Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

packetbeat/beater: don't attempt to install npcap when already installed #30509

Merged
merged 2 commits into from
Feb 22, 2022
Merged

packetbeat/beater: don't attempt to install npcap when already installed #30509

merged 2 commits into from
Feb 22, 2022

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Feb 21, 2022
edited
Loading

What does this PR do?

This makes installation of the OEM Npcap library on windows conditional on its absence or version.

Why is it important?

Without this packetbeat startup fails every second time due to the Npcap removal for installation forcing all applications to be killed (see https://npcap.com/guide/npcap-users-guide.html#npcap-installation-uninstall-options section on \no_kill). The longer term fix required for actual upgrade operations requires that the DLL be unloaded prior to upgrade. That change will come in another PR. Included here.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
    - [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@efd6 efd6 requested review from adriansr and a team February 21, 2022 22:58
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Feb 21, 2022
@mergify mergify bot assigned efd6 Feb 21, 2022
@elasticmachine
Copy link
Collaborator

elasticmachine commented Feb 21, 2022
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-02-21T23:19:57.614+0000

  • Duration: 90 min 4 sec

Test stats 🧪

Test Results
Failed 0
Passed 3328
Skipped 36
Total 3364

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@efd6
Copy link
Contributor Author

efd6 commented Feb 21, 2022
edited
Loading

Note that the behaviour with this change will result in other clients of the Npcap DLL being killed during an upgrade since we have installed using /no_kill=no (default). The alternative, to use yes, will cause the upgrade to fail when there is another client of the DLL, "If /no_kill=yes is specified, then Npcap uninstaller will fail if there are still applications using Npcap driver or DLLs."

Neither option is good. @adriansr WDYT?

The cases are:

  1. not installed: no problem
  2. installed and not used by others: no problem
  3. installed and used by others:
    • /no_kill=yes don't upgrade and warn (needs to figure out how to distinguish this kind of failure from others, or perhaps always warn and then rely on failing out later — I don't like this)
    • /no_kill=no upgrade forcing other applications to be killed. The query here is how frequently this will happen.

@adriansr
Copy link
Contributor

Thanks @efd6, the current solution with the default /no_kill=no makes more sense. I doubt it makes sense to have two different apps using npcap at the same time.

@efd6
Copy link
Contributor Author

efd6 commented Feb 22, 2022

There may be users that are using wireshark or similar, but I would expect it to be quite rare. We can revisit if this becomes an issue.

@efd6 efd6 merged commit d74e7aa into elastic:main Feb 22, 2022
@mergify mergify bot mentioned this pull request Feb 22, 2022
Merged
mergify bot pushed a commit that referenced this pull request Feb 22, 2022
@efd6
packetbeat/beater: don't attempt to install npcap when already instal…
8d52bdb 
…led (#30509)

* don't attempt to install npcap when already installed
* unload DLL during install operation

(cherry picked from commit d74e7aa)
@efd6 efd6 mentioned this pull request Feb 22, 2022
Closed
@efd6 efd6 deleted the conditionalnpcap branch February 22, 2022 00:59
efd6 added a commit that referenced this pull request Feb 22, 2022
@mergify @efd6
packetbeat/beater: don't attempt to install npcap when already instal…
6474837 
…led (#30509) (#30511)

* don't attempt to install npcap when already installed
* unload DLL during install operation

(cherry picked from commit d74e7aa)

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
v1v added a commit to v1v/beats that referenced this pull request Feb 22, 2022
@v1v
Merge remote-tracking branch 'upstream/main' into feature/refactor-pa…
29471a7 
…ckaging-docker

* upstream/main: (26 commits)
  Update docker/distribution to 2.8.0 (elastic#30462)
  Add `parsers` examples to `filestream` reference configuration (elastic#30529)
  extend documentation about setting orchestrator.cluster fields (elastic#30518)
  Forward-port 8.0.1 changelog to main (elastic#30522)
  Switch skip to use `CI` (elastic#30512)
  packetbeat/beater: don't attempt to install npcap when already installed (elastic#30509)
  Fix Docker module: rename fields on dashboards (elastic#30500)
  fix typos and improve sentences (elastic#30432)
  Add drop and explicit tests to avoid duplicate ingest of elasticsearch logs (elastic#30440)
  {,x-pack/}auditbeat: replace uses of github.com/pkg/errors with stdlib equivalents (elastic#30321)
  Spelling fix (elastic#30439)
  packetbeat/beater: make sure Npcap installation runs before interfaces are needed in all cases (elastic#30438)
  Add BC about Homebrew no longer being available in 8.0 (elastic#30419)
  Install gawk as a replacement for mawk in Docker containers. (elastic#30452)
  Clean up python-related system tests (elastic#30415)
  Fix TestNewModuleRegistry flakiness (elastic#30453)
  [Filebeat] [auditd]: Support EXECVE events with truncated argument list (elastic#30382)
  Set `log.offset` to the start of the reported line in filestream (elastic#30445)
  clarify SelectedPackageTypes meaning and improve its usage (elastic#30142)
  [elasticsearch module] serialize shards properties (elastic#30408)
  ...
v1v added a commit to v1v/beats that referenced this pull request Feb 22, 2022
@v1v
Merge remote-tracking branch 'upstream/main' into feature/use-with-ki…
12a61e7 
…nd-k8s-env

* upstream/main:
  Update docker/distribution to 2.8.0 (elastic#30462)
  Add `parsers` examples to `filestream` reference configuration (elastic#30529)
  extend documentation about setting orchestrator.cluster fields (elastic#30518)
  Forward-port 8.0.1 changelog to main (elastic#30522)
  Switch skip to use `CI` (elastic#30512)
  packetbeat/beater: don't attempt to install npcap when already installed (elastic#30509)
  Fix Docker module: rename fields on dashboards (elastic#30500)
v1v added a commit that referenced this pull request Mar 2, 2022
@v1v
Merge branch '8.1' of github.com:elastic/beats into mergify/bp/8.1/pr…
0112148 
…-29710

* '8.1' of github.com:elastic/beats: (51 commits)
  refactor pushDockerImages (#30414) (#30624)
  ci: add windows-2022 in the extended meta-stage (#30528) (#30630)
  Curate k8s testing versions to only keep the actively maintained (#30619) (#30625)
  [8.1](backport #30355) Add Beats upgrade docs for 8.0 (#30612)
  Remove references to gcp from the Functionbeat docs (#30579) (#30609)
  x-pack/auditbeat/module/system/socket: defend against exec with zero arguments (#30586) (#30597)
  [MySQL Enterprise] Adding default paths values to manifest.yml (#30598) (#30604)
  metricbeat - fix elasticsearch and kibana integration tests failures in 8.0 (#30566) (#30594)
  Install gawk as a replacement for mawk in Docker containers. (#30452) (#30465)
  [Filebeat] Remove RecordedFuture dataset from Threat Intel module (#30564) (#30568)
  Adjust the documentation of `backoff` options in filestream input (#30552) (#30557)
  packetbeat/beater: help the GC clean up the Npcap installer if it's not used (#30513) (#30546)
  Osquerybeat: Add install verification for osquerybeat (#30388) (#30404)
  Update docker/distribution to 2.8.0 (#30462) (#30540)
  Add `parsers` examples to `filestream` reference configuration (#30529) (#30537)
  [8.1](backport #30068) ZooKeeper module: Adapt to ZooKeeper 3.6+ `mntr` response fields' changes. (#30360)
  [8.1](backport #30512) Switch skip to use `CI` (#30525)
  Forward-port 8.0.1 changelog to 8.1 (#30517)
  packetbeat/beater: don't attempt to install npcap when already installed (#30509) (#30511)
  Add drop and explicit tests to avoid duplicate ingest of elasticsearch logs (#30440) (#30488)
  ...
@jamiehynds jamiehynds mentioned this pull request Jan 30, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees

@efd6 efd6

Labels
8.1-candidate backport-v8.1.0 Automated backport with mergify bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@efd6 @elasticmachine @adriansr