Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Fleet] Support Fleet server system indices #89372

Merged
merged 20 commits into from
Feb 7, 2021

Conversation

nchaulet
Copy link
Member

@nchaulet nchaulet commented Jan 26, 2021

Summary

Related to #87372
Follow #86179

To support Fleet Server we need to use .fleet* system indices instead of saved object for agents enrollment keys and agents, this PR add this.

What to expect/test

with the feature flag xpack.fleet.agents.fleetServerEnabled: false

Kibana should use the SO and all the features should work as expected, you should be able to enroll an agent through Kibana, endpoint should work.

with the feature flag xpack.fleet.agents.fleetServerEnabled: true without Fleet Server

Kibana should use the .fleet indices and all the features should work as expected, you should be able to enroll an agent through Kibana, endpoint should work.

with the feature flag xpack.fleet.agents.fleetServerEnabled: true and Fleet Server

Kibana should use the .fleet indices and all the features should work as expected,

  • you should be able to enroll an agent through Kibana, endpoint should work, if you change the kibana url in the fleet settings to fleet server the agent should continue to work but talk to Fleet server instead of kibana
  • You should be able to enroll an agent directly throught Fleet server (need to change the kibana url to Fleet server http://localhost:8000 by default)

What is not yet working

  • The suggest bar in the UI is still using the saved object for autocompletion.
  • with Fleet server the endpoint download manifest is not working

@nchaulet nchaulet force-pushed the feature-fleet-server-agent-routes branch from 599fe99 to 9e777e5 Compare January 27, 2021 20:36
@nchaulet nchaulet force-pushed the feature-fleet-server-agent-routes branch from 331435f to 71b1942 Compare January 28, 2021 01:18
@nchaulet nchaulet marked this pull request as ready for review January 28, 2021 18:22
@nchaulet nchaulet requested a review from a team as a code owner January 28, 2021 18:22
@nchaulet nchaulet requested a review from a team January 28, 2021 18:22
@nchaulet nchaulet requested a review from a team as a code owner January 28, 2021 18:22
@nchaulet nchaulet added release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v7.12.0 v8.0.0 labels Jan 28, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/ingest-management (Team:Ingest Management)

@jen-huang jen-huang self-requested a review February 5, 2021 00:20
Copy link
Contributor

@jen-huang jen-huang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nchaulet Did you get a chance to review my notes in this comment? The ES errors still occur: #89372 (comment) If this is just a known limitation right now that Fleet server needs to be started after Fleet setup is done, then that's fine, but let's make sure we confirm that.

I'm now seeing this Kibana error being logged when Fleet server is enabled, this is preventing the agent list from appearing:

server    log   [17:35:09.610] [error][fleet][plugins] TypeError: kuery.replace is not a function
    at removeSOAttributes (/Users/jen/Projects/kibana/x-pack/plugins/fleet/server/services/agents/crud_fleet_server.ts:35:16)
    at Object.listAgents (/Users/jen/Projects/kibana/x-pack/plugins/fleet/server/services/agents/crud_fleet_server.ts:61:18)
    at listAgents (/Users/jen/Projects/kibana/x-pack/plugins/fleet/server/services/agents/crud.ts:29:30)
    at concurrency (/Users/jen/Projects/kibana/x-pack/plugins/fleet/server/services/agents/status.ts:67:7)
    at /Users/jen/Projects/kibana/node_modules/p-map/index.js:57:28
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
server   error  [17:35:09.583]  Error: Internal Server Error
    at HapiResponseAdapter.toError (/Users/jen/Projects/kibana/src/core/server/http/router/response_adapter.ts:122:19)
    at HapiResponseAdapter.toHapiResponse (/Users/jen/Projects/kibana/src/core/server/http/router/response_adapter.ts:72:19)
    at HapiResponseAdapter.handle (/Users/jen/Projects/kibana/src/core/server/http/router/response_adapter.ts:67:17)
    at Router.handle (/Users/jen/Projects/kibana/src/core/server/http/router/router.ts:273:34)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at handler (/Users/jen/Projects/kibana/src/core/server/http/router/router.ts:227:11)
    at exports.Manager.execute (/Users/jen/Projects/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at Object.internals.handler (/Users/jen/Projects/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
    at exports.execute (/Users/jen/Projects/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
    at Request._lifecycle (/Users/jen/Projects/kibana/node_modules/@hapi/hapi/lib/request.js:370:32)
    at Request._execute (/Users/jen/Projects/kibana/node_modules/@hapi/hapi/lib/request.js:279:9)

image

I did some testing on when Fleet server is not enabled, and things look good. I know we don't expect Fleet server integration to be perfect yet, but the above error is blocking for me for this PR. I'm happy to give a 👍🏻 once that's resolved and I get another round of successful non-Fleet server testing.

@@ -78,6 +80,7 @@ async function createAction(
) {
const body: FleetServerAgentAction = {
'@timestamp': new Date().toISOString(),
expiration: new Date(Date.now() + ONE_MONTH_IN_MS).toISOString(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wow that's a long expiration! 😄 what does tell fleet server to do?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's mandatory for Fleet server actions to have an expiration, it just say if the agent connect after more than 1 month to fleet server the agent will not get the action.

@nchaulet
Copy link
Member Author

nchaulet commented Feb 5, 2021

@jen-huang thanks for testing this again and again.

I missed the kuery.replace error when I merged master, it should be fixed.

For the error in the logs, the way Fleet server check for the indice to be present, is by trying to search this indices so the error in the logs is "okay" and should not affect how Fleet Server works we could probably improve that by checking if the index is present and ready.

@nchaulet
Copy link
Member Author

nchaulet commented Feb 5, 2021

@kevinlog I would love a review from endpoint on that one, I tested with the flagged turn off and nothing looks broken on your end.

@jen-huang jen-huang self-requested a review February 5, 2021 20:22
Copy link
Contributor

@jen-huang jen-huang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally again today and am not seeing any issues when feature flag is disabled. I tested with feature flag enabled too (which also did a light test of the SO->indices migrations) and found that the kuery error is resolved and I didn't see any major issues apart from known ones while we continue to work on supporting Fleet server.

Thanks for iterating on this with my testing @nchaulet and great work!!

@kevinlog
Copy link
Contributor

kevinlog commented Feb 5, 2021

@nchaulet my testing steps:

  • Add Agent with Endpoint
  • Update policy
  • Remove Policy, see Endpoint gets uninstalled

The above worked with the feature flag both ON and OFF.
Artifacts not working with Fleet server is a known issue - I just created this to keep track of it. We'll fix it in 7.13.
#90513

Other than that, looks good!

@@ -54,7 +54,11 @@ export function registerDownloadExceptionListRoute(
// The ApiKey must be associated with an enrolled Fleet agent
try {
scopedSOClient = endpointContext.service.getScopedSavedObjectsClient(req);
await authenticateAgentWithAccessToken(scopedSOClient, req);
await authenticateAgentWithAccessToken(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@paul-tavares FYI

with the feature flag OFF artifacts were still being downloaded

@nchaulet nchaulet requested a review from paul-tavares February 5, 2021 21:27
@patrykkopycinski
Copy link
Contributor

patrykkopycinski commented Feb 6, 2021

Hi @nchaulet @jen-huang

I've found one more issue I think, I've had a case where my agents were assigned to the policy that was removed and when I tried to reassign agents to the new policy I was getting an error that saved object with old policy id doesn't exist
https://github.com/elastic/kibana/pull/89372/files#diff-11bcc5bb1eaf5ddae753f9ee690233bef988d13ddbf6baf71c4c8edd0d6a4933L186-L189

I've had to wrap this line into try/catch block to make sure that saved object error is not being thrown

let agentPolicySO;

try {
  agentPolicySO = await soClient.get<AgentPolicySOAttributes>(SAVED_OBJECT_TYPE, id);
  // eslint-disable-next-line no-empty
} catch (e) {}

if (!agentPolicySO) {
  return null;
}

@nchaulet
Copy link
Member Author

nchaulet commented Feb 7, 2021

@elasticmachine merge upstream

@nchaulet
Copy link
Member Author

nchaulet commented Feb 7, 2021

I've found one more issue I think, I've had a case where my agents were assigned to the policy that was removed and when I tried to reassign agents to the new policy I was getting an error that saved object with old policy id doesn't exist

@patrykkopycinski I think the bug existed before that PR, I am wondering how did you remove the policy? normally we cannot delete a policy with active agents, maybe there is a bug here.

I will merge that PR as it is to avoid more conflict, but we should still iterate on that

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@nchaulet nchaulet merged commit 91ffe73 into elastic:master Feb 7, 2021
@nchaulet nchaulet deleted the feature-fleet-server-agent-routes branch February 7, 2021 23:57
gmmorris added a commit to gmmorris/kibana that referenced this pull request Feb 8, 2021
* master: (55 commits)
  [APM-UI][E2E] use githubNotify step (elastic#90514)
  [APM] Export ProcessorEvent type (elastic#90540)
  [Lens] Retain column config (elastic#90048)
  [Data Table] Add unit tests (elastic#90173)
  Migrate most plugins to synchronous lifecycle (elastic#89562)
  skip flaky suite (elastic#90555)
  skip flaky suite (elastic#64473)
  [actions] improve email action doc (elastic#90020)
  [Fleet] Support Fleet server system indices (elastic#89372)
  skip flaky suite (elastic#90552)
  Bump immer dependencies (elastic#90267)
  Unrevert "Migrations v2: don't auto-create indices + FTR/esArchiver support (elastic#85778)" (elastic#89992)
  [Search Sessions] Use sync config (elastic#90138)
  chore(NA): add safe guard to remove bazelisk from yarn global at bootstrap (elastic#90538)
  [test] Await retry.waitFor (elastic#90456)
  chore(NA): integrate build buddy with our bazel setup and remote cache for ci (elastic#90116)
  Skip failing suite (elastic#90526)
  [Fleet] Fix incorrect conversion of string to numeric values in agent YAML (elastic#90371)
  [Docs] Update reporting troubleshooting for arm rhel/centos (elastic#90385)
  chore(NA): build bazel projects all at once in the distributable build process (elastic#90328)
  ...
@jen-huang
Copy link
Contributor

Thanks for reporting @patrykkopycinski, agree with @nchaulet that this is existing behavior. I've opened an issue for that #90625. To be honest I am surprised at the behavior, I thought we had some conditions to not be able to delete a policy if active agents are enrolled into it, but maybe not 🤔

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v7.12.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants