Ensure that bulk CVE ingestion is done at first deployment #368

Open
opened 2024-11-18 20:26:47 +00:00 by fricklerhandwerk · 2 comments
fricklerhandwerk commented 2024-11-18 20:26:47 +00:00 (Migrated from github.com)

Right now operators need to remember to run `manage ingest_bulk_cve` when setting up the service. This is easy to forget, and there's currently no monitoring for startup errors, so everyone will wonder 24h later why there's no data in the suggestion queue.

This can be solved in multiple ways:

  • run the command in `PreStart` and leave a flag in the database to ensure the command is idempotent
  • document it in the operator's manual in a visible place
Erethon commented 2025-04-29 09:44:00 +00:00 (Migrated from github.com)

Is this still valid? Aren't ingestions handled automatically via the worker?

fricklerhandwerk commented 2025-04-29 11:44:26 +00:00 (Migrated from github.com)

> Aren't ingestions handled automatically via the worker?

Yes, but it's neither done on startup (but at 03:00 UTC) nor is it documented how to trigger it or that it needs triggering. The problem is therefore that a fresh deployment will simply not do anything useful and there's no indication what to do about it. And as we discussed, reading the code to figure it out is not a particularly pleasant onboarding experience.
