Distributed API

[mgmacias95]

Hello team,

This PR fixes #670 and adds framework support for wazuh/wazuh-api#126.

Best regards,
Marta

[mgmacias95]

Testing with 1K agents and 3 nodes. Found errors:

• Error when filtering by node name in cluster control:

  # /var/ossec/bin/cluster_control -a -fn wazuh-cluster-client1 -d
  ERROR: 'list' object has no attribute 'split'
  Traceback (most recent call last):
  File "/var/ossec/bin/cluster_control", line 356, in <module>
      print_agents(args.filter_status, args.filter_node, is_master)
  File "/var/ossec/bin/cluster_control", line 250, in print_agents
      agents = get_agents(filter_status, filter_node, is_master)
  File "/var/ossec/bin/../framework/wazuh/cluster/control.py", line 102, in get_agents
      select={'fields':['id','ip','name','status','node_name']})
  File "/var/ossec/bin/../framework/wazuh/agent.py", line 802, in get_agents_overview
      data = db_query.run()
  File "/var/ossec/bin/../framework/wazuh/utils.py", line 810, in run
      self._add_filters_to_query()
  File "/var/ossec/bin/../framework/wazuh/utils.py", line 756, in _add_filters_to_query
      self._parse_filters()
  File "/var/ossec/bin/../framework/wazuh/utils.py", line 727, in _parse_filters
      self._parse_legacy_filters()
  File "/var/ossec/bin/../framework/wazuh/agent.py", line 137, in _parse_legacy_filters
      WazuhDBQuery._parse_legacy_filters(self)
  File "/var/ossec/bin/../framework/wazuh/utils.py", line 719, in _parse_legacy_filters
      for name, value in self.legacy_filters.items() for subvalue in value.split(',') if not self._pass_filter(subvalue)]
  AttributeError: 'list' object has no attribute 'split'

• Error when registering an agent with authd enabled:

  # curl -u foo:bar "localhost:55000/agents/test_agent1?pretty" -XPUT
  {
  "error": 1014,
  "message": "Error communicating with socket: /var/ossec/queue/ossec/auth"
  }

• The syscollector API call times out but every API call done after this one will time out as well:

  # curl -u foo:bar "localhost:55000/experimental/syscollector/packages?pretty"
  {
  "error": 3009,
  "message": "Error executing request to internal socket: Timeout expired while waiting for a response"
  }

• After doing a request to restart all agents, only one of the workers receives the request:

  2018-09-17 11:25:36,744 DEBUG   : [Worker] [Request-R  ]: 'dapi'.
  2018-09-17 11:25:36,744 DEBUG   : [DistributedAPI] Receiving request: None 3829636576 {"function": "PUT/agents/restart", "ossec_path": "/var/ossec", "from_cluster": true, "arguments": {"restart_all": "True"}}
  

[mgmacias95]

Yesterday's errors summary:

• The error using cluster_control has been fixed in commits da5b655 f35904e 2a93cc6 d808f6e.
• The error using authd has been fixed in Fix the communication between manage_agents and ossec-authd #1272.
• The error where a restart request was forwarded to only one manager has been fixed in commits 649b44b 50e39ab.
• The error that blocked the API after doing an experimental syscollector request has been found. It gets blocked in line 261:
  

  wazuh/framework/wazuh/cluster/dapi/dapi.py

  Lines 258 to 265 in d808f6e

  	def run(self):
  	while not self.stopper.is_set() and self.running:
  	name, id, request = self.request_queue.get(block=True).split(' ', 2)
  	result = distribute_function(json.loads(request), from_master=True)
  	try:
  	self.send_string(result, id, name)
  	except Exception as e:
  	self.send_request(command='err-is', data=str(e), id=id, name=name)

  
  More precisely, when it executes the function locally. Since it has to retrieve information from 1000 different agents, the function takes a long time to complete and it makes the API requests queue to remain blocked. This error has not been fixed yet.

[jesuslinares]

Why do you need to get all the information? You can forward the current limit and offset, then in the merge function, you will need to do it again, right?

[jesuslinares]

Duplicated code?. Is it in 'forward_list'?

[jesuslinares]

Improve description.

[jesuslinares]

Comment: Describe every type.

[jesuslinares]

It should be "AbstractClient". Then, use Worker for Worker nodes, and Client for InternalSocket.

[jesuslinares]

Change AbstractWorker

[jesuslinares]

It should be AbstractClient

[jesuslinares]

The queue will be blocked until this function ends. What happens if it never ends (long time)?.

• Add a timeout would require to change every framework function to add an "exit condition" in every part of the code that could be blocked (io wait, db, etc).
• The queue could create a thread for every request:
  • After a time, continue with the next request (returning a timeout error)
  • Log a warning
  • Problem: The previous thread will not be killed. What will happen when it ends?.
  • Set a limit of 20 "zombie threads" -> Warning and block queue? -> Next requests: "queue is blocked".

[mgmacias95]

The same API call (PUT/agents/restart):

• With threads: 1.0136449337 seconds
• Without threads: 0.634363174438 seconds

Is this really worth it? I don't think so.