Logstash improvements: auto pipeline reload. #1668
Conversation
There was a problem hiding this comment.
To have ssl enabled between logstash and agent, a client certificate needs to be added to the fleet-logstash-output created in fleet. Similar to https://github.com/elastic/elastic-package/pull/1646/files#diff-16829f0b151b844f24aebc77c8aea194ae3b84fca32debdd296aa22cba7a99bfR36
These certificates are then authorized by logstash
mashhurs
force-pushed
the
logstash-improvements-reload
branch
from
f8d5bb3 to
bd9c877
Compare
Thanks for letting me know. Since I don't have much internal detail knowledge, I will leave this part AS-IS and focus on my current needs. |
mashhurs
force-pushed
the
logstash-improvements-reload
branch
from
edfec7c to
6cdd220
Compare
mashhurs
force-pushed
the
logstash-improvements-reload
branch
from
774fbf1 to
75ca508
Compare
| - "../certs/logstash:/usr/share/logstash/config/certs" | ||
| - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem" |
There was a problem hiding this comment.
To ensure that we neither try to write here when running locally.
| - "../certs/logstash:/usr/share/logstash/config/certs" | |
| - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem" | |
| - "../certs/logstash:/usr/share/logstash/config/certs:ro" | |
| - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem:ro" |
There was a problem hiding this comment.
It seems making config/certs read-only, mounting elasticsearch.pem is failing?! Removing read-only from certs works fine, we need to mount file one by one if it is strictly required.
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/opt/buildkite-agent/.elastic-package/profiles/logstash/certs/elasticsearch/cert.pem" to rootfs at "/usr/share/logstash/config/certs/elasticsearch.pem": open /var/lib/docker/overlay2/c73fe26af0e42262b9972a5dc32a073d3141e9dee2467ca8ed3bc5d07ce6733b/merged/usr/share/logstash/config/certs/elasticsearch.pem: read-only file system: unknown
…d agent, remove doc id in pipeline config to cover generic cases.
…Docker volumes which will be busy during the Logstash run.
Read-only mounted certificates, set proper permission to a Logstash startup shell script. Co-authored-by: Jaime Soriano Pastor <jaime.soriano@elastic.co>
mashhurs
force-pushed
the
logstash-improvements-reload
branch
from
91972a2 to
eaed0b5
Compare
💚 Build Succeeded
History
cc @mashhurs |
| # Also logstash-filter-elastic_integration plugin is installed by default to run ingest pipelines in logstash. | ||
| # elastic-package#1637 made improvements to enable logstash stats through port 9600. | ||
| command: bash -c 'openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /tmp/logstash.pkcs8.key && chmod +x /tmp/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) == *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf' | ||
| command: bash /usr/share/logstash/startup.sh |
|
|
||
| # runs Logstash | ||
| run() { | ||
| bin/logstash -f "$LOGSTASH_HOME/pipeline/logstash.conf" --config.reload.automatic |
There was a problem hiding this comment.
Nit. Could we use exec to replace the process?
| bin/logstash -f "$LOGSTASH_HOME/pipeline/logstash.conf" --config.reload.automatic | |
| exec bin/logstash -f "$LOGSTASH_HOME/pipeline/logstash.conf" --config.reload.automatic |
| openssl pkcs8 -inform PEM -in "$ls_cert_path/key.pem" -topk8 -nocrypt -outform PEM -out "/tmp/logstash.pkcs8.key" | ||
| chmod 777 "/tmp/logstash.pkcs8.key" |
There was a problem hiding this comment.
Nit. It doesn't use to be a good practice to write a key in /tmp or with 777. But this is a testing scenario, so as you prefer if we don't have another way to do it now.
There was a problem hiding this comment.
Sounds good! Let me follow up Nits with separate PR because this is somehow blocking my another task: elastic/logstash-filter-elastic_integration#122 (comment)
Polish some things in the logstash scenario: * Pre-build logstash image: * It includes the plugin now so it doesn't need to be installed on every run, speeding up startup after first run. * It includes the configuration, so it can be modified with auto-reload, as introduced in #1668. * Use private key without converting it to PKCS8. * Use actual CA instead of elasticsearch certificate as CA in logstash output. * Startup script removed as operations moved to other places or not needed. * Use the same configuration template for serverless and compose providers.
5 participants
Description
This change includes number of Logstash improvements:
--config.reload.automaticwhen running Logstash to avoid extra container restart.elastic-packagegenerated config as it will be mounted file system, cannot be writable while docker container is active. Current approach generates and copies to a writable file where final file can be changed and Logstash automatically reloads pipeline.enable SSL between LS and agent: depends on Refactor New cert to use enum #1664, most users use SSL between agent and Logstash and it is the best practise.remove doc id in pipeline config to cover generic cases: the integrations with time series do not accept the document with ID set (reference)- this will cause integration tests fail and we believe this will be anyway short term solution, we should rather focus on long-term: changeable config, so I am leaving this AS-IS as well.