Logstash improvements: auto pipeline reload. (#1668)

* Logstash improvements: auto pipeline reload, enable SSL between LS and agent, remove doc id in pipeline config to cover generic cases. * Revert SSL changes between agent and Logstash. * Make Logstash pipeline configs changeable. * Let's focus on Logstash integration plugin and avoid connection failures with ES. * Put back config changes and make overwritable config separating from Docker volumes which will be busy during the Logstash run. * Separate Logstash initialization script and define it as a resource. * Revise the comment to make the generic statement. * Test if permissions inherited on mounted fs. * Apply suggestions from code review Read-only mounted certificates, set proper permission to a Logstash startup shell script. Co-authored-by: Jaime Soriano Pastor <[email protected]> * Refining the logics applied by code review: same apply on serverless. * Revert the read-only mounting since it is failing on BK agent. * Enable SSL between LS and agent. * Make mounted files read-only except certs folder. --------- Co-authored-by: Jaime Soriano Pastor <[email protected]>
elastic · Feb 15, 2024 · b2ee264 · b2ee264
1 parent 81289fa
commit b2ee264
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 14 deletions.
diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -170,16 +170,12 @@ services:
       interval: 60s
       timeout: 50s
       retries: 5
-    # logstash expects the key in pkcs8 format. Hence converting the key.pem to pkcs8 format using openssl.
-    # Also logstash-filter-elastic_integration plugin is installed by default to run ingest pipelines in logstash.
-    # elastic-package#1637 made improvements to enable logstash stats through port 9600.
-    command: bash -c 'openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /tmp/logstash.pkcs8.key && chmod +x /tmp/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) ==  *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin  logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install  logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf'
+    command: bash /usr/share/logstash/startup.sh
     volumes:
-      - "../certs/logstash/key.pem:/usr/share/logstash/config/certs/key.pem"
-      - "../certs/logstash/cert.pem:/usr/share/logstash/config/certs/cert.pem"
-      - "../certs/logstash/ca-cert.pem:/usr/share/logstash/config/certs/ca-cert.pem"
-      - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem"
-      - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro"
+      - "../certs/logstash:/usr/share/logstash/config/certs"
+      - "../certs/elasticsearch/cert.pem:/usr/share/logstash/config/certs/elasticsearch.pem:ro"
+      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
+      - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
        - "127.0.0.1:5044:5044"
        - "127.0.0.1:9600:9600"

diff --git a/internal/stack/_static/logstash_startup.sh b/internal/stack/_static/logstash_startup.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -euo pipefail
+
+LOGSTASH_HOME="/usr/share/logstash/"
+
+# logstash expects the key in pkcs8 format.
+# Hence converting the key.pem to pkcs8 format using openssl.
+create_cert() {
+  ls_cert_path="$LOGSTASH_HOME/config/certs"
+  openssl pkcs8 -inform PEM -in "$ls_cert_path/key.pem" -topk8 -nocrypt -outform PEM -out "/tmp/logstash.pkcs8.key"
+  chmod 777 "/tmp/logstash.pkcs8.key"
+}
+
+# config copy is intentional that mounted volumes will be busy and cannot be overwritten
+overwrite_pipeline_config() {
+  ls_pipeline_config_path="$LOGSTASH_HOME/pipeline/"
+  cat "$ls_pipeline_config_path/generated_logstash.conf" > "$ls_pipeline_config_path/logstash.conf"
+}
+
+# installs the given plugin if it is not installed
+install_plugin_if_missing() {
+  plugin_name=$1
+  if [[ ! $(bin/logstash-plugin list) == *"$plugin_name"* ]]; then
+    echo "Missing plugin $plugin_name, installing now"
+    bin/logstash-plugin install "$plugin_name"
+  fi
+}
+
+# runs Logstash
+run() {
+  bin/logstash -f "$LOGSTASH_HOME/pipeline/logstash.conf" --config.reload.automatic
+}
+
+create_cert
+overwrite_pipeline_config
+install_plugin_if_missing "logstash-filter-elastic_integration"
+run
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
@@ -35,13 +35,11 @@ services:
       interval: 60s
       timeout: 50s
       retries: 5
-    # logstash expects the key in pkcs8 format. Hence converting the key.pem to pkcs8 format using openssl.
-    # Also logstash-filter-elastic_integration plugin is installed by default to run ingest pipelines in logstash.
-    # elastic-package#1637 made improvements to enable logstash stats through port 9600.
-    command: bash -c 'openssl pkcs8 -inform PEM -in /usr/share/logstash/config/certs/key.pem -topk8 -nocrypt -outform PEM -out /usr/share/logstash/config/certs/logstash.pkcs8.key && chmod 777 /usr/share/logstash/config/certs/logstash.pkcs8.key && if [[ ! $(bin/logstash-plugin list) ==  *"logstash-filter-elastic_integration"* ]]; then echo "Missing plugin  logstash-filter-elastic_integration, installing now" && bin/logstash-plugin install  logstash-filter-elastic_integration; fi && bin/logstash -f /usr/share/logstash/pipeline/logstash.conf'
+    command: bash /usr/share/logstash/startup.sh
     volumes:
       - "../certs/logstash:/usr/share/logstash/config/certs"
-      - "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro"
+      - "./logstash.conf:/usr/share/logstash/pipeline/generated_logstash.conf:ro"
+      - "./logstash_startup.sh:/usr/share/logstash/startup.sh"
     ports:
        - "127.0.0.1:5044:5044"
        - "127.0.0.1:9600:9600"

diff --git a/internal/stack/resources.go b/internal/stack/resources.go
@@ -121,6 +121,12 @@ var (
 			Path:    ElasticAgentEnvFile,
 			Content: staticSource.Template("_static/elastic-agent.env.tmpl"),
 		},
+		&resource.File{
+			Path:         "logstash_startup.sh",
+			CreateParent: true,
+			Content:      staticSource.Template("_static/logstash_startup.sh"),
+			Mode:         resource.FileMode(0755),
+		},
 	}
 )
 

diff --git a/internal/stack/serverlessresources.go b/internal/stack/serverlessresources.go
@@ -32,6 +32,12 @@ var (
 			Path:    LogstashConfigFile,
 			Content: staticSource.Template("_static/serverless-logstash.conf.tmpl"),
 		},
+		&resource.File{
+			Path:         "logstash_startup.sh",
+			CreateParent: true,
+			Content:      staticSource.Template("_static/logstash_startup.sh"),
+			Mode:         resource.FileMode(0755),
+		},
 	}
 )