Add cpu vulnerabilities reporting from sysfs (#2721)

* Add cpu vulnerabilities reporting from sysfs

---------

Signed-off-by: Michal Wasilewski <michal@mwasilewski.net>
pull/2731/head
Michal 1 year ago committed by GitHub
parent 3e3ab1778b
commit c31ebb4359
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -183,6 +183,7 @@ Name | Description | OS
---------|-------------|---- ---------|-------------|----
buddyinfo | Exposes statistics of memory fragments as reported by /proc/buddyinfo. | Linux buddyinfo | Exposes statistics of memory fragments as reported by /proc/buddyinfo. | Linux
cgroups | A summary of the number of active and enabled cgroups | Linux cgroups | A summary of the number of active and enabled cgroups | Linux
cpu\_vulnerabilities | Exposes CPU vulnerability information from sysfs. | Linux
devstat | Exposes device statistics | Dragonfly, FreeBSD devstat | Exposes device statistics | Dragonfly, FreeBSD
drbd | Exposes Distributed Replicated Block Device statistics (to version 8.4) | Linux drbd | Exposes Distributed Replicated Block Device statistics (to version 8.4) | Linux
ethtool | Exposes network interface information and network driver statistics equivalent to `ethtool`, `ethtool -S`, and `ethtool -i`. | Linux ethtool | Exposes network interface information and network driver statistics equivalent to `ethtool`, `ethtool -S`, and `ethtool -i`. | Linux

@ -0,0 +1,68 @@
// Copyright 2023 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package collector
import (
"fmt"
"github.com/go-kit/log"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/procfs/sysfs"
)
const (
cpuVulerabilitiesCollector = "cpu_vulnerabilities"
)
var (
vulnerabilityDesc = prometheus.NewDesc(
prometheus.BuildFQName(namespace, cpuVulerabilitiesCollector, "info"),
"Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label",
[]string{"codename", "state"},
nil,
)
)
type cpuVulnerabilitiesCollector struct{}
func init() {
registerCollector(cpuVulerabilitiesCollector, defaultDisabled, NewVulnerabilitySysfsCollector)
}
func NewVulnerabilitySysfsCollector(logger log.Logger) (Collector, error) {
return &cpuVulnerabilitiesCollector{}, nil
}
func (v *cpuVulnerabilitiesCollector) Update(ch chan<- prometheus.Metric) error {
fs, err := sysfs.NewFS(*sysPath)
if err != nil {
return fmt.Errorf("failed to open sysfs: %w", err)
}
vulnerabilities, err := fs.CPUVulnerabilities()
if err != nil {
return fmt.Errorf("failed to get vulnerabilities: %w", err)
}
for _, vulnerability := range vulnerabilities {
ch <- prometheus.MustNewConstMetric(
vulnerabilityDesc,
prometheus.GaugeValue,
1.0,
vulnerability.CodeName,
sysfs.VulnerabilityHumanEncoding[vulnerability.State],
)
}
return nil
}

@ -402,6 +402,13 @@ node_cpu_seconds_total{cpu="7",mode="softirq"} 0.31
node_cpu_seconds_total{cpu="7",mode="steal"} 0 node_cpu_seconds_total{cpu="7",mode="steal"} 0
node_cpu_seconds_total{cpu="7",mode="system"} 101.64 node_cpu_seconds_total{cpu="7",mode="system"} 101.64
node_cpu_seconds_total{cpu="7",mode="user"} 290.98 node_cpu_seconds_total{cpu="7",mode="user"} 290.98
# HELP node_cpu_vulnerabilities_info Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label
# TYPE node_cpu_vulnerabilities_info gauge
node_cpu_vulnerabilities_info{codename="itlb_multihit",state="not affected"} 1
node_cpu_vulnerabilities_info{codename="mds",state="vulnerable"} 1
node_cpu_vulnerabilities_info{codename="retbleed",state="mitigation"} 1
node_cpu_vulnerabilities_info{codename="spectre_v1",state="mitigation"} 1
node_cpu_vulnerabilities_info{codename="spectre_v2",state="mitigation"} 1
# HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs). # HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs).
# TYPE node_disk_ata_rotation_rate_rpm gauge # TYPE node_disk_ata_rotation_rate_rpm gauge
node_disk_ata_rotation_rate_rpm{device="sda"} 7200 node_disk_ata_rotation_rate_rpm{device="sda"} 7200
@ -2887,6 +2894,7 @@ node_scrape_collector_success{collector="buddyinfo"} 1
node_scrape_collector_success{collector="cgroups"} 1 node_scrape_collector_success{collector="cgroups"} 1
node_scrape_collector_success{collector="conntrack"} 1 node_scrape_collector_success{collector="conntrack"} 1
node_scrape_collector_success{collector="cpu"} 1 node_scrape_collector_success{collector="cpu"} 1
node_scrape_collector_success{collector="cpu_vulnerabilities"} 1
node_scrape_collector_success{collector="cpufreq"} 1 node_scrape_collector_success{collector="cpufreq"} 1
node_scrape_collector_success{collector="diskstats"} 1 node_scrape_collector_success{collector="diskstats"} 1
node_scrape_collector_success{collector="dmi"} 1 node_scrape_collector_success{collector="dmi"} 1

@ -424,6 +424,13 @@ node_cpu_seconds_total{cpu="7",mode="softirq"} 0.31
node_cpu_seconds_total{cpu="7",mode="steal"} 0 node_cpu_seconds_total{cpu="7",mode="steal"} 0
node_cpu_seconds_total{cpu="7",mode="system"} 101.64 node_cpu_seconds_total{cpu="7",mode="system"} 101.64
node_cpu_seconds_total{cpu="7",mode="user"} 290.98 node_cpu_seconds_total{cpu="7",mode="user"} 290.98
# HELP node_cpu_vulnerabilities_info Details of each CPU vulnerability reported by sysfs. The value of the series is an int encoded state of the vulnerability. The same state is stored as a string in the label
# TYPE node_cpu_vulnerabilities_info gauge
node_cpu_vulnerabilities_info{codename="itlb_multihit",state="not affected"} 1
node_cpu_vulnerabilities_info{codename="mds",state="vulnerable"} 1
node_cpu_vulnerabilities_info{codename="retbleed",state="mitigation"} 1
node_cpu_vulnerabilities_info{codename="spectre_v1",state="mitigation"} 1
node_cpu_vulnerabilities_info{codename="spectre_v2",state="mitigation"} 1
# HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs). # HELP node_disk_ata_rotation_rate_rpm ATA disk rotation rate in RPMs (0 for SSDs).
# TYPE node_disk_ata_rotation_rate_rpm gauge # TYPE node_disk_ata_rotation_rate_rpm gauge
node_disk_ata_rotation_rate_rpm{device="sda"} 7200 node_disk_ata_rotation_rate_rpm{device="sda"} 7200
@ -2909,6 +2916,7 @@ node_scrape_collector_success{collector="buddyinfo"} 1
node_scrape_collector_success{collector="cgroups"} 1 node_scrape_collector_success{collector="cgroups"} 1
node_scrape_collector_success{collector="conntrack"} 1 node_scrape_collector_success{collector="conntrack"} 1
node_scrape_collector_success{collector="cpu"} 1 node_scrape_collector_success{collector="cpu"} 1
node_scrape_collector_success{collector="cpu_vulnerabilities"} 1
node_scrape_collector_success{collector="cpufreq"} 1 node_scrape_collector_success{collector="cpufreq"} 1
node_scrape_collector_success{collector="diskstats"} 1 node_scrape_collector_success{collector="diskstats"} 1
node_scrape_collector_success{collector="dmi"} 1 node_scrape_collector_success{collector="dmi"} 1

@ -3555,6 +3555,34 @@ Lines: 1
0-3 0-3
Mode: 664 Mode: 664
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Directory: sys/devices/system/cpu/vulnerabilities
Mode: 755
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: sys/devices/system/cpu/vulnerabilities/itlb_multihit
Lines: 1
Not affected
Mode: 644
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: sys/devices/system/cpu/vulnerabilities/mds
Lines: 1
Vulnerable
Mode: 644
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: sys/devices/system/cpu/vulnerabilities/retbleed
Lines: 1
Mitigation: untrained return thunk; SMT enabled with STIBP protection
Mode: 644
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: sys/devices/system/cpu/vulnerabilities/spectre_v1
Lines: 1
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Mode: 644
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Path: sys/devices/system/cpu/vulnerabilities/spectre_v2
Lines: 1
Mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected
Mode: 644
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Directory: sys/devices/system/edac Directory: sys/devices/system/edac
Mode: 755 Mode: 755
# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

@ -12,6 +12,7 @@ enabled_collectors=$(cat << COLLECTORS
conntrack conntrack
cpu cpu
cpufreq cpufreq
cpu_vulnerabilities
diskstats diskstats
dmi dmi
drbd drbd

@ -26,7 +26,7 @@ require (
github.com/prometheus/client_model v0.4.0 github.com/prometheus/client_model v0.4.0
github.com/prometheus/common v0.44.0 github.com/prometheus/common v0.44.0
github.com/prometheus/exporter-toolkit v0.10.0 github.com/prometheus/exporter-toolkit v0.10.0
github.com/prometheus/procfs v0.10.1 github.com/prometheus/procfs v0.11.0
github.com/safchain/ethtool v0.3.0 github.com/safchain/ethtool v0.3.0
golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
golang.org/x/sys v0.9.0 golang.org/x/sys v0.9.0

@ -84,8 +84,8 @@ github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdO
github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
github.com/prometheus/exporter-toolkit v0.10.0 h1:yOAzZTi4M22ZzVxD+fhy1URTuNRj/36uQJJ5S8IPza8= github.com/prometheus/exporter-toolkit v0.10.0 h1:yOAzZTi4M22ZzVxD+fhy1URTuNRj/36uQJJ5S8IPza8=
github.com/prometheus/exporter-toolkit v0.10.0/go.mod h1:+sVFzuvV5JDyw+Ih6p3zFxZNVnKQa3x5qPmDSiPu4ZY= github.com/prometheus/exporter-toolkit v0.10.0/go.mod h1:+sVFzuvV5JDyw+Ih6p3zFxZNVnKQa3x5qPmDSiPu4ZY=
github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= github.com/prometheus/procfs v0.11.0 h1:5EAgkfkMl659uZPbe9AS2N68a7Cc1TJbPEuGzFuRbyk=
github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= github.com/prometheus/procfs v0.11.0/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP0= github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP0=
github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs= github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=

Loading…
Cancel
Save