https://linen.dev logo
Join Slack
Powered by
This message was deleted.
# opal
s
This message was deleted.
d
My previous solution to this was to just run OPA non-embedded. For simplicity for all the teams on my project that will be starting to use OPA(L), though, I would love to be able to use embedded and simplify the charts for them
o
Hi @David Hamilton, you might be able find your previous thread in the archives: https://www.linen.dev/s/permit/c/general
I definitely think we can investigate this and come up with a potential solution. @Asaf Cohen do you have any suspects here?
d
"Ro'e Katz 05/16/2023, 4:01 AM There’s a known issue of long loading times when having a lot of rego files - OPA is currently recompiling everything every time you load a new policy file."
New info: this ONLY occurs if OPA (not OPAL) log level is debug or info
if I set to error everything appears fine
o
Oh - yeah - makes total sense. Seems you should be able to circumnavigate the issue by simply waiting longer on the health-check
d
It's just strange that this only occurs with embedded OPA. I have a separate OPA container running with debug and console decision logs and it behaves just fine
same OPA version and everything
o
This might be a combination of issue coming together; Maybe there’s an additional slow down when the OPA logs are been piped into the OPAL-client process; which ends up creating a race-condition for the healthcheck. We can potentially add an option to use the opa-runner but without piping the OPA logs
It might be best to wait for @Asaf Cohen/ @Shaul Kremer / @Ro'e Katz to chime in (Which should be on Sunday)
@David Hamilton, Maybe in the meanwhile you can test the theory by running inline OPA but with logs sent to file instead of STDERR
d
Thanks, @Or Weis
o
Seems the rest of the team is stumped about this issue as well. Currently I think the option of running OPA with either a different log level, or with with logs piped to a file are is our best course
r
@David Hamilton Just went over the original thread - My quote regarding long loading times seems irrelevant as you mentioned logs indicating all policies were already loaded. I’ll try to have another look at this, see if I can find something wrong
I might have found something. We use 
stream.readline()
for piping OPA logs. If a single line in OPA’s logs is longer than the default 64kb buffer size (64kb of output with no 
\n
), we might get an unhandled exception in the piping task. I can patch that but would like to know that I’m on the right path, @David Hamilton - Can you confirm seeing extremely long logs when running OPA independently?
d
I think you're on the right track for sure. If opa logging is set to debug, it logs the entire policy file with newlines replaced by "\n" so very long lines. When it is in info log mode, it only logs that the request was made
r
Gonna release an RC for you to test soon…
@David Hamilton Pushed image tag 
0.7.4-rc
with a potential fix. Can you please give it a try?
🙏 1
🦜 1
d
sure, I'll get my configs back to the failing scenario and confirm that, then switch the image tag
@Ro'e Katz Thank you! That appears to have fixed it! I have to figure out if there is a way I can get OPA to not log large requests like that in the first place. I want console logs, but not the entire content of the policies OPAL sends to be logged, or the data that OPAL sends! But that's a matter for OPA. Looks like this issue is resolved 😄
r
Great! I would work to merge this and soon release a new OPAL version
Open in Slack
PreviousNext
Powered by