[discuss] Support (fairly large) sample data set package

[majagrubic]

Context:

The shared-ux team is in the process of re-architecturing the way sample data works inside Kibana. We want to support larger datasets (1GB+ in size), and bundling them with Kibana distributable is not scalable. Our immediate goal is to support large Observability data set. We have considered a few options so far:

• host data externally, either make it a full-blown remote service (similar to what Maps does today) or simply load from a remote endpoint (like an S3 bucket)
• dynamically generate as much of the data as we can on install
• load the sample data from a side-loaded plugin, (e.g. not in the distro, have it available only on Cloud)
• have this as part of EPR

Is EPR a viable solution here?

Chatting with @joshdover, it seems that EPR already solved some of the problems we'd encounter with hosting data externally (scalability / latency / monitor). Also, seems like downloading a zip file with all the assets is exactly what we need here. However, it was pointed out that adding a new package of 1GB+ would cause serious performance concerns with the current Docker image. One thing to keep in mind is we'd likely like to add more datasets in the future (perhaps not every one will be as large though).

Naming scheme

One dataset we'd like to support immediately is Observability data set, which is a combination of filebeat + metricbeat indices and data views. Its naming scheme does not comply with the recommended elastic data stream naming scheme. Also, I am not sure if every sample data set we'd like to add in the future would need to follow this naming scheme?

Opening this issue so we can discuss if leveraging EPR here would be an option in the first place and how much effort it would require to workaround those problems.

Implementation plan

• Make data conform with https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme.
• Define a new dataset package type to include datasets, with optional dependencies to other packages (see Support "content-only" integrations #351)
• Add support for this new package type [Publication of packages will be blocked till storage v2 is ready].
  • In elastic-package.
  • In package-registry.
  • In Fleet.
    • [Discuss] Support for bulk upload API #406
• Start filtering out packages in the docker image of the package-registry distribution (see Add ability for users to download EPR image with a subset of integrations package-registry#724).

[joshdover]

However, it was pointed out that adding a new package of 1GB+ would cause serious performance concerns with the current Docker image. One thing to keep in mind is we'd likely like to add more datasets in the future (perhaps not every one will be as large though).

Since we're not targeting air-gapped customers with this sample data UX, I think we should consider creating a way to exclude these packages from the Docker image we ship for on-prem EPR. This would allow us to ship these packages in the near term in the production registry and leverage v2 storage as a long-term solution without creating a poor experience for on-prem EPR.

Its naming scheme does not comply with the recommended elastic data stream naming scheme. Also, I am not sure if every sample data set we'd like to add in the future would need to follow this naming scheme?

I do think we need to update this data set regardless to use the new naming scheme, though I understand why that may not be an option in the short-term. In general, we're building a lot of tooling and application features around this new naming scheme and I think it would best to not allow exceptions in the long-term. I can't think of any reason why we couldn't extend this naming scheme to accommodate future data sets as well.

If we want to move forward with the current data set to install index templates and ingest data for metricbeat and filebeat indices, I think we should only do this as a one-time temporary exception that will not be supported once we've updated this dataset for the data stream naming scheme.

---

More generally, I think we need to create a new package type for this use case that is separate from integration and input packages. This would allow us to offer a different UX in the Integrations UI in Kibana, such as:

• Installing and uninstalling data
• Hiding all of the integration policy UX (policy editor, policies tab, etc.)
• Excluding this package from UX that doesn't apply
• Dependencies on other packages (eg. nginx package)
• Providing standard naming conventions around sample data sets (eg. logs-nginx.access-sample.observability)
• Provide standard UI elements for including or excluding sample data based on this naming scheme

[ruflin]

Its naming scheme does not comply with the recommended elastic data stream naming scheme.

I consider it a must to convert any observability data in packages to the data stream naming scheme. Can you elaborate on why we would not convert it now?

For the large data, I think there is also an option to have the package but that the data itself is pulled down separately. The data is referenced in the package and still stored in EPR somehow. In the early days of the packages we considered adding short movies to each package to explain the integration and for this scenario these would also not have been directly part of the package but reference. I'm sure we can come up with good ideas here.

[ruflin]

As reference, data packages were discussed in the past here: #37

[LucaWintergerst]

we did not want to convert an old dataset into the new schema as we worried that this would lead to issues and be more work, but we already agreed that we will just re-record the dataset on the latest version, so we will have datastreams for all sources as well as an up to date mapping for everything

[ruflin]

There is a difference between having data streams and the data stream naming scheme. As this is new data and we want to teach our users about the new and more efficient way of managing data, it should not just be data streams but data stream naming scheme.

[majagrubic]

If I'm understanding this correctly:

1. with some work around reorganizing the Observability's dataset to use data streams and those data streams would conform to Elastic's naming policy. with this work, naming would no longer be an issue
2. sample data would be a package, but the actual data would live in another package, to avoid building the data in a Docker image. a new package type would need to be added to support this.

[joshdover]

2. sample data would be a package, but the actual data would live in another package, to avoid building the data in a Docker image. a new package type would need to be added to support this.

I believe the idea is there would still be a single package for each sample data set, but the data itself would not be contained in the package's zip file, but instead it'd be served on a separate endpoint from EPR. I'm not sure what the benefits of this would be. It seems to me it would make distributing the package more complicated and having everything contained in a single file is quite useful.

@jsoriano do you have any input here? How could we optimize the memory overhead of serving such packages from the registry?

[jsoriano]

2. sample data would be a package, but the actual data would live in another package, to avoid building the data in a Docker image. a new package type would need to be added to support this.

I believe the idea is there would still be a single package for each sample data set, but the data itself would not be contained in the package's zip file, but instead it'd be served on a separate endpoint from EPR. I'm not sure what the benefits of this would be. It seems to me it would make distributing the package more complicated and having everything contained in a single file is quite useful.

@jsoriano do you have any input here? How could we optimize the memory overhead of serving such packages from the registry?

With the package storage v2 design, serving large files from current EPR endpoints shouldn't be a problem, at some point the package zip files will be served directly from CDNs and/or redirected to S3-like object storages.

I also don't see any advantage on serving these datasets from a different endpoint, when we are already designing EPR to support large files. We would only need to define a new package type for these assets, and we could reuse everything we are building to publish and distribute packages.
There can be an advantage during development, that is to don't need to keep the large files in the same repository where the code of the package is, but this could be solved with build-time dependencies, as we do with fields imported from ECS.

The only [temporary] blocker I see with including large files in packages, is that we would need to wait to have the storage v2 up and running. If serving datasets through packages is required before that, then serving the large files from the registry is not an option. But I would recommend to wait for storage v2, so we have a simpler solution for this (simpler because it doesn't require to deploy another service to resolve install-time dependencies).

Regarding the package-registry distributions in docker images, we know that at some point we have to start selecting the packages included, it doesn't scale to include everything. We could exclude from the beginning the dataset packages, what I think should be acceptable for air-gapped production environments, the main use case of these docker images.
If someone in an air-gapped environment wants to try some dataset, there can be still options for them (as downloading the zip from the public EPR, and use elastic/kibana#70582).

Btw, I opened #348 for different use cases of sample data sets, more specifically coupled to integrations, but the solution may be the same for both issues at the end.

[jsoriano]

Summarizing, I think that this could be done with these overall efforts:

• Make data conform with https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme.
• Define a new dataset package type to include datasets, with optional dependencies to other packages.
• Add support for this new package type [This would be blocked till storage v2 is ready].
• Start filtering out packages in the docker image of the package-registry distribution. This is going to be done in any case, see Add ability for users to download EPR image with a subset of integrations package-registry#724.

[majagrubic]

The only [temporary] blocker I see with including large files in packages, is that we would need to wait to have the storage v2 up and running

What is your timeline for v2?

[jsoriano]

The only [temporary] blocker I see with including large files in packages, is that we would need to wait to have the storage v2 up and running

What is your timeline for v2?

This is currently one of our priorities, we expect it to be ready "soon", but it can still take some weeks. We keep track of progress about this on this (internal) issue: https://github.com/elastic/ingest-dev/issues/1040.