docs(aclk): update ACLK proxy documentation with new log message formats#21806
Open
kanelatechnical wants to merge 2 commits intomasterfrom
Open
docs(aclk): update ACLK proxy documentation with new log message formats#21806kanelatechnical wants to merge 2 commits intomasterfrom
kanelatechnical wants to merge 2 commits intomasterfrom
Conversation
Add troubleshooting section explaining new log formats for ACLK proxy connection messages that will be available starting from nightly build 2026-02-20. - Document proxy resolution messages (no proxy, explicit none, env vars) - Document connection time messages (MQTT WSS, HTTPS, OTP/challenge) - Document error messages (CONNECT failed, proxy response errors) - Document state reporting format changes - Add interpretation guide for common issues - Link to related security documentation These new log formats will help users diagnose ACLK proxy configuration issues more easily by showing exactly which proxy configuration is being used and where it came from. Related to PR #21789 (internal ACLK logging improvements)
Contributor
Author
|
Reopening to update documentation |
Contributor
There was a problem hiding this comment.
2 issues found across 1 file
Confidence score: 4/5
- Documentation inconsistencies in
src/claim/README.mdabout proxy support and env vars could mislead users, but they’re low-severity and not runtime-breaking. - Overall risk is low because the issues are confined to docs and have moderate severity/confidence only.
- Pay close attention to
src/claim/README.md- clarify HTTPS proxy support vs earlier text, and alignhttps_proxyvshttp_proxyusage.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/claim/README.md">
<violation number="1" location="src/claim/README.md:153">
P2: The new log example references `https_proxy`, but the existing proxy configuration docs state only `http_proxy` is used when `proxy = env`. This inconsistency can mislead users about which env var is supported.</violation>
<violation number="2" location="src/claim/README.md:248">
P2: The list of supported proxy types now includes HTTPS proxies, but earlier documentation in this file says secure proxy connections are not supported. This is contradictory and can mislead users into configuring an unsupported proxy type.</violation>
</file>
Architecture diagram
sequenceDiagram
participant Tester as netdata_tester (NEW)
participant Agent as Netdata Agent (ACLK)
participant Configs as Config Sources (Env/Cloud/Netdata.conf)
participant Proxy as Proxy Server (HTTP/SOCKS5)
participant Cloud as Netdata Cloud (API/MQTT)
Note over Tester,Cloud: ACLK Proxy Resolution & Connection Flow
Tester->>Agent: NEW: Run testable claims/verify config
Agent->>Configs: Load proxy settings
Note right of Agent: NEW: Log resolution source<br/>(e.g., "from env", "from cloud.conf")
alt Proxy Configured
Agent->>Proxy: TCP CONNECT (Request tunnel)
alt Success (200 OK)
Proxy-->>Agent: Tunnel Established
else Failure (407/502/503)
Note right of Agent: NEW: Log Error (e.g., "Proxy Auth Required")
Proxy-->>Agent: HTTP Error Code
end
else No Proxy
Note right of Agent: NEW: Log "connect directly"
end
group Connection Sequence
Agent->>Cloud: OTP/Challenge (HTTPS) via Proxy
Cloud-->>Agent: Auth Success
Agent->>Cloud: MQTT WSS Connection via Proxy
Note right of Agent: NEW: Log "connecting to mqtt... via proxy"
Cloud-->>Agent: Stream Established
end
Tester->>Agent: Execute `aclk-state`
Agent-->>Tester: CHANGED: Return status with source info
Note over Tester,Agent: New format includes credentials status & config source
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Contributor
There was a problem hiding this comment.
18 issues found across 10 files (changes from recent commits).
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="netdata_tester/reporters.py">
<violation number="1" location="netdata_tester/reporters.py:94">
P1: JSONFormatter.format returns a dict, but report outputs are written as strings. When `json` is selected, `write(report)` will raise a TypeError. Serialize the dict to JSON before returning.</violation>
<violation number="2" location="netdata_tester/reporters.py:173">
P2: JUnit XML currently adds a `<failure>` element for skipped and error statuses. That makes skipped tests look like failures and loses error semantics. Only FAIL should add `<failure>`, and ERROR should use `<error>`.</violation>
<violation number="3" location="netdata_tester/reporters.py:254">
P2: export_to_file can crash on unknown formats because `FORMATTERS.get(...)` has no default before calling `()`. Provide a fallback formatter to avoid a TypeError.</violation>
</file>
<file name="netdata_tester/source_verifier.py">
<violation number="1" location="netdata_tester/source_verifier.py:143">
P2: The `=` guard makes the Go config option matcher impossible to satisfy, so config options in Go files won’t be indexed. Drop the `=` check so colon-based struct literals are captured.</violation>
</file>
<file name="netdata_tester/managers.py">
<violation number="1" location="netdata_tester/managers.py:204">
P1: Shell command construction interpolates unsanitized key/value into a single-quoted echo and leaves file_path unquoted, allowing command injection or broken writes when values contain quotes/whitespace. Use proper shell escaping (e.g., shlex.quote) or upload the content via a safe channel (scp/sftp).</violation>
<violation number="2" location="netdata_tester/managers.py:424">
P2: Here-doc writes raw content into the SSH command; if the content contains a line equal to `EOF` the write truncates. Use a safer transfer (e.g., base64 encode/decode or SCP/SFTP) instead of embedding raw content in the command.</violation>
</file>
<file name="netdata_tester/github.py">
<violation number="1" location="netdata_tester/github.py:58">
P0: **Security: SSL certificate verification is completely disabled.** This makes all GitHub API requests (which include the Bearer token in the `Authorization` header) vulnerable to man-in-the-middle attacks. An attacker on the network could intercept the GitHub token or tamper with API responses.
Remove the custom SSL context entirely — `urllib.request.urlopen` uses secure defaults. If you need to handle corporate proxy/CA issues, load the appropriate CA bundle instead of disabling verification.</violation>
<violation number="2" location="netdata_tester/github.py:182">
P2: Mutable default argument `[".md", ".mdx"]` is shared across all calls. If the list is ever mutated, subsequent calls will see the modified value. Use `None` and assign inside the function body.</violation>
<violation number="3" location="netdata_tester/github.py:241">
P2: The `break` on `line.startswith("---")` will prematurely stop processing the patch when encountering a deleted line whose content starts with `--` (e.g., a markdown frontmatter `---` delimiter appears as `----` in the diff, and `"----".startswith("---")` is `True`). This truncates the extracted content. Remove this break or use a more precise condition.</violation>
<violation number="4" location="netdata_tester/github.py:279">
P2: `self.client` is reassigned here, permanently changing the instance's GitHub client configuration. After calling `compare_docs_with_source(remote_owner='other')`, subsequent calls like `fetch_pr_documentation()` will unexpectedly target the wrong repository. Use a local variable instead.</violation>
</file>
<file name="netdata_tester/parser.py">
<violation number="1" location="netdata_tester/parser.py:181">
P2: Code-block claims drop the originating file path (`file_path=""`), so downstream consumers cannot trace which document the claim came from. Consider threading the source name into code block extraction and setting file_path accordingly.</violation>
<violation number="2" location="netdata_tester/parser.py:309">
P2: The file-path regex misses the standard "~/.netdata" path because it looks for "~.netdata" (no slash). This prevents path extraction from claims that use the documented format.</violation>
</file>
<file name="netdata_tester/executors.py">
<violation number="1" location="netdata_tester/executors.py:133">
P1: execute_claim returns None for SKIP claims, so callers expecting a TestResult may crash when they access result.status. Return the populated TestResult instead.</violation>
<violation number="2" location="netdata_tester/executors.py:206">
P2: Unreachable return references undefined `results` in _health_degraded. Remove the stray return to avoid dead code and future NameError risks.</violation>
</file>
<file name="netdata_tester/cli.py">
<violation number="1" location="netdata_tester/cli.py:134">
P3: `--parallel` is defined but never used, so it has no effect. Either wire it into the executor’s concurrency handling or remove the option to avoid a misleading CLI flag.</violation>
<violation number="2" location="netdata_tester/cli.py:143">
P2: The --auto-recovery option is documented as enabled by default, but `action="store_true"` makes the default False, disabling crash recovery unless the flag is provided. Align the flag behavior with the documented default (e.g., use a `--no-auto-recovery` flag with `store_false` and default True, or fix the help text).</violation>
</file>
<file name="netdata_tester/utils.py">
<violation number="1" location="netdata_tester/utils.py:36">
P2: Avoid hardcoded default credentials in VMConfig. Defaulting to a real password can leak secrets and encourages running tests with an embedded password. Load from environment/config and require explicit user input instead.</violation>
<violation number="2" location="netdata_tester/utils.py:169">
P1: TLS verification is disabled for all HTTPS requests. This makes test traffic vulnerable to MITM and can hide certificate issues. Keep default verification unless explicitly running in an insecure mode.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
bee2011 to
d1ef8c0
Compare
d1ef8c0 to
a266cbc
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Agent claiming/ACLK documentation to include a dedicated troubleshooting section for proxy-related connection issues, documenting the new/updated ACLK proxy log message formats referenced in PR #21789.
Changes:
- Added a new “Troubleshooting ACLK Proxy Connection Issues” section.
- Documented proxy resolution, connection, error, and
netdatacli aclk-statemessage formats. - Added an interpretation guide and common issues/solutions table.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+169
to
+173
| **SOCKS5 proxy from netdata.conf:** | ||
| ``` | ||
| ACLK: using SOCKS5 proxy socks5://socks.internal:1080 (without credentials, from netdata.conf [cloud]) | ||
| ``` | ||
| The Agent is using a SOCKS5 proxy configured in netdata.conf. |
There was a problem hiding this comment.
This troubleshooting section documents SOCKS5 proxy resolution and aclk-state output examples, but in the current agent code ACLK-NG exits early when a SOCKS5 proxy is configured (netdata_log_error("ACLK: SOCKS5 proxy is not supported by ACLK-NG yet.") in src/aclk/aclk.c:845-850). Either clarify the version/feature flag where SOCKS5 becomes supported, or adjust the examples so they don’t imply SOCKS5 works for ACLK in this release line.
Comment on lines
+219
to
+227
| **Old format:** | ||
| ``` | ||
| ACLK Proxy: socks5://[email protected]:1080 | ||
| ``` | ||
|
|
||
| **New format:** | ||
| ``` | ||
| ACLK Proxy: socks5://socks.internal:1080 (with credentials, from cloud.conf) | ||
| ``` |
There was a problem hiding this comment.
netdatacli aclk-state examples here show SOCKS5 proxy details. Given the current behavior where ACLK-NG doesn’t support SOCKS5 proxies (see src/aclk/aclk.c:845-850), these state-reporting examples may be inaccurate/misleading unless SOCKS5 support landed alongside the referenced logging changes. Please align the examples with actual supported proxy types for the targeted nightly.
8fc8ee3 to
a4a9d58
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| **HTTP proxy from cloud.conf:** | ||
| ``` | ||
| ACLK: using HTTP proxy http://proxy.internal:8080 (with credentials, from cloud.conf) |
There was a problem hiding this comment.
Similar to line 153, this example shows credentials in plain text. The proxy URL should display credentials as "XXXXX" to match the actual censored log output. The example should read: "ACLK: using HTTP proxy http://[email protected]:8080 (with credentials, from cloud.conf)"
Suggested change
| ACLK: using HTTP proxy http://proxy.internal:8080 (with credentials, from cloud.conf) | |
| ACLK: using HTTP proxy http://XXXXX@proxy.internal:8080 (with credentials, from cloud.conf) |
5ec73bb to
f8a4297
Compare
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
f8a4297 to
c663eba
Compare
Member
|
@kanelatechnical, please prefer adding new commits instead of force pushing. Reviewers may have already gone through your PR, and a force push requires them to review everything again since it’s not clear what changed. This makes the review process significantly more difficult and time-consuming. |
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ## Manage Connections | ||
| ## Troubleshooting ACLK Proxy Connection Issues | ||
|
|
||
| ### New Log Message Formats (Starting from Nightly Build 2026-02-25) |
There was a problem hiding this comment.
The PR description mentions "nightly build 2026-02-20" but the documentation states "2026-02-25". Please ensure the date is consistent throughout all documentation and matches the actual nightly build date when these changes will be available.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Update ACLK proxy documentation with new log message formats that will be available starting from nightly build 2026-02-20.
Changes
New Log Message Formats
Proxy Resolution Messages
Connection Time Messages
Error Messages
State Reporting
aclk-stateoutputContext
These changes align with PR #21789 (internal ACLK logging improvements) and will help users better understand and diagnose ACLK proxy connection issues by showing which configuration source is being used.
Summary by cubic
Updated ACLK proxy docs with new log message formats (starting nightly 2026-02-25) and a quick troubleshooting guide to diagnose proxy connection issues faster. Clarifies aclk-state output with proxy source and whether credentials are present.
Written for commit 82786b7. Summary will update on new commits.