Spring Boot minor upgrade brings major breaking changes to Metrics #30613
Comments
I don't quite follow: Spring Boot 2.5.3 uses Prometheus 0.10.0, like Spring Boot 2.5.12. It's the same version. The update has been done in #27349 and #25250. The only thing which changes from Boot 2.5.3 to 2.5.12 related to prometheus is
Spring Boot 2.4.x uses prometheus You can use the CVE mitigation which updates only
The issue is that between 2.5.3 and 2.5.12, not exactly sure where that change is made, it starts using There is maybe a way to override that default?
Ah, so the change isn't the version bump, it's the change of the TextOutputFormat somewhere. I will take a look.
The format comes from The prometheus server doing the request is the same in both cases
I can absolutely observe no difference in counter names between 2.4.x, 2.5.3 and 2.5.12. Do you have a sample where this can be reproduced?
In #28130, there has been a change. When sending Spring boot 2.5.3 answers with
while 2.5.12 answers with
Thanks, Moritz. That behavior aligns with Prometheus's own
@mhalbritter it's probably it, I will investigate what our prometheus server is doing and if it's that it should be an easy workaround while we attempt to migrate metrics to use
Prometheus afaik does not allow us to define the headers. This way we can still use the Still need to run some other tests to see if there is any impact but seems like it should work
Thanks, @nandoFromSky. I’ll close this one for now. Please let us know if it doesn’t work as hoped and we can take another look.
Hi @nandoFromSky and @wilkinsona, would you happen to know of a recommended approach to work around the
IIRC, you should be able to send a different accept header to get the metrics in a different format.
While updating our components to the recent `2.5.12` Spring Boot version we came across an issue.

A "simple" minor update from version `2.5.3` to the new and secure `2.5.12` contains a hidden breaking change in the prometheus client version `0.10.0` that forces all counters to now have the suffix `_total`.

Our first approach was to try to force the use of the version `0.9.0` that we used before with no issues, but now, Spring Boot actuator uses methods that are only available after `0.10.0` and so using an older version of the client is no longer possible.

There were already complaints on the prometheus client side Issue 640 from people having the same issue.

The thing is, right now, some apps are not affected by the Spring4Shell vulnerability but in the near future there might be a new vulnerability or even an extension to Spring4Shell that shows it's effective against other types of Spring Boot apps and a lot of people will face this issue and will be unable to update to fix a serious security issue.
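
An added example, not part of the original issue or of Spring Boot's code: a pre-upgrade check that compares two scrapes of the same endpoint, lists the series whose name only gained the `_total` suffix described above, and flags alert expressions that still use the old name, so the rename does not hold back a security update. The scrape bodies, the rule expressions and all function names are constructed for illustration.

```python
import re

# Constructed sample scrapes (not taken from the issue): the same counter
# as exposed before and after the upgrade. "# EOF" ends an OpenMetrics body.
BEFORE = """\
# TYPE orders_processed counter
orders_processed{region="eu"} 5.0
# TYPE jvm_threads_live gauge
jvm_threads_live 12.0
"""
AFTER = """\
# TYPE orders_processed counter
orders_processed_total{region="eu"} 5.0
# TYPE jvm_threads_live gauge
jvm_threads_live 12.0
# EOF
"""

IDENT = r"[a-zA-Z_:][a-zA-Z0-9_:]*"
SAMPLE = re.compile(r"^(" + IDENT + r")(?:\{.*\})?\s+\S+")

def sample_names(body):
    """Return the set of series names in a scrape body, skipping comment lines."""
    names = set()
    for line in body.splitlines():
        if not line or line.startswith("#"):
            continue
        m = SAMPLE.match(line)
        if m:
            names.add(m.group(1))
    return names

def renamed_counters(before, after):
    """Map old name -> new name for series that only gained a _total suffix."""
    old, new = sample_names(before), sample_names(after)
    return {n: n + "_total" for n in sorted(old - new) if n + "_total" in new - old}

def stale_rules(rules, renames):
    """Return rule expressions that still reference a renamed series."""
    return [r for r in rules if set(re.findall(IDENT, r)) & renames.keys()]

# Constructed alert expressions used to show the check.
RULES = ["rate(orders_processed[5m]) < 1", "jvm_threads_live > 500",
         "rate(orders_processed_total[5m]) < 1"]

if __name__ == "__main__":
    renames = renamed_counters(BEFORE, AFTER)
    print(renames, stale_rules(RULES, renames))
```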