[MIR] prometheus

Bug #1889679 reported by Lucas Kanashiro
Affects: prometheus (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

[Availability]

The package has been in universe since Xenial and it builds fine on all supported architectures except riscv64. In Debian it builds fine on riscv64; why it fails in Ubuntu needs some investigation.

[Rationale]

Prometheus is a systems and services monitoring system and time series database, and also one of the key packages in the LMA (Logging, Monitoring, Alerting) stack nowadays. It has been widely adopted by the community and has many exporters/plugins which allow one to hook up many different tools.

[Security]

Searching for prometheus in the National Vulnerability Database yields 8 entries:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=prometheus

Only 2 of them affect Prometheus itself; the others are vulnerabilities in other tools that expose data to Prometheus. One is from 2002 and allowed arbitrary PHP code execution, the other is a cross-site scripting flaw from 2019.

Searching for prometheus in the OSS security mailing list I got one entry:

https://www.openwall.com/lists/oss-security/2019/08/09/1

It is a security issue from 2019 in kube-state-metrics, not in Prometheus itself.

Nothing was found in the Ubuntu CVE tracker.

Some comments about the package content:

- All the binaries are placed in /usr/bin
  -> /usr/bin/{prometheus,promtool,tsdb}
- suid and sgid are not set
- It ships sysvinit and systemd service files
  -> /etc/init.d/prometheus and /lib/systemd/system/prometheus.service
- It binds to ports 9090 and 9100 by default

There is a patch submitted to Debian to harden systemd configuration here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950759

I am willing to work on it and get it applied in Debian.

[Quality assurance]

After installing the package the service starts automatically based on the default config placed in /etc/prometheus/prometheus.yml. Since the package recommends prometheus-node-exporter, once installed it already starts collecting data from the host. There is one bug reported in Debian which could improve the user experience:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855145

The DEP8 test is defined by the autodep8 package; it basically runs the upstream test suite against the installed version. It is passing on all architectures at the moment.

When installing the package no debconf question is prompted to the user. A debconf dialog pops up only when upgrading from version 1.x to 2.x to migrate the data (there are some breaking changes), which is not the case in Groovy.

Bugs:

- Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=prometheus
  -> 8 bugs in total, 4 bugs closed
  -> Nothing critical, 2 bugs which could improve the quality of the package already mentioned above
- Ubuntu: https://bugs.launchpad.net/ubuntu/+source/prometheus/
  -> 2 bugs in total: not buildable in Focal, and user requesting a newer version in Bionic
- Upstream: https://github.com/prometheus/prometheus/issues
  -> 3275 bugs closed and 253 opened
  -> Upstream is quite active and there is no critical issue AFAIK

There is no involvement of exotic hardware.

The upstream test suite is executed at build time on all architectures, and the same is done for the DEP8 tests (the autodep8 implementation for Golang packages). No other kind of smoke test is done while executing autopkgtest. However, upstream tests are quite good and have caught some bugs recently.

The Prometheus source package provides a debian/watch file which works fine. Yet it is not used by the package maintainers; most Golang packages do not use it. The regular workflow to import a new version is to add a reference to the upstream remote git repository and merge tags/commits manually, which is also better for analyzing the vendored code.

$ uscan --verbose
uscan info: uscan (version 2.20.2ubuntu2) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="prometheus" version="2.20.0+ds-1" (as seen in debian/changelog)
uscan info: package="prometheus" version="2.20.0+ds" (no epoch/revision)
uscan info: ./debian/changelog sets package="prometheus" version="2.20.0+ds"
uscan info: Process watch file at: debian/watch
    package = prometheus
    version = 2.20.0+ds
    pkg_dir = .
uscan info: opts: filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/prometheus-\$1\.tar\.gz/,uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/,dversionmangle=s/\+ds\d*$//,
uscan info: line: https://github.com/prometheus/prometheus/tags .*/v?(\d\S*)\.tar\.gz
uscan info: Parsing filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/prometheus-\$1\.tar\.gz/
uscan info: Parsing uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/
uscan info: Parsing dversionmangle=s/\+ds\d*$//
uscan info: line: https://github.com/prometheus/prometheus/tags .*/v?(\d\S*)\.tar\.gz
uscan info: Last orig.tar.* tarball version (from debian/changelog): 2.20.0+ds
uscan info: Last orig.tar.* tarball version (dversionmangled): 2.20.0
uscan info: Requesting URL:
   https://github.com/prometheus/prometheus/tags
uscan info: Matching pattern:
   (?:(?:https://github.com)?\/prometheus\/prometheus\/tags)?.*/v?(\d\S*)\.tar\.gz
uscan info: Found the following matching hrefs on the web page (newest first):
   /prometheus/prometheus/archive/v2.20.0.tar.gz (2.20.0) index=2.20.0-1
   /prometheus/prometheus/archive/v2.20.0-rc.1.tar.gz (2.20.0~rc1) index=2.20.0~rc1-1
   /prometheus/prometheus/archive/v2.20.0-rc.0.tar.gz (2.20.0~rc0) index=2.20.0~rc0-1
   /prometheus/prometheus/archive/v2.19.3.tar.gz (2.19.3) index=2.19.3-1
   /prometheus/prometheus/archive/v2.19.2.tar.gz (2.19.2) index=2.19.2-1
   /prometheus/prometheus/archive/v2.19.1.tar.gz (2.19.1) index=2.19.1-1
   /prometheus/prometheus/archive/v2.19.0.tar.gz (2.19.0) index=2.19.0-1
   /prometheus/prometheus/archive/v2.19.0-rc.0.tar.gz (2.19.0~rc0) index=2.19.0~rc0-1
   /prometheus/prometheus/archive/v2.18.2.tar.gz (2.18.2) index=2.18.2-1
   /prometheus/prometheus/archive/v2.18.1.tar.gz (2.18.1) index=2.18.1-1
uscan info: Looking at $base = https://github.com/prometheus/prometheus/tags with
    $filepattern = .*/v?(\d\S*)\.tar\.gz found
    $newfile = /prometheus/prometheus/archive/v2.20.0.tar.gz
    $newversion = 2.20.0
    $lastversion = 2.20.0+ds
uscan info: Matching target for downloadurlmangle: https://github.com/prometheus/prometheus/archive/v2.20.0.tar.gz
uscan info: Upstream URL(+tag) to download is identified as https://github.com/prometheus/prometheus/archive/v2.20.0.tar.gz
uscan info: Matching target for filenamemangle: /prometheus/prometheus/archive/v2.20.0.tar.gz
uscan info: Filename (filenamemangled) for downloaded file: prometheus-2.20.0.tar.gz
uscan info: Newest version of prometheus on remote site is 2.20.0, local version is 2.20.0+ds
 (mangled local version is 2.20.0)
uscan info: => Package is up to date for from
      https://github.com/prometheus/prometheus/archive/v2.20.0.tar.gz
uscan info: Scan finished
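As an added example (not part of the bug report and not uscan's own code), the mangle rules printed in the uscan run above, applied in Python to the tarball hrefs it listed, with a simplified dpkg-style version comparison that handles the pre-release "~" ordering only (epochs and Debian revisions are out of scope here):

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

# Mangle rules as printed in the uscan run above (Perl s/// rewritten for Python's re).
UVERSIONMANGLE = (r'(\d)[_.\-+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$', r'\1~\2\3')
DVERSIONMANGLE = (r'\+ds\d*$', '')
HREF_PATTERN = re.compile(r'.*/v?(\d\S*)\.tar\.gz')

def mangle(rule, text):
    pattern, repl = rule
    return re.sub(pattern, repl, text)

def _order(c):
    # dpkg ordering of non-digit characters: '~' < end of string < letters < others
    if c == '~':
        return -1
    if c == '':
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def dpkg_cmp(a, b):
    """Compare upstream version strings like dpkg --compare-versions (negative: a < b)."""
    parts = lambda v: re.findall(r'(\D*)(\d*)', v)  # alternating non-digit / digit runs
    for (na, da), (nb, db) in zip_longest(parts(a), parts(b), fillvalue=('', '')):
        for x, y in zip_longest(na, nb, fillvalue=''):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def newest_upstream(hrefs):
    # Return (href, uversionmangled version) of the newest tarball among matching hrefs.
    found = [(h, mangle(UVERSIONMANGLE, m.group(1)))
             for h in hrefs if (m := HREF_PATTERN.fullmatch(h))]
    return max(found, key=cmp_to_key(lambda p, q: dpkg_cmp(p[1], q[1])))

def is_up_to_date(local_version, upstream_version):
    # uscan compares the dversionmangled local version with the newest upstream one.
    return dpkg_cmp(mangle(DVERSIONMANGLE, local_version), upstream_version) >= 0

# Constructed input: hrefs as uscan listed them from the GitHub tags page, newest first.
TAG_HREFS = [
    "/prometheus/prometheus/archive/v2.20.0.tar.gz",
    "/prometheus/prometheus/archive/v2.20.0-rc.1.tar.gz",
    "/prometheus/prometheus/archive/v2.19.3.tar.gz",
]
```

With the listed hrefs, newest_upstream() picks v2.20.0 over the rc tags, and is_up_to_date("2.20.0+ds", "2.20.0") is True, matching the "Package is up to date" line above.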

Lintian output:

$ lintian -I --pedantic ../build-area/prometheus_2.20.0+ds-1_amd64.changes
E: prometheus changes: bad-distribution-in-changes-file groovy
E: prometheus source: source-is-missing web/ui/static/vendor/js/jquery-3.5.1.min.js
W: prometheus: changelog-distribution-does-not-match-changes-file (unstable != groovy)
W: prometheus: embedded-javascript-library usr/share/prometheus/web/static/vendor/js/jquery-3.5.1.min.js please use libjs-jquery
I: prometheus source: no-dh-sequencer
I: prometheus: spelling-error-in-binary usr/bin/prometheus containe contained
P: prometheus source: package-uses-experimental-debhelper-compat-version 13
P: prometheus source: source-contains-prebuilt-javascript-object web/ui/static/vendor/js/jquery-3.5.1.min.js
N: 1 tag overridden (1 info)

I rebuilt the package in Groovy to run lintian, so please ignore the bad-distribution-in-changes-file error and the changelog-distribution-does-not-match-changes-file warning. As you can see there is an issue with jquery which should be addressed (making it use the jquery installed from the system, which is already a runtime dependency, or at least providing the source of the vendored jquery). Apart from that we have just small packaging issues, nothing to worry about.

Prometheus also does not rely on obsolete or about-to-be-demoted packages such as python2 and GTK2.

[UI standards]

Prometheus is not a desktop application, so no desktop file is provided. Its package description is internationalized and that's all.

[Dependencies]

Summary: 7 packages in main and 51 packages in universe

## build dependencies: 4 packages in main and 41 packages in universe

debhelper-compat | main |
dh-golang | main |
gogoprotobuf | universe |
golang-github-aws-aws-sdk-go-dev | universe |
golang-github-cespare-xxhash-dev | universe |
golang-github-cockroachdb-cmux-dev | universe |
golang-github-digitalocean-godo-dev | universe |
golang-github-docker-docker-dev | universe |
golang-github-edsrzf-mmap-go-dev | universe |
golang-github-fsnotify-fsnotify-dev | universe |
golang-github-go-kit-kit-dev | universe |
golang-github-go-openapi-strfmt-dev | universe |
golang-github-gogo-protobuf-dev | universe |
golang-github-golang-snappy-dev | universe |
golang-github-google-pprof-dev | universe |
golang-github-gophercloud-gophercloud-dev | universe |
golang-github-grpc-ecosystem-grpc-gateway-dev | universe |
golang-github-hashicorp-consul-dev | universe |
golang-github-json-iterator-go-dev | universe |
golang-github-miekg-dns-dev | universe |
golang-github-mwitkow-go-conntrack-dev | universe |
golang-github-oklog-run-dev | universe |
golang-github-oklog-ulid-dev | universe |
golang-github-opentracing-contrib-go-stdlib-dev | universe |
golang-github-opentracing-opentracing-go-dev | universe |
golang-github-pkg-errors-dev | universe |
golang-github-prometheus-alertmanager-dev | universe |
golang-github-prometheus-client-golang-dev | universe |
golang-github-prometheus-client-model-dev | universe |
golang-github-prometheus-common-dev | universe |
golang-github-samuel-go-zookeeper-dev | universe |
golang-go | main |
golang-golang-x-net-dev | universe |
golang-golang-x-oauth2-google-dev | universe |
golang-golang-x-sync-dev | universe |
golang-golang-x-sys-dev | universe |
golang-golang-x-time-dev | universe |
golang-google-api-dev | universe |
golang-google-genproto-dev | universe |
golang-google-grpc-dev | universe |
golang-gopkg-alecthomas-kingpin.v2-dev | universe |
golang-gopkg-yaml.v2-dev | universe |
golang-gopkg-yaml.v3-dev | universe |
golang-grpc-gateway | universe |
po-debconf | main |

## runtime dependencies: 3 packages in main and 10 packages in universe

adduser | main |
daemon | systemd-sysv | universe | main |
fonts-glyphicons-halflings | universe |
libjs-bootstrap4 | universe |
libjs-eonasdan-bootstrap-datetimepicker | universe |
libjs-jquery | main |
libjs-jquery-hotkeys | universe |
libjs-moment | universe |
libjs-moment-timezone | universe |
libjs-mustache | universe |
libjs-popper.js | universe |
libjs-rickshaw | universe |
prometheus-node-exporter | universe |

All the 51 dependencies in universe mentioned above will be MIR'ed.

[Standards compliance]

The Prometheus source package declares compliance with Debian Policy 4.5.0. The only issue I can spot was reported by lintian above: it has a vendored version of jquery and no source is provided.

Checking the binary package content I see no violation of FHS:

https://packages.debian.org/sid/amd64/prometheus/filelist

IMO the source package is easy to understand and maintain, with no tricks or nonsense workarounds.

[Maintenance]

This package will be maintained under the umbrella of the Canonical Server team. Moreover, I am now one of the uploaders of prometheus in Debian.

I am already subscribed to Prometheus bugs in Launchpad but as soon as we move this forward the Canonical Server team will be subscribed as well.

[Background information]

The package description is good enough IMO. The Prometheus source package provides a single binary package, also called prometheus, which matches the upstream name.
