Kiu/Node_Exporter
Kiu/Node_Exporter
1
0
Fork 0
mirror of https://github.com/prometheus/node_exporter.git synced 2024-11-23 20:36:21 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add mitigation information to the linux vulnerabilities collector (#2806)

Browse Source 
While the CPU vulnerabilities collector has been added in https://github.com/prometheus/node_exporter/pull/2721 , it's currently not including information regarding the mitigation strategy used for a given vulnerability.

This information can be quite valuable, as often times different mitigation strategies come with a different performance impact.

This commit adds a third label to the cpu_vulnerabilities_info metric, to include the "mitigation" used for a given vulnerability - if a given vulnerability is not affecting a node or the node is still vulnerable, the mitigation is expected to be empty.

Signed-off-by: João Lima <jlima@cloudflare.com>
This commit is contained in:
João Pedro Lima 2023-12-14 12:15:27 +00:00 committed by GitHub
parent c2dcc798d5
commit 16f7122d31
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
collector/cpu_vulnerabilities_linux.go
View File

@ -29,7 +29,7 @@ var (
vulnerabilityDesc = prometheus.NewDesc( vulnerabilityDesc = prometheus.NewDesc(
prometheus.BuildFQName(namespace, cpuVulerabilitiesCollector, "info"), prometheus.BuildFQName(namespace, cpuVulerabilitiesCollector, "info"),
"Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label", "Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label",
[]string{"codename", "state"}, []string{"codename", "state", "mitigation"},
nil, nil,
) )
) )
@ -62,6 +62,7 @@ func (v *cpuVulnerabilitiesCollector) Update(ch chan<- prometheus.Metric) error
1.0, 1.0,
vulnerability.CodeName, vulnerability.CodeName,
sysfs.VulnerabilityHumanEncoding[vulnerability.State], sysfs.VulnerabilityHumanEncoding[vulnerability.State],
vulnerability.Mitigation,
) )
} }
return nil return nil

10
collector/fixtures/e2e-64k-page-output.txt
View File

@ -404,11 +404,11 @@ node_cpu_seconds_total{cpu="7",mode="system"} 101.64
node_cpu_seconds_total{cpu="7",mode="user"} 290.98 node_cpu_seconds_total{cpu="7",mode="user"} 290.98
# HELP node_cpu_vulnerabilities_info Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label # HELP node_cpu_vulnerabilities_info Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label
# TYPE node_cpu_vulnerabilities_info gauge # TYPE node_cpu_vulnerabilities_info gauge
node_cpu_vulnerabilities_info{codename="itlb_multihit",state="not affected"} 1 node_cpu_vulnerabilities_info{codename="itlb_multihit",mitigation="",state="not affected"} 1
node_cpu_vulnerabilities_info{codename="mds",state="vulnerable"} 1 node_cpu_vulnerabilities_info{codename="mds",mitigation="",state="vulnerable"} 1
node_cpu_vulnerabilities_info{codename="retbleed",state="mitigation"} 1 node_cpu_vulnerabilities_info{codename="retbleed",mitigation="untrained return thunk; SMT enabled with STIBP protection",state="mitigation"} 1
node_cpu_vulnerabilities_info{codename="spectre_v1",state="mitigation"} 1 node_cpu_vulnerabilities_info{codename="spectre_v1",mitigation="usercopy/swapgs barriers and __user pointer sanitization",state="mitigation"} 1
node_cpu_vulnerabilities_info{codename="spectre_v2",state="mitigation"} 1 node_cpu_vulnerabilities_info{codename="spectre_v2",mitigation="Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected",state="mitigation"} 1
# HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs). # HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs).
# TYPE node_disk_ata_rotation_rate_rpm gauge # TYPE node_disk_ata_rotation_rate_rpm gauge
node_disk_ata_rotation_rate_rpm{device="sda"} 7200 node_disk_ata_rotation_rate_rpm{device="sda"} 7200

10
collector/fixtures/e2e-output.txt
View File

@ -426,11 +426,11 @@ node_cpu_seconds_total{cpu="7",mode="system"} 101.64
node_cpu_seconds_total{cpu="7",mode="user"} 290.98 node_cpu_seconds_total{cpu="7",mode="user"} 290.98
# HELP node_cpu_vulnerabilities_info Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label # HELP node_cpu_vulnerabilities_info Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label
# TYPE node_cpu_vulnerabilities_info gauge # TYPE node_cpu_vulnerabilities_info gauge
node_cpu_vulnerabilities_info{codename="itlb_multihit",state="not affected"} 1 node_cpu_vulnerabilities_info{codename="itlb_multihit",mitigation="",state="not affected"} 1
node_cpu_vulnerabilities_info{codename="mds",state="vulnerable"} 1 node_cpu_vulnerabilities_info{codename="mds",mitigation="",state="vulnerable"} 1
node_cpu_vulnerabilities_info{codename="retbleed",state="mitigation"} 1 node_cpu_vulnerabilities_info{codename="retbleed",mitigation="untrained return thunk; SMT enabled with STIBP protection",state="mitigation"} 1
node_cpu_vulnerabilities_info{codename="spectre_v1",state="mitigation"} 1 node_cpu_vulnerabilities_info{codename="spectre_v1",mitigation="usercopy/swapgs barriers and __user pointer sanitization",state="mitigation"} 1
node_cpu_vulnerabilities_info{codename="spectre_v2",state="mitigation"} 1 node_cpu_vulnerabilities_info{codename="spectre_v2",mitigation="Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected",state="mitigation"} 1
# HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs). # HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs).
# TYPE node_disk_ata_rotation_rate_rpm gauge # TYPE node_disk_ata_rotation_rate_rpm gauge
node_disk_ata_rotation_rate_rpm{device="sda"} 7200 node_disk_ata_rotation_rate_rpm{device="sda"} 7200