Merge branch 'master' into fix/store-gateway-series-stream-ctx-cleanup

Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>

Author: friedrichg

CHANGELOG.md

@@ -12,6 +12,7 @@
 * [FEATURE] Querier: Implement Resource Based Throttling in Querier. #7442
 * [ENHANCEMENT] Upgrade prometheus alertmanager version to v0.32.1. #7462
 * [ENHANCEMENT] Tenant Federation: Avoid purging the regex resolver LRU cache on user-sync ticks when the set of known users has not changed. #7489
+* [ENHANCEMENT] Memberlist: Add `-memberlist.packet-read-timeout`, `-memberlist.max-packet-size`, and `-memberlist.max-concurrent-connections` flags to bound inbound gossip TCP connections, preventing slow-read, OOM, and connection-flood attacks on the gossip port. #7518
 * [ENHANCEMENT] Parquet Converter: Add a ring status page to expose the ring status. #7455
 * [ENHANCEMENT] Ingester: Add WAL record metrics to help evaluate the effectiveness of WAL compression type (e.g. snappy, zstd): `cortex_ingester_tsdb_wal_record_part_writes_total`, `cortex_ingester_tsdb_wal_record_parts_bytes_written_total`, and `cortex_ingester_tsdb_wal_record_bytes_saved_total`. #7420
 * [ENHANCEMENT] Distributor: Introduce dynamic `Symbols` slice capacity pooling. #7398 #7401
@@ -26,6 +27,10 @@
 * [ENHANCEMENT] Distributor: Add HMAC-SHA256 stream authentication for `PushStream` via `-distributor.sign-write-requests-keys`. #7475
 * [ENHANCEMENT] Instrument Ingester CPU profile with source for read APIs. #7494
 * [ENHANCEMENT] Ingester: Convert expanded postings cache from FIFO to LRU eviction to retain frequently-queried entries under memory pressure. #7510
+* [ENHANCEMENT] Querier: Detach series label and chunk data from gRPC unmarshal buffers in store-gateway streaming path, allowing the Go GC to reclaim receive buffers. #7519
+* [ENHANCEMENT] Distributor: Added `cortex_distributor_received_histogram_buckets` metric to track number of buckets in received native histogram samples before validation, per user. #7569
+* [ENHANCEMENT] Distributor: Add `WrappedHistogram` with configurable size limit (`-validation.max-native-histogram-size-bytes`) to cap native histogram protobuf size before unmarshalling. #7570
+* [ENHANCEMENT] Ingester: Add lazy regex evaluation on head postings cache miss. Defers expensive regex matchers on high-cardinality labels to per-series filtering when a selective equality matcher already narrows the result set. Configured via `-blocks-storage.expanded_postings_cache.head.lazy-matcher-max-cardinality` (disabled by default). #7553
 * [BUGFIX] Querier: Fix queryWithRetry and labelsWithRetry returning (nil, nil) on cancelled context by propagating ctx.Err(). #7370
 * [BUGFIX] Metrics Helper: Fix non-deterministic bucket order in merged histograms by sorting buckets after map iteration, matching Prometheus client library behavior. #7380
 * [BUGFIX] Distributor: Return HTTP 401 Unauthorized when tenant ID resolution fails in the Prometheus Remote Write 2.0 path. #7389
@@ -38,6 +43,12 @@
 * [BUGFIX] Security: Fix stored XSS vulnerability in Alertmanager and Store Gateway status pages by replacing `text/template` with `html/template`. #7512
 * [BUGFIX] Security: Limit decompressed gzip output in `ParseProtoReader` and OTLP ingestion path. The decompressed body is now capped by `-distributor.otlp-max-recv-msg-size`. #7515
 * [BUGFIX] Querier: Release each store-gateway `Series` gRPC stream's resources as soon as its goroutine returns, instead of holding them until the slowest concurrent store-gateway request in the same query finishes. #7576
+* [BUGFIX] Ingester: Close TSDB when compaction fails during `createTSDB`, preventing resource leaks (file descriptors, mmap handles) that could lead to ingester instability. #7560
+* [BUGFIX] Tenant Federation: Fix regex resolver clearing known users list when user scan fails. #7534
+* [BUGFIX] Ingester: Release the TSDB appender on every early-return path in `Push` (e.g. out-of-order label set) by deferring `Rollback`. Previously such requests leaked TSDB head series references, mmap'd chunks and pending state per request, causing the `cortex_ingester_tsdb_head_active_appenders` gauge to grow unbounded. #7528
+* [BUGFIX] Ring: Fix ring token conflict resolution only applied to updated instance and make constantly token conflict check during instance observe period.
+* [BUGFIX] Distributor: Fix a panic (`slice bounds out of range`) in the stream push path when the context deadline expires while the worker goroutine is still marshalling a `WriteRequest`. #7541
+* [BUGFIX] Query Frontend: Fix native histogram responses not being handled correctly in `minTime()` sort ordering for split_by_interval merge. #7555
 
 ## 1.21.0 2026-04-24
 

MAINTAINERS.md

@@ -16,3 +16,5 @@
 |-----------------|----------------------------|-----------------|---------------------|
 | Anand Rajagopal | anand.rajagopal@icloud.com | @rajagopalanand | Amazon Web Services |
 | Daniel Sabsay   | danielsabsay.sofware@gmail.com          | @dsabsay        | Adobe               |
+| Yuxuan Chen     | sandy19890604@gmail.com    | @sandy2008      | Morgan Stanley      |
+

Makefile

@@ -243,7 +243,7 @@ check-protos: clean-protos protos
 	@git diff --exit-code -- $(PROTO_GOS)
 
 modernize:
-	GOTOOLCHAIN=auto go run golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@v0.21.0 -fix ./...
+	GOTOOLCHAIN=auto go run golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@v0.22.0 -fix ./...
 
 # Generates the config file documentation.
 doc: clean-doc

docs/blocks-storage/querier.md

@@ -1970,6 +1970,25 @@ blocks_storage:
         # CLI flag: -blocks-storage.expanded_postings_cache.block.fetch-timeout
         [fetch_timeout: <duration> | default = 0s]
 
+      # [EXPERIMENTAL] Maximum label cardinality for deferring regex matchers on
+      # the head block. When a regex matcher targets a label with more unique
+      # values than this threshold, it is applied lazily during iteration
+      # instead of postings lookup. 0 disables.
+      # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-max-cardinality
+      [lazy_matcher_max_cardinality: <int> | default = 0]
+
+      # [EXPERIMENTAL] Cardinality:postings ratio above which a simple regex
+      # (prefix-only, single contains) is deferred to lazy iteration. Lower =
+      # more aggressive deferral. Calibrated empirically; defaults to 6.
+      # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-simple-cost-ratio
+      [lazy_matcher_simple_cost_ratio: <int> | default = 6]
+
+      # [EXPERIMENTAL] Cardinality:postings ratio above which a complex regex
+      # (multi-substring, capture groups, character classes) is deferred. Lower
+      # = more aggressive deferral. Calibrated empirically; defaults to 2.
+      # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-complex-cost-ratio
+      [lazy_matcher_complex_cost_ratio: <int> | default = 2]
+
   users_scanner:
     # Strategy to use to scan users. Supported values are: list, user_index.
     # CLI flag: -blocks-storage.users-scanner.strategy

docs/blocks-storage/store-gateway.md

@@ -2028,6 +2028,25 @@ blocks_storage:
         # CLI flag: -blocks-storage.expanded_postings_cache.block.fetch-timeout
         [fetch_timeout: <duration> | default = 0s]
 
+      # [EXPERIMENTAL] Maximum label cardinality for deferring regex matchers on
+      # the head block. When a regex matcher targets a label with more unique
+      # values than this threshold, it is applied lazily during iteration
+      # instead of postings lookup. 0 disables.
+      # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-max-cardinality
+      [lazy_matcher_max_cardinality: <int> | default = 0]
+
+      # [EXPERIMENTAL] Cardinality:postings ratio above which a simple regex
+      # (prefix-only, single contains) is deferred to lazy iteration. Lower =
+      # more aggressive deferral. Calibrated empirically; defaults to 6.
+      # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-simple-cost-ratio
+      [lazy_matcher_simple_cost_ratio: <int> | default = 6]
+
+      # [EXPERIMENTAL] Cardinality:postings ratio above which a complex regex
+      # (multi-substring, capture groups, character classes) is deferred. Lower
+      # = more aggressive deferral. Calibrated empirically; defaults to 2.
+      # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-complex-cost-ratio
+      [lazy_matcher_complex_cost_ratio: <int> | default = 2]
+
   users_scanner:
     # Strategy to use to scan users. Supported values are: list, user_index.
     # CLI flag: -blocks-storage.users-scanner.strategy

docs/configuration/config-file-reference.md

@@ -2650,6 +2650,25 @@ tsdb:
       # CLI flag: -blocks-storage.expanded_postings_cache.block.fetch-timeout
       [fetch_timeout: <duration> | default = 0s]
 
+    # [EXPERIMENTAL] Maximum label cardinality for deferring regex matchers on
+    # the head block. When a regex matcher targets a label with more unique
+    # values than this threshold, it is applied lazily during iteration instead
+    # of postings lookup. 0 disables.
+    # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-max-cardinality
+    [lazy_matcher_max_cardinality: <int> | default = 0]
+
+    # [EXPERIMENTAL] Cardinality:postings ratio above which a simple regex
+    # (prefix-only, single contains) is deferred to lazy iteration. Lower = more
+    # aggressive deferral. Calibrated empirically; defaults to 6.
+    # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-simple-cost-ratio
+    [lazy_matcher_simple_cost_ratio: <int> | default = 6]
+
+    # [EXPERIMENTAL] Cardinality:postings ratio above which a complex regex
+    # (multi-substring, capture groups, character classes) is deferred. Lower =
+    # more aggressive deferral. Calibrated empirically; defaults to 2.
+    # CLI flag: -blocks-storage.expanded_postings_cache.head.lazy-matcher-complex-cost-ratio
+    [lazy_matcher_complex_cost_ratio: <int> | default = 2]
+
 users_scanner:
   # Strategy to use to scan users. Supported values are: list, user_index.
   # CLI flag: -blocks-storage.users-scanner.strategy
@@ -4693,6 +4712,18 @@ The `memberlist_config` configures the Gossip memberlist.
 # CLI flag: -memberlist.packet-write-timeout
 [packet_write_timeout: <duration> | default = 5s]
 
+# Timeout for reading packet data from inbound connections. 0 = no limit.
+# CLI flag: -memberlist.packet-read-timeout
+[packet_read_timeout: <duration> | default = 5s]
+
+# Maximum size in bytes of an inbound gossip packet. 0 = no limit.
+# CLI flag: -memberlist.max-packet-size
+[max_packet_size: <int> | default = 1048576]
+
+# Maximum number of concurrent inbound TCP connections. 0 = no limit.
+# CLI flag: -memberlist.max-concurrent-connections
+[max_concurrent_connections: <int> | default = 100]
+
 # Enable TLS on the memberlist transport layer.
 # CLI flag: -memberlist.tls-enabled
 [tls_enabled: <boolean> | default = false]

docs/configuration/v1-guarantees.md

@@ -133,3 +133,7 @@ Currently experimental features are:
 - Ingester: Active Series Tracker
   - Per-tenant `active_series_trackers` configuration in runtime config overrides
   - Counts active series matching PromQL label matchers and exposes `cortex_ingester_active_series_per_tracker` metric
+- Ingester: Lazy regex evaluation on head postings cache miss
+  - `-blocks-storage.expanded_postings_cache.head.lazy-matcher-max-cardinality` (int) CLI flag
+  - `-blocks-storage.expanded_postings_cache.head.lazy-matcher-simple-cost-ratio` (int) CLI flag
+  - `-blocks-storage.expanded_postings_cache.head.lazy-matcher-complex-cost-ratio` (int) CLI flag

docs/guides/supported-architectures.md

@@ -0,0 +1,35 @@
+---
+title: "Supported architectures"
+linkTitle: "Supported architectures"
+weight: 16
+---
+
+Cortex release artifacts are built for the operating systems and architectures
+listed below. Use these targets when selecting container images, binary
+artifacts, or OS packages for production deployments.
+
+## Supported release targets
+
+| Artifact type | Operating system | Architectures |
+|---------------|------------------|---------------|
+| Container images | Linux | `amd64`, `arm64` |
+| Cortex binary | Linux | `amd64`, `arm64` |
+| Cortex binary | darwin (macOS) | `amd64`, `arm64` |
+| `query-tee` binary | Linux | `amd64`, `arm64` |
+| `query-tee` binary | darwin (macOS) | `amd64`, `arm64` |
+| Debian package | Linux | `amd64`, `arm64` |
+| RPM package | Linux | `amd64`, `arm64` |
+
+The CI and release pipelines build Cortex with `GOOS` and `GOARCH` targets
+matching these rows. Automated tests run against Linux `amd64` and `arm64`
+Cortex images.
+
+## Unsupported targets
+
+Other operating systems or architectures may work when built from source, but
+they are not part of the regular Cortex release artifacts or CI matrix. Treat
+those builds as unsupported unless you validate them in your own environment.
+
+Cortex does not require architecture-specific CPU extensions such as AVX in its
+release build configuration. If you use external services or custom base images
+alongside Cortex, verify their architecture and CPU requirements separately.

integration/e2e/scenario.go

@@ -3,6 +3,7 @@ package e2e
 import (
 	"fmt"
 	"os"
+	"slices"
 	"strings"
 	"sync"
 
@@ -151,14 +152,14 @@ func (s *Scenario) shutdown() {
 	// Kill the services in parallel. We still iterate in reverse order
 	// to respect service dependencies, but we kill them concurrently.
 	var wg sync.WaitGroup
-	for i := len(s.services) - 1; i >= 0; i-- {
+	for _, v := range slices.Backward(s.services) {
 		wg.Add(1)
 		go func(service Service) {
 			defer wg.Done()
 			if err := service.Kill(); err != nil {
 				logger.Log("Unable to kill service", service.Name(), ":", err.Error())
 			}
-		}(s.services[i])
+		}(v)
 	}
 	wg.Wait()
 

integration/parquet_querier_test.go

@@ -5,7 +5,6 @@ package integration
 import (
 	"context"
 	"fmt"
-	"math/rand"
 	"path/filepath"
 	"slices"
 	"strconv"
@@ -89,7 +88,7 @@ func TestParquetFuzz(t *testing.T) {
 	require.NoError(t, writeFileToSharedDir(s, "alertmanager_configs", []byte{}))
 
 	ctx := context.Background()
-	rnd := rand.New(rand.NewSource(time.Now().Unix()))
+	rnd := newFuzzRand(t)
 	dir := filepath.Join(s.SharedDir(), "data")
 	numSeries := 10
 	numSamples := 60
@@ -172,6 +171,7 @@ func TestParquetFuzz(t *testing.T) {
 	opts := []promqlsmith.Option{
 		// @ modifier and offset disabled: known bug in Prometheus (e.g. predict_linear with @/offset can panic).
 		promqlsmith.WithEnabledFunctions(enabledFunctions),
+		promqlsmith.WithEnabledAggrs(enabledAggrs),
 	}
 	ps := promqlsmith.New(rnd, lbls, opts...)
 
@@ -240,7 +240,7 @@ func TestParquetProjectionPushdownFuzz(t *testing.T) {
 	require.NoError(t, writeFileToSharedDir(s, "alertmanager_configs", []byte{}))
 
 	ctx := context.Background()
-	rnd := rand.New(rand.NewSource(time.Now().Unix()))
+	rnd := newFuzzRand(t)
 	dir := filepath.Join(s.SharedDir(), "data")
 	numSeries := 20
 	numSamples := 100