kubernetes deployment - inotify issue #168
Assignees
Labels
Milestone
Comments
mmguero
added
cloud
|
This is interesting, and I think this makes sense. I think we can do some kind of polling without actually having to rewrite all of our stuff that uses inotify. I set up this stupid test:
So this makes sense: if you're in the same kernel space as the thing doing the inotify when you make the changes, the changes are seen. I think what this means is this: I do need to introduce polling, but I can do it in a generic way abstracted from the processes that are using inotify themselves. If I set up some script to run in the background of these containers that are doing the inotify stuff to be given a list of directories to watch and some parameters to determine that a file is "done" being written to (I can't rely on inotify, as we've determined, and I can see that lsof has the same issue), so maybe how long ago is the modify time, etc., then just simply "touch" the file, then the rest of the inotify stuff will work as designed. |
|
The python library watchdog (github) might be a good choice for this without reinventing the wheel. It specifically has a pollingobserver designed for this exact scenario. |
mmguero
added a commit
that referenced
this issue
Mar 29, 2023
|
Files that need adjusted:
I think I will use watchdog directly in the .py scripts, and figure out a way to hook into what it's doing polling-wise and touch the files for the bash stuff. |
|
Hmm, although there might be some issue with the fact the close event doesn't happen with the polling observer. |
piercema
added a commit
that referenced
this issue
Apr 3, 2023
mmguero
added a commit
that referenced
this issue
Apr 3, 2023
mmguero
added a commit
that referenced
this issue
Apr 3, 2023
mmguero
added a commit
that referenced
this issue
Apr 5, 2023
mmguero
added a commit
that referenced
this issue
Apr 5, 2023
|
This has been a bit of a hassle due to trying to distinguish between "modify file attributes" (like access time) and "modify file contents" events (see gorakhargosh/watchdog#800 and gorakhargosh/watchdog#260) but I think I've got it working. It seems to all work in both polling and non-polling mode now. I will test it out in k3s with NFS storage using polling next week. |
mmguero
added a commit
to mmguero-dev/Malcolm
that referenced
this issue
Apr 25, 2023
…econds of inactivity. wait for FileClosedEvent instead
mmguero
added a commit
to mmguero-dev/Malcolm
that referenced
this issue
Apr 25, 2023
…econds of inactivity, be a little smarter
This was referenced May 1, 2023
Merged
mmguero
added a commit
that referenced
this issue
May 1, 2023
Malcolm v23.05.0 Malcolm v23.05.0 is a major release with new features, enhancements, component version updates and bug fixes. IMPORTANT NOTE: Malcolm v23.05.0 has completely changed the way it manages its settings: rather than using environment variables found at the top of the `docker-compose.yml` file, it uses environment variables in `.env` files inside of the `config` directory. The locations of a number of configuration files have also changed. It's not recommended to update to Malcolm v23.05.0 from a previous version of Malcolm. Instead, shut down Malcolm, rename your old Malcolm installation directory to something else, and reconfigure Malcolm using `./scripts/configure` and `./scripts/auth_setup`. v23.04.0...v23.05.0 * New features - integrate [ICSNPP-Synchrophasor](https://github.com/cisagov/icsnpp-synchrophasor/) parser (#190) - [End-to-end Malcolm and Hedgehog Linux ISO Installation]((https://idaholab.github.io/Malcolm/docs/malcolm-hedgehog-e2e-iso-install.html#InstallationExample) document (#181) - support Malcolm deployment with Kubernetes (#149) + see [Deploying Malcolm with Kubernetes](https://idaholab.github.io/Malcolm/docs/kubernetes.html#Kubernetes) + This could be considered a "beta" release for Malcolm deployment with Kubernetes, as there is still [some work](https://github.com/idaholab/Malcolm/issues?q=is%3Aissue+is%3Aopen+kubernetes) to be done in this area. Please let us know what issues or suggestions you have via the [issue tracker](https://github.com/idaholab/Malcolm/issues) or via email to [malcolm@inl.gov](mailto:malcolm@inl.gov?subject=Malcolm). + contributing issues: * inotify issue (#168) * htadmin/nginx and htpasswd (#169) * opensearch (#170) * uploading large PCAP files (#171) * script consolidation (#172) * documentation (#173) * user-defined persistent volumes (#174) * opensearch keystore (#176) * expose other TCP services (#183) * provide with filebeat access to nginx access and error logs (#186) * use Secrets for some environment variables instead of ConfigMaps (#189) * Enhancements and fixes * remove name-map-ui container (#165) in favor of using NetBox for asset identification * Python script refactoring, consolidation and cleanup * standardization of Docker container entrypoints * create `./scripts/configure` alias for `./scripts/install.py --configure` * Component version updates - Arkime to [v4.3.0](https://github.com/arkime/arkime/blob/fa0db2415bdc109be7a4dd8ee2c2838673980b5f/CHANGELOG#L33-L72) - Capa to [v5.1.0](https://github.com/mandiant/capa/releases/tag/v5.1.0) - Fluent Bit to [v2.1.2](https://fluentbit.io/announcements/v2.1.2/) - NetBox to [v3.5.0](https://github.com/netbox-community/netbox/releases/tag/v3.5.0) - NGINX to [v1.22.1](http://nginx.org/en/CHANGES-1.22) - Supercronic to [v0.2.24](https://github.com/aptible/supercronic/releases/tag/v0.2.24) - Suricata to [v6.0.10](https://suricata.io/2023/01/31/suricata-6-0-10-released/) - Yara to [v4.3.0](https://github.com/VirusTotal/yara/releases/tag/v4.3.0) - Zeek to [v5.2.1](https://github.com/zeek/zeek/releases/tag/v5.2.1)
mmguero
added a commit
to cisagov/Malcolm
that referenced
this issue
May 1, 2023
Malcolm v23.05.0 Malcolm v23.05.0 is a major release with new features, enhancements, component version updates and bug fixes. IMPORTANT NOTE: Malcolm v23.05.0 has completely changed the way it manages its settings: rather than using environment variables found at the top of the `docker-compose.yml` file, it uses environment variables in `.env` files inside of the `config` directory. The locations of a number of configuration files have also changed. It's not recommended to update to Malcolm v23.05.0 from a previous version of Malcolm. Instead, shut down Malcolm, rename your old Malcolm installation directory to something else, and reconfigure Malcolm using `./scripts/configure` and `./scripts/auth_setup`. v23.04.0...v23.05.0 * New features - integrate [ICSNPP-Synchrophasor](https://github.com/cisagov/icsnpp-synchrophasor/) parser (idaholab#190) - [End-to-end Malcolm and Hedgehog Linux ISO Installation((cisagov://cisagov.github.io/Malcolm/docs/malcolm-hedgehog-e2e-iso-install.html#InstallationExample) document (idaholab#181) - support Malcolm deployment with Kubernetes (idaholab#149) + see [Deploying Malcolm with Kubernetes](https://idaholab.github.io/Malcolm/docs/kubernetes.html#Kubernetes) + This could be considered a "beta" release for Malcolm deployment with Kubernetes, as there is still [some work](https://github.com/idaholab/Malcolm/issues?q=is%3Aissue+is%3Aopen+kubernetes) to be done in this area. Please let us know what issues or suggestions you have via the [issue tracker](https://github.com/idaholab/Malcolm/issues) or via email to [malcolm@inl.gov](mailto:malcolm@inl.gov?subject=Malcolm). + contributing issues: * inotify issue (idaholab#168) * htadmin/nginx and htpasswd (idaholab#169) * opensearch (idaholab#170) * uploading large PCAP files (idaholab#171) * script consolidation (idaholab#172) * documentation (idaholab#173) * user-defined persistent volumes (idaholab#174) * opensearch keystore (idaholab#176) * expose other TCP services (idaholab#183) * provide with filebeat access to nginx access and error logs (idaholab#186) * use Secrets for some environment variables instead of ConfigMaps (idaholab#189) * Enhancements and fixes * remove name-map-ui container (idaholab#165) in favor of using NetBox for asset identification * Python script refactoring, consolidation and cleanup * standardization of Docker container entrypoints * create `./scripts/configure` alias for `./scripts/install.py --configure` * Component version updates - Arkime to [v4.3.0](https://github.com/arkime/arkime/blob/fa0db2415bdc109be7a4dd8ee2c2838673980b5f/CHANGELOG#L33-L72) - Capa to [v5.1.0](https://github.com/mandiant/capa/releases/tag/v5.1.0) - Fluent Bit to [v2.1.2](https://fluentbit.io/announcements/v2.1.2/) - NetBox to [v3.5.0](https://github.com/netbox-community/netbox/releases/tag/v3.5.0) - NGINX to [v1.22.1](http://nginx.org/en/CHANGES-1.22) - Supercronic to [v0.2.24](https://github.com/aptible/supercronic/releases/tag/v0.2.24) - Suricata to [v6.0.10](https://suricata.io/2023/01/31/suricata-6-0-10-released/) - Yara to [v4.3.0](https://github.com/VirusTotal/yara/releases/tag/v4.3.0) - Zeek to [v5.2.1](https://github.com/zeek/zeek/releases/tag/v5.2.1)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sub-issue of #149.
A lot of the code in Malcolm that deals with processing PCAP, processing logs, processing extracted files, relies on inotify (here is one good example). However, with a PersistentVolume over NFS, it doesn't appear we're getting those events. That would make sense, as from what I understand inotify is a kernel thing and it may not be propogated over NFS. We need to figure out if this is something we can "fix" magically and make work everywhere with all types of persistentvolumes (which, unfortunately, I kind of doubt) or come up with something else (probably some kind of polling). Grepping
inotifyin the source code will show where we need to do it.The text was updated successfully, but these errors were encountered: