diff --git a/README.md b/README.md
index 20abcc69a..08d0e3e64 100644
--- a/README.md
+++ b/README.md
@@ -2013,8 +2013,10 @@ VictoriaMetrics provides the following security-related command-line flags:
 with [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
 * `-deleteAuthKey` for protecting `/api/v1/admin/tsdb/delete_series` endpoint. See [how to delete time series](#how-to-delete-time-series).
 * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots).
+* `-forceFlushAuthKey` for protecting `/internal/force_flush` endpoint. See [these docs](#troubleshooting).
 * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge).
 * `-search.resetCacheAuthKey` for protecting `/internal/resetRollupResultCache` endpoint. See [backfilling](#backfilling) for more details.
+* `-reloadAuthKey` for protecting `/-/reload` endpoint, which is used for force reloading of [`-promscrape.config`](#how-to-scrape-prometheus-exporters-such-as-node-exporter).
 * `-configAuthKey` for protecting `/config` endpoint, since it may contain sensitive information such as passwords.
 * `-flagsAuthKey` for protecting `/flags` endpoint.
 * `-pprofAuthKey` for protecting `/debug/pprof/*` endpoints, which can be used for [profiling](#profiling).
@@ -2575,8 +2577,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 The number of cache misses before putting the block into cache. Higher values may reduce indexdb/dataBlocks cache size at the cost of higher CPU and disk read usage (default 2)
 -cacheExpireDuration duration
 Items are removed from in-memory caches after they aren't accessed for this duration. Lower values may reduce memory usage at the cost of higher CPU usage. See also -prevCacheRemovalPercent (default 30m0s)
- -configAuthKey string
+ -configAuthKey value
 Authorization key for accessing /config page. It must be passed via authKey query arg
+ Flag value can be read from the given file when using -configAuthKey=file:///abs/path/to/file or -configAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -configAuthKey=http://host/path or -configAuthKey=https://host/path
 -csvTrimTimestamp duration
 Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
 -datadog.maxInsertRequestSize size
@@ -2586,8 +2589,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Sanitize metric names for the ingested DataDog data to comply with DataDog behaviour described at https://docs.datadoghq.com/metrics/custom_metrics/#naming-custom-metrics (default true)
 -dedup.minScrapeInterval duration
 Leave only the last sample in every time series per each discrete interval equal to -dedup.minScrapeInterval > 0. See https://docs.victoriametrics.com/#deduplication and https://docs.victoriametrics.com/#downsampling
- -deleteAuthKey string
+ -deleteAuthKey value
 authKey for metrics' deletion via /api/v1/admin/tsdb/delete_series and /tags/delSeries
+ Flag value can be read from the given file when using -deleteAuthKey=file:///abs/path/to/file or -deleteAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -deleteAuthKey=http://host/path or -deleteAuthKey=https://host/path
 -denyQueriesOutsideRetention
 Whether to deny queries outside the configured -retentionPeriod. When set, then /api/v1/query_range would return '503 Service Unavailable' error for queries with 'from' value outside -retentionPeriod. This may be useful when multiple data sources with distinct retentions are hidden behind query-tee
 -denyQueryTracing
@@ -2609,12 +2613,15 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU
 -finalMergeDelay duration
 The delay before starting final merge for per-month partition after no new data is ingested into it. Final merge may require additional disk IO and CPU resources. Final merge may increase query speed and reduce disk space usage in some cases. Zero value disables final merge
- -flagsAuthKey string
+ -flagsAuthKey value
 Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
- -forceFlushAuthKey string
+ Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path
+ -forceFlushAuthKey value
 authKey, which must be passed in query string to /internal/force_flush pages
- -forceMergeAuthKey string
+ Flag value can be read from the given file when using -forceFlushAuthKey=file:///abs/path/to/file or -forceFlushAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -forceFlushAuthKey=http://host/path or -forceFlushAuthKey=https://host/path
+ -forceMergeAuthKey value
 authKey, which must be passed in query string to /internal/force_merge pages
+ Flag value can be read from the given file when using -forceMergeAuthKey=file:///abs/path/to/file or -forceMergeAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -forceMergeAuthKey=http://host/path or -forceMergeAuthKey=https://host/path
 -fs.disableMmap
 Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread()
 -graphiteListenAddr string
@@ -2641,8 +2648,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus
 -http.shutdownDelay duration
 Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers
- -httpAuth.password string
+ -httpAuth.password value
 Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty
+ Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path
 -httpAuth.username string
 Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password
 -httpListenAddr string
@@ -2724,8 +2732,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)
 -metrics.exposeMetadata
 Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type
- -metricsAuthKey string
+ -metricsAuthKey value
 Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path
 -newrelic.maxInsertRequestSize size
 The maximum size in bytes of a single NewRelic request to /newrelic/infra/v2/metrics/events/bulk
 Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)
@@ -2744,8 +2753,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 33554432)
 -opentsdbhttpTrimTimestamp duration
 Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
- -pprofAuthKey string
+ -pprofAuthKey value
 Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path
 -precisionBits int
 The number of precision bits to store per each value. Lower precision bits improves data compression at the cost of precision loss (default 64)
 -prevCacheRemovalPercent float
@@ -2860,6 +2870,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Supports an array of values separated by comma or specified via multiple flags.
 -relabelConfig string
 Optional path to a file with relabeling rules, which are applied to all the ingested metrics. The path can point either to local file or to http url. See https://docs.victoriametrics.com/#relabeling for details. The config is reloaded on SIGHUP signal
+ -reloadAuthKey value
+ Auth key for /-/reload http endpoint. It must be passed as authKey=...
+ Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path
 -retentionFilter array
 Retention filter in the format 'filter:retention'. For example, '{env="dev"}:3d' configures the retention for time series with env="dev" label to 3 days. See https://docs.victoriametrics.com/#retention-filters for details. This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/enterprise.html
 Supports an array of values separated by comma or specified via multiple flags.
@@ -2954,8 +2967,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Query stats for /api/v1/status/top_queries is tracked on this number of last queries. Zero value disables query stats tracking (default 20000)
 -search.queryStats.minQueryDuration duration
 The minimum duration for queries to track in query stats at /api/v1/status/top_queries. Queries with lower duration are ignored in query stats (default 1ms)
- -search.resetCacheAuthKey string
+ -search.resetCacheAuthKey value
 Optional authKey for resetting rollup cache via /internal/resetRollupResultCache call
+ Flag value can be read from the given file when using -search.resetCacheAuthKey=file:///abs/path/to/file or -search.resetCacheAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -search.resetCacheAuthKey=http://host/path or -search.resetCacheAuthKey=https://host/path
 -search.setLookbackToStep
 Whether to fix lookback interval to 'step' query arg value. If set to true, the query model becomes closer to InfluxDB data model. If set to true, then -search.maxLookback and -search.maxStalenessInterval are ignored
 -search.treatDotsAsIsInRegexps
@@ -2968,8 +2982,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Value for 'job' label, which is added to self-scraped metrics (default "victoria-metrics")
 -smallMergeConcurrency int
 The maximum number of workers for background merges. See https://docs.victoriametrics.com/#storage . It isn't recommended tuning this flag in general case, since this may lead to uncontrolled increase in the number of parts and increased CPU usage during queries
- -snapshotAuthKey string
+ -snapshotAuthKey value
 authKey, which must be passed in query string to /snapshot* pages
+ Flag value can be read from the given file when using -snapshotAuthKey=file:///abs/path/to/file or -snapshotAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -snapshotAuthKey=http://host/path or -snapshotAuthKey=https://host/path
 -snapshotCreateTimeout duration
 The timeout for creating new snapshot. If set, make sure that timeout is lower than backup period
 -snapshotsMaxAge value
diff --git a/app/vmagent/main.go b/app/vmagent/main.go
index 913f832b8..aaf7cf7c8 100644
--- a/app/vmagent/main.go
+++ b/app/vmagent/main.go
@@ -69,7 +69,8 @@ var (
 "See also -opentsdbHTTPListenAddr.useProxyProtocol")
 opentsdbHTTPUseProxyProtocol = flag.Bool("opentsdbHTTPListenAddr.useProxyProtocol", false, "Whether to use proxy protocol for connections accepted "+
 "at -opentsdbHTTPListenAddr . See https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt")
- configAuthKey = flag.String("configAuthKey", "", "Authorization key for accessing /config page. It must be passed via authKey query arg")
+ configAuthKey = flagutil.NewPassword("configAuthKey", "Authorization key for accessing /config page. It must be passed via authKey query arg")
+ reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
 dryRun = flag.Bool("dryRun", false, "Whether to check config files without running vmagent. The following files are checked: "+
 "-promscrape.config, -remoteWrite.relabelConfig, -remoteWrite.urlRelabelConfig, -remoteWrite.streamAggr.config . "+
 "Unknown config entries aren't allowed in -promscrape.config by default. This can be changed by passing -promscrape.config.strictParse=false command-line flag")
@@ -421,7 +422,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 }
 return true
 case "/prometheus/config", "/config":
- if !httpserver.CheckAuthFlag(w, r, *configAuthKey, "configAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, configAuthKey.Get(), "configAuthKey") {
 return true
 }
 promscrapeConfigRequests.Inc()
@@ -430,7 +431,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 return true
 case "/prometheus/api/v1/status/config", "/api/v1/status/config":
 // See https://prometheus.io/docs/prometheus/latest/querying/api/#config
- if !httpserver.CheckAuthFlag(w, r, *configAuthKey, "configAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, configAuthKey.Get(), "configAuthKey") {
 return true
 }
 promscrapeStatusConfigRequests.Inc()
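Review bot: `configAuthKey` and the new `reloadAuthKey` are now `flagutil.NewPassword` values, and the help text this diff adds to the README advertises `http://host/path` as a valid source for them, so the secret that gates `/config` and `/-/reload` can be fetched in cleartext at runtime and anyone able to answer for that host can read or choose it. Unless `NewPassword` rejects plain-http sources (not visible here), a one-line warning next to these declarations would help operators: `// NOTE: use file:// or https:// sources for auth keys; an http:// source leaks the key and lets a spoofed host set it.` The enclosing `var (` block starts and ends outside the hunk.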
@@ -440,6 +441,9 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 fmt.Fprintf(w, `{"status":"success","data":{"yaml":%q}}`, bb.B)
 return true
 case "/prometheus/-/reload", "/-/reload":
+ if !httpserver.CheckAuthFlag(w, r, reloadAuthKey.Get(), "reloadAuthKey") {
+ return true
+ }
 promscrapeConfigReloadRequests.Inc()
 procutil.SelfSIGHUP()
 w.WriteHeader(http.StatusOK)
diff --git a/app/vmalert/web.go b/app/vmalert/web.go
index 04004a446..f4c4d2fcb 100644
--- a/app/vmalert/web.go
+++ b/app/vmalert/web.go
@@ -12,11 +12,14 @@ import (
 "github.com/VictoriaMetrics/VictoriaMetrics/app/vmalert/notifier"
 "github.com/VictoriaMetrics/VictoriaMetrics/app/vmalert/rule"
 "github.com/VictoriaMetrics/VictoriaMetrics/app/vmalert/tpl"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/httpserver"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/procutil"
 )
 
+var reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
+
 var (
 apiLinks = [][2]string{
 // api links are relative since they can be used by external clients,
@@ -151,6 +154,9 @@ func (rh *requestHandler) handler(w http.ResponseWriter, r *http.Request) bool {
 w.Write(data)
 return true
 case "/-/reload":
+ if !httpserver.CheckAuthFlag(w, r, reloadAuthKey.Get(), "reloadAuthKey") {
+ return true
+ }
 logger.Infof("api config reload was called, sending sighup")
 procutil.SelfSIGHUP()
 w.WriteHeader(http.StatusOK)
diff --git a/app/vmauth/auth_config.go b/app/vmauth/auth_config.go
index d47f081dd..4403829c6 100644
--- a/app/vmauth/auth_config.go
+++ b/app/vmauth/auth_config.go
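Review bot: The new `CheckAuthFlag` gate on `/-/reload` still lets any HTTP method, including a bare GET, reach `procutil.SelfSIGHUP()`; because the key travels in the query string, a reload URL that lands in a browser history, bookmark or proxy log is directly replayable, and when `-reloadAuthKey` is unset the fallback is presumably the `httpAuth.*` credentials a browser resends on its own, so a cross-site `<img src>` can force repeated config reloads. Prometheus only honours POST and PUT on this path; rejecting other methods ahead of the auth check, `if r.Method != http.MethodPost && r.Method != http.MethodPut { http.Error(w, "method not allowed", http.StatusMethodNotAllowed); return true }`, closes this, though it would break callers that GET today. `requestHandler` starts and ends outside the hunk.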
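Review bot: Style: the new `reloadAuthKey` is declared as a standalone `var` immediately above the file's existing `var (` block, while vmagent and vmauth in this same diff keep the flag inside their grouped declarations; moving it into the block below keeps vmalert's package-level state in one place. The help text `It must be passed as authKey=...` also differs from the wording used for the other auth-key flags (`It must be passed via authKey query arg`), so the generated docs read inconsistently.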
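Review bot: Now that `/-/reload` is gated by `-reloadAuthKey`, the log line `api config reload was called, sending sighup` records a security-relevant action without saying who triggered it; include the requester so an unexpected reload can be traced, e.g. `logger.Infof("api config reload was called by %s, sending sighup", r.RemoteAddr)`. Behind a reverse proxy `r.RemoteAddr` is the proxy, so the forwarded-for header may be the more useful field there. The enclosing `handler` method starts and ends outside the hunk.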
@@ -23,7 +23,7 @@ import (
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/envtemplate"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
- "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/procutil"
 )
@@ -481,7 +481,7 @@ var (
 // The config can be not applied if there is a parsing error
 // or if there are no changes to the current authConfig.
 func loadAuthConfig() (bool, error) {
- data, err := fs.ReadFileOrHTTP(*authConfigPath)
+ data, err := fscore.ReadFileOrHTTP(*authConfigPath)
 if err != nil {
 return false, fmt.Errorf("failed to read -auth.config=%q: %w", *authConfigPath, err)
 }
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index 2c56ea9c7..c60bb7af9 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
@@ -24,7 +24,7 @@ import (
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/encoding"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/envflag"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
- "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/httpserver"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/netutil"
@@ -45,7 +45,7 @@ var (
 maxConcurrentPerUserRequests = flag.Int("maxConcurrentPerUserRequests", 300, "The maximum number of concurrent requests vmauth can process per each configured user. "+
 "Other requests are rejected with '429 Too Many Requests' http status code. See also -maxConcurrentRequests command-line option and max_concurrent_requests option "+
 "in per-user config")
- reloadAuthKey = flag.String("reloadAuthKey", "", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
+ reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
 logInvalidAuthTokens = flag.Bool("logInvalidAuthTokens", false, "Whether to log requests with invalid auth tokens. "+
 `Such requests are always counted at vmauth_http_request_errors_total{reason="invalid_auth_token"} metric, which is exposed at /metrics page`)
 failTimeout = flag.Duration("failTimeout", 3*time.Second, "Sets a delay period for load balancing to skip a malfunctioning backend")
@@ -89,7 +89,7 @@ func main() {
 func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 switch r.URL.Path {
 case "/-/reload":
- if !httpserver.CheckAuthFlag(w, r, *reloadAuthKey, "reloadAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, reloadAuthKey.Get(), "reloadAuthKey") {
 return true
 }
 configReloadRequests.Inc()
@@ -438,7 +438,7 @@ func newTransport(insecureSkipVerify bool, caFile string) (*http.Transport, erro
 tlsCfg.ClientSessionCache = tls.NewLRUClientSessionCache(0)
 tlsCfg.InsecureSkipVerify = insecureSkipVerify
 if caFile != "" {
- data, err := fs.ReadFileOrHTTP(caFile)
+ data, err := fscore.ReadFileOrHTTP(caFile)
 if err != nil {
 return nil, fmt.Errorf("cannot read tls_ca_file: %w", err)
 }
diff --git a/app/vminsert/main.go b/app/vminsert/main.go
index c32ea402d..91fe14fa9 100644
--- a/app/vminsert/main.go
+++ b/app/vminsert/main.go
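Review bot: `newTransport` now reads `tls_ca_file` through `fscore.ReadFileOrHTTP`, and if that helper accepts `http://` sources the way the flag help text elsewhere in this diff describes, the trust anchor for backend TLS can itself be fetched over cleartext, so an on-path attacker can hand vmauth a CA of their choosing and the verified backend connection verifies nothing. The commit only moves the call between packages, so this is inherited, but it is the natural place to refuse non-`https://` URLs for CA material or at least note it: `// NOTE: a CA bundle fetched over plain http can be replaced by an on-path attacker; require file:// or https:// here.` The function starts and ends outside the hunk.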
@@ -29,6 +29,7 @@ import (
 "github.com/VictoriaMetrics/VictoriaMetrics/app/vminsert/vmimport"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/auth"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/httpserver"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/influxutils"
 graphiteserver "github.com/VictoriaMetrics/VictoriaMetrics/lib/ingestserver/graphite"
@@ -62,7 +63,8 @@ var (
 "See also -opentsdbHTTPListenAddr.useProxyProtocol")
 opentsdbHTTPUseProxyProtocol = flag.Bool("opentsdbHTTPListenAddr.useProxyProtocol", false, "Whether to use proxy protocol for connections accepted "+
 "at -opentsdbHTTPListenAddr . See https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt")
- configAuthKey = flag.String("configAuthKey", "", "Authorization key for accessing /config page. It must be passed via authKey query arg")
+ configAuthKey = flagutil.NewPassword("configAuthKey", "Authorization key for accessing /config page. It must be passed via authKey query arg")
+ reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
 maxLabelsPerTimeseries = flag.Int("maxLabelsPerTimeseries", 30, "The maximum number of labels accepted per time series. Superfluous labels are dropped. In this case the vm_metrics_with_dropped_labels_total metric at /metrics page is incremented")
 maxLabelValueLen = flag.Int("maxLabelValueLen", 16*1024, "The maximum length of label values in the accepted time series. Longer label values are truncated. In this case the vm_too_long_label_values_total metric at /metrics page is incremented")
 )
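Review bot: `configAuthKey.Get()` and `reloadAuthKey.Get()` are evaluated per request and may re-read a file or URL; what `Get` returns when that read fails is not visible here, and if it yields an empty string the callers' `CheckAuthFlag(w, r, key.Get(), ...)` path will treat the key as unset and fall back to the `httpAuth.*` settings, which when those are also unset silently opens `/config` and `/-/reload` for the length of the outage. Worth confirming in flagutil that a failed refresh keeps the last good value or fails the request rather than degrading to empty, and recording that contract beside these declarations: `// NOTE: an empty key disables the authKey check, so Get() must never return "" on a transient read error.` The enclosing `var (` block starts and ends outside the hunk.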
@@ -315,7 +317,7 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 }
 return true
 case "/prometheus/config", "/config":
- if !httpserver.CheckAuthFlag(w, r, *configAuthKey, "configAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, configAuthKey.Get(), "configAuthKey") {
 return true
 }
 promscrapeConfigRequests.Inc()
@@ -324,7 +326,7 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 return true
 case "/prometheus/api/v1/status/config", "/api/v1/status/config":
 // See https://prometheus.io/docs/prometheus/latest/querying/api/#config
- if !httpserver.CheckAuthFlag(w, r, *configAuthKey, "configAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, configAuthKey.Get(), "configAuthKey") {
 return true
 }
 promscrapeStatusConfigRequests.Inc()
@@ -334,6 +336,9 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 fmt.Fprintf(w, `{"status":"success","data":{"yaml":%q}}`, bb.B)
 return true
 case "/prometheus/-/reload", "/-/reload":
+ if !httpserver.CheckAuthFlag(w, r, reloadAuthKey.Get(), "reloadAuthKey") {
+ return true
+ }
 promscrapeConfigReloadRequests.Inc()
 procutil.SelfSIGHUP()
 w.WriteHeader(http.StatusNoContent)
diff --git a/app/vmselect/main.go b/app/vmselect/main.go
index c239852a4..9a7c187a2 100644
--- a/app/vmselect/main.go
+++ b/app/vmselect/main.go
@@ -18,6 +18,7 @@ import (
 "github.com/VictoriaMetrics/VictoriaMetrics/app/vmselect/searchutils"
 "github.com/VictoriaMetrics/VictoriaMetrics/app/vmstorage"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/cgroup"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/httpserver"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/httputils"
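Review bot: vminsert's `/-/reload` answers `http.StatusNoContent` while the same path in vmagent, also gated by `reloadAuthKey.Get()` in this diff, answers `http.StatusOK`, so a client or automation written against one binary sees a different status from the other; either unify the code or document the difference. As in vmagent, the handler still fires `procutil.SelfSIGHUP()` on any method including GET, so a key that leaks into a proxy or browser log is directly replayable — consider restricting the path to POST/PUT before the auth check. `RequestHandler` starts and ends outside the hunk.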
@@ -29,13 +30,13 @@ import (
 )
 
 var (
- deleteAuthKey = flag.String("deleteAuthKey", "", "authKey for metrics' deletion via /api/v1/admin/tsdb/delete_series and /tags/delSeries")
+ deleteAuthKey = flagutil.NewPassword("deleteAuthKey", "authKey for metrics' deletion via /api/v1/admin/tsdb/delete_series and /tags/delSeries")
 maxConcurrentRequests = flag.Int("search.maxConcurrentRequests", getDefaultMaxConcurrentRequests(), "The maximum number of concurrent search requests. "+
 "It shouldn't be high, since a single request can saturate all the CPU cores, while many concurrently executed requests may require high amounts of memory. "+
 "See also -search.maxQueueDuration and -search.maxMemoryPerQuery")
 maxQueueDuration = flag.Duration("search.maxQueueDuration", 10*time.Second, "The maximum time the request waits for execution when -search.maxConcurrentRequests "+
 "limit is reached; see also -search.maxQueryDuration")
- resetCacheAuthKey = flag.String("search.resetCacheAuthKey", "", "Optional authKey for resetting rollup cache via /internal/resetRollupResultCache call")
+ resetCacheAuthKey = flagutil.NewPassword("search.resetCacheAuthKey", "Optional authKey for resetting rollup cache via /internal/resetRollupResultCache call")
 logSlowQueryDuration = flag.Duration("search.logSlowQueryDuration", 5*time.Second, "Log queries with execution time exceeding this value. Zero disables slow query logging. "+
 "See also -search.logQueryMemoryUsage")
 vmalertProxyURL = flag.String("vmalert.proxyURL", "", "Optional URL for proxying requests to vmalert. For example, if -vmalert.proxyURL=http://vmalert:8880 , then alerting API requests such as /api/v1/rules from Grafana will be proxied to http://vmalert:8880/api/v1/rules")
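Review bot: The help text for `-deleteAuthKey` and `-search.resetCacheAuthKey` does not say what an empty value means, and since `CheckAuthFlag` presumably falls back to `httpAuth.*` when the key is empty, a deployment that sets neither leaves `/api/v1/admin/tsdb/delete_series` and `/tags/delSeries`, both destructive, open to anyone who can reach the port. Suggest appending `If empty, the endpoint is protected only by the -httpAuth.* settings` to both descriptions so the generated docs make the default explicit. The enclosing `var (` block starts and ends outside the hunk.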
@@ -170,7 +171,7 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 }
 
 if path == "/internal/resetRollupResultCache" {
- if !httpserver.CheckAuthFlag(w, r, *resetCacheAuthKey, "resetCacheAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, resetCacheAuthKey.Get(), "resetCacheAuthKey") {
 return true
 }
 promql.ResetRollupResultCache()
@@ -367,7 +368,7 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 }
 return true
 case "/tags/delSeries":
- if !httpserver.CheckAuthFlag(w, r, *deleteAuthKey, "deleteAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, deleteAuthKey.Get(), "deleteAuthKey") {
 return true
 }
 graphiteTagsDelSeriesRequests.Inc()
@@ -386,7 +387,7 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 }
 return true
 case "/api/v1/admin/tsdb/delete_series":
- if !httpserver.CheckAuthFlag(w, r, *deleteAuthKey, "deleteAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, deleteAuthKey.Get(), "deleteAuthKey") {
 return true
 }
 deleteRequests.Inc()
diff --git a/app/vmstorage/main.go b/app/vmstorage/main.go
index 9cbfdfc9c..1c182532d 100644
--- a/app/vmstorage/main.go
+++ b/app/vmstorage/main.go
@@ -25,9 +25,9 @@ import (
 
 var (
 retentionPeriod = flagutil.NewDuration("retentionPeriod", "1", "Data with timestamps outside the retentionPeriod is automatically deleted. The minimum retentionPeriod is 24h or 1d. See also -retentionFilter")
- snapshotAuthKey = flag.String("snapshotAuthKey", "", "authKey, which must be passed in query string to /snapshot* pages")
- forceMergeAuthKey = flag.String("forceMergeAuthKey", "", "authKey, which must be passed in query string to /internal/force_merge pages")
- forceFlushAuthKey = flag.String("forceFlushAuthKey", "", "authKey, which must be passed in query string to /internal/force_flush pages")
+ snapshotAuthKey = flagutil.NewPassword("snapshotAuthKey", "authKey, which must be passed in query string to /snapshot* pages")
+ forceMergeAuthKey = flagutil.NewPassword("forceMergeAuthKey", "authKey, which must be passed in query string to /internal/force_merge pages")
+ forceFlushAuthKey = flagutil.NewPassword("forceFlushAuthKey", "authKey, which must be passed in query string to /internal/force_flush pages")
 snapshotsMaxAge = flagutil.NewDuration("snapshotsMaxAge", "0", "Automatically delete snapshots older than -snapshotsMaxAge if it is set to non-zero duration. Make sure that backup process has enough time to finish the backup before the corresponding snapshot is automatically deleted")
 snapshotCreateTimeout = flag.Duration("snapshotCreateTimeout", 0, "The timeout for creating new snapshot. If set, make sure that timeout is lower than backup period")
 
@@ -259,7 +259,7 @@ func Stop() {
 func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 path := r.URL.Path
 if path == "/internal/force_merge" {
- if !httpserver.CheckAuthFlag(w, r, *forceMergeAuthKey, "forceMergeAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, forceMergeAuthKey.Get(), "forceMergeAuthKey") {
 return true
 }
 // Run force merge in background
@@ -277,7 +277,7 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 return true
 }
 if path == "/internal/force_flush" {
- if !httpserver.CheckAuthFlag(w, r, *forceFlushAuthKey, "forceFlushAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, forceFlushAuthKey.Get(), "forceFlushAuthKey") {
 return true
 }
 logger.Infof("flushing storage to make pending data available for reading")
@@ -293,7 +293,7 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 if !strings.HasPrefix(path, "/snapshot") {
 return false
 }
- if !httpserver.CheckAuthFlag(w, r, *snapshotAuthKey, "snapshotAuthKey") {
+ if !httpserver.CheckAuthFlag(w, r, snapshotAuthKey.Get(), "snapshotAuthKey") {
 return true
 }
 path = path[len("/snapshot"):]
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 2c3b8be5e..76f1082de 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -46,6 +46,7 @@ The sandbox cluster installation is running under the constant load generated by
 * FEATURE: all VictoriaMetrics components: break HTTP client connection if an error occurs after the server at `-httpListenAddr` already sent response status code. Previously such an error couldn't be detected at client side. Now the client will get an error about invalid chunked response. The error message is simultaneously written to the server log and in the last line of the response. This should help detecting errors when migrating data between VictoriaMetrics instances by [vmctl](https://docs.victoriametrics.com/vmctl.html). See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5645).
 * FEATURE: all VictoriaMetrics components: add ability to specify arbitrary HTTP headers to send with every request to `-pushmetrics.url`. See [`push metrics` docs](https://docs.victoriametrics.com/#push-metrics).
 * FEATURE: all VictoriaMetrics components: add `-metrics.exposeMetadata` command-line flag, which allows displaying `TYPE` and `HELP` metadata at `/metrics` page exposed at `-httpListenAddr`. This may be needed when the `/metrics` page is scraped by collector, which requires the `TYPE` and `HELP` metadata such as [Google Cloud Managed Prometheus](https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type).
+* FEATURE: all VictoriaMetrics components: add ability to dynamically re-read auth keys and passwords from files and urls when using `file:///path/to/file` or `http://host/path` syntax for the following command-line flags: `-configAuthKey`, `-deleteAuthKey`, `-flagsAuthKey`, `-forceMergeAuthKey`, `-forceFlushAuthKey`, `-httpAuth.password`, `-metricsAuthKey`, `-pprofAuthKey`, `-reloadAuthKey`, `-search.resetCacheAuthKey`, `-snapshotAuthKey`. For example, `-httpAuth.password=file:///path/to/password`. See [these docs](https://docs.victoriametrics.com/#security) for details.
 * FEATURE: dashboards/cluster: add panels for detailed visualization of traffic usage between vmstorage, vminsert, vmselect components and their clients. New panels are available in the rows dedicated to specific components.
 * FEATURE: dashboards/cluster: update "Slow Queries" panel to show percentage of the slow queries to the total number of read queries served by vmselect. The percentage value should make it more clear for users whether there is a service degradation.
 * FEATURE: dashboards/single: change dashboard title from `VictoriaMetrics` to `VictoriaMetrics - single-node`. The new title should provide better understanding of this dashbo
ard purpose.
diff --git a/docs/Cluster-VictoriaMetrics.md b/docs/Cluster-VictoriaMetrics.md
index 08ccd4739..9e3bb081f 100644
--- a/docs/Cluster-VictoriaMetrics.md
+++ b/docs/Cluster-VictoriaMetrics.md
@@ -981,8 +981,9 @@ Below is the output for `/path/to/vminsert -help`:
 Deprecated, please use -license or -licenseFile flags instead. By specifying this flag, you confirm that you have an enterprise license and accept the ESA https://victoriametrics.com/legal/esa/ . This flag is available only in Enterprise binaries. See https://docs.victoriametrics.com/enterprise.html
 -filestream.disableFadvise
 Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU
- -flagsAuthKey string
+ -flagsAuthKey value
 Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path
 -fs.disableMmap
 Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread()
 -graphiteListenAddr string
@@ -1009,8 +1010,9 @@ Below is the output for `/path/to/vminsert -help`:
 An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus
 -http.shutdownDelay duration
 Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers
- -httpAuth.password string
+ -httpAuth.password value
 Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty
+ Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path
 -httpAuth.username string
 Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password
 -httpListenAddr string
@@ -1088,8 +1090,9 @@ Below is the output for `/path/to/vminsert -help`:
 Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)
 -metrics.exposeMetadata
 Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type
- -metricsAuthKey string
+ -metricsAuthKey value
 Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path
 -newrelic.maxInsertRequestSize size
 The maximum size in bytes of a single NewRelic request to /newrelic/infra/v2/metrics/events/bulk
 Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)
@@ -1108,8 +1111,9 @@ Below is the output for `/path/to/vminsert -help`:
 Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 33554432)
 -opentsdbhttpTrimTimestamp duration
 Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
- -pprofAuthKey string
+ -pprofAuthKey value
 Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path
 -prevCacheRemovalPercent float
 Items in the previous caches are removed when the percent of requests it serves becomes lower than this value. Higher values reduce memory usage at the cost of higher CPU usage. See also -cacheExpireDuration (default 0.1)
 -pushmetrics.disableCompression
@@ -1226,8 +1230,9 @@ Below is the output for `/path/to/vmselect -help`:
 Deprecated, please use -license or -licenseFile flags instead. By specifying this flag, you confirm that you have an enterprise license and accept the ESA https://victoriametrics.com/legal/esa/ . This flag is available only in Enterprise binaries. See https://docs.victoriametrics.com/enterprise.html
 -filestream.disableFadvise
 Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU
- -flagsAuthKey string
+ -flagsAuthKey value
 Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path
 -fs.disableMmap
 Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread()
 -http.connTimeout duration
@@ -1248,8 +1253,9 @@ Below is the output for `/path/to/vmselect -help`:
 An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus
 -http.shutdownDelay duration
 Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers
- -httpAuth.password string
+ -httpAuth.password value
 Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty
+ Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path
 -httpAuth.username string
 Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password
 -httpListenAddr string
@@ -1293,10 +1299,12 @@ Below is the output for `/path/to/vmselect -help`:
 Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)
 -metrics.exposeMetadata
 Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type
- -metricsAuthKey string
+ -metricsAuthKey value
 Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
- -pprofAuthKey string
+ Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path
+ -pprofAuthKey value
 Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path
 -prevCacheRemovalPercent float
 Items in the previous caches are removed when the percent of requests it serves becomes lower than this value. Higher values reduce memory usage at the cost of higher CPU usage. See also -cacheExpireDuration (default 0.1)
 -pushmetrics.disableCompression
@@ -1396,8 +1404,9 @@ Below is the output for `/path/to/vmselect -help`:
 Query stats for /api/v1/status/top_queries is tracked on this number of last queries. Zero value disables query stats tracking (default 20000)
 -search.queryStats.minQueryDuration duration
 The minimum duration for queries to track in query stats at /api/v1/status/top_queries. Queries with lower duration are ignored in query stats (default 1ms)
- -search.resetCacheAuthKey string
+ -search.resetCacheAuthKey value
 Optional authKey for resetting rollup cache via /internal/resetRollupResultCache call
+ Flag value can be read from the given file when using -search.resetCacheAuthKey=file:///abs/path/to/file or -search.resetCacheAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -search.resetCacheAuthKey=http://host/path or -search.resetCacheAuthKey=https://host/path
 -search.setLookbackToStep
 Whether to fix lookback interval to 'step' query arg value. If set to true, the query model becomes closer to InfluxDB data model. If set to true, then -search.maxLookback and -search.maxStalenessInterval are ignored
 -search.skipSlowReplicas
@@ -1482,12 +1491,15 @@ Below is the output for `/path/to/vmstorage -help`:
 Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU
 -finalMergeDelay duration
 The delay before starting final merge for per-month partition after no new data is ingested into it. Final merge may require additional disk IO and CPU resources. Final merge may increase query speed and reduce disk space usage in some cases. Zero value disables final merge
- -flagsAuthKey string
+ -flagsAuthKey value
 Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
- -forceFlushAuthKey string
+ Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path
+ -forceFlushAuthKey value
 authKey, which must be passed in query string to /internal/force_flush pages
- -forceMergeAuthKey string
+ Flag value can be read from the given file when using -forceFlushAuthKey=file:///abs/path/to/file or -forceFlushAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -forceFlushAuthKey=http://host/path or -forceFlushAuthKey=https://host/path
+ -forceMergeAuthKey value
 authKey, which must be passed in query string to /internal/force_merge pages
+ Flag value can be read from the given file when using -forceMergeAuthKey=file:///abs/path/to/file or -forceMergeAuthKey=file://./relative/path/to/file .
Flag value can be read from the given http/https url when using -forceMergeAuthKey=http://host/path or -forceMergeAuthKey=https://host/path
 -fs.disableMmap
 Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread()
 -http.connTimeout duration
@@ -1508,8 +1520,9 @@ Below is the output for `/path/to/vmstorage -help`:
 An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus
 -http.shutdownDelay duration
 Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers
- -httpAuth.password string
+ -httpAuth.password value
 Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty
+ Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path
 -httpAuth.username string
 Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password
 -httpListenAddr string
@@ -1561,10 +1574,12 @@ Below is the output for `/path/to/vmstorage -help`:
 Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)
 -metrics.exposeMetadata
 Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type
- -metricsAuthKey string
+ -metricsAuthKey value
 Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
- -pprofAuthKey string
+ Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path
+ -pprofAuthKey value
 Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path
 -precisionBits int
 The number of precision bits to store per each value. Lower precision bits improves data compression at the cost of precision loss (default 64)
 -prevCacheRemovalPercent float
@@ -1606,8 +1621,9 @@ Below is the output for `/path/to/vmstorage -help`:
 The maximum number of unique time series, which can be scanned during every query. This allows protecting against heavy queries, which select unexpectedly high number of series. Zero means 'no limit'. See also -search.max* command-line flags at vmselect
 -smallMergeConcurrency int
 The maximum number of workers for background merges. See https://docs.victoriametrics.com/#storage . It isn't recommended tuning this flag in general case, since this may lead to uncontrolled increase in the number of parts and increased CPU usage during queries
- -snapshotAuthKey string
+ -snapshotAuthKey value
 authKey, which must be passed in query string to /snapshot* pages
+ Flag value can be read from the given file when using -snapshotAuthKey=file:///abs/path/to/file or -snapshotAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -snapshotAuthKey=http://host/path or -snapshotAuthKey=https://host/path
 -snapshotCreateTimeout duration
 The timeout for creating new snapshot. If set, make sure that timeout is lower than backup period
 -snapshotsMaxAge value
diff --git a/docs/README.md b/docs/README.md
index a04bf3327..de51b7651 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -2016,8 +2016,10 @@ VictoriaMetrics provides the following security-related command-line flags:
 with [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
 * `-deleteAuthKey` for protecting `/api/v1/admin/tsdb/delete_series` endpoint. See [how to delete time series](#how-to-delete-time-series).
 * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots).
+* `-forceFlushAuthKey` for protecting `/internal/force_flush` endpoint. See [these docs](#troubleshooting).
 * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge).
 * `-search.resetCacheAuthKey` for protecting `/internal/resetRollupResultCache` endpoint. See [backfilling](#backfilling) for more details.
+* `-reloadAuthKey` for protecting `/-/reload` endpoint, which is used for force reloading of [`-promscrape.config`](#how-to-scrape-prometheus-exporters-such-as-node-exporter).
 * `-configAuthKey` for protecting `/config` endpoint, since it may contain sensitive information such as passwords.
 * `-flagsAuthKey` for protecting `/flags` endpoint.
 * `-pprofAuthKey` for protecting `/debug/pprof/*` endpoints, which can be used for [profiling](#profiling).
@@ -2578,8 +2580,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 The number of cache misses before putting the block into cache. Higher values may reduce indexdb/dataBlocks cache size at the cost of higher CPU and disk read usage (default 2)
 -cacheExpireDuration duration
 Items are removed from in-memory caches after they aren't accessed for this duration. Lower values may reduce memory usage at the cost of higher CPU usage. See also -prevCacheRemovalPercent (default 30m0s)
- -configAuthKey string
+ -configAuthKey value
 Authorization key for accessing /config page. It must be passed via authKey query arg
+ Flag value can be read from the given file when using -configAuthKey=file:///abs/path/to/file or -configAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -configAuthKey=http://host/path or -configAuthKey=https://host/path
 -csvTrimTimestamp duration
 Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
 -datadog.maxInsertRequestSize size
@@ -2589,8 +2592,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Sanitize metric names for the ingested DataDog data to comply with DataDog behaviour described at https://docs.datadoghq.com/metrics/custom_metrics/#naming-custom-metrics (default true)
 -dedup.minScrapeInterval duration
 Leave only the last sample in every time series per each discrete interval equal to -dedup.minScrapeInterval > 0. See https://docs.victoriametrics.com/#deduplication and https://docs.victoriametrics.com/#downsampling
- -deleteAuthKey string
+ -deleteAuthKey value
 authKey for metrics' deletion via /api/v1/admin/tsdb/delete_series and /tags/delSeries
+ Flag value can be read from the given file when using -deleteAuthKey=file:///abs/path/to/file or -deleteAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -deleteAuthKey=http://host/path or -deleteAuthKey=https://host/path
 -denyQueriesOutsideRetention
 Whether to deny queries outside the configured -retentionPeriod. When set, then /api/v1/query_range would return '503 Service Unavailable' error for queries with 'from' value outside -retentionPeriod. This may be useful when multiple data sources with distinct retentions are hidden behind query-tee
 -denyQueryTracing
@@ -2612,12 +2616,15 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU
 -finalMergeDelay duration
 The delay before starting final merge for per-month partition after no new data is ingested into it. Final merge may require additional disk IO and CPU resources. Final merge may increase query speed and reduce disk space usage in some cases. Zero value disables final merge
- -flagsAuthKey string
+ -flagsAuthKey value
 Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
- -forceFlushAuthKey string
+ Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path
+ -forceFlushAuthKey value
 authKey, which must be passed in query string to /internal/force_flush pages
- -forceMergeAuthKey string
+ Flag value can be read from the given file when using -forceFlushAuthKey=file:///abs/path/to/file or -forceFlushAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -forceFlushAuthKey=http://host/path or -forceFlushAuthKey=https://host/path
+ -forceMergeAuthKey value
 authKey, which must be passed in query string to /internal/force_merge pages
+ Flag value can be read from the given file when using -forceMergeAuthKey=file:///abs/path/to/file or -forceMergeAuthKey=file://./relative/path/to/file .
Flag value can be read from the given http/https url when using -forceMergeAuthKey=http://host/path or -forceMergeAuthKey=https://host/path
 -fs.disableMmap
 Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread()
 -graphiteListenAddr string
@@ -2644,8 +2651,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus
 -http.shutdownDelay duration
 Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers
- -httpAuth.password string
+ -httpAuth.password value
 Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty
+ Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path
 -httpAuth.username string
 Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password
 -httpListenAddr string
@@ -2727,8 +2735,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)
 -metrics.exposeMetadata
 Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type
- -metricsAuthKey string
+ -metricsAuthKey value
 Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path
 -newrelic.maxInsertRequestSize size
 The maximum size in bytes of a single NewRelic request to /newrelic/infra/v2/metrics/events/bulk
 Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)
@@ -2747,8 +2756,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 33554432)
 -opentsdbhttpTrimTimestamp duration
 Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
- -pprofAuthKey string
+ -pprofAuthKey value
 Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings
+ Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path
 -precisionBits int
 The number of precision bits to store per each value. Lower precision bits improves data compression at the cost of precision loss (default 64)
 -prevCacheRemovalPercent float
@@ -2811,6 +2821,8 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Interval for checking for changes in http endpoint service discovery. This works only if http_sd_configs is configured in '-promscrape.config' file. See https://docs.victoriametrics.com/sd_configs.html#http_sd_configs for details (default 1m0s)
 -promscrape.kubernetes.apiServerTimeout duration
 How frequently to reload the full state from Kubernetes API server (default 30m0s)
+ -promscrape.kubernetes.attachNodeMetadataAll
+ Whether to set attach_metadata.node=true for all the kubernetes_sd_configs at -promscrape.config . It is possible to set attach_metadata.node=false individually per each kubernetes_sd_configs . See https://docs.victoriametrics.com/sd_configs.html#kubernetes_sd_configs
 -promscrape.kubernetesSDCheckInterval duration
 Interval for checking for changes in Kubernetes API server. This works only if kubernetes_sd_configs is configured in '-promscrape.config' file. See https://docs.victoriametrics.com/sd_configs.html#kubernetes_sd_configs for details (default 30s)
 -promscrape.kumaSDCheckInterval duration
@@ -2861,6 +2873,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Supports an array of values separated by comma or specified via multiple flags.
 -relabelConfig string
 Optional path to a file with relabeling rules, which are applied to all the ingested metrics. The path can point either to local file or to http url. See https://docs.victoriametrics.com/#relabeling for details. The config is reloaded on SIGHUP signal
+ -reloadAuthKey value
+ Auth key for /-/reload http endpoint. It must be passed as authKey=...
+ Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path
 -retentionFilter array
 Retention filter in the format 'filter:retention'. For example, '{env="dev"}:3d' configures the retention for time series with env="dev" label to 3 days. See https://docs.victoriametrics.com/#retention-filters for details. This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/enterprise.html
 Supports an array of values separated by comma or specified via multiple flags.
@@ -2955,8 +2970,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Query stats for /api/v1/status/top_queries is tracked on this number of last queries. Zero value disables query stats tracking (default 20000)
 -search.queryStats.minQueryDuration duration
 The minimum duration for queries to track in query stats at /api/v1/status/top_queries. Queries with lower duration are ignored in query stats (default 1ms)
- -search.resetCacheAuthKey string
+ -search.resetCacheAuthKey value
 Optional authKey for resetting rollup cache via /internal/resetRollupResultCache call
+ Flag value can be read from the given file when using -search.resetCacheAuthKey=file:///abs/path/to/file or -search.resetCacheAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -search.resetCacheAuthKey=http://host/path or -search.resetCacheAuthKey=https://host/path
 -search.setLookbackToStep
 Whether to fix lookback interval to 'step' query arg value. If set to true, the query model becomes closer to InfluxDB data model. If set to true, then -search.maxLookback and -search.maxStalenessInterval are ignored
 -search.treatDotsAsIsInRegexps
@@ -2969,8 +2985,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 Value for 'job' label, which is added to self-scraped metrics (default "victoria-metrics")
 -smallMergeConcurrency int
 The maximum number of workers for background merges. See https://docs.victoriametrics.com/#storage . It isn't recommended tuning this flag in general case, since this may lead to uncontrolled increase in the number of parts and increased CPU usage during queries
- -snapshotAuthKey string
+ -snapshotAuthKey value
 authKey, which must be passed in query string to /snapshot* pages
+ Flag value can be read from the given file when using -snapshotAuthKey=file:///abs/path/to/file or -snapshotAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -snapshotAuthKey=http://host/path or -snapshotAuthKey=https://host/path
 -snapshotCreateTimeout duration
 The timeout for creating new snapshot. If set, make sure that timeout is lower than backup period
 -snapshotsMaxAge value
diff --git a/docs/Single-server-VictoriaMetrics.md b/docs/Single-server-VictoriaMetrics.md
index e8508cd19..be00d490d 100644
--- a/docs/Single-server-VictoriaMetrics.md
+++ b/docs/Single-server-VictoriaMetrics.md
@@ -2024,8 +2024,10 @@ VictoriaMetrics provides the following security-related command-line flags: with [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). * `-deleteAuthKey` for protecting `/api/v1/admin/tsdb/delete_series` endpoint. See [how to delete time series](#how-to-delete-time-series). * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots). +* `-forceFlushAuthKey` for protecting `/internal/force_flush` endpoint. See [these docs](#troubleshooting). * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge). * `-search.resetCacheAuthKey` for protecting `/internal/resetRollupResultCache` endpoint. See [backfilling](#backfilling) for more details. +* `-reloadAuthKey` for protecting `/-/reload` endpoint, which is used for force reloading of [`-promscrape.config`](#how-to-scrape-prometheus-exporters-such-as-node-exporter). * `-configAuthKey` for protecting `/config` endpoint, since it may contain sensitive information such as passwords. * `-flagsAuthKey` for protecting `/flags` endpoint. * `-pprofAuthKey` for protecting `/debug/pprof/*` endpoints, which can be used for [profiling](#profiling). 
@@ -2586,8 +2588,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li The number of cache misses before putting the block into cache. Higher values may reduce indexdb/dataBlocks cache size at the cost of higher CPU and disk read usage (default 2) -cacheExpireDuration duration Items are removed from in-memory caches after they aren't accessed for this duration. Lower values may reduce memory usage at the cost of higher CPU usage. See also -prevCacheRemovalPercent (default 30m0s) - -configAuthKey string + -configAuthKey value Authorization key for accessing /config page. It must be passed via authKey query arg + Flag value can be read from the given file when using -configAuthKey=file:///abs/path/to/file or -configAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -configAuthKey=http://host/path or -configAuthKey=https://host/path -csvTrimTimestamp duration Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) -datadog.maxInsertRequestSize size 
@@ -2597,8 +2600,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Sanitize metric names for the ingested DataDog data to comply with DataDog behaviour described at https://docs.datadoghq.com/metrics/custom_metrics/#naming-custom-metrics (default true) -dedup.minScrapeInterval duration Leave only the last sample in every time series per each discrete interval equal to -dedup.minScrapeInterval > 0. See https://docs.victoriametrics.com/#deduplication and https://docs.victoriametrics.com/#downsampling - -deleteAuthKey string + -deleteAuthKey value authKey for metrics' deletion via /api/v1/admin/tsdb/delete_series and /tags/delSeries + Flag value can be read from the given file when using -deleteAuthKey=file:///abs/path/to/file or -deleteAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -deleteAuthKey=http://host/path or -deleteAuthKey=https://host/path -denyQueriesOutsideRetention Whether to deny queries outside the configured -retentionPeriod. When set, then /api/v1/query_range would return '503 Service Unavailable' error for queries with 'from' value outside -retentionPeriod. This may be useful when multiple data sources with distinct retentions are hidden behind query-tee -denyQueryTracing 
@@ -2620,12 +2624,15 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU -finalMergeDelay duration The delay before starting final merge for per-month partition after no new data is ingested into it. Final merge may require additional disk IO and CPU resources. Final merge may increase query speed and reduce disk space usage in some cases. Zero value disables final merge - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings - -forceFlushAuthKey string + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path + -forceFlushAuthKey value authKey, which must be passed in query string to /internal/force_flush pages - -forceMergeAuthKey string + Flag value can be read from the given file when using -forceFlushAuthKey=file:///abs/path/to/file or -forceFlushAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -forceFlushAuthKey=http://host/path or -forceFlushAuthKey=https://host/path + -forceMergeAuthKey value authKey, which must be passed in query string to /internal/force_merge pages + Flag value can be read from the given file when using -forceMergeAuthKey=file:///abs/path/to/file or -forceMergeAuthKey=file://./relative/path/to/file . 
Flag value can be read from the given http/https url when using -forceMergeAuthKey=http://host/path or -forceMergeAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -graphiteListenAddr string @@ -2652,8 +2659,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
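Review bot: The new description for `-httpAuth.password` (and for every `*AuthKey` flag touched in this diff) advertises `-httpAuth.password=http://host/path` with no caveat, so a Basic Auth password or an admin auth key can be fetched over cleartext HTTP at process start and read by anyone on the network path. I would add one sentence to the description, e.g. `Use file:// or https:// for secrets; a plain http:// URL transfers the value in cleartext`, and since this Markdown is regenerated from `-help`, the wording belongs in the flag definition in the Go source rather than only in these docs. The same text states the key "must be passed in query string", so a short reminder that query strings are commonly captured in proxy and access logs would help operators decide on rotation. Whether the https:// fetch verifies the server certificate is not stated anywhere in the visible text; it should be, either way.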
@@ -2735,8 +2743,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) -metrics.exposeMetadata Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path -newrelic.maxInsertRequestSize size The maximum size in bytes of a single NewRelic request to /newrelic/infra/v2/metrics/events/bulk Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864) 
@@ -2755,8 +2764,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 33554432) -opentsdbhttpTrimTimestamp duration Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) - -pprofAuthKey string + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -precisionBits int The number of precision bits to store per each value. Lower precision bits improves data compression at the cost of precision loss (default 64) -prevCacheRemovalPercent float 
@@ -2819,6 +2829,8 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Interval for checking for changes in http endpoint service discovery. This works only if http_sd_configs is configured in '-promscrape.config' file. See https://docs.victoriametrics.com/sd_configs.html#http_sd_configs for details (default 1m0s) -promscrape.kubernetes.apiServerTimeout duration How frequently to reload the full state from Kubernetes API server (default 30m0s) + -promscrape.kubernetes.attachNodeMetadataAll + Whether to set attach_metadata.node=true for all the kubernetes_sd_configs at -promscrape.config . It is possible to set attach_metadata.node=false individually per each kubernetes_sd_configs . See https://docs.victoriametrics.com/sd_configs.html#kubernetes_sd_configs -promscrape.kubernetesSDCheckInterval duration Interval for checking for changes in Kubernetes API server. This works only if kubernetes_sd_configs is configured in '-promscrape.config' file. See https://docs.victoriametrics.com/sd_configs.html#kubernetes_sd_configs for details (default 30s) -promscrape.kumaSDCheckInterval duration 
@@ -2869,6 +2881,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Supports an array of values separated by comma or specified via multiple flags. -relabelConfig string Optional path to a file with relabeling rules, which are applied to all the ingested metrics. The path can point either to local file or to http url. See https://docs.victoriametrics.com/#relabeling for details. The config is reloaded on SIGHUP signal + -reloadAuthKey value + Auth key for /-/reload http endpoint. It must be passed as authKey=... + Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path -retentionFilter array Retention filter in the format 'filter:retention'. For example, '{env="dev"}:3d' configures the retention for time series with env="dev" label to 3 days. See https://docs.victoriametrics.com/#retention-filters for details. This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/enterprise.html Supports an array of values separated by comma or specified via multiple flags. 
@@ -2963,8 +2978,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Query stats for /api/v1/status/top_queries is tracked on this number of last queries. Zero value disables query stats tracking (default 20000) -search.queryStats.minQueryDuration duration The minimum duration for queries to track in query stats at /api/v1/status/top_queries. Queries with lower duration are ignored in query stats (default 1ms) - -search.resetCacheAuthKey string + -search.resetCacheAuthKey value Optional authKey for resetting rollup cache via /internal/resetRollupResultCache call + Flag value can be read from the given file when using -search.resetCacheAuthKey=file:///abs/path/to/file or -search.resetCacheAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -search.resetCacheAuthKey=http://host/path or -search.resetCacheAuthKey=https://host/path -search.setLookbackToStep Whether to fix lookback interval to 'step' query arg value. If set to true, the query model becomes closer to InfluxDB data model. If set to true, then -search.maxLookback and -search.maxStalenessInterval are ignored -search.treatDotsAsIsInRegexps 
@@ -2977,8 +2993,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Value for 'job' label, which is added to self-scraped metrics (default "victoria-metrics") -smallMergeConcurrency int The maximum number of workers for background merges. See https://docs.victoriametrics.com/#storage . It isn't recommended tuning this flag in general case, since this may lead to uncontrolled increase in the number of parts and increased CPU usage during queries - -snapshotAuthKey string + -snapshotAuthKey value authKey, which must be passed in query string to /snapshot* pages + Flag value can be read from the given file when using -snapshotAuthKey=file:///abs/path/to/file or -snapshotAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -snapshotAuthKey=http://host/path or -snapshotAuthKey=https://host/path -snapshotCreateTimeout duration The timeout for creating new snapshot. If set, make sure that timeout is lower than backup period -snapshotsMaxAge value diff --git a/docs/VictoriaLogs/README.md b/docs/VictoriaLogs/README.md index b4b0c97fd..3372e6fc8 100644 --- a/docs/VictoriaLogs/README.md +++ b/docs/VictoriaLogs/README.md 
@@ -147,8 +147,9 @@ Pass `-help` to VictoriaLogs in order to see the list of supported command-line Whether to enable reading flags from environment variables in addition to the command line. Command line flag values have priority over values from environment vars. Flags are read only from the command line if this flag isn't set. See https://docs.victoriametrics.com/#environment-variables for more details -envflag.prefix string Prefix for environment variables if -envflag.enable is set - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -futureRetention value 
@@ -174,8 +175,9 @@ Pass `-help` to VictoriaLogs in order to see the list of supported command-line An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
@@ -224,10 +226,12 @@ Pass `-help` to VictoriaLogs in order to see the list of supported command-line Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 0) -memory.allowedPercent float Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings - -pprofAuthKey string + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -prevCacheRemovalPercent float Items in the previous caches are removed when the percent of requests it serves becomes lower than this value. Higher values reduce memory usage at the cost of higher CPU usage. See also -cacheExpireDuration (default 0.1) -pushmetrics.extraLabel array diff --git a/docs/vmagent.md b/docs/vmagent.md index f4dface59..842622224 100644 --- a/docs/vmagent.md +++ b/docs/vmagent.md 
@@ -1520,8 +1520,9 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . The number of cache misses before putting the block into cache. Higher values may reduce indexdb/dataBlocks cache size at the cost of higher CPU and disk read usage (default 2) -cacheExpireDuration duration Items are removed from in-memory caches after they aren't accessed for this duration. Lower values may reduce memory usage at the cost of higher CPU usage. See also -prevCacheRemovalPercent (default 30m0s) - -configAuthKey string + -configAuthKey value Authorization key for accessing /config page. It must be passed via authKey query arg + Flag value can be read from the given file when using -configAuthKey=file:///abs/path/to/file or -configAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -configAuthKey=http://host/path or -configAuthKey=https://host/path -csvTrimTimestamp duration Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) -datadog.maxInsertRequestSize size 
@@ -1545,8 +1546,9 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . Deprecated, please use -license or -licenseFile flags instead. By specifying this flag, you confirm that you have an enterprise license and accept the ESA https://victoriametrics.com/legal/esa/ . This flag is available only in Enterprise binaries. See https://docs.victoriametrics.com/enterprise.html -filestream.disableFadvise Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -gcp.pubsub.publish.byteThreshold int 
@@ -1605,8 +1607,9 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
@@ -1709,8 +1712,9 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) -metrics.exposeMetadata Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path -newrelic.maxInsertRequestSize size The maximum size in bytes of a single NewRelic request to /newrelic/infra/v2/metrics/events/bulk Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864) 
@@ -1729,8 +1733,9 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 33554432) -opentsdbhttpTrimTimestamp duration Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) - -pprofAuthKey string + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -prevCacheRemovalPercent float Items in the previous caches are removed when the percent of requests it serves becomes lower than this value. Higher values reduce memory usage at the cost of higher CPU usage. See also -cacheExpireDuration (default 0.1) -promscrape.azureSDCheckInterval duration 
@@ -1843,6 +1848,9 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . -pushmetrics.url array Optional URL to push metrics exposed at /metrics page. See https://docs.victoriametrics.com/#push-metrics . By default, metrics exposed at /metrics page aren't pushed to any remote storage Supports an array of values separated by comma or specified via multiple flags. + -reloadAuthKey value + Auth key for /-/reload http endpoint. It must be passed as authKey=... + Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path -remoteWrite.aws.accessKey array Optional AWS AccessKey to use for the corresponding -remoteWrite.url if -remoteWrite.aws.useSigv4 is set Supports an array of values separated by comma or specified via multiple flags. diff --git a/docs/vmalert.md b/docs/vmalert.md index b823da597..946926ff8 100644 --- a/docs/vmalert.md +++ b/docs/vmalert.md 
@@ -1036,8 +1036,9 @@ The shortlist of configuration flags is the following: External URL is used as alert's source for sent alerts to the notifier. By default, hostname is used as address. -filestream.disableFadvise Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -http.connTimeout duration 
@@ -1058,8 +1059,9 @@ The shortlist of configuration flags is the following: An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
@@ -1103,8 +1105,9 @@ The shortlist of configuration flags is the following: Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) -metrics.exposeMetadata Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path -notifier.basicAuth.password array Optional basic auth password for -notifier.url Supports an array of values separated by comma or specified via multiple flags. 
@@ -1164,8 +1167,9 @@ The shortlist of configuration flags is the following: -notifier.url array Prometheus Alertmanager URL, e.g. http://127.0.0.1:9093. List all Alertmanager URLs if it runs in the cluster mode to ensure high availability. Supports an array of values separated by comma or specified via multiple flags. - -pprofAuthKey string + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -promscrape.consul.waitTime duration Wait time used by Consul service discovery. Default value is used if not set -promscrape.consulSDCheckInterval duration @@ -1189,6 +1193,9 @@ The shortlist of configuration flags is the following: -pushmetrics.url array Optional URL to push metrics exposed at /metrics page. See https://docs.victoriametrics.com/#push-metrics . By default, metrics exposed at /metrics page aren't pushed to any remote storage Supports an array of values separated by comma or specified via multiple flags. + -reloadAuthKey value + Auth key for /-/reload http endpoint. It must be passed as authKey=... + Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path -remoteRead.basicAuth.password string Optional basic auth password for -remoteRead.url -remoteRead.basicAuth.passwordFile string diff --git a/docs/vmauth.md b/docs/vmauth.md index 11bc45b5d..0f06dc572 100644 --- a/docs/vmauth.md +++ b/docs/vmauth.md 
@@ -830,8 +830,9 @@ See the docs at https://docs.victoriametrics.com/vmauth.html . Sets a delay period for load balancing to skip a malfunctioning backend (default 3s) -filestream.disableFadvise Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -http.connTimeout duration 
@@ -852,8 +853,9 @@ See the docs at https://docs.victoriametrics.com/vmauth.html . An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
@@ -910,10 +912,12 @@ See the docs at https://docs.victoriametrics.com/vmauth.html . Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) -metrics.exposeMetadata Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings - -pprofAuthKey string + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -pushmetrics.disableCompression Whether to disable request body compression when pushing metrics to every -pushmetrics.url -pushmetrics.extraLabel array 
@@ -927,8 +931,9 @@ See the docs at https://docs.victoriametrics.com/vmauth.html . -pushmetrics.url array Optional URL to push metrics exposed at /metrics page. See https://docs.victoriametrics.com/#push-metrics . By default, metrics exposed at /metrics page aren't pushed to any remote storage Supports an array of values separated by comma or specified via multiple flags. - -reloadAuthKey string + -reloadAuthKey value Auth key for /-/reload http endpoint. It must be passed as authKey=... + Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path -responseTimeout duration The timeout for receiving a response from backend (default 5m0s) -retryStatusCodes array diff --git a/docs/vmbackup.md b/docs/vmbackup.md index 58c1028aa..3ae886414 100644 --- a/docs/vmbackup.md +++ b/docs/vmbackup.md 
@@ -331,8 +331,9 @@ Run `vmbackup -help` in order to see all the available options: Deprecated, please use -license or -licenseFile flags instead. By specifying this flag, you confirm that you have an enterprise license and accept the ESA https://victoriametrics.com/legal/esa/ . This flag is available only in Enterprise binaries. See https://docs.victoriametrics.com/enterprise.html -filestream.disableFadvise Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -http.connTimeout duration 
@@ -353,8 +354,9 @@ Run `vmbackup -help` in order to see all the available options: An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
@@ -399,12 +401,14 @@ Run `vmbackup -help` in order to see all the available options: Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) -metrics.exposeMetadata Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path -origin string Optional origin directory on the remote storage with old backup for server-side copying when performing full backup. This speeds up full backups - -pprofAuthKey string + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -pushmetrics.disableCompression Whether to disable request body compression when pushing metrics to every -pushmetrics.url -pushmetrics.extraLabel array 
diff --git a/docs/vmbackupmanager.md b/docs/vmbackupmanager.md index 1b846b398..df44e14cf 100644 --- a/docs/vmbackupmanager.md +++ b/docs/vmbackupmanager.md @@ -460,8 +460,9 @@ command-line flags: Deprecated, please use -license or -licenseFile flags instead. By specifying this flag, you confirm that you have an enterprise license and accept the ESA https://victoriametrics.com/legal/esa/ . This flag is available only in Enterprise binaries. See https://docs.victoriametrics.com/enterprise.html -filestream.disableFadvise Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -http.connTimeout duration 
@@ -482,8 +483,9 @@ command-line flags: An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
@@ -535,10 +537,12 @@ command-line flags: Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) -metrics.exposeMetadata Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings - -pprofAuthKey string + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -pushmetrics.disableCompression Whether to disable request body compression when pushing metrics to every -pushmetrics.url -pushmetrics.extraLabel array diff --git a/docs/vmgateway.md b/docs/vmgateway.md index 85bdca6a6..d6e360a1e 100644 --- a/docs/vmgateway.md +++ b/docs/vmgateway.md 
@@ -356,8 +356,9 @@ The shortlist of configuration flags include the following: Deprecated, please use -license or -licenseFile flags instead. By specifying this flag, you confirm that you have an enterprise license and accept the ESA https://victoriametrics.com/legal/esa/ . This flag is available only in Enterprise binaries. See https://docs.victoriametrics.com/enterprise.html -filestream.disableFadvise Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -http.connTimeout duration 
@@ -378,8 +379,9 @@ The shortlist of configuration flags include the following: An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
@@ -423,10 +425,12 @@ The shortlist of configuration flags include the following: Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) -metrics.exposeMetadata Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings - -pprofAuthKey string + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -pushmetrics.disableCompression Whether to disable request body compression when pushing metrics to every -pushmetrics.url -pushmetrics.extraLabel array diff --git a/docs/vmrestore.md b/docs/vmrestore.md index 080e492f7..d059ce8fc 100644 --- a/docs/vmrestore.md +++ b/docs/vmrestore.md 
@@ -116,8 +116,9 @@ i.e. the end result would be similar to [rsync --delete](https://askubuntu.com/q Deprecated, please use -license or -licenseFile flags instead. By specifying this flag, you confirm that you have an enterprise license and accept the ESA https://victoriametrics.com/legal/esa/ . This flag is available only in Enterprise binaries. See https://docs.victoriametrics.com/enterprise.html -filestream.disableFadvise Whether to disable fadvise() syscall when reading large data files. The fadvise() syscall prevents from eviction of recently accessed data from OS page cache during background merges and backups. In some rare cases it is better to disable the syscall if it uses too much CPU - -flagsAuthKey string + -flagsAuthKey value Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -flagsAuthKey=file:///abs/path/to/file or -flagsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -flagsAuthKey=http://host/path or -flagsAuthKey=https://host/path -fs.disableMmap Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -http.connTimeout duration 
@@ -138,8 +139,9 @@ i.e. the end result would be similar to [rsync --delete](https://askubuntu.com/q An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers - -httpAuth.password string + -httpAuth.password value Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty + Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path -httpAuth.username string Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password -httpListenAddr string 
@@ -184,10 +186,12 @@ i.e. the end result would be similar to [rsync --delete](https://askubuntu.com/q Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60) -metrics.exposeMetadata Whether to expose TYPE and HELP metadata at the /metrics page, which is exposed at -httpListenAddr . The metadata may be needed when the /metrics page is consumed by systems, which require this information. For example, Managed Prometheus in Google Cloud - https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type - -metricsAuthKey string + -metricsAuthKey value Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings - -pprofAuthKey string + Flag value can be read from the given file when using -metricsAuthKey=file:///abs/path/to/file or -metricsAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -metricsAuthKey=http://host/path or -metricsAuthKey=https://host/path + -pprofAuthKey value Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings + Flag value can be read from the given file when using -pprofAuthKey=file:///abs/path/to/file or -pprofAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -pprofAuthKey=http://host/path or -pprofAuthKey=https://host/path -pushmetrics.disableCompression Whether to disable request body compression when pushing metrics to every -pushmetrics.url -pushmetrics.extraLabel array diff --git a/lib/flagutil/password.go b/lib/flagutil/password.go new file mode 100644 index 000000000..8aff738f9 --- /dev/null +++ b/lib/flagutil/password.go 
@@ -0,0 +1,123 @@ +package flagutil + +import ( + "crypto/rand" + "flag" + "fmt" + "io" + "log" + "strings" + "sync/atomic" + + "github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime" + "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore" +) + +// NewPassword returns new `password` flag with the given name and description. +// +// The password value is hidden when calling Password.String() for security reasons, +// since the returned value can be put in logs. +// Call Password.Get() for obtaining the real password value. +func NewPassword(name, description string) *Password { + description += fmt.Sprintf("\nFlag value can be read from the given file when using -%s=file:///abs/path/to/file or -%s=file://./relative/path/to/file . "+ + "Flag value can be read from the given http/https url when using -%s=http://host/path or -%s=https://host/path", name, name, name, name) + p := &Password{ + flagname: name, + } + s := "" + p.value.Store(&s) + flag.Var(p, name, description) + return p +} + +// Password is a flag holding a password. +// +// If the flag value is file:///path/to/file or http://host/path , +// then its contents is automatically re-read from the given file or url +type Password struct { + nextRefreshTimestamp uint64 + + value atomic.Pointer[string] + + // flagname is the name of the flag + flagname string + + // sourcePath contains either url or path to file with the password + sourcePath string +} + +// Get returns the current p value. +// +// It re-reads p value from the file:///path/to/file or http://host/path +// if they were passed to Password.Set. 
+func (p *Password) Get() string {
+ p.maybeRereadPassword()
+ sPtr := p.value.Load()
+ return *sPtr
+}
+
+func (p *Password) maybeRereadPassword() {
+ if p.sourcePath == "" {
+ // Fast path - nothing to re-read
+ return
+ }
+ tsCurr := fasttime.UnixTimestamp()
+ tsNext := atomic.LoadUint64(&p.nextRefreshTimestamp)
+ if tsCurr < tsNext {
+ // Fast path - nothing to re-read
+ return
+ }
+
+ // Re-read password from p.sourcePath
+ atomic.StoreUint64(&p.nextRefreshTimestamp, tsCurr+2)
+ s, err := fscore.ReadPasswordFromFileOrHTTP(p.sourcePath)
+ if err != nil {
+ // cannot use lib/logger, since it can be uninitialized yet
+ log.Printf("flagutil: fall back to the previous password for -%s, since failed to re-read it from %q: %s\n", p.flagname, p.sourcePath, err)
+ } else {
+ p.value.Store(&s)
+ }
+}
+
+// String implements flag.Value interface.
+func (p *Password) String() string {
+ return "secret"
+}
+
+// Set implements flag.Value interface.
+func (p *Password) Set(value string) error {
+ atomic.StoreUint64(&p.nextRefreshTimestamp, 0)
+ switch {
+ case strings.HasPrefix(value, "file://"):
+ p.sourcePath = strings.TrimPrefix(value, "file://")
+ // Do not attempt to read the password from sourcePath now, since the file may not exist yet.
+ // The password will be read on the first access via Password.Get.
+ // Generate a random password for now in order to prevent from unauthorized access to protected resources
+ // while the sourcePath file doesn't exist.
+ p.initRandomValue()
+ return nil
+ case strings.HasPrefix(value, "http://"), strings.HasPrefix(value, "https://"):
+ p.sourcePath = value
+ // Do not attempt to read the password from sourcePath now, since the url may now exist yet.
+ // The password will be read on the first access via Password.Get.
+ // Generate a random password for now in order to prevent from unauthorized access to protected resources
+ // while the sourcePath file doesn't exist.
+ p.initRandomValue()
+ return nil
+ default:
+ p.sourcePath = ""
+ p.value.Store(&value)
+ return nil
+ }
+}
+
+func (p *Password) initRandomValue() {
+ var buf [64]byte
+ _, err := io.ReadFull(rand.Reader, buf[:])
+ if err != nil {
+ // cannot use lib/logger here, since it can be uninitialized yet
+ panic(fmt.Errorf("FATAL: cannot read random data: %s", err))
+ }
+ s := string(buf[:])
+ p.value.Store(&s)
+}
diff --git a/lib/flagutil/password_test.go b/lib/flagutil/password_test.go
new file mode 100644
index 000000000..8a9583406
--- /dev/null
+++ b/lib/flagutil/password_test.go
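Review bot: The refresh gate in maybeRereadPassword is a plain load followed by an unconditional store, so every goroutine that observes tsCurr >= tsNext before the first one has stored tsCurr+2 performs its own read of p.sourcePath; a compare-and-swap lets exactly one caller do the work: `if !atomic.CompareAndSwapUint64(&p.nextRefreshTimestamp, tsNext, tsCurr+2) { return }`. The re-read also runs synchronously inside Get, which callers presumably invoke on the request path, so a slow or unreachable http source stalls that caller for the whole fetch, and the fixed +2 interval (seconds, judging by UnixTimestamp) deserves a named constant; the Get doc comment should state both. The comment block on the http/https branch of Set still talks about a file and has a typo: `// Do not attempt to read the password from sourcePath now, since the url may not exist yet.` and `// while the sourcePath url isn't reachable.` The struct already uses the typed atomic.Pointer for value, so nextRefreshTimestamp would read more consistently as atomic.Uint64.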
@@ -0,0 +1,81 @@
+package flagutil
+
+import (
+ "path/filepath"
+ "testing"
+)
+
+func TestPassword(t *testing.T) {
+ p := Password{
+ flagname: "foo",
+ }
+
+ // Verify that String returns "secret"
+ expectedSecret := "secret"
+ if s := p.String(); s != expectedSecret {
+ t.Fatalf("unexpected value returned from Password.String; got %q; want %q", s, expectedSecret)
+ }
+
+ // set regular password
+ expectedPassword := "top-secret-password"
+ if err := p.Set(expectedPassword); err != nil {
+ t.Fatalf("cannot set password: %s", err)
+ }
+ for i := 0; i < 5; i++ {
+ if s := p.Get(); s != expectedPassword {
+ t.Fatalf("unexpected password; got %q; want %q", s, expectedPassword)
+ }
+ if s := p.String(); s != expectedSecret {
+ t.Fatalf("unexpected value returned from Password.String; got %q; want %q", s, expectedSecret)
+ }
+ }
+
+ // read the password from file by relative path
+ localPassFile := "testdata/password.txt"
+ expectedPassword = "foo-bar-baz"
+ path := "file://" + localPassFile
+ if err := p.Set(path); err != nil {
+ t.Fatalf("cannot set password to file: %s", err)
+ }
+ for i := 0; i < 5; i++ {
+ if s := p.Get(); s != expectedPassword {
+ t.Fatalf("unexpected password; got %q; want %q", s, expectedPassword)
+ }
+ if s := p.String(); s != expectedSecret {
+ t.Fatalf("unexpected value returned from Password.String; got %q; want %q", s, expectedSecret)
+ }
+ }
+
+ // read the password from file by absolute path
+ var err error
+ localPassFile, err = filepath.Abs("testdata/password.txt")
+ if err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
+ expectedPassword = "foo-bar-baz"
+ path = "file://" + localPassFile
+ if err := p.Set(path); err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
+ for i := 0; i < 5; i++ {
+ if s := p.Get(); s != expectedPassword {
+ t.Fatalf("unexpected password; got %q; want %q", s, expectedPassword)
+ }
+ if s := p.String(); s != expectedSecret {
+ t.Fatalf("unexpected value returned from Password.String; got %q; want 
%q", s, expectedSecret)
+ }
+ }
+
+ // try reading the password from non-existing url
+ if err := p.Set("http://127.0.0.1:56283/aaa/bb?cc=dd"); err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
+ for i := 0; i < 5; i++ {
+ if s := p.Get(); len(s) != 64 {
+ t.Fatalf("unexpected password obtained: %q; must be random 64-byte password", s)
+ }
+ if s := p.String(); s != expectedSecret {
+ t.Fatalf("unexpected value returned from Password.String; got %q; want %q", s, expectedSecret)
+ }
+ }
+}
diff --git a/lib/flagutil/testdata/password.txt b/lib/flagutil/testdata/password.txt
new file mode 100644
index 000000000..a5aa9d6cb
--- /dev/null
+++ b/lib/flagutil/testdata/password.txt
@@ -0,0 +1,3 @@
+foo-bar-baz
+
+
diff --git a/lib/fs/fs.go b/lib/fs/fs.go
index 101a8a868..a3521b051 100644
--- a/lib/fs/fs.go
+++ b/lib/fs/fs.go
@@ -3,8 +3,6 @@ package fs
 import (
 "fmt"
 "io"
- "net/http"
- "net/url"
 "os"
 "path/filepath"
 "regexp"
@@ -260,11 +258,6 @@ func MustHardLinkFiles(srcDir, dstDir string) {
 MustSyncPath(dstDir)
 }
 
-// IsDirOrSymlink returns true if de is directory or symlink.
-func IsDirOrSymlink(de os.DirEntry) bool {
- return de.IsDir() || (de.Type()&os.ModeSymlink == os.ModeSymlink)
-}
-
 // MustSymlinkRelative creates relative symlink for srcPath in dstPath.
 func MustSymlinkRelative(srcPath, dstPath string) {
 baseDir := filepath.Dir(dstPath)
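Review bot: The non-existing-url case in TestPassword hard-codes 127.0.0.1:56283, so the test fails, or passes for the wrong reason, whenever that port happens to be bound on the host running it, and the http success path that the flag description advertises is never exercised. An httptest server covers both: serve a known value and assert Get returns it, then Close the server, Set the same URL again and keep the existing 64-byte placeholder assertions, which now run against a port that was just released. The file-based cases rely on the trailing blank lines in testdata/password.txt to prove the trimming done by ReadPasswordFromFileOrHTTP; that is worth a comment such as `// testdata/password.txt ends with blank lines: Get must return the trimmed value`.
```go
// … unchanged: file-based cases …
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	_, _ = w.Write([]byte("http-password\n"))
}))
if err := p.Set(srv.URL + "/aaa/bb?cc=dd"); err != nil {
	t.Fatalf("unexpected error: %s", err)
}
if s := p.Get(); s != "http-password" {
	t.Fatalf("unexpected password; got %q; want %q", s, "http-password")
}
// The server is gone now, so the placeholder generated by Set must survive the failed re-read.
srv.Close()
if err := p.Set(srv.URL + "/aaa/bb?cc=dd"); err != nil {
	t.Fatalf("unexpected error: %s", err)
}
// … unchanged: 64-byte placeholder assertions …
```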
@@ -383,50 +376,12 @@ type freeSpaceEntry struct {
 freeSpace uint64
 }
 
-// ReadFileOrHTTP reads path either from local filesystem or from http if path starts with http or https.
-func ReadFileOrHTTP(path string) ([]byte, error) {
- if isHTTPURL(path) {
- // reads remote file via http or https, if url is given
- resp, err := http.Get(path)
- if err != nil {
- return nil, fmt.Errorf("cannot fetch %q: %w", path, err)
- }
- data, err := io.ReadAll(resp.Body)
- _ = resp.Body.Close()
- if resp.StatusCode != http.StatusOK {
- if len(data) > 4*1024 {
- data = data[:4*1024]
- }
- return nil, fmt.Errorf("unexpected status code when fetching %q: %d, expecting %d; response: %q", path, resp.StatusCode, http.StatusOK, data)
- }
- if err != nil {
- return nil, fmt.Errorf("cannot read %q: %w", path, err)
- }
- return data, nil
- }
- data, err := os.ReadFile(path)
- if err != nil {
- return nil, fmt.Errorf("cannot read %q: %w", path, err)
- }
- return data, nil
-}
-
-// GetFilepath returns full path to file for the given baseDir and path.
-func GetFilepath(baseDir, path string) string {
- if filepath.IsAbs(path) || isHTTPURL(path) {
- return path
- }
- return filepath.Join(baseDir, path)
-}
-
-// isHTTPURL checks if a given targetURL is valid and contains a valid http scheme
-func isHTTPURL(targetURL string) bool {
- parsed, err := url.Parse(targetURL)
- return err == nil && (parsed.Scheme == "http" || parsed.Scheme == "https") && parsed.Host != ""
-
-}
-
 // IsScheduledForRemoval returns true if the filename contains .must-remove. substring
 func IsScheduledForRemoval(filename string) bool {
 return strings.Contains(filename, ".must-remove.")
 }
+
+// IsDirOrSymlink returns true if de is directory or symlink.
+func IsDirOrSymlink(de os.DirEntry) bool {
+ return de.IsDir() || (de.Type()&os.ModeSymlink == os.ModeSymlink)
+}
diff --git a/lib/fs/fs_test.go b/lib/fs/fs_test.go
index ecd8114d2..394cb4a98 100644
--- a/lib/fs/fs_test.go
+++ b/lib/fs/fs_test.go
@@ -22,18 +22,3 @@ func TestIsTemporaryFileName(t *testing.T) {
 f("asdf.sdfds.tmp.dfd", false)
 f("dfd.sdfds.dfds.1232", false)
 }
-
-func TestIsHTTPURLSuccess(t *testing.T) {
- f := func(s string, expected bool) {
- t.Helper()
- res := isHTTPURL(s)
- if res != expected {
- t.Fatalf("expecting %t, got %t", expected, res)
- }
- }
- f("http://isvalid:8000/filepath", true) // test http
- f("https://isvalid:8000/filepath", true) // test https
- f("tcp://notvalid:8000/filepath", false) // test tcp
- f("0/filepath", false) // something invalid
- f("filepath.extension", false) // something invalid
-}
diff --git a/lib/fs/fscore/fscore.go b/lib/fs/fscore/fscore.go
new file mode 100644
index 000000000..b67028203
--- /dev/null
+++ b/lib/fs/fscore/fscore.go
@@ -0,0 +1,67 @@
+package fscore
+
+import (
+ "fmt"
+ "io"
+ "net/http"
+ "net/url"
+ "os"
+ "path/filepath"
+ "strings"
+ "unicode"
+)
+
+// ReadPasswordFromFileOrHTTP reads password for the give path.
+//
+// The path can be an url - then the password is read from url.
+func ReadPasswordFromFileOrHTTP(path string) (string, error) {
+ data, err := ReadFileOrHTTP(path)
+ if err != nil {
+ return "", err
+ }
+ pass := strings.TrimRightFunc(string(data), unicode.IsSpace)
+ return pass, nil
+}
+
+// ReadFileOrHTTP reads path either from local filesystem or from http if path starts with http or https.
+func ReadFileOrHTTP(path string) ([]byte, error) {
+ if isHTTPURL(path) {
+ // reads remote file via http or https, if url is given
+ resp, err := http.Get(path)
+ if err != nil {
+ return nil, fmt.Errorf("cannot fetch %q: %w", path, err)
+ }
+ data, err := io.ReadAll(resp.Body)
+ _ = resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ if len(data) > 4*1024 {
+ data = data[:4*1024]
+ }
+ return nil, fmt.Errorf("unexpected status code when fetching %q: %d, expecting %d; response: %q", path, resp.StatusCode, http.StatusOK, data)
+ }
+ if err != nil {
+ return nil, fmt.Errorf("cannot read %q: %w", path, err)
+ }
+ return data, nil
+ }
+ data, err := os.ReadFile(path)
+ if err != nil {
+ return nil, fmt.Errorf("cannot read %q: %w", path, err)
+ }
+ return data, nil
+}
+
+// GetFilepath returns full path to file for the given baseDir and path.
+func GetFilepath(baseDir, path string) string {
+ if filepath.IsAbs(path) || isHTTPURL(path) {
+ return path
+ }
+ return filepath.Join(baseDir, path)
+}
+
+// isHTTPURL checks if a given targetURL is valid and contains a valid http scheme
+func isHTTPURL(targetURL string) bool {
+ parsed, err := url.Parse(targetURL)
+ return err == nil && (parsed.Scheme == "http" || parsed.Scheme == "https") && parsed.Host != ""
+
+}
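Review bot: `ReadFileOrHTTP` fetches remote paths with `http.Get`, which goes through `http.DefaultClient` and therefore has no timeout, so a stalled endpoint can block the caller indefinitely; with this commit that caller is `ReadPasswordFromFileOrHTTP`, which promauth now invokes on every credential refresh. A package-level `var httpClient = &http.Client{Timeout: 10 * time.Second}` (value illustrative) and `resp, err := httpClient.Get(path)` would bound that. The body is also read with an unbounded `io.ReadAll` before the `4*1024` truncation is applied, so that cap only shortens the error message rather than the read; wrapping the body in `io.LimitReader` with an explicit maximum would bound memory as well. Minor: the doc comment on `ReadPasswordFromFileOrHTTP` should read `the given path`.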
diff --git a/lib/fs/fscore/fscore_test.go b/lib/fs/fscore/fscore_test.go
new file mode 100644
index 000000000..de7347143
--- /dev/null
+++ b/lib/fs/fscore/fscore_test.go
@@ -0,0 +1,20 @@
+package fscore
+
+import (
+ "testing"
+)
+
+func TestIsHTTPURL(t *testing.T) {
+ f := func(s string, expected bool) {
+ t.Helper()
+ res := isHTTPURL(s)
+ if res != expected {
+ t.Fatalf("expecting %t, got %t", expected, res)
+ }
+ }
+ f("http://isvalid:8000/filepath", true) // test http
+ f("https://isvalid:8000/filepath", true) // test https
+ f("tcp://notvalid:8000/filepath", false) // test tcp
+ f("0/filepath", false) // something invalid
+ f("filepath.extension", false) // something invalid
+}
diff --git a/lib/httpserver/httpserver.go b/lib/httpserver/httpserver.go
index b847843c1..c954b8706 100644
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -42,10 +42,10 @@ var (
 "then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. "+
 "See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus")
 httpAuthUsername = flag.String("httpAuth.username", "", "Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password")
- httpAuthPassword = flag.String("httpAuth.password", "", "Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty")
- metricsAuthKey = flag.String("metricsAuthKey", "", "Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings")
- flagsAuthKey = flag.String("flagsAuthKey", "", "Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings")
- pprofAuthKey = flag.String("pprofAuthKey", "", "Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings")
+ httpAuthPassword = flagutil.NewPassword("httpAuth.password", "Password for HTTP server's Basic Auth. The authentication is disabled if -httpAuth.username is empty")
+ metricsAuthKey = flagutil.NewPassword("metricsAuthKey", "Auth key for /metrics endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings")
+ flagsAuthKey = flagutil.NewPassword("flagsAuthKey", "Auth key for /flags endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings")
+ pprofAuthKey = flagutil.NewPassword("pprofAuthKey", "Auth key for /debug/pprof/* endpoints. It must be passed via authKey query arg. It overrides httpAuth.* settings")
 
 disableResponseCompression = flag.Bool("http.disableResponseCompression", false, "Disable compression of HTTP responses to save CPU resources. 
By default, compression is enabled to save network bandwidth")
 maxGracefulShutdownDuration = flag.Duration("http.maxGracefulShutdownDuration", 7*time.Second, `The maximum duration for a graceful shutdown of the HTTP server. A highly loaded server may require increased value for a graceful shutdown`)
@@ -317,7 +317,7 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 return
 case "/metrics":
 metricsRequests.Inc()
- if !CheckAuthFlag(w, r, *metricsAuthKey, "metricsAuthKey") {
+ if !CheckAuthFlag(w, r, metricsAuthKey.Get(), "metricsAuthKey") {
 return
 }
 startTime := time.Now()
@@ -326,7 +326,7 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 metricsHandlerDuration.UpdateDuration(startTime)
 return
 case "/flags":
- if !CheckAuthFlag(w, r, *flagsAuthKey, "flagsAuthKey") {
+ if !CheckAuthFlag(w, r, flagsAuthKey.Get(), "flagsAuthKey") {
 return
 }
 h.Set("Content-Type", "text/plain; charset=utf-8")
@@ -350,7 +350,7 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 default:
 if strings.HasPrefix(r.URL.Path, "/debug/pprof/") {
 pprofRequests.Inc()
- if !CheckAuthFlag(w, r, *pprofAuthKey, "pprofAuthKey") {
+ if !CheckAuthFlag(w, r, pprofAuthKey.Get(), "pprofAuthKey") {
 return
 }
 pprofHandler(r.URL.Path[len("/debug/pprof/"):], w, r)
@@ -398,7 +398,7 @@ func CheckBasicAuth(w http.ResponseWriter, r *http.Request) bool {
 }
 username, password, ok := r.BasicAuth()
 if ok {
- if username == *httpAuthUsername && password == *httpAuthPassword {
+ if username == *httpAuthUsername && password == httpAuthPassword.Get() {
 return true
 }
 authBasicRequestErrors.Inc()
diff --git a/lib/httpserver/httpserver_test.go b/lib/httpserver/httpserver_test.go
index e71f92263..5c36e3488 100644
--- a/lib/httpserver/httpserver_test.go
+++ b/lib/httpserver/httpserver_test.go
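Review bot: In `CheckBasicAuth` the rewritten line still compares the submitted password with `==` (`password == httpAuthPassword.Get()`), which returns on the first mismatching byte; `crypto/subtle.ConstantTimeCompare([]byte(password), []byte(httpAuthPassword.Get())) == 1` would make the check constant-time (`crypto/subtle` would need importing, and the enclosing function continues outside the hunk). The same comparison presumably sits inside `CheckAuthFlag`, which the `/metrics`, `/flags` and `/debug/pprof/` branches now call with `.Get()`, but its body is not part of this diff. Note also that `.Get()` is now evaluated on every request on these paths; how it behaves when a `file://`- or `http://`-backed value cannot be refreshed is not visible here and deserves a one-line comment at the call sites, e.g. `// Get() is evaluated per request; see flagutil.Password for refresh and failure semantics.`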
@@ -39,9 +39,11 @@ func TestGetQuotedRemoteAddr(t *testing.T) {
 
 func TestBasicAuthMetrics(t *testing.T) {
 origUsername := *httpAuthUsername
- origPasswd := *httpAuthPassword
+ origPasswd := httpAuthPassword.Get()
 defer func() {
- *httpAuthPassword = origPasswd
+ if err := httpAuthPassword.Set(origPasswd); err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
 *httpAuthUsername = origUsername
 }()
 
@@ -61,14 +63,18 @@ func TestBasicAuthMetrics(t *testing.T) {
 }
 
 *httpAuthUsername = "test"
- *httpAuthPassword = "pass"
+ if err := httpAuthPassword.Set("pass"); err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
 f("test", "pass", 200)
 f("test", "wrong", 401)
 f("wrong", "pass", 401)
 f("wrong", "wrong", 401)
 
 *httpAuthUsername = ""
- *httpAuthPassword = ""
+ if err := httpAuthPassword.Set(""); err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
 f("test", "pass", 200)
 f("test", "wrong", 200)
 f("wrong", "pass", 200)
@@ -77,9 +83,11 @@ func TestBasicAuthMetrics(t *testing.T) {
 
 func TestAuthKeyMetrics(t *testing.T) {
 origUsername := *httpAuthUsername
- origPasswd := *httpAuthPassword
+ origPasswd := httpAuthPassword.Get()
 defer func() {
- *httpAuthPassword = origPasswd
+ if err := httpAuthPassword.Set(origPasswd); err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
 *httpAuthUsername = origUsername
 }()
 
@@ -117,7 +125,9 @@ func TestAuthKeyMetrics(t *testing.T) {
 }
 
 *httpAuthUsername = "test"
- *httpAuthPassword = "pass"
+ if err := httpAuthPassword.Set("pass"); err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
 tstWithOutAuthKey("test", "pass", 200)
 tstWithOutAuthKey("test", "wrong", 401)
 tstWithOutAuthKey("wrong", "pass", 401)
diff --git a/lib/promauth/config.go b/lib/promauth/config.go
index c47d3f768..a740295f5 100644
--- a/lib/promauth/config.go
+++ b/lib/promauth/config.go
@@ -12,7 +12,7 @@ import (
 "sync"
 
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"
- "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/netutil"
 "github.com/VictoriaMetrics/fasthttp"
 "github.com/cespare/xxhash/v2"
@@ -199,7 +199,7 @@ func newOAuth2ConfigInternal(baseDir string, o *OAuth2Config) (*oauth2ConfigInte
 },
 }
 if o.ClientSecretFile != "" {
- oi.clientSecretFile = fs.GetFilepath(baseDir, o.ClientSecretFile)
+ oi.clientSecretFile = fscore.GetFilepath(baseDir, o.ClientSecretFile)
 // There is no need in reading oi.clientSecretFile now, since it may be missing right now.
 // It is read later before performing oauth2 request to server.
 }
@@ -260,7 +260,7 @@ func (oi *oauth2ConfigInternal) getTokenSource() (oauth2.TokenSource, error) {
 if oi.clientSecretFile == "" {
 return oi.tokenSource, nil
 }
- newSecret, err := readPasswordFromFile(oi.clientSecretFile)
+ newSecret, err := fscore.ReadPasswordFromFileOrHTTP(oi.clientSecretFile)
 if err != nil {
 return nil, fmt.Errorf("cannot read OAuth2 secret from %q: %w", oi.clientSecretFile, err)
 }
@@ -649,9 +649,9 @@ func (actx *authContext) initFromAuthorization(baseDir string, az *Authorization
 if az.Credentials != nil {
 return fmt.Errorf("both `credentials`=%q and `credentials_file`=%q are set", az.Credentials, az.CredentialsFile)
 }
- filePath := fs.GetFilepath(baseDir, az.CredentialsFile)
+ filePath := fscore.GetFilepath(baseDir, az.CredentialsFile)
 actx.getAuthHeader = func() (string, error) {
- token, err := readPasswordFromFile(filePath)
+ token, err := fscore.ReadPasswordFromFileOrHTTP(filePath)
 if err != nil {
 return "", fmt.Errorf("cannot read credentials from `credentials_file`=%q: %w", az.CredentialsFile, err)
 }
@@ -679,9 +679,9 @@ func (actx *authContext) initFromBasicAuthConfig(baseDir string, ba *BasicAuthCo
 if ba.Password != nil {
 return fmt.Errorf("both `password`=%q and `password_file`=%q are set in `basic_auth` section", ba.Password, ba.PasswordFile)
 }
- filePath := fs.GetFilepath(baseDir, ba.PasswordFile)
+ filePath := fscore.GetFilepath(baseDir, ba.PasswordFile)
 actx.getAuthHeader = func() (string, error) {
- password, err := readPasswordFromFile(filePath)
+ password, err := fscore.ReadPasswordFromFileOrHTTP(filePath)
 if err != nil {
 return "", fmt.Errorf("cannot read password from `password_file`=%q set in `basic_auth` section: %w", ba.PasswordFile, err)
 }
@@ -695,9 +695,9 @@ func (actx *authContext) initFromBasicAuthConfig(baseDir string, ba *BasicAuthCo
 }
 
 func (actx *authContext) mustInitFromBearerTokenFile(baseDir string, bearerTokenFile string) {
- filePath := fs.GetFilepath(baseDir, bearerTokenFile)
+ filePath := fscore.GetFilepath(baseDir, bearerTokenFile)
 actx.getAuthHeader = func() (string, error) {
- token, err := readPasswordFromFile(filePath)
+ token, err := fscore.ReadPasswordFromFileOrHTTP(filePath)
 if err != nil {
 return "", fmt.Errorf("cannot read bearer token from `bearer_token_file`=%q: %w", bearerTokenFile, err)
 }
@@ -760,15 +760,15 @@ func (tctx *tlsContext) initFromTLSConfig(baseDir string, tc *TLSConfig) error {
 h := xxhash.Sum64([]byte(tc.Key)) ^ xxhash.Sum64([]byte(tc.Cert))
 tctx.tlsCertDigest = fmt.Sprintf("digest(key+cert)=%d", h)
 } else if tc.CertFile != "" || tc.KeyFile != "" {
- certPath := fs.GetFilepath(baseDir, tc.CertFile)
- keyPath := fs.GetFilepath(baseDir, tc.KeyFile)
+ certPath := fscore.GetFilepath(baseDir, tc.CertFile)
+ keyPath := fscore.GetFilepath(baseDir, tc.KeyFile)
 tctx.getTLSCert = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
 // Re-read TLS certificate from disk. This is needed for https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1420
- certData, err := fs.ReadFileOrHTTP(certPath)
+ certData, err := fscore.ReadFileOrHTTP(certPath)
 if err != nil {
 return nil, fmt.Errorf("cannot read TLS certificate from %q: %w", certPath, err)
 }
- keyData, err := fs.ReadFileOrHTTP(keyPath)
+ keyData, err := fscore.ReadFileOrHTTP(keyPath)
 if err != nil {
 return nil, fmt.Errorf("cannot read TLS key from %q: %w", keyPath, err)
 }
@@ -791,9 +791,9 @@ func (tctx *tlsContext) initFromTLSConfig(baseDir string, tc *TLSConfig) error {
 h := xxhash.Sum64([]byte(tc.CA))
 tctx.tlsRootCADigest = fmt.Sprintf("digest(CA)=%d", h)
 } else if tc.CAFile != "" {
- path := fs.GetFilepath(baseDir, tc.CAFile)
+ path := fscore.GetFilepath(baseDir, tc.CAFile)
 tctx.getTLSRootCA = func() (*x509.CertPool, error) {
- data, err := fs.ReadFileOrHTTP(path)
+ data, err := fscore.ReadFileOrHTTP(path)
 if err != nil {
 return nil, fmt.Errorf("cannot read `ca_file`: %w", err)
 }
@@ -806,7 +806,7 @@ func (tctx *tlsContext) initFromTLSConfig(baseDir string, tc *TLSConfig) error {
 // The Config.NewTLSConfig() is called only once per each scrape target initialization.
 // So, the tlsRootCADigest must contain the hash of CAFile contents additionally to CAFile itself,
 // in order to properly reload scrape target configs when CAFile contents changes.
- data, err := fs.ReadFileOrHTTP(path)
+ data, err := fscore.ReadFileOrHTTP(path)
 if err != nil {
 // Do not return the error to the caller, since this may result in fatal error.
 // The CAFile contents can become available on the next check of scrape configs.
diff --git a/lib/promauth/util.go b/lib/promauth/util.go
deleted file mode 100644
index 11a11ea43..000000000
--- a/lib/promauth/util.go
+++ /dev/null
@@ -1,17 +0,0 @@
-package promauth
-
-import (
- "strings"
- "unicode"
-
- "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
-)
-
-func readPasswordFromFile(path string) (string, error) {
- data, err := fs.ReadFileOrHTTP(path)
- if err != nil {
- return "", err
- }
- pass := strings.TrimRightFunc(string(data), unicode.IsSpace)
- return pass, nil
-}
diff --git a/lib/promrelabel/config.go b/lib/promrelabel/config.go
index fdd2f853c..a76bbfc15 100644
--- a/lib/promrelabel/config.go
+++ b/lib/promrelabel/config.go
@@ -8,7 +8,7 @@ import (
 
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/envtemplate"
- "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/regexutil"
 "gopkg.in/yaml.v2"
@@ -156,7 +156,7 @@ func (pcs *ParsedConfigs) String() string {
 
 // LoadRelabelConfigs loads relabel configs from the given path.
 func LoadRelabelConfigs(path string) (*ParsedConfigs, error) {
- data, err := fs.ReadFileOrHTTP(path)
+ data, err := fscore.ReadFileOrHTTP(path)
 if err != nil {
 return nil, fmt.Errorf("cannot read `relabel_configs` from %q: %w", path, err)
 }
diff --git a/lib/promscrape/config.go b/lib/promscrape/config.go
index 6da5fc85c..156707de0 100644
--- a/lib/promscrape/config.go
+++ b/lib/promscrape/config.go
@@ -16,7 +16,7 @@ import (
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/cgroup"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/envtemplate"
- "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/promauth"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/promrelabel"
@@ -413,7 +413,7 @@ type StaticConfig struct {
 }
 
 func loadStaticConfigs(path string) ([]StaticConfig, error) {
- data, err := fs.ReadFileOrHTTP(path)
+ data, err := fscore.ReadFileOrHTTP(path)
 if err != nil {
 return nil, fmt.Errorf("cannot read `static_configs` from %q: %w", path, err)
 }
@@ -430,7 +430,7 @@ func loadStaticConfigs(path string) ([]StaticConfig, error) {
 
 // loadConfig loads Prometheus config from the given path.
 func loadConfig(path string) (*Config, error) {
- data, err := fs.ReadFileOrHTTP(path)
+ data, err := fscore.ReadFileOrHTTP(path)
 if err != nil {
 return nil, fmt.Errorf("cannot read Prometheus config from %q: %w", path, err)
 }
@@ -444,7 +444,7 @@ func loadConfig(path string) (*Config, error) {
 func loadScrapeConfigFiles(baseDir string, scrapeConfigFiles []string, isStrict bool) ([]*ScrapeConfig, error) {
 var scrapeConfigs []*ScrapeConfig
 for _, filePath := range scrapeConfigFiles {
- filePath := fs.GetFilepath(baseDir, filePath)
+ filePath := fscore.GetFilepath(baseDir, filePath)
 paths := []string{filePath}
 if strings.Contains(filePath, "*") {
 ps, err := filepath.Glob(filePath)
@@ -456,7 +456,7 @@ func loadScrapeConfigFiles(baseDir string, scrapeConfigFiles []string, isStrict
 paths = ps
 }
 for _, path := range paths {
- data, err := fs.ReadFileOrHTTP(path)
+ data, err := fscore.ReadFileOrHTTP(path)
 if err != nil {
 logger.Errorf("skipping %q at `scrape_config_files` because of error: %s", path, err)
 continue
@@ -984,7 +984,7 @@ func (sdc *FileSDConfig) appendScrapeWork(dst []*ScrapeWork, baseDir string, swc
 metaLabels := promutils.GetLabels()
 defer promutils.PutLabels(metaLabels)
 for _, file := range sdc.Files {
- pathPattern := fs.GetFilepath(baseDir, file)
+ pathPattern := fscore.GetFilepath(baseDir, file)
 paths := []string{pathPattern}
 if strings.Contains(pathPattern, "*") {
 var err error
diff --git a/lib/promscrape/discovery/kubernetes/kubeconfig.go b/lib/promscrape/discovery/kubernetes/kubeconfig.go
index e7afcd449..a37685c49 100644
--- a/lib/promscrape/discovery/kubernetes/kubeconfig.go
+++ b/lib/promscrape/discovery/kubernetes/kubeconfig.go
@@ -7,7 +7,7 @@ import (
 
 "gopkg.in/yaml.v2"
 
- "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/promauth"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/proxy"
 )
@@ -155,7 +155,7 @@ type kubeConfig struct {
 }
 
 func newKubeConfig(kubeConfigFile string) (*kubeConfig, error) {
- data, err := fs.ReadFileOrHTTP(kubeConfigFile)
+ data, err := fscore.ReadFileOrHTTP(kubeConfigFile)
 if err != nil {
 return nil, fmt.Errorf("cannot read %q: %w", kubeConfigFile, err)
 }
diff --git a/lib/streamaggr/streamaggr.go b/lib/streamaggr/streamaggr.go
index 2158ae18c..381267021 100644
--- a/lib/streamaggr/streamaggr.go
+++ b/lib/streamaggr/streamaggr.go
@@ -13,7 +13,7 @@ import (
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/cgroup"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/encoding"
- "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
+ "github.com/VictoriaMetrics/VictoriaMetrics/lib/fs/fscore"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/prompbmarshal"
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/promrelabel"
@@ -44,7 +44,7 @@ var supportedOutputs = []string{
 //
 // The returned Aggregators must be stopped with MustStop() when no longer needed.
 func LoadFromFile(path string, pushFunc PushFunc, dedupInterval time.Duration) (*Aggregators, error) {
- data, err := fs.ReadFileOrHTTP(path)
+ data, err := fscore.ReadFileOrHTTP(path)
 if err != nil {
 return nil, fmt.Errorf("cannot load aggregators: %w", err)
 }