Adding TLS to node exporter - cleaner version #1277
@brian-brazil Here's the clearer version of the TLS package
Similar to prometheus/common#173, we could use `tls.Config.GetConfigForClient` to read the key+cert and CAs from disk every time a client connects, allowing for seamless certificate rotations.
Just a first pass. We should also have unittests for this.
Thanks for opening up a clean pull request @ksherryBAE. I left a couple of comments.
@brian-brazil tests have now been added to 92% coverage
https/testdata/server.crt
Outdated
Issuer: C=NO, O=Green AS, OU=Green Certificate Authority, CN=Green TLS CA | ||
Validity | ||
Not Before: Jul 26 12:47:08 2017 GMT | ||
Not After : Jul 26 12:47:08 2019 GMT |
This would break us sooner than later. Please generate a certificate with a very large validity period.
This was reused from common/config/testdata , might it be worth waiting until this moves into common and then updating them both?
Certificates from common/config/testdata have been updated so you can copy them again.
https/README.md
Outdated
# Paths to Cert File & Key file from base directory | ||
# Both required for valid tls | ||
# Paths set as string values | ||
# These are reloaded on initial connection and |
and?
https/README.md
Outdated
tlsCertPath : <filename> | ||
tlsKeyPath : <filename> | ||
|
||
# ClientAuth declares the policy the server will follow for client auth |
auth -> authentication
https/README.md
Outdated
tlsKeyPath : <filename> | ||
|
||
# ClientAuth declares the policy the server will follow for client auth | ||
# Accepts the following string values and maps to ClientAuth Policies |
A link to https://golang.org/pkg/crypto/tls/#ClientAuthType might be useful.
TLSConfig TLSStruct `yaml:"tlsConfig"` | ||
} | ||
|
||
type TLSStruct struct { |
ditto
https/tls_config.go
Outdated
func configToTLSConfig(c *Config) (*tls.Config, error) { | ||
cfg := &tls.Config{} | ||
if len(c.TLSConfig.TLSCertPath) > 0 && len(c.TLSConfig.TLSKeyPath) > 0 { | ||
_, err := tls.LoadX509KeyPair(c.TLSConfig.TLSCertPath, c.TLSConfig.TLSKeyPath) |
Please add a comment explaining that it is only for the initial validation of the certificate and key. You could also call `cfg.GetCertificate()` after initializing it to avoid code repetition:

```go
cfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	...
}
// Check that certificate and key files are valid.
_, err := cfg.GetCertificate(nil)
if err != nil {
	return nil, err
}
```
https/tls_config.go
Outdated
case "RequireAndVerifyClientCert": | ||
cfg.ClientAuth = tls.RequireAndVerifyClientCert | ||
default: | ||
return nil, errors.New("Invalid string provided to ClientAuth") |
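Review bot: the default branch returns `errors.New("Invalid string provided to ClientAuth")` without the offending value, so a typo in the YAML is hard to diagnose from the log; Go error strings are also conventionally lowercase. Suggest `fmt.Errorf("invalid ClientAuth: %q", s)`, assuming `s` is the string being switched on, as in the later revision of this file.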
The erroneous value should be displayed.
https/testdata/tls_config_junk.yml
Outdated
@@ -0,0 +1,27 @@ | |||
I wandered lonely as a cloud |
While this is well out of copyright, it'd be best to use actual junk so companies using this don't have to send lawyers to verify.
I'm afraid I can't see why the buildkite/node-exporter build is failing, could anyone offer some insight? I assume it's something to do with the tests?
The buildkite jobs all fail with this:
This would also need tests validating that the certificate, key and configuration files are effectively reloaded for every request.
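Both the `GetConfigForClient` suggestion earlier in the thread and the request just above for tests that prove the certificate is really reloaded can be exercised with the following Go program. It is an added example, not code from this PR or from node_exporter: it assumes a `TLSConfig` struct carrying the PR's `tlsCertPath`, `tlsKeyPath` and `clientAuth` keys (YAML decoding omitted), maps the `clientAuth` strings to `tls.ClientAuthType` with the documented `NoClientCert` default, names the bad value in the error, and rebuilds the `tls.Config` from disk for every connection; a constructed self-signed certificate is written to a temp directory and then overwritten to show the rotation being picked up without a restart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// TLSConfig mirrors the YAML keys discussed in the PR (tlsCertPath, tlsKeyPath,
// clientAuth); YAML decoding is left out so the example needs only the stdlib.
type TLSConfig struct {
	TLSCertPath string
	TLSKeyPath  string
	ClientAuth  string
}

// clientAuthPolicies maps the accepted clientAuth strings to crypto/tls values; unset defaults to NoClientCert.
var clientAuthPolicies = map[string]tls.ClientAuthType{
	"":                           tls.NoClientCert,
	"NoClientCert":               tls.NoClientCert,
	"RequestClientCert":          tls.RequestClientCert,
	"RequireAnyClientCert":       tls.RequireAnyClientCert,
	"VerifyClientCertIfGiven":    tls.VerifyClientCertIfGiven,
	"RequireAndVerifyClientCert": tls.RequireAndVerifyClientCert,
}

// configToTLSConfig validates the certificate, key and policy now and installs a
// GetConfigForClient hook that repeats the load for every new connection (rotation).
func configToTLSConfig(c *TLSConfig) (*tls.Config, error) {
	cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
	if err != nil {
		return nil, fmt.Errorf("loading server certificate and key: %w", err)
	}
	auth, ok := clientAuthPolicies[c.ClientAuth]
	if !ok {
		return nil, fmt.Errorf("invalid ClientAuth: %q", c.ClientAuth) // name the bad value
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: auth}
	cfg.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		return configToTLSConfig(c) // re-read files and policy for this connection
	}
	return cfg, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// currentServerCN reports the CommonName a client connecting right now would be
// served, going through GetConfigForClient rather than the cached Certificates.
func currentServerCN(cfg *tls.Config) string {
	live, err := cfg.GetConfigForClient(&tls.ClientHelloInfo{})
	check(err)
	leaf, err := x509.ParseCertificate(live.Certificates[0].Certificate[0])
	check(err)
	return leaf.Subject.CommonName
}

// writeSelfSignedPair writes a throwaway self-signed certificate for cn and its
// key into dir (a constructed fixture for this demo, not the PR's testdata).
func writeSelfSignedPair(dir, cn string) (certPath, keyPath string) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	keyDER, err := x509.MarshalECPrivateKey(key)
	check(err)
	certPath, keyPath = filepath.Join(dir, "server.crt"), filepath.Join(dir, "server.key")
	check(os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
	check(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600))
	return certPath, keyPath
}

func main() {
	dir, err := os.MkdirTemp("", "webtls")
	check(err)
	defer os.RemoveAll(dir)
	certPath, keyPath := writeSelfSignedPair(dir, "node_exporter-old")
	cfg, err := configToTLSConfig(&TLSConfig{TLSCertPath: certPath, TLSKeyPath: keyPath})
	check(err)
	fmt.Println("at startup, clients get:", currentServerCN(cfg))
	writeSelfSignedPair(dir, "node_exporter-new") // rotate the files on disk, no restart
	fmt.Println("after rotation, clients get:", currentServerCN(cfg))
}
```

Because the hook re-runs the full load, a broken file dropped in during rotation makes new handshakes fail immediately rather than at the next restart, which is the behaviour a reload test should pin down as well.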
@@ -0,0 +1,8 @@ | |||
#TLS Config YAML |
(nit) this line can be removed and you could also remove the blank lines. Same remark for the other test configuration files.
https/tls_config_test.go
Outdated
log.Printf("Running %v tests:", numberOfTests) | ||
} | ||
|
||
logsDisabled := func(disable bool) { |
We don't usually customize the logging this way. I'd suggest to just use `t.Log()`/`t.Logf()` if needed.
https/tls_config_test.go
Outdated
var errorMessage error | ||
|
||
var once sync.Once | ||
recordConnectionResult := func(status bool, err error) { |
I see that `status` is true only if `err` is nil so I think that recording and checking `err` alone is enough.
https/tls_config_test.go
Outdated
} | ||
} | ||
for _, test := range testTables { | ||
test.httpClient = test.Client() |
You can use `T.Run` here.
https/tls_config_test.go
Outdated
func TestListen(t *testing.T) { | ||
logging := testing.Verbose() | ||
|
||
port := ":9100" |
This is still using a fixed port number.
@simonpasquier do you have any suggestions on how to use a random available port? The generally accepted method appears to be to create a Listener independently of the server, get the port with that, and then start the server with s.Serve(Listener), such as in the answer to this StackOverflow question; but due to the way the https.Listen function is being utilised this is not possible.
I have previously tried using a Listener to find an available port, releasing it from the listener and using the port again for the server, but this did not pass the build tests.
https/tls_config_test.go
Outdated
return | ||
} | ||
if string(body) != "Hello World!" { | ||
recordConnectionResult(false, err) |
You need to create a custom error here.
Hello, has there been any further thoughts on this? I know there was talk of an experimental branch, would a pull request against an experimental branch be of interest?
https/README.md
Outdated
|
||
``` | ||
#TLS CONFIG YAML | ||
# Main config options for tls |
Those 2 lines could be removed IMO.
https/README.md
Outdated
@@ -0,0 +1,42 @@ | |||
# HTTPS Package for prometheus |
Prometheus
https/README.md
Outdated
@@ -0,0 +1,42 @@ | |||
# HTTPS Package for prometheus | |||
|
|||
The `https` directory contains files and a template config for the implementation of tls. |
s/tls/TLS/
https/README.md
Outdated
The config file should is written in YAML format. | ||
The layout is outlined below, with optional parameters in brackets. | ||
|
||
For more detail on the clientAuth option: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType) |
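Review bot: the first line of this hunk, `The config file should is written in YAML format.`, has a leftover word from an edit; suggest `The config file is written in YAML format.`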
This could be moved to the configuration file example instead.
https/README.md
Outdated
# RequireAndVerifyClientCert | ||
[ clientAuth : <string> | default = "NoClientCert" ] | ||
|
||
# ClientCa's accepts a string path to the set of CA's |
s/ClientCa's/clientCAs/
https/tls_config_test.go
Outdated
}() | ||
err := <-errorChannel | ||
if test.isCorrectError(err) == false { | ||
t.Errorf(" *** Failed test: %s *** Returned error: %v *** Expected error: %v", test.Name, err, test.ExpectedError) |
No need to add the test's name (it will already be reported by the testing package). And the error message should be clear about what is wrong (eg error expected but doesn't match vs. unexpected error):
"Expected error to match regular expression %q, got %q"
"Expected no error, got %q"
https/tls_config_test.go
Outdated
"errors" | ||
"fmt" | ||
"io/ioutil" | ||
"log" |
No need to use the `log` package. The code should either panic (eg `getPort()`) or use `t.Fatal`.
https/tls_config_test.go
Outdated
func TestServerBehaviour(t *testing.T) { | ||
testTables := []*TestInputs{ | ||
{ | ||
Name: `nil Server and default client`, |
By definition, the `Listen()` function expects that `server` isn't `nil` so I wouldn't have this test.
any help needed on this?
https/README.md
Outdated
# HTTPS Package for Prometheus | ||
|
||
The `https` directory contains files and a template config for the implementation of TLS. | ||
When running a server with tls use the flag `--web.tls-config` |
s/tls/TLS/
https/README.md
Outdated
@@ -0,0 +1,10 @@ | |||
# HTTPS Package for Prometheus | |||
|
|||
The `https` directory contains files and a template config for the implementation of TLS. |
Suggestion: "The `https` directory contains a Go package and a sample configuration file for running `node_exporter` with HTTPS instead of HTTP."
https/README.md
Outdated
|
||
The `https` directory contains files and a template config for the implementation of TLS. | ||
When running a server with tls use the flag `--web.tls-config` | ||
Where the path is from where the exporter was run. |
I wouldn't mention it since this is the usual way of doing things.
https/README.md
Outdated
e.g. `./node_exporter --web.tls-config="https/tls-config.yml"` | ||
If the config is kept within the https directory. | ||
|
||
The config file should is written in YAML format, and is reloaded on each connection to check for new certificates and/or authentication policy. |
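Review bot: the last line of this hunk still reads `should is written`; suggest `is written`. Since the same sentence promises a re-read on every connection, it would also help to state what happens when the re-read file or certificate is invalid, so operators know a bad rotation shows up as failed handshakes right away rather than at the next restart.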
I would include the sample configuration in this page.
https/tls_config.go
Outdated
|
||
// When the listen function is called if the tlsConfigPath is an empty string an HTTP server is started | ||
// If the tlsConfigPath is a valid config file then an HTTPS server will be started | ||
// The listen function also sets the GetConfigForClient method of the HTTPS server so that the config and certs are reloaded on new connections |
I would move this comment right before L107.
https/tls_config.go
Outdated
// If the tlsConfigPath is a valid config file then an HTTPS server will be started | ||
// The listen function also sets the GetConfigForClient method of the HTTPS server so that the config and certs are reloaded on new connections | ||
func Listen(server *http.Server, tlsConfigPath string) error { | ||
if len(tlsConfigPath) > 0 { |
I prefer this code flow:

```go
if len(tlsConfigPath) == 0 {
	return server.ListenAndServe()
}
...
return server.ListenAndServeTLS("", "")
```
https/tls_config.go
Outdated
return cfg, nil | ||
} | ||
|
||
// When the listen function is called if the tlsConfigPath is an empty string an HTTP server is started |
Suggestion: "Listen starts the server on the given address. If tlsConfigPath isn't empty the connection will be using TLS."
https/tls_config.go
Outdated
loadCert := func() (*tls.Certificate, error) { | ||
cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath) | ||
if err != nil { | ||
return nil, err |
Using `errors.Wrap(...)` would be interesting as otherwise it might not be obvious what is failing.
https/tls_config.go
Outdated
|
||
func configToTLSConfig(c *TLSConfig) (*tls.Config, error) { | ||
cfg := &tls.Config{} | ||
if len(c.TLSCertPath) > 0 && len(c.TLSKeyPath) > 0 { |
See below too but `TLSCertPath` and `TLSKeyPath` are mandatory so YAML unmarshaling should have failed.
Hello, just checking on this. Any further thoughts about this pr or about possibly moving to an experimental branch?
@ksherryBAE I pushed a few changes on top of the PR and resolve the latest conflicts. It looks good to me at the code level but it would need other reviews from @brian-brazil and @SuperQ.
https/README.md
Outdated
The `https` directory contains a Go package and a sample configuration file for running `node_exporter` with HTTPS instead of HTTP. | ||
When running a server with TLS use the flag `--web.tls-config` | ||
|
||
e.g. `./node_exporter --web.tls-config="https/tls-config.yml"` |
Aren't we planning on doing basic auth too? A more generic flag name would be better
`https` doesn't cover basic auth.
https/tls_config.go
Outdated
} | ||
|
||
// Listen starts the server on the given address. If tlsConfigPath isn't empty, | ||
// the connection will be using TLS. |
s/connection/server/
https/README.md
Outdated
# HTTPS Package for Prometheus | ||
|
||
The `https` directory contains a Go package and a sample configuration file for running `node_exporter` with HTTPS instead of HTTP. | ||
When running a server with TLS use the flag `--web.authentication-config` |
since eventually the file will hold configuration for both TLS and authentication, maybe we should name the flag `--web.config`?
https/tls_config.go
Outdated
return nil, errors.New("invalid ClientAuth: " + s) | ||
} | ||
} | ||
if len(c.ClientCAs) > 0 && len(c.ClientAuth) == 0 { |
For clarity and to match the README file, I would default `c.ClientAuth` to `NoClientCert` if unset and change this test to `len(c.ClientCAs) > 0 && c.ClientAuth != NoClientCert`.
Signed-off-by: KSherry <kieran.sherry@baesystems.com>
Signed-off-by: KSherry <kieran.sherry@baesystems.com>
@ksherryBAE you need to sync the
Signed-off-by: KSherry <kieran.sherry@baesystems.com>
@ksherryBAE still not ok. Can you make sure you have Go 1.13.1 installed locally?
Signed-off-by: Ben RIdley <benridley29@gmail.com>
update vendor/
Anything else required on this?
Hello. Sorry for my perseverance.
@ksherryBAE Sorry for the stupid question but, is there an option to validate the client (prometheus server) based on certificate attribute and not just on the signed CA?
We discussed this at our dev summit. I think it's ready to go. I cleaned up most of the un-resolved and outdated comments. Can I get one final thumbs up from @simonpasquier and @brian-brazil
👍
👍
When running a server with TLS use the flag `--web.config` | ||
|
||
e.g. `./node_exporter --web.config="web-config.yml"` | ||
If the config is kept within the https directory. |
Wouldn't it be https/web-config.yml then?
I'm going to merge this and we can do more work in additional MRs.
Can we get an rc or an alpha release containing this?
There is no release schedule for the node_exporter. Feel free to build your own for testing.
Just so I understand the above, is the plan to have a 0.19.0 release where we can get this (just not scheduled for a particular date yet), or is the next official release going to be 1.0, so we'll have to wait for all the stuff on the 1.0 project board to land?
Milestone 1.0. https://github.com/prometheus/node_exporter/milestone/5 We're pretty close, so I don't think we'll need to do 0.19, as I would want those fixed for 0.19 anyway.
@SuperQ, is 1.0 still coming pretty soon? Or could a release be made to at least include the TLS support? It's currently a blocker for me being able to use node exporter. Thanks!
* The netdev collector CLI argument `--collector.netdev.ignored-devices` was renamed to `--collector.netdev.device-blacklist` in order to conform with the systemd collector. #1279
* The label named `state` on `node_systemd_service_restart_total` metrics was changed to `name` to better describe the metric. #1393
* Refactoring of the mdadm collector changes several metrics
  - `node_md_disks_active` is removed
  - `node_md_disks` now has a `state` label for "fail", "spare", "active" disks.
  - `node_md_is_active` is replaced by `node_md_state` with a state set of "active", "inactive", "recovering", "resync".
* Additional label `mountaddr` added to NFS device metrics to distinguish mounts from the same URL, but different IP addresses. #1417
* Metrics node_cpu_scaling_frequency_min_hrts and node_cpu_scaling_frequency_max_hrts of the cpufreq collector were renamed to node_cpu_scaling_frequency_min_hertz and node_cpu_scaling_frequency_max_hertz. #1510
* Collectors that are enabled, but are unable to find data to collect, now return 0 for `node_scrape_collector_success`.
* [CHANGE] Add `--collector.netdev.device-whitelist`. #1279
* [CHANGE] Ignore iso9600 filesystem on Linux #1355
* [CHANGE] Refactor mdadm collector #1403
* [CHANGE] Add `mountaddr` label to NFS metrics. #1417
* [CHANGE] Don't count empty collectors as success. #1613
* [FEATURE] New flag to disable default collectors #1276
* [FEATURE] Add experimental TLS support #1277, #1687, #1695
* [FEATURE] Add collector for Power Supply Class #1280
* [FEATURE] Add new schedstat collector #1389
* [FEATURE] Add FreeBSD zfs support #1394
* [FEATURE] Add uname support for Darwin and OpenBSD #1433
* [FEATURE] Add new metric node_cpu_info #1489
* [FEATURE] Add new thermal_zone collector #1425
* [FEATURE] Add new cooling_device metrics to thermal zone collector #1445
* [FEATURE] Add swap usage on darwin #1508
* [FEATURE] Add Btrfs collector #1512
* [FEATURE] Add RAPL collector #1523
* [FEATURE] Add new softnet collector #1576
* [FEATURE] Add new udp_queues collector #1503
* [FEATURE] Add basic authentication #1673
* [ENHANCEMENT] Log pid when there is a problem reading the process stats #1341
* [ENHANCEMENT] Collect InfiniBand port state and physical state #1357
* [ENHANCEMENT] Include additional XFS runtime statistics. #1423
* [ENHANCEMENT] Report non-fatal collection errors in the exporter metric. #1439
* [ENHANCEMENT] Expose IPVS firewall mark as a label #1455
* [ENHANCEMENT] Add check for systemd version before attempting to query certain metrics. #1413
* [ENHANCEMENT] Add a flag to adjust mount timeout #1486
* [ENHANCEMENT] Add new counters for flush requests in Linux 5.5 #1548
* [ENHANCEMENT] Add metrics and tests for UDP receive and send buffer errors #1534
* [ENHANCEMENT] The sockstat collector now exposes IPv6 statistics in addition to the existing IPv4 support. #1552
* [ENHANCEMENT] Add infiniband info metric #1563
* [ENHANCEMENT] Add unix socket support for supervisord collector #1592
* [ENHANCEMENT] Implement loadavg on all BSDs without cgo #1584
* [ENHANCEMENT] Add model_name and stepping to node_cpu_info metric #1617
* [ENHANCEMENT] Add `--collector.perf.cpus` to allow setting the CPU list for perf stats. #1561
* [ENHANCEMENT] Add metrics for IO errors and retries on Darwin. #1636
* [ENHANCEMENT] Add perf tracepoint collection flag #1664
* [ENHANCEMENT] ZFS: read contents of objset file #1632
* [ENHANCEMENT] Linux CPU: Cache CPU metrics to make them monotonically increasing #1711
* [BUGFIX] Read /proc/net files with a single read syscall #1380
* [BUGFIX] Renamed label `state` to `name` on `node_systemd_service_restart_total`. #1393
* [BUGFIX] Fix netdev nil reference on Darwin #1414
* [BUGFIX] Strip path.rootfs from mountpoint labels #1421
* [BUGFIX] Fix seconds reported by schedstat #1426
* [BUGFIX] Fix empty string in path.rootfs #1464
* [BUGFIX] Fix typo in cpufreq metric names #1510
* [BUGFIX] Read /proc/stat in one syscall #1538
* [BUGFIX] Fix OpenBSD cache memory information #1542
* [BUGFIX] Refactor textfile collector to avoid looping defer #1549
* [BUGFIX] Fix network speed math #1580
* [BUGFIX] collector/systemd: use regexp to extract systemd version #1647
* [BUGFIX] Fix initialization in perf collector when using multiple CPUs #1665
* [BUGFIX] Fix accidentally empty lines in meminfo_linux #1671

Signed-off-by: Ben Kochie <superq@gmail.com>
Add support for https connections.

Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com>
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Ben RIdley <benridley29@gmail.com>
* The netdev collector CLI argument `--collector.netdev.ignored-devices` was renamed to `--collector.netdev.device-blacklist` in order to conform with the systemd collector. prometheus#1279 * The label named `state` on `node_systemd_service_restart_total` metrics was changed to `name` to better describe the metric. prometheus#1393 * Refactoring of the mdadm collector changes several metrics - `node_md_disks_active` is removed - `node_md_disks` now has a `state` label for "fail", "spare", "active" disks. - `node_md_is_active` is replaced by `node_md_state` with a state set of "active", "inactive", "recovering", "resync". * Additional label `mountaddr` added to NFS device metrics to distinguish mounts from the same URL, but different IP addresses. prometheus#1417 * Metrics node_cpu_scaling_frequency_min_hrts and node_cpu_scaling_frequency_max_hrts of the cpufreq collector were renamed to node_cpu_scaling_frequency_min_hertz and node_cpu_scaling_frequency_max_hertz. prometheus#1510 * Collectors that are enabled, but are unable to find data to collect, now return 0 for `node_scrape_collector_success`. * [CHANGE] Add `--collector.netdev.device-whitelist`. prometheus#1279 * [CHANGE] Ignore iso9600 filesystem on Linux prometheus#1355 * [CHANGE] Refactor mdadm collector prometheus#1403 * [CHANGE] Add `mountaddr` label to NFS metrics. prometheus#1417 * [CHANGE] Don't count empty collectors as success. 
prometheus#1613 * [FEATURE] New flag to disable default collectors prometheus#1276 * [FEATURE] Add experimental TLS support prometheus#1277, prometheus#1687, prometheus#1695 * [FEATURE] Add collector for Power Supply Class prometheus#1280 * [FEATURE] Add new schedstat collector prometheus#1389 * [FEATURE] Add FreeBSD zfs support prometheus#1394 * [FEATURE] Add uname support for Darwin and OpenBSD prometheus#1433 * [FEATURE] Add new metric node_cpu_info prometheus#1489 * [FEATURE] Add new thermal_zone collector prometheus#1425 * [FEATURE] Add new cooling_device metrics to thermal zone collector prometheus#1445 * [FEATURE] Add swap usage on darwin prometheus#1508 * [FEATURE] Add Btrfs collector prometheus#1512 * [FEATURE] Add RAPL collector prometheus#1523 * [FEATURE] Add new softnet collector prometheus#1576 * [FEATURE] Add new udp_queues collector prometheus#1503 * [FEATURE] Add basic authentication prometheus#1673 * [ENHANCEMENT] Log pid when there is a problem reading the process stats prometheus#1341 * [ENHANCEMENT] Collect InfiniBand port state and physical state prometheus#1357 * [ENHANCEMENT] Include additional XFS runtime statistics. prometheus#1423 * [ENHANCEMENT] Report non-fatal collection errors in the exporter metric. prometheus#1439 * [ENHANCEMENT] Expose IPVS firewall mark as a label prometheus#1455 * [ENHANCEMENT] Add check for systemd version before attempting to query certain metrics. prometheus#1413 * [ENHANCEMENT] Add a flag to adjust mount timeout prometheus#1486 * [ENHANCEMENT] Add new counters for flush requests in Linux 5.5 prometheus#1548 * [ENHANCEMENT] Add metrics and tests for UDP receive and send buffer errors prometheus#1534 * [ENHANCEMENT] The sockstat collector now exposes IPv6 statistics in addition to the existing IPv4 support. 
prometheus#1552 * [ENHANCEMENT] Add infiniband info metric prometheus#1563 * [ENHANCEMENT] Add unix socket support for supervisord collector prometheus#1592 * [ENHANCEMENT] Implement loadavg on all BSDs without cgo prometheus#1584 * [ENHANCEMENT] Add model_name and stepping to node_cpu_info metric prometheus#1617 * [ENHANCEMENT] Add `--collector.perf.cpus` to allow setting the CPU list for perf stats. prometheus#1561 * [ENHANCEMENT] Add metrics for IO errors and retires on Darwin. prometheus#1636 * [ENHANCEMENT] Add perf tracepoint collection flag prometheus#1664 * [ENHANCEMENT] ZFS: read contents of objset file prometheus#1632 * [ENHANCEMENT] Linux CPU: Cache CPU metrics to make them monotonically increasing prometheus#1711 * [BUGFIX] Read /proc/net files with a single read syscall prometheus#1380 * [BUGFIX] Renamed label `state` to `name` on `node_systemd_service_restart_total`. prometheus#1393 * [BUGFIX] Fix netdev nil reference on Darwin prometheus#1414 * [BUGFIX] Strip path.rootfs from mountpoint labels prometheus#1421 * [BUGFIX] Fix seconds reported by schedstat prometheus#1426 * [BUGFIX] Fix empty string in path.rootfs prometheus#1464 * [BUGFIX] Fix typo in cpufreq metric names prometheus#1510 * [BUGFIX] Read /proc/stat in one syscall prometheus#1538 * [BUGFIX] Fix OpenBSD cache memory information prometheus#1542 * [BUGFIX] Refactor textfile collector to avoid looping defer prometheus#1549 * [BUGFIX] Fix network speed math prometheus#1580 * [BUGFIX] collector/systemd: use regexp to extract systemd version prometheus#1647 * [BUGFIX] Fix initialization in perf collector when using multiple CPUs prometheus#1665 * [BUGFIX] Fix accidentally empty lines in meminfo_linux prometheus#1671 Signed-off-by: Ben Kochie <superq@gmail.com>
Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com>
* The netdev collector CLI argument `--collector.netdev.ignored-devices` was renamed to `--collector.netdev.device-blacklist` in order to conform with the systemd collector. prometheus#1279
* The label named `state` on `node_systemd_service_restart_total` metrics was changed to `name` to better describe the metric. prometheus#1393
* Refactoring of the mdadm collector changes several metrics
  - `node_md_disks_active` is removed
  - `node_md_disks` now has a `state` label for "fail", "spare", "active" disks.
  - `node_md_is_active` is replaced by `node_md_state` with a state set of "active", "inactive", "recovering", "resync".
* Additional label `mountaddr` added to NFS device metrics to distinguish mounts from the same URL, but different IP addresses. prometheus#1417
* Metrics node_cpu_scaling_frequency_min_hrts and node_cpu_scaling_frequency_max_hrts of the cpufreq collector were renamed to node_cpu_scaling_frequency_min_hertz and node_cpu_scaling_frequency_max_hertz. prometheus#1510
* Collectors that are enabled, but are unable to find data to collect, now return 0 for `node_scrape_collector_success`.

* [CHANGE] Add `--collector.netdev.device-whitelist`. prometheus#1279
* [CHANGE] Ignore iso9600 filesystem on Linux prometheus#1355
* [CHANGE] Refactor mdadm collector prometheus#1403
* [CHANGE] Add `mountaddr` label to NFS metrics. prometheus#1417
* [CHANGE] Don't count empty collectors as success. prometheus#1613
* [FEATURE] New flag to disable default collectors prometheus#1276
* [FEATURE] Add experimental TLS support prometheus#1277, prometheus#1687, prometheus#1695
* [FEATURE] Add collector for Power Supply Class prometheus#1280
* [FEATURE] Add new schedstat collector prometheus#1389
* [FEATURE] Add FreeBSD zfs support prometheus#1394
* [FEATURE] Add uname support for Darwin and OpenBSD prometheus#1433
* [FEATURE] Add new metric node_cpu_info prometheus#1489
* [FEATURE] Add new thermal_zone collector prometheus#1425
* [FEATURE] Add new cooling_device metrics to thermal zone collector prometheus#1445
* [FEATURE] Add swap usage on darwin prometheus#1508
* [FEATURE] Add Btrfs collector prometheus#1512
* [FEATURE] Add RAPL collector prometheus#1523
* [FEATURE] Add new softnet collector prometheus#1576
* [FEATURE] Add new udp_queues collector prometheus#1503
* [FEATURE] Add basic authentication prometheus#1673
* [ENHANCEMENT] Log pid when there is a problem reading the process stats prometheus#1341
* [ENHANCEMENT] Collect InfiniBand port state and physical state prometheus#1357
* [ENHANCEMENT] Include additional XFS runtime statistics. prometheus#1423
* [ENHANCEMENT] Report non-fatal collection errors in the exporter metric. prometheus#1439
* [ENHANCEMENT] Expose IPVS firewall mark as a label prometheus#1455
* [ENHANCEMENT] Add check for systemd version before attempting to query certain metrics. prometheus#1413
* [ENHANCEMENT] Add a flag to adjust mount timeout prometheus#1486
* [ENHANCEMENT] Add new counters for flush requests in Linux 5.5 prometheus#1548
* [ENHANCEMENT] Add metrics and tests for UDP receive and send buffer errors prometheus#1534
* [ENHANCEMENT] The sockstat collector now exposes IPv6 statistics in addition to the existing IPv4 support. prometheus#1552
* [ENHANCEMENT] Add infiniband info metric prometheus#1563
* [ENHANCEMENT] Add unix socket support for supervisord collector prometheus#1592
* [ENHANCEMENT] Implement loadavg on all BSDs without cgo prometheus#1584
* [ENHANCEMENT] Add model_name and stepping to node_cpu_info metric prometheus#1617
* [ENHANCEMENT] Add `--collector.perf.cpus` to allow setting the CPU list for perf stats. prometheus#1561
* [ENHANCEMENT] Add metrics for IO errors and retries on Darwin. prometheus#1636
* [ENHANCEMENT] Add perf tracepoint collection flag prometheus#1664
* [ENHANCEMENT] ZFS: read contents of objset file prometheus#1632
* [ENHANCEMENT] Linux CPU: Cache CPU metrics to make them monotonically increasing prometheus#1711
* [BUGFIX] Read /proc/net files with a single read syscall prometheus#1380
* [BUGFIX] Renamed label `state` to `name` on `node_systemd_service_restart_total`. prometheus#1393
* [BUGFIX] Fix netdev nil reference on Darwin prometheus#1414
* [BUGFIX] Strip path.rootfs from mountpoint labels prometheus#1421
* [BUGFIX] Fix seconds reported by schedstat prometheus#1426
* [BUGFIX] Fix empty string in path.rootfs prometheus#1464
* [BUGFIX] Fix typo in cpufreq metric names prometheus#1510
* [BUGFIX] Read /proc/stat in one syscall prometheus#1538
* [BUGFIX] Fix OpenBSD cache memory information prometheus#1542
* [BUGFIX] Refactor textfile collector to avoid looping defer prometheus#1549
* [BUGFIX] Fix network speed math prometheus#1580
* [BUGFIX] collector/systemd: use regexp to extract systemd version prometheus#1647
* [BUGFIX] Fix initialization in perf collector when using multiple CPUs prometheus#1665
* [BUGFIX] Fix accidentally empty lines in meminfo_linux prometheus#1671

Signed-off-by: Ben Kochie <superq@gmail.com>
As discussed in #1198
TLS added in https package.
TLS enabled by config file specified by running with the flag --web.tls-config="/Path-to-Config/"
If no flags passed, http listener starts up as normal.