Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Buildkite] Fix logic to check which packages are excluded in Kibana (Serverless) #9849

Merged
merged 11 commits into from
May 22, 2024
Merged

[Buildkite] Fix logic to check which packages are excluded in Kibana (Serverless) #9849

merged 11 commits into from
May 22, 2024

Conversation

mrodm
Copy link
Contributor

@mrodm mrodm commented May 13, 2024
edited

Proposed commit message

Add support to exclude some packages by defining a new environment variable.

There are some packages that are trying to be installed in a Observability project in Elastic Serverless, but they cannot be installed.

Example of build: https://buildkite.com/elastic/integrations-serverless/builds/400

Updated Buildkite scripts to check which packages are excluded in the current Kibana configuration of each Serverless project type.

Here in this build it is shown that universal_profiling_agent (profiler_agent) package is skipped because it is added into the excluded list of Kibana.

@mrodm mrodm self-assigned this May 13, 2024
@mrodm mrodm requested a review from a team as a code owner May 13, 2024 15:35
@mrodm mrodm changed the title Filter security packages in Elastic Serverless (Observability) daily job [Buildkite] Filter security packages in Elastic Serverless (Observability) daily job May 13, 2024
@andrewkroh
Copy link
Member

but they cannot be installed

Why can they not be installed? Is this a temporary limitation? Do these packages need to define a capabilities value in their manifest?

@elasticmachine
Copy link

elasticmachine commented May 13, 2024
edited

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@mrodm
Copy link
Contributor Author

mrodm commented May 14, 2024

but they cannot be installed

Why can they not be installed? Is this a temporary limitation? Do these packages need to define a capabilities value in their manifest?

This is the error for security_detection_engine package:

Error: error running package asset tests: could not complete test run: can't install the package: there was an apply error: installation failed: can't install the package: could not zip-install package; API status code = 400; response body = {"statusCode":400,"error":"Bad Request","message":"Encountered 5224 errors creating saved objects: ...

This is the error for universal_profile_agent package:

Error: can't install the package: could not zip-install package; API status code = 403; response body = {"statusCode":403,"error":"Forbidden","message":"profiler_agent installation is not authorized"}

Probably security_detection_engine would require to define capabilities in its manifest, but there are already quite a few versions published with spec version >= 3.0.0. Those versions would be available in Observability projects too.

About universal_profiling_agent not sure what would be needed, but currently that package cannot be installed in Observability projects. In Security projects it works. This package has also a couple of versions using format_version >= 3.0.0.

Do you know if it can be done something else for these packages ? @jsoriano
Should universal_profiling_agent be available in Observability projects too ?

@jsoriano
Copy link
Member

This is the error for security_detection_engine package:

Error: error running package asset tests: could not complete test run: can't install the package: there was an apply error: installation failed: can't install the package: could not zip-install package; API status code = 400; response body = {"statusCode":400,"error":"Bad Request","message":"Encountered 5224 errors creating saved objects: ...

Probably security_detection_engine would require to define capabilities in its manifest, but there are already quite a few versions published with spec version >= 3.0.0. Those versions would be available in Observability projects too.

Do you have the full error message? This is likely complaining about an unsupported saved object type. This package should probably define the security capability.

For packages already published, we may need to end up removing packages from the registry if they cause problems. In any case this package should be included in the exclude list for observability till these issues are handled https://github.com/elastic/kibana/blob/6c7907a2b7aa907ab06db758a7bf01c6c65290aa/config/serverless.oblt.yml#L52

This is the error for universal_profile_agent package:

Error: can't install the package: could not zip-install package; API status code = 403; response body = {"statusCode":403,"error":"Forbidden","message":"profiler_agent installation is not authorized"}

About universal_profiling_agent not sure what would be needed, but currently that package cannot be installed in Observability projects. In Security projects it works. This package has also a couple of versions using format_version >= 3.0.0.

No idea where this error comes from, but looks like this package should also include the security capability. And might be included in the observability exclude list in the meantime.

@mrodm
Copy link
Contributor Author

mrodm commented May 14, 2024

Do you have the full error message? This is likely complaining about an unsupported saved object type. This package should probably define the security capability.

The error message is too long. This is the first saved objects failing:

Error: error running package asset tests: could not complete test run: can't install the package: there was an apply error: installation failed: can't install the package: could not zip-install package; API status code = 400; response body = {"statusCode":400,"error":"Bad Request","message":"Encountered 5224 errors creating saved objects: [{\"type\":\"security-rule\",\"id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"00140285-b827-4aee-aa09-8113f58a08f3_105\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"00140285-b827-4aee-aa09-8113f58a08f3_106\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"00140285-b827-4aee-aa09-8113f58a08f3_107\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"00140285-b827-4aee-aa09-8113f58a08f3_108\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"00140285-b827-4aee-aa09-8113f58a08f3_109\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"00140285-b827-4aee-aa09-8113f58a08f3_110\",\"error\":{\"type\":\"unsupported_type\"}},{\"type\":\"security-rule\",\"id\":\"00140285-b827-4aee-aa09-8113f58a08f3_111\",\"error\":{\"type\":\"unsupported_type\"}}...

Full log can be downloaded from the buildkite step: https://buildkite.com/elastic/integrations-serverless/builds/407#018f74bb-d02c-45e1-95bf-c865ae95f05b

@mrodm
Copy link
Contributor Author

mrodm commented May 14, 2024

About universal_profiling_agent package probably should be available in Observability ?
This is the documentation about it: https://www.elastic.co/guide/en/observability/current/universal-profiling.html

@jsoriano
Copy link
Member

About universal_profiling_agent package probably should be available in Observability ? This is the documentation about it: https://www.elastic.co/guide/en/observability/current/universal-profiling.html

Ah yes, you are right, profiling should work in observability. @elastic/profiling do you know what could be causing the failure mentioned in #9849 (comment): profiler_agent installation is not authorized.

@mrodm
Copy link
Contributor Author

mrodm commented May 21, 2024

About universal_profiling_agent package probably should be available in Observability ? This is the documentation about it: https://www.elastic.co/guide/en/observability/current/universal-profiling.html

Ah yes, you are right, profiling should work in observability. @elastic/profiling do you know what could be causing the failure mentioned in #9849 (comment): profiler_agent installation is not authorized.

@elastic/profiling should the universal_profiling_agent package be available for observability projects in Elastic Serverless? Currently, this package fails with this error:

Error: can't install the package: could not zip-install package; API status code = 403; response body = {"statusCode":403,"error":"Forbidden","message":"profiler_agent installation is not authorized"}

If so, I could update the list of packages to be skipped to just "security_detection_engine" package for now.

@danielmitterdorfer
Copy link
Member

should the universal_profiling_agent package be available for observability projects in Elastic Serverless?

No, Universal Profiling is currently not supported for Observability projects.

@mrodm mrodm mentioned this pull request May 22, 2024
Merged
4 tasks
@mrodm
Copy link
Contributor Author

mrodm commented May 22, 2024

univeral_profiliing_agent should be skipped according to the kibana config, it has been fixed here: f4f41bd

In this test build, it is already shown as skipped: https://buildkite.com/elastic/integrations-serverless/builds/425

For packages already published, we may need to end up removing packages from the registry if they cause problems. In any case this package should be included in the exclude list for observability till these issues are handled https://github.com/elastic/kibana/blob/6c7907a2b7aa907ab06db758a7bf01c6c65290aa/config/serverless.oblt.yml#L52

According to this, I think it would be better to create a PR to update the exclude list to add security_detection_engine there. WDYT? @kpollich @jsoriano

Added security capability in security_detection_engine here: #9938

@jsoriano
Copy link
Member

According to this, I think it would be better to create a PR to update the exclude list to add security_detection_engine there. WDYT? @kpollich @jsoriano

Yes, I think we need to do both things at this point, adding it to the exclude list, and adding the capability for the future.

@mrodm mrodm mentioned this pull request May 22, 2024
Merged
1 task
@elasticmachine
Copy link

elasticmachine commented May 22, 2024
edited

⏳ Build in-progress, with failures

Failed CI Steps

History

cc @mrodm

@mrodm mrodm changed the title [Buildkite] Filter security packages in Elastic Serverless (Observability) daily job [Buildkite] Fix logic to check which packages are excluded in Kibana (Serverless) May 22, 2024
mrodm
mrodm commented May 22, 2024
View reviewed changes
.buildkite/scripts/common.sh
Comment on lines +415 to +418
local package_name=""
package_name=$(package_name_manifest)

if echo "${excluded_packages}" | grep -q -E "\"${package_name}\""; then
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Retrieved the package name from the manifest to compare with the values from Kibana.

@mrodm mrodm requested review from a team and jlind23 May 22, 2024 14:54
@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@mrodm
Copy link
Contributor Author

mrodm commented May 22, 2024

CI failures are unrelated to this change, merging it.

@mrodm mrodm merged commit 13f1f6f into elastic:main May 22, 2024
4 of 5 checks passed
@mrodm mrodm deleted the filter-security-packages branch May 22, 2024 17:39
mrodm added a commit to elastic/kibana that referenced this pull request May 23, 2024
@mrodm @kibanamachine
Add security_detection_engine into exclude list for observability pro…
8550c2c 
…jects (#184022)

## Summary

Include [`security_detection_engine`
package](https://github.com/elastic/integrations/tree/d2a74171c8fc32fd8754af0a2dd733669b5f6578/packages/security_detection_engine)
into the list of excluded packages for Observability projects in Elastic
Serverless.

Relates elastic/integrations#9849
Relates elastic/integrations#9938


### For maintainers

- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
rshen91 pushed a commit to rshen91/kibana that referenced this pull request May 30, 2024
@mrodm @kibanamachine @rshen91
Add security_detection_engine into exclude list for observability pro…
1c468e7 
…jects (elastic#184022)

## Summary

Include [`security_detection_engine`
package](https://github.com/elastic/integrations/tree/d2a74171c8fc32fd8754af0a2dd733669b5f6578/packages/security_detection_engine)
into the list of excluded packages for Observability projects in Elastic
Serverless.

Relates elastic/integrations#9849
Relates elastic/integrations#9938


### For maintainers

- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsoriano jsoriano jsoriano approved these changes

@jlind23 jlind23 Awaiting requested review from jlind23

Assignees

@mrodm mrodm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@mrodm @andrewkroh @elasticmachine @jsoriano @danielmitterdorfer @jlind23