Old version of node_exporter (1.6.1)

[avelanarius]

The current version of node_exporter used in ScyllaDB images is 1.6.1 (as of 6bcf3ac). However, this version is flagged by security scanners with HIGH-severity CVE-2023-39325 (it uses old version of golang.org/x/net).

node_exporter should be updated to a later version 1.7.0 that fixed this problem.

[avikivity]

We could backport it, but I'd like a tiny run that proves that node_exporter starts correctly and exports metrics.

[mykaul]

We could backport it, but I'd like a tiny run that proves that node_exporter starts correctly and exports metrics.

Will be part of next sprint - https://github.com/scylladb/qa-tasks/issues/1562

[roydahan]

@avikivity is it still waiting for verification before backports?
If so, I can try doing it now, we want to expedite it so we can release older releases without vulnerabilities

[mykaul]

@avikivity is it still waiting for verification before backports? If so, I can try doing it now, we want to expedite it so we can release older releases without vulnerabilities

Please test.

[roydahan]

Tested with "5.5.0~dev-0.20231122.65e42e4166ce" and node_exporter works fine.

scyllaadm@longevity-parallel-topology-schema--db-node-dac3cbcd-1:/opt/scylladb$ /opt/scylladb/node_exporter/node_exporter --version
node_exporter, version 1.7.0 (branch: HEAD, revision: 7333465abf9efba81876303bb57e6fadb946041b)
  build user:       root@35918982f6d8
  build date:       20231112-23:53:35
  go version:       go1.21.4
  platform:         linux/amd64
  tags:             netgo osusergo static_build

Output Example:
curl http://localhost:9100/metrics

# HELP process_cpu_seconds_total Total user and system CPU time spent in seconds.
# TYPE process_cpu_seconds_total counter
process_cpu_seconds_total 7.93
# HELP process_max_fds Maximum number of open file descriptors.
# TYPE process_max_fds gauge
process_max_fds 524288
# HELP process_open_fds Number of open file descriptors.
# TYPE process_open_fds gauge
process_open_fds 10
# HELP process_resident_memory_bytes Resident memory size in bytes.
# TYPE process_resident_memory_bytes gauge
process_resident_memory_bytes 1.765376e+07
# HELP process_start_time_seconds Start time of the process since unix epoch in seconds.
# TYPE process_start_time_seconds gauge
process_start_time_seconds 1.70073227504e+09
# HELP process_virtual_memory_bytes Virtual memory size in bytes.
# TYPE process_virtual_memory_bytes gauge
process_virtual_memory_bytes 1.271443456e+09
# HELP process_virtual_memory_max_bytes Maximum amount of virtual memory available in bytes.
# TYPE process_virtual_memory_max_bytes gauge
process_virtual_memory_max_bytes 1.8446744073709552e+19
# HELP promhttp_metric_handler_errors_total Total number of internal errors encountered by the promhttp metric handler.
# TYPE promhttp_metric_handler_errors_total counter
promhttp_metric_handler_errors_total{cause="encoding"} 271
promhttp_metric_handler_errors_total{cause="gathering"} 0
# HELP promhttp_metric_handler_requests_in_flight Current number of scrapes being served.
# TYPE promhttp_metric_handler_requests_in_flight gauge
promhttp_metric_handler_requests_in_flight 1
# HELP promhttp_metric_handler_requests_total Total number of scrapes by HTTP status code.
# TYPE promhttp_metric_handler_requests_total counter
promhttp_metric_handler_requests_total{code="200"} 324
promhttp_metric_handler_requests_total{code="500"} 0
promhttp_metric_handler_requests_total{code="503"} 0

[roydahan]

Can we do the backports today?
We would like to have it on branch-2022.1 hopefully by Sunday.

[roydahan]

ping @avikivity

[avikivity]

I'll regenerate now.

[avikivity]

In 5.2 we have node_exporter 1.4.0. Is it vulnerable? Or was the vulnerability introduced later?

[roydahan]

In 5.2 we have node_exporter 1.4.0. Is it vulnerable? Or was the vulnerability introduced later?

@yaronkaikov ?

[avikivity]

Backported to 5.1, 5.2, 5.4.