Elasticsearch output does not recover after connection failure

[belimawr]

• Relates Add known issue that Beats do not recover from transient network errors ingest-docs#1312
• Relates Add known issue that Beats do not recover from transient network errors  #40767

For confirmed bugs, please report:

• Version: main, v8.15.1
• Operating System: Linux

Update: The problematic part of the change was reverted in #40776 and is targeted for release in 8.15.2.

Steps to reproduce

1. Deploy a Filebeat sending data to a remote Elasticsearch using a domain name in the configuration
2. Confirm Filebeat is running and sending data
3. Disable the network
4. Wait for a DNS lookup error and the publisher errors:

   {
     "log.level": "warn",
     "@timestamp": "2024-09-06T08:30:33.240-0400",
     "log.logger": "transport",
     "log.origin": {
       "function": "github.com/elastic/elastic-agent-libs/transport.TestNetDialer.func1",
       "file.name": "transport/tcp.go",
       "file.line": 53
     },
     "message": "DNS lookup failure \"remote-es.elastic.cloud\": lookup remote-es.elastic.cloud: Temporary failure in name resolution",
     "service.name": "filebeat",
     "ecs.version": "1.6.0"
   }

   {
     "log.level": "error",
     "@timestamp": "2024-09-06T15:50:15.140-0400",
     "log.logger": "publisher_pipeline_output",
     "log.origin": {
       "function": "github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run",
       "file.name": "pipeline/client_worker.go",
       "file.line": 148
     },
     "message": "Failed to connect to backoff(elasticsearch(https://remote-es.elastic.cloud:443)): Get \"https://remote-es.elastic.cloud:443\": context canceled",
     "service.name": "filebeat",
     "ecs.version": "1.6.0"
   }
   {
     "log.level": "info",
     "@timestamp": "2024-09-06T15:50:15.140-0400",
     "log.logger": "publisher_pipeline_output",
     "log.origin": {
       "function": "github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run",
       "file.name": "pipeline/client_worker.go",
       "file.line": 139
     },
     "message": "Attempting to reconnect to backoff(elasticsearch(https://remote-es.elastic.cloud:443)) with 475 reconnect attempt(s)",
     "service.name": "filebeat",
     "ecs.version": "1.6.0"
   }

5. Enable the network
6. Ensure the machine can reach the internet and the remote Elasticsearch
7. Filebeat will keep logging the same publisher errors and not sending data

The configuration I used:

filebeat.inputs:
  - type: filestream
    id: my-filestream-id
    paths:
      - /tmp/some-logs.txt

output.elasticsearch:
  hosts: ["https://remote-es.elastic.cloud:443"]
  username: elastic
  password: some-very-secret-password

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[cmacknz]

Get "https://remote-es.elastic.cloud:443\": context canceled

This isn't a DNS error, so to me it looks like we did recover from the DNS failure but something else is wrong, perhaps a context that expired when it shouldn't have somewhere in one of the initial connection callbacks. The Get \"https://remote-es.elastic.cloud:443\" is likely to get the version and deployment type.

beats/libbeat/cmd/instance/beat.go

Line 1099 in 8a56ef8

esVersion := conn.GetVersion()

beats/libbeat/esleg/eslegclient/connection.go

Lines 400 to 408 in 8a56ef8

	func (conn *Connection) execRequest(
	method, url string,
	body io.Reader,
	) (int, []byte, error) {
	req, err := http.NewRequestWithContext(conn.reqsContext, method, url, body)
	if err != nil {
	conn.log.Warnf("Failed to create request %+v", err)
	return 0, nil, err
	}

beats/libbeat/esleg/eslegclient/connection.go

Lines 326 to 332 in 8a56ef8

	// Close closes a connection.
	func (conn *Connection) Close() error {
	conn.HTTP.CloseIdleConnections()
	conn.cancelReqs()
	return nil
	}

Perhaps we are closing the connection after the DNS failure instead of reusing it.

[belimawr]

That makes sense. I didn't investigate the issue, I only managed to reproduce and report it and the DNS error seemed to be the trigger for not being able to connect to ES again.

[cmacknz]

Potentially related: #40572

[cmacknz]

^Looking at the changes there I see:

// Close closes a connection.
func (conn *Connection) Close() error {
	conn.HTTP.CloseIdleConnections()
+	conn.cancelReqs()
	return nil
}

Creating a new context only happens when NewConnection is called and there must be code paths that do not do that properly after close is called.

This change is only in 8.15.1 from what I can tell.

[cmacknz]

Linking the 8.15.0 backport: b19844f

git tag --contains b19844ffdae6861feaf2ee02ce11936d80b243cb
v8.15.1

[cmacknz]

The first thing we need to do is write a test that reproduces this problem.

[cmacknz]

I think we should revert #40572 once we double check removing it fixes the problem, then work on re-adding it back with a fix + test for this.

This issue is more severe than the original problem that PR was trying to fix.