Enable pprof for elastic-agent and beats #28983
Conversation
Enable the /debug/pprof/ endpoints for all beats that the elastic-agent starts. Enable the pprof endpoints on elastic-agent if agent.monitoring.pprof is true (default true). Agent endpoint can be toggled in case it is located on a network and not localhost/unix socket/windows N pipe.
michel-laterman
added
enhancement
backport-v8.0.0
|
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
botelastic
bot
added
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
|
/test |
| @@ -122,6 +122,7 @@ func (b *Monitor) EnrichArgs(spec program.Spec, pipelineID string, args []string | |||
| appendix = append(appendix, | |||
| "-E", "http.enabled=true", | |||
| "-E", "http.host="+endpoint, | |||
| "-E", "http.pprof.enabled=true", | |||
There was a problem hiding this comment.
If monitoring is enabled we always enable also pprof?
There was a problem hiding this comment.
yes.
Also as far as my testing shows, even when the agent is not monitoring its beats the beats will bind to a socket (and pprof will be available)
There was a problem hiding this comment.
I wonder if this might be unexpected from a user perspective. pprof exposes quite a bit more information than monitoring as it exposes some of the internals of the process. At the same time, whoever gets the monitoring data likely already knows about the internals.
@simitt @scunningham Any concerns with this?
There was a problem hiding this comment.
Can you help me understand how the current config options play together:
agent.monitoring:
enabled: false
logs: false
metrics: false
http:
enabled: true
Will metrics be exposed via the http endpoint?
There was a problem hiding this comment.
We should not enable pprof unless customer explicitly turns it on. The HTTP interface is not defended and an attacker would be able to potentially steal secrets from the heap dump.
There was a problem hiding this comment.
http.pprof.enabled is a libbeat setting that we are passing to the beats to expose the pprof options over the http endpoint.
When the agent passes it above, the http interface is bound to a local unix socket (or windows npipe)
@scunningham, when the elastic-agent starts a beat, the beat will bind the interface to a socket even if agent.monitoring.enabled: false, is your request to disable automatically enabling the pprof endpoints for these beats unless explicitly enabled in this case as well?
There was a problem hiding this comment.
Are you saying we automatically enable pprof even if not explicitly enabled? That's not great.
| @@ -107,6 +107,9 @@ inputs: | |||
| # logs: false | |||
| # # enables metrics monitoring | |||
| # metrics: false | |||
| # # exposes /debug/pprof/ endpoints | |||
| # # recommended that these endpoints are only enabled if the monitoring endpoint is set to localhost | |||
| # pprof: true | |||
There was a problem hiding this comment.
Why is pprof: true while logs and metrics are false by default?
There was a problem hiding this comment.
I think that the reference here may be incorrect, the default MonitoringConfig has them set to true
| @@ -122,6 +122,7 @@ func (b *Monitor) EnrichArgs(spec program.Spec, pipelineID string, args []string | |||
| appendix = append(appendix, | |||
| "-E", "http.enabled=true", | |||
| "-E", "http.host="+endpoint, | |||
| "-E", "http.pprof.enabled=true", | |||
There was a problem hiding this comment.
Can you help me understand how the current config options play together:
agent.monitoring:
enabled: false
logs: false
metrics: false
http:
enabled: true
Will metrics be exposed via the http endpoint?
Enable the /debug/pprof/ endpoints for all beats that the elastic-agent starts. Enable the pprof endpoints on elastic-agent if agent.monitoring.pprof is true (default true). Agent endpoint can be toggled in case it is located on a network and not localhost/unix socket/windows N pipe. (cherry picked from commit 6ad6bee)
Enable the /debug/pprof/ endpoints for all beats that the elastic-agent starts. Enable the pprof endpoints on elastic-agent if agent.monitoring.pprof is true (default true). Agent endpoint can be toggled in case it is located on a network and not localhost/unix socket/windows N pipe. (cherry picked from commit 6ad6bee)
Enable the /debug/pprof/ endpoints for all beats that the elastic-agent starts. Enable the pprof endpoints on elastic-agent if agent.monitoring.pprof is true (default true). Agent endpoint can be toggled in case it is located on a network and not localhost/unix socket/windows N pipe. (cherry picked from commit 6ad6bee) Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
Enable the /debug/pprof/ endpoints for all beats that the elastic-agent starts. Enable the pprof endpoints on elastic-agent if agent.monitoring.pprof is true (default true). Agent endpoint can be toggled in case it is located on a network and not localhost/unix socket/windows N pipe. (cherry picked from commit 6ad6bee) Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
|
@michel-laterman For the pprof enabling in Beats by default, we likely should follow up in 8.0 to not have it enabled by default if monitoring is enabled or at least have a discussion. Could you file a Github issue? |
|
On cloud we set |
|
@simitt, we should disable pprof for cloud |
…ws-on-file-changes * upstream/master: override host on statsd metricset (elastic#29103) Skip config check in autodiscover for duplicated configurations (elastic#29048) Change "filebeat.config.modules.enabled" to "true" (elastic#28769) Remove deprecated spool queue from Beats (elastic#28869) Add `beat` field back to beat.stats (elastic#29094) Revert "Move labels and annotations under kubernetes.namespace. (elastic#27917)" (elastic#29069) heartbeat: remove w2008 in the CI (elastic#29093) Remove deprecated `--template` and `--index-policy` flags (elastic#28870) Fix parsing of apache trace log levels (elastic#28717) [Elastic-Agent] IUse itnernal port for local fleet server (elastic#28993) [Heartbeat] Log error on dupe monitor ID instead of strict req (elastic#29041) Enable pprof for elastic-agent and beats (elastic#28983)
What does this PR do?
Enable the /debug/pprof/ endpoints for all beats that the elastic-agent
starts. Enable the pprof endpoints on elastic-agent if
agent.monitoring.pprof is true (default true). Agent endpoint can be
toggled in case it is located on a network and not localhost/unix
socket/windows N pipe.
Why is it important?
pprof endpoint data will be added to the diagnostics bundle
Checklist
I have added tests that prove my fix is effective or that my feature worksCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
Start agent with unaltered config, test
/debug/pprof/with curlRelated issues