Features
prompptool persist-headcommand. Added apersist-headcommand that persists a single Prom++ head to TSDB blocks directly by its directory path, without consultinghead.log. Useful for recovering or persisting an individual (e.g. corrupted or orphaned) head during incident investigation.- Skip writing blocks beyond retention. The block writer now skips any block-duration quant whose entire time range already falls outside the retention period, instead of writing blocks that would be deleted on the very next retention pass. This avoids wasted disk writes when persisting shards that span far into the past.
- jemalloc heap profile over HTTP. Added a
/debug/jemallocendpoint that dumps the C++ core's jemalloc heap profile to a temporary file, streams it back as an attachment, and removes the file afterwards. Requires the process to run withMALLOC_CONF="prof:true"(profiling stays off by default). The optionaldirquery parameter (e.g./debug/jemalloc?dir=/prometheus) points the temp file at a writable directory for containers with a read-only root filesystem.
Enhancements
- Local storage observability. The block-manager storage scheme now runs a local storage observer that reports the total size of unknown/unexpected objects in the local storage directory via the new
prompp_localstorage_unknown_bytesgauge, making disk leftovers visible to operators.
Performance
- Lazy block index buffer allocation. Block writers previously allocated a 4 MiB index buffer per block-duration quant up front, including empty quants, which could reach several GiB of allocations on wide or sparse time intervals. The buffer is now allocated lazily on the first write, so empty blocks no longer hold multi-megabyte buffers.
Fixes
- Heap-buffer-overflow in the outdated chunk merger.
merge_outdated_samples_in_finalized_chunkscould keep iterating finalized chunks and dereference an already-exhausted samples span, causing a heap-buffer-overflow (observed on production heads, flagged by ASan). The merger now bails out as soon as the samples span is empty. - Leftover temporary block directories cleaned up on startup. The block
Managernever loaded*.tmp-for-creation/*.tmp-for-deletiondirectories, so leftovers from a crash during compaction or persist leaked on disk forever. Startup now performs a best-effort cleanup of these directories before the initial reload. - Go 1.26.5 security update. Bumped the Go toolchain from 1.26.4 to 1.26.5, picking up standard-library fixes for an Encrypted Client Hello privacy leak in
crypto/tls(GO-2026-5856) and a symlink-based root escape inos(GO-2026-4970). The remaining unfixed advisories are in unused code paths of indirect dependencies — the AWS S3 crypto SDK ingithub.com/aws/aws-sdk-go(GO-2022-0635, GO-2022-0646; only EC2 service discovery is used) and the deprecatedgolang.org/x/crypto/openpgppackage (GO-2026-5932; not used) — and have no upstream fix available.