feat(indexer): Add grafana and alert service to local development #7257
Conversation
roninjin10
commented
Sep 15, 2023
•
roninjin10
commented
- add prometheus to docker-compose
- add grafana to docker-compose
- add new folder for holding grafana provisioning and configuration
- Add alert service
- Configure alert service
- Configure gafana dashboard for api
- Configure grafana dashboard for indexer
- remove gateway/backend service
- make docker-compose run against more networks than just goerli
|
Current dependencies on/for this PR:
This comment was auto-generated by Graphite. |
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| indexer: | ||
| condition: service_healthy | ||
|
|
||
| grafana: |
There was a problem hiding this comment.
Service 'grafana' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this.
Ignore this finding from writable-filesystem-service.
| depends_on: | ||
| postgres: | ||
| condition: service_healthy | ||
|
|
||
| ui: | ||
| prometheus: |
There was a problem hiding this comment.
Service 'prometheus' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this.
Ignore this finding from writable-filesystem-service.
| indexer: | ||
| condition: service_healthy | ||
|
|
||
| grafana: |
There was a problem hiding this comment.
Service 'grafana' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.
Ignore this finding from no-new-privileges.
| depends_on: | ||
| postgres: | ||
| condition: service_healthy | ||
|
|
||
| ui: | ||
| prometheus: |
There was a problem hiding this comment.
Service 'prometheus' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.
Ignore this finding from no-new-privileges.
| indexer: | ||
| condition: service_healthy | ||
|
|
||
| alertmanager: |
There was a problem hiding this comment.
Service 'alertmanager' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this.
Ignore this finding from writable-filesystem-service.
| indexer: | ||
| condition: service_healthy | ||
|
|
||
| alertmanager: |
There was a problem hiding this comment.
Service 'alertmanager' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.
Ignore this finding from no-new-privileges.
roninjin10
changed the title
roninjin10
changed the base branch from
develop
to
09-01-feat_indexer_Add_sql_migrations_file
roninjin10
force-pushed
the
09-14-feat_indexer_Add_grafana_to_local_development
branch
from
0791421 to
07e6b6e
Compare
|
Semgrep found 1
A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM). View Dataflow Graphflowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>indexer/database/db.go</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0("<b>[Line: 49]</b> #quot; password=%s#quot;")
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2("<b>[Line: 49]</b> dsn")
end
%% Sink
subgraph Sink
direction LR
v1("<b>[Line: 51]</b> gorm.Open(postgres.Open(dsn), &gorm.Config{<br> // The indexer will explicitly manage the transactions<br> SkipDefaultTransaction: true,<br> Logger: logger.Default.LogMode(logger.Silent),<br> })")
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
%% Clickable
click v0 href "https://github.com/ethereum-optimism/optimism/blob/07e6b6e53a4988118488d265a5ee7f175a29d351/indexer/database/db.go#L49" "View in source" _blank
click v1 href "https://github.com/ethereum-optimism/optimism/blob/07e6b6e53a4988118488d265a5ee7f175a29d351/indexer/database/db.go#L51" "View in source" _blank
click v2 href "https://github.com/ethereum-optimism/optimism/blob/07e6b6e53a4988118488d265a5ee7f175a29d351/indexer/database/db.go#L49" "View in source" _blank
Semgrep found 1
The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM). View Dataflow Graphflowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>indexer/database/db.go</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0("<b>[Line: 49]</b> #quot; password=%s#quot;")
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2("<b>[Line: 49]</b> dsn")
end
%% Sink
subgraph Sink
direction LR
v1("<b>[Line: 51]</b> gorm.Open(postgres.Open(dsn), &gorm.Config{<br> // The indexer will explicitly manage the transactions<br> SkipDefaultTransaction: true,<br> Logger: logger.Default.LogMode(logger.Silent),<br> })")
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
%% Clickable
click v0 href "https://github.com/ethereum-optimism/optimism/blob/07e6b6e53a4988118488d265a5ee7f175a29d351/indexer/database/db.go#L49" "View in source" _blank
click v1 href "https://github.com/ethereum-optimism/optimism/blob/07e6b6e53a4988118488d265a5ee7f175a29d351/indexer/database/db.go#L51" "View in source" _blank
click v2 href "https://github.com/ethereum-optimism/optimism/blob/07e6b6e53a4988118488d265a5ee7f175a29d351/indexer/database/db.go#L49" "View in source" _blank
|
roninjin10
force-pushed
the
09-14-feat_indexer_Add_grafana_to_local_development
branch
2 times, most recently
from
2cd7f9d to
7f3d0a1
Compare
roninjin10
changed the base branch from
09-01-feat_indexer_Add_sql_migrations_file
to
09-15-fix_Add_migrations_to_dockerfile
roninjin10
force-pushed
the
09-14-feat_indexer_Add_grafana_to_local_development
branch
from
7f3d0a1 to
4c5adcc
Compare
roninjin10
force-pushed
the
09-15-fix_Add_migrations_to_dockerfile
branch
from
d7cfe44 to
0809213
Compare
roninjin10
force-pushed
the
09-14-feat_indexer_Add_grafana_to_local_development
branch
from
4c5adcc to
2d80dd3
Compare
feat: Add alert manager fix: Add chain preset id to docker compose fix: Pass in database env variables in docker compose
roninjin10
force-pushed
the
09-15-fix_Add_migrations_to_dockerfile
branch
from
0809213 to
f25a591
Compare
roninjin10
force-pushed
the
09-14-feat_indexer_Add_grafana_to_local_development
branch
from
2d80dd3 to
e961711
Compare
|
This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
