524fe6dfe2
* [DOCS] Updates to the Reporting docs
* Adds the main sharing page
* Final changes
* Changed configuring-reporting link to secure-reporting
* Updates from meeting with Tim and Larry
* Moves reporting and sharing content above ML
* Update docs/setup/configuring-reporting.asciidoc

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* Review comments from Tim and Larry
* Fixes broken links
* Fixes redirect
* Fixes broken link from ES docs
* Adds metadata to changed pages
* Review comments

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
36 lines
No EOL
2.4 KiB
Text
[role="xpack"]
[[reporting-production-considerations]]
== Reporting production considerations

++++
<titleabbrev>Reporting</titleabbrev>
++++
:keywords: administrator, analyst, concept, setup, reporting
:description: Consider the production components that are used to generate reports.

To generate reports, {kib} uses a custom build of the Chromium web browser, which runs on the {kib} server in headless mode to load {kib} and capture the rendered {kib} visualizations as images. Chromium is an open-source project not related to Elastic, but the Chromium binary for {kib} has been custom-built by Elastic to make sure it works with minimal setup. The operating system that the {kib} server uses can require additional dependencies for Chromium.

[float]
[[reporting-chromium-sandbox]]
=== Chromium sandbox
For an additional layer of security, use the sandbox. The Chromium sandbox uses operating system-provided mechanisms to ensure that code execution cannot make persistent changes to the computer or access confidential information. The specific sandboxing techniques differ for each operating system.

[float]
[[reporting-linux-sandbox]]
==== Linux sandbox
The Linux sandbox depends on user namespaces, which were introduced with the 3.8 Linux kernel. However, many
distributions don't have user namespaces enabled by default, or they require the `CAP_SYS_ADMIN` capability. The {report-features}
automatically disable the sandbox when running on Debian and CentOS, as additional steps are required to enable
unprivileged user namespaces. In these situations, you'll see the following message in your {kib} startup logs:
`Chromium sandbox provides an additional layer of protection, but is not supported for your OS.
Automatically setting 'xpack.reporting.capture.browser.chromium.disableSandbox: true'.`

Reporting automatically enables the Chromium sandbox at startup when a supported OS is detected. However, if your kernel is 3.8 or newer, it's
recommended to set `xpack.reporting.capture.browser.chromium.disableSandbox: false` in your `kibana.yml` to explicitly enable the sandbox and its use of user namespaces.

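The following preflight script is an added example, not part of the {kib} documentation or code base. It checks the two conditions described above (kernel 3.8 or newer, unprivileged user namespaces not switched off) before you set `disableSandbox: false`. The function names and the proc-root argument are hypothetical, and the two sysctl names are the Debian-family and upstream kernel switches, which this page does not name.

```shell
#!/bin/sh
# Added example: preflight for the Chromium Linux sandbox prerequisites.
# Function names and the proc-root argument are hypothetical, not Kibana's.

# Succeeds when a `uname -r` style release string is kernel 3.8 or newer.
kernel_supports_userns() {
  _maj=${1%%.*}
  _min=${1#*.}; _min=${_min%%[!0-9]*}
  case $_maj in ''|*[!0-9]*) return 2 ;; esac   # unparseable release string
  [ "$_maj" -gt 3 ] || { [ "$_maj" -eq 3 ] && [ "${_min:-0}" -ge 8 ]; }
}

# Prints the sysctl that blocks unprivileged user namespaces, or "none".
# $1 is the proc mount to inspect (default /proc), so it can be tested offline.
userns_block_reason() {
  _root=${1:-/proc}
  # Debian-family kernels: 0 stops unprivileged users creating user namespaces.
  _f=$_root/sys/kernel/unprivileged_userns_clone
  if [ -r "$_f" ] && [ "$(cat "$_f")" = 0 ]; then
    echo "kernel.unprivileged_userns_clone=0"; return 0
  fi
  # Kernel 4.9+ and RHEL/CentOS 7: 0 disables user namespaces entirely.
  _f=$_root/sys/user/max_user_namespaces
  if [ -r "$_f" ] && [ "$(cat "$_f")" = 0 ]; then
    echo "user.max_user_namespaces=0"; return 0
  fi
  echo none
}

# Prints a one-line verdict; status 0 only when the prerequisites look met.
sandbox_preflight() {
  if ! kernel_supports_userns "$1"; then
    echo "unsupported: kernel $1 is older than 3.8"; return 1
  fi
  _why=$(userns_block_reason "$2")
  if [ "$_why" != none ]; then
    echo "blocked: $_why"; return 1
  fi
  echo "ok: user namespaces available on kernel $1"
}

# Check the running host; the verdict is informational and never aborts.
sandbox_preflight "$(uname -r)" /proc || true
```

An `ok` verdict only covers the kernel-side switches. Confirm the result in the {kib} startup logs, which report when the sandbox has been disabled automatically.
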

[float]
[[reporting-docker-sandbox]]
==== Docker
When running {kib} in a Docker container, all container processes are run within a user namespace with seccomp-bpf and
AppArmor profiles that prevent the Chromium sandbox from being used. In these situations, disabling the sandbox is recommended,
as the container implements similar security mechanisms.