How does Prometheus use go-restful?


Gavin

Feb 10, 2023, 3:59:04 AM
to Prometheus Developers

Hello Prometheus team,

May I ask a question about how Prometheus uses go-restful?

We are using Prometheus 2.38.0, and from the binary we can see that go-restful is compiled in.

$ go version -m prometheus | grep go-restful
      dep   github.com/emicklei/go-restful      v2.16.0+incompatible    h1:rgqiKNjTnFQA6kkhFe16D8epTksy9HQ1MyrbDXSdYhM=

I grepped the Prometheus source code and failed to find where go-restful is invoked; 'go mod why', 'go mod graph' and 'go list' don't help much either.

prometheus $ [v2.38.0] [] $ go mod graph | grep go-restful
github.com/prometheus/prometheus github.com/emicklei/go-re...@v2.16.0+incompatible
k8s.io/clie...@v0.24.3 github.com/emicklei/go-re...@v2.9.5+incompatible
k8s.io/kube-o...@v0.0.0-20220328201542-3ee0da9b0b42 github.com/emicklei/go-re...@v0.0.0-20170410110728-ff4f55a20633

It would be highly appreciated if you could pinpoint why/where go-restful is used.

Thanks!

BRs

/Gavin

Matthias Rampke

Feb 10, 2023, 4:13:42 AM
to Gavin, Prometheus Developers
You are on the right track with go mod graph: go-restful is a dependency of k8s.io/client-go and k8s.io/kube-openapi, so colloquially "the Kubernetes client library". Prometheus uses it for service discovery, fetching information about pods, endpoints, and services. From a cursory look through github.com/kubernetes, it seems that it is only actually called on the kube-apiserver side, so Prometheus should not encounter any of it, but don't take my word for it.

I am curious now, can you share why you are interested in go-restful? 😄

Best,
Matthias




Tristan Colgate

Feb 10, 2023, 10:10:10 AM
to Matthias Rampke, Gavin, Prometheus Developers
This is probably due to GitHub dependabot currently flagging a security issue with go-restful (I hit the same issue yesterday).



--
Tristan Colgate-McFarlane
----

Jian Xue

Feb 10, 2023, 5:03:09 PM
to Tristan Colgate, Matthias Rampke, Prometheus Developers
Thanks Matthias for the input. Yes, I was expecting the K8S client libraries to need go-restful, but if you look at the go-restful versions client-go and kube-openapi depend on, they are different from Prometheus's, which is v2.16.0. It looks like Prometheus uses it somewhere under the hood, but I could not figure out that dependency chain yet.

As to the trigger of this question, yeah, Tristan is right: a couple of vulnerabilities are reported against go-restful, and I want to know whether Prometheus is affected or not.

Thanks 

BRs
/Gavin

Matthias Rampke

Feb 11, 2023, 4:13:08 AM
to Jian Xue, Tristan Colgate, Prometheus Developers
I couldn't find any other reference except for the "// indirect" dependency in go.mod. I think that line means we are forcing a newer but compatible version of go-restful than we would naturally get through the kube client dependency? I'm not very fluent in Go modules though, so if anyone else knows…?

/MR
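The two points raised in this thread, that `go mod graph | grep` only shows individual edges rather than the chain from the main module to go-restful, and that the root module's `// indirect` requirement of v2.16.0 wins over the lower versions the kube libraries ask for, can be checked mechanically. The program below is an added example, not Prometheus code and not part of this thread: it parses text in the shape `go mod graph` emits, walks every chain from a root module to a target module path, and reports the version Go's minimal version selection would pick (the highest version any node in the graph requires). The graph embedded here is constructed to mirror the edges quoted above, with the truncated module names spelled out as an assumption, and the client-go to kube-openapi edge is assumed for illustration; the version comparison is a simplified ordering (numeric triplet, then release above pre-release or pseudo-version) rather than Go's full semver rules.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGraph is CONSTRUCTED input in `go mod graph` format ("<from> <to>" per line).
// It reproduces the shape of the edges quoted in the thread; it is not the real
// Prometheus v2.38.0 graph, and the client-go -> kube-openapi edge is an assumption.
const sampleGraph = `github.com/prometheus/prometheus github.com/emicklei/go-restful@v2.16.0+incompatible
github.com/prometheus/prometheus k8s.io/client-go@v0.24.3
github.com/prometheus/prometheus k8s.io/kube-openapi@v0.0.0-20220328201542-3ee0da9b0b42
k8s.io/client-go@v0.24.3 github.com/emicklei/go-restful@v2.9.5+incompatible
k8s.io/client-go@v0.24.3 k8s.io/kube-openapi@v0.0.0-20220328201542-3ee0da9b0b42
k8s.io/kube-openapi@v0.0.0-20220328201542-3ee0da9b0b42 github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
`

// parseGraph turns `go mod graph` output into an adjacency list keyed by node.
func parseGraph(text string) map[string][]string {
	edges := make(map[string][]string)
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return edges
}

// splitNode separates "module@version" into its module path and version.
// The main module has no version suffix.
func splitNode(node string) (path, version string) {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// parseVersion reduces a module version to a numeric triplet plus a pre-release
// tag. "+incompatible" build metadata is dropped; a pseudo-version such as
// v0.0.0-20170410110728-ff4f55a20633 is treated as v0.0.0 with a pre-release tag.
// This is a simplified ordering, not the full golang.org/x/mod/semver rules.
func parseVersion(v string) (nums [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		nums[i] = n
	}
	return nums, pre
}

// compareVersion returns -1, 0 or 1 ordering a before, equal to, or after b.
func compareVersion(a, b string) int {
	an, ap := parseVersion(a)
	bn, bp := parseVersion(b)
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "": // a plain release ranks above any pre-release/pseudo-version
		return 1
	case bp == "":
		return -1
	}
	return strings.Compare(ap, bp)
}

// chainsTo lists every requirement chain from root to any node whose module
// path equals target. This is what a single `grep` over the graph cannot show.
func chainsTo(edges map[string][]string, root, target string) [][]string {
	var chains [][]string
	var walk func(node string, path []string, onPath map[string]bool)
	walk = func(node string, path []string, onPath map[string]bool) {
		path = append(path, node)
		if p, _ := splitNode(node); p == target {
			chains = append(chains, append([]string(nil), path...)) // copy before recording
			return
		}
		if onPath[node] {
			return // cycle guard
		}
		onPath[node] = true
		for _, next := range edges[node] {
			walk(next, path, onPath)
		}
		delete(onPath, node)
	}
	walk(root, nil, map[string]bool{})
	return chains
}

// selectedVersion mirrors the core of minimal version selection: the version
// in the build list is the highest version required by any module in the graph.
func selectedVersion(edges map[string][]string, target string) string {
	best := ""
	for from, tos := range edges {
		for _, node := range append([]string{from}, tos...) {
			p, v := splitNode(node)
			if p == target && v != "" && (best == "" || compareVersion(v, best) > 0) {
				best = v
			}
		}
	}
	return best
}

func main() {
	const root, target = "github.com/prometheus/prometheus", "github.com/emicklei/go-restful"
	edges := parseGraph(sampleGraph)
	for _, chain := range chainsTo(edges, root, target) {
		fmt.Println(strings.Join(chain, " -> "))
	}
	fmt.Println("selected:", selectedVersion(edges, target))
}
```

On the constructed graph this prints four chains (one direct edge from the root, the others through client-go and kube-openapi) and selects v2.16.0+incompatible, because the root's own requirement is the highest one present. Two caveats a practitioner should keep in mind: a module appearing in `go version -m` or in the build list only means its code was linked, not that any of it is called, so a vulnerability in go-restful that lives in an API Prometheus never calls is not reachable; `govulncheck` (golang.org/x/vuln/cmd/govulncheck) performs that call-graph analysis against the real binary or source tree, and is the right tool for deciding whether a dependabot alert on an indirect dependency actually applies.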