Currently fleet-server is also built for 32bit version: https://github.com/elastic/fleet-server/blob/master/Makefile#L3 I think for simplicity fleet-server is not required in 32bit and we should drop support for it. This issue is to discuss this.

This issue is to keep a list of all the things that should be documented for fleet-server.

• What is fleet-server. Describe architecture on a high level
• How is fleet-server run / setup
  • Prerequisites, eg. 7.13+, ECE 2.10+
  • What params exist
  • What environment variables exist
  • What needs to be done in Fleet?
  • How to enroll an Elastic Agent into fleet-server
• Existing config options
• Fleet-server in docker
  • How is it different? Non upgradable, different paths elastic/beats#24817
  • What environment variables exist
  • Example setup for docker-compose
• Monitoring of fleet-server
• Setup in Kubernetes
• Compatibility: Elasticsearch >= Fleet Server >= Elastic Agent. Bugfix releases might differ. Kibana is assumed to be on the same minor as Elasticsearch.

The fleet-server should be instrumented with our go apm Agent so we can use APM to get information out of fleet-server.

Two places we could start with:

• instrument http router https://github.com/elastic/apm-agent-go/blob/master/module/apmhttprouter/router.go
• instrument elasticsearch client: https://github.com/elastic/go-elasticsearch/blob/c653ef6811d294db6a7cb0efbeae96db24ead2da/_examples/instrumentation/apmelasticsearch.go#L66

Describe the enhancement:

Fleet Server relies on a set of indices to store operational data about Fleet. These indices must be created early in the system lifecycle. Currently the indices are instantiated in Kibana. This enhancement will move the instantiation to the Elastic Stack where the fleet indices will be treated as managed system indices. Moving forward, updates and migrations of these indices will be managed by the system indices plugins.

Describe a specific use case for the enhancement or feature:

We 7 indices we are dependent on, and one data stream with an ILM policy:

Indices

.fleet-actions
.fleet-agents
.fleet-enrollment-api-keys
.fleet-policies
.fleet-policies-leader
.fleet-servers
.fleet-artifacts

DataStream

.fleet-actions-results and ILM policy for the data stream.

Note: The indices creation had moved over to Kibana, however the data stream was still being created via package management. That was an oversight.

Known issues

• The indices/datastreams are not instantiated in the system indices plugin until the first document is written to them. The code in Kibana does not currently expect that. Is there a way to "touch" each of the indices at Kibana boot so we don't have to fix the reads of indices in Kibana to handle the "does not yet exist" case?
• System Indices does not yet support the concept of a system managed ILM policy. So the ILM policy for .fleet-action-results will likely remain in the package, or have to put into Kibana. Question on race condition: what happens if the package is installed before the data stream is instantiated? Does trying to add an ILM policy to a system managed data stream cause it to be created?

@jaymode will do the initial implementation in the Elastic Stack for this integration. Moving forward, the Fleet Team will pick up maintenance. This is expected to land for 7.13.

At the moment the newly added cache key is at the top-level of the configuration. It should have been added nested under the input:

inputs:
  - type: fleet-server
    cache:
       ...

Without it in this structure these values will never be able to be adjusted when running under Agent, which is the only officially supported way of running Fleet Server.

Description

Blocking elastic/beats#24725

When creating a policy without integrations, looks like Fleet server is in a stuck phase where it's not possible to create new policy change, new policy with integrations.

How to reproduce

1. create a policy without any integrations
2. Try to assign an agent to that policy or to trigger a policy change of a previous policy nothings happen.

The Fleet server URL is required to be set in Kibana before the Fleet server bootstraps itself. When the user installs Fleet server, we should check if the Fleet server URL has been set. If it has not, we should display an error message in the logs telling the user to set it up in Kibana. Ideally, it will also provide a link to the docs where they can learn more.

Related:

• Fleet server URL requirements elastic/kibana#89442

Some Fleet operators would like to ensure consistent performance for integrations running on hosted Elastic Agents. This is particularly important for Synthetics because a change in the underlying host resources may create noise that could impact the accuracy of website performance measurement. It is also important for APM server where operators want to ensure the performance for loading real time APM and Otel data. Some integrations like Fleet server and AWS will have spikey workloads so it makes sense to segregate them.

User stories:

• As a Fleet operator, I want to specify that some types of inputs are only allowed to run on dedicated hosts
• As a Fleet operator, I want Fleet to automatically assign inputs so that I don't need to manually update agent policies when they undergo maintenance or I add/remove nodes.

Open questions:

• How important is it to specify a number of hosts > 1?
• How important is to run a set of inputs on a dedicated host vs a single input?

We'd like to gracefully manage the capacity of the Fleet Server to prevent it from crashing. In the first phase, there will be hard limit(s) and users must manually adjust them. The overall meta issue defines the subsequent phases where we hope to make this more automatic.

We've already implemented a max connection limit here #122 and we've added this limit to the integration policy here elastic/integrations#803

Requirements:

• Users can update the limit(s) in the integration policy, and they are applied dynamically to the fleet server (they are "live" settings).
• Add docs on the limit(s) to the Fleet Server's operator's guide https://github.com/elastic/obs-dc-team/issues/147. Describe how users can edit the limit(s), guidance on what they should set the limit(s) to #134, how they know when the limit(s) are hit.

Curently old actions are not cleaned up. Actions should be cleaned up automatically after a certain time (2 weeks?)

Fleet-Server has a tight integration with Elasticsearch. Part of our tests suite should run against and actual version of Elasticsearch, for example the setup part.

Describe the enhancement:

To prevent a fleet server from allocating too many resources in a low resource environment, allow an optional hard limit on the number of concurrently accepted connections. The option will be disabled by default.

It needs to be defined which metrics from the fleet-server should be collected and how they are exposed.

Describe the enhancement:
Report degraded status from Fleet Server if there is an issue with indices monitoring and keep Fleet Server running.
The Fleet Server will not be able to detect new actions and the new policy changes in this state.
Follow up on #115

Describe a specific use case for the enhancement or feature:
The current implementation of the new actions and policy changes detection relies on the Elasticsearch index global checkpoint. In order for it to work properly we can only have one index/one shard for the documents, possibly until we get a more robust support for this feature at Elasticsearch level.
Presently the .fleet-actions and .fleet-policies indices are replaced with aliases.
Need to handle the situation were we have two or more indices by mistake behind the alias, log the error, indicated the degraded status back to the agent and keep Fleet Server running.

Adding the issue so we don't forget about this after coming back after holidays.

First noticed the intermittent CI failures with TestMonitor_NewPolicyExists test on master branch.
Then it randomly was failing blocking this PR:
#46

CI failure upon merging to master (the PR built ok).

Screenshot of CI build log

I could not reproduce the failure locally, and it looks like the timing issue that is more frequent with slower CI environment when starting the policy monitor in the test
If you add a small delay in the go routine that starts the monitor something like time.Sleep(100*time.Millisecond), here:
https://github.com/elastic/fleet-server/blob/master/internal/pkg/policy/monitor_test.go#L284
you would be able to reproduce the issue.

Picking up on async communication initiated by @ruflin the Fleet Server should run on a default port not likely to conflict with other ports. At the moment it runs on 8000.

This issue should reflect the decision about the port.

For sizing of the Fleet Server when running on Cloud, ensure that settings for internal cache instances can be configured, to be able to control the cache size.

See elastic/beats#24323 for more details.

Better index changes monitoring, that reduces the number of requests to Elasticsearch (due to global checkout checks). There was a discussion with the elasticsearch team about implementing the sequence number monitoring as a part of the system index plugin.

Checkpoint Monitoring is broken after a change in .fleet indices bootstrapping by kibana that replaced .fleet-policies and .fleet-actions indices with aliases.

For example the API call

GET .fleet-actions/_stats?level=shards

returns

  "indices" : {
    ".fleet-actions_1" : {
      "uuid" : "WdDo6Ji4Qva-ohKtQL3zPw",

and ".fleet-actions_1" doesn't match the index name as currently expected, so the global checkpoint is not found.

One possible issue down the road with aliasing the index is that there is nothing that enforces only one index under the given alias.
Adding the second index will break the seq_no based monitoring.

Dynamic mappings are a dangerous privilege to grant to an untrusted endpoint:

1. An attacker could overwhelm the index with a bunch of bogus mappings intended to prevent new valid mappings from being created, hitting the mapping limits.
2. An attacker could, if the timing is right, purposely mis-map a field such that subsequent valid documents would fail due to mapping exceptions.

To support only "create_doc" privileges, the dynamic mapping would need to be removed from the data stream templates, and all data streams would have to be created before the agents start streaming data.

The built-in index_templates for logs*,metrics*,synthetics*, etc, all contain a dynamic template:

 "dynamic_templates" : [
              {
                "strings_as_keyword" : {
                  "mapping" : {
                    "ignore_above" : 1024,
                    "type" : "keyword"
                  },
                  "match_mapping_type" : "string"
                }
              }
            ],

Dynamic mapping would need to be removed from the default index templates. Runtime queries should be used instead for generic indices, and explicit index templates for specific use cases.

We have a repo that we use to run Agent (and other Fleet related) tests:
https://github.com/elastic/e2e-testing

When Agent shifted to use Fleet server adjusted the available tests, here:
elastic/e2e-testing#438
Though we still need to flesh out and implement deeper actual Fleet Server tests:
elastic/e2e-testing#1266

Still, with the coverage we have, we can make use of those tests in the actual Fleet-Server repo CI, which is what this ticket is in support of. We need to itemize what details we need of:

• the Fleet Server repo compilation of the artifacts
• - does this include how to build a Docker image with an updated Fleet server from source?
• and how to make use of the newly compiled artifacts to be built into Elastic Agent artifact(s)
• Then, in the fleet-server repo we need to add more to the ci jenkins file, managed in the other issue

The ci hook will run a desired set of e2e-testing scenarios like what we have done for Agent and Kibana. Reference this groovy file for info:
https://github.com/mdelapenya/beats/blob/921a3d52e60db04e0c92712203f097157f290265/.ci/packaging.groovy

This ticket is for documenting the knowledge and steps / logistics.

There is a separate ticket for implementing e2e-testing side changes, here:
elastic/e2e-testing#1411

Description

In a docker container
While configuring the host to 0.0.0.0 through the fleet server integration elastic/integrations#806 the fleet server inside the container is still bind to localhost.

The Elasticsearch dsl in https://github.com/elastic/fleet-server/tree/master/internal/pkg/dsl was initially implemented for a POC. Tests should be added and the code reviewed for improvements.

It seems also quite a few of the methods are not used anymore and should be removed.

Initial Scale Testing Findings. February 17th, 2021.

Could not use https://staging.found.no/ due to the fleetServerEnabled flag that needs to be in kibana.yml config, lack of ssh access or ability to update that flag via deployment UI.

Had to build the cluster from scratch on GCP.
Did the first round of testing using the similar cluster configuration
that you get out of the box (without customizations) for io optimized deployment
which is 3 node cluster: 1 voting only, 2 8GB RAM, 240GB HDD data nodes.

n1-standard-2 (2 vCPUs, 7.5 GB memory)

Horde with 4 worker nodes:

Dedicated Fleet Server box:

n1-standard-2 (2 vCPUs, 7.5 GB memory)

This deployment configuration works ok for 20K (20 thousands) agents, smooth enrollment and checkins.
Peak of the load happens during enrollment phase, which be helped by rate limiting the enrollment speed with horde.
After that the checking in is fairly quiet, low CPU on Fleet Server box.

Fleet Server allocates more memory during enrollment:
After enrolling 11K agents: RES memory is at 1.5GB
After enrolling 20K agents: RES memory is at 2.7GB

Stopping all the agents, restarting Fleet Server and just deploying already enrolled agents:
After deploying 11K agents: RES memory is at 632MB
After deploying 20K agents: RES memory is at 1.2GB

ES load at 20K agents checking in:

Could push another 5K agents to 25K, but needs to be done slowly otherwise starting getting lots of 503s from ES and ACK failures with i/o timeouts:

Eventually 25K agents can be rolled out.
ES load at 25K agents checking in:

The ES data node at 20K agents checking in spikes at 100%, the load average is pretty much at full capacity

The Fleet Server at 25K agents, just checking in:

Conclusion

• 20K agents with not much activity besides checking seems to work ok with Fleet Server and the default io optimized deployment. The bottleneck at this point it seems the ES cluster.
• Need to test with the beefier ES cluster and see how far we can push it. Next on my list to do.
• Need to test how it holds with some activity like policy updates or actions.
• Need to research more on i/o timeout on ACKs under load, around over 24K agents. If this is caused by ES or Fleet Server of combination due to load.

Anything else that I forgot to mention?

Would be nice to have

Would be nice to have an ability to use https://staging.found.no/ for testing, to avoid manually setting up the clusters and get the actual parity with the configuration that customers get with Elastic Cloud deployments. Need to have additional setting in kibana.yml:

xpack.fleet.agents.fleetServerEnabled: true

Currently if you try to do that from UI you get an error:

An Elastic Agent with a Fleet Server inside must enroll itself.

This is a meta issue about all the tasks related to Phase 1 of the Fleet Server project.

• Fleet Server is run by Elastic Agent elastic/beats#22686 elastic/beats#23736 (@blakerouse )
• Elastic Agent with Fleet Server enrolls itself #55 (@blakerouse )
• Elastic Agents can connect to Fleet Server and receive policies
• Bootstrapping of Elasticsearch indices works #51 (@scunningham )
• Usage of same data structure by Fleet in Kibana and Fleet Server (@nchaulet )
• Define Data model (@blakerouse )
• Actions like unenroll, upgrade etc. should work. Support the token. (@aleksmaus )
• User permission definition #60 (@scunningham )
• Fleet Server package elastic/integrations#524 (@aleksmaus )
• Fleet Server onboarding flow elastic/kibana#89396 (@mostlyjason )

CI

• Fleet-Server is built as part of the release manager (@michalpristas )
• End to end tests exists for Elastic Agent startup, agent enrollment and receiving policy. elastic/e2e-testing#438 (@blakerouse )
• Scale testing setup #25 (@aleksmaus )

We'd like to provide updated scaling guidance for the new Fleet server on ESS. We currently publish scaling guidance to help users determine how many agents they can realistically expect to enroll into a given instance size for the hosted agent on cloud https://www.elastic.co/guide/en/fleet/current/fleet-limitations.html. This was based on Kibana so we should update it for Fleet Server.

We should identify how many agents can be enrolled into the APM & Fleet slider at each increment of memory up to the max node memory size (8GB). This will help the user identify how to set the connection limit in the Fleet Server integration policy. #153

I think we also need to make some assumptions about workload when giving our guidance. Fleet server is now bundled with APM server on the same instance, but not all users of Fleet server will necessarily be using APM server. I think it'd be more clear to assume minimal or no APM usage beyond the baseline, so we can isolate the requirements for Fleet Server capacity. The resource needs may also vary between the initial ramp up of enrolling agents and the steady state load of check ins once the agents are enrolled. We should at least cover the check in load requirements when setting a max.

Resource usage may vary in real world scenarios, so we'll also provide observability into resource usage to help users know when to scale their slider once in production.

Stretch goal:

• Guidance on whether the user should scale ES nodes to handle increased search traffic

Related discussions:

• Fleet server scale testing #95
• Instance type for cloud https://github.com/elastic/cloud/issues/72128
• Resource usage in one container https://github.com/elastic/obs-dc-team/issues/470

Currently all Elastic Agents enrolled into the fleet-server get the same permissions. To cover all the use cases these are the most permissive permissions. This proposal is to reduce the permissions given to an Elastic Agent based on the the policy. With this, each Elastic Agent would receive an API Key with the minimal permissions needed to get its job done.

Elastic Agent Policy contains permissions block

The fleet-server creates the API Keys for the Elastic Agents. Which permissions an Elastic Agent requires is based on the content of the policy. Because of this the policy should contain a section with the permissions it requires. This section could look similar to the following (inspired by Elasticsearch API Key permissions):

policy: A
permissions: [
  {
    "names": ["logs-*", "metrics-*"],
    "privileges": ["create_doc"]
  }
]

The above would give create_doc permissions for the logs-* and metrics-* data streams. If an Elastic Agent is enrolled for the policy A, an Elasticsearch output API Key would be created with only the above permissions and added to the policy.

The above model also works for more complex cases. Lets assume we have a case where only 2 indices should be allowed to be written to and one index should have read permissions. This could look as following:

policy: B
permissions: [
  {
    "names": ["logs-nginx.access-default", "logs-nginx.error-default"],
    "privileges": ["create_doc"]
  },
  {
    "names": ["state-docs"],
    "privileges": ["create_doc", "read"]
  }
]

If an Elastic Agent is enrolled for policy B, the permissions to write to the nginx indices is given and read from the state-docs index.

In general, this model can be used to be as permissive or restrive as needed based on the Elasticearch permission model. The limitation on the maximum permissions that can be given to an Elastic Agent is the permissions the fleet-server user itself has.

Change of policy

A change to a policy can mean the permission required on the Elastic Agent changes. For example at first only nginx access logs were collected but now also error logs. This means additional privileges for the error log data stream are required. The fleet-server must be able to hand out new API Keys with increased / reduced permissions in case of policy changes. In addition, old API Keys have to be invalidated.

Same permissions for all processes per Elastic Agent

The above assumes there are no sub permissions per input in an Elastic Agent. Whatever runs in an Elastic Agent, the input that requires the most permissions will defined the permissions of the API Key. If for example APM Integration is run together with the Endpoint integration and APM process requires read access to certain indices, the Endpoint process would also get the same permissions. This simplifies the permissions model.

On the policy creation side, it is important to notify the user about potential issues through concept likes Trusted / Untrusted integrations or similar, but this is not part of the privileges concept itself.

Fleet

The permissions which are part of the policy need to be created somewhere. It is expected that these are created in Fleet. Every integration should have the option to specify which permissions it needs. Based on this information and the user input like namespace, Fleet needs to generate the permission block. The UX and parts needed in Fleet should be discussed separately.

A username / password needs to be passed into the fleet-server to work. It needs to be defined what the permissions are that are required for this user.

For reference, the current permissions of the fleet-user can be found here: https://github.com/elastic/kibana/blob/master/x-pack/plugins/fleet/server/services/setup.ts#L140

Description

Currently the agent request timeout after 5 minute, if there is no action Fleet server send the request just at 5 minute causing timing issue and errors on the agent:

[elastic_agent][error] Could not communicate with Checking API will retry, error: fail to checkin to fleet: Post "http://localhost:8000/api/fleet/agents/c7b3cca1-737e-422e-87aa-5367d795a650/checkin?": net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Currently Elastic Agent talks to Kibana and verifies the version. In the future this will fleet-server. For Elastic Agent there are 2 compatibility parts:

• Standalone: Compatibility with Elasticsearch
• Managed: Compatibility with fleet-server

As the compatibility with Elasticsearch in the managed mode is enforced by fleet-server (#167) this should not be an issue. In general the compatibility looks as following:

Elastic Agent <= fleet-server <= Elasticsearch

The bugfix release might differ. The last minor or Elastic Agent in a major should be compatible with the first minor of the next major of fleet-server. Same for Elasticsearch. This means fleet-server / Elasticsearch must be upgraded first.

At the moment the ACK of an unenroll action does not invalidate the API keys for the Agent. It needs to invalidate both the API key used to communicate with Fleet Server as well as its output API key used for communication to Elasticsearch.

Overview

Fleet Server needs to be bootstrapped by the Elastic Agent and be running with TLS. At the moment the bootstrap is all HTTP, which is not secure.

The goal is for in the default case that security is priority #1 followed by a good user experience. We would rather communication between a remote Elastic Agent and Fleet Server fail due to invalid TLS configuration versus being successful with insecure TLS communication.

Cloud Solution

When Fleet Server is bootstrapped by the Cloud then all the certificates will be provided to the bootstrap command allowing Fleet Server to start with the required certificates that the Cloud expects.

./elastic-agent enroll --fleet-server <connection_str> --enrollment-token <token> --cert <path_to_cert> --cert-key <path_to_cert_key>

On-prem Solution

In a customer deployment outside of Cloud they will have options.

Option 1 (Production Custom Certs)

They generate there own certificates that are verifiable by the other Elastic Agents in there organization, they pass these in the same way Cloud does.

./elastic-agent enroll --fleet-server <connection_str> --enrollment-token <token> --cert <path_to_cert> --cert-key <path_to_cert_key>

Option 2 (Auto-generated)

If no --cert* flags are passed to Elastic Agent then Elastic Agent will auto-generate a self-signed certificate with the hostname of the machine.

./elastic-agent enroll --fleet-server <connection_str> --enrollment-token <token>

This means that another Elastic Agent that is enrolling to this Fleet Server, needs to be explicit that it accepts the fact that the certificate is self-generated.

./elastic-agent enroll --url <url_to_fleet_server> --enrollment-token <token> --insecure

If they do not provide the --insecure flag then it will fail to actually connect to the Fleet Server to enroll. We should update this printed message to make it clear that is why it did not work.

Option 3 (HTTP-only BAD)

This is the final option in which they only want to run the Elastic Agent and Fleet Server with only HTTP. This is not recommended but is useful for development or in maybe special cases. In this case it is also best to ensure the Fleet Server is bound to the localhost which Elastic Agent will do by default with the --fleet-server-insecure-http flag.

./elastic-agent enroll --fleet-server <connection_str> --enrollment-token <token> --fleet-server-insecure-http

If they really want it to run in HTTP and not on localhost --fleet-server-bind 0.0.0.0 can be used.

This is a reminder issue that early on we should start to test fleet-server at scale with many Elastic Agents connected to it and potentially more then a fleet-server at the time.

Currently the bootstrapping of the fleet-server indices happens in fleet-server. This issue is to come to a conclusion on where the bootstrapping should happen (fleet-server, Elasticsearch, Kibana) for the first phase.

Related issues / PRs:

• System index plugin in Elasticsearch elastic/elasticsearch#64971 elastic/elasticsearch#65275

Fleet Server is compatible with an Elasticsearch version >= the fleet-server version of the same major. The bugfix version differ. On majors, it is expected that the last minor of fleet-server is compatible with the first minor of the next major Elasticsearch version.

This issue is to document and verify that these restrictions are in place.

Kibana is expected to be on the same version as Elasticsearch. Upgrades work in the following order: Elasticsearch, Kibana, Fleet-server, Elastic Agents.

Few examples (made up versions):

• fleet-server 7.13.0, Elasticsearch 7.13.0: yes
• fleet-server 7.13.2, Elasticsearch 7.13.1: yes
• fleet-server 7.13.2, Elasticsearch 7.14.2: yes
• fleet-server 7.last, Elasticsearch 8.0.0: yes
• fleet-server 7.14.0, Elasticsearch 7.13.0: no
• fleet-server 8.0.0, Elasticsearch 7.last: no

Description

In Kibana We are currently creating an action INTERNAL_POLICY_REASSIGN to know when we need to fetch again the agent and distribute a new policy, this should probably handled in Fleet Server too.

As part of the fleet-server CI some of the test should be run against Elasticsearch. apm-server today already has a go based framework to do this for apm-server: https://github.com/elastic/apm-server/tree/master/systemtest We could reuse (copy) parts of it and use it for the fleet-server to test some of the parts.

From elastic/integrations#729 we need to ensure that Fleet Server is returning gzipped compressed responses to the Elastic Agent.

ES reference: elastic/elasticsearch#48182

The way actions work in Elastic Agent should be improved. Most of the work here probably must happen in the Elastic Agent itself. Filing it here for now as the new action implementation is driven by fleet server.

High level notes (needs more details):

• The agent side changes (as far as I understand):
  • action token exchange on checkin
  • agent actions routing (specifically for osquery in short term)
  • agent actions result/status/error forwarding from the "app" to the fleet server
  • the agent managing the Fleet Server launch

Description

Currently in Kibana we rely on the propert policy_revision of the agent to display the agent policy revision these field was populated when the agent ack the policy change action

Tested against that branch elastic/kibana#89372

Observability for Fleet Servers is important because operators are expected to scale them manually. They are also expected to troubleshoot operational issues and fix them. This is true in various degrees from self-managed environments, to ECE/ECK and ESS. As a result, we should provide users visibility to issues and documentation on how to address common ones.

As a Fleet operator, I need:

• Logs, metric and status information to help me scale and troubleshoot issues elastic/beats#24415
• Fleet Server integration dashboard elastic/integrations#812
• Documentation for Fleet Server operators on to observe it, scale it, scaling limits, restrictions, etc.

Out of scope:

• A notification in the Fleet app when Fleet Server is not healthy so I understand why updates are not being applied elastic/kibana#95572

Related issues:

• Agent integration dashboard https://github.com/elastic/beats/issues/23948
• Enable system metrics on Elastic Cloud agent policy elastic/kibana#96248

fleet-server should log by default in ecs format. Ideally it uses the ecs logging library: elastic/beats#17974 This important to make sure if all the logs are shipped into a single index for the Elastic Agent and its processes, there are no conflicts.

Related ECS logging for Elastic Agent: elastic/beats#23871

Background

In Kibana, when agents are enrolled and running Endpoint, the following KQL filter in the Agents list view is no longer displaying only the agents that are running endpoint integration:

packages : "endpoint"

Work is in progress to get auto backports into the beats repository: elastic/beats#24608 Same should be done for the fleet-server repo.

When incoming connections to Fleet server exceed the capacity for that server, we should gracefully reject those connections. This will allow the clients to be load balanced to other nodes, when available.

Currently, Fleet server will consume all available RAM as the number of connections increases until it triggers the OOM killer. This will have a negative impact on clients and other processes. When a fleet server is killed, it will drop all connections, which would require many thousands of clients to reconnect, using a lot of CPU and prevent users from making updates or trigger response actions during that period. It will also negatively affect other processes running in the same container, such as APM server or Beats.

Requirements:

• We should reject incoming connections rather than crash or trigger the OOM killer
• We should account for ESS and self-managed clusters. We should not solely rely on a proxy to enforce limits.
• The capacity should adjust based on the instance size in ESS/ECE and self-managed hosts
• We should provide some buffer for other processes in the same container, such as metricbeat which is essential to alert operators to scale capacity

Implementation phases:

• 1. Hard limit with manual adjustment in the integration policy #185
• 2. #466
• 3. Automatically accept more connections on larger instances https://github.com/elastic/fleet-server/issues/186
• 4. Autoscaling in ESS/ECE when limit is hit

Open questions:

1. What is the best approach to gracefully reject connections? Is it a hard limit, or can it intelligently reject connections if there is not enough free memory available?
   • Answer: Start with a hard limit and let the user adjust it. Make it more intelligent in a second phase.
2. Can we return an HTTP error code like 503 so the client knows why the request is rejected? It may be expensive to accept more TLS connections only to reject them. An alternative could be to give a tcp reset. This is not as clear when troubleshooting because tcp resets can also occur for other reasons like network connectivity.
   • Answer: Start with TCP reset because it doesn't require a TLS connection to be accepted, which would require more memory
3. If there is a limit, can we adjust it automatically so that the user does not need to manually adjust it, in ESS/ECE or self-managed hosts? Can it adjust so the cloud API doesn't need to alter the configuration? For example, the limit could be calculated based on the environment when the fleet server starts.
   • Answer: Lets target this for a second phase
4. Can we reject connections based on the amount of memory available? If other processes use too much memory, the fleet server might run out of memory before hitting a hard connection limit. This would lead us to use wider operating margins which are less cost efficient.
   • Answer from Steffen: The Agent would be in a better place to monitor and adapt limits dynamically if there is need. I don't think this is a short term goal.

Related issues:

• Fleet server should provide metrics on the number of rejected requests elastic/beats#24415

Goal of this phase is to bring Fleet-Server to beta stage. This is a meta tracking issue.

• Use Elasticsearch system indices (@scunningham)
  • Elasticsearch change: elastic/elasticsearch#68919
  • Fleet server system indices #135 (Jay)
  • Switch fleet-server over to system indices
• Elastic Agent with Fleet Server enrolls itself #55
• User permission definition #60 (@scunningham )
• Support TLS #90 (@blakerouse )
• Metrics of Fleet Server #99 (@scunningham )
• Handle existing actions like upgrade properly ( @blakerouse )
• Pull out saved object code ( @aleksmaus )
• More granular permissions #101 (@aleksmaus )
• Implement support for API Key metadata. ES reference: elastic/elasticsearch#48182 #193 (@aleksmaus )
• Add support for service tokens for fleet-server (@blakerouse )
• Validate Elasticsearch version for compatibility #167 (@blakerouse )
• Validate fleet-server compatibility in Elastic Agent https://github.com/elastic/beats/issues/24720 (@blakerouse )

Bugs

• .fleet-actions index not found #246

CI

• End to end tests exists for Elastic Agent startup, agent enrollment and receiving policy. elastic/e2e-testing#438 (@blakerouse )
• Scale testing setup #95 (@aleksmaus )
  • Basic APM Server testing in Cloud container (@simitt)
  • Basic fleet-server testing in Cloud container (@scunningham )

Docs (@ph )

Currently, the user is required to set the Fleet Server host in Fleet Settings before installing Fleet Server. If they do not, the agent will get a policy with no valid hosts and it will no longer receive updates. I'm worried that not all users will read the instructions carefully. It'd be nice if we designed our fleet server to be more resilient and able to recover in this scenario.

The agent already has the ability to check whether a fleet server host is valid by checking a status endpoint. If the status endpoint does not return 200, it does not accept the policy and it returns an unhealthy status.

Can we do the same during bootstrapping to allow the user to set the Fleet server host after installing Fleet server? If its valid, then the agent will finish bootstrapping and check in successfully. If not, then keep checking ES on regular interval until it is. This allows the user to fill in the Fleet Server host later. We can also set the agent status as unhealthy to indicate that setup is not complete.