Metricbeat fails to index docker metadata #11225

Closed
kuisathaverat opened this issue Mar 13, 2019 · 1 comment
@kuisathaverat
Contributor

Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.

Please include configurations and logs if available.

For confirmed bugs, please report:

  • Create a k8s cluster
  • Deploy Elasticsearch 7.1.0-SNAPSHOT
  • Deploy Metricbeat with the configuration above
  • Deploy Auditbeat with the configuration above
  • Check the Elasticsearch logs
{
  [metricbeat-7.1.0][_doc][4ARYWWkBTidYNB1MYom3], source[{
    "@timestamp": "2019-03-07T18:08:00.214Z",
    "docker": {
      "container": {
        "labels": {
          "io_kubernetes_docker_type": "podsandbox",
          "annotation_kubernetes_io/config_seen": "2019-03-07T18:05:52.183452515Z",
          "annotation_kubernetes_io/config_source": "api",
          "io_kubernetes_pod_namespace": "kube-system",
          "pod-template-generation": "1",
          "io_kubernetes_container_name": "POD",
          "io_kubernetes_pod_name": "auditbeat-w7j9j",
          "k8s-app": "auditbeat",
          "controller-revision-hash": "1545459614",
          "io_kubernetes_pod_uid": "a5145dea-4103-11e9-b1d6-42010a8401a4"
        },
        "image": "k8s.gcr.io/pause-amd64:3.1",
        "status": "Up 2 minutes",
        "id": "06e88f74f9455c64af63e503dc85be6ad25c1b8d728b8d230049dee53bc6ff6d",
        "name": "k8s_POD_auditbeat-w7j9j_kube-system_a5145dea-4103-11e9-b1d6-42010a8401a4_0",
        "ip_addresses": [""],
        "size": {
          "rw": 0,
          "root_fs": 0
        },
        "created": "2019-03-07T18:05:52.000Z",
        "command": "/pause"
      }
    },
    "event": {
      "duration": 15917699,
      "dataset": "docker.container",
      "module": "docker"
    },
    "host": {
      "hostname": "gke-XXXXXXXXXX-pool-1-c6a5cd7f-ggzj",
      "architecture": "x86_64",
      "os": {
        "platform": "centos",
        "version": "7 (Core)",
        "family": "redhat",
        "name": "CentOS Linux",
        "kernel": "4.14.65+",
        "codename": "Core"
      },
      "containerized": true,
      "name": "gke-XXXXXXXXXX-pool-1-c6a5cd7f-ggzj"
    },
    "ecs": {
      "version": "1.0.0-beta2"
    },
    "agent": {
      "id": "70b22ecd-18ee-43ff-9bc5-a53433d68d11",
      "version": "7.1.0",
      "type": "metricbeat",
      "ephemeral_id": "81b25b3a-55ac-44cd-b77c-b59872c3dea8",
      "hostname": "gke-XXXXXXXXXX-pool-1-c6a5cd7f-ggzj"
    },
    "cloud": {
      "machine": {
        "type": "projects/XXXXXXXXXX/machineTypes/n1-standard-2"
      },
      "availability_zone": "projects/XXXXXXXXXX/zones/europe-west1-c",
      "instance": {
        "id": "7177843840848088616",
        "name": "gke-XXXXXXXXXX-pool-1-c6a5cd7f-ggzj"
      },
      "project": {
        "id": "XXXXXXXXXX"
      },
      "provider": "gce"
    },
    "metricset": {
      "name": "container"
    },
    "service": {
      "address": "/var/run/docker.sock",
      "type": "docker"
    }
  }]
}

Metricbeat configuration

---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: metricbeat
  namespace: kube-system
  labels:
    k8s-app: metricbeat
spec:
  template:
    metadata:
      labels:
        k8s-app: metricbeat
    spec:
      serviceAccountName: metricbeat
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: metricbeat
        image: elastic/metricbeat:7.1.0-SNAPSHOT
        args: [
          "-c", "/etc/metricbeat.yml",
          "-e",
          "-system.hostfs=/hostfs",
          "-d", "autodiscover, add_docker_metadata, add_kubernetes_metadata"
        ]
        env:
        - name: ELASTICSEARCH_USERNAME
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: user
        - name: ELASTICSEARCH_PASSWORD
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: password
        - name: ELASTICSEARCH_PROTO
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: protocol
        - name: ELASTICSEARCH_HOST
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: host
        - name: ELASTICSEARCH_PORT
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: port
        - name: KIBANA_HOST
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: host
        - name: KIBANA_PROTO
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: protocol
        - name: KIBANA_PORT
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: port
        - name: KIBANA_USERNAME
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: user
        - name: KIBANA_PASSWORD
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: password
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-creds
              key: mysql-root-password
        - name: POSGRESQL_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgresql-creds
              key: postgresql-password
        securityContext:
          runAsUser: 0
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/metricbeat.yml
          readOnly: true
          subPath: metricbeat.yml
        - name: modules
          mountPath: /usr/share/metricbeat/modules.d
          readOnly: true
        - name: dockersock
          mountPath: /var/run/docker.sock
        - name: proc
          mountPath: /hostfs/proc
          readOnly: true
        - name: cgroup
          mountPath: /hostfs/sys/fs/cgroup
          readOnly: true
      volumes:
      - name: proc
        hostPath:
          path: /proc
      - name: cgroup
        hostPath:
          path: /sys/fs/cgroup
      - name: dockersock
        hostPath:
          path: /var/run/docker.sock
      - name: config
        configMap:
          defaultMode: 0600
          name: metricbeat-daemonset-config
      - name: modules
        configMap:
          defaultMode: 0600
          name: metricbeat-daemonset-modules
      - name: data
        hostPath:
          path: /var/lib/metricbeat-data
          type: DirectoryOrCreate
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: metricbeat-daemonset-config
  namespace: kube-system
  labels:
    k8s-app: metricbeat
data:
  metricbeat.yml: |-
    metricbeat.config.modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
    metricbeat.autodiscover:
      providers:
        - type: kubernetes
          host: ${NODE_NAME}
          templates:
            - condition:
                or:
                  - contains:
                      kubernetes.container.image: nginx
                  - contains:
                      kubernetes.container.image: nginx-ingress-controller
              config:
                - module: nginx
                  period: 10s
                  metricsets: ["stubstatus"]
                  hosts: ["${data.host}:8080"]
                  server_status_path: "server-status"
    processors:
      - add_cloud_metadata:
      - add_docker_metadata:
      - add_kubernetes_metadata:
          in_cluster: true
      - add_host_metadata:
      - drop_fields:
          when:
            has_fields: ['kubernetes.labels.app']
          fields:
            - 'kubernetes.labels.app'

    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_PROTO}://${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}
      ssl.enabled: true
      ssl.verification_mode: none
    xpack.monitoring.enabled: true
    setup.kibana.host: ${KIBANA_PROTO}://${KIBANA_HOST}:${KIBANA_PORT:5601}
    setup.kibana.username: ${KIBANA_USERNAME}
    setup.kibana.password: ${KIBANA_PASSWORD}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: metricbeat-daemonset-modules
  namespace: kube-system
  labels:
    k8s-app: metricbeat
data:
  system.yml: |-
    - module: system
      period: 10s
      metricsets:
        - cpu
        - load
        - memory
        - network
        - process
        - process_summary
        - uptime
        - core
        - socket
      processes: ['.*']
      processors:
        - add_docker_metadata:
            host: "unix:///var/run/docker.sock"
            match_fields: ["system.process.cgroup.id"]
      process.include_top_n.enabled: false
    - module: system
      period: 1m
      metricsets:
        - filesystem
        - fsstat
      processors:
      - drop_event.when.regexp:
          system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)'
  kubernetes.yml: |-
    - module: kubernetes
      metricsets:
        - node
        - system
        - pod
        - container
        - volume
      period: 10s
      host: ${NODE_NAME}
      hosts: ["localhost:10255"]
  docker.yml: |-
    - module: docker
      metricsets:
        - container
        - cpu
        - healthcheck
        - info
        - memory
        - network
      hosts: ["unix:///var/run/docker.sock"]
      period: 10s

Auditbeat configuration

---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: auditbeat
  namespace: kube-system
  labels:
    k8s-app: auditbeat
spec:
  template:
    metadata:
      labels:
        k8s-app: auditbeat
    spec:
      serviceAccountName: auditbeat
      hostPID: true
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: auditbeat
        image: elastic/auditbeat:7.1.0-SNAPSHOT
        securityContext:
          runAsUser: 0
          capabilities:
            add:
            - AUDIT_CONTROL
            - AUDIT_READ
            - NET_ADMIN
        args: [ "-c", "/etc/auditbeat.yml", "-e", "-d", "add_docker_metadata" ]
        env:
        - name: ELASTICSEARCH_USERNAME
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: user
        - name: ELASTICSEARCH_PASSWORD
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: password
        - name: ELASTICSEARCH_PROTO
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: protocol
        - name: ELASTICSEARCH_HOST
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: host
        - name: ELASTICSEARCH_PORT
          valueFrom:
            secretKeyRef:
              name: es-creds
              key: port
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: KIBANA_HOST
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: host
        - name: KIBANA_PROTO
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: protocol
        - name: KIBANA_PORT
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: port
        - name: KIBANA_USERNAME
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: user
        - name: KIBANA_PASSWORD
          valueFrom:
            secretKeyRef:
              name: kibana-creds
              key: password
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/auditbeat.yml
          readOnly: true
          subPath: auditbeat.yml
        - name: dockersock
          mountPath: /var/run/docker.sock
        - name: proc
          mountPath: /hostfs/proc
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: auditbeat-config
      - name: data
        hostPath:
          path: /var/lib/auditbeat-data
          type: DirectoryOrCreate
      - name: proc
        hostPath:
          path: /proc
      - name: dockersock
        hostPath:
          path: /var/run/docker.sock
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: auditbeat
subjects:
- kind: ServiceAccount
  name: auditbeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: auditbeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: auditbeat
  labels:
    k8s-app: auditbeat
rules:
- apiGroups: [""]
  resources:
  - nodes
  - namespaces
  - events
  - pods
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources:
  - replicasets
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources:
  - statefulsets
  - deployments
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: auditbeat
  namespace: kube-system
  labels:
    k8s-app: auditbeat
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: auditbeat-config
  namespace: kube-system
  labels:
    k8s-app: auditbeat
data:
  auditbeat.yml: |-
    auditbeat.modules:
    - module: auditd
      audit_rules: |
        -a always,exit -F arch=b32 -S all -F key=32bit-abi
        ## Executions.
        -a always,exit -F arch=b64 -S execve,execveat -k exec
        ## External access (warning: these can be expensive to audit).
        -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
        ## Identity changes.
        -w /etc/group -p wa -k identity
        -w /etc/passwd -p wa -k identity
        -w /etc/gshadow -p wa -k identity
        ## Unauthorized access attempts.
        -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
        -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
    setup.template.settings:
      index.number_of_shards: 3
    processors:
      - add_docker_metadata:
         host: "unix:///var/run/docker.sock"
         match_pids: [ "process.pid", "process.ppid" ]
      - add_host_metadata: ~
      - add_cloud_metadata: ~
    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_PROTO:http}://${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}
      ssl.enabled: true
      ssl.verification_mode: none
    xpack.monitoring.enabled: true
    setup.kibana.host: ${KIBANA_PROTO}://${KIBANA_HOST}:${KIBANA_PORT:5601}
    setup.kibana.username: ${KIBANA_USERNAME}
    setup.kibana.password: ${KIBANA_PASSWORD}
@jsoriano jsoriano self-assigned this Mar 14, 2019
@jsoriano jsoriano added bug module Metricbeat Metricbeat containers Related to containers use case Team:Integrations Label for the Integrations team labels Mar 14, 2019
@jsoriano
Member

Good catch, thanks for reporting, I have opened a PR to fix this.

jsoriano added a commit that referenced this issue Mar 18, 2019
Docker containers can have empty IP addresses if they are running in
host network mode or if they are stopped. Collecting lists with empty
addresses can make type mapping fail when trying to store them as IP
addresses.

Fix #11225
jsoriano added a commit to jsoriano/beats that referenced this issue Mar 18, 2019
…ic#11247)

Docker containers can have empty IP addresses if they are running in
host network mode or if they are stopped. Collecting lists with empty
addresses can make type mapping fail when trying to store them as IP
addresses.

Fix elastic#11225

(cherry picked from commit 258c1c8)
jsoriano added a commit that referenced this issue Mar 19, 2019
… container metricset (#11293)

Docker containers can have empty IP addresses if they are running in
host network mode or if they are stopped. Collecting lists with empty
addresses can make type mapping fail when trying to store them as IP
addresses.

Fix #11225

(cherry picked from commit 258c1c8)
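
The condition described in the commit messages above, shown as an added Go example (it is not the code from the Beats fix): empty address strings are dropped before the list is emitted, so the event carries `"ip_addresses": []` rather than `[""]`. The names `containerNetwork`, `collectIPAddresses` and `ipAddressesField` are hypothetical, and the sample data is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
)

// containerNetwork is a hypothetical stand-in for the per-network settings
// reported for a container; only the address matters here.
type containerNetwork struct {
	IPAddress string
}

// collectIPAddresses keeps only values that parse as IP addresses, so a
// host-network or stopped container yields an empty list instead of [""].
func collectIPAddresses(networks map[string]containerNetwork) []string {
	ips := make([]string, 0, len(networks)) // non-nil: marshals as [] not null
	for _, n := range networks {
		if n.IPAddress == "" || net.ParseIP(n.IPAddress) == nil {
			continue
		}
		ips = append(ips, n.IPAddress)
	}
	sort.Strings(ips) // map iteration order is random; keep output stable
	return ips
}

// ipAddressesField renders the field as it would appear in the event JSON.
func ipAddressesField(networks map[string]containerNetwork) (string, error) {
	b, err := json.Marshal(map[string][]string{"ip_addresses": collectIPAddresses(networks)})
	return string(b), err
}

func main() {
	// Constructed sample data, not taken from a real Docker API response.
	samples := []map[string]containerNetwork{
		{"host": {IPAddress: ""}}, // host network mode: no address assigned
		{"bridge": {IPAddress: "172.17.0.2"}, "stale": {IPAddress: ""}},
	}
	for _, s := range samples {
		out, err := ipAddressesField(s)
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```

A dropped document like the one in the Elasticsearch log above is also a monitoring gap: containers in host network mode produced no `docker.container` events until the empty entry was filtered out.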