From 16f7122d314658de889c64898f0bd0f6b467254e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Lima?= Date: Thu, 14 Dec 2023 12:15:27 +0000 Subject: [PATCH] Add mitigation information to the linux vulnerabilities collector (#2806) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While the CPU vulnerabilities collector has been added in https://github.com/prometheus/node_exporter/pull/2721 , it's currently not including information regarding the mitigation strategy used for a given vulnerability. This information can be quite valuable, as often times different mitigation strategies come with a different performance impact. This commit adds a third label to the cpu_vulnerabilities_info metric, to include the "mitigation" used for a given vulnerability - if a given vulnerability is not affecting a node or the node is still vulnerable, the mitigation is expected to be empty. Signed-off-by: João Lima --- collector/cpu_vulnerabilities_linux.go | 3 ++- collector/fixtures/e2e-64k-page-output.txt | 10 +++++----- collector/fixtures/e2e-output.txt | 10 +++++----- 3 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/collector/cpu_vulnerabilities_linux.go b/collector/cpu_vulnerabilities_linux.go
index 1875488b..69a2c587 100644
--- a/collector/cpu_vulnerabilities_linux.go
+++ b/collector/cpu_vulnerabilities_linux.go
@@ -29,7 +29,7 @@ var (
 vulnerabilityDesc = prometheus.NewDesc(
 prometheus.BuildFQName(namespace, cpuVulerabilitiesCollector, "info"),
 "Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label",
- []string{"codename", "state"},
+ []string{"codename", "state", "mitigation"},
 nil,
 )
 )
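Review bot: The HELP string kept as context two lines above the changed `[]string{...}` no longer describes the metric once a third label is added, and it was already inaccurate: it promises "an int encoded state" as the series value, while `Update` emits a constant `1.0` (visible in the next hunk), so all information lives in the labels. I would rewrite that line to `"Details of each CPU vulnerability reported by sysfs. The value is always 1; the state label holds the human-readable vulnerability state and the mitigation label the kernel's mitigation text, which is empty when state is not mitigation",`. The enclosing `var (` block starts before the hunk.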
@@ -62,6 +62,7 @@ func (v *cpuVulnerabilitiesCollector) Update(ch chan<- prometheus.Metric) error
 1.0,
 vulnerability.CodeName,
 sysfs.VulnerabilityHumanEncoding[vulnerability.State],
+ vulnerability.Mitigation,
 )
 }
 return nil
diff --git a/collector/fixtures/e2e-64k-page-output.txt b/collector/fixtures/e2e-64k-page-output.txt
index a8440bdc..5b0ac8db 100644
--- a/collector/fixtures/e2e-64k-page-output.txt
+++ b/collector/fixtures/e2e-64k-page-output.txt
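Review bot: The new `vulnerability.Mitigation` label value is free-form text taken from sysfs, and nothing on the new side normalises or documents it, so its wording changes with kernel releases (a kernel upgrade silently retires the old series and creates a new one) and any dashboard or alert that matches on the text will break without notice. The fixtures also show `mitigation=""` for the `vulnerable` mds entry, so whatever qualifier the kernel prints after `Vulnerable:` is presumably dropped by the procfs parser — worth confirming, since that qualifier is often the actionable detail (e.g. whether microcode is missing). A comment above the added line would set expectations for consumers: `// Free-form mitigation text from the kernel, empty unless state is "mitigation"; its wording is kernel-specific, so alert on the state label rather than on this one.`. Update's body starts before the hunk.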
@@ -404,11 +404,11 @@ node_cpu_seconds_total{cpu="7",mode="system"} 101.64
 node_cpu_seconds_total{cpu="7",mode="user"} 290.98
 # HELP node_cpu_vulnerabilities_info Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label
 # TYPE node_cpu_vulnerabilities_info gauge
-node_cpu_vulnerabilities_info{codename="itlb_multihit",state="not affected"} 1
-node_cpu_vulnerabilities_info{codename="mds",state="vulnerable"} 1
-node_cpu_vulnerabilities_info{codename="retbleed",state="mitigation"} 1
-node_cpu_vulnerabilities_info{codename="spectre_v1",state="mitigation"} 1
-node_cpu_vulnerabilities_info{codename="spectre_v2",state="mitigation"} 1
+node_cpu_vulnerabilities_info{codename="itlb_multihit",mitigation="",state="not affected"} 1
+node_cpu_vulnerabilities_info{codename="mds",mitigation="",state="vulnerable"} 1
+node_cpu_vulnerabilities_info{codename="retbleed",mitigation="untrained return thunk; SMT enabled with STIBP protection",state="mitigation"} 1
+node_cpu_vulnerabilities_info{codename="spectre_v1",mitigation="usercopy/swapgs barriers and __user pointer sanitization",state="mitigation"} 1
+node_cpu_vulnerabilities_info{codename="spectre_v2",mitigation="Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected",state="mitigation"} 1
 # HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs).
 # TYPE node_disk_ata_rotation_rate_rpm gauge
 node_disk_ata_rotation_rate_rpm{device="sda"} 7200
diff --git a/collector/fixtures/e2e-output.txt b/collector/fixtures/e2e-output.txt
index 1d2a2af0..8920e562 100644
--- a/collector/fixtures/e2e-output.txt
+++ b/collector/fixtures/e2e-output.txt
@@ -426,11 +426,11 @@ node_cpu_seconds_total{cpu="7",mode="system"} 101.64
 node_cpu_seconds_total{cpu="7",mode="user"} 290.98
 # HELP node_cpu_vulnerabilities_info Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label
 # TYPE node_cpu_vulnerabilities_info gauge
-node_cpu_vulnerabilities_info{codename="itlb_multihit",state="not affected"} 1
-node_cpu_vulnerabilities_info{codename="mds",state="vulnerable"} 1
-node_cpu_vulnerabilities_info{codename="retbleed",state="mitigation"} 1
-node_cpu_vulnerabilities_info{codename="spectre_v1",state="mitigation"} 1
-node_cpu_vulnerabilities_info{codename="spectre_v2",state="mitigation"} 1
+node_cpu_vulnerabilities_info{codename="itlb_multihit",mitigation="",state="not affected"} 1
+node_cpu_vulnerabilities_info{codename="mds",mitigation="",state="vulnerable"} 1
+node_cpu_vulnerabilities_info{codename="retbleed",mitigation="untrained return thunk; SMT enabled with STIBP protection",state="mitigation"} 1
+node_cpu_vulnerabilities_info{codename="spectre_v1",mitigation="usercopy/swapgs barriers and __user pointer sanitization",state="mitigation"} 1
+node_cpu_vulnerabilities_info{codename="spectre_v2",mitigation="Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected",state="mitigation"} 1
 # HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs).
 # TYPE node_disk_ata_rotation_rate_rpm gauge
 node_disk_ata_rotation_rate_rpm{device="sda"} 7200