Filebeat: Makes registry_file_permission configurable

[dolftax]

This supports use-cases where the registry file is read
by some other external service/component.

Signed-off-by: Jaipradeesh jaipradeesh@gmail.com

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[houndci-bot]

exported function New should have comment or be unexported

[dolftax]

FYI, yet to update docs, configuration reference, etc,..

[ruflin]

Not sure if we really should update the file permission here. I would rather suggest to change in on line 262 so we already write it with the correct permission.

[dolftax]

Grep for registry_file in filebeat dir returns the following. make update isn't updating all the below files. Should it be done manually?

./filebeat.reference.yml:557:#filebeat.registry_file: ${path.data}/registry
./filebeat.reference.yml:560:#filebeat.registry_file_permission: 0600
./_meta/common.reference.p2.yml:262:#filebeat.registry_file: ${path.data}/registry
./_meta/common.reference.p2.yml:265:#filebeat.registry_file_permission: 0600
./_meta/beat.reference.yml:557:#filebeat.registry_file: ${path.data}/registry
./_meta/beat.reference.yml:560:#filebeat.registry_file_permission: 0600
./docs/filebeat-general-options.asciidoc:20:==== `registry_file`
./docs/filebeat-general-options.asciidoc:27:filebeat.registry_file: registry
./docs/filebeat-general-options.asciidoc:42:options, such as `registry_file`, are ignored.
./docs/faq.asciidoc:56:Filebeat keeps the state of each file and persists the state to disk in the `registry_file`. The file state is used to continue file reading at a previous position when Filebeat is restarted. If a large number of new files are produced every day, the registry file might grow to be too large. To reduce the size of the registry file, there are two configuration options available: <<clean-removed,`clean_removed`>> and <<clean-inactive,`clean_inactive`>>.
./tests/load/filebeat.yml:17:  registry_file: registry
./tests/load/filebeat.yml:18:  registry_file_permission: 0600
./tests/system/test_registrar.py:141:    def test_custom_registry_file_location(self):
./tests/system/test_registrar.py:918:        registry_file = self.working_dir + "/registry"
./tests/system/test_registrar.py:924:        registry_file_path = self.working_dir + "/registry"
./tests/system/test_registrar.py:925:        with open(registry_file_path, 'w') as registry_file:
./tests/system/test_registrar.py:927:            registry_file.write("Hello World")
./tests/system/config/filebeat_modules.yml.j2:1:filebeat.registry_file: {{ beat.working_dir + '/' }}{{ registryFile|default("registry")}}
./tests/system/config/filebeat.yml.j2:94:filebeat.registry_file: {{ beat.working_dir + '/' }}{{ registryFile|default("registry")}}
./tests/system/config/filebeat_inputs.yml.j2:8:filebeat.registry_file: {{ beat.working_dir + '/' }}{{ registryFile|default("registry")}}
./config/config.go:26:	RegistryFile           string               `config:"registry_file"`
./config/config.go:27:	RegistryFilePermission os.FileMode          `config:"registry_file_permission"`

@ruflin

[ruflin]

@jaipradeesh Not sure what part you want to update in all these files? I think it's important to the permission settings in the reference file and the docs.

[dolftax]

No problem @ruflin. I've updated the docs. Please do a review :-) . I've also added some verification steps below.

Permission config test

➜  filebeat git:(filebeat-configurable-registry-file-perm) cat filebeat.yml | grep "registry_file_permission"

➜  filebeat git:(filebeat-configurable-registry-file-perm) ls -la data | grep "registry"                     
-rw-------.  1 dolftax dolftax    3 Mar  2 09:00 registry

➜  filebeat git:(filebeat-configurable-registry-file-perm) ./filebeat -c filebeat.yml
^C%                      

➜ filebeat git:(filebeat-configurable-registry-file-perm) ls -la data | grep "registry"                     
-rw-------.  1 dolftax dolftax    3 Mar  2 09:27 registry

➜  filebeat git:(filebeat-configurable-registry-file-perm) cat filebeat.yml | grep "registry_file_permission"
filebeat.registry_file_permission: 0644

➜  filebeat git:(filebeat-configurable-registry-file-perm) ./filebeat -c filebeat.yml                        
^C%                                 

➜  filebeat git:(filebeat-configurable-registry-file-perm) ls -la data | grep "registry"                     
-rw-r--r--.  1 dolftax dolftax    3 Mar  2 09:27 registry

[ruflin]

This just triggered an idea on my end. It would be really great to have a system test that checks if the permission of the registry file is actually changed in case this is set differently. Can you add one?

[dolftax]

Alright.

[dolftax]

Will add tests for 0644, 0600 and 0664. IMO, that should suffice.

[ruflin]

Great to hear. Please ping us when you pushed a new commit. This will also show if it causes any problems on windows.

[ruflin]

@urso @andrewkroh Do you see any issue adding this feature?

[andrewkroh]

One issue is that we use a plural (permissions) in naming the option for other areas. I think the name should be changed.

• https://www.elastic.co/guide/en/beats/filebeat/6.2/configuration-logging.html#_literal_logging_files_permissions_literal
• https://www.elastic.co/guide/en/beats/filebeat/current/file-output.html#_literal_permissions_literal

[wk8]

Could this please be merged and shipped with the next release? Much needed here too :) Thanks!

[dolftax]

Test that filebeat registry permission is set as per configuration ... ok (0.3507s)
Test that filebeat default registry permission is set ... ok (0.3478s)
Test that filebeat registry permission is updated along with configuration ... ok (1.5567s)

[ruflin]

jenkins, test it

[ruflin]

Normally this can become flaky on slow tests machines. But we can still fix it if the build starts to break.

[ruflin]

@jaipradeesh Thanks, LGTM. Can you revert the Makefile change, just to be sure. Afterwards we should be good to go in case Jenkins agrees :-)

[dolftax]

Makefile, reverted.
System test log - https://dpaste.de/qGTb/raw

[ruflin]

jenkins, test it

[dolftax]

Weirdly, update config test is passing locally (Fedora 27) - https://dpaste.de/qGTb/#L127 but failing in travis (both OS X and Ubuntu Trusty) - https://travis-ci.org/elastic/beats/jobs/352789249#L352

Checking why. Any pointers appreciated.

[ruflin]

Could it be a timing issue related to the 1s? Travis is pretty slow.

[ruflin]

@jaipradeesh I assume you deleted the comment about pep8 and discovered make fmt.

[dolftax]

@ruflin Used https://pypi.python.org/pypi/flake8 // make fmt helps. Yeah, deleted the comment as I didn't want to bother you.

[ruflin]

Seems like you used a different pep setting then what we have in make fmt for the line length. It's not a big deal but in general would be nice to only have the changes related to the PR in.

[dolftax]

Noted. From next PR.

[dolftax]

Modified PEP8 config as per beats' requirements.

[ruflin]

jenkins, test it

[ruflin]

PR LGTM. Now waiting on Jenkins to go green.

[ruflin]

It would be nice if you could do a follow up PR that does not use time.Sleep but for example watches the registry file for the file permission changes. Otherwise this increases our CI time by at least 5 seconds. If we have this in many tests this is not nice.

[dolftax]

I should be able to work on another filebeat bug over the weekend. Will push it along with that.

[ruflin]

Great, but please make it 2 different PR's to sepearate concerns.

[dolftax]

Build fails on windows. Looks like Windows ACL have to be modified. Two ways to it.

• This option isn't supported on Windows
• Implement something like https://github.com/hectane/go-acl

[ruflin]

For the first version I suggest we not support it on Windows but states this very clearly in the docs. Can you update the docs and tests accordingly, please also add a note to the reference config file. There are some other system tests which are skipped on windows, you can copy the checks from there.

@andrewkroh WDYT?

[andrewkroh]

Currently we don't do any Windows ACL management anywhere in the project. So I would just say this option isn't supported on Windows.

[ruflin]

jenkins, test it

[ruflin]

@jaipradeesh Merged. Thanks a lot for following through with this.