
@milan-zededa (Contributor) commented Sep 30, 2025

Description

Previously, diagnostic network connectivity checks were hardcoded to use www.google.com over HTTP/HTTPS. In some deployments this can be blocked by firewalls or trigger unwanted security alerts.

This change introduces two new global config options:

  • diag.probe.remote.http.endpoint
  • diag.probe.remote.https.endpoint

These define the remote endpoints (URL; a bare IP is also accepted for HTTP) that EVE will query over HTTP/HTTPS when the controller is unreachable. They are used only for diagnostics (no functional impact) and can be disabled by setting them to an empty string.

Backport of #5258, also including fix #5270

How to test and validate this PR

  1. Onboard an edge-node and configure diag.probe.remote.http.endpoint and diag.probe.remote.https.endpoint to point to remote (e.g., on the Internet) web servers other than www.google.com.

  2. Block connectivity between the edge-node and the controller (e.g., block the controller IP on the firewall).

  3. Check the console output (or /run/diag.out) to confirm that the configured endpoints are being queried instead of www.google.com. Example output:

...
ERROR: eth0: ping failed to mydomain.adam:3333; trying http://www.shmu.sk, https://go.dev
INFO: eth0: http://www.shmu.sk StatusOK
WARNING: eth0: Can reach http://www.shmu.sk but not https://mydomain.adam:3333
INFO: eth0: https://go.dev StatusOK
WARNING: eth0: Can reach https://go.dev but not https://mydomain.adam:3333
  4. Verify that collected nettraces correspond to the configured endpoints and not to www.google.com.
    On the device, unpack a /persist/netdump/nim-fail-* tarball created during controller connectivity failure:
/persist/netdump$ tar -xvf nim-fail-2025-09-26T11-36-50.tgz
nim-fail-2025-09-26T11-36-50
nim-fail-2025-09-26T11-36-50/eve
nim-fail-2025-09-26T11-36-50/linux
nim-fail-2025-09-26T11-36-50/requests
...
nim-fail-2025-09-26T11-36-50/requests/ping-controller-eth0-0
nim-fail-2025-09-26T11-36-50/requests/ping-controller-eth0-0/nettrace.json
nim-fail-2025-09-26T11-36-50/requests/ping-controller-eth0-0/eth0.pcap
nim-fail-2025-09-26T11-36-50/requests/http-www.shmu.sk-eth0-0
nim-fail-2025-09-26T11-36-50/requests/http-www.shmu.sk-eth0-0/nettrace.json
nim-fail-2025-09-26T11-36-50/requests/http-www.shmu.sk-eth0-0/eth0.pcap
nim-fail-2025-09-26T11-36-50/requests/https-go.dev-eth0-0
nim-fail-2025-09-26T11-36-50/requests/https-go.dev-eth0-0/nettrace.json
nim-fail-2025-09-26T11-36-50/requests/https-go.dev-eth0-0/eth0.pcap

Check the directory names where each nettrace.json is stored. Optionally, inspect the JSON files themselves to confirm the target endpoints.

  5. Re-enable connectivity between the edge-node and the controller.

  6. Set both configuration properties to empty strings.

  7. Block connectivity between the edge-node and the controller again.

  8. Repeat the same checks (diag.out + nettrace output) and confirm that there are no connectivity tests beyond the controller /ping request.

  9. (Optional) Capture packets on the management ports to confirm that www.google.com (or any previously configured remote endpoints) are no longer queried.
    With both properties empty, there should be no HTTP (port 80) traffic originating from EVE.

Changelog notes

Remote endpoints used to assess connectivity when the controller is unreachable are now configurable via properties diag.probe.remote.http.endpoint and diag.probe.remote.https.endpoint. These probes are used only for diagnostics and can be disabled by setting the properties to an empty string.

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR
  • I've added a reference link to the original PR
  • PR's title follows the template
  • I've checked the boxes above, or I've provided a good reason why I didn't check them.
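An added example, not EVE's code and not part of the PR (the diff itself is not on this page): a small Go program with the probe semantics the description lays out, so the behaviour being tested above can be seen in working code. An empty value disables the probe, a URL is used as given, a bare IP is accepted for HTTP only, and each probe only reports. It runs against local httptest servers so it works offline. The function names, the allowance for IP:port, the rule that HTTPS must be a full https:// URL, the timeout value and the output format are assumptions made here, not EVE's.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// ProbeResult is the outcome of one diagnostic request to a remote endpoint.
type ProbeResult struct {
	Scheme string // "http" or "https"
	URL    string // normalized URL actually queried; "" when the probe is disabled
	Status int    // HTTP status code; 0 if no response was received
	Err    error  // configuration or transport error; nil on success or when disabled
}

// Disabled reports whether the probe was skipped because its endpoint was empty.
func (r ProbeResult) Disabled() bool { return r.URL == "" && r.Err == nil }

// NormalizeEndpoint turns a configured value into the URL to query for scheme.
// As in the PR text: "" disables the probe, a URL is used as given, a bare IP is
// accepted for HTTP only (assumption here: an optional :port is allowed too).
// HTTPS requires a full https:// URL (assumption, not EVE's documented rule).
func NormalizeEndpoint(scheme, value string) (string, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return "", nil
	}
	if !strings.Contains(value, "://") {
		if scheme != "http" {
			return "", fmt.Errorf("%s endpoint %q must be a full URL", scheme, value)
		}
		host := value
		if h, _, err := net.SplitHostPort(value); err == nil {
			host = h
		}
		if net.ParseIP(host) == nil {
			return "", fmt.Errorf("http endpoint %q is neither a URL nor an IP", value)
		}
		value = "http://" + value
	}
	u, err := url.Parse(value)
	if err != nil {
		return "", err
	}
	if u.Scheme != scheme {
		return "", fmt.Errorf("endpoint %q has scheme %q, want %q", value, u.Scheme, scheme)
	}
	if u.Host == "" {
		return "", fmt.Errorf("endpoint %q has no host", value)
	}
	return u.String(), nil
}

// Probe issues one GET to the endpoint. It only reports; nothing on the device
// changes because of the outcome, which is the "diagnostics only" contract.
func Probe(ctx context.Context, client *http.Client, scheme, endpoint string) ProbeResult {
	res := ProbeResult{Scheme: scheme}
	target, err := NormalizeEndpoint(scheme, endpoint)
	if err != nil || target == "" {
		res.Err = err
		return res
	}
	res.URL = target
	if client == nil {
		client = &http.Client{Timeout: 10 * time.Second} // a hung probe must not stall diag
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, target, nil)
	if err != nil {
		res.Err = err
		return res
	}
	resp, err := client.Do(req)
	if err != nil {
		res.Err = err
		return res
	}
	resp.Body.Close()
	res.Status = resp.StatusCode
	return res
}

// ProbeAll runs the HTTP probe and then the HTTPS probe, as diag does after /ping fails.
func ProbeAll(ctx context.Context, client *http.Client, httpEP, httpsEP string) []ProbeResult {
	return []ProbeResult{Probe(ctx, client, "http", httpEP), Probe(ctx, client, "https", httpsEP)}
}

// FormatLine renders a result in the style of the diag.out excerpt, e.g.
// "INFO: eth0: http://www.shmu.sk StatusOK" (StatusText "OK" -> "StatusOK").
func FormatLine(iface string, r ProbeResult) string {
	switch {
	case r.Err != nil:
		return fmt.Sprintf("ERROR: %s: %s probe failed: %v", iface, r.Scheme, r.Err)
	case r.Disabled():
		return fmt.Sprintf("INFO: %s: %s probe disabled (endpoint empty)", iface, r.Scheme)
	}
	return fmt.Sprintf("INFO: %s: %s Status%s", iface, r.URL, strings.ReplaceAll(http.StatusText(r.Status), " ", ""))
}

func main() {
	// Constructed local stand-ins for the remote endpoints, so the example runs offline.
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	httpSrv, tlsSrv := httptest.NewServer(ok), httptest.NewTLSServer(ok)
	defer httpSrv.Close()
	defer tlsSrv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	// tlsSrv.Client() trusts only the test server's certificate; verification stays on.
	for _, r := range ProbeAll(ctx, tlsSrv.Client(), httpSrv.URL, tlsSrv.URL) {
		fmt.Println(FormatLine("eth0", r))
	}
	for _, r := range ProbeAll(ctx, tlsSrv.Client(), "", "") { // both empty: no probe traffic at all
		fmt.Println(FormatLine("eth0", r))
	}
}
```

Two points worth keeping in mind when setting these properties on a real device: the endpoint is operator-controlled, so whatever is configured receives a plain GET from every management port whenever the controller is unreachable, and an HTTP endpoint is cleartext, so a passive observer on the path learns that the device exists and that its controller path is down. Leaving both properties empty removes that traffic entirely, which is what steps 6 to 9 above confirm.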

Previously, diagnostic network connectivity checks were hardcoded
to use www.google.com over HTTP/HTTPS. In some deployments this can
be blocked by firewalls or trigger unwanted security alerts.

This change introduces two new global config options:
  - diag.probe.remote.http.endpoint
  - diag.probe.remote.https.endpoint

These define the remote endpoints (URLs) that EVE will query over
HTTP/HTTPS when the controller is unreachable. They are used only for
diagnostics (no functional impact) and can be disabled by setting them
to an empty string.

Signed-off-by: Milan Lenco <[email protected]>
(cherry picked from commit b2ac013)
@OhmSpectator OhmSpectator merged commit d1ba6de into lf-edge:14.5-stable Oct 1, 2025
36 of 50 checks passed