[Enhanncement for host.ip and host.mac] Disabling netinfo.enabled option of add-host-metadata processor

[gizas]

• Enhancement

Proposed commit message

Relates to elastic/integrations#6674

Please explain:

• WHAT: We are disabling the netinfo.enabled option of add-host-metadata processor by checking the existence of and environmental variable in the Elastic Agent Pod
• WHY: Host.Ips and Host.Mac take a considerable size during indexing and affect both ingestion and visualisation process. As they dont provide meaningful infromation to the users we can disable them accordingly.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

1. Checkout this PR fix inside ~/beats folder of your system.
2. Clone elastic-agent repo in another folder ~/elastic-agent
3. Build elastic agent image with details provided in https:/elastic/elastic-agent#testing-elastic-agent-on-kubernetes. Command DEV=true SNAPSHOT=true PLATFORMS=linux/arm64 PACKAGES=docker mage package
4. Build the docker image of your custom agent that you will load later in your setup:

cd ~/elastic-agent
cd build/package/elastic-agent/elastic-agent-linux-arm64.docker/docker-build
docker build --platform linux/amd64 -t custom-agent-image .

5. Install kind
6. Load your custom build image into kind : kind load docker-image custom-agent-image:latest --name kind
7. Install your local ES stack : elastic-package stack up -d -vvv --version=8.11.0-SNAPSHOT
8. Use the the following manifests as samples to disable host.ip and host.mac

elastic-agent-standalone-kubernetesHostIPs.yml.txt
elastic-agent-standalone-kubernetesHostIPs.yml.txt

This is particular the piece of code that our manifests will need to have from now on:

# The following NETINNFO:false variable will disable the netinfo.enabled option of add-host-metadata processor. This will remove fields host.ip and host.mac.  
            # For more info: https://www.elastic.co/guide/en/beats/metricbeat/current/add-host-metadata.html
            # - name: NETINFO
            #   value: "false"

Related issues

• Relates #Consider not adding host.ip metadata to k8s container metrics by default integrations#6674

Screens

Default 8.11.SNAPSHOT with host.ips and host.mac

hots

Standalone Agent with NETINNFO:false

Managed Agent with NETINNFO:false

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @gizas? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fixinghostips upstream/fixinghostips
git merge upstream/main
git push upstream fixinghostips

[ruflin]

• This change seems to be only done in metricbeat. Doesn't the same happen in Filebeat and any other Beat?
• Do we need additional documentation around this how a user could enable it (again) if they wanted to?

[ruflin]

Lets have some more details here in the code docs. Jumping to the very long Github issue is not helpful. We can still leave the reference in, but lets add more details here.

[gizas]

Added some comments in beb7e85

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-09-07T08:49:47.976+0000

• Duration: 70 min 50 sec

Test stats 🧪

Test	Results
Failed	0
Passed	28237
Skipped	2013
Total	30250

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[gizas]

• This change seems to be only done in metricbeat. Doesn't the same happen in Filebeat and any other Beat?

Indeed eg. filebeat has the same configuration see

beats/x-pack/filebeat/cmd/root.go

Line 41 in 1c5541e

func defaultProcessors() []mapstr.M {

My first thought here is that we need it only for metricbeat and filestream (if we decide to) for now as these are related to kubernetes.

By a first look, auditbeat, osquerybeat and packetbeat initialise add_host_metadata processor as well, but dont need we need it for k8s.

@martijnvg do you think we need it also for filebeat? Our tests were run only for metrics that is why we focused only in metricbeat I guess

• Do we need additional documentation around this how a user could enable it (again) if they wanted to?

For now I added it only in the manifests https:/elastic/elastic-agent/pull/3354/files#diff-b85244108b202e9acc2f4eca1f918bb448bbd10a816a83123ec17f7cd3ca92b6

The other place I see that might feet is here: https://www.elastic.co/guide/en/fleet/current/agent-environment-variables.html

[martijnvg]

do you think we need it also for filebeat? Our tests were run only for metrics that is why we focused only in metricbeat I guess

I think this depends on whether local-link addresses add any value in the non metric use cases? I don't think so? But I think I'm not the person to answer this question.

[ruflin]

By a first look, auditbeat, osquerybeat and packetbeat initialise add_host_metadata processor as well, but dont need we need it for k8s.

My understanding is that when any of these Beats / Elastic Agent are run under k8s, the problem would exist. Is there anything special here around metrics? Is the assumption that the other beats are not run in k8s?

[ChrsMark]

Why to enable/disable this at this level and not inside the processor's implementation?
Wouldn't that be more generic without the need to configure every single Beat (also covering Agent)? And that would cover @ruflin 's concern at #36506 (comment), right?

[felixbarny]

👍 to do that inside the processor implementation. I think in the implementation we could even automatically check if this is running inside k8s or inside a container and either disable netinfo completely or filter out link-local addresses. See also elastic/integrations#6674 (comment).

[gizas]

Thank you all team.
Reverted changes per beat module and made those inside the processor. Building a new image and retesting and let you know

[gizas]

Adding the fix only to add-host-metadata processor (https:/elastic/beats/pull/36506/files#diff-03b979565735e6707425275586e3215f44192f46e1ac3b456516d93c653eba13R38) seems that works only for metricbeat. Somehow seems we override it for filestream? Will keep looking

[gizas]

Lessons learned, you need to remove both builds in order to force agent image to build from local code:
rm -rf x-pack/metricbeat/build/distributions/metricbeat-8.11.0-SNAPSHOT-linux-*
rm -rf x-pack/filebeat/build/distributions/filebeat-8.11.0-SNAPSHOT-linux-*

So all work by disabling netinfo in processor :
Filestream:

Metricbeat:

For documentation please review: elastic/ingest-docs#463

[ChrsMark]

The change LGTM. I left one comment about the env variable's name.

I think that skipping by default if k8s or containarized environment is detected would possibly be a breaking change at this point. Maybe some users want these data even in k8s envs.
So I think it's safer to go with the current approach.

[ChrsMark]

My only question would be the naming we want to choose here. Maybe sth like ELASTIC_NETINFO would be more explicit?

[gizas]

I agree lets not introduce a breaking change (I was thinking an old comment you had done).

For the naming you are killing me :) but I was expecting the debate , so seeing the page again https://www.elastic.co/guide/en/fleet/current/agent-environment-variables.html, I would go for ELASTIC_AGENT_NETINFO as strickly speaking this is a change on the agent side.

I would wait until tomorrow to see if others have any opinion and I would need to change all prs

[ruflin]

I think that skipping by default if k8s or containarized environment is detected would possibly be a breaking change at this point. Maybe some users want these data even in k8s envs.

I agree that this can potentially be considered a breaking change, at the same I'm not sure the use case where all these ip addresses would be used. If we don't change the default, most users will not get the benefits and have to make active changes to get the performance and storage benefits.

Do we agree false is the better default for most users? If we don't change it now, when would we change it? Maybe we can also separate the discussion and first get the change in to make it possible to disable and then figure out how we change the default in a good way. @felixbarny Thoughts?

[ruflin]

Lets make sure we have this documented. Can you expand the changelog to contain a mention of this env variable?

[gizas]

Let me know if this is ok, I added some info also there.

Also see elastic/ingest-docs#463

[ChrsMark]

Do we agree false is the better default for most users?

I believe we could just set ELASTIC_NETINFO to false by default within our k8s manifests as a first step. This has 2 main advantages:

1. The codebase itself does not introduce any possible breaking change.
2. We only affect the k8s use-case but from the configuration management point of view. This means that we have a reasonable default (to false) only for k8s deployments which can be easily changed from users by removing the variable definition from the k8s manifest (if needed).

If we agree on this here we can even change the manifests in this PR, or change those in a follow-up if we want to discuss it more. Whatever that fits better.

[felixbarny]

SGTM. The main thing that's important to me is that host.ip/host.mac is either truncated or removed from k8s data sets by default.

[gizas]

SGTM. The main thing that's important to me is that host.ip/host.mac is either truncated or removed from k8s data sets by default.

Thanks again all for the quick feedback. Default value in manifests is ELASTIC_NETINFO:false. So the host.ip and host.mac will be removed by default

[felixbarny]

So the host.ip and host.mac will be removed by default

I that also true for logs or just for metrics?

[gizas]

So the host.ip and host.mac will be removed by default

I that also true for logs or just for metrics?

Both . See tests #36506 (comment)

[ChrsMark]

The patch LGTM! Thanks!

[ruflin]

LGTM. Lets make sure we get this deployed directly in our test environments with the new configs and also get it into our cloud environments.

[felixbarny]

Optional suggestion to increase readability

Suggested change

	if valueNETINFO == "false" {
	return Config{
	NetInfoEnabled: false,
	CacheTTL: 5 * time.Minute,
	ExpireUpdateTimeout: time.Second * 10,
	ReplaceFields: true,
	}
	} else {
	return Config{
	NetInfoEnabled: true,
	CacheTTL: 5 * time.Minute,
	ExpireUpdateTimeout: time.Second * 10,
	ReplaceFields: true,
	}
	return Config{
	NetInfoEnabled: valueNETINFO == "true",
	CacheTTL: 5 * time.Minute,
	ExpireUpdateTimeout: time.Second * 10,
	ReplaceFields: true,
	}