Libbeat's HTTP Server can now listen to unix socket. (#13655)
* Libbeat's HTTP Server can now listen to unix socket.

Allow the use of a socket file, using the `unix:///tmp/hello.sock` syntax,
to define an HTTP server that will listen for HTTP requests.
ph authored Oct 11, 2019
1 parent 62c6b26 commit 5d9aeb7
Showing 43 changed files with 2,010 additions and 257 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
@@ -18,6 +18,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Update to Golang 1.12.7. {pull}12931[12931]
- Remove `in_cluster` configuration parameter for Kuberentes, now in-cluster configuration is used only if no other kubeconfig is specified {pull}13051[13051]
- Disable Alibaba Cloud and Tencent Cloud metadata providers by default. {pull}13812[12812]
- Libbeat HTTP's Server can listen to a unix socket using the `unix:///tmp/hello.sock` syntax. {pull}13655[13655]
- Libbeat HTTP's Server can listen to a Windows named pipe using the `npipe:///hello` syntax. {pull}13655[13655]

*Auditbeat*

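Review bot: the two new entries read "Libbeat HTTP's Server", with the possessive on the wrong noun; the commit title has it right, so "Libbeat's HTTP server can listen on a unix socket using the `unix:///tmp/hello.sock` syntax" and "... on a Windows named pipe using the `npipe:///hello` syntax". Since the listener files in this commit reject `npipe://` hosts on POSIX and `unix://` hosts on Windows, each entry should also say which platform its syntax is limited to, so operators do not expect a cross-platform option.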
3 changes: 2 additions & 1 deletion NOTICE.txt
@@ -4044,7 +4044,8 @@ Copyright 2012 Matt T. Proud (matt.proud@gmail.com)

--------------------------------------------------------------------
Dependency: github.com/Microsoft/go-winio
Revision: f533f7a102197536779ea3a8cb881d639e21ec5a
Version: v0.4.14
Revision: 6c72808b55902eae4c5943626030429ff20f3b63
License type (autodetected): MIT
./vendor/github.com/Microsoft/go-winio/LICENSE:
--------------------------------------------------------------------
13 changes: 11 additions & 2 deletions auditbeat/auditbeat.reference.yml
@@ -1070,7 +1070,7 @@ setup.template.settings:
#setup.ilm.enabled: auto

# Set the prefix used in the index lifecycle write alias name. The default alias
# name is 'auditbeat-%{[agent.version]}'.
# name is 'auditbeat-%{[agent.version]}'.
#setup.ilm.rollover_alias: "auditbeat"

# Set the rollover index pattern. The default is "%{now/d}-000001".
@@ -1333,12 +1333,21 @@ logging.files:
# Defines if the HTTP endpoint is enabled.
#http.enabled: false

# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe.
# When using IP addresses, it is recommended to only use localhost.
#http.host: localhost

# Port on which the HTTP endpoint will bind. Default is 5066.
#http.port: 5066

# Define which user should be owning the named pipe.
#http.named_pipe.user:

# Define which the permissions that should be applied to the named pipe, use the Security
# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
# `http.user`.
#http.named_pipe.security_descriptor:

#============================= Process Security ================================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
13 changes: 11 additions & 2 deletions filebeat/filebeat.reference.yml
@@ -1771,7 +1771,7 @@ setup.template.settings:
#setup.ilm.enabled: auto

# Set the prefix used in the index lifecycle write alias name. The default alias
# name is 'filebeat-%{[agent.version]}'.
# name is 'filebeat-%{[agent.version]}'.
#setup.ilm.rollover_alias: "filebeat"

# Set the rollover index pattern. The default is "%{now/d}-000001".
@@ -2034,12 +2034,21 @@ logging.files:
# Defines if the HTTP endpoint is enabled.
#http.enabled: false

# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe.
# When using IP addresses, it is recommended to only use localhost.
#http.host: localhost

# Port on which the HTTP endpoint will bind. Default is 5066.
#http.port: 5066

# Define which user should be owning the named pipe.
#http.named_pipe.user:

# Define which the permissions that should be applied to the named pipe, use the Security
# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
# `http.user`.
#http.named_pipe.security_descriptor:

#============================= Process Security ================================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
13 changes: 11 additions & 2 deletions heartbeat/heartbeat.reference.yml
@@ -1214,7 +1214,7 @@ setup.template.settings:
#setup.ilm.enabled: auto

# Set the prefix used in the index lifecycle write alias name. The default alias
# name is 'heartbeat-%{[agent.version]}'.
# name is 'heartbeat-%{[agent.version]}'.
#setup.ilm.rollover_alias: "heartbeat"

# Set the rollover index pattern. The default is "%{now/d}-000001".
@@ -1477,12 +1477,21 @@ logging.files:
# Defines if the HTTP endpoint is enabled.
#http.enabled: false

# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe.
# When using IP addresses, it is recommended to only use localhost.
#http.host: localhost

# Port on which the HTTP endpoint will bind. Default is 5066.
#http.port: 5066

# Define which user should be owning the named pipe.
#http.named_pipe.user:

# Define which the permissions that should be applied to the named pipe, use the Security
# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
# `http.user`.
#http.named_pipe.security_descriptor:

#============================= Process Security ================================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
13 changes: 11 additions & 2 deletions journalbeat/journalbeat.reference.yml
@@ -1015,7 +1015,7 @@ setup.template.settings:
#setup.ilm.enabled: auto

# Set the prefix used in the index lifecycle write alias name. The default alias
# name is 'journalbeat-%{[agent.version]}'.
# name is 'journalbeat-%{[agent.version]}'.
#setup.ilm.rollover_alias: "journalbeat"

# Set the rollover index pattern. The default is "%{now/d}-000001".
@@ -1278,12 +1278,21 @@ logging.files:
# Defines if the HTTP endpoint is enabled.
#http.enabled: false

# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe.
# When using IP addresses, it is recommended to only use localhost.
#http.host: localhost

# Port on which the HTTP endpoint will bind. Default is 5066.
#http.port: 5066

# Define which user should be owning the named pipe.
#http.named_pipe.user:

# Define which the permissions that should be applied to the named pipe, use the Security
# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
# `http.user`.
#http.named_pipe.security_descriptor:

#============================= Process Security ================================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
13 changes: 11 additions & 2 deletions libbeat/_meta/config.reference.yml.tmpl
@@ -958,7 +958,7 @@ setup.template.settings:
#setup.ilm.enabled: auto

# Set the prefix used in the index lifecycle write alias name. The default alias
# name is 'beatname-%{[agent.version]}'.
# name is 'beatname-%{[agent.version]}'.
#setup.ilm.rollover_alias: "beat-index-prefix"

# Set the rollover index pattern. The default is "%{now/d}-000001".
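Review bot: this hunk changes only whitespace on the `# name is 'beatname-%{[agent.version]}'.` comment line (the removed and added lines read identically), and the same whitespace-only change is replicated into the generated auditbeat, filebeat, heartbeat and journalbeat reference files above. It has nothing to do with the unix socket feature; either drop it or move it to its own commit so the functional change stays reviewable.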
@@ -1221,12 +1221,21 @@ logging.files:
# Defines if the HTTP endpoint is enabled.
#http.enabled: false

# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe.
# When using IP addresses, it is recommended to only use localhost.
#http.host: localhost

# Port on which the HTTP endpoint will bind. Default is 5066.
#http.port: 5066

# Define which user should be owning the named pipe.
#http.named_pipe.user:

# Define which the permissions that should be applied to the named pipe, use the Security
# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
# `http.user`.
#http.named_pipe.security_descriptor:

#============================= Process Security ================================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
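Review bot: three problems in the new named pipe comments, which should be fixed here in the template and then regenerated into the per-beat reference files above. First, `# Define which the permissions that should be applied to the named pipe, use the Security` is garbled; suggest "Define the permissions applied to the named pipe, expressed in the Security Descriptor Definition Language (SDDL)." Second, the mutual-exclusion sentence names `http.user`, but the option this hunk introduces (and that config.go binds via the `named_pipe.user` tag) is `http.named_pipe.user`; the wrong key will send operators looking for a setting that does not exist. Third, the `http.host` comment now promises "unix socket or named pipe" but the only example value is `localhost`; add the two forms from the commit message as commented examples, e.g. `#http.host: unix:///tmp/beatname.sock` and `#http.host: npipe:///beatname`, and state that `http.port` is not used for those forms if that is how the parser treats them.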
15 changes: 12 additions & 3 deletions libbeat/api/config.go
@@ -17,16 +17,25 @@

package api

import "os"

// Config is the configuration for the API endpoint.
type Config struct {
Enabled bool
Host string
Port int
Enabled bool `config:"enabled"`
Host string `config:"host"`
Port int `config:"port"`
User string `config:"named_pipe.user"`
SecurityDescriptor string `config:"named_pipe.security_descriptor"`
}

var (
// DefaultConfig is the default configuration used by the API endpoint.
DefaultConfig = Config{
Enabled: false,
Host: "localhost",
Port: 5066,
}
)

// File mode for the socket file, owner of the process can do everything, member of the group can read.
const socketFileMode = os.FileMode(0740)
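Review bot: the comment on `socketFileMode` says "member of the group can read", but reading a socket file is meaningless; a client needs write permission on the socket file to connect() to it (unix(7) on Linux, likewise on the BSDs), so 0740 lets only the process owner connect and the group read bit grants nothing. Either reword the comment to say only the owner can connect, or use 0770 (or 0760) if group members are meant to reach the endpoint. Minor: `User` and `SecurityDescriptor` only apply to named pipes, which the struct comment should say, and `os` is imported here solely for `os.FileMode`, so the constant could sit next to the POSIX listener that uses it.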
83 changes: 83 additions & 0 deletions libbeat/api/make_listener_posix.go
@@ -0,0 +1,83 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

//+build !windows

package api

import (
"fmt"
"net"
"os"

"github.com/pkg/errors"

"github.com/elastic/beats/libbeat/api/npipe"
)

func makeListener(cfg Config) (net.Listener, error) {
if len(cfg.User) > 0 {
return nil, errors.New("specifying a user is not supported under this platform")
}

if len(cfg.SecurityDescriptor) > 0 {
return nil, errors.New("security_descriptor option for the HTTP endpoint only work on Windows")
}

if npipe.IsNPipe(cfg.Host) {
return nil, fmt.Errorf(
"cannot use %s as the host, named pipes are only supported on Windows",
cfg.Host,
)
}

network, path, err := parse(cfg.Host, cfg.Port)
if err != nil {
return nil, err
}

if network == "unix" {
if _, err := os.Stat(path); !os.IsNotExist(err) {
if err := os.Remove(path); err != nil {
return nil, errors.Wrapf(
err,
"cannot remove existing unix socket file at location %s",
path,
)
}
}
}

l, err := net.Listen(network, path)
if err != nil {
return nil, err
}

// Ensure file mode
if network == "unix" {
if err := os.Chmod(path, socketFileMode); err != nil {
return nil, errors.Wrapf(
err,
"could not set mode %d for unix socket file at location %s",
socketFileMode,
path,
)
}
}

return l, nil
}
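Review bot: the `os.Stat` / `os.Remove` block before `net.Listen` deletes whatever is at `path`, including a regular file or a socket still served by another running instance, and the Stat-then-Remove pair is racy; check `fi.Mode()&os.ModeSocket != 0` before removing (and consider a probe connect to detect a live instance), or simply call `os.Remove(path)` and ignore `os.IsNotExist(err)`. Second, `net.Listen("unix", ...)` creates the socket with permissions derived from the umask and `os.Chmod` only runs afterwards, so for a moment the socket is more permissive than `socketFileMode`; narrow that window by creating the socket in a directory with restrictive permissions or by tightening the umask around the Listen call. Third, when `os.Chmod` fails the function returns the error without closing `l`, so the bound socket leaks; add `l.Close()` on that path. Also `%d` on an `os.FileMode` prints the decimal 480 rather than 0740, so use `%#o` or `%v`, and "only work on Windows" should read "only works on Windows".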
64 changes: 64 additions & 0 deletions libbeat/api/make_listener_windows.go
@@ -0,0 +1,64 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

//+build windows

package api

import (
"fmt"
"net"

"github.com/pkg/errors"

"github.com/elastic/beats/libbeat/api/npipe"
)

func makeListener(cfg Config) (net.Listener, error) {
if len(cfg.User) > 0 && len(cfg.SecurityDescriptor) > 0 {
return nil, errors.New("user and security_descriptor are mutually exclusive, define only one of them")
}

if npipe.IsNPipe(cfg.Host) {
pipe := npipe.TransformString(cfg.Host)
var sd string
var err error
if len(cfg.SecurityDescriptor) == 0 {
sd, err = npipe.DefaultSD(cfg.User)
if err != nil {
return nil, errors.Wrap(err, "cannot generate security descriptor for the named pipe")
}
} else {
sd = cfg.SecurityDescriptor
}
return npipe.NewListener(pipe, sd)
}

network, path, err := parse(cfg.Host, cfg.Port)
if err != nil {
return nil, err
}

if network == "unix" {
return nil, fmt.Errorf(
"cannot use %s as the host, unix sockets are not supported on Windows, use npipe instead",
cfg.Host,
)
}

return net.Listen(network, path)
}
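Review bot: when `cfg.Host` is not an `npipe://` address, `cfg.User` and `cfg.SecurityDescriptor` are silently ignored and a plain TCP listener is returned, whereas the POSIX variant fails fast on the same misconfiguration; return an error here too so an operator who set `named_pipe.user` on a TCP endpoint learns that no access control was applied. Also, the mutual-exclusion error says "user and security_descriptor", while the config keys are `named_pipe.user` and `named_pipe.security_descriptor`; use the full keys so the message points at the settings to fix.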