[Auditbeat/FIM/fsnotify]: prevent losing events for recursive mode on OS X #39362
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pkoutsovasilis
added
bug
backport-7.17
botelastic
bot
added
needs_team
pkoutsovasilis
force-pushed
the
pkoutsovasilis/fix_integ_tests_for_mac_osx
branch
from
33504f4 to
dbfd308
Compare
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
nicholasberlin
approved these changes
May 2, 2024
|
run docs-build |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
…causes losing events on mac
pkoutsovasilis
force-pushed
the
pkoutsovasilis/fix_integ_tests_for_mac_osx
branch
from
dbfd308 to
8ed3203
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
❕ Flaky test reportNo test was executed to be analysed. 🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
6 tasks
6 tasks
6 tasks
6 tasks
pkoutsovasilis
added a commit
that referenced
this pull request
May 7, 2024
…ts for recursive mode on OS X (#39374) * [Auditbeat/FIM/fsnotify]: prevent losing events for recursive mode on OS X (#39362) * fix(auditbeat/fim/fsnotify): do not return error immediately as this causes losing events on mac * doc: update CHANGELOG.next.asciidoc (cherry picked from commit bbf8746) * doc: remove redundant changes from CHANGELOG.next.asciidoc --------- Co-authored-by: Panos Koutsovasilis <panos.koutsovasilis@elastic.co>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
This PR prevents FIM from losing events for recursive mode on Mac OS X even when the
watchFileof the root dir, added to be monitored, returns an error by always walking the dir. Specifically, this discrepancy, between Linux and OS X oses, is due to the fact that in the latter the underlying library, namely fsnotify, when you add a watch of a directory it walks the directory and adds the respective sub-dir watchers. If any of these fail, e.g. with EACCESS, it returns an error. However, auditbeat's wrapper of this library emits created events by walking the directory. So, in order not to lose any events we need to guarantee that we won't interrupt this flow - we will always walk the directory - and accumulate any errors during this process which we will return only at the end.Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
N/A
How to test this PR locally
Already tested here
Related issues
Use cases
N/A
Screenshots
N/A
Logs
N/A