From 5b8095a30a868c33127bcb24681b7f6243b5297c Mon Sep 17 00:00:00 2001 From: Aliaksandr Valialkin Date: Thu, 6 Jul 2023 15:59:56 -0700 Subject: [PATCH] lib/promscrape: disable support for service discovery and metrics scrape via http2 Reasons for disabling http2: - http2 is used very rarely comparing to http for Prometheus metrics exposition and service discovery - http2 is much harder to debug than http - http2 has very bad security record because of its complexity - see https://portswigger.net/research/http2 VictoriaMetrics components are compiled with nethttpomithttp2 tag because of these issues. Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4283 Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4274 This is a follow-up for 72c3cd47eb1120037ceffb2400e54b11c8a0e414 --- lib/promauth/config.go | 11 +++++++++-- lib/promscrape/client.go | 8 -------- lib/promscrape/config.go | 7 ------- lib/promscrape/discovery/azure/api.go | 4 ++-- lib/promscrape/discovery/azure/machine_test.go | 2 +- lib/promscrape/discovery/consul/api.go | 2 +- lib/promscrape/discovery/consulagent/api.go | 2 +- lib/promscrape/discovery/digitalocean/api.go | 2 +- lib/promscrape/discovery/docker/api.go | 2 +- lib/promscrape/discovery/dockerswarm/api.go | 2 +- lib/promscrape/discovery/eureka/api.go | 2 +- lib/promscrape/discovery/http/api.go | 2 +- lib/promscrape/discovery/kuma/api.go | 2 +- lib/promscrape/discovery/nomad/api.go | 2 +- lib/promscrape/discoveryutils/client.go | 10 +--------- lib/promscrape/discoveryutils/client_test.go | 18 +----------------- lib/promscrape/scrapework.go | 15 +++++++++++---- lib/promscrape/testdata/prometheus.yml | 2 -- 18 files changed, 34 insertions(+), 61 deletions(-) diff --git a/lib/promauth/config.go b/lib/promauth/config.go index 602c2b7e0..491fd166e 100644 --- a/lib/promauth/config.go +++ b/lib/promauth/config.go @@ -127,8 +127,15 @@ type HTTPClientConfig struct { // FollowRedirects specifies whether the client should follow HTTP 3xx redirects. FollowRedirects *bool `yaml:"follow_redirects,omitempty"` - // EnableHTTP2 specifies whether the client should configure HTTP2. - EnableHTTP2 *bool `yaml:"enable_http2,omitempty"` + // Do not support enable_http2 option because of the following reasons: + // + // - http2 is used very rarely comparing to http for Prometheus metrics exposition and service discovery + // - http2 is much harder to debug than http + // - http2 has very bad security record because of its complexity - see https://portswigger.net/research/http2 + // + // VictoriaMetrics components are compiled with nethttpomithttp2 tag because of these issues. + // + // EnableHTTP2 bool } // ProxyClientConfig represents proxy client config. diff --git a/lib/promscrape/client.go b/lib/promscrape/client.go index 358528510..420589dd9 100644 --- a/lib/promscrape/client.go +++ b/lib/promscrape/client.go @@ -11,8 +11,6 @@ import ( "strings" "time" - "golang.org/x/net/http2" - "github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil" "github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil" "github.com/VictoriaMetrics/VictoriaMetrics/lib/logger" @@ -162,12 +160,6 @@ func newClient(ctx context.Context, sw *ScrapeWork) *client { // See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1017#issuecomment-767235047 Timeout: 30 * sw.ScrapeTimeout, } - if sw.EnableHTTP2 { - _, err := http2.ConfigureTransports(sc.Transport.(*http.Transport)) - if err != nil { - logger.Errorf("failed to configure HTTP/2 transport: %s", err) - } - } if sw.DenyRedirects { sc.CheckRedirect = func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse diff --git a/lib/promscrape/config.go b/lib/promscrape/config.go index 186747c79..cc1b9529a 100644 --- a/lib/promscrape/config.go +++ b/lib/promscrape/config.go @@ -992,10 +992,6 @@ func getScrapeWorkConfig(sc *ScrapeConfig, baseDir string, globalCfg *GlobalConf if sc.HTTPClientConfig.FollowRedirects != nil { denyRedirects = !*sc.HTTPClientConfig.FollowRedirects } - enableHTTP2 := false - if sc.HTTPClientConfig.EnableHTTP2 != nil { - enableHTTP2 = !*sc.HTTPClientConfig.EnableHTTP2 - } metricsPath := sc.MetricsPath if metricsPath == "" { metricsPath = "/metrics" @@ -1048,7 +1044,6 @@ func getScrapeWorkConfig(sc *ScrapeConfig, baseDir string, globalCfg *GlobalConf honorLabels: honorLabels, honorTimestamps: honorTimestamps, denyRedirects: denyRedirects, - enableHTTP2: enableHTTP2, externalLabels: externalLabels, relabelConfigs: relabelConfigs, metricRelabelConfigs: metricRelabelConfigs, @@ -1079,7 +1074,6 @@ type scrapeWorkConfig struct { honorLabels bool honorTimestamps bool denyRedirects bool - enableHTTP2 bool externalLabels *promutils.Labels relabelConfigs *promrelabel.ParsedConfigs metricRelabelConfigs *promrelabel.ParsedConfigs @@ -1357,7 +1351,6 @@ func (swc *scrapeWorkConfig) getScrapeWork(target string, extraLabels, metaLabel HonorLabels: swc.honorLabels, HonorTimestamps: swc.honorTimestamps, DenyRedirects: swc.denyRedirects, - EnableHTTP2: swc.enableHTTP2, OriginalLabels: originalLabels, Labels: labelsCopy, ExternalLabels: swc.externalLabels, diff --git a/lib/promscrape/discovery/azure/api.go b/lib/promscrape/discovery/azure/api.go index c81758784..90a590e6b 100644 --- a/lib/promscrape/discovery/azure/api.go +++ b/lib/promscrape/discovery/azure/api.go @@ -110,7 +110,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, err } - c, err := discoveryutils.NewClient(env.ResourceManagerEndpoint, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + c, err := discoveryutils.NewClient(env.ResourceManagerEndpoint, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create client for %q: %w", env.ResourceManagerEndpoint, err) } @@ -230,7 +230,7 @@ func getRefreshTokenFunc(sdc *SDConfig, ac, proxyAC *promauth.Config, env *cloud return nil, fmt.Errorf("unsupported `authentication_method: %q` only `OAuth` and `ManagedIdentity` are supported", authenticationMethod) } - authClient, err := discoveryutils.NewClient(tokenEndpoint, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + authClient, err := discoveryutils.NewClient(tokenEndpoint, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot build auth client: %w", err) } diff --git a/lib/promscrape/discovery/azure/machine_test.go b/lib/promscrape/discovery/azure/machine_test.go index 8d778f65e..e323c9202 100644 --- a/lib/promscrape/discovery/azure/machine_test.go +++ b/lib/promscrape/discovery/azure/machine_test.go @@ -67,7 +67,7 @@ func TestGetVirtualMachinesSuccess(t *testing.T) { } })) defer testServer.Close() - c, err := discoveryutils.NewClient(testServer.URL, nil, nil, nil, promauth.HTTPClientConfig{}) + c, err := discoveryutils.NewClient(testServer.URL, nil, nil, nil, &promauth.HTTPClientConfig{}) if err != nil { t.Fatalf("unexpected error at client create: %s", err) } diff --git a/lib/promscrape/discovery/consul/api.go b/lib/promscrape/discovery/consul/api.go index af637999a..630a31d27 100644 --- a/lib/promscrape/discovery/consul/api.go +++ b/lib/promscrape/discovery/consul/api.go @@ -80,7 +80,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", apiServer, err) } diff --git a/lib/promscrape/discovery/consulagent/api.go b/lib/promscrape/discovery/consulagent/api.go index c9c9456df..a859bcf93 100644 --- a/lib/promscrape/discovery/consulagent/api.go +++ b/lib/promscrape/discovery/consulagent/api.go @@ -74,7 +74,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", apiServer, err) } diff --git a/lib/promscrape/discovery/digitalocean/api.go b/lib/promscrape/discovery/digitalocean/api.go index 220fb2b55..69e60b8f9 100644 --- a/lib/promscrape/discovery/digitalocean/api.go +++ b/lib/promscrape/discovery/digitalocean/api.go @@ -36,7 +36,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", apiServer, err) } diff --git a/lib/promscrape/discovery/docker/api.go b/lib/promscrape/discovery/docker/api.go index dd0ff7ed0..4821261dc 100644 --- a/lib/promscrape/discovery/docker/api.go +++ b/lib/promscrape/discovery/docker/api.go @@ -50,7 +50,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(sdc.Host, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(sdc.Host, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", sdc.Host, err) } diff --git a/lib/promscrape/discovery/dockerswarm/api.go b/lib/promscrape/discovery/dockerswarm/api.go index 0a76e644c..15a7ef6e0 100644 --- a/lib/promscrape/discovery/dockerswarm/api.go +++ b/lib/promscrape/discovery/dockerswarm/api.go @@ -49,7 +49,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(sdc.Host, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(sdc.Host, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", sdc.Host, err) } diff --git a/lib/promscrape/discovery/eureka/api.go b/lib/promscrape/discovery/eureka/api.go index 9373e7edb..5c6832c6c 100644 --- a/lib/promscrape/discovery/eureka/api.go +++ b/lib/promscrape/discovery/eureka/api.go @@ -34,7 +34,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", apiServer, err) } diff --git a/lib/promscrape/discovery/http/api.go b/lib/promscrape/discovery/http/api.go index fcccdf929..49f1dde28 100644 --- a/lib/promscrape/discovery/http/api.go +++ b/lib/promscrape/discovery/http/api.go @@ -44,7 +44,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", apiServer, err) } diff --git a/lib/promscrape/discovery/kuma/api.go b/lib/promscrape/discovery/kuma/api.go index 0a30818b8..c2c33359a 100644 --- a/lib/promscrape/discovery/kuma/api.go +++ b/lib/promscrape/discovery/kuma/api.go @@ -60,7 +60,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", apiServer, err) } diff --git a/lib/promscrape/discovery/nomad/api.go b/lib/promscrape/discovery/nomad/api.go index 2b8208ca6..339a5dc0e 100644 --- a/lib/promscrape/discovery/nomad/api.go +++ b/lib/promscrape/discovery/nomad/api.go @@ -68,7 +68,7 @@ func newAPIConfig(sdc *SDConfig, baseDir string) (*apiConfig, error) { if err != nil { return nil, fmt.Errorf("cannot parse proxy auth config: %w", err) } - client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, sdc.HTTPClientConfig) + client, err := discoveryutils.NewClient(apiServer, ac, sdc.ProxyURL, proxyAC, &sdc.HTTPClientConfig) if err != nil { return nil, fmt.Errorf("cannot create HTTP client for %q: %w", apiServer, err) } diff --git a/lib/promscrape/discoveryutils/client.go b/lib/promscrape/discoveryutils/client.go index e5a51dcd6..ad54f3beb 100644 --- a/lib/promscrape/discoveryutils/client.go +++ b/lib/promscrape/discoveryutils/client.go @@ -14,8 +14,6 @@ import ( "sync" "time" - "golang.org/x/net/http2" - "github.com/VictoriaMetrics/VictoriaMetrics/lib/promauth" "github.com/VictoriaMetrics/VictoriaMetrics/lib/proxy" "github.com/VictoriaMetrics/VictoriaMetrics/lib/timerpool" @@ -86,7 +84,7 @@ type HTTPClient struct { var defaultDialer = &net.Dialer{} // NewClient returns new Client for the given args. -func NewClient(apiServer string, ac *promauth.Config, proxyURL *proxy.URL, proxyAC *promauth.Config, httpCfg promauth.HTTPClientConfig) (*Client, error) { +func NewClient(apiServer string, ac *promauth.Config, proxyURL *proxy.URL, proxyAC *promauth.Config, httpCfg *promauth.HTTPClientConfig) (*Client, error) { u, err := url.Parse(apiServer) if err != nil { return nil, fmt.Errorf("cannot parse apiServer=%q: %w", apiServer, err) @@ -155,12 +153,6 @@ func NewClient(apiServer string, ac *promauth.Config, proxyURL *proxy.URL, proxy proxyURL.SetHeaders(proxyAC, req) } } - if httpCfg.EnableHTTP2 != nil && *httpCfg.EnableHTTP2 { - _, err := http2.ConfigureTransports(client.Transport.(*http.Transport)) - if err != nil { - return nil, fmt.Errorf("failed to configure HTTP/2 transport: %s", err) - } - } ctx, cancel := context.WithCancel(context.Background()) c := &Client{ diff --git a/lib/promscrape/discoveryutils/client_test.go b/lib/promscrape/discoveryutils/client_test.go index 5882f2359..860ce124a 100644 --- a/lib/promscrape/discoveryutils/client_test.go +++ b/lib/promscrape/discoveryutils/client_test.go @@ -58,22 +58,6 @@ func TestNewClientFromConfig(t *testing.T) { }, expectedMessage: "I'm before redirect", }, - { - httpCfg: promauth.HTTPClientConfig{ - EnableHTTP2: &allowed, - }, - handler: func(w http.ResponseWriter, r *http.Request) { - switch r.URL.Path { - case "/redirected": - fmt.Fprint(w, "I'm here to serve you!!!") - default: - w.Header().Set("Location", "/redirected") - w.WriteHeader(http.StatusFound) - fmt.Fprint(w, "I'm before redirect") - } - }, - expectedMessage: "I'm here to serve you!!!", - }, } for _, validConfig := range newClientValidConfig { @@ -83,7 +67,7 @@ func TestNewClientFromConfig(t *testing.T) { } defer testServer.Close() - client, err := NewClient("http://0.0.0.0:1234", nil, &proxy.URL{}, nil, validConfig.httpCfg) + client, err := NewClient("http://0.0.0.0:1234", nil, &proxy.URL{}, nil, &validConfig.httpCfg) if err != nil { t.Errorf("Can't create a client from this config: %+v", validConfig.httpCfg) continue diff --git a/lib/promscrape/scrapework.go b/lib/promscrape/scrapework.go index 444805164..3a23c8655 100644 --- a/lib/promscrape/scrapework.go +++ b/lib/promscrape/scrapework.go @@ -66,8 +66,15 @@ type ScrapeWork struct { // Whether to deny redirects during requests to scrape config. DenyRedirects bool - // Whether to configure HTTP2. - EnableHTTP2 bool + // Do not support enable_http2 option because of the following reasons: + // + // - http2 is used very rarely comparing to http for Prometheus metrics exposition and service discovery + // - http2 is much harder to debug than http + // - http2 has very bad security record because of its complexity - see https://portswigger.net/research/http2 + // + // VictoriaMetrics components are compiled with nethttpomithttp2 tag because of these issues. + // + // EnableHTTP2 bool // OriginalLabels contains original labels before relabeling. // @@ -402,8 +409,8 @@ func (sw *scrapeWork) mustSwitchToStreamParseMode(responseSize int) bool { // getTargetResponse() fetches response from sw target in the same way as when scraping the target. func (sw *scrapeWork) getTargetResponse() ([]byte, error) { - // use stream reader when stream mode enabled or http2 enabled - if *streamParse || sw.Config.StreamParse || sw.mustSwitchToStreamParseMode(sw.prevBodyLen) || sw.Config.EnableHTTP2 { + // use stream reader when stream mode enabled + if *streamParse || sw.Config.StreamParse || sw.mustSwitchToStreamParseMode(sw.prevBodyLen) { // Read the response in stream mode. sr, err := sw.GetStreamReader() if err != nil { diff --git a/lib/promscrape/testdata/prometheus.yml b/lib/promscrape/testdata/prometheus.yml index 62e2d76d5..ecae9e7a3 100644 --- a/lib/promscrape/testdata/prometheus.yml +++ b/lib/promscrape/testdata/prometheus.yml @@ -7,7 +7,6 @@ scrape_configs: honor_labels: true honor_timestamps: false follow_redirects: false - enable_http2: true static_configs: - targets: ["foo.bar", "aaa"] labels: @@ -22,7 +21,6 @@ scrape_configs: - role: endpoints api_server: "https://localhost:1234" follow_redirects: true - enable_http2: true tls_config: cert_file: valid_cert_file key_file: valid_key_file