Skip to content

Use embedded GeoIP database #562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Nov 1, 2021
Merged

Use embedded GeoIP database #562

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4ccb22b
Use embedded GeoIP database
Oct 29, 2021
0481bb1
Use IP address with GeoIP records
Oct 29, 2021
783fbe7
Write HOWTO
Oct 29, 2021
4646958
WIP
Oct 29, 2021
881ec2b
Revert "Use IP address with GeoIP records"
Oct 29, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions docs/howto/ingest_geoip.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# HOWTO: Use MaxMind's GeoIP database in tests

Elasticsearch provides default GeoIP databases that can be downloaded in runtime and which weights ~70 MB. This can be
a root cause of flakiness of package tests, so elastic-package embeds small samples of GeoIP databases, that can identify
accurately only few ranges of IP addresses:

```
1.128.3.4
175.16.199.1
216.160.83.57
216.160.83.61
67.43.156.12
81.2.69.143
81.2.69.144
81.2.69.145
81.2.69.193
89.160.20.112
89.160.20.156
67.43.156.12
67.43.156.13
67.43.156.14
67.43.156.15
2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
```

If you want the ingest pipeline to include a "geo" section in the event, feel free to use one of above IP addresses.
Embedded databases contain information about: cities, countries and ASNs.
Binary file added internal/install/_static/GeoLite2-ASN.mmdb
View file
Open in desktop
Binary file not shown.
Binary file added internal/install/_static/GeoLite2-City.mmdb
View file
Open in desktop
Binary file not shown.
Binary file added internal/install/_static/GeoLite2-Country.mmdb
View file
Open in desktop
Binary file not shown.
42 changes: 37 additions & 5 deletions internal/install/install.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,6 @@ func createElasticPackageDirectory(elasticPackagePath *locations.LocationManager
}

func writeStackResources(elasticPackagePath *locations.LocationManager) error {

err := os.MkdirAll(elasticPackagePath.PackagesDir(), 0755)
if err != nil {
return errors.Wrapf(err, "creating directory failed (path: %s)", elasticPackagePath.PackagesDir())
Expand All @@ -158,10 +157,44 @@ func writeStackResources(elasticPackagePath *locations.LocationManager) error {
return errors.Wrapf(err, "creating directory failed (path: %s)", elasticPackagePath.PackagesDir())
}

resourcePath := filepath.Join(elasticPackagePath.StackDir(), "healthcheck.sh")
err = writeStaticResource(err, resourcePath, kibanaHealthcheckSh)
kibanaHealthcheckPath := filepath.Join(elasticPackagePath.StackDir(), "healthcheck.sh")
err = writeStaticResource(err, kibanaHealthcheckPath, kibanaHealthcheckSh)
if err != nil {
return errors.Wrapf(err, "copying healthcheck script failed (%s)", kibanaHealthcheckPath)
}

// Install GeoIP database
ingestGeoIPDir := filepath.Join(elasticPackagePath.StackDir(), "ingest-geoip")

// This directory is intended to be empty as we include GeoIP databases only in the 8x stack family.
ingestGeoIPDefaultDir := filepath.Join(ingestGeoIPDir, "default")
err = os.MkdirAll(ingestGeoIPDefaultDir, 0755)
if err != nil {
return errors.Wrapf(err, "creating directory failed (path: %s)", ingestGeoIPDefaultDir)
}

ingestGeoIP8xDir := filepath.Join(ingestGeoIPDir, "8x")
err = os.MkdirAll(ingestGeoIP8xDir, 0755)
if err != nil {
return errors.Wrapf(err, "creating directory failed (path: %s)", ingestGeoIP8xDir)
}

geoIpAsnMmdbPath := filepath.Join(ingestGeoIP8xDir, "GeoLite2-ASN.mmdb")
err = writeStaticResource(err, geoIpAsnMmdbPath, geoIpAsnMmdb)
if err != nil {
return errors.Wrapf(err, "copying GeoIP ASN database failed (%s)", geoIpAsnMmdbPath)
}

geoIpCityMmdbPath := filepath.Join(ingestGeoIP8xDir, "GeoLite2-City.mmdb")
err = writeStaticResource(err, geoIpCityMmdbPath, geoIpCityMmdb)
if err != nil {
return errors.Wrapf(err, "copying healthcheck script failed (%s)", resourcePath)
return errors.Wrapf(err, "copying GeoIP city database failed (%s)", geoIpCityMmdbPath)
}

geoIpCountryMmdbPath := filepath.Join(ingestGeoIP8xDir, "GeoLite2-Country.mmdb")
err = writeStaticResource(err, geoIpCountryMmdbPath, geoIpCountryMmdb)
if err != nil {
return errors.Wrapf(err, "copying GeoIP country database failed (%s)", geoIpCountryMmdbPath)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These files should be added only when using 8.x versions of the stack, otherwise we will need to regenerate all integrations targeting 7.x.

Copy link
Contributor Author

@mtojek mtojek Oct 29, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering how does it work at the moment.

If you look at the master build: https://beats-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Felastic-package/detail/master/249/pipeline/ , it contains the ingest.geoip.downloader.enabled: false and the output is like this:

�[36melasticsearch_1              |�[0m {"type": "server", "timestamp": "2021-10-29T09:06:56,812Z", "level": "INFO", "component": "o.e.i.g.LocalDatabases", "cluster.name": "elasticsearch", "node.name": "8476f291c554", "message": "initialized default databases [[GeoLite2-Country.mmdb, GeoLite2-City.mmdb, GeoLite2-ASN.mmdb]], config databases [[]] and watching [/usr/share/elasticsearch/config/ingest-geoip] for changes" }
�[36melasticsearch_1              |�[0m {"type": "server", "timestamp": "2021-10-29T09:06:56,813Z", "level": "INFO", "component": "o.e.i.g.DatabaseRegistry", "cluster.name": "elasticsearch", "node.name": "8476f291c554", "message": "initialized database registry, using geoip-databases directory [/tmp/elasticsearch-9816551266999378429/geoip-databases/ygIzHKcVSRSzStUofwIYLA]" }

In 8.0.0 (this PR) it's like this:

�[36melasticsearch_1              |�[0m {"@timestamp":"2021-10-29T11:25:02.948Z", "log.level": "INFO", "message":"initialized config databases [[GeoLite2-Country.mmdb, GeoLite2-ASN.mmdb, GeoLite2-City.mmdb]] and watching [/usr/share/elasticsearch/config/ingest-geoip] for changes", "service.name":"ES_ECS","process.thread.name":"main","log.logger":"org.elasticsearch.ingest.geoip.ConfigDatabases","event.dataset":"elasticsearch.server","elasticsearch.node.name":"b8f554d090ec","elasticsearch.cluster.name":"elasticsearch"}
�[36melasticsearch_1              |�[0m {"@timestamp":"2021-10-29T11:25:02.950Z", "log.level": "INFO", "message":"initialized database registry, using geoip-databases directory [/tmp/elasticsearch-3032188866989068903/geoip-databases/fpV1Mx8bTOmtvFA1rgpDTA]", "service.name":"ES_ECS","process.thread.name":"main","log.logger":"org.elasticsearch.ingest.geoip.DatabaseNodeService","event.dataset":"elasticsearch.server","elasticsearch.node.name":"b8f554d090ec","elasticsearch.cluster.name":"elasticsearch"}

These files should be added only when using 8.x versions of the stack, otherwise we will need to regenerate all integrations targeting 7.x.

It would be a directory hack to make it running as we use the Docker Compose snapshot, so basically:
ingest-geoip-default and ingest-geoip-8x. The first one would be empty. Otherwise it won't be possible without the blocker I linked in the original issue.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering how does it work at the moment.

No idea what these log lines mean 😬

What I have seen is that in 7.x, if the downloader is disabled, then it uses a set of included databases, with the downloader it downloads a new set and uses it. In 8.0 no set of databases are included, so without databases no enrichment is done and a tag is added to indicate the problem.

It would be a directory hack to make it running as we use the Docker Compose snapshot, so basically:
ingest-geoip-default and ingest-geoip-8x. The first one would be empty. Otherwise it won't be possible without the blocker I linked in the original issue.

Ok, if this is too hacky maybe we have to wait for #557.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me try with the hack and we'll decide what to do about it.

}

options := profile.Options{
Expand All @@ -170,7 +203,6 @@ func writeStackResources(elasticPackagePath *locations.LocationManager) error {
OverwriteExisting: false,
}
return profile.CreateProfile(options)

}

func writeTerraformDeployerResources(elasticPackagePath *locations.LocationManager) error {
Expand Down
9 changes: 9 additions & 0 deletions internal/install/static.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,12 @@ var terraformDeployerYml string

//go:embed _static/terraform_deployer_run.sh
var terraformDeployerRun string

//go:embed _static/GeoLite2-ASN.mmdb
var geoIpAsnMmdb string

//go:embed _static/GeoLite2-City.mmdb
var geoIpCityMmdb string

//go:embed _static/GeoLite2-Country.mmdb
var geoIpCountryMmdb string
1 change: 1 addition & 0 deletions internal/profile/_static/docker-compose-stack.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ services:
- "ELASTIC_PASSWORD=changeme"
volumes:
- "./elasticsearch.config.${STACK_VERSION_VARIANT}.yml:/usr/share/elasticsearch/config/elasticsearch.yml"
- "../../../stack/ingest-geoip/${STACK_VERSION_VARIANT}/:/usr/share/elasticsearch/config/ingest-geoip"
ports:
- "127.0.0.1:9200:9200"

Expand Down