diff --git a/SECURITY.md b/SECURITY.md index 76fd9aaa9a..280bd4961d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,42 +1,4 @@ # Security Policy -## Supported Versions +You can find out about our security policy and VictoriaMetrics version support on the [security page](https://docs.victoriametrics.com/victoriametrics/#security) in the documentation. -The following versions of VictoriaMetrics receive regular security fixes: - -| Version | Supported | -|--------------------------------------------------------------------------------|--------------------| -| [Latest release](https://docs.victoriametrics.com/victoriametrics/changelog/) | :white_check_mark: | -| [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-releases/) | :white_check_mark: | -| other releases | :x: | - -See [this page](https://victoriametrics.com/security/) for more details. - -## Software Bill of Materials (SBOM) - -Every VictoriaMetrics container{{% available_from "#" %}} image published to -[Docker Hub](https://hub.docker.com/u/victoriametrics) -and [Quay.io](https://quay.io/organization/victoriametrics) -includes an [SPDX](https://spdx.dev/) SBOM attestation -generated automatically by BuildKit during -`docker buildx build`. - -To inspect the SBOM for an image: - -```sh -docker buildx imagetools inspect \ - docker.io/victoriametrics/victoria-metrics:latest \ - --format "{{ json .SBOM }}" -``` - -To scan an image using its SBOM attestation with -[Trivy](https://github.com/aquasecurity/trivy): - -```sh -trivy image --sbom-sources oci \ - docker.io/victoriametrics/victoria-metrics:latest -``` - -## Reporting a Vulnerability - -Please report any security issues to diff --git a/docs/victoriametrics/FAQ.md b/docs/victoriametrics/FAQ.md index 187ef0b253..d41b5db58c 100644 --- a/docs/victoriametrics/FAQ.md +++ b/docs/victoriametrics/FAQ.md 
@@ -136,7 +136,8 @@ VictoriaMetrics has no limitation on backfilling of old (historical) or out-of-o the specified [retention period](https://docs.victoriametrics.com/victoriametrics/#retention). See more about [backfilling](https://docs.victoriametrics.com/victoriametrics/#backfilling). -## How does VictoriaMetrics compare to other remote storage solutions for Prometheus such as [M3DB](https://github.com/m3db/m3), [Thanos](https://github.com/thanos-io/thanos), [Cortex](https://github.com/cortexproject/cortex), [Mimir](https://github.com/grafana/mimir), etc.? + +## How does VictoriaMetrics compare to other remote storage solutions for Prometheus such as [M3DB](https://github.com/m3db/m3), [Thanos](https://github.com/thanos-io/thanos), [Cortex](https://github.com/cortexproject/cortex), [Mimir](https://github.com/grafana/mimir), etc.? {#how-does-victoriametrics-compare-to-other-remote-storage-solutions-for-prometheus-such-as-m3db--thanos--cortex--mimir--etc} * VictoriaMetrics is easier to configure and operate than competing solutions. * VictoriaMetrics is more cost-efficient, since it requires less RAM, disk space, disk IO and network IO than competing solutions. 
@@ -153,7 +154,8 @@ The following articles and talks provide additional details: VictoriaMetrics also [uses less RAM than Thanos components](https://github.com/thanos-io/thanos/issues/448). -## What is the difference between VictoriaMetrics and [QuestDB](https://questdb.io/)? + +## What is the difference between VictoriaMetrics and [QuestDB](https://questdb.io/)? {#what-is-the-difference-between-victoriametrics-and-questdb-} * QuestDB needs 20x more storage space than VictoriaMetrics. This translates to higher storage costs and slower queries over historical data, which must be read from the disk. * QuestDB is significantly more difficult to set up and operate than VictoriaMetrics. Compare [setup instructions for QuestDB](https://questdb.io/docs/get-started/binaries) to [setup instructions for VictoriaMetrics](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#how-to-start-victoriametrics). 
@@ -164,14 +166,16 @@ VictoriaMetrics also [uses less RAM than Thanos components](https://github.com/t * QuestDB [supports a smaller range of popular data ingestion protocols](https://questdb.io/docs/develop/insert-data) compared to VictoriaMetrics (compare to [the list of supported data ingestion protocols for VictoriaMetrics](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#how-to-import-time-series-data)). * [VictoriaMetrics supports backfilling (e.g. storing historical data) out of the box](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#backfilling), while QuestDB provides [very limited support for backfilling](https://questdb.io/blog/2021/05/10/questdb-release-6-0-tsbs-benchmark#the-problem-with-out-of-order-data). -## What is the difference between VictoriaMetrics and [Grafana Mimir](https://github.com/grafana/mimir)? + +## What is the difference between VictoriaMetrics and [Grafana Mimir](https://github.com/grafana/mimir)? {#what-is-the-difference-between-victoriametrics-and-grafana-mimir-} Grafana Mimir is a [Cortex](https://github.com/cortexproject/cortex) fork, so it has the same differences -as Cortex. See [what is the difference between VictoriaMetrics and Cortex](#what-is-the-difference-between-victoriametrics-and-cortex). +as Cortex. See [what is the difference between VictoriaMetrics and Cortex](https://docs.victoriametrics.com/victoriametrics/faq/#what-is-the-difference-between-victoriametrics-and-cortex-). See also [Grafana Mimir vs VictoriaMetrics benchmark](https://victoriametrics.com/blog/mimir-benchmark/). -## What is the difference between VictoriaMetrics and [Cortex](https://github.com/cortexproject/cortex)? + +## What is the difference between VictoriaMetrics and [Cortex](https://github.com/cortexproject/cortex)? {#what-is-the-difference-between-victoriametrics-and-cortex-} VictoriaMetrics is similar to Cortex in the following aspects: 
@@ -202,7 +206,8 @@ The main differences between Cortex and VictoriaMetrics: * VictoriaMetrics provides the [MetricsQL](https://docs.victoriametrics.com/victoriametrics/metricsql/) query language, while Cortex provides the [PromQL](https://prometheus.io/docs/prometheus/latest/querying/basics/) query language. * VictoriaMetrics can be queried via [Graphite's API](https://docs.victoriametrics.com/victoriametrics/integrations/graphite/#graphite-api-usage). -## What is the difference between VictoriaMetrics and [Thanos](https://github.com/thanos-io/thanos)? + +## What is the difference between VictoriaMetrics and [Thanos](https://github.com/thanos-io/thanos)? {#what-is-the-difference-between-victoriametrics-and-thanos-} * Thanos reuses Prometheus source code, while VictoriaMetrics is written from scratch. * VictoriaMetrics accepts data via the [standard remote_write API for Prometheus](https://prometheus.io/docs/practices/remote_write/), 
@@ -224,7 +229,8 @@ The main differences between Cortex and VictoriaMetrics: * VictoriaMetrics provides the [MetricsQL](https://docs.victoriametrics.com/victoriametrics/metricsql/) query language, while Thanos provides the [PromQL](https://prometheus.io/docs/prometheus/latest/querying/basics/) query language. * VictoriaMetrics can be queried via [Graphite's API](https://docs.victoriametrics.com/victoriametrics/integrations/graphite/#graphite-api-usage). -## How does VictoriaMetrics compare to [InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/)? + +## How does VictoriaMetrics compare to [InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/)? {#how-does-victoriametrics-compare-to-influxdb-} * VictoriaMetrics requires [10x less RAM](https://medium.com/@valyala/insert-benchmarks-with-inch-influxdb-vs-victoriametrics-e31a41ae2893) and it [performs faster](https://medium.com/@valyala/measuring-vertical-scalability-for-time-series-databases-in-google-cloud-92550d78d8ae). * VictoriaMetrics uses less storage space than InfluxDB for production data. 
@@ -235,7 +241,8 @@ The main differences between Cortex and VictoriaMetrics: See [How to migrate from InfluxDB to VictoriaMetrics](https://docs.victoriametrics.com/guides/migrate-from-influx/). -## How does VictoriaMetrics compare to [TimescaleDB](https://www.timescale.com/)? + +## How does VictoriaMetrics compare to [TimescaleDB](https://www.timescale.com/)? {#how-does-victoriametrics-compare-to-timescaledb-} * TimescaleDB insists on using SQL as a query language. While SQL is more powerful than PromQL, this power is rarely required during typical usages of a TSDB. Real-world queries usually [look clearer and simpler when written in PromQL than in SQL](https://medium.com/@valyala/promql-tutorial-for-beginners-9ab455142085). * VictoriaMetrics requires [up to 70x less storage space compared to TimescaleDB](https://medium.com/@valyala/when-size-matters-benchmarking-victoriametrics-vs-timescale-and-influxdb-6035811952d4) for storing the same amount of time series data. The gap in storage space usage can be decreased from 70x to 3x if [compression in TimescaleDB is properly configured](https://docs.timescale.com/use-timescale/latest/compression/) (it isn't an easy task in general :)). 
@@ -244,7 +251,8 @@ See [How to migrate from InfluxDB to VictoriaMetrics](https://docs.victoriametri * VictoriaMetrics accepts data in multiple popular data ingestion protocols – InfluxDB, OpenTSDB, Graphite, CSV – while TimescaleDB supports only SQL inserts. * VictoriaMetrics can be queried via [Graphite's API](https://docs.victoriametrics.com/victoriametrics/integrations/graphite/#graphite-api-usage). -## Does VictoriaMetrics use Prometheus technologies like other clustered TSDBs built on top of Prometheus such as [Thanos](https://github.com/thanos-io/thanos) or [Cortex](https://github.com/cortexproject/cortex)? + +## Does VictoriaMetrics use Prometheus technologies like other clustered TSDBs built on top of Prometheus such as [Thanos](https://github.com/thanos-io/thanos) or [Cortex](https://github.com/cortexproject/cortex)? {#does-victoriametrics-use-prometheus-technologies-like-other-clustered-tsdbs-built-on-top-of-prometheus-such-as-thanos-or-cortex-} No. VictoriaMetrics core is written in Go from scratch by [fasthttp](https://github.com/valyala/fasthttp)'s [author](https://github.com/valyala). The architecture is [optimized for storing and querying large amounts of time series data with high cardinality](https://medium.com/devopslinks/victoriametrics-creating-the-best-remote-storage-for-prometheus-5d92d66787ac). VictoriaMetrics storage uses [certain ideas from ClickHouse](https://medium.com/@valyala/how-victoriametrics-makes-instant-snapshots-for-multi-terabyte-time-series-data-e1f3fb0e0282). Special thanks to [Alexey Milovidov](https://github.com/alexey-milovidov). 
@@ -260,7 +268,8 @@ We provide commercial support for both versions. [Contact us](https://victoriame [VictoriaMetrics Cloud](https://console.victoriametrics.cloud/signUp?utm_source=website&utm_campaign=docs_vm_faq) – the most cost-efficient hosted monitoring platform, operated by VictoriaMetrics core team. -## Why doesn't VictoriaMetrics support the [Prometheus remote read API](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#%3Cremote_read%3E)? + +## Why doesn't VictoriaMetrics support the [Prometheus remote read API](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#%3Cremote_read%3E)? {#why-doesnrsquot-victoriametrics-support-the-prometheus-remote-read-api-} The remote read API requires transferring all the raw data for all the requested metrics over the given time range. For instance, if a query covers 1000 metrics with 10K values each, then the remote read API has to return `1000*10K`=10M metric values to Prometheus. diff --git a/docs/victoriametrics/README.md b/docs/victoriametrics/README.md index 775981365f..9676ab8755 100644 --- a/docs/victoriametrics/README.md +++ b/docs/victoriametrics/README.md 
@@ -1681,7 +1681,41 @@ Additionally, alerting can be set up with the following tools: ## Security -General security recommendations: +### Supported Versions + +The following versions of VictoriaMetrics receive regular security fixes: + +| Version | Supported | +|--------------------------------------------------------------------------------|--------------------| +| [Latest release](https://docs.victoriametrics.com/victoriametrics/changelog/) | ✅ | +| [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-releases/) | ✅ | +| other releases | ❌ | + +### Software Bill of Materials (SBOM) + +Every VictoriaMetrics container{{% available_from "v1.137.0" %}} image published to +[Docker Hub](https://hub.docker.com/u/victoriametrics) and [Quay.io](https://quay.io/organization/victoriametrics) include an [SPDX](https://spdx.dev/) SBOM attestation generated automatically by BuildKit during `docker buildx build`. + +To inspect the SBOM for an image: + +```sh +docker buildx imagetools inspect \ + docker.io/victoriametrics/victoria-metrics:latest \ + --format "{{ json .SBOM }}" +``` + +To scan an image using its SBOM attestation with [Trivy](https://github.com/aquasecurity/trivy): + +```sh +trivy image --sbom-sources oci \ + docker.io/victoriametrics/victoria-metrics:latest +``` + +### Reporting a Vulnerability + +Please report any security issues to + +### General security recommendations: * All the VictoriaMetrics components must run in protected private networks without direct access from untrusted networks such as Internet. The exception is [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/) and [vmgateway](https://docs.victoriametrics.com/victoriametrics/vmgateway/), diff --git a/docs/victoriametrics/changelog/CHANGELOG.md b/docs/victoriametrics/changelog/CHANGELOG.md index dfacd2765f..b3083e984c 100644 --- a/docs/victoriametrics/changelog/CHANGELOG.md +++ b/docs/victoriametrics/changelog/CHANGELOG.md 
@@ -173,7 +173,7 @@ It enables back `Discovered targets` debug UI by default. * FEATURE: [dashboards/alert-statistics](https://grafana.com/grafana/dashboards/24553): add `job` and `instance` filters to the `VictoriaMetrics - Alert statistics` dashboard. This allows users running multiple independent [vmalert](https://docs.victoriametrics.com/victoriametrics/vmalert/) instances to filter and analyze alerts statistics per specific instance, making it easier to identify issues in a particular vmalert deployment. See [#10549](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10549). * FEATURE: [dashboards/alert-statistics](https://grafana.com/grafana/dashboards/24553): add a link to a specific alerting rule on the table of firing alerts. See [#10508](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10508). Thanks to @sias32 for the contribution. * FEATURE: [alerts](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/deployment/docker/rules): use `$externalURL` instead of `localhost` in the alerting rules. This should improve usability of the rules if `$externalURL` is correctly configured, without need to update rules annotations. See [#10508](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10508). Thanks to @sias32 for the contribution. -* FEATURE: all VictoriaMetrics components: publish [SPDX](https://spdx.dev/) SBOM attestations for container images on `docker.io` and `quay.io`. See [SECURITY.md](https://docs.victoriametrics.com/victoriametrics/security/) and [#10474](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10474). Thanks to @smuda for the contribution. +* FEATURE: all VictoriaMetrics components: publish [SPDX](https://spdx.dev/) SBOM attestations for container images on `docker.io` and `quay.io`. See [security](https://docs.victoriametrics.com/victoriametrics/#security) and [#10474](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10474). Thanks to @smuda for the contribution. 
* BUGFIX: all VictoriaMetrics components: return gzip-compressed response instead of zstd-compressed response to the client if `Accept-Encoding` request header contains both `gzip` and `zstd`. This is needed because some clients and proxies improperly handle zstd-compressed responses. See [#10535](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10535). * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent/) and [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/): properly check expired client certificate during mTLS requests. See [#10393](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10393). diff --git a/docs/victoriametrics/integrations/zabbixconnector.md b/docs/victoriametrics/integrations/zabbixconnector.md index 328cd9b6e4..87fb981049 100644 --- a/docs/victoriametrics/integrations/zabbixconnector.md +++ b/docs/victoriametrics/integrations/zabbixconnector.md @@ -56,7 +56,7 @@ Let's assume vmagent is running with command line flags: * `-zabbixconnector.addEmptyTagsValue=exists` * `-zabbixconnector.addDuplicateTagsSeparator=,` -Let's fetch the ingested data via [data export API](#how-to-export-data-in-json-line-format): +Let's fetch the ingested data via [data export API](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#how-to-export-data-in-json-line-format): ```sh curl http://localhost:8428/api/v1/export -d 'match={host="Zabbix server"}' diff --git a/docs/victoriametrics/relabeling.md b/docs/victoriametrics/relabeling.md index 7031ef920d..7b5eef6fcf 100644 --- a/docs/victoriametrics/relabeling.md +++ b/docs/victoriametrics/relabeling.md 
@@ -426,7 +426,7 @@ target. ### Service Discovery Relabeling Cheatsheet **Target-level relabeling** is applied during -[service discovery](https://docs.victoriametrics.com/victoriametrics/sd_configs/#prometheus-service-discovery) +[service discovery](https://docs.victoriametrics.com/victoriametrics/sd_configs/) and affects the targets (which will be scraped), their labels and all the metrics scraped from them: diff --git a/docs/victoriametrics/sd_configs.md b/docs/victoriametrics/sd_configs.md index 77ab22dedf..45a69c831b 100644 --- a/docs/victoriametrics/sd_configs.md +++ b/docs/victoriametrics/sd_configs.md 
@@ -1184,10 +1184,10 @@ One of the following `role` types can be configured to discover targets: Available meta labels for `role: endpoints` during [relabeling](https://docs.victoriametrics.com/victoriametrics/relabeling/): * `__meta_kubernetes_namespace`: The namespace of the endpoints object. -* `__meta_kubernetes_namespace_annotation_`: Each annotation from the namespace of the endpoints object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_annotationpresent_`: "true" for each annotation from the namespace of the endpoints object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_label_`: Each label from the namespace of the endpoints object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_labelpresent_`: "true" for each label from the namespace of the endpoints object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). +* `__meta_kubernetes_namespace_annotation_`: Each annotation from the namespace of the endpoints object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_annotationpresent_`: "true" for each annotation from the namespace of the endpoints object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_label_`: Each label from the namespace of the endpoints object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_labelpresent_`: "true" for each label from the namespace of the endpoints object when `attach_metadata.namespace` is set to `true`. * `__meta_kubernetes_endpoints_name`: The names of the endpoints object. * `__meta_kubernetes_endpoints_label_`: Each label from the endpoints object. * `__meta_kubernetes_endpoints_labelpresent_`: "true" for each label from the endpoints object. 
@@ -1217,10 +1217,10 @@ One of the following `role` types can be configured to discover targets: Available meta labels for `role: endpointslice` during [relabeling](https://docs.victoriametrics.com/victoriametrics/relabeling/): * `__meta_kubernetes_namespace`: The namespace of the endpointslice object. -* `__meta_kubernetes_namespace_annotation_`: Each annotation from the namespace of the endpointslice object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_annotationpresent_`: "true" for each annotation from the namespace of the endpointslice object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_label_`: Each label from the namespace of the endpointslice object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_labelpresent_`: "true" for each label from the namespace of the endpointslice object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). +* `__meta_kubernetes_namespace_annotation_`: Each annotation from the namespace of the endpointslice object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_annotationpresent_`: "true" for each annotation from the namespace of the endpointslice object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_label_`: Each label from the namespace of the endpointslice object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_labelpresent_`: "true" for each label from the namespace of the endpointslice object when `attach_metadata.namespace` is set to `true`. * `__meta_kubernetes_endpointslice_name`: The name of endpointslice object. 
For all targets discovered directly from the endpointslice list (those not additionally inferred from underlying pods), the following labels are attached: 
@@ -1251,10 +1251,10 @@ One of the following `role` types can be configured to discover targets: Available meta labels for `role: ingress` during [relabeling](https://docs.victoriametrics.com/victoriametrics/relabeling/): * `__meta_kubernetes_namespace`: The namespace of the ingress object. -* `__meta_kubernetes_namespace_annotation_`: Each annotation from the namespace of the ingress object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_annotationpresent_`: "true" for each annotation from the namespace of the ingress object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_label_`: Each label from the namespace of the ingress object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). -* `__meta_kubernetes_namespace_labelpresent_`: "true" for each label from the namespace of the ingress object when `attach_metadata.namespace` is set to `true`. See [attach_metadata](#attach_metadata). +* `__meta_kubernetes_namespace_annotation_`: Each annotation from the namespace of the ingress object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_annotationpresent_`: "true" for each annotation from the namespace of the ingress object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_label_`: Each label from the namespace of the ingress object when `attach_metadata.namespace` is set to `true`. +* `__meta_kubernetes_namespace_labelpresent_`: "true" for each label from the namespace of the ingress object when `attach_metadata.namespace` is set to `true`. * `__meta_kubernetes_ingress_name`: The name of the ingress object. * `__meta_kubernetes_ingress_label_`: Each label from the ingress object. * `__meta_kubernetes_ingress_labelpresent_`: "true" for each label from the ingress object. 
diff --git a/docs/victoriametrics/vmauth.md b/docs/victoriametrics/vmauth.md index 6639052189..7edbeeded7 100644 --- a/docs/victoriametrics/vmauth.md +++ b/docs/victoriametrics/vmauth.md @@ -55,7 +55,7 @@ Feel free to [contact us](mailto:info@victoriametrics.com) if you need a customi * [Per-tenant authorization](#per-tenant-authorization) * [mTLS-based request routing](#mtls-based-request-routing) * [Enforcing query args](#enforcing-query-args) -* [OIDC authorization](#oidc-authorization) +* [OIDC discovery](#oidc-discovery) ### Simple HTTP proxy
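Review bot: in the SECURITY.md hunk the new one-line file no longer states a reporting contact, and GitHub's Security tab renders exactly this file, so a reporter now has to follow the docs link and hunt for the address; keep the `Please report any security issues to ...` line (or a `mailto:` link) here beside the pointer to the docs page. Relocating the SBOM block is otherwise the right call, since the deleted `{{% available_from "#" %}}` shortcode with its `#` placeholder would have been rendered literally on GitHub; note also that the old `https://victoriametrics.com/security/` link is dropped without replacement in the new text, so decide whether the docs page is meant to absorb it.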
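Review bot: in the last FAQ.md hunk the explicit id `{#why-doesnrsquot-victoriametrics-support-the-prometheus-remote-read-api-}` bakes the `&rsquo;` entity name of the curly apostrophe into the anchor; if the intent is to pin the slug Hugo was already generating so existing deep links keep working, say so in the commit message, otherwise use a readable id such as `why-doesnt-victoriametrics-support-the-prometheus-remote-read-api`. The same applies to the trailing `-` in the other new ids (`...-questdb-`, `...-grafana-mimir-`, `...-cortex-`, `...-thanos-`, `...-influxdb-`, `...-timescaledb-`), which comes from the `?` ending each heading: pinning them is fine for compatibility, but the Mimir hunk's rewritten link `https://docs.victoriametrics.com/victoriametrics/faq/#what-is-the-difference-between-victoriametrics-and-cortex-` must stay byte-for-byte in sync with the id declared two hunks later.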
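Review bot: subject-verb agreement in the README.md SBOM paragraph: `Every VictoriaMetrics container ... image published to Docker Hub and Quay.io include an SPDX SBOM attestation` should read `includes` (the deleted SECURITY.md wording had it right). Two smaller points in the same hunk: `### General security recommendations:` carries a trailing colon that the sibling headings (`### Supported Versions`, `### Software Bill of Materials (SBOM)`, `### Reporting a Vulnerability`) do not, and the contact after `Please report any security issues to` is not visible in the hunk as shown, so double-check that the address survived the move, because after this patch the docs page is the only place it is published.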
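Review bot: the CHANGELOG.md hunk rewrites the SBOM FEATURE entry's link from `https://docs.victoriametrics.com/victoriametrics/security/` to `https://docs.victoriametrics.com/victoriametrics/#security`; if SECURITY.md stops being published as its own docs page, the old URL will dangle for anyone who bookmarked it from the already-released changelog, so consider a Hugo `aliases` entry redirecting `/victoriametrics/security/` to the new location instead of relying on the edited text alone.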
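Review bot: the three sd_configs.md hunks (`role: endpoints`, `role: endpointslice`, `role: ingress`) delete `See [attach_metadata](#attach_metadata).` from every `__meta_kubernetes_namespace_*` bullet, leaving the reader with no pointer to where `attach_metadata.namespace` is documented. If the motivation is that `#attach_metadata` is a broken anchor (consistent with the rest of this patch, which replaces relative anchors with absolute docs URLs), fix the link target instead of dropping the cross-reference; the page itself lives at `https://docs.victoriametrics.com/victoriametrics/sd_configs/` per the relabeling.md hunk, so an absolute link to the correct anchor on that page would keep the reference.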
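Review bot: the vmauth.md hunk only changes the table-of-contents entry from `[OIDC authorization](#oidc-authorization)` to `[OIDC discovery](#oidc-discovery)`; the heading it points at is not part of this patch, so confirm that a `### OIDC discovery` heading (or an explicit `{#oidc-discovery}` id) actually exists in vmauth.md, otherwise this rename swaps one dangling anchor for another.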