
Handling the pprof vulnerability in Prometheus, Alertmanager, Pushgateway and node_exporter

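  1. The steps below build Docker images.
  2. A personal image registry is required (this walkthrough uses an Alibaba Cloud registry).
  3. Most of the work is done in Gitpod, which avoids dependency installation failures inside mainland China.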

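1. Installing dependencies locally

1.1 Install the environment
yum install -y git
yum install -y wget
yum install -y go      # version 1.17 or later
yum install -y npm     # version 7 or later
yum install -y nodejs  # version 16 or later; official install page: https://nodejs.org/zh-cn/download/package-manager
yum install -y bzip2
1.2 Enable/disable module support
1. Enable module support: export GO111MODULE=on          # run this one
2. Disable module support: export GO111MODULE=off
1.3 Proxies for use inside mainland China
1. Qiniu CDN: go env -w GOPROXY=https://goproxy.cn,direct
2. Alibaba Cloud: go env -w GOPROXY=https://mirrors.aliyun.com/goproxy/,direct
3. Official: go env -w GOPROXY=https://goproxy.io,direct
1.4 Download the Go dependencies
go mod download
# 1. The server is outside mainland China.
# 2. The source tree contains go.mod and go.sum; every required dependency is listed in these two files.
# 3. go mod download pulls all of the Go dependencies.
# 4. A server inside mainland China needs a proxy configured to pull dependencies and third-party libraries.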

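Notes:

  1. The steps above are the prerequisites for installing the required dependencies on a local machine inside mainland China.
  2. The simplest approach is Gitpod: it has open internet access and needs no dependency setup, so you can clone straight from GitHub and carry out the steps below.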

2. Building a Docker image from the prometheus source

2.1 Clone the repository
gitpod ~ $ git clone https://github.com/prometheus/prometheus.git
Cloning into 'prometheus'...
remote: Enumerating objects: 135723, done.
remote: Counting objects: 100% (229/229), done.
remote: Compressing objects: 100% (166/166), done.
remote: Total 135723 (delta 148), reused 63 (delta 63), pack-reused 135494 (from 4)
Receiving objects: 100% (135723/135723), 253.46 MiB | 40.53 MiB/s, done.
Resolving deltas: 100% (83480/83480), done.
2.2 Enter the directory
gitpod ~ $ cd prometheus/
2.3 Find the files that reference pprof
gitpod ~/prometheus (main) $ grep -r "pprof" ./*
...
./web/web.go:   "net/http/pprof"
./web/web.go:   if subpath == "/pprof" {
./web/web.go:   if !strings.HasPrefix(subpath, "/pprof/") {
./web/web.go:   subpath = strings.TrimPrefix(subpath, "/pprof/")
...
2.4 Edit ./web/web.go (only web.go needs to change)
import (
        "bytes"
        ...
        "math"
        "net"
        "net/http"
        "net/http/pprof"   // delete or comment out
        "net/url"
---------------------------------------------------------------------------- Comment out or delete everything below
func serveDebug(w http.ResponseWriter, req *http.Request) {
        ctx := req.Context()
        subpath := route.Param(ctx, "subpath")

        if subpath == "/pprof" {
                http.Redirect(w, req, req.URL.Path+"/", http.StatusMovedPermanently)
                return
        }

        if !strings.HasPrefix(subpath, "/pprof/") {
                http.NotFound(w, req)
                return
        }
        subpath = strings.TrimPrefix(subpath, "/pprof/")

        switch subpath {
        case "cmdline":
                pprof.Cmdline(w, req)
        case "profile":
                pprof.Profile(w, req)
        case "symbol":
                pprof.Symbol(w, req)
        case "trace":
                pprof.Trace(w, req)
        default:
                req.URL.Path = "/debug/pprof/" + subpath
                pprof.Index(w, req)
        }
}
2.5 Build the binaries
gitpod ~/prometheus (main) $ make build
cd web/ui && npm install
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
...
2.6 Edit the Dockerfile in the current directory
Original:
COPY .build/${OS}-${ARCH}/prometheus        /bin/prometheus
COPY .build/${OS}-${ARCH}/promtool          /bin/promtool
Change to:
COPY ./prometheus        /bin/prometheus
COPY ./promtool          /bin/promtool
2.7 Build the image
gitpod ~/prometheus $ docker build -t registry.cn-hangzhou.aliyuncs.com/xx/xx:prometheus-pprof .
2.8 Push to the personal registry for local deployment
gitpod ~/prometheus $ docker push registry.cn-hangzhou.aliyuncs.com/xx/xx:prometheus-pprof

3. Building a Docker image from the alertmanager source

3.1 Clone the repository
gitpod ~ $ git clone https://github.com/prometheus/alertmanager.git
Cloning into 'alertmanager'...
remote: Enumerating objects: 29705, done.
remote: Counting objects: 100% (133/133), done.
remote: Compressing objects: 100% (106/106), done.
remote: Total 29705 (delta 107), reused 27 (delta 27), pack-reused 29572 (from 4)
Receiving objects: 100% (29705/29705), 42.68 MiB | 38.92 MiB/s, done.
Resolving deltas: 100% (16130/16130), done.
3.2 Enter the directory
gitpod ~ $ cd alertmanager/
3.3 Find the files that reference pprof
gitpod ~/alertmanager (main) $ grep -r "pprof" ./*
./go.sum:github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod 
...
./ui/web.go:    _ "net/http/pprof" // Comment this line to disable pprof endpoint.
3.4 Edit ./ui/web.go
import (
        "fmt"
        "log/slog"
        "net/http"
        _ "net/http/pprof" // delete or comment out
        "path"
3.5 Build the binaries
gitpod ~/alertmanager (main) $ make build
cd ui/react-app && npm install && npm run build
...
3.6 Edit the Dockerfile in the current directory
Original:
COPY .build/${OS}-${ARCH}/amtool       /bin/amtool
COPY .build/${OS}-${ARCH}/alertmanager /bin/alertmanager
Change to:
COPY ./amtool       /bin/amtool
COPY ./alertmanager /bin/alertmanager
3.7 Build the image
gitpod ~/alertmanager (main) $ docker build -t registry.cn-hangzhou.aliyuncs.com/xx/xx:alertmanager-pprof .
3.8 Push to the personal registry for local deployment
gitpod ~/alertmanager (main) $ docker push registry.cn-hangzhou.aliyuncs.com/xx/xx:alertmanager-pprof 

4. Building a Docker image from the pushgateway source

4.1 Clone the repository
gitpod ~ $ git clone https://github.com/prometheus/pushgateway.git
Cloning into 'pushgateway'...
remote: Enumerating objects: 6348, done.
remote: Counting objects: 100% (2423/2423), done.
remote: Compressing objects: 100% (665/665), done.
remote: Total 6348 (delta 1981), reused 1761 (delta 1756), pack-reused 3925 (from 2)
Receiving objects: 100% (6348/6348), 12.61 MiB | 26.35 MiB/s, done.
Resolving deltas: 100% (3798/3798), done.
4.2 Enter the directory
gitpod ~ $ cd pushgateway/
4.3 Find the files that reference pprof
gitpod ~/pushgateway (master) $ grep -r "pprof" ./*
./CHANGELOG.md:* [BUGFIX] Re-add pprof endpoints.
./main.go:      "net/http/pprof"
./main.go:      // Re-enable pprof.
./main.go:      r.Get(*routePrefix+"/debug/pprof/*pprof", handlePprof)
./main.go:      switch route.Param(r.Context(), "pprof") {
./main.go:              pprof.Cmdline(w, r)
./main.go:              pprof.Profile(w, r)
./main.go:              pprof.Symbol(w, r)
./main.go:              pprof.Index(w, r)
4.4 Edit ./main.go
import (
        "compress/gzip"
        "context"
        "fmt"
        "io"
        "log/slog"
        "net/http"
        "net/http/pprof" // delete or comment out
-----------------------------------------------------------------
        // Re-enable pprof.
        r.Get(*routePrefix+"/debug/pprof/*pprof", handlePprof) // delete or comment out
----------------------------------------------------------------- Comment out or delete everything below
func handlePprof(w http.ResponseWriter, r *http.Request) {
        switch route.Param(r.Context(), "pprof") {
        case "/cmdline":
                pprof.Cmdline(w, r)
        case "/profile":
                pprof.Profile(w, r)
        case "/symbol":
                pprof.Symbol(w, r)
        default:
                pprof.Index(w, r)
        }
}
4.5 Build the binaries
gitpod ~/pushgateway (master) $ make build
curl -s -L https://github.com/prometheus/promu/releases/download/v0.17.0/promu-0.17.0.linux-amd64.tar.gz | tar -xvzf - -C /tmp/tmp.wAHta4la8R
...
4.6 Edit the Dockerfile in the current directory
Original:
COPY --chown=nobody:nobody .build/${OS}-${ARCH}/pushgateway /bin/pushgateway
Change to:
COPY --chown=nobody:nobody ./pushgateway /bin/pushgateway
4.7 Build the image
gitpod ~/pushgateway (master) $ docker build -t registry.cn-hangzhou.aliyuncs.com/xx/xx:pushgateway-pprof .
4.8 Push to the personal registry for local deployment
gitpod ~/pushgateway (master) $ docker push registry.cn-hangzhou.aliyuncs.com/xx/xx:pushgateway-pprof  

5. Building a Docker image from the node_exporter source

5.1 Clone the repository
gitpod ~ $ git clone https://github.com/prometheus/node_exporter.git
Cloning into 'node_exporter'...
remote: Enumerating objects: 17203, done.
remote: Counting objects: 100% (56/56), done.
remote: Compressing objects: 100% (37/37), done.
remote: Total 17203 (delta 44), reused 19 (delta 19), pack-reused 17147 (from 5)
Receiving objects: 100% (17203/17203), 12.20 MiB | 28.86 MiB/s, done.
Resolving deltas: 100% (10741/10741), done.
5.2 Enter the directory
gitpod ~ $ cd node_exporter/
5.3 Find the files that reference pprof
gitpod ~/node_exporter (master) $ grep -r "pprof" ./*
./node_exporter.go:     _ "net/http/pprof"
5.4 Edit ./node_exporter.go
import (
        "fmt"
        "log/slog"
        "net/http"
        _ "net/http/pprof" // comment out or delete
        "os"
5.5 Build the binaries
gitpod ~/node_exporter (master) $ make build
>> building binaries
/workspace/go/bin/promu --config .promu.yml build --prefix /home/gitpod/node_exporter >   node_exporter
go: downloading github.com/beorn7/perks v1.0.1
...
5.6 Edit the Dockerfile in the current directory
Original:
COPY .build/${OS}-${ARCH}/node_exporter /bin/node_exporter
Change to:
COPY ./node_exporter /bin/node_exporter
5.7 Build the image
gitpod ~/node_exporter (master) $ docker build -t registry.cn-hangzhou.aliyuncs.com/xx/xx:node_exporter-pprof .
5.8 Push to the personal registry for local deployment
gitpod ~/node_exporter (master) $ docker push registry.cn-hangzhou.aliyuncs.com/xx/xx:node_exporter-pprof  

6. Verifying the result
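
The edits in 3.4 and 5.4 work because the blank import of net/http/pprof registers the /debug/pprof/ handlers on http.DefaultServeMux as a side effect; without the import nothing is registered. The Go program below is an added example, not code from the original post or from the Prometheus projects: it probes a base URL for pprof paths that still answer 200 and runs that check against two constructed local test servers, where the empty explicit mux stands in for a rebuilt binary (ExposedPprofPaths, Demo and pprofPaths are names assumed for this illustration).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: registers /debug/pprof/* on http.DefaultServeMux
	"time"
)

// Paths to probe; profile and trace are left out because they run for seconds and load the target.
var pprofPaths = []string{"/debug/pprof/", "/debug/pprof/cmdline", "/debug/pprof/symbol", "/debug/pprof/heap"}

// ExposedPprofPaths returns every probed pprof path that answers 200 at baseURL.
func ExposedPprofPaths(baseURL string) ([]string, error) {
	// Redirects are not followed: only a direct 200 counts as exposed.
	client := &http.Client{Timeout: 5 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	var exposed []string
	for _, p := range pprofPaths {
		resp, err := client.Get(baseURL + p)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		if resp.StatusCode == http.StatusOK {
			exposed = append(exposed, p)
		}
	}
	return exposed, nil
}

// Demo probes two constructed local servers and returns what each one exposes.
func Demo() (before, after []string, err error) {
	unpatched := httptest.NewServer(http.DefaultServeMux) // state before the edit
	defer unpatched.Close()
	patched := httptest.NewServer(http.NewServeMux()) // nothing registered: state after the edit
	defer patched.Close()
	if before, err = ExposedPprofPaths(unpatched.URL); err != nil {
		return nil, nil, err
	}
	after, err = ExposedPprofPaths(patched.URL)
	return before, after, err
}

func main() {
	before, after, err := Demo()
	fmt.Println("default mux:", before, "explicit mux:", after, "err:", err)
}
```

To check a rebuilt deployment, call ExposedPprofPaths with the service's base URL; an empty result means none of the probed paths answered 200.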


