Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Auditbeat] Retain compatibility with older Docker server versions #7542

Closed
kholia opened this issue Jul 9, 2018 · 17 comments
Closed

[Auditbeat] Retain compatibility with older Docker server versions #7542

kholia opened this issue Jul 9, 2018 · 17 comments

Comments

@kholia
Copy link

kholia commented Jul 9, 2018

Auditbeat version -> 6.3.1

My auditbeat.yml uses the add_docker_metadata processor.

Running auditbeat test config --strict.perms=false -c auditbeat.yml is giving me Exiting: error initializing publisher: error initializing processors: Error response from daemon: client is newer than server (client API version: 1.24, server API version: 1.23) on this box.

I believe that Auditbeat 6.3.1 was deployed on this box when this error message occured. After downgrading Auditbeat to version 6.3.0, things are working fine on this box.

Box details,

$ uname -a
Linux ip-172-23-180-123 4.4.0-1048-aws #57-Ubuntu... x86_64 x86_64 x86_64 GNU/Linux

$ dpkg -l | grep docker
hi  docker-engine                    1.11.2-0~xenial...

$ docker --version
Docker version 1.11.2, build b9f10c9

This is an Ubuntu 16.04.3 LTS 64-bit box (UPDATED!).

Please let me know if more details are required to reproduce/debug this issue.

@kholia
Copy link
Author

kholia commented Jul 9, 2018

CC @pmoust @exekias @urso.

@exekias
Copy link
Contributor

exekias commented Jul 9, 2018

If I understand Docker Maintenance Lifecycle correctly, Docker engine 1.11.2 end of life was on 2017-03-02. Still, it would be nice to improve our compatibility with old Docker versions, always keeping support for the newest.

I open to ideas here, not sure I have any 😞

Also pinging @andrewkroh

@andrewkroh
Copy link
Member

@exekias Shouldn't our client downgrade to 1.23 automatically? I thought that is what this code was for?

if versions.LessThan(ping.APIVersion, dockerAPIVersion) {
c.UpdateClientVersion(ping.APIVersion)
}

@exekias
Copy link
Contributor

exekias commented Jul 9, 2018

Old versions of Docker don't report their version number on ping, so Docker fallbacks to 1.24 in that case, I copied that code to:

ping.APIVersion = "1.24"

I wonder if this would work if we just write 1.23 there, @kholia would you test a custom build with that change?

@exekias
Copy link
Contributor

exekias commented Jul 9, 2018

For reference, original code is here: https://github.com/moby/moby/blob/master/client/client.go#L339

@andrewkroh
Copy link
Member

Manually setting it might 🤞 work based on their env client accepting a version string and this post on stack overflow.

@kholia
Copy link
Author

kholia commented Jul 10, 2018

I double-checked my results to be 100% sure. I can reproduce my observations.

# auditbeat test config --strict.perms=false -c /etc/auditbeat/auditbeat.yml
Exiting: error initializing publisher: error initializing processors: 
Error response from daemon: client is newer than server
(client API version: 1.24, server API version: 1.23)

$ dpkg -l | grep auditbeat
ii  auditbeat                        6.3.1                                      amd64...

$ dpkg -l | grep docker
hi  docker-engine                    1.11.2-0~xenial ...

If I understand Docker Maintenance Lifecycle correctly, Docker engine 1.11.2 end of life was on 2017-03-02. Still, it would be nice to improve our compatibility with old Docker versions, always keeping support for the newest.

@exekias This is the upstream lifecycle. Many commercial Linux distributions have much longer downstream lifecycles. Yes, it would be awesome to support these downstream lifecycles as well. Many of our enterprise customers will be using commercially supported Linux distributions with very long downstream lifecycles instead of fast-moving updated targets like Fedora, non-LTS Ubuntu and the likes.

I wonder if this would work if we just write 1.23 there, @kholia would you test a custom build with that change?

I will apply this change, create a new build, and test it soon. Thanks!

@kholia
Copy link
Author

kholia commented Jul 10, 2018

I applied the following patch to beats master,

diff --git a/libbeat/common/docker/client.go b/libbeat/common/docker/client.go
index 3470602e2..6e7114360 100644
--- a/libbeat/common/docker/client.go
+++ b/libbeat/common/docker/client.go
@@ -47,7 +47,7 @@ func NewClient(host string, httpClient *http.Client, httpHeaders map[string]stri
 
        // try the latest version before versioning headers existed
        if ping.APIVersion == "" {
-               ping.APIVersion = "1.24"
+               ping.APIVersion = "1.23"
        }
 
        // if server version is lower than the client version, downgrade

Running sudo auditbeat test config --strict.perms=false -c /etc/auditbeat/auditbeat.yml with this fresh patched build gives me Config OK. This was failing with Auditbeat 6.3.1.

This Auditbeat version also seems to be working after I do systemctl start auditbeat.

Do I need to do more testing (i.e. check if docker metadata extraction is working fine) or is this sanity check enough?

@exekias
Copy link
Contributor

exekias commented Jul 10, 2018

Thank you for testing that! 🎉

It would be really nice if you could test that's working, you can use -N -e -d publish flags to run without actually publishing to Elasticsearch.

I will prepare a patch to use 1.23 as the default version if headers are not present + accept DOCKER_API_VERSION env variable to hardcode it.

@kholia
Copy link
Author

kholia commented Jul 10, 2018

It would be really nice if you could test that's working, you can use -N -e -d publish flags to run without actually publishing to Elasticsearch.

I am on it. I think I can just use the file output module instead of the Elasticsearch or Logstash output modules for my testing.

@kholia
Copy link
Author

kholia commented Jul 10, 2018

I am on it. I think I can just use the file output module instead of the Elasticsearch or Logstash output modules for my testing.

The Docker metadata extraction seems to be working fine 👍 I was able to see the container image URL and name in the output Auditbeat data.

My custom patched build of Auditbeat says,

# auditbeat --version
Flag --version has been deprecated, use version subcommand
auditbeat version 7.0.0-alpha1 (amd64), libbeat 7.0.0-alpha

@kholia
Copy link
Author

kholia commented Jul 10, 2018

Here is the full output document,

{
	"@timestamp": "2018-07-10T09:30:35.232Z",
	"@metadata": {
		"beat": "auditbeat",
		"type": "doc",
		"version": "7.0.0-alpha1"
	},
	"auditd": {
		"result": "success",
		"session": "unset",
		"data": {
			"old_pp": "00000000a80425fb",
			"fp": "0000000000000000",
			"a1": "95d608",
			"exit": "0",
			"old_pe": "00000000a80425fb",
			"syscall": "execve",
			"fver": "0",
			"tty": "pts1",
			"new_pe": "00000000a80425fb",
			"fe": "0",
			"fi": "0000000000000000",
			"new_pi": "00000000a80425fb",
			"new_pp": "00000000a80425fb",
			"old_pi": "00000000a80425fb",
			"arch": "x86_64",
			"a0": "95d4a8",
			"argc": "2",
			"a2": "953e08",
			"a3": "7ffe1b7f05e0"
		},
		"summary": {
			"object": {
				"primary": "/usr/bin/curl",
				"type": "file"
			},
			"how": "/usr/bin/curl",
			"actor": {
				"primary": "unset",
				"secondary": "root"
			}
		},
		"paths": [{
			"mode": "0100755",
			"name": "/usr/bin/curl",
			"nametype": "NORMAL",
			"rdev": "00:00",
			"dev": "00:29",
			"inode": "3901",
			"item": "0",
			"ogid": "0",
			"ouid": "0"
		}, {
			"name": "/lib64/ld-linux-x86-64.so.2",
			"nametype": "NORMAL",
			"ogid": "0",
			"rdev": "00:00",
			"dev": "00:29",
			"inode": "32",
			"item": "1",
			"mode": "0100755",
			"ouid": "0"
		}],
		"sequence": 2074090
	},
	"event": {
		"module": "auditd",
		"category": "audit-rule",
		"type": "syscall",
		"action": "executed"
	},
	"user": {
		"auid": "unset",
		"gid": "0",
		"sgid": "0",
		"uid": "0",
		"euid": "0",
		"fsgid": "0",
		"name_map": {
			"uid": "root",
			"egid": "root",
			"euid": "root",
			"fsgid": "root",
			"fsuid": "root",
			"gid": "root",
			"sgid": "root",
			"suid": "root"
		},
		"egid": "0",
		"fsuid": "0",
		"suid": "0"
	},
	"process": {
		"exe": "/usr/bin/curl",
		"cwd": "/",
		"args": ["curl", "http://example.com/malware"],
		"pid": "15340",
		"ppid": "14776",
		"title": "curl http://example.com/malware",
		"name": "curl"
	},
	"docker": {
		"container": {
			"id": "dummy",
			"labels": {
				"io": {
					"dummy": {
						"app": "dummy-service",
						"availability_zone": "eu-dummy-1c",
						"environment": "dummy",
						"region": "eu-dummy-1",
						"version": "stable"
					}
				}
			},
			"image": "dummy",
			"name": "dummy-service"
		}
	},
	"file": {
		"path": "/usr/bin/curl",
		"device": "00:00",
		"inode": "3901",
		"mode": "0755",
		"uid": "0",
		"gid": "0",
		"owner": "root",
		"group": "root"
	},
	"tags": ["exec", "auditbeat"],
	"beat": {
		"version": "7.0.0-alpha1",
		"name": "auditbeat",
		"hostname": "ip-172-xxx-xxx-xxx"
	},
	"host": {
		"name": "auditbeat"
	}

@exekias
Copy link
Contributor

exekias commented Jul 10, 2018

that's perfect, thank you so much for doing the testing! Will open a PR soon, targeting 6.4 and 6.3.2

@exekias
Copy link
Contributor

exekias commented Jul 10, 2018

I opened #7553, just in case you want to give that a try. We will both negotiate to a lower API version (that should be compatible with your deploy) + allow to hardcode the API version using an env variable.

exekias pushed a commit to exekias/beats that referenced this issue Jul 10, 2018
Introducing API version negotiation (elastic#7165) brough support for new
Docker versions, but broke support for versions in EOL.

This change puts old API version (1.229 back on the default fallback,
plus introduces version hardcoding through `DOCKER_API_VERSION`
environment variable.

I added some integration tests to check things are working.

Fixes elastic#7542
@kholia
Copy link
Author

kholia commented Jul 10, 2018

Thanks! I will give that PR a try soon.

@kholia
Copy link
Author

kholia commented Jul 10, 2018

I will give that PR a try soon.

Without this PR (#7553) patch,

$ strings auditbeat | grep DOCKER_API_VERSION
<nothing>

After this PR patch,

$ strings auditbeat | grep DOCKER_API_VERSION
...Configuration pathDOCKER_API_VERSION...

$ strings /usr/share/auditbeat/bin/auditbeat | grep DOCKER_API_VERSION
...Configuration pathDOCKER_API_VERSION...

$ strings /usr/bin/auditbeat | grep DOCKER_API_VERSION
...Configuration pathDOCKER_API_VERSION...

This confirms that I have the right binary.

Auditbeat + Docker metadata extraction is working fine with this PR 👍

ruflin pushed a commit that referenced this issue Jul 11, 2018
Introducing API version negotiation (#7165) brough support for new
Docker versions, but broke support for versions in EOL.

This change puts old API version (1.229 back on the default fallback,
plus introduces version hardcoding through `DOCKER_API_VERSION`
environment variable.

I added some integration tests to check things are working.

Fixes #7542
exekias added a commit to exekias/beats that referenced this issue Jul 11, 2018
Introducing API version negotiation (elastic#7165) brough support for new
Docker versions, but broke support for versions in EOL.

This change puts old API version (1.229 back on the default fallback,
plus introduces version hardcoding through `DOCKER_API_VERSION`
environment variable.

I added some integration tests to check things are working.

Fixes elastic#7542

(cherry picked from commit 2215d24)
@exekias
Copy link
Contributor

exekias commented Jul 11, 2018

Thank you @kholia for all your input, you made this super easy to fix!

ruflin pushed a commit that referenced this issue Jul 12, 2018
…rsions (#7567)

Introducing API version negotiation (#7165) brough support for new
Docker versions, but broke support for versions in EOL.

This change puts old API version (1.229 back on the default fallback,
plus introduces version hardcoding through `DOCKER_API_VERSION`
environment variable.

I added some integration tests to check things are working.

Fixes #7542

(cherry picked from commit 2215d24)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…cker versions (elastic#7567)

Introducing API version negotiation (elastic#7165) brough support for new
Docker versions, but broke support for versions in EOL.

This change puts old API version (1.229 back on the default fallback,
plus introduces version hardcoding through `DOCKER_API_VERSION`
environment variable.

I added some integration tests to check things are working.

Fixes elastic#7542

(cherry picked from commit cecb9a8)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants