
[Defend Workflows][Main port] Unblock fleet setup when validating thousands of uninstall tokens #174737

Conversation

gergoabraham (Contributor):

Main port of the following PR merged to 8.12:

The goal of this port is to sync between 8.12 and main, while other changes are expected to the related uninstall token validation.

@gergoabraham gergoabraham added release_note:skip Skip the PR/issue when compiling release notes backport:skip This commit does not require backporting Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.13.0 labels Jan 12, 2024
@gergoabraham gergoabraham self-assigned this Jan 12, 2024
…s of uninstall tokens (elastic#174535)

To unblock Fleet setup when dealing with thousands of agent policies,
the query that's used to get decrypted SOs is now performed in batches.

The size of the batch is related to
[`max_clause_count`](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-settings.html),
and it looks like the batch size needs to be smaller than the _half of
the value_.
`max_clause_count` is at least `1024`, so going with `500` should work
even on environments with the scarcest resources.

With this modification, Fleet setup is successfully performed. Other
issues (like errors in the Uninstall Tokens table) have not arisen.

**TODO:** updating/adding tests

- you need to find out the value of
`indices.query.bool.max_clause_count` on your local machine (is there an
easy way?)
- for that, check out `8.12`,
- add a lot of Agent Policies: so far we experienced the issue with 2.7k
policies on one machine and 3.2k on another. Here's a modified version
of @dasansol92's script for adding Agent Policies (without Defend):
e6f24b2
- restart Kibana
- you should see the `too_many_nested_clauses` error + you should not be
able to open any Fleet pages in Kibana
(if not, add more policies)
- now, switch to this branch without stopping ES
- restart Kibana: you should see that fleet setup is successful + you
should be able to access Fleet pages

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
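The batching the commit message describes, as an added example that is not Kibana's code: a constructed in-memory stand-in for the decrypted saved-object lookup that rejects a query whose clause count exceeds `max_clause_count`, beside the batched fetch that stays under it. The `1024` limit and the two-clauses-per-id cost are assumptions chosen to match the "half of the value" observation above.

```typescript
// Added example, not Kibana's code: an in-memory stand-in for the saved-objects
// query that fails with too_many_nested_clauses once a bool query carries more
// clauses than max_clause_count, and the batched lookup that stays under it.

const MAX_CLAUSE_COUNT = 1024; // assumed: the minimum value the commit message cites
const BATCH_SIZE = 500;        // the PR's choice: below half of max_clause_count
const CLAUSES_PER_ID = 2;      // assumed: why "half of the value" is the ceiling

interface UninstallToken {
  policyId: string;
  token: string;
}

// Constructed store: one uninstall token per agent policy id.
function makeStore(policyCount: number): Record<string, UninstallToken> {
  const store: Record<string, UninstallToken> = {};
  for (let i = 0; i < policyCount; i++) {
    store[`policy-${i}`] = { policyId: `policy-${i}`, token: `tok-${i}` };
  }
  return store;
}

// Stand-in for a "find by ids" bool/should query: rejects the request the way
// Elasticsearch does when the nested clause count exceeds the limit.
function findByIds(store: Record<string, UninstallToken>, ids: string[]): UninstallToken[] {
  const clauses = ids.length * CLAUSES_PER_ID;
  if (clauses > MAX_CLAUSE_COUNT) {
    throw new Error(`too_many_nested_clauses: ${clauses} > ${MAX_CLAUSE_COUNT}`);
  }
  return ids.map((id) => store[id]).filter((t): t is UninstallToken => t !== undefined);
}

// Split the id list into fixed-size batches; the last batch may be shorter.
function chunk<T>(items: T[], size: number): T[][] {
  const batches: T[][] = [];
  for (let i = 0; i < items.length; i += size) batches.push(items.slice(i, i + size));
  return batches;
}

// Batched lookup: every batch is small enough to stay under the clause limit.
function fetchTokensBatched(store: Record<string, UninstallToken>, ids: string[], batchSize: number = BATCH_SIZE): UninstallToken[] {
  if (batchSize * CLAUSES_PER_ID > MAX_CLAUSE_COUNT) {
    throw new Error('batch size must stay below half of max_clause_count');
  }
  const result: UninstallToken[] = [];
  for (const batch of chunk(ids, batchSize)) result.push(...findByIds(store, batch));
  return result;
}
```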
@gergoabraham gergoabraham force-pushed the main-port-unblock-fleet-setup-while-checking-uninstall-tokens-with-thousands-of-policies branch from 9d23e1c to 288ec10 Compare January 12, 2024 09:47
@gergoabraham gergoabraham marked this pull request as ready for review January 12, 2024 09:47
@gergoabraham gergoabraham requested a review from a team as a code owner January 12, 2024 09:47
@elasticmachine (Contributor):

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@gergoabraham gergoabraham requested review from joeypoon, a team and paul-tavares and removed request for a team January 12, 2024 09:47
@gergoabraham (Contributor, Author):

@elasticmachine merge upstream

…-uninstall-tokens-with-thousands-of-policies
@botelastic botelastic bot added the Team:Fleet Team label for Observability Data Collection Fleet team label Jan 12, 2024
@elasticmachine (Contributor):

Pinging @elastic/fleet (Team:Fleet)

@gergoabraham (Contributor, Author):

@elasticmachine merge upstream

…-uninstall-tokens-with-thousands-of-policies
@gergoabraham gergoabraham enabled auto-merge (squash) January 15, 2024 08:10
@gergoabraham gergoabraham merged commit 9aa310e into elastic:main Jan 15, 2024
21 checks passed
@kibana-ci (Collaborator):

💛 Build succeeded, but was flaky

Metrics: unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @gergoabraham

@gergoabraham gergoabraham deleted the main-port-unblock-fleet-setup-while-checking-uninstall-tokens-with-thousands-of-policies branch January 15, 2024 13:07