Merge branch 'main' into main

.github/workflows/deploy-pr-preview.yml

@@ -0,0 +1,24 @@
+name: Deploy pr preview
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - closed
+    paths:
+      - "docs/sources/**"
+
+jobs:
+  deploy-pr-preview:
+    if: github.repository == 'grafana/alloy'
+    uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main
+    with:
+      sha: ${{ github.event.pull_request.head.sha }}
+      branch: ${{ github.head_ref }}
+      event_number: ${{ github.event.number }}
+      title: ${{ github.event.pull_request.title }}
+      repo: alloy
+      website_directory: content/docs/alloy/latest
+      relative_prefix: /docs/alloy/latest/
+      index_file: true

CHANGELOG.md

@@ -48,16 +48,21 @@ Main (unreleased)
   - Change processlist query to support ONLY_FULL_GROUP_BY sql_mode
   - Add perf_schema quantile columns to collector
 
+- Live Debugging button should appear in UI only for supported components (@ravishankar15)
 - Add three new stdlib functions to_base64, from_URLbase64 and to_URLbase64 (@ravishankar15)
+- Add `ignore_older_than` option for local.file_match (@ravishankar15)
+- Add livedebugging support for `discover.relabel` (@ravishankar15)
 
-- Use a forked `github.com/goccy/go-json` module which reduces the memory consumption of an Alloy instance by 20MB.
+- Upgrade `github.com/goccy/go-json` to v0.10.4, which reduces the memory consumption of an Alloy instance by 20MB.
   If Alloy is running certain otelcol components, this reduction will not apply. (@ptodev)
 - improve performance in regexp component: call fmt only if debug is enabled (@r0ka)
 - Update `prometheus.write.queue` library for performance increases in cpu. (@mattdurham)
 
 
 ### Bugfixes
 
+- Fixed issue with automemlimit logging bad messages and trying to access cgroup on non-linux builds (@dehaansa)
+
 - Fixed issue with reloading configuration and prometheus metrics duplication in `prometheus.write.queue`. (@mattdurham)
 
 - Updated `prometheus.write.queue` to fix issue with TTL comparing different scales of time. (@mattdurham)
@@ -102,7 +107,7 @@ v1.5.1
 
 - Fixed a crash when updating the configuration of `remote.http`. (@kinolaev)
 
-- Fixed an issue in the `otelcol.processor.attribute` component where the actions `delete` and `hash` could not be used with the `pattern` argument. (@wildum) 
+- Fixed an issue in the `otelcol.processor.attribute` component where the actions `delete` and `hash` could not be used with the `pattern` argument. (@wildum)
 
 - Fixed an issue in the `prometheus.exporter.postgres` component that would leak goroutines when the target was not reachable (@dehaansa)
 
@@ -302,7 +307,7 @@ v1.4.0
 
 - Add the label `alloy_cluster` in the metric `alloy_config_hash` when the flag `cluster.name` is set to help differentiate between
   configs from the same alloy cluster or different alloy clusters. (@wildum)
-  
+
 - Add support for discovering the cgroup path(s) of a process in `process.discovery`. (@mahendrapaipuri)
 
 ### Bugfixes

CODEOWNERS

@@ -9,6 +9,7 @@
 * @grafana/grafana-alloy-maintainers
 
 #`make docs` procedure and related workflows are owned by @jdbaldry.
+/.github/workflows/deploy-pr-preview.yml                       @jdbaldry
 /.github/workflows/publish-technical-documentation-next.yml    @jdbaldry
 /.github/workflows/publish-technical-documentation-release.yml @jdbaldry
 /.github/workflows/update-make-docs.yml                        @jdbaldry

docs/sources/reference/cli/environment-variables.md

@@ -20,6 +20,7 @@ The following environment variables are supported:
 * `PPROF_BLOCK_PROFILING_RATE`
 * `GOMEMLIMIT`
 * `AUTOMEMLIMIT`
+* `AUTOMEMLIMIT_EXPERIMENT`
 * `GOGC`
 * `GOMAXPROCS`
 * `GOTRACEBACK`
@@ -80,6 +81,7 @@ For example, if you want to keep memory usage below `10GiB`, use `GOMEMLIMIT=9Gi
 The `GOMEMLIMIT` environment variable is either automatically set to 90% of an available `cgroup` value using the [`automemlimit`][automemlimit] module, or you can explicitly set the `GOMEMLIMIT` environment variable before you run {{< param "PRODUCT_NAME" >}}.
 You can also change the 90% ratio by setting the `AUTOMEMLIMIT` environment variable to a float value between `0` and `1.0`.
 No changes occur if the limit can't be determined and you didn't explicitly define a  `GOMEMLIMIT` value.
+The `AUTOMEMLIMIT_EXPERIMENT` variable can be set to `system` to use the [`automemlimit`][automemlimit] module's System provider, which sets `GOMEMLIMIT` based on the same ratio applied to the total system memory. As `cgroup` is a Linux specific concept, this is the only way to use the `automemlimit` module to automatically set `GOMEMLIMIT` on non-Linux OSes.
 
 ## GOGC
 

docs/sources/reference/components/local/local.file_match.md

@@ -24,16 +24,19 @@ local.file_match "LABEL" {
 
 The following arguments are supported:
 
-Name            | Type                | Description                                                                                | Default | Required
---------------- | ------------------- | ------------------------------------------------------------------------------------------ |---------| --------
-`path_targets`  | `list(map(string))` | Targets to expand; looks for glob patterns on the  `__path__` and `__path_exclude__` keys. |         | yes
-`sync_period`   | `duration`          | How often to sync filesystem and targets.                                                  | `"10s"` | no
+Name                | Type                | Description                                                                                | Default | Required
+---------------     | ------------------- | ------------------------------------------------------------------------------------------ |---------| --------
+`path_targets`      | `list(map(string))` | Targets to expand; looks for glob patterns on the  `__path__` and `__path_exclude__` keys. |         | yes
+`sync_period`       | `duration`          | How often to sync filesystem and targets.                                                  | `"10s"` | no
+`ignore_older_than` | `duration`          | Ignores files which are modified before this duration.                                     |  `"0s"` | no
 
 `path_targets` uses [doublestar][] style paths.
 * `/tmp/**/*.log` will match all subfolders of `tmp` and include any files that end in `*.log`.
 * `/tmp/apache/*.log` will match only files in `/tmp/apache/` that end in `*.log`.
 * `/tmp/**` will match all subfolders of `tmp`, `tmp` itself, and all files.
 
+`local.file_match` doesn't ignore files when `ignore_older_than` is set to the default, `0s`.
+
 
 ## Exported fields
 

docs/sources/set-up/install/openshift.md

@@ -0,0 +1,165 @@
+---
+canonical: https://grafana.com/docs/alloy/latest/set-up/install/openshift/
+description: Learn how to deploy Grafana Alloy on OpenShift
+menuTitle: OpenShift
+title: Deploy Grafana Alloy on OpenShift
+weight: 530
+---
+
+# Deploy {{% param "FULL_PRODUCT_NAME" %}} on OpenShift
+
+You can deploy {{< param "PRODUCT_NAME" >}} on the Red Hat OpenShift Container Platform (OCP).
+
+## Before you begin
+
+* These steps assume you have a working OCP environment.
+* You can adapt the suggested policies and configuration to meet your specific needs and security policies.
+
+## Configure RBAC
+
+You must configure Role-Based Access Control (RBAC) to allow secure access to Kubernetes and OCP resources.
+
+1. Download the [rbac.yaml][] configuration file. This configuration file defines the OCP verbs and permissions for {{< param "PRODUCT_NAME" >}}.
+1. Review the `rbac.yaml` file and adapt as needed for your local environment. Refer to [Managing Role-based Access Control (RBAC)][rbac] topic in the OCP documentation for more information about updating and managing your RBAC configurations.
+
+## Run {{% param "PRODUCT_NAME" %}} as a non-root user
+
+You must configure {{< param "PRODUCT_NAME" >}} to [run as a non-root user][nonroot].
+This ensures that {{< param "PRODUCT_NAME" >}} complies with your OCP security policies.
+
+## Apply security context constraints
+
+OCP uses Security Context Constraints (SCC) to control Pod permissions.
+Refer to [Managing security context constraints][scc] for more information about how you can define and enforce these permissions.
+This ensures that the pods running {{< param "PRODUCT_NAME" >}} comply with OCP security policies.
+
+{{< admonition type="note" >}}
+The security context is only configured at the container level, not at the container and deployment level.
+{{< /admonition >}}
+
+You can apply the following SCCs when you deploy {{< param "PRODUCT_NAME" >}}.
+
+{{< admonition type="note" >}}
+Not all of these SCCs are required for each use case.
+You can adapt the SCCs to meet your local requirements and needs.
+{{< /admonition >}}
+
+* `RunAsUser`: Specifies the user ID under which {{< param "PRODUCT_NAME" >}} runs.
+  You must configure this constraint to allow a non-root user ID.
+* `SELinuxContext`: Configures the SELinux context for containers.
+  If you run {{< param "PRODUCT_NAME" >}} as root, you must configure this constraint to make sure that SELinux policies don't block {{< param "PRODUCT_NAME" >}}.
+  This SCC is generally not required to deploy {{< param "PRODUCT_NAME" >}} as a non-root user.
+* `FSGroup`: Specifies the fsGroup IDs for file system access.
+  You must configure this constraint to give {{< param "PRODUCT_NAME" >}} group access to the files it needs.
+* `Volumes`: Specifies the persistent volumes used for storage.
+  You must configure this constraint to give {{< param "PRODUCT_NAME" >}} access to the volumes it needs.
+
+## Example DaemonSet configuration
+
+The following example shows a DaemonSet configuration that deploys {{< param "PRODUCT_NAME" >}} as a non-root user:
+
+```yaml
+apiVersion: aapps/v1
+kind: DaemonSet
+metadata:
+  name: alloy-logs
+  namespace: monitoring
+spec:
+  selector:
+    matchLabels:
+      app: alloy-logs
+   template:
+     metadata:
+       labels:
+         app: alloy-logs
+      spec:
+        containers:
+        - name: alloy-logs
+          image: grafana/alloy:<ALLOY_VERSION>
+          ports:
+          - containerPort: 12345
+          # The security context configuration
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            runAsUser: 473
+            runAsGroup: 473
+            fsGroup: 1000
+         volumes:
+         - name: log-volume
+           emptyDir: {}
+```
+
+Replace the following:
+
+* _`<ALLOY_VERSION>`_: Set to the specific {{< param "PRODUCT_NAME" >}} version you are deploying. For example, `1.5.1`.
+
+{{< admonition type="note" >}}
+This example uses the simplest volume type, `emptyDir`. In this example configuration, if your node restarts, your data will be lost. Make sure you set the volume type to a persistent storage location for production environments. Refer to [Using volumes to persist container data](https://docs.openshift.com/container-platform/latest/nodes/containers/nodes-containers-volumes.html) in the OpenShift documentation for more information.
+{{< /admonition >}}
+
+## Example SSC definition
+
+The following example shows an SSC definition that deploys {{< param "PRODUCT_NAME" >}} as a non-root user:
+
+```yaml
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: scc-alloy
+runAsUser:
+  type: MustRunAs
+  uid: 473
+fsGroup:
+  type: MustRunAs
+  uid: 1000
+volumes: 
+- '*'
+users:
+- my-admin-user
+groups:
+- my-admin-group
+seLinuxContext:
+  type: MustRunAs
+  user: <SYSTEM_USER>
+  role: <SYSTEM_ROLE>
+  type: <CONTAINER_TYPE>
+  level: <LEVEL>
+```
+
+Replace the following:
+
+* _`<SYSTEM_USER>`_: The user for your SELinux context.
+* _`<SYSTEM_ROLE>`_: The role for your SELinux context.
+* _`<CONTAINER_TYPE>`_: The container type for your SELinux context.
+* _`<LEVEL>`_: The level  for your SELinux context.
+
+Refer to [SELinux Contexts][selinux] in the RedHat documentation for more information on the SELinux context configuration.
+
+{{< admonition type="note" >}}
+This example sets `volumes:` to `*`. In a production environment, you should set `volumes:` to only the volumes that are necessary for the deployment. For example:
+
+```yaml
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - secret 
+```
+
+{{< /admonition >}}
+
+Refer to [Deploy {{< param "FULL_PRODUCT_NAME" >}}][deploy] for more information about deploying {{< param "PRODUCT_NAME" >}} in your environment.
+
+## Next steps
+
+* [Configure {{< param "PRODUCT_NAME" >}}][Configure]
+
+[rbac.yaml]: https://github.com/grafana/alloy/blob/main/operations/helm/charts/alloy/templates/rbac.yaml
+[rbac]: https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html
+[nonroot]: ../../../configure/nonroot/
+[scc]: https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html
+[Configure]: ../../../configure/linux/
+[deploy]: ../../deploy/
+[selinux]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts#chap-Security-Enhanced_Linux-SELinux_Contexts

docs/sources/troubleshoot/debug.md

@@ -111,6 +111,7 @@ Supported components:
 * `otelcol.receiver.*`
 * `prometheus.relabel`
 {{< /admonition >}}
+* `discovery.relabel`
 
 ## Debug using the UI
 

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/Azure/go-autorest/autorest v0.11.29
 	github.com/DATA-DOG/go-sqlmock v1.5.2
 	github.com/IBM/sarama v1.43.3
-	github.com/KimMachineGun/automemlimit v0.6.0
+	github.com/KimMachineGun/automemlimit v0.6.1
 	github.com/Lusitaniae/apache_exporter v0.11.1-0.20220518131644-f9522724dab4
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/PuerkitoBio/rehttp v1.4.0
@@ -248,13 +248,13 @@ require (
 	go.uber.org/goleak v1.3.0
 	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.29.0
+	golang.org/x/crypto v0.31.0
 	golang.org/x/crypto/x509roots/fallback v0.0.0-20240208163226-62c9f1799c91
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0
 	golang.org/x/net v0.31.0
 	golang.org/x/oauth2 v0.23.0
-	golang.org/x/sys v0.27.0
-	golang.org/x/text v0.20.0
+	golang.org/x/sys v0.28.0
+	golang.org/x/text v0.21.0
 	golang.org/x/time v0.6.0
 	golang.org/x/tools v0.25.0
 	google.golang.org/api v0.188.0
@@ -518,7 +518,7 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/go-zookeeper/zk v1.0.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/googleapis v1.4.1 // indirect
@@ -803,8 +803,8 @@ require (
 	go4.org/netipx v0.0.0-20230125063823-8449b0a6169f // indirect
 	golang.org/x/arch v0.7.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
-	golang.org/x/sync v0.9.0
-	golang.org/x/term v0.26.0 // indirect
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	gonum.org/v1/gonum v0.15.1 // indirect
@@ -945,6 +945,3 @@ exclude (
 )
 
 replace github.com/prometheus/procfs => github.com/prometheus/procfs v0.12.0
-
-// TODO(ptodev): Remove when this PR has been merged: https://github.com/goccy/go-json/pull/490
-replace github.com/goccy/go-json => github.com/grafana/go-json v0.0.0-20241106155216-71a03f133f5c