Create fsnotify watcher only when starting file_integrity module #19505
Conversation
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
botelastic
bot
added
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Steps errorsExpand to view the steps failures
|
|
Pinging @elastic/siem (Team:SIEM) |
botelastic
bot
removed
the
needs_team
| @@ -39,19 +39,19 @@ type reader struct { | |||
|
|
|||
| // NewEventReader creates a new EventProducer backed by fsnotify. | |||
| func NewEventReader(c Config) (EventProducer, error) { | |||
| watcher, err := monitor.New(c.Recursive) | |||
There was a problem hiding this comment.
I wonder if this was here to detect config mistakes early, @andrewkroh probably you can confirm
There was a problem hiding this comment.
I don't think much validation is gained with this particular instantiation from a config validation perspective. So moving it into Start should be OK.
vjsamuel
force-pushed
the
fix_watcher_leak
branch
from
ac701a4
to
c0c3de7
Compare
There was a problem hiding this comment.
It sounds like this problem could affect any Metricbeat or Auditbeat module. The CheckConfig function instantiates modules (and hence metricsets), but it never invokes the optionally implemented mb.Closer on the metricsets that it creates. I expect that this produces a leak in more places than Auditbeat FIM.
If this correct then I think the best solution would be to fix the root of the problem and ensure that the CheckConfig implementation in Metricbeat always closes the MetricSets that it creates. Perhaps something like
diff --git a/metricbeat/mb/module/factory.go b/metricbeat/mb/module/factory.go
index d5b342afe..d35ef24e3 100644
--- a/metricbeat/mb/module/factory.go
+++ b/metricbeat/mb/module/factory.go
@@ -75,10 +75,13 @@ func (r *Factory) Create(p beat.PipelineConnector, c *common.Config) (cfgfile.Ru
// CheckConfig checks if a config is valid or not
func (r *Factory) CheckConfig(config *common.Config) error {
- _, err := NewWrapper(config, mb.Registry, r.options...)
+ wrapper, err := NewWrapper(config, mb.Registry, r.options...)
if err != nil {
return err
}
+ for _, ms := range wrapper.MetricSets() {
+ ms.close()
+ }
return nil
}
|
I think there is also a potential resource leak within |
vjsamuel
force-pushed
the
fix_watcher_leak
branch
from
c0c3de7
to
042a502
Compare
|
ideally we need to add a |
vjsamuel
force-pushed
the
fix_watcher_leak
branch
from
042a502
to
f293c68
Compare
| @@ -39,19 +39,19 @@ type reader struct { | |||
|
|
|||
| // NewEventReader creates a new EventProducer backed by fsnotify. | |||
| func NewEventReader(c Config) (EventProducer, error) { | |||
| watcher, err := monitor.New(c.Recursive) | |||
There was a problem hiding this comment.
I don't think much validation is gained with this particular instantiation from a config validation perspective. So moving it into Start should be OK.
|
jenkins, run tests |
|
jenkins, run tests |
…stic#19505) * Create fsnotify watcher only when starting file_integrity module * Add close to Start() so that failed starts don't create resource leaks
Bug
What does this PR do?
It makes the creation of an FS notify watcher lazy. It is only set up when the metricset starts up.
Why is it important?
When FIM module is used with autodiscover, the Check function is called too many times where fsnotify watchers end up leaking and keeps increasing the number of file handles. It eventually causes auditbeat OOM.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesI have added tests that prove my fix is effective or that my feature worksCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
Related issues
Use cases