Ruby agent release notesRSS

v9.12.0

Version 9.12.0 adds support for the newrelic_security agent, introduces instrumentation for the LogStasher gem, improves instrumentation for the redis-clustering gem, and updates the Elasticsearch instrumentation to only attempt to get the cluster name once per client, even if it fails.

• Feature: Add support for the newrelic_security agent

  New Relic Interactive Application Security Testing (IAST) can help you prevent cyberattacks and breaches on your applications by probing your running code for exploitable vulnerabilities.

  The newrelic_security gem provides this feature for Ruby. It depends on newrelic_rpm. This is the first version of newrelic_rpm compatible with newrelic_security.

  At this time, the security agent is intended for use only within a dedicated security testing environment with data that can tolerate modification or deletion. The security agent is available as a separate Ruby gem, newrelic_security. It is recommended that this separate gem only be introduced to a security testing environment by leveraging Bundler grouping like so:

  # Gemfile
    gem 'newrelic_rpm'               # New Relic APM observability agent
    gem 'newrelic-infinite_tracing'  # New Relic Infinite Tracing
  
    group :security do
      gem 'newrelic_security', require: false        # New Relic security agent
    end

  Copiar

  In order to run the security agent, you need to update your configuration. At a minimum, security.agent.enabled and security.enabled must be set to true. They are false by default. Similar to the gem installation, we recommend you set these configurations for a special security testing environment only.

  Here's an example using newrelic.yml:

  common: &default_settings
      license_key: <%= ENV['NEW_RELIC_LICENSE_KEY'] %>
      app_name: "Example app"
  
    development:
      <<: *default_settings
      app_name: <%= app_name %> (Development)
  
    security:
      <<: *default_settings
      security.enabled: true
      security.agent.enabled: true
  
    production:
      <<: *default_settings

  Copiar

  The following configuration relate to the newrelic_security gem:

  Configuration name	Default	Behavior
  security.agent.enabled	false	If true, the security agent is loaded (a Ruby 'require' is performed)
  security.enabled	false	If true, the security agent is started (the agent runs in its event loop)
  security.mode	'IAST'	Defines the mode for the security agent to operate in. Currently only 'IAST' is supported
  security.validator_service_url	'wss://csec.nr-data.net'	Defines the endpoint URL for posting security related data
  security.detection.rci.enabled	true	If true, enables RCI (remote code injection) detection
  security.detection.rxss.enabled	true	If true, enables RXSS (reflected cross-site scripting) detection
  security.detection.deserialization.enabled	true	If true, enables deserialization detection
  security.application_info.port	nil	An Integer representing the port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default.

• Feature: Add instrumentation for LogStasher

  The agent will now record logs generated by LogStasher. Versions 1.0.0 and above of the LogStasher gem are supported. PR#2559

• Feature: Add instrumentation for redis-clustering

  Version 5.x of the redis gem moved cluster behavior into a different gem, redis-clustering. This gem can access instrumentation registered through RedisClient::Middleware. Previously, the agent only instrumented the call_pipelined method through this approach, but now users of the redis-clustering gem will also have instrumentation registered for connect and call methods. In addition, the way the database_name attribute is set for Redis datastore spans is now compatible with all versions of Redis supported by the New Relic Ruby agent. Thank you, @praveen-ks for bringing this to our attention. Issue#2444 PR#2720

• Bugfix: Update Elasticsearch instrumentation to only attempt to get the cluster name once per client

  Previously, the agent would attempt to get the cluster name every time a call was made if it was not already captured. This could lead to a large number of failures if the cluster name could not be retrieved. Now, the agent will only attempt to get the cluster name once per client, even if it fails. Thank you, @ascoppa for bringing this to our attention. Issue#2730 PR#2743

• Feature: Produce metrics for 4 additional Action Controller Rails notifications

  Four additional Action Controller related Rails notifications are now subscribed to by the agent to produce telemetry. These 4 are exist_fragment?, expire_fragment, read_fragment, and write_fragment. As with instrumentation for Action Controller itself, these notifications are enabled by default and can be disabled by setting :disable_action_controller to true in the agent's newrelic.yml configuration file. PR#2745

v9.11.0

Version 9.11.0 introduces instrumentation for the aws-sdk-sqs gem, fixes a bug related to expected errors not bearing a "true" value for the "expected" attribute if expected as a result of an HTTP status code match and changes the way Stripe instrumentation metrics are named to prevent high-cardinality issues.

• Feature: Add instrumentation for SQS

  The agent has added instrumentation for the aws-sdk-sqs gem. The agent will now record message broker spans for SQS client calls made with the aws-sdk-sqs gem. PR#2679

• Bugfix: HTTP status code based expected errors will now have an "expected" value of "true"

  Previously when an error was treated as expected by the agent as a result of a matching HTTP status code being found in the :'error_collector.expected_status_codes' configuration setting, the error would not appear with an "expected" attribute value of "true" in the errors in the errors inbox. PR#2710

• Bugfix: Stripe metric names will no longer include full request paths to limit the unique name count

  The Stripe instrumentation introduced in agent version v9.5.0 produced instrumentation metric names that used the full Stripe request path. For any significant Stripe usage, this could quickly lead to very large number of distinct metric names. Now only the API version and the category part of the request path are included in the metric name which still includes the "Stripe" opener and method (ex: "get") closer. Thanks to @jdelStrother and @jsneedles for bringing this issue to our attention and providing terrific information explaining the problem and potential paths to resolution. PR#2716

v9.10.2

Version 9.10.2 fixes a bug related to the new DynamoDB instrumentation and removes Rails::Command::RakeCommand from the default list of denylisted constants.

• Bugfix: DynamoDB instrumentation logging errors when trying to get account_id

  When trying to access data needed to add the account_id to the DynamoDB span, the agent encountered an error when certain credentials classes were used. This has been fixed. Thanks to @kichik for bringing this to our attention. PR#2864

• Bugfix: Remove Rails::Command::RakeCommand from the default list of autostart.denylisted_constants

  The default value for the autostart.denylisted_constants configuration was changed in 9.10.0 to include Rails::Command::RunnerCommand and Rails::Command::RakeCommand. The inclusion of Rails::Command::RakeCommand prevented the agent from starting automatically when Solid Queue was started using bin/rails solid_queue:start. We recognize there are many commands nested within Rails::Command::RakeCommand and have decided to remove it from the default list. We encourage users who do not want the agent to run on Rails::Command::RakeCommand to add the constant to their configuration. This can be accomplished by adding the following to your newrelic.yml file:

  autostart.denylisted_constants: "Rails::Command::ConsoleCommand,Rails::Command::CredentialsCommand,Rails::Command::Db::System::ChangeCommand,Rails::Command::DbConsoleCommand,Rails::Command::DestroyCommand,Rails::Command::DevCommand,Rails::Command::EncryptedCommand,Rails::Command::GenerateCommand,Rails::Command::InitializersCommand,Rails::Command::NotesCommand,Rails::Command::RakeCommand,Rails::Command::RoutesCommand,Rails::Command::RunnerCommand,Rails::Command::SecretsCommand,Rails::Console,Rails::DBConsole"

  Copiar

  Thank you, @edariedl, for reporting this issue. Issue#2677 PR#2694

v9.10.1

• Bugfix: Incompatibility with Bootstrap

Version 9.10.1 fixes an incompatibility between the agent and the Bootstrap gem caused by agent v9.10.0's introduction of a lib/bootstrap.rb file. Thank you to @dorner for reporting the bug and identifying the 'bootstrap' name collision as the root cause. BUG#2675 PR#2676

v9.10.0

Version 9.10.0 introduces instrumentation for DynamoDB, adds a new feature to automatically apply nonces from the Rails content security policy, fixes a bug that would cause an expected error to negatively impact a transaction's Apdex, and fixes the agent's autostart logic so that by default rails runner and rails db commands will not cause the agent to start.

• Feature: Add instrumentation for DynamoDB

  The agent has added instrumentation for the aws-sdk-dynamodb gem. The agent will now record datastore spans for DynamoDB client calls made with the aws-sdk-dynamodb gem. PR#2642

• Feature: Automatically apply nonces from the Rails content security policy

  To auto-inject browser monitoring with the New Relic Ruby agent, you either need to set your content security policy to 'unsafe-inline' or provide a nonce. Previously, the only way to provide a nonce was by using the NewRelic::Agent.browser_timing_header API. Now, when a Rails application uses the content security policy configuration to add a nonce, the nonce will be automatically applied to the browser agent. A new configuration option, browser_monitoring.content_security_policy_nonce, toggles this feature. It is on by default. Thank you @baldarn for submitting this feature! PR#2544

• Bugfix: Expected errors related to HTTP status code, class, and message won't impact Apdex

  The agent is supposed to prevent observed application errors from negatively impacting Apdex if the errors are either ignored or expected. There are two ways for the agent to expect an error: via the notice_error API receiving an expected: true argument or via matches made against user-configured lists for expected HTTP status codes (:'error_collector.expected_status_codes'), expected error classes (:'error_collector.expected_classes'), or expected error messages (:'error_collector.expected_messages'). Previously, only errors expected via the notice_error API were correctly prevented from impacting Apdex. Expected errors set by configuration incorrectly impacted Apdex. This behavior has been fixed and now both types of expected errors will correctly not impact Apdex. Thanks very much to @florianpilz for bringing this issue to our attention. PR#2619

• Bugfix: Do not start the agent automatically when rails runner or rails db commands are run

  PR#2239 taught the agent how to recognize bin/rails based contexts that it should not automatically start up in. But bin/rails runner and bin/rails db commands would still see the agent start automatically. Those 2 contexts will now no longer see the agent start automatically. Thank you to @jdelStrother for both bringing the bin/rails context to our attention and for letting us know about the bin/rails runner and bin/rails db outliers that still needed fixing. PR#2623

  Older agent versions that are still supported by New Relic can update to the new list of denylisted constants by having the following line added to the newrelic.yml configuration file:

  autostart.denylisted_constants: "Rails::Command::ConsoleCommand,Rails::Command::CredentialsCommand,Rails::Command::Db::System::ChangeCommand,Rails::Command::DbConsoleCommand,Rails::Command::DestroyCommand,Rails::Command::DevCommand,Rails::Command::EncryptedCommand,Rails::Command::GenerateCommand,Rails::Command::InitializersCommand,Rails::Command::NotesCommand,Rails::Command::RakeCommand,Rails::Command::RoutesCommand,Rails::Command::RunnerCommand,Rails::Command::SecretsCommand,Rails::Console,Rails::DBConsole"

  Copiar

v9.9.0

Version 9.9.0 introduces support for AWS Lambda serverless function observability, adds support for Elasticsearch 8.13.0, and adds the 'request.temperature' attribute to chat completion summaries in ruby-openai instrumentation.

• Feature: Serverless Mode for AWS Lambda

  The Ruby agent is now capable of operating in a quick and light serverless mode suitable for observing AWS Lambda function invocations. For serverless use, the agent is delivered by a New Relic Lambda layer that can be associated with a Lambda function. All reported data will appear in New Relic's dedicated serverless UI views. Only AWS based Lambda functions are supported for now, though support for other cloud hosted serverless offerings may be added in future depending on Ruby customer demand. The serverless functionality is only intended for use with the official New Relic Ruby layers for Lambda. Any existing workflows that involve the manual use of the Ruby agent in an AWS Lambda context without a New Relic layer should not be impacted.

• Feature: Add support for Elasticsearch 8.13.0

  Elasticsearch 8.13.0 increased the number of arguments used in the method the agent instruments, Elastic::Transport::Client#perform_request. Now, the agent supports a variable number of arguments for the instrumented method to prevent future ArgumentErrors.

• Bugfix: Add 'request.temperature' to ruby-openai chat completion summaries

  Previously, the agent was not reporting the request.temperature attribute on LlmChatCompletionSummary events through ruby-openai instrumentation. We are now reporting this attribute.

v9.8.0

Version 9.8.0 introduces instrumentation for ruby-openai, adds the option to store tracer state on the thread-level, hardens the browser agent insertion logic to better proactively anticipate errors, and prevents excpetions from being raised in the Active Support Broadcast logger instrumentation.

• Feature: Add instrumentation for ruby-openai

  Instrumentation has been added for the ruby-openai gem, supporting versions 3.4.0 and higher (PR#2442). While ruby-openai instrumentation is enabled by default, the configuration option ai_monitoring.enabled is disabled by default and controls all AI monitoring. ai_monitoring.enabled must be set to true in order to receive ruby-openai instrumentation. High-Security Mode must be disabled in order to receive AI monitoring.

  Calls to embedding and chat completion endpoints are automatically traced. These events can be enhanced with the introduction of two new APIs. Custom attributes can also be added to LLM events using the API NewRelic::Agent.add_custom_attributes, but they must be prefixed with llm.. For example, NewRelic::Agent.add_custom_attributes({'llm.user_id': user_id}).

• Feature: Add AI monitoring APIs

  This version introduces two new APIs that allow users to record additional information on LLM events:

  • NewRelic::Agent.record_llm_feedback_event - Records user feedback events.
  • NewRelic::Agent.set_llm_token_count_callback - Sets a callback proc for calculating token_count attributes for embedding and chat completion message events.

  Visit RubyDoc for more information on each of these APIs.

• Feature: Store tracer state on thread-level

  A new configuration option, thread_local_tracer_state, stores New Relic's tracer state on the thread-level, as opposed to the default fiber-level storage. This configuration is turned off by default. Our thanks go to community member @markiz who contributed the idea, code, configuration option, and tests for this new feature! PR#2475.

• Bugfix: Harden the browser agent insertion logic

  With Issue#2462, community member @miry explained that it was possible for an HTTP response headers hash to have symbols for values. Not only would these symbols prevent the inclusion of the New Relic browser agent tag in the response body, but more importantly they would cause an exception that would bubble up to the monitored web application itself. With PR#2465 symbol based values are now supported and all other potential future exceptions are now handled. Additionally, the refactor to support symbols has been shown through benchmarking to give the processing of string and mixed type hashes a slight speed boost too.

• Bugfix: Prevent Exception in Active Support Broadcast logger instrumentation

  Previously, in certain situations the agent could cause an exception to be raised when attempting to interact with a broadcast log event. This has been fixed. Thanks to @nathan-appere for reporting this issue and providing a fix! PR#2510

v9.7.1

Version 9.7.1 fixes a ViewComponent instrumentation bug and enforces maximum size limits for custom event attributes.

• Bugfix: Stop suppressing ViewComponent errors

  Previously, the agent suppressed ViewComponent render errors. The agent now reports these errors and allows them to raise. Thank you @mjacobus for reporting this bug and providing a fix! PR#2410

• Bugfix: Enforce maximum size limits for custom event attributes

  Previously, the agent would allow custom event attributes to be any size. This would lead to the New Relic backend dropping attributes larger than the maximum size. Now, the agent will truncate custom event attribute values to 4095 characters, attribute names to 255 characters, and the total count of attributes to 64. PR#2401

v9.7.0

Version 9.7.0 introduces ViewComponent instrumentation, changes the endpoint used to access the cluster name for Elasticsearch instrumentation, removes the creation of the Ruby/Thread and Ruby/Fiber spans, and adds support for Falcon.

• Feature: ViewComponent instrumentation

  ViewComponent is a now an instrumented library. PR#2367

• Feature: Use root path to access Elasticsearch cluster name

  Previously, the agent used the cluster health endpoint (/_cluster/health) to access the cluster name. However, this has been found to make startup unstable for large clusters. Now, the agent uses the more performant root endpoint (/).

  Our thanks go to @erikkessler1, @gremerritt, and @joshbranham for reporting the issue, suggesting solutions, and testing them. Issue#2360 PR#2377

• Feature: Remove base64 dependency, use direct calls to String methods

  In version 9.6.0, the agent required the Ruby base64 gem as a depdendency to prepare for deprecation warnings in Ruby 3.3 and the gem's removal from the Ruby standard libraries in 3.4. Including base64 as a dependency has caused problems with version resolution in some environments.

  To resolve this, the agent now directly calls the String methods used in the base64 library in the new NewRelic::Base64 module.

  Thank you, @Earlopain, for submitting this change. PR#2378

• Feature: Add Falcon support

  The agent now supports the web server Falcon. PR#2383

• Feature: Remove spans with name Ruby/Thread and Ruby/Fiber

  Due to the lack of helpful information and the confusion commonly caused by the spans named Ruby/Thread and Ruby/Fiber, these spans have been removed. However, the agents ability to monitor instrumented code running in a thread or fiber will remain unchanged. PR#2389