", Config{
FailureThreshold: 3,
FailureWindow: 1 * time.Minute,
OpenDuration: 1 * time.Minute,
HalfOpenAttempts: 2,
})
stats := cb.GetStats()
if stats.Name != "test-subsystem" {
t.Fatalf("expected name 'test-subsystem', got %s", stats.Name)
}
if stats.State != "closed" {
t.Fatalf("expected state 'closed', got %s", stats.State)
}
if stats.RecentFailures != 0 {
t.Fatalf("expected 0 failures, got %d", stats.RecentFailures)
}
}

13
aggregator-agent/internal/client/client.go
View File

@@ -174,8 +174,9 @@ type Command struct {
// CommandsResponse contains pending commands
type CommandsResponse struct {
Commands []Command `json:"commands"`
RapidPolling *RapidPollingConfig `json:"rapid_polling,omitempty"`
Commands []Command `json:"commands"`
RapidPolling *RapidPollingConfig `json:"rapid_polling,omitempty"`
AcknowledgedIDs []string `json:"acknowledged_ids,omitempty"` // IDs server has received
}
// RapidPollingConfig contains rapid polling configuration from server
@@ -196,11 +197,15 @@ type SystemMetrics struct {
Uptime string `json:"uptime,omitempty"`
Version string `json:"version,omitempty"` // Agent version
Metadata map[string]interface{} `json:"metadata,omitempty"` // Additional metadata
// Command acknowledgment tracking
PendingAcknowledgments []string `json:"pending_acknowledgments,omitempty"` // Command IDs awaiting ACK
}
// GetCommands retrieves pending commands from the server
// Optionally sends lightweight system metrics in the request
func (c *Client) GetCommands(agentID uuid.UUID, metrics *SystemMetrics) ([]Command, error) {
// Returns the full response including commands and acknowledged IDs
func (c *Client) GetCommands(agentID uuid.UUID, metrics *SystemMetrics) (*CommandsResponse, error) {
url := fmt.Sprintf("%s/api/v1/agents/%s/commands", c.baseURL, agentID)
var req *http.Request
@@ -252,7 +257,7 @@ func (c *Client) GetCommands(agentID uuid.UUID, metrics *SystemMetrics) ([]Comma
}
}
return result.Commands, nil
return &result, nil
}
// UpdateReport represents discovered updates

13
aggregator-agent/internal/config/config.go
View File

@@ -80,6 +80,9 @@ type Config struct {
Metadata map[string]string `json:"metadata,omitempty"` // Custom metadata
DisplayName string `json:"display_name,omitempty"` // Human-readable name
Organization string `json:"organization,omitempty"` // Organization/group
// Subsystem Configuration
Subsystems SubsystemsConfig `json:"subsystems,omitempty"` // Scanner subsystem configs
}
// Load reads configuration from multiple sources with priority order:
@@ -144,8 +147,9 @@ func getDefaultConfig() *Config {
MaxBackups: 3,
MaxAge: 28, // 28 days
},
Tags: []string{},
Metadata: make(map[string]string),
Subsystems: GetDefaultSubsystemsConfig(),
Tags: []string{},
Metadata: make(map[string]string),
}
}
@@ -311,6 +315,11 @@ func mergeConfig(target, source *Config) {
if !source.RapidPollingUntil.IsZero() {
target.RapidPollingUntil = source.RapidPollingUntil
}
// Merge subsystems config
if source.Subsystems != (SubsystemsConfig{}) {
target.Subsystems = source.Subsystems
}
}
// validateConfig validates configuration values

95
aggregator-agent/internal/config/subsystems.go Normal file
View File

@@ -0,0 +1,95 @@
package config
import "time"
// SubsystemConfig holds configuration for individual subsystems
type SubsystemConfig struct {
// Execution settings
Enabled bool `json:"enabled"`
Timeout time.Duration `json:"timeout"` // Timeout for this subsystem
// Circuit breaker settings
CircuitBreaker CircuitBreakerConfig `json:"circuit_breaker"`
}
// CircuitBreakerConfig holds circuit breaker settings for subsystems
type CircuitBreakerConfig struct {
// Enabled controls whether circuit breaker is active
Enabled bool `json:"enabled"`
// FailureThreshold is the number of consecutive failures before opening the circuit
FailureThreshold int `json:"failure_threshold"`
// FailureWindow is the time window to track failures (e.g., 3 failures in 10 minutes)
FailureWindow time.Duration `json:"failure_window"`
// OpenDuration is how long the circuit stays open before attempting recovery
OpenDuration time.Duration `json:"open_duration"`
// HalfOpenAttempts is the number of test attempts in half-open state before fully closing
HalfOpenAttempts int `json:"half_open_attempts"`
}
// SubsystemsConfig holds all subsystem configurations
type SubsystemsConfig struct {
APT SubsystemConfig `json:"apt"`
DNF SubsystemConfig `json:"dnf"`
Docker SubsystemConfig `json:"docker"`
Windows SubsystemConfig `json:"windows"`
Winget SubsystemConfig `json:"winget"`
Storage SubsystemConfig `json:"storage"`
}
// GetDefaultSubsystemsConfig returns default subsystem configurations
func GetDefaultSubsystemsConfig() SubsystemsConfig {
// Default circuit breaker config
defaultCB := CircuitBreakerConfig{
Enabled: true,
FailureThreshold: 3, // 3 consecutive failures
FailureWindow: 10 * time.Minute, // within 10 minutes
OpenDuration: 30 * time.Minute, // circuit open for 30 min
HalfOpenAttempts: 2, // 2 successful attempts to close circuit
}
// Aggressive circuit breaker for Windows Update (known to be slow/problematic)
windowsCB := CircuitBreakerConfig{
Enabled: true,
FailureThreshold: 2, // Only 2 failures
FailureWindow: 15 * time.Minute,
OpenDuration: 60 * time.Minute, // Open for 1 hour
HalfOpenAttempts: 3,
}
return SubsystemsConfig{
APT: SubsystemConfig{
Enabled: true,
Timeout: 30 * time.Second,
CircuitBreaker: defaultCB,
},
DNF: SubsystemConfig{
Enabled: true,
Timeout: 45 * time.Second, // DNF can be slower
CircuitBreaker: defaultCB,
},
Docker: SubsystemConfig{
Enabled: true,
Timeout: 60 * time.Second, // Registry queries can be slow
CircuitBreaker: defaultCB,
},
Windows: SubsystemConfig{
Enabled: true,
Timeout: 10 * time.Minute, // Windows Update can be VERY slow
CircuitBreaker: windowsCB,
},
Winget: SubsystemConfig{
Enabled: true,
Timeout: 2 * time.Minute, // Winget has multiple retry strategies
CircuitBreaker: defaultCB,
},
Storage: SubsystemConfig{
Enabled: true,
Timeout: 10 * time.Second, // Disk info should be fast
CircuitBreaker: defaultCB,
},
}
}

55
aggregator-agent/test_disk.go Normal file
View File

@@ -0,0 +1,55 @@
package main
import (
"encoding/json"
"fmt"
"log"
"github.com/Fimeg/RedFlag/aggregator-agent/internal/system"
)
func main() {
// Test lightweight metrics (most common use case)
fmt.Println("=== Enhanced Lightweight Metrics Test ===")
metrics, err := system.GetLightweightMetrics()
if err != nil {
log.Printf("Error getting lightweight metrics: %v", err)
} else {
// Pretty print the JSON
jsonData, _ := json.MarshalIndent(metrics, "", " ")
fmt.Printf("LightweightMetrics:\n%s\n\n", jsonData)
// Show key findings
fmt.Printf("Root Disk: %.1fGB used / %.1fGB total (%.1f%%)\n",
metrics.DiskUsedGB, metrics.DiskTotalGB, metrics.DiskPercent)
if metrics.LargestDiskTotalGB > 0 {
fmt.Printf("Largest Disk (%s): %.1fGB used / %.1fGB total (%.1f%%)\n",
metrics.LargestDiskMount, metrics.LargestDiskUsedGB, metrics.LargestDiskTotalGB, metrics.LargestDiskPercent)
} else {
fmt.Printf("No largest disk detected (this might be the issue!)\n")
}
}
// Test full system info (detailed disk inventory)
fmt.Println("\n=== Enhanced System Info Test ===")
sysInfo, err := system.GetSystemInfo("test-v0.1.5")
if err != nil {
log.Printf("Error getting system info: %v", err)
} else {
fmt.Printf("Found %d disks:\n", len(sysInfo.DiskInfo))
for i, disk := range sysInfo.DiskInfo {
fmt.Printf(" Disk %d: %s (%s) - %s, %.1fGB used / %.1fGB total (%.1f%%)",
i+1, disk.Mountpoint, disk.Filesystem, disk.DiskType,
float64(disk.Used)/(1024*1024*1024), float64(disk.Total)/(1024*1024*1024), disk.UsedPercent)
if disk.IsRoot {
fmt.Printf(" [ROOT]")
}
if disk.IsLargest {
fmt.Printf(" [LARGEST]")
}
fmt.Printf("\n")
}
}
}