Libbeat's HTTP Server can now listen to unix socket. #13655
Conversation
There was a problem hiding this comment.
Happy to see this enhancement. Left a few questions.
Also does Windows have anything similar? I saw this article and wonder if any of this could be made to work https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/.
libbeat/api/server.go
Outdated
| @@ -51,16 +56,16 @@ func New(mux *http.ServeMux, config *common.Config) (*Server, error) { | |||
| return nil, err | |||
| } | |||
|
|
|||
| return &Server{mux: mux, l: l, config: cfg}, nil | |||
| return &Server{mux: mux, l: l, config: cfg, log: log.Named("API")}, nil | |||
There was a problem hiding this comment.
Could we do lowercase on the logger name? I'd like to keep all logger names lowercase. This will create a new logger and append .API to the existing logger's name (if it had a name).
There was a problem hiding this comment.
Would it be useful to include the listener address in logger statements? Something like log.Named("api").With("listener", l.Addr().String()) or log.Named("api").With("endpoint", l.Addr().String()).
There was a problem hiding this comment.
I've downcased the api.
This will create a new logger and append .API to the existing logger's name (if it had a name).
Do you find the append problematic?
Not sure adding the listener or endpoint is useful, we only have a single responder?
filebeat/filebeat.reference.yml
Outdated
| @@ -2034,7 +2034,8 @@ logging.files: | |||
| # Defines if the HTTP endpoint is enabled. | |||
| #http.enabled: false | |||
|
|
|||
| # The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost. | |||
| # The HTTP endpoint will bind to this hostname, IP address or unix socket. It is recommended | |||
| # to use only localhost. | |||
There was a problem hiding this comment.
Seems like we should reconsider this recommendation now.
There was a problem hiding this comment.
I was about to change it, but I wanted to bring it up with @elastic/stack-monitoring,I know they wanted to make http.enabled by default at some point.
There was a problem hiding this comment.
As far as the recommendation goes, what if it just said If binding to an IP address it is recommended to use only localhost.?
There was a problem hiding this comment.
@cachedout I think the wording is fine, but I presume @andrewkroh question was more should we default to npipe or Unix socket instead of TCP for the HTTP endpoint.
There was a problem hiding this comment.
My vote would be to default to the unix socket/npipe (starting 8.0.0 with deprecation warnings in 7.x, if possible) since its more secure (can only accept connections from local machine) and slightly faster than TCP. If users need the HTTP API to be callable from outside the local machine, they can take the deliberate step of configuring that.
There was a problem hiding this comment.
@ycombinator @cachedout What about the "beta" warning when starting the API?
There was a problem hiding this comment.
You mean this line?
2019-09-13T08:52:45.092-0700 WARN [cfgwarn] api/server.go:34 EXPERIMENTAL: Metrics endpoint is enabled.
If so, I vote for it to be taken out. As you said in another comment, this API has been around for a while now.
There was a problem hiding this comment.
I've removed the beta label but I didn't add a deprecation or changed the defaults.
ph
force-pushed
the
monitoring/support-socket
branch
from
1974a2f to
88e1232
Compare
|
@andrewkroh Thanks for the review, concerning windows support, I just added support for windows named pipe. I will address your concerns tomorrow 🤗 |
|
I built Filebeat with this PR and then added the following lines to my When I run Filebeat with Two questions:
|
|
|
@ycombinator lets pair on monday, I was not able to reproduce your error, are you using the latest commits? |
|
I need to add support for the helper.NewHTTP to connect to both unix socket and named pipe. |
I will try again and if I can still reproduce the same error, lets pair on Monday. |
I checked out this PR again and now things are working as expected. |
|
@ycombinator do you mind if I split server and client changes in another PR? That will make it smaller to review. |
Not at all, even better! Thanks @ph. |
ph
force-pushed
the
monitoring/support-socket
branch
from
4e61a64 to
f9975b9
Compare
|
I believe I have addressed the concerns of @ycombinator and @andrewkroh. Concerning the changing the default and adding a deprecation warning, I would prefer we have this out of the door with a few usage from users. So we can do it in 7.6 Do a final review and I am finishing a PR that that support for the http client to support both unix socket and named pipe. |
++ Also, we might want to separately discuss whether this needs to go into 8.0.0 only since we're changing the default behavior. It's not a breaking change per se but it may catch users by surprise. Anyway, let's discuss that in a separate issue/PR from this one. |
ph
force-pushed
the
monitoring/support-socket
branch
from
d44857f to
0938e0c
Compare
ph
force-pushed
the
monitoring/support-socket
branch
from
2a536d5 to
a53a2cb
Compare
|
The failures on TravisCI seems to be related to #13987 |
auditbeat/auditbeat.reference.yml
Outdated
| #http.host: localhost | ||
|
|
||
| # Port on which the HTTP endpoint will bind. Default is 5066. | ||
| #http.port: 5066 | ||
|
|
||
| # Define which user should be owning the named pipe. | ||
| #http.user: |
There was a problem hiding this comment.
Would it make sense to place this setting and the one right below it under a http.named_pipe (or similar) namespace?
There was a problem hiding this comment.
Make sense, I think it will make it more obvious for the user.
| } | ||
|
|
||
| if network == "unix" { | ||
| if _, err := os.Stat(path); !os.IsNotExist(err) { |
There was a problem hiding this comment.
The double negative if predicate, !os.IsNotExist(err) is a bit hard to parse. Any reason we couldn't do os.IsExist(err)?
There was a problem hiding this comment.
Just chatted with @ph off-PR about this change so wanted to summarize our discussion here. Apparently, if the double-negative check here is replaced with os.IsExist(err), things don't work as expected:
$ touch /tmp/foo
$ ./filebeat -c filebeat.dev.yml -E http.host=unix:///tmp/foo
Exiting: could not start the HTTP server for the API: listen unix /tmp/foo: bind: address already in use
But if we keep the double-negative check, everything works as expected. So we are bringing it back.
Allow to use a socket file using the `unix:///tmp/hello.sock` syntax to define an HTTP server that will listen HTTP request. Tasks: - Implements the host parsing. - Refactor the API handler to be reusable and testable. - Refactor the API Code so we can start and stop a server gracefully, this is require to clean up the socket after usage.
ph
force-pushed
the
monitoring/support-socket
branch
from
bcc6f06 to
3a9e984
Compare
|
@ycombinator updated with your comments. |
ph
force-pushed
the
monitoring/support-socket
branch
from
69f3063 to
3a9e984
Compare
|
Just stumbled over this, great to see this implemented. I wonder if this could allow us to have the endpoint enabled by default (if not already the case)? |
|
@ruflin I think it could be on by default but maybe it should be included in the 8.0 deprecation or changes issue? wdyt @ycombinator. |
|
So if we turn it on by default, I assume the default would be to listen on the socket. If so, what would the default socket name/path be? Maybe something including the PID so we don't have collisions between multiple beats running on the same host? |
|
Lets move the discussion in #12918 |
Allow to use a socket file using the
unix:///tmp/hello.socksyntaxto define an HTTP server that will listen HTTP request and add support for windows named pipe using the
npipe:///hellosyntax.Tasks:
this is require to clean up the socket after usage.
NOTES: I need to verify the SecurityDescriptor permission for the named pipe.
Fixes: #13577