ipn/ipnlocal: add c2n /debug/pprof/allocs endpoint

This behaves the same as typical debug/pprof/allocs. Updates tailscale/corp#18514 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-08-11 21:27:31 +00:00 · 2024-03-22 08:58:09 -05:00
parent f45594d2c9
commit 8c88853db6
6 changed files with 43 additions and 390 deletions
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"runtime"
 	"sort"
@@ -48,8 +49,13 @@ var c2nHandlers = map[methodAndPath]c2nHandler{
 	req("/debug/metrics"):           handleC2NDebugMetrics,
 	req("/debug/component-logging"): handleC2NDebugComponentLogging,
 	req("/debug/logheap"):           handleC2NDebugLogHeap,
-	req("POST /logtail/flush"):      handleC2NLogtailFlush,
-	req("POST /sockstats"):          handleC2NSockStats,
+
+	// PPROF - We only expose a subset of typical pprof endpoints for security.
+	req("/debug/pprof/heap"):   handleC2NPprof,
+	req("/debug/pprof/allocs"): handleC2NPprof,
+
+	req("POST /logtail/flush"): handleC2NLogtailFlush,
+	req("POST /sockstats"):     handleC2NSockStats,

 	// Check TLS certificate status.
 	req("GET /tls-cert-status"): handleC2NTLSCertStatus,
@@ -178,6 +184,19 @@ func handleC2NDebugLogHeap(b *LocalBackend, w http.ResponseWriter, r *http.Reque
 	c2nLogHeap(w, r)
 }

+var c2nPprof func(http.ResponseWriter, *http.Request, string) // non-nil on most platforms (c2n_pprof.go)
+
+func handleC2NPprof(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
+	if c2nPprof == nil {
+		// Not implemented on platforms trying to optimize for binary size or
+		// reduced memory usage.
+		http.Error(w, "not implemented", http.StatusNotImplemented)
+		return
+	}
+	_, profile := path.Split(r.URL.Path)
+	c2nPprof(w, r, profile)
+}
+
 func handleC2NSSHUsernames(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
 	var req tailcfg.C2NSSHUsernamesRequest
 	if r.Method == "POST" {
--- a/ipn/ipnlocal/c2n_pprof.go
+++ b/ipn/ipnlocal/c2n_pprof.go
@@ -6,6 +6,7 @@
 package ipnlocal

 import (
+	"fmt"
 	"net/http"
 	"runtime"
 	"runtime/pprof"
@@ -20,4 +21,25 @@ func init() {
 		}
 		pprof.WriteHeapProfile(w)
 	}
+
+	c2nPprof = func(w http.ResponseWriter, r *http.Request, profile string) {
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		p := pprof.Lookup(string(profile))
+		if p == nil {
+			http.Error(w, "Unknown profile", http.StatusNotFound)
+			return
+		}
+		gc, _ := strconv.Atoi(r.FormValue("gc"))
+		if profile == "heap" && gc > 0 {
+			runtime.GC()
+		}
+		debug, _ := strconv.Atoi(r.FormValue("debug"))
+		if debug != 0 {
+			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		} else {
+			w.Header().Set("Content-Type", "application/octet-stream")
+			w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, profile))
+		}
+		p.WriteTo(w, debug)
+	}
 }