patch 5 debuginfod: prometheus metrics
Frank Ch. Eigler
fche@redhat.com
Mon Nov 18 16:48:00 GMT 2019
Hi -
> > > see it is already in a comment in the code. Best to also add it as See
> > > also in the docs.
> >
> > OK.
>
> Thanks, that would be good.
Done.
> > > > +control. The \fI/metrics\fP webapi endpoint is probably not
> > > > +appropriate for disclosure to the public.
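Review bot: the man page sentence at `+control. The \fI/metrics\fP webapi endpoint is probably not` / `+appropriate for disclosure to the public.` warns the admin but does not say what to do about it; since the thread settles on not adding an option to disable the endpoint, the text should state the mitigation explicitly (have a front-end reverse proxy refuse requests to /metrics) and cross-reference the security section that already advises against exposing an unprotected debuginfod server to the public.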
> > >
> > > So, should there be an option to turn it off?
> >
> > IMHO not necessary. The security section already advises against
> > exposing an unprotected debuginfod server to the public. A front-end
> > reverse-proxy would easily filter requests to /metrics.
>
> I think defense in depth is not a bad thing.
> You already have local users to which it is exposed.
Local users can already run "ps awux" to see the same semi-sensitive
command line arguments.
> And it would also make the server do slightly less work.
Maybe, but if it's a serious/public enough installation to worry about
configuration privacy, then it's also bound to be important enough to
be monitored, so its admin would not turn this off.
> Note that the current code defines tid () as syscall(SYS_getpid).
> Should be SYS_gettid.
OK.
- FChE
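An added illustration of the SYS_getpid versus SYS_gettid point raised above; this is example code written for this page, not part of the debuginfod patch or of elfutils. It assumes Linux, glibc and pthreads, and spawns one worker thread to show that a tid() built on syscall(SYS_getpid) returns the same value in every thread of the process, so it cannot tell threads apart, while syscall(SYS_gettid) yields a per-thread id (equal to the pid only in the thread-group leader).

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The two candidate definitions of tid() discussed in the thread.
   SYS_getpid names the whole process; SYS_gettid names the calling thread. */
static long tid_via_getpid(void) { return syscall(SYS_getpid); }
static long tid_via_gettid(void) { return syscall(SYS_gettid); }

/* One thread's view of both identifiers. */
struct sample {
    long pid_style; /* what tid() returns if defined with SYS_getpid */
    long tid_style; /* what tid() returns if defined with SYS_gettid */
};

static void *worker(void *arg) {
    struct sample *s = arg;
    s->pid_style = tid_via_getpid();
    s->tid_style = tid_via_gettid();
    return NULL;
}

/* Fill main_s from the calling (main) thread and w from a freshly created
   worker thread. Returns 0 on success, -1 if the thread could not be made. */
static int collect(struct sample *main_s, struct sample *w) {
    pthread_t t;
    main_s->pid_style = tid_via_getpid();
    main_s->tid_style = tid_via_gettid();
    if (pthread_create(&t, NULL, worker, w) != 0)
        return -1;
    pthread_join(t, NULL);
    return 0;
}

/* 1 if the SYS_getpid-based tid() gives the same value in both threads
   (i.e. it collapses every thread to the process id), 0 if it differs,
   -1 on thread creation failure. */
int getpid_style_collides(void) {
    struct sample m, w;
    if (collect(&m, &w) != 0) return -1;
    return m.pid_style == w.pid_style;
}

/* 1 if the SYS_gettid-based tid() distinguishes the worker from the main
   thread, 0 if it does not, -1 on thread creation failure. */
int gettid_style_distinguishes(void) {
    struct sample m, w;
    if (collect(&m, &w) != 0) return -1;
    return m.tid_style != w.tid_style;
}

/* 1 if, in the thread-group leader (main thread), gettid equals getpid,
   which is why a single-threaded test would not expose the bug. */
int leader_tid_equals_pid(void) {
    return tid_via_gettid() == tid_via_getpid();
}

int main(void) {
    struct sample m, w;
    if (collect(&m, &w) != 0) {
        perror("pthread_create");
        return 1;
    }
    printf("main   : SYS_getpid=%ld SYS_gettid=%ld\n", m.pid_style, m.tid_style);
    printf("worker : SYS_getpid=%ld SYS_gettid=%ld\n", w.pid_style, w.tid_style);
    printf("getpid-style tid() collides across threads: %s\n",
           getpid_style_collides() == 1 ? "yes" : "no");
    printf("gettid-style tid() distinguishes threads:    %s\n",
           gettid_style_distinguishes() == 1 ? "yes" : "no");
    return 0;
}
```

Because the main thread is the thread-group leader, gettid and getpid agree there; the difference only shows up once a second thread exists, which is exactly the situation in a multi-threaded server.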