enrich container id from process id #15947
Conversation
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
| // specific language governing permissions and limitations | ||
| // under the License. | ||
|
|
||
| package add_process_metadata |
There was a problem hiding this comment.
don't use an underscore in package name
| // specific language governing permissions and limitations | ||
| // under the License. | ||
|
|
||
| package add_process_metadata |
There was a problem hiding this comment.
don't use an underscore in package name
jsoriano
added
Team:Platforms
zube
bot
added
[zube]: Inbox
[zube]: In Review
and removed
[zube]: In Review
[zube]: Inbox
labels
| @@ -35,6 +35,8 @@ import ( | |||
| const ( | |||
| processorName = "add_process_metadata" | |||
| cacheExpiration = time.Second * 30 | |||
| hostPath = "/" | |||
There was a problem hiding this comment.
This needs to be configurable. Let's do it the same way as add_docker_metadata.
| @@ -35,6 +35,8 @@ import ( | |||
| const ( | |||
| processorName = "add_process_metadata" | |||
| cacheExpiration = time.Second * 30 | |||
| hostPath = "/" | |||
| cgroupPrefix = "/kubepods" | |||
There was a problem hiding this comment.
This needs to be configurable too. I'd prefer to have this be search list so that it works out of the box with multiple tools (/kubepods, /docker). I don't know how the other tools name their cgroups, but if we can cover them too this would be great.
| } | ||
|
|
||
| func (p gosigarCidProvider) GetCid(pid int) (result string, err error) { | ||
| cgroups, err := cgroup.ProcessCgroupPaths(p.hostPath, pid) |
There was a problem hiding this comment.
I see there is a mock cidProvider implementation for testing the processor. But that leaves this part untested. I recommend mocking out the cgroup.ProcessCgroupPaths function in order to get test coverage of this provider. add_docker_metadata does this with:
beats/libbeat/processors/add_docker_metadata/add_docker_metadata.go
Lines 49 to 51 in bc71069
|
💚 CLA has been signed |
|
|
|
Also, I signed the CLA, but it still shows not signed |
| gCidProvider = newCidProvider(hostPath, cgroupPrefix) | ||
| processCgroupPaths = cgroup.ProcessCgroupPaths | ||
|
|
||
| // wantContainerID = false |
There was a problem hiding this comment.
| // wantContainerID = false |
| @@ -105,7 +106,7 @@ func newProcessMetadataProcessorWithProvider(cfg *common.Config, provider proces | |||
| p := addProcessMetadata{ | |||
| config: config, | |||
| provider: provider, | |||
| cidProvider: cidProvider, | |||
| cidProvider: newCidProvider(config.HostPath, config.CgroupPrefixes, processCgroupPaths), | |||
There was a problem hiding this comment.
I recommend leaving this as nil when container.id is not in the mappings. Then adjust the enrich function accordingly. This will save it from doing the work when it's disabled.
There was a problem hiding this comment.
Thanks for the suggestion!
Instead of making the cidProvider nil when it is disabled, I passed a dummy function to the cidProvider which also avoids the use of cgroup.ProcessCgroupPaths to see the cgroup of the process.
The reason for that is I felt that the use of nil is a code smell, as we could not extend nil in the future. Also, the extra steps introduced by the dummy function will probably be optimized away by the compiler.
| container id field is not outputed. If `restricted_fields` is `true`, `cid` | ||
| container id can be enriched from cgroup, when running auditbeat on kubernetes. | ||
| `host_path`:: (Optional) By default, the `host_path` field is set to the root | ||
| directory of the host `/`. HostPath is the path where /proc reside. For different |
There was a problem hiding this comment.
| directory of the host `/`. HostPath is the path where /proc reside. For different | |
| directory of the host `/`. This is the path where `/proc` is mounted. For different |
| container id can be enriched from cgroup, when running auditbeat on kubernetes. | ||
| `host_path`:: (Optional) By default, the `host_path` field is set to the root | ||
| directory of the host `/`. HostPath is the path where /proc reside. For different | ||
| runtime configuration of Kubernetes or docker, the host_path can be set to |
There was a problem hiding this comment.
| runtime configuration of Kubernetes or docker, the host_path can be set to | |
| runtime configuration of Kubernetes or Docker the `host_path` can be set to |
| `host_path`:: (Optional) By default, the `host_path` field is set to the root | ||
| directory of the host `/`. HostPath is the path where /proc reside. For different | ||
| runtime configuration of Kubernetes or docker, the host_path can be set to | ||
| overwrite the default `host_path` |
There was a problem hiding this comment.
| overwrite the default `host_path` | |
| overwrite the default. |
| overwrite the default `host_path` | ||
|
|
||
| `cgroup_prefixes`:: (Optional) By default, the `cgroup_prefixes` field is set to | ||
| `/kubepods` and `/docker`. CgroupPrefix is the prefix where the container id is |
There was a problem hiding this comment.
| `/kubepods` and `/docker`. CgroupPrefix is the prefix where the container id is | |
| `/kubepods` and `/docker`. This is the prefix where the container ID is |
|
|
||
| `cgroup_prefixes`:: (Optional) By default, the `cgroup_prefixes` field is set to | ||
| `/kubepods` and `/docker`. CgroupPrefix is the prefix where the container id is | ||
| inside cgroup. or different runtime configuration of Kubernetes or docker, the |
There was a problem hiding this comment.
| inside cgroup. or different runtime configuration of Kubernetes or docker, the | |
| inside cgroup. For different runtime configuration of Kubernetes or Docker the |
| `cgroup_prefixes`:: (Optional) By default, the `cgroup_prefixes` field is set to | ||
| `/kubepods` and `/docker`. CgroupPrefix is the prefix where the container id is | ||
| inside cgroup. or different runtime configuration of Kubernetes or docker, the | ||
| cgroup_prefixes can be set to overwrite the default `cgroup_prefixes` |
There was a problem hiding this comment.
| cgroup_prefixes can be set to overwrite the default `cgroup_prefixes` | |
| `cgroup_prefixes` can be set to overwrite the defaults. |
Thanks for the suggestion! |
| } | ||
| if p.mappings, err = config.getMappings(); err != nil { | ||
| mappings, err := config.getMappings() | ||
|
|
| if ok := containsValue(mappings, "container.id"); ok { | ||
| cidProvider = newCidProvider(config.HostPath, config.CgroupPrefixes, processCgroupPaths) | ||
| } else { | ||
| dummyProcessCgroupPaths := func(_ string, pid int) (map[string]string, error) { |
There was a problem hiding this comment.
| dummyProcessCgroupPaths := func(_ string, pid int) (map[string]string, error) { | |
| dummyProcessCgroupPaths := func(_ string, _ int) (map[string]string, error) { |
| dummyProcessCgroupPaths := func(_ string, pid int) (map[string]string, error) { | ||
| return map[string]string{}, nil | ||
| } | ||
| cidProvider = newCidProvider(config.HostPath, []string{}, dummyProcessCgroupPaths) |
There was a problem hiding this comment.
| cidProvider = newCidProvider(config.HostPath, []string{}, dummyProcessCgroupPaths) | |
| cidProvider = newCidProvider(config.HostPath, nil, dummyProcessCgroupPaths) |
https://github.com/golang/go/wiki/CodeReviewComments#declaring-empty-slices
| return result, nil | ||
| } | ||
|
|
||
| // add container.id into meta for mapping to pickup |
There was a problem hiding this comment.
| // add container.id into meta for mapping to pickup | |
| // enrichContainerID adds container.id into meta for mapping to pickup. |
I like to follow godoc style even for unexported types/methods.
| @@ -35,6 +35,9 @@ type config struct { | |||
| // RestrictedFields make restricted fields available (i.e. env). | |||
| RestrictedFields bool `config:"restricted_fields"` | |||
|
|
|||
| // IncludeCid make cid field available | |||
| IncludeCid bool `config:"include_cid"` | |||
There was a problem hiding this comment.
| IncludeCid bool `config:"include_cid"` |
|
|
||
| func (p gosigarCidProvider) GetCid(pid int) (result string, err error) { | ||
| cgroups, err := p.processCgroupPaths(p.hostPath, pid) | ||
|
|
| } | ||
|
|
||
| func newCidProvider(hostPath string, cgroupPrefixes []string, processCgroupPaths func(string, int) (map[string]string, error)) gosigarCidProvider { | ||
|
|
| // don't use cgroup.ProcessCgroupPaths to save it from doing the work when container id disabled | ||
| if ok := containsValue(mappings, "container.id"); ok { | ||
| cidProvider = newCidProvider(config.HostPath, config.CgroupPrefixes, processCgroupPaths) | ||
| } else { |
There was a problem hiding this comment.
The reason for that is I felt that the use of nil is a code smell, as we could not extend nil in the future. Also, the extra steps introduced by the dummy function will probably be optimized away by the compiler.
I still think that leaving this cidProvider as nil is simpler when the feature is disabled. It doesn't leave anything to chance with compiler optimizations.
I'm not sure what you meant by "as we could not extend nil in the future".
There was a problem hiding this comment.
Just a small style different, I changed it to use nil.
Trying to explain "as we could not extend nil in the future".
- Put the
cidProviderto nil, in the case ofcontainer.idis disabled, Then there has to be a nil check in theenrichfunction. If there is another case, there has to be another type of check for whatcidProvider. - Whereas, by changing the behavior of the
cidProviderso that whencontainer.idis disabled it will not add container id. If there is another case, just pass an instance ofcidProviderwhich behaved differently, then there is not any change required in theenrich. - Furthermore, say if there is any change required in the runtime. It would be possible to pass a different instance of
cidProviderto the processor determined by some conditions.
It is not specifically required in this PR, but just thought it could leave more flexibility
There was a problem hiding this comment.
why not just overwrite/expand existing provider instead of creating another one? Some functionalities might still go for regular provider and e.g. try to read /proc/$some_pid/exe instead $host_path/proc/$some_pid/exe
| return result, nil | ||
| } | ||
|
|
||
| // add container.id into meta for mapping to pickup | ||
| func (p *addProcessMetadata) enrichContainerID(pid int, meta common.MapStr) (common.MapStr, error) { |
There was a problem hiding this comment.
I don't think this needs to pass back the meta reference. Just have it return the error.
|
jenkins, test this please |
libbeat/processors/add_process_metadata/add_process_metadata.go
Outdated
Show resolved
Hide resolved
libbeat/processors/add_process_metadata/add_process_metadata.go
Outdated
Show resolved
Hide resolved
|
jenkins test this please |
|
Thank you so much for your contribution!! |
* enrich container id from process id (cherry picked from commit 3cb957d)
* enrich container id from process id (cherry picked from commit 3cb957d)
* enrich container id from process id (cherry picked from commit 3aaf027) Co-authored-by: Fang He <fangbrookhe@gmail.com>
Type of change
What does this PR do?
This PR enables add process metadata to enrich container id in Kubernetes environment by cgroup using process id.
Why is it important?
Include important metadata of the container id in the Kubernetes environment, which beats don't have this ability yet.
Checklist
Author's Checklist
How to test this PR locally
Deploy Auditbeat in minikube with the include_cid set to true. Deploy an sshd server in minikube. After the Auditbeat is running, ssh into the sshd server, which will trigger an Auditbeat event. See if the event coming from the sshd container is enriched with container id
cidRelated issues
Closes #14967
Use cases
Screenshots
Logs