nginx-ipng-stats-plugin's ipng_stats_logtail directive buffers many log
lines into a single UDP datagram (default buffer=64k flush=1s). The
listener was treating each datagram as exactly one log line, so any
datagram with N>1 lines failed the v1 field-count check and dropped
silently. In production this showed up as logtail_udp_packets_received_total
roughly 4x logtail_udp_loglines_success_total — matching typical
burst-coalesced 4-lines-per-batch ratios.
Fix: strip trailing CRLF, split the payload on '\n', parse each
non-empty line independently. Counter semantics now match the names:
packets_received — datagrams off the socket (one per recvfrom)
loglines_success — log lines parsed OK (may be many per datagram)
loglines_consumed — log lines forwarded to the store (not dropped)
After the fix, loglines_success ≈ packets_received × avg_lines_per_batch.
Regression test TestUDPListenerBatchedDatagram sends one datagram with
three '\n'-separated v1 lines and asserts all three LogRecords arrive,
plus loglines_success >= 3 * packets_received.
Docs (user-guide.md, design.md) now explain the datagram-vs-line unit
distinction so operators don't misread the ratio.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Rework the Dockerfile to produce a proper multi-arch manifest from a
single `docker buildx build --platform linux/amd64,linux/arm64`. The
builder stage runs on the host's native arch ($BUILDPLATFORM) and Go
cross-compiles to each requested $TARGETARCH via the Makefile's
build-$TARGETARCH targets — no qemu-emulated builder, no per-arch
Dockerfile duplication. VERSION/COMMIT/DATE flow from --build-arg
through to the -ldflags -X injection so images stamp the same metadata
as `make build` on bare metal.
docker-compose.yml gains Docker Compose "profiles" (collector,
aggregator, frontend) and an `env_file: .env`, mirroring vpp-maglev's
pattern. All three services ship from one multi-arch image and select
their binary via `command:`. Collector uses network_mode: host so UDP
from host nginx on 127.0.0.1 actually reaches it; aggregator/frontend
bridge-network with published ports.
.env.example documents every COLLECTOR_*, AGGREGATOR_*, FRONTEND_* env
var with its default plus COMPOSE_PROFILES and notes for Docker-specific
cases (service DNS names, AGGREGATOR_COLLECTORS spelling). .gitignore
excludes /.env so local tunables stay local.
Verified: `docker buildx build --platform linux/amd64,linux/arm64` goes
through cleanly from one invocation; local --load build's four binaries
report version 0.9.1 with the injected commit/date.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
No runtime change — the listener already uses net.ListenUDP +
ReadFromUDP, which is the unconnected-socket pattern that accepts
datagrams from any source. nginx reloads (new workers with fresh
ephemeral source ports) are handled transparently.
- udp.go: expanded comment on Run() explaining the design choice and
contrasting with the `nc -k -u -l` latching quirk (which is an nc
bug, not a kernel behaviour).
- udp_test.go: new TestUDPListenerMultipleSources regresses against
the multi-worker scenario by sending from three independent
ListenPacket sockets (three different ephemeral source ports).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Build and release tooling:
- Makefile with help as default; targets: build/build-amd64/build-arm64,
test, lint, proto, pkg-deb, docker, docker-push, clean, plus
install-deps (+ three sub-targets for apt / Go toolchain / Go tools).
- internal/version package; -ldflags -X injects Version/Commit/Date into
every binary. -version flag on all four binaries (nginx-logtail version
for the CLI).
- Dockerfile takes VERSION/COMMIT/DATE build-args and forwards them.
- .deb output lands in build/; .gitignore ignores /build/.
Debian package:
- debian/build-deb.sh packages all four static binaries into a single
nginx-logtail_<ver>_<arch>.deb using dpkg-deb.
- Binary layout: /usr/sbin/nginx-logtail-{collector,aggregator,frontend}
and /usr/bin/nginx-logtail.
- nginx-logtail(8) manpage.
- Three systemd units (collector, aggregator, frontend) shipped under
/lib/systemd/system/. Installed but never enabled or started — the
operator opts in per host.
- Collector runs as _logtail:www-data (log access); aggregator and
frontend as _logtail:_logtail. postinst creates the system user/group
idempotently.
- Single shared env file /etc/default/nginx-logtail rendered from a
template at first install with %HOSTNAME% substituted. Sensible
defaults for every COLLECTOR_*, AGGREGATOR_*, FRONTEND_* variable;
plus COLLECTOR_ARGS / AGGREGATOR_ARGS / FRONTEND_ARGS escape hatches
appended to ExecStart. Not a dpkg conffile: operator edits survive
upgrades and dpkg --purge removes it.
Versioned UDP wire format:
- ParseUDPLine dispatches on a leading "v<N>\t" tag; v1 routes to the
existing 12-field parser. Unknown/missing versions fail closed so
future v2 parsers can land before emitters are upgraded.
- Tests updated; design.md FR-2.2 rewritten to make the version tag
normative.
Docs:
- README.md gains a Quick Start (Debian / Docker Compose / from source).
- user-guide.md rewritten around Installation and Configuration: full
env-var table, UDP-only default explained, precise file/UDP log_format
layouts, note that operators can emit "0" for unknown \$is_tor / \$asn.
- Drilldown cycle, frontend filter table, and CLI --group-by list all
include source_tag. UDP counters documented in the Prometheus section.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
