Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add config option to attach pprof endpoints to http socket #28902

Merged
merged 4 commits into from
Nov 15, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -271,6 +271,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Update kubernetes scheduler and controllermanager endpoints in elastic-agent-standalone-kubernetes.yaml with secure ports {pull}28675[28675]
- Add options to configure k8s client qps/burst. {pull}28151[28151]
- Update to ECS 8.0 fields. {pull}28620[28620]
- Add http.pprof.enabled option to libbeat to allow http/pprof endpoints on the socket that libbeat creates for metrics. {issue}21965[21965]

*Auditbeat*

Expand Down
4 changes: 4 additions & 0 deletions auditbeat/auditbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1632,6 +1632,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2544,6 +2544,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions heartbeat/heartbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1778,6 +1778,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions journalbeat/journalbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1575,6 +1575,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions libbeat/_meta/config/http.reference.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,7 @@
# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false
9 changes: 9 additions & 0 deletions libbeat/api/routes.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ package api
import (
"fmt"
"net/http"
_ "net/http/pprof"
"net/url"

"github.com/elastic/beats/v7/libbeat/common"
Expand Down Expand Up @@ -47,6 +48,14 @@ func NewWithDefaultRoutes(log *logp.Logger, config *common.Config, ns lookupFunc
return New(log, mux, config)
}

func (s *Server) AttachPprof() {
s.log.Info("Attaching pprof endpoints")
s.mux.HandleFunc("/debug/pprof/", func(w http.ResponseWriter, r *http.Request) {
efd6 marked this conversation as resolved.
Show resolved Hide resolved
http.DefaultServeMux.ServeHTTP(w, r)
})

}

func makeRootAPIHandler(handler handlerFunc) handlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/" {
Expand Down
4 changes: 4 additions & 0 deletions libbeat/cmd/instance/beat.go
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,7 @@ type beatConfig struct {

// beat internal components configurations
HTTP *common.Config `config:"http"`
HTTPPprof *common.Config `config:"http.pprof"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At first I was thinking this would conflict with the HTTP config one line before but it seems we have the same pattern on line 110/111?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, i followed the same pattern

Path paths.Path `config:"path"`
Logging *common.Config `config:"logging"`
MetricLogging *common.Config `config:"logging.metrics"`
Expand Down Expand Up @@ -455,6 +456,9 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error {
}
s.Start()
defer s.Stop()
if b.Config.HTTPPprof.Enabled() {
s.AttachPprof()
}
}

if err = seccomp.LoadFilter(b.Config.Seccomp); err != nil {
Expand Down
1 change: 1 addition & 0 deletions libbeat/docs/http-endpoint.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ It is recommended to use only localhost. Default is `localhost`
current user.
`http.named_pipe.security_descriptor`:: (Optional) Windows Security descriptor string defined in the SDDL format. Default to
read and write permission for the current user.
`http.pprof.enabled`:: (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.

This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.

Expand Down
7 changes: 7 additions & 0 deletions libbeat/tests/system/test_http.py
Original file line number Diff line number Diff line change
Expand Up @@ -47,3 +47,10 @@ def test_error(self):
"""
r = requests.get("http://localhost:5066/not-exist")
assert r.status_code == 404

def test_pprof_disabled(self):
"""
Test /debug/pprof/ http endpoint
"""
r = requests.get("http://localhost:5066/debug/pprof/")
assert r.status_code == 404
39 changes: 39 additions & 0 deletions libbeat/tests/system/test_http_pprof.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
from base import BaseTest

import requests
import json


class Test(BaseTest):
def setUp(self):
super(BaseTest, self).setUp()
self.render_config_template()
self.proc = self.start_beat(extra_args=["-E", "http.enabled=true", "-E", "http.pprof.enabled=true"])
self.wait_until(lambda: self.log_contains("Starting stats endpoint"))

def tearDown(self):
super(BaseTest, self).tearDown()
# Wait till the beat is completely started so it can handle SIGTERM
self.wait_until(lambda: self.log_contains("mockbeat start running."))
self.proc.check_kill_and_wait()

def test_pprof(self):
"""
Test /debug/pprof/ http endpoint
"""
r = requests.get("http://localhost:5066/debug/pprof/")
assert r.status_code == 200

def test_pprof_cmdline(self):
"""
Test /debug/pprof/cmdline http endpoint
"""
r = requests.get("http://localhost:5066/debug/pprof/cmdline")
assert r.status_code == 200

def test_pprof_error(self):
"""
Test not existing http endpoint
"""
r = requests.get("http://localhost:5066/debug/pprof/not-exist")
assert r.status_code == 404
4 changes: 4 additions & 0 deletions metricbeat/metricbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2455,6 +2455,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions packetbeat/packetbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2127,6 +2127,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions winlogbeat/winlogbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1555,6 +1555,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions x-pack/auditbeat/auditbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1688,6 +1688,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4697,6 +4697,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions x-pack/functionbeat/functionbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1426,6 +1426,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions x-pack/heartbeat/heartbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1778,6 +1778,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions x-pack/metricbeat/metricbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2976,6 +2976,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions x-pack/osquerybeat/osquerybeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1145,6 +1145,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions x-pack/packetbeat/packetbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2127,6 +2127,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down
4 changes: 4 additions & 0 deletions x-pack/winlogbeat/winlogbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1598,6 +1598,10 @@ logging.files:
# `http.user`.
#http.named_pipe.security_descriptor:

# Defines if the HTTP pprof endpoints are enabled.
# It is recommended that this is only enabled on localhost as these endpoints may leak data.
#http.pprof.enabled: false

# ============================== Process Security ==============================

# Enable or disable seccomp system call filtering on Linux. Default is enabled.
Expand Down