DLPX-96312 Add InfluxDB/Telegraf infrastructure for Engine Performance Analytics

PR URL: https://www.github.com/delphix/performance-diagnostics/pull/119

Author: dbshah12

debian/control

@@ -13,6 +13,6 @@ Standards-Version: 4.1.2
 
 Package: performance-diagnostics
 Architecture: any
-Depends: python3-bpfcc, python3-minimal, python3-psutil, telegraf, docker.io
+Depends: python3-bpfcc, python3-minimal, python3-psutil, telegraf, docker.io, influxdb2
 Description: eBPF-based Performance Diagnostic Tools
   A collection of eBPF-based tools for diagnosing performance issues.

debian/rules

@@ -26,3 +26,6 @@ override_dh_auto_install:
 	dh_install telegraf/delphix-telegraf-service telegraf/perf_playbook /usr/bin
 	dh_install telegraf/delphix-telegraf.service /lib/systemd/system
 	dh_install telegraf/telegraf* telegraf/*.sh /etc/telegraf
+	dh_install influxdb/delphix-influxdb-service influxdb/delphix-influxdb-init /usr/bin
+	dh_install influxdb/delphix-influxdb.service /lib/systemd/system
+	dh_install influxdb/influxdb.conf influxdb/influxdb-init.conf /etc/influxdb

influxdb/delphix-influxdb-init

@@ -0,0 +1,213 @@
+#!/bin/bash -eu
+#
+# Copyright (c) 2026 by Delphix. All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# One-time InfluxDB initialization: creates org, bucket, admin token,
+# a read-only token for DCT Smart Proxy, and appends the
+# [[outputs.influxdb_v2]] stanza to /etc/telegraf/telegraf.base.
+# Skips setup if InfluxDB is already initialized.
+#
+
+INFLUXDB_URL="http://127.0.0.1:8086"
+INFLUXDB_CONFIG_DIR="/etc/influxdb"
+INFLUXDB_META_FILE="$INFLUXDB_CONFIG_DIR/influxdb_meta"
+# State file written immediately after /api/v2/setup so the script can resume
+# if it is interrupted before the metadata file is fully written.
+INFLUXDB_SETUP_STATE_FILE="$INFLUXDB_CONFIG_DIR/influxdb_setup_state"
+TELEGRAF_BASE="/etc/telegraf/telegraf.base"
+INFLUXDB_INIT_CONF="$INFLUXDB_CONFIG_DIR/influxdb-init.conf"
+
+# Load tunable configuration (org, bucket, retention, wait parameters).
+# shellcheck source=/etc/influxdb/influxdb-init.conf
+# shellcheck disable=SC1091
+source "$INFLUXDB_INIT_CONF"
+
+INFLUXDB_ADMIN_USER="admin"
+INFLUXDB_ADMIN_PASSWORD="$(openssl rand -hex 16)"
+
+#
+# Log a message to stderr with a timestamp.
+#
+log() {
+	echo "[$(date -u '+%Y-%m-%dT%H:%M:%SZ')] $*" >&2
+}
+
+#
+# Extract a field from a JSON string using python3.
+#
+json_field() {
+	local json="$1"
+	local field="$2"
+	echo "$json" | python3 -c "import json,sys; print(json.loads(sys.stdin.read())$field)" ||
+		{ log "ERROR: Failed to parse field '$field' from JSON response."; return 1; }
+}
+
+#
+# POST to the InfluxDB HTTP API. Exits with an error if the request fails.
+#
+influx_post() {
+	local endpoint="$1"
+	local data="$2"
+	local auth_header="${3:-}"
+
+	local curl_args=(-sf -X POST "$INFLUXDB_URL$endpoint" -H 'Content-Type: application/json' -d "$data")
+	[[ -n "$auth_header" ]] && curl_args+=(-H "Authorization: Token $auth_header")
+
+	local response
+	response=$(curl "${curl_args[@]}") ||
+		{ log "ERROR: HTTP POST to '$endpoint' failed."; return 1; }
+	echo "$response"
+}
+
+mkdir -p "$INFLUXDB_CONFIG_DIR"
+
+# Skip if already fully initialized.
+if [[ -f "$INFLUXDB_META_FILE" ]]; then
+	log "InfluxDB already initialized, skipping."
+	exit 0
+fi
+
+#
+# Wait for InfluxDB to be ready.
+#
+log "Waiting for InfluxDB to be ready..."
+ready=false
+for i in $(seq 1 "$INFLUXDB_WAIT_RETRIES"); do
+	if curl -sf "$INFLUXDB_URL/health" &>/dev/null; then
+		ready=true
+		break
+	fi
+	log "InfluxDB not ready yet (attempt $i/$INFLUXDB_WAIT_RETRIES), retrying in ${INFLUXDB_WAIT_INTERVAL}s..."
+	sleep "$INFLUXDB_WAIT_INTERVAL"
+done
+
+if [[ "$ready" != "true" ]]; then
+	log "ERROR: InfluxDB did not become ready after $((INFLUXDB_WAIT_RETRIES * INFLUXDB_WAIT_INTERVAL))s."
+	exit 1
+fi
+log "InfluxDB is ready."
+
+#
+# Initial setup — creates org, bucket, and returns admin token + IDs.
+# /api/v2/setup is a one-shot operation; if the script is interrupted after
+# this point and re-run, the state file lets us skip setup and reuse the
+# already-created admin token.
+#
+ADMIN_TOKEN=""
+ORG_ID=""
+BUCKET_ID=""
+
+if [[ -f "$INFLUXDB_SETUP_STATE_FILE" ]]; then
+	log "Found existing setup state, loading admin token and IDs..."
+	while IFS= read -r line; do
+		key="${line%%=*}"
+		value="${line#*=}"
+		case "$key" in
+			ADMIN_TOKEN) ADMIN_TOKEN="$value" ;;
+			ORG_ID)      ORG_ID="$value" ;;
+			BUCKET_ID)   BUCKET_ID="$value" ;;
+		esac
+	done <"$INFLUXDB_SETUP_STATE_FILE"
+else
+	log "Running initial InfluxDB setup..."
+	SETUP_RESPONSE=$(influx_post "/api/v2/setup" "{
+		\"username\": \"$INFLUXDB_ADMIN_USER\",
+		\"password\": \"$INFLUXDB_ADMIN_PASSWORD\",
+		\"org\": \"$INFLUXDB_ORG\",
+		\"bucket\": \"$INFLUXDB_BUCKET\",
+		\"retentionPeriodSeconds\": $INFLUXDB_RETENTION_SECONDS
+	}") || exit 1
+
+	ADMIN_TOKEN=$(json_field "$SETUP_RESPONSE" "['auth']['token']") || exit 1
+	ORG_ID=$(json_field "$SETUP_RESPONSE" "['org']['id']") || exit 1
+	BUCKET_ID=$(json_field "$SETUP_RESPONSE" "['bucket']['id']") || exit 1
+
+	# Persist admin token + IDs immediately so a subsequent re-run can resume
+	# without repeating the one-shot setup call.
+	old_umask="$(umask)"
+	umask 077
+	tmp_state="$(mktemp "${INFLUXDB_SETUP_STATE_FILE}.XXXXXX")"
+	printf 'ADMIN_TOKEN=%s\nORG_ID=%s\nBUCKET_ID=%s\n' \
+		"$ADMIN_TOKEN" "$ORG_ID" "$BUCKET_ID" >"$tmp_state"
+	chmod 600 "$tmp_state"
+	mv "$tmp_state" "$INFLUXDB_SETUP_STATE_FILE"
+	umask "$old_umask"
+fi
+
+#
+# Create a write-only token for Telegraf.
+#
+log "Creating Telegraf write token..."
+WRITE_TOKEN_RESPONSE=$(influx_post "/api/v2/authorizations" "{
+	\"orgID\": \"$ORG_ID\",
+	\"description\": \"telegraf-write-token\",
+	\"permissions\": [
+		{\"action\": \"write\", \"resource\": {\"type\": \"buckets\", \"id\": \"$BUCKET_ID\", \"orgID\": \"$ORG_ID\"}}
+	]
+}" "$ADMIN_TOKEN") || exit 1
+WRITE_TOKEN=$(json_field "$WRITE_TOKEN_RESPONSE" "['token']") || exit 1
+
+#
+# Create a read-only token for DCT Smart Proxy.
+#
+log "Creating DCT Smart Proxy read token..."
+READ_TOKEN_RESPONSE=$(influx_post "/api/v2/authorizations" "{
+	\"orgID\": \"$ORG_ID\",
+	\"description\": \"dct-read-token\",
+	\"permissions\": [
+		{\"action\": \"read\", \"resource\": {\"type\": \"buckets\", \"id\": \"$BUCKET_ID\", \"orgID\": \"$ORG_ID\"}}
+	]
+}" "$ADMIN_TOKEN") || exit 1
+READ_TOKEN=$(json_field "$READ_TOKEN_RESPONSE" "['token']") || exit 1
+
+#
+# Append the [[outputs.influxdb_v2]] stanza to telegraf.base so Telegraf
+# knows where to ship metrics. Input stanzas already exist in the file.
+#
+log "Appending InfluxDB output stanza to $TELEGRAF_BASE..."
+if [[ ! -f "$TELEGRAF_BASE" ]]; then
+	log "WARNING: Telegraf base config not found at '$TELEGRAF_BASE'; skipping stanza append." \
+		"Run init_influxdb again once Telegraf is installed to complete Telegraf configuration."
+elif grep -q "^[[:space:]]*#\{0,1\}\[\[outputs\.influxdb_v2\]\]" "$TELEGRAF_BASE"; then
+	log "InfluxDB output stanza already present in $TELEGRAF_BASE, skipping."
+	chmod 640 "$TELEGRAF_BASE"
+else
+	cat >>"$TELEGRAF_BASE" <<EOF
+
+[[outputs.influxdb_v2]]
+  urls = ["http://127.0.0.1:8086"]
+  token = "$WRITE_TOKEN"
+  organization = "$INFLUXDB_ORG"
+  bucket = "$INFLUXDB_BUCKET"
+  namepass = ["cpu", "disk", "diskio", "mem", "net", "procstat", "processes", "swap", "system", "zfs"]
+EOF
+	# Enforce restrictive permissions so the write token is not world-readable.
+	chmod 640 "$TELEGRAF_BASE"
+fi
+
+#
+# Persist org/bucket/admin credentials/tokens so DE APIs can expose them to DCT
+# and so the admin can access the InfluxDB UI. File is chmod 600 (root-only).
+#
+log "Writing InfluxDB metadata to $INFLUXDB_META_FILE..."
+# Use a restrictive umask and a temp file to avoid a window where tokens are
+# readable by non-root users, then atomically move the file into place.
+old_umask="$(umask)"
+umask 077
+tmp_meta="$(mktemp "${INFLUXDB_META_FILE}.XXXXXX")"
+cat >"$tmp_meta" <<EOF
+INFLUXDB_ORG=$INFLUXDB_ORG
+INFLUXDB_BUCKET=$INFLUXDB_BUCKET
+INFLUXDB_ADMIN_USER=$INFLUXDB_ADMIN_USER
+INFLUXDB_ADMIN_PASSWORD=$INFLUXDB_ADMIN_PASSWORD
+INFLUXDB_WRITE_TOKEN=$WRITE_TOKEN
+INFLUXDB_READ_TOKEN=$READ_TOKEN
+EOF
+chmod 600 "$tmp_meta"
+mv "$tmp_meta" "$INFLUXDB_META_FILE"
+umask "$old_umask"
+
+rm -f "$INFLUXDB_SETUP_STATE_FILE"
+log "InfluxDB initialized successfully."

influxdb/delphix-influxdb-service

@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Copyright (c) 2026 by Delphix. All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Wrapper script to start InfluxDB 2.x and run first-time initialization.
+#
+
+INFLUXDB_CONFIG=/etc/influxdb/influxdb.conf
+INFLUXDB_INIT=/usr/bin/delphix-influxdb-init
+
+function log() {
+	echo "[$(date -u '+%Y-%m-%dT%H:%M:%SZ')] delphix-influxdb-service: $*" >&2
+}
+
+# Start influxd in the background
+/usr/bin/influxd --config-path "$INFLUXDB_CONFIG" &
+INFLUXDB_PID=$!
+
+log "Started influxd (PID ${INFLUXDB_PID})"
+
+# Run initialization (the init script handles waiting for InfluxDB to be ready)
+if ! $INFLUXDB_INIT; then
+	log "ERROR: Initialization failed, stopping influxd"
+	kill "$INFLUXDB_PID" 2>/dev/null
+	exit 1
+fi
+
+wait "$INFLUXDB_PID"

influxdb/delphix-influxdb.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Delphix InfluxDB Time Series Database
+Documentation=https://docs.influxdata.com/influxdb/v2/
+PartOf=delphix.target
+After=delphix-platform.service
+PartOf=delphix-platform.service
+
+[Service]
+User=root
+ExecStart=/usr/bin/delphix-influxdb-service
+Restart=on-failure
+RestartForceExitStatus=SIGPIPE
+KillMode=control-group
+
+[Install]
+WantedBy=delphix.target

influxdb/influxdb-init.conf

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2026 by Delphix. All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Configuration for delphix-influxdb-init.
+# Sourced by /usr/bin/delphix-influxdb-init at runtime.
+#
+
+INFLUXDB_ORG="delphix"
+INFLUXDB_BUCKET="default"
+INFLUXDB_RETENTION_SECONDS=2592000 # 30 days (720h)
+INFLUXDB_WAIT_RETRIES=30
+INFLUXDB_WAIT_INTERVAL=2

influxdb/influxdb.conf

@@ -0,0 +1,12 @@
+#
+# Copyright 2024 Delphix. All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# InfluxDB 2.x Configuration
+#
+
+bolt-path = "/var/lib/influxdb2/influxdb.bolt"
+engine-path = "/var/lib/influxdb2/engine"
+http-bind-address = "127.0.0.1:8086"
+log-level = "warn"

telegraf/telegraf.base

@@ -44,12 +44,13 @@
   data_format = "json"
   namepass = ["agg_*"]
 
-# Enable Live Monitoring, intended for internal Delphix use only:
-#[[outputs.influxdb]]
-#  urls = ["http://dbsvr.company.com:8086"]
-#  database = "live_metrics"
-#  skip_database_creation = true
-#  data_format = "influx"
+# Update token from /etc/influxdb/influxdb_meta (INFLUXDB_ADMIN_TOKEN), then uncomment and restart telegraf.
+#[[outputs.influxdb_v2]]
+#  urls = ["http://127.0.0.1:8086"]
+#  token = ""
+#  organization = "delphix"
+#  bucket = "default"
+#  namepass = ["cpu", "disk", "diskio", "mem", "net", "procstat", "processes", "swap", "system", "zfs"]
 
 ###############################################################################
 #                            INPUT PLUGINS                                    #