Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Filebeat: Ensure module pipelines compatibility with previous versions of Elasticsearch #26737

Merged
merged 8 commits into from
Jul 7, 2021

Conversation

adriansr
Copy link
Contributor

@adriansr adriansr commented Jul 6, 2021

What does this PR do?

This PR makes two changes:

  • Improve the pipeline/compatibility code so that all processors in a pipeline are scanned and acted-upon to ensure compatibility. This means:

    • Scan processors in on_failure section (both the pipeline's and each individual processor on-failure handler).
    • Scan the inner processor in a foreach processor.
  • Add a new CI stage, module-compat-7.11, to filebeat/Jenkinsfile.yml and x-pack/filebeat/Jenkinsfile.yml, in order to run Filebeat modules tests under ES 7.11.2 to ensure that all pipelines are functional.

This test uses a new flag, TESTING_FILEBEAT_SKIP_DIFF, to instruct the integration test to skip the comparison between the generated documents and the golden/expected files. The test will ensure that the pipeline loads, there are no ingest errors, the fields in the generated documents are valid and the number of returned documents matches the expected. This is intended to avoid having to maintain multiple versions of the golden files due to differences between ES versions and available processors.

Why is it important?

To ensure that Filebeat is backwards-compatible with 7.x releases of ES.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • [ ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@adriansr adriansr requested a review from v1v July 6, 2021 13:42
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 6, 2021
@adriansr adriansr marked this pull request as draft July 6, 2021 13:42
@adriansr adriansr added Filebeat Filebeat in progress Pull request is currently in progress. Team:Security-External Integrations labels Jul 6, 2021
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 6, 2021
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 6, 2021

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2021-07-07T08:49:51.021+0000

  • Duration: 136 min 33 sec

  • Commit: 956de5d

Test stats 🧪

Test Results
Failed 0
Passed 49191
Skipped 5395
Total 54586

Trends 🧪

Image of Build Times

Image of Tests

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 49191
Skipped 5395
Total 54586

adriansr added 4 commits July 6, 2021 17:33
While testing those modules in 7.11-compat mode, the tests would fail
because the pipelines leave some unexpected fields behind. This cleans
them up.

This is caused by the uri_parts processor being removed and leaving
behind a temporary field that is cleaned up by the
`remove_if_successful` flag.
@adriansr adriansr marked this pull request as ready for review July 7, 2021 09:06
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@adriansr adriansr added review and removed in progress Pull request is currently in progress. labels Jul 7, 2021
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. This will help a lot in catching future problems. 🥇

// adaptPipelineForCompatibility iterates over all processors in the pipeline
// and adapts them for version of Elasticsearch used. Adapt can mean modifying
// processor options or removing the processor.
func adaptPipelineForCompatibility(esVersion common.Version, pipelineID string, content map[string]interface{}, log *logp.Logger) (err error) {
p, ok := content["processors"]
log = log.With("pipelineID", pipelineID)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think lower snake case has been used almost everywhere else for key names passed to the logger. Recommend change for consistency.

@adriansr adriansr merged commit 181cf69 into elastic:master Jul 7, 2021
@adriansr adriansr deleted the fb_pipeline_compat branch July 7, 2021 13:30
@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2021-07-07T13:18:14.051+0000

  • Duration: 137 min 46 sec

  • Commit: 9ee4d68

Test stats 🧪

Test Results
Failed 0
Passed 49191
Skipped 5395
Total 54586

Trends 🧪

Image of Build Times

Image of Tests

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 49191
Skipped 5395
Total 54586

v1v added a commit to v1v/beats that referenced this pull request Jul 8, 2021
* upstream/master: (430 commits)
  CI: increase timeout (elastic#26764)
  Heartbeat: add datastream fields to synthetics (elastic#26774)
  Osquerybeat: Change the query timeout from 3 secs to 60 secs (elastic#26775)
  Remove experimental warning for inputs with variables. (elastic#26762)
  Add latest k8s versions in testing (elastic#26729)
  change type of max_bytes to ByteType (elastic#26699)
  [Elastic Agent] Fix broken enrollment command (elastic#26749)
  Update agent managed manifest to include enrolment token variable (elastic#26756)
  Filebeat: Ensure module pipelines compatibility with previous versions of Elasticsearch (elastic#26737)
  Forward port changelog for 7.13.3 (elastic#26731) to master (elastic#26754)
  Upgrade PyYAML dependency used for tests (elastic#26746)
  Add agent fleet enrolment k8s manifest (elastic#26566)
  CI: retry the step only (elastic#26736)
  Osquerybeat: Fix the configuration poll interval setting (elastic#26739)
  [Filebeat] Replace copy_from with templated value (elastic#26631)
  Reduce the verbosity of the debug log for monitoring (elastic#26583)
  Add instructions on testing metricbeat kubernetes module (elastic#26643)
  Revert "[CI] fight the flakiness with some retry option in the CI only for the Pull Requests (elastic#26617)" (elastic#26704)
  Packaging: linux/armv7 is not supported (elastic#26706)
  Cyberarkpas: Link to official docs on how to setup TLS (elastic#26614)
  ...
@andrewkroh
Copy link
Member

@Mergifyio backport 7.x

mergify bot pushed a commit that referenced this pull request Sep 9, 2021
…s of Elasticsearch (#26737)

Improve the pipeline/compatibility code so that all processors in a pipeline
are scanned and acted-upon to ensure compatibility. This means:
 - Scan processors in on_failure section (both the pipeline's and each
   individual processor on-failure handler).
 - Scan the inner processor in a foreach processor.

Add a new CI stage, module-compat-7.11, to filebeat/Jenkinsfile.yml
and x-pack/filebeat/Jenkinsfile.yml, in order to run Filebeat modules tests
under ES 7.11.2 to ensure that all pipelines are functional.

This test uses a new flag, TESTING_FILEBEAT_SKIP_DIFF, to instruct the
integration test to skip the comparison between the generated documents and
the golden/expected files. The test will ensure that the pipeline loads,
there are no ingest errors, the fields in the generated documents are valid
and the number of returned documents matches the expected. This is intended
to avoid having to maintain multiple versions of the golden files due to
differences between ES versions and available processors.

Also fixes the fortinet and threatintel modules pipelines so that they pass
the new test, as some fields were left behind due to the uri_parts
processor being removed.

(cherry picked from commit 181cf69)

# Conflicts:
#	x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
#	x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
@mergify
Copy link
Contributor

mergify bot commented Sep 9, 2021

Command backport 7.x: success

Backports have been created

andrewkroh added a commit that referenced this pull request Sep 9, 2021
…s of Elasticsearch (backport #26737) (#27841)

* Filebeat: Ensure module pipelines compatibility with previous versions of Elasticsearch (#26737)

Improve the pipeline/compatibility code so that all processors in a pipeline
are scanned and acted-upon to ensure compatibility. This means:
 - Scan processors in on_failure section (both the pipeline's and each
   individual processor on-failure handler).
 - Scan the inner processor in a foreach processor.

Add a new CI stage, module-compat-7.11, to filebeat/Jenkinsfile.yml
and x-pack/filebeat/Jenkinsfile.yml, in order to run Filebeat modules tests
under ES 7.11.2 to ensure that all pipelines are functional.

This test uses a new flag, TESTING_FILEBEAT_SKIP_DIFF, to instruct the
integration test to skip the comparison between the generated documents and
the golden/expected files. The test will ensure that the pipeline loads,
there are no ingest errors, the fields in the generated documents are valid
and the number of returned documents matches the expected. This is intended
to avoid having to maintain multiple versions of the golden files due to
differences between ES versions and available processors.

Also fixes the fortinet and threatintel modules pipelines so that they pass
the new test, as some fields were left behind due to the uri_parts
processor being removed.

(cherry picked from commit 181cf69)

* Remove script.cache.max_size / script.max_compilations_rate from Filebeat tests (#19896)

These setting has been removed as per elastic/elasticsearch#59262 causing the ES container to not launch.

    elasticsearch_1  | java.lang.IllegalArgumentException: unknown setting [script.cache.max_size] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

* Configure ingest node options in env and not in FB test_modules.py

Co-authored-by: Adrian Serrano <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants