[Feature flag] Rollout of `global_dependency_scanning_on_advisory_ingestion`
Summary
This issue is to rollout CVS on advisory DB change (GA) on production, that is currently behind the global_dependency_scanning_on_advisory_ingestion
feature flag. For GA, we'll be enabling this feature on all GitLab Ultimate projects so that they receive the latest dependency scanning vulnerability information.
Owners
- Most appropriate Slack channel to reach out to:
#g_secure_composition_analysis
- PM: John Crowley =>
@johncrowley
- DRI: Fabien Catteau =>
@fcatteau
- Team: groupcomposition analysis =>
@gitlab-org/secure/composition-analysis-be
Stakeholders
- groupthreat insights can provide guidance if there is an impact on vulnerability ingestion
Timeline
Timeline is being discussed in #427424 (comment 1651050566).
This starts once we have GLAD advisories to export AND we're ready to enable CVS globally.
We assume that the GitLab Advisory DB gets new advisories every day, which isn't always the case.
- Day 1: Rollout on non-production environments.
- Enable
global_dependency_scanning_on_advisory_ingestion
. - Trigger the
prod advisories exporter v2
pipeline manually. - Start monitoring until the sync and all the scans have completed.
- Enable
- Day 2: Rollout on production.
- Enable
global_dependency_scanning_on_advisory_ingestion
. - Trigger the
prod advisories exporter v2
pipeline manually. - Start monitoring until the sync and all the scans have completed.
- If these go wrong, purge the queue, kill the jobs, and disable the flag.
- If things go well, re-enable
prod advisories exporter v2
(scheduled pipeline) so that it runs daily.
- Enable
- Day 3-7: Monitor on production.
- Monitor CVS GA from the moment
prod advisories exporter v2
runs (8am UTC) until the sync has completed.
- Monitor CVS GA from the moment
- Day 8: Enable the flag by default, merge the doc update and release post.
Expectations
What are we expecting to happen?
When this feature is rolled out,
-
Continuous vulnerability scans will be carried out across all eligible projects (all projects that have GitLab Ultimate). Prior to this change, GitLab Ultimate projects have the option to toggle this feature (part of the experiment phase). This behavior is still in place once we turn on the feature flag, but the toggle is removed from the project settings (#428773 (closed)). - Projects where the opt-in feature has been turned on are scanned by the
AdvisoryScanWorker
. - Once the feature flag is enabled, all compatible projects are scanned by theGlobalAdvisoryScanWorker
, including the ones that opted in.CVS is idempotent and scanning the same project twice doesn't create duplicates.
-
CVS no longer shows up in the security settings of Ultimate projects. See #427424 (comment 1659213233).
We're rolling this out behind a feature flag to minimize the risk of degrading performance when we start to scan all projects.
When is the feature viable?
-
Collect metrics using snowplow. -
Improve performance of vulnerability creation service so that we can create vulnerabilities for multiple projects at once.
What might happen if this goes wrong?
-
If this degrades performance for others (noisy neighbor problem), we should turn off the feature flag. If the feature flag is disabled, the scanning will revert to only occurring on projects with the feature manually enabled.
-
If the previous step does not remove the queued jobs quickly enough, reach out to an SRE to remove the
PackageMetadata::GlobalAdvisoryScan
jobs manually.See the following from the teleport rails console connection guide
It is worth noting that the current access granted is a read-only access, if you need to perform write operations to the production environment, then declare a change in
#production
slack channel using the/change declare
command, after filling the steps and other details, an SRE should be able to execute the change for you.
What can we monitor to detect problems with this?
AdvisoriesSyncWorker
logs- CVS GA (enabled by the flag)
- CVS experiment (still in place)
-
PostgreSQL capacity and saturation
- After enabling the feature flag and ingesting new advisories, we should not see a large drop in transaction per second. If there is a direct correlation with the rollout of the feature flag, we should disable the feature flag to prevent degrading performance for others.
- Sisense graphs (GA and experiment combined)
For staging, see #427424 (comment 1652388966).
What can we check for monitoring production after rollouts?
- Sentry Query:
is:unresolved transaction:Sidekiq/PackageMetadata::AdvisoryScanWorker
- Kibana (adjust query timeframe as needed)
Rollout Steps
Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command.
Rollout on non-production environments
- Verify the MR with the feature flag is merged to
master
and have been deployed to non-production environments with/chatops run auto_deploy status <merge-commit-of-your-feature>
-
Deploy the feature flag at a percentage (recommended percentage: 50%) with /chatops run feature set global_dependency_scanning_on_advisory_ingestion <rollout-percentage> --actors --dev --staging --staging-ref
-
Monitor that the error rates did not increase (repeat with a different percentage as necessary). -
Enable the feature globally on non-production environments with /chatops run feature set global_dependency_scanning_on_advisory_ingestion true --dev --staging --staging-ref
-
Verify that the feature works as expected. The best environment to validate the feature in is staging-canary
as this is the first environment deployed to. Make sure you are configured to use canary. -
If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking deployments.
For assistance with end-to-end test failures, please reach out via the #quality
Slack channel. Note that end-to-end test failures on staging-ref
don't block deployments.
Specific rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
Slack channel and cross-posted (with the command results) to the responsible team's Slack channel (#g_secure_composition-analysis
).
-
Ensure that the feature MRs have been deployed to both production and canary with /chatops run auto_deploy status <merge-commit-of-your-feature>
-
Depending on the type of actor you are using, pick one of these options: - For project-actor:
/chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com global_dependency_scanning_on_advisory_ingestion true
- For group-actor:
/chatops run feature set --group=gitlab-org,gitlab-com global_dependency_scanning_on_advisory_ingestion true
- For user-actor:
/chatops run feature set --user=<your-username> global_dependency_scanning_on_advisory_ingestion true
- For project-actor:
-
Verify that the feature works for the specific actors.
Preparation before global rollout
-
Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable. -
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated. -
Leave a comment on the feature issue announcing estimated time when this feature flag will be enabled on GitLab.com. -
Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware. -
Notify the #support_gitlab-com
Slack channel and your team channel (more guidance when this is necessary in the dev docs). -
Ensure that the feature flag rollout plan is reviewed by another developer familiar with the domain.
Global rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
Slack channel and cross-posted (with the command results) to the responsible team's Slack channel (#g_secure_composition-analysis
).
-
(Optional) Incrementally roll out the feature on production environment. - Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net.
- Perform actor-based rollout:
/chatops run feature set global_dependency_scanning_on_advisory_ingestion <rollout-percentage> --actors
-
Enable the feature globally on production environment: /chatops run feature set global_dependency_scanning_on_advisory_ingestion true
-
Observe appropriate graphs on https://dashboards.gitlab.net and verify that services are not affected. -
Leave a comment on the feature issue announcing that the feature has been globally enabled. -
Wait for at least one day for the verification term.
(Optional) Release the feature with the feature flag
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
See instructions if you're sure about enabling the feature globally through the feature flag definition
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Review what warrants a changelog entry and decide if a changelog entry is needed.
-
-
Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check <merge-request-url> <milestone>
-
Consider cleaning up the feature flag from all environments by running these chatops command in #production
channel. Otherwise these settings may override the default enabled:/chatops run feature delete global_dependency_scanning_on_advisory_ingestion --dev --staging --staging-ref --production
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Set the next milestone to this rollout issue for scheduling the flag removal. -
(Optional) You can create a separate issue for scheduling the steps below to Release the feature. -
Set the title to "[Feature flag] Cleanup global_dependency_scanning_on_advisory_ingestion
". -
Execute the /copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. -
Link this rollout issue as a related issue. -
Close this rollout issue.
-
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.
-
Create a merge request to remove the global_dependency_scanning_on_advisory_ingestion
feature flag. Ask for review/approval/merge as usual. The MR should include the following changes:- Remove all references to the feature flag from the codebase.
- Remove the YAML definitions for the feature from the repository.
- Create a changelog entry.
-
Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check <merge-request-url> <milestone>
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Clean up the feature flag from all environments by running these chatops command in #production
channel:/chatops run feature delete global_dependency_scanning_on_advisory_ingestion --dev --staging --staging-ref --production
-
Close this rollout issue.
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set global_dependency_scanning_on_advisory_ingestion false
-
If the previous step does not remove the queued jobs quickly enough, reach out to an SRE to remove the PackageMetadata::GlobalAdvisoryScan
jobs manually. See #427424 (closed)
🤖
Auto-Summary Discoto Usage
Points
Discussion points are declared by headings, list items, and single lines that start with the text (case-insensitive)
point:
. For example, the following are all valid points:
#### POINT: This is a point
* point: This is a point
+ Point: This is a point
- pOINT: This is a point
point: This is a **point**
Note that any markdown used in the point text will also be propagated into the topic summaries.
Topics
Topics can be stand-alone and contained within an issuable (epic, issue, MR), or can be inline.
Inline topics are defined by creating a new thread (discussion) where the first line of the first comment is a heading that starts with (case-insensitive)
topic:
. For example, the following are all valid topics:
# Topic: Inline discussion topic 1
## TOPIC: **{+A Green, bolded topic+}**
### tOpIc: Another topic
Quick Actions
Action Description /discuss sub-topic TITLE
Create an issue for a sub-topic. Does not work in epics /discuss link ISSUABLE-LINK
Link an issuable as a child of this discussion
Last updated by this job
Discoto Settings
---
summary:
max_items: -1
sort_by: created
sort_direction: ascending
See the settings schema for details.
🤖
Auto-Summary Discoto Usage
Points
Discussion points are declared by headings, list items, and single lines that start with the text (case-insensitive)
point:
. For example, the following are all valid points:
#### POINT: This is a point
* point: This is a point
+ Point: This is a point
- pOINT: This is a point
point: This is a **point**
Note that any markdown used in the point text will also be propagated into the topic summaries.
Topics
Topics can be stand-alone and contained within an issuable (epic, issue, MR), or can be inline.
Inline topics are defined by creating a new thread (discussion) where the first line of the first comment is a heading that starts with (case-insensitive)
topic:
. For example, the following are all valid topics:
# Topic: Inline discussion topic 1
## TOPIC: **{+A Green, bolded topic+}**
### tOpIc: Another topic
Quick Actions
Action Description /discuss sub-topic TITLE
Create an issue for a sub-topic. Does not work in epics /discuss link ISSUABLE-LINK
Link an issuable as a child of this discussion
Last updated by this job
Discoto Settings
---
summary:
max_items: -1
sort_by: created
sort_direction: ascending
See the settings schema for details.