[Fleet] Allow bundled installs to occur even if EPR is unreachable #125127
Conversation
kpollich
added
release_note:skip
|
Pinging @elastic/fleet (Team:Fleet) |
|
@kpollich Looks like this PR only cover the installation of the package but it still fail while trying to create a agent policy using that package with this in my config I get the following error I looks at the code and we fetch the last version of the package in |
|
Similar to the issue that @nchaulet identified, I am encountering a similar problem (likely same root cause) when attempting to install a package via the Also was there a reason we decided not to put this logic in the lower-level POST http://localhost:5601/api/fleet/epm/packages/_bulk HTTP/1.1
User-Agent: vscode-restclient
content-type: application/json
kbn-xsrf: x
accept-encoding: gzip, deflate
content-length: 36
{
"packages": [
"endpoint-1.4.1"
]
}
HTTP/1.1 200 OK
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
kbn-name: Joshs-MacBook-Pro.local
kbn-license-sig: eeb40cb14be51e184b25f7f502a421b572df03319f9f6ebdc53077b435c47b90
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, must-revalidate
content-length: 502
Date: Thu, 10 Feb 2022 12:05:59 GMT
Connection: close
{
"items": [
{
"name": "endpoint-1.4.1",
"statusCode": 502,
"error": "Error connecting to package registry: request to http://locahost:9000/search?package=endpoint-1.4.1&experimental=true&kibana.version=8.1.0 failed, reason: getaddrinfo ENOTFOUND locahost"
}
],
"response": [
{
"name": "endpoint-1.4.1",
"statusCode": 502,
"error": "Error connecting to package registry: request to http://locahost:9000/search?package=endpoint-1.4.1&experimental=true&kibana.version=8.1.0 failed, reason: getaddrinfo ENOTFOUND locahost"
}
]
} |
My thinking here was to limit the exposure of bundled packages to preconfiguration, but I'd be happy to take a pass in this PR of moving the logic down into The current issue I'm running into is tracking down the many, many places we call functions like The other issue that's surfaced as I've tried to update all preconfiguration/installation paths to account for bundled packages is our policy compilation logic, which relies on a kibana/x-pack/plugins/fleet/server/services/package_policy.ts Lines 800 to 817 in 580d61d Hopefully updating type definitions w/ a union and passing in a bundled package object in some way here will be enough to get this functional, but I am a bit concerned whether we're opening a can of worms here. I'll update here with progress. |
|
Okay I think I've roughly stiched enough things together to make the creation of preconfigured agent policies succeed when EPR is unreachable in aba45c7. The code needs some clean up and I had to touch a lot of one-off function calls to add a I'm wondering if we should implement a rule that we'll always use bundled packages for a given package version to avoid passing this option around to the entire universe. Or, we could alternatively always attempt to fall back to bundled packages in the case of an unreachable registry. |
After typing this out, this seems like a much better solution so I'm going to implement this. |
@kpollich Yes the It seems a non trivial change, but a better long term solution |
| @@ -162,16 +164,33 @@ class PackagePolicyService { | |||
| } | |||
| validatePackagePolicyOrThrow(packagePolicy, pkgInfo); | |||
|
|
|||
| const registryPkgInfo = await Registry.fetchInfo(pkgInfo.name, pkgInfo.version); | |||
| const installablePackage: InstallablePackage = await Registry.fetchInfo( | |||
There was a problem hiding this comment.
Here the package should be installed right? can we directly fetch from ES the package instead of relying on the registry or the bundled package?
There was a problem hiding this comment.
Yeah I believe you are correct. I'm not sure why, but all of the policy compilation logic expected a RegistryPackage object. I would've assumed we would be fine with PackageInfo here and so we could fetch from ES. I will take a look at this. You're right above that it's non-trivial but this is probably the "right" solution.
There was a problem hiding this comment.
So it wound up being pretty easy to replace the InstallablePackage stuff with a PackageInfo object - just needed to make a few changes here and there to support that. We only use a few fields here, and getPackageInfo will pull back an Installation object for installed packages, so I think we've pretty easily eliminated the registry call here. See e2f2fea
…ing-fleet-bulk-install
|
Pinging @elastic/apm-ui (Team:apm) |
|
Summarizing an issue with failing CI here. The version of the docker registry in tests did not contain endpoint version 1.3.1-dev.1. We're bundling 1.4.1 with Kibana's source. Because we call Fleet's setup process before the registry container is available, our "fall back to bundled packages" logic introduced in this PR was resolving the latest version of endpoint to the bundled version of 1.4.1 Then, when the registry came online, we were resolving a latest version of 1.3.1-dev.1 during tests from the registry. The solution here is to make sure the dockerized registry and the bundled versions are aligned. This does bring to mind a potential issue with our fallback logic. Would it make sense to add a check so that we include installed packages in our fall back logic when we check for the |
| @@ -65,34 +66,82 @@ export async function fetchList(params?: SearchParams): Promise<RegistrySearchRe | |||
| return fetchUrl(url.toString()).then(JSON.parse); | |||
| } | |||
|
|
|||
| // When `throwIfNotFound` is true or undefined, return type will never be undefined. | |||
There was a problem hiding this comment.
@joshdover I had to refactor these overrides you introduced in #125525 because I couldn't actually pass a boolean value to this function in fetchFindLatestPackageWithFallbackToBundled below. Navigating overrides and conditional types was proving very difficult (and the number of typescript docs/stack overflow browser tabs I was reaching was proving unsustainable...), so I opted to pull things out into separate methods w/ a shared _fetchFindLatestPackage underneath that contains the "meat" of implementation.
x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_list.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
APM changes LGTM, but it will no longer needed once this PR is merged #125724
💚 Build SucceededMetrics [docs]Public APIs missing comments
History
To update your PR or re-run it, just comment with: cc @kpollich |
kpollich
deleted the
125097-prevent-registry-network-errors-blocking-fleet-bulk-install
branch
💔 Backport failedThe pull request could not be backported due to the following error: How to fixRe-run the backport manually: Questions ?Please refer to the Backport tool documentation |
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
kibanamachine
added
the
backport missing
kibanamachine
removed
the
backport missing
…lastic#125127) * Allow bundled installs to occur even if EPR is unreachable * Fix type errors in test * Fix failing test * fixup! Fix failing test * Remove unused object in mock * Make creation of preconfigured agent policy functional * Always fall back to bundled packages if available * Remove unused import * Use packageInfo object instead of RegistryPackage where possible * Fix type error in assets test * Fix test timeouts * Fix promise logic for registry fetch fallback * Use archive package as default in create package policy * Always install from bundled package if it exists - regardless of installation context * Clean up + refactor a bit * Default to cached package archive for policy updates * Update mock in get.test.ts * Add test for install from bundled package logic * Delete timeout call in security solution tests * Fix unused var in endpoint test * Fix another unused var in endpoint test * [Debug] Add some logging to test installation times in CI * Revert "[Debug] Add some logging to test installation times in CI" This reverts commit 513dcc1. * Update docker images for registry * Update docker image digest again * Refactor latest package fetching to fix broken logic/tests * Fix a bunch of type errors around renamed fetch latest package version methods * Remove unused import * Bump docker version to latest snapshot (again) * Revert changes to endpoint tests * Pass experimental flag in synthetics tests * Fix endpoint version in fleet api integration test Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit ba8c339) # Conflicts: # x-pack/plugins/fleet/server/integration_tests/docker_registry_helper.ts # x-pack/test/fleet_api_integration/apis/package_policy/create.ts # x-pack/test/fleet_api_integration/config.ts # x-pack/test/functional/config.js # x-pack/test/functional_synthetics/config.js
…125127) (#126523) * Allow bundled installs to occur even if EPR is unreachable * Fix type errors in test * Fix failing test * fixup! Fix failing test * Remove unused object in mock * Make creation of preconfigured agent policy functional * Always fall back to bundled packages if available * Remove unused import * Use packageInfo object instead of RegistryPackage where possible * Fix type error in assets test * Fix test timeouts * Fix promise logic for registry fetch fallback * Use archive package as default in create package policy * Always install from bundled package if it exists - regardless of installation context * Clean up + refactor a bit * Default to cached package archive for policy updates * Update mock in get.test.ts * Add test for install from bundled package logic * Delete timeout call in security solution tests * Fix unused var in endpoint test * Fix another unused var in endpoint test * [Debug] Add some logging to test installation times in CI * Revert "[Debug] Add some logging to test installation times in CI" This reverts commit 513dcc1. * Update docker images for registry * Update docker image digest again * Refactor latest package fetching to fix broken logic/tests * Fix a bunch of type errors around renamed fetch latest package version methods * Remove unused import * Bump docker version to latest snapshot (again) * Revert changes to endpoint tests * Pass experimental flag in synthetics tests * Fix endpoint version in fleet api integration test Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit ba8c339) # Conflicts: # x-pack/plugins/fleet/server/integration_tests/docker_registry_helper.ts # x-pack/test/fleet_api_integration/apis/package_policy/create.ts # x-pack/test/fleet_api_integration/config.ts # x-pack/test/functional/config.js # x-pack/test/functional_synthetics/config.js Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
Fixes #125097
Ref #74614
Allows package installations to occur even if the registry is unreachable by falling back to bundled packages on disk if they exist. Previously, we relied on the registry to determine the latest version of a package. Now, if we don't receive a response from the registry, we'll install the version on disk as if it's the latest version and prevent the registry error from stopping the installation process.
To test
Download a
fleet_serverzip from EPR into yourfleet/server/bundled_packagesfolder and add afleet_serverentry to yourkibana.dev.ymlfile. Setxpack.fleet.registryUrlto an inaccessible network location. Startup Kibana and observe that the install succeeds despite the network error.