From afd8bf2094f5666aa53cb2b586c55d5f97e69b20 Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Thu, 8 Feb 2024 12:10:34 -0800
Subject: [PATCH 01/13] Logstash improvements: auto pipeline reload, enable SSL between LS and agent, remove doc id in pipeline config to cover generic cases.

---
 internal/stack/_static/docker-compose-stack.yml.tmpl | 1 -
 internal/stack/_static/serverless-docker-compose.yml.tmpl | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index 15519ee8b8..a9086f57c4 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -179,7 +179,6 @@ services:
       - "../certs/logstash/cert.pem:/usr/share/logstash/config/certs/cert.pem"
       - "../certs/logstash/ca-cert.pem:/usr/share/logstash/config/certs/ca-cert.pem"
       - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
-      - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro"
     ports:
       - "127.0.0.1:5044:5044"
       - "127.0.0.1:9600:9600"
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index 2ec85a1577..14ea73dbab 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
@@ -38,7 +38,7 @@ services:
     # logstash expects the key in pkcs8 format. Hence converting the key.pem to pkcs8 format using openssl.
     # Also logstash-filter-elastic_integration plugin is installed by default to run ingest pipelines in logstash.
     # elastic-package#1637 made improvements to enable logstash stats through port 9600.
-    command: bash -c 'openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /usr/share/logstash/config/certs/logstash.pkcs8.key && chmod 777 /usr/share/logstash/config/certs/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) == *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf'
+    command: bash -c 'openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /usr/share/logstash/config/certs/logstash.pkcs8.key && chmod 777 /usr/share/logstash/config/certs/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) == *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf --config.reload.automatic'
     volumes:
       - "../certs/logstash:/usr/share/logstash/config/certs"
       - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro"

From caf78b4a3897d9b6af5eb068d753fcf82a375768 Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Fri, 9 Feb 2024 10:13:20 -0800
Subject: [PATCH 02/13] Revert SSL changes between agent and Logstash.

---
 internal/stack/_static/logstash.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/stack/_static/logstash.conf.tmpl b/internal/stack/_static/logstash.conf.tmpl
index 2832eb10b5..825488fd05 100644
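Review bot: The new `command` line still produces the unencrypted (`-nocrypt`) PKCS#8 key with `chmod 777`, and `/usr/share/logstash/config/certs` is the host directory `../certs/logstash` bind-mounted read-write, so a world-readable and world-writable private key is left in the host checkout on every container start; `chmod 600 /usr/share/logstash/config/certs/logstash.pkcs8.key` (or writing the key outside the mount) is enough, since Logstash reads it as the same user that created it. `--config.reload.automatic` is added for a pipeline that is a single-file `:ro` bind mount; Docker binds the inode, so an editor that saves by rename will presumably not be noticed by the watcher, which is worth a comment next to the mount if in-place edits are the intended workflow.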
--- a/internal/stack/_static/logstash.conf.tmpl
+++ b/internal/stack/_static/logstash.conf.tmpl
@@ -1,7 +1,7 @@
 input {
   elastic_agent {
     port => 5044
-    ssl_enabled => true
+    ssl_enabled => false
     ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca-cert.pem"]
     ssl_certificate => "/usr/share/logstash/config/certs/cert.pem"
     ssl_key => "/tmp/logstash.pkcs8.key"

From cd84490c27ccab5e0ae523e664f815d41c2e29ea Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Fri, 9 Feb 2024 15:59:25 -0800
Subject: [PATCH 03/13] Make Logstash pipeline configs changeable.

---
 internal/stack/_static/docker-compose-stack.yml.tmpl | 1 +
 internal/stack/_static/serverless-docker-compose.yml.tmpl | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index a9086f57c4..0322e543d5 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -179,6 +179,7 @@ services:
       - "../certs/logstash/cert.pem:/usr/share/logstash/config/certs/cert.pem"
       - "../certs/logstash/ca-cert.pem:/usr/share/logstash/config/certs/ca-cert.pem"
       - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
+      - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf"
     ports:
       - "127.0.0.1:5044:5044"
       - "127.0.0.1:9600:9600"
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index 14ea73dbab..13cace17df 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
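Review bot: Setting `ssl_enabled => false` makes the agent-to-Logstash connection on port 5044 plaintext while `ssl_certificate_authorities`, `ssl_certificate` and `ssl_key` remain as settings that no longer apply, so a reader scanning the block will assume the listener is TLS-protected. If this is a temporary workaround, record that at the toggle, e.g. `# TODO(security): ssl_enabled temporarily false — <reason>; re-enable before merging`, so the revert is not forgotten. The `elastic_agent` input block continues past the end of the hunk.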
@@ -41,7 +41,7 @@ services:
     command: bash -c 'openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /usr/share/logstash/config/certs/logstash.pkcs8.key && chmod 777 /usr/share/logstash/config/certs/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) == *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf --config.reload.automatic'
     volumes:
       - "../certs/logstash:/usr/share/logstash/config/certs"
-      - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro"
+      - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf"
     ports:
       - "127.0.0.1:5044:5044"
       - "127.0.0.1:9600:9600"

From dee03dad6e92014ac23d527fd9c5ec1e5e88efe7 Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Fri, 9 Feb 2024 16:31:21 -0800
Subject: [PATCH 04/13] Let's focus on Logstash integration plugin and avoid connection failures with ES.

---
 internal/stack/_static/serverless-logstash.conf.tmpl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/internal/stack/_static/serverless-logstash.conf.tmpl b/internal/stack/_static/serverless-logstash.conf.tmpl
index d42f1d493e..d8c96d691a 100644
--- a/internal/stack/_static/serverless-logstash.conf.tmpl
+++ b/internal/stack/_static/serverless-logstash.conf.tmpl
@@ -27,6 +27,7 @@ output {
     user => '{{ fact "username" }}'
     password => '{{ fact "password" }}'
     ssl_enabled => true
+    ssl_verification_mode => "none"
     data_stream => "true"
   }
 }

From 75d9e6e02ae45f3d87b6672fcf9147fdc18345c5 Mon Sep 17 00:00:00 2001
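Review bot: `ssl_verification_mode => "none"` switches off certificate-chain and hostname validation on the Elasticsearch output, so the Logstash-to-ES leg that carries the `user`/`password` above it becomes open to an active attacker even though `ssl_enabled => true` stays in place. The commit title says this avoids connection failures with ES, but the failure itself is not recorded; if the endpoint presents a certificate the container does not trust, the fix is `ssl_certificate_authorities => ["<ca path>"]` rather than disabling verification. At minimum a comment with the observed error next to this line would tell the next reader what is being worked around.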
From: Mashhur
Date: Mon, 12 Feb 2024 15:37:42 -0800
Subject: [PATCH 05/13] Put back config changes and make overwritable config separating from Docker volumes which will be busy during the Logstash run.

---
 internal/stack/_static/docker-compose-stack.yml.tmpl | 2 +-
 internal/stack/_static/serverless-docker-compose.yml.tmpl | 5 +++--
 internal/stack/_static/serverless-logstash.conf.tmpl | 1 -
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index 0322e543d5..f864ae532b 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -179,7 +179,7 @@ services:
       - "../certs/logstash/cert.pem:/usr/share/logstash/config/certs/cert.pem"
       - "../certs/logstash/ca-cert.pem:/usr/share/logstash/config/certs/ca-cert.pem"
       - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
-      - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf"
+      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
     ports:
       - "127.0.0.1:5044:5044"
       - "127.0.0.1:9600:9600"
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index 13cace17df..38aba4d715 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
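Review bot: The pipeline file is now mounted as `generated_logstash.conf`, but this compose file's `command` (outside the hunk) still starts Logstash with `-f /usr/share/logstash/pipeline/logstash.conf` and has no copy step, so as far as this series shows the non-serverless stack would run whatever `pipeline/logstash.conf` the image ships rather than the generated pipeline. The serverless template gets a `cp generated_logstash.conf logstash.conf` prefix in the same commit; the same prefix is needed here, or better, the copy should live in one place shared by both stacks.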
@@ -38,10 +38,11 @@ services:
     # logstash expects the key in pkcs8 format. Hence converting the key.pem to pkcs8 format using openssl.
     # Also logstash-filter-elastic_integration plugin is installed by default to run ingest pipelines in logstash.
     # elastic-package#1637 made improvements to enable logstash stats through port 9600.
-    command: bash -c 'openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /usr/share/logstash/config/certs/logstash.pkcs8.key && chmod 777 /usr/share/logstash/config/certs/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) == *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf --config.reload.automatic'
+    # config copy is intentional that mounted volumes will be busy and cannot be overwritten
+    command: bash -c 'yes | cp /usr/share/logstash/pipeline/generated_logstash.conf /usr/share/logstash/pipeline/logstash.conf && openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /usr/share/logstash/config/certs/logstash.pkcs8.key && chmod 777 /usr/share/logstash/config/certs/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) == *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf --config.reload.automatic'
     volumes:
       - "../certs/logstash:/usr/share/logstash/config/certs"
-      - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf"
+      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
     ports:
       - "127.0.0.1:5044:5044"
       - "127.0.0.1:9600:9600"
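Review bot: `yes | cp …` is an unusual way to force an overwrite; `cp -f` does the same without a pipe, and `cp` only prompts when aliased to `cp -i` in the first place. The copy runs once at container start, so the `--config.reload.automatic` on the same line watches the container-local `logstash.conf`, not the read-only mount — regenerating `./logstash.conf` on the host will presumably not reload the pipeline, which the new comment should say so nobody expects it to. Something like `# copy the generated pipeline out of the read-only mount; the running copy is what --config.reload.automatic watches` states what the line actually does.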
diff --git a/internal/stack/_static/serverless-logstash.conf.tmpl b/internal/stack/_static/serverless-logstash.conf.tmpl
index d8c96d691a..d42f1d493e 100644
--- a/internal/stack/_static/serverless-logstash.conf.tmpl
+++ b/internal/stack/_static/serverless-logstash.conf.tmpl
@@ -27,7 +27,6 @@ output {
     user => '{{ fact "username" }}'
     password => '{{ fact "password" }}'
     ssl_enabled => true
-    ssl_verification_mode => "none"
     data_stream => "true"
   }
 }

From 1209dda69a61f01ecb940fcb8406eb98ab1da05d Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Tue, 13 Feb 2024 12:42:30 -0800
Subject: [PATCH 06/13] Separate Logstash initialization script and define it as a resource.

---
 .../_static/docker-compose-stack.yml.tmpl | 10 ++---
 internal/stack/_static/logstash_startup.sh | 38 +++++++++++++++++++
 .../serverless-docker-compose.yml.tmpl | 7 +---
 internal/stack/resources.go | 5 +++
 internal/stack/serverlessresources.go | 5 +++
 5 files changed, 53 insertions(+), 12 deletions(-)
 create mode 100644 internal/stack/_static/logstash_startup.sh

diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index f864ae532b..3c090e17ca 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -170,16 +170,12 @@ services:
       interval: 60s
       timeout: 50s
       retries: 5
-    # logstash expects the key in pkcs8 format. Hence converting the key.pem to pkcs8 format using openssl.
-    # Also logstash-filter-elastic_integration plugin is installed by default to run ingest pipelines in logstash.
-    # elastic-package#1637 made improvements to enable logstash stats through port 9600.
-    command: bash -c 'openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /tmp/logstash.pkcs8.key && chmod +x /tmp/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) == *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf'
+    command: bash -c 'chmod +x /usr/share/logstash/startup.sh && /usr/share/logstash/startup.sh'
     volumes:
-      - "../certs/logstash/key.pem:/usr/share/logstash/config/certs/key.pem"
-      - "../certs/logstash/cert.pem:/usr/share/logstash/config/certs/cert.pem"
-      - "../certs/logstash/ca-cert.pem:/usr/share/logstash/config/certs/ca-cert.pem"
+      - "../certs/logstash:/usr/share/logstash/config/certs"
       - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
       - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
+      - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
       - "127.0.0.1:5044:5044"
       - "127.0.0.1:9600:9600"
diff --git a/internal/stack/_static/logstash_startup.sh b/internal/stack/_static/logstash_startup.sh
new file mode 100644
index 0000000000..8a293783f1
--- /dev/null
+++ b/internal/stack/_static/logstash_startup.sh
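Review bot: `chmod +x /usr/share/logstash/startup.sh` runs against a read-write bind mount of `./logstash_startup.sh`, so the container changes the mode of a file in the host checkout (on Linux bind mounts at least), and the script the container then executes can also be rewritten from inside the container. Mounting it `:ro` and invoking it as `bash /usr/share/logstash/startup.sh` removes both concerns, because bash does not need the executable bit when given the path. The certs mount is also widened from three named files to the whole `../certs/logstash` directory, still without `:ro`; if that is only so the script can write `logstash.pkcs8.key` there, writing the key elsewhere would let this mount be read-only too.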
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -euo pipefail
+
+LOGSTASH_HOME="/usr/share/logstash/"
+
+# logstash expects the key in pkcs8 format.
+# Hence converting the key.pem to pkcs8 format using openssl.
+create_cert() {
+  ls_cert_path="$LOGSTASH_HOME/config/certs"
+  openssl pkcs8 -inform PEM -in "$ls_cert_path/key.pem" -topk8 -nocrypt -outform PEM -out "$ls_cert_path/logstash.pkcs8.key"
+  chmod 777 $ls_cert_path/logstash.pkcs8.key
+}
+
+# config copy is intentional that mounted volumes will be busy and cannot be overwritten
+overwrite_pipeline_config() {
+  ls_pipeline_config_path="$LOGSTASH_HOME/pipeline/"
+  cat "$ls_pipeline_config_path/generated_logstash.conf" > "$ls_pipeline_config_path/logstash.conf"
+}
+
+# installs the `elastic_integration` plugin if not bundled
+install_plugin_if_missing() {
+  plugin_name=$1
+  if [[ ! $(bin/logstash-plugin list) == *"$plugin_name"* ]]; then
+    echo "Missing plugin $plugin_name, installing now"
+    bin/logstash-plugin install "$plugin_name"
+  fi
+}
+
+# runs Logstash
+run() {
+  bin/logstash -f "$LOGSTASH_HOME/pipeline/logstash.conf" --config.reload.automatic
+}
+
+create_cert
+overwrite_pipeline_config
+install_plugin_if_missing "logstash-filter-elastic_integration"
+run
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index 38aba4d715..767c2dd26b 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
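Review bot: `create_cert` leaves the `-nocrypt` PKCS#8 key world-readable and world-writable (`chmod 777`) inside the bind-mounted certs directory, so any process in the container — and the host checkout behind the mount — gets a key that can be read or swapped for the one Logstash presents to agents; a `umask 077` around the `openssl` call (or `chmod 600`) is sufficient, since Logstash reads the key as the same user that wrote it. The key is written to `$ls_cert_path/logstash.pkcs8.key`, whereas the non-serverless pipeline template in this series sets `ssl_key => "/tmp/logstash.pkcs8.key"`, so the two paths need to agree before `ssl_enabled` is turned back on. `run` should `exec` Logstash so that a `docker stop` SIGTERM reaches the JVM instead of this wrapping bash, and `bin/logstash`/`bin/logstash-plugin` are relative paths that silently depend on the working directory being `$LOGSTASH_HOME`. `bin/logstash-plugin install` also pulls an unpinned plugin version from the network on every cold start; pinning it with `--version` (or baking the plugin into the image) would make startup reproducible.
```shell
# run from LOGSTASH_HOME so the relative bin/ paths below do not depend on the caller's cwd
cd "$LOGSTASH_HOME"

# logstash expects the key in pkcs8 format; the key is unencrypted (-nocrypt),
# so create it owner-only instead of loosening it with chmod 777 afterwards.
create_cert() {
  ls_cert_path="$LOGSTASH_HOME/config/certs"
  (umask 077 && openssl pkcs8 -inform PEM -in "$ls_cert_path/key.pem" -topk8 -nocrypt -outform PEM -out "$ls_cert_path/logstash.pkcs8.key")
}

# … unchanged: overwrite_pipeline_config, install_plugin_if_missing …

# runs Logstash; exec so docker stop's SIGTERM reaches the JVM, not this wrapper
run() {
  exec bin/logstash -f "$LOGSTASH_HOME/pipeline/logstash.conf" --config.reload.automatic
}
```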
@@ -35,14 +35,11 @@ services:
       interval: 60s
       timeout: 50s
       retries: 5
-    # logstash expects the key in pkcs8 format. Hence converting the key.pem to pkcs8 format using openssl.
-    # Also logstash-filter-elastic_integration plugin is installed by default to run ingest pipelines in logstash.
-    # elastic-package#1637 made improvements to enable logstash stats through port 9600.
-    # config copy is intentional that mounted volumes will be busy and cannot be overwritten
-    command: bash -c 'yes | cp /usr/share/logstash/pipeline/generated_logstash.conf /usr/share/logstash/pipeline/logstash.conf && openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /usr/share/logstash/config/certs/logstash.pkcs8.key && chmod 777 /usr/share/logstash/config/certs/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) == *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf --config.reload.automatic'
+    command: bash -c 'chmod +x /usr/share/logstash/startup.sh && /usr/share/logstash/startup.sh'
     volumes:
       - "../certs/logstash:/usr/share/logstash/config/certs"
       - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
+      - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
       - "127.0.0.1:5044:5044"
       - "127.0.0.1:9600:9600"
diff --git a/internal/stack/resources.go b/internal/stack/resources.go
index 885b464e32..fa305f8737 100644
--- a/internal/stack/resources.go
+++ b/internal/stack/resources.go
@@ -121,6 +121,11 @@ var (
 			Path:    ElasticAgentEnvFile,
 			Content: staticSource.Template("_static/elastic-agent.env.tmpl"),
 		},
+		&resource.File{
+			Path:         "logstash_startup.sh",
+			CreateParent: true,
+			Content:      staticSource.Template("_static/logstash_startup.sh"),
+		},
 	}
 )
 
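Review bot: `Path: "logstash_startup.sh"` is a bare literal where the neighbouring entries use named constants (`ElasticAgentEnvFile`, `LogstashConfigFile`), and the same name is spelled again in `serverlessresources.go` and in both compose templates; a `LogstashStartupFile` constant would keep them from drifting apart. The script is registered through `staticSource.Template`, so any `{{`/`}}` in it will be expanded by the template engine; the current script contains none, but a comment on the entry such as `// rendered as a Go template: keep {{ }} out of the shell script` would spare someone a confusing failure later. No `Mode` is set, so the generated file gets the resource default, which is presumably why the compose command has to `chmod +x` it at start.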
diff --git a/internal/stack/serverlessresources.go b/internal/stack/serverlessresources.go
index 8eb9b1896a..641da5cb87 100644
--- a/internal/stack/serverlessresources.go
+++ b/internal/stack/serverlessresources.go
@@ -32,6 +32,11 @@ var (
 			Path:    LogstashConfigFile,
 			Content: staticSource.Template("_static/serverless-logstash.conf.tmpl"),
 		},
+		&resource.File{
+			Path:         "logstash_startup.sh",
+			CreateParent: true,
+			Content:      staticSource.Template("_static/logstash_startup.sh"),
+		},
 	}
 )
 

From f8294df1427fbd7d1aae710eca8b4e13f54f6d0e Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Tue, 13 Feb 2024 15:43:59 -0800
Subject: [PATCH 07/13] Revise the comment to make the generic statement.

---
 internal/stack/_static/logstash_startup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/stack/_static/logstash_startup.sh b/internal/stack/_static/logstash_startup.sh
index 8a293783f1..8e9b6c0bae 100644
--- a/internal/stack/_static/logstash_startup.sh
+++ b/internal/stack/_static/logstash_startup.sh
@@ -18,7 +18,7 @@ overwrite_pipeline_config() {
   cat "$ls_pipeline_config_path/generated_logstash.conf" > "$ls_pipeline_config_path/logstash.conf"
 }
 
-# installs the `elastic_integration` plugin if not bundled
+# installs the given plugin if it is not installed
 install_plugin_if_missing() {
   plugin_name=$1
   if [[ ! $(bin/logstash-plugin list) == *"$plugin_name"* ]]; then

From 0159be73089a18adbc2a4fc07019cc493d94bbf5 Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Tue, 13 Feb 2024 18:26:04 -0800
Subject: [PATCH 08/13] Test if permissions inherited on mounted fs.

---
 internal/stack/_static/logstash_startup.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 internal/stack/_static/logstash_startup.sh

diff --git a/internal/stack/_static/logstash_startup.sh b/internal/stack/_static/logstash_startup.sh
old mode 100644
new mode 100755

From 94258b8917be8d881ec48b3978c88d587523bc4e Mon Sep 17 00:00:00 2001
From: Mashhur <99575341+mashhurs@users.noreply.github.com>
Date: Wed, 14 Feb 2024 07:42:27 -0800
Subject: [PATCH 09/13] Apply suggestions from code review

Read-only mounted certificates, set proper permission to a Logstash startup shell script.

Co-authored-by: Jaime Soriano Pastor
---
 internal/stack/_static/docker-compose-stack.yml.tmpl | 6 +++---
 internal/stack/resources.go | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index 3c090e17ca..678065eff8 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -170,10 +170,10 @@ services:
       interval: 60s
       timeout: 50s
       retries: 5
-    command: bash -c 'chmod +x /usr/share/logstash/startup.sh && /usr/share/logstash/startup.sh'
+    command: bash /usr/share/logstash/startup.sh
     volumes:
-      - "../certs/logstash:/usr/share/logstash/config/certs"
-      - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
+      - "../certs/logstash:/usr/share/logstash/config/certs:ro"
+      - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem:ro"
       - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
       - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
diff --git a/internal/stack/resources.go b/internal/stack/resources.go
index fa305f8737..2b066e0e1e 100644
--- a/internal/stack/resources.go
+++ b/internal/stack/resources.go
@@ -125,6 +125,7 @@ var (
 			Path:         "logstash_startup.sh",
 			CreateParent: true,
 			Content:      staticSource.Template("_static/logstash_startup.sh"),
+			Mode: resource.FileMode(0755),
 		},
 	}
 )

From eaed0b569454943c351847a31b577c732f3fb6b9 Mon Sep 17 00:00:00 2001
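Review bot: Mounting `../certs/logstash` as `:ro` conflicts with the startup script introduced earlier in this series, which writes `logstash.pkcs8.key` into `$LOGSTASH_HOME/config/certs`; with this hunk applied `create_cert` fails on a read-only filesystem and, because the script runs under `set -euo pipefail`, Logstash never starts. The key needs a writable location outside the mount (with a matching `ssl_key` path in `logstash.conf.tmpl`) before this mount can be read-only. `./logstash_startup.sh` is still mounted read-write even though the command no longer `chmod`s it; `- "./logstash_startup.sh:/usr/share/logstash/startup.sh:ro"` would fit the intent of this commit.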
From: Mashhur
Date: Wed, 14 Feb 2024 07:46:51 -0800
Subject: [PATCH 10/13] Refining the logics applied by code review: same apply on serverless.

---
 internal/stack/_static/logstash_startup.sh | 4 ++--
 internal/stack/_static/serverless-docker-compose.yml.tmpl | 4 ++--
 internal/stack/resources.go | 2 +-
 internal/stack/serverlessresources.go | 1 +
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/internal/stack/_static/logstash_startup.sh b/internal/stack/_static/logstash_startup.sh
index 8e9b6c0bae..ee74bd709b 100755
--- a/internal/stack/_static/logstash_startup.sh
+++ b/internal/stack/_static/logstash_startup.sh
@@ -8,8 +8,8 @@ LOGSTASH_HOME="/usr/share/logstash/"
 # Hence converting the key.pem to pkcs8 format using openssl.
 create_cert() {
   ls_cert_path="$LOGSTASH_HOME/config/certs"
-  openssl pkcs8 -inform PEM -in "$ls_cert_path/key.pem" -topk8 -nocrypt -outform PEM -out "$ls_cert_path/logstash.pkcs8.key"
-  chmod 777 $ls_cert_path/logstash.pkcs8.key
+  openssl pkcs8 -inform PEM -in "$ls_cert_path/key.pem" -topk8 -nocrypt -outform PEM -out "/tmp/logstash.pkcs8.key"
+  chmod 777 "/tmp/logstash.pkcs8.key"
 }
 
 # config copy is intentional that mounted volumes will be busy and cannot be overwritten
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index 767c2dd26b..05a5a40130 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
@@ -35,9 +35,9 @@ services:
       interval: 60s
       timeout: 50s
       retries: 5
-    command: bash -c 'chmod +x /usr/share/logstash/startup.sh && /usr/share/logstash/startup.sh'
+    command: bash /usr/share/logstash/startup.sh
     volumes:
-      - "../certs/logstash:/usr/share/logstash/config/certs"
+      - "../certs/logstash:/usr/share/logstash/config/certs:ro"
       - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
       - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
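Review bot: The unencrypted key now lands in `/tmp/logstash.pkcs8.key` with `chmod 777`: a fixed, predictable path in a world-writable directory, with mode bits that let any other uid in the container read or replace the key Logstash presents to agents. Logstash reads the key as the same user that wrote it, so `chmod 600 "/tmp/logstash.pkcs8.key"` is sufficient, or run `openssl` under `umask 077` so the file is never even briefly world-readable. `/tmp/logstash.pkcs8.key` is now hard-coded both here and as `ssl_key` in `logstash.conf.tmpl`; a comment on this line (`# must match ssl_key in logstash.conf.tmpl`) keeps the two from drifting apart.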
diff --git a/internal/stack/resources.go b/internal/stack/resources.go
index 2b066e0e1e..a57e44905f 100644
--- a/internal/stack/resources.go
+++ b/internal/stack/resources.go
@@ -125,7 +125,7 @@ var (
 			Path:         "logstash_startup.sh",
 			CreateParent: true,
 			Content:      staticSource.Template("_static/logstash_startup.sh"),
-			Mode: resource.FileMode(0755),
+			Mode:         resource.FileMode(0755),
 		},
 	}
 )
diff --git a/internal/stack/serverlessresources.go b/internal/stack/serverlessresources.go
index 641da5cb87..1191f7742e 100644
--- a/internal/stack/serverlessresources.go
+++ b/internal/stack/serverlessresources.go
@@ -36,6 +36,7 @@ var (
 			Path:         "logstash_startup.sh",
 			CreateParent: true,
 			Content:      staticSource.Template("_static/logstash_startup.sh"),
+			Mode:         resource.FileMode(0755),
 		},
 	}
 )

From 0fb0711f501fb725ba534577257abcb5811779c0 Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Wed, 14 Feb 2024 11:45:39 -0800
Subject: [PATCH 11/13] Revert the read-only mounting since it is failing on BK agent.

---
 internal/stack/_static/docker-compose-stack.yml.tmpl | 6 +++---
 internal/stack/_static/serverless-docker-compose.yml.tmpl | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index 678065eff8..5d72ee575b 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -172,9 +172,9 @@ services:
       retries: 5
     command: bash /usr/share/logstash/startup.sh
     volumes:
-      - "../certs/logstash:/usr/share/logstash/config/certs:ro"
-      - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem:ro"
-      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
+      - "../certs/logstash:/usr/share/logstash/config/certs"
+      - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
+      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf"
       - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
       - "127.0.0.1:5044:5044"
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index 05a5a40130..72652f3a4c 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
@@ -37,8 +37,8 @@ services:
       retries: 5
     command: bash /usr/share/logstash/startup.sh
     volumes:
-      - "../certs/logstash:/usr/share/logstash/config/certs:ro"
-      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
+      - "../certs/logstash:/usr/share/logstash/config/certs"
+      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf"
       - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
       - "127.0.0.1:5044:5044"

From a9cac4925e59278e861454ba6ad73f51dd46beac Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Wed, 14 Feb 2024 12:14:46 -0800
Subject: [PATCH 12/13] Enable SSL between LS and agent.

---
 internal/stack/_static/logstash.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/stack/_static/logstash.conf.tmpl b/internal/stack/_static/logstash.conf.tmpl
index 825488fd05..2832eb10b5 100644
--- a/internal/stack/_static/logstash.conf.tmpl
+++ b/internal/stack/_static/logstash.conf.tmpl
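Review bot: The commit drops `:ro` from all three mounts because of a Buildkite failure, but neither the message nor the template records which mount failed or with what error, so the next person cannot tell whether `generated_logstash.conf` and `elasticsearch.pem` — which the startup script only reads, as far as this series shows — could safely go back to read-only. A comment beside the `volumes:` list, e.g. `# NOTE: read-only bind mounts fail on the Buildkite agent (<error or ticket>); revisit`, would preserve the reason for this regression and scope it to the mount that actually broke.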
@@ -1,7 +1,7 @@
 input {
   elastic_agent {
     port => 5044
-    ssl_enabled => false
+    ssl_enabled => true
     ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca-cert.pem"]
     ssl_certificate => "/usr/share/logstash/config/certs/cert.pem"
     ssl_key => "/tmp/logstash.pkcs8.key"

From cea200c9fc26baf1c8206106d50cf410e2691d83 Mon Sep 17 00:00:00 2001
From: Mashhur
Date: Wed, 14 Feb 2024 15:39:05 -0800
Subject: [PATCH 13/13] Make mounted files read-only except certs folder.

---
 internal/stack/_static/docker-compose-stack.yml.tmpl | 4 ++--
 internal/stack/_static/serverless-docker-compose.yml.tmpl | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index 5d72ee575b..19af7e6adc 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -173,8 +173,8 @@ services:
     command: bash /usr/share/logstash/startup.sh
     volumes:
       - "../certs/logstash:/usr/share/logstash/config/certs"
-      - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
-      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf"
+      - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem:ro"
+      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
       - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
       - "127.0.0.1:5044:5044"
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index 72652f3a4c..4069869111 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
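Review bot: The commit title says everything except the certs folder becomes read-only, yet `./logstash_startup.sh:/usr/share/logstash/startup.sh` is left read-write, and it is the one mounted file the container executes. Since the command is now `bash /usr/share/logstash/startup.sh`, no executable bit or in-container write is required, so `- "./logstash_startup.sh:/usr/share/logstash/startup.sh:ro"` should be safe unless the earlier Buildkite failure was specific to this mount; the same applies to the serverless template in this commit. The certs directory stays writable here although, after the earlier move of the generated key to `/tmp`, nothing visible in this series writes into it any more.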
@@ -38,7 +38,7 @@ services:
     command: bash /usr/share/logstash/startup.sh
     volumes:
       - "../certs/logstash:/usr/share/logstash/config/certs"
-      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf"
+      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
       - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
       - "127.0.0.1:5044:5044"