What's new in v0.4.6
Container and Linux-release hardening release. The official Docker image and the published Linux binaries now work out of the box on any distribution. They used to fail silently on anything other than the exact glibc version of the CI runner (glibc 2.39), and the daemon was bound to the container's loopback by default, making the published ports unreachable from the host. No library or detection-logic changes; all fixes are in the deployment path.
Added
- --listen-address, --listen-port-http and --listen-port-grpc flags on perf-sentinel watch. Override the corresponding [daemon] config keys without needing a config file, primarily so container and Kubernetes deployments can bind 0.0.0.0 from the command line while 127.0.0.1 stays the secure default for local use. CLI overrides are applied after load_config and the full Config::validate pass is re-run, so validate_listen_addr still emits the non-loopback security warning when the override binds outside the loopback interface. crates/sentinel-cli/src/main.rs.
- musl-smoke CI job in .github/workflows/ci.yml that builds the release profile against x86_64-unknown-linux-musl on every PR, asserts the produced binary is fully static via file | grep -E "statically linked|static-pie linked" and runs --version to catch runtime-init regressions. Mirrors the amd64 path of the release workflow so a dependency that breaks musl (new C-FFI crate, ring toolchain change, missing musl-tools) surfaces at PR time instead of at tag-push time. aarch64-unknown-linux-musl is not duplicated here since cross 0.2.5 is pinned in release.yml and the amd64 smoke catches dependency-level regressions.
Changed
- Dockerfile splits ENTRYPOINT from CMD: ENTRYPOINT ["/perf-sentinel"] + CMD ["watch"] instead of the previous combined ENTRYPOINT ["/perf-sentinel", "watch"]. Users can now override the subcommand cleanly (docker run image analyze ..., docker run image query ...) without passing --entrypoint. Also corrects a latent bug in the three examples/docker-compose-*.yml files that pass command: ["watch", ...]: the old ENTRYPOINT resolved those to /perf-sentinel watch watch ... (duplicate subcommand); the new shape resolves them to the expected /perf-sentinel watch ....
- Linux release binaries now target musl (x86_64-unknown-linux-musl, aarch64-unknown-linux-musl) instead of glibc. Binaries are fully statically linked and run on any distribution (Alpine, Debian, RHEL, Ubuntu any version) regardless of the host glibc version, and inside FROM scratch images. Previously the ubuntu-latest runner's glibc (2.39) was baked into every release artifact, so the binaries refused to start on Debian bookworm (glibc 2.36), Ubuntu 22.04 (2.35), CentOS Stream 9 and inside the official FROM scratch Docker image itself. release.yml installs musl-tools on the native amd64 build (needed by ring's build.rs); the aarch64 path continues to use cross 0.2.5 which ships its own musl toolchain. Artifact names (perf-sentinel-linux-amd64, perf-sentinel-linux-arm64) are unchanged. Benchmark on aarch64: 1.08M events/sec under musl vs. 1.47M under glibc (both well above the documented 100k events/sec target), RSS effectively identical.
Fixed
- Docker quickstart in README.md and README-FR.md now produces a reachable daemon. Previously docker run --rm -p 4317:4317 -p 4318:4318 ghcr.io/robintra/perf-sentinel:latest started the daemon bound to 127.0.0.1 inside the container: the mapped ports appeared open on the host but any connection was refused at the app level. The quickstart now reads docker run ... watch --listen-address 0.0.0.0 with a paragraph explaining the default bind and the reverse-proxy / NetworkPolicy recommendation for real deployments.
- CI and release workflows install the cross-compile target on the toolchain that actually runs. rust-toolchain.toml pins the Rust version, but the dtolnay/rust-toolchain action with targets: was adding the requested target to the stable channel, leaving the pinned toolchain without musl support and failing every Linux musl build with error[E0463]: can't find crate for core. The musl-smoke job and the release workflow now add the target to the pinned toolchain via an explicit rustup target add step after cargo --version triggers the install.
- musl-smoke static-link verification accepts both phrasings GNU file uses for fully-static Rust binaries. Rust's musl target emits a Position Independent Executable that modern file on Ubuntu 24.04 reports as "static-pie linked", while older file (Debian bookworm and earlier) reports it as "statically linked". The original smoke-test grep matched only the second wording, producing a false positive on modern runners. The check is now a regex alternation plus an explicit negative assertion against "dynamically linked" to catch any future regression that reintroduces a glibc dependency.
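The static-link check from the last item, sketched as an added example (this is not the project's ci.yml step). The helper names and the three sample lines of file output are constructed for illustration; check_binary assumes the file utility is installed.

```shell
#!/bin/sh
# Added example: classify `file` output the way the musl-smoke check is
# described above. Helper names and sample lines are hypothetical.

# Succeeds only for a fully static binary: "dynamically linked" must be
# absent AND one of the two static wordings must be present.
is_fully_static() {
    desc=$1
    if printf '%s\n' "$desc" | grep -q 'dynamically linked'; then
        return 1
    fi
    printf '%s\n' "$desc" | grep -Eq 'statically linked|static-pie linked'
}

# The original check as the notes describe it: only the older wording.
old_check() {
    printf '%s\n' "$1" | grep -q 'statically linked'
}

# Run the check against a real binary, e.g. check_binary ./perf-sentinel
check_binary() {
    is_fully_static "$(file -b "$1")"
}

# Constructed `file` output lines (abbreviated), one per case.
NEW_FILE='ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, stripped'
OLD_FILE='ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped'
GLIBC='ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, stripped'

# Show how the old and new checks classify each sample line.
for sample in "$NEW_FILE" "$OLD_FILE" "$GLIBC"; do
    if old_check "$sample"; then old=pass; else old=fail; fi
    if is_fully_static "$sample"; then new=pass; else new=fail; fi
    printf 'old=%s new=%s  %s\n' "$old" "$new" "$sample"
done
```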
Security
- Official Docker image attack surface reduced. The FROM scratch image now contains only a fully static musl binary, so the image carries no libc, no ld-linux, no shell and no package manager. Combined with the existing USER 65534 (nobody) directive, the runtime environment is the minimal viable one for an OTLP daemon.
Tests
- 2 new e2e tests in crates/sentinel-cli/tests/e2e.rs: cli_watch_help_documents_listen_address_override (asserts the three new flags appear in watch --help output) and cli_watch_listen_address_override_starts_cleanly (asserts the daemon spawns successfully on non-default ports 14317/14318 and stays alive past 500 ms, catching any parse or validation regression).
Install
Prebuilt binaries (Linux amd64 / arm64, macOS arm64, Windows amd64):
curl -LO https://github.com/robintra/perf-sentinel/releases/download/v0.4.6/perf-sentinel-linux-amd64
chmod +x perf-sentinel-linux-amd64
sudo mv perf-sentinel-linux-amd64 /usr/local/bin/perf-sentinel
From crates.io:
cargo install perf-sentinel
Docker:
docker pull robintrassard/perf-sentinel:0.4.6
Also available on GHCR: ghcr.io/robintra/perf-sentinel:0.4.6.
Verify the binary against SHA256SUMS.txt:
curl -LO https://github.com/robintra/perf-sentinel/releases/download/v0.4.6/SHA256SUMS.txt
sha256sum -c SHA256SUMS.txt --ignore-missing
Full diff: v0.4.5...v0.4.6
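An added example, not part of the project's release tooling: a strict check of one named artifact, meant to run in the download directory before the binary is moved or renamed. verify_artifact is a hypothetical helper, and it assumes SHA256SUMS.txt lists artifacts under their release file names (for example perf-sentinel-linux-amd64).

```shell
#!/bin/sh
# Added example: verify one release artifact against SHA256SUMS.txt before
# installing it. verify_artifact is a hypothetical helper.

# verify_artifact DIR NAME
# Succeeds only if NAME is listed in DIR/SHA256SUMS.txt and its hash matches.
# Returns 2 if a file is missing, 3 if NAME is not listed.
verify_artifact() {
    dir=$1
    name=$2
    if [ ! -f "$dir/SHA256SUMS.txt" ] || [ ! -f "$dir/$name" ]; then
        return 2
    fi
    # Keep only the line for this artifact; the name field may carry a
    # leading '*' (binary-mode marker).
    line=$(awk -v n="$name" '$2 == n || $2 == ("*" n)' "$dir/SHA256SUMS.txt")
    if [ -z "$line" ]; then
        return 3    # an unlisted artifact is a failure, never a silent pass
    fi
    (cd "$dir" && printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1)
}

# Usage: sh verify.sh . perf-sentinel-linux-amd64
if [ "$#" -eq 2 ]; then
    if verify_artifact "$1" "$2"; then
        echo "OK: $2"
    else
        echo "FAILED: $2" >&2
        exit 1
    fi
fi
```

Run it before the chmod and sudo mv steps, and install only on an OK result.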