Elastic Agent Docker: agent always picks up the newest policy #23928

Closed
mtojek opened this issue Feb 9, 2021 · 13 comments
Labels
Team:Elastic-Agent Label for the Agent team


@mtojek
Contributor

mtojek commented Feb 9, 2021

Hi,

I'm working on the Kubernetes integration and just spotted a weird issue. Steps to reproduce:

  1. Create a policy A.
  2. Run a new Docker container with Elastic Agent. The agent will get enrolled and will be assigned the newest available policy (policy A, not Default).

If I'm working on a policy which is not ready yet and suddenly a new agent boots up, it should pick up the Default policy.

@mtojek mtojek added the Team:Fleet Label for the Fleet team label Feb 9, 2021
@elasticmachine
Collaborator

Pinging @elastic/fleet (Team:Fleet)

@mtojek
Contributor Author

mtojek commented Feb 9, 2021

I have also found that Elastic Agent is trying to use a non-active enrollment token by default.

[Screenshot 2021-02-9 at 16 33 16]

[Screenshot 2021-02-9 at 16 33 31]

@ph
Contributor

ph commented Feb 9, 2021

@mtojek Are you using the token associated with the Default policy?

@mtojek
Contributor Author

mtojek commented Feb 9, 2021

No, I'm not passing any enrollment key and I expect the Dockerized app to pick up the default one.

@ph
Contributor

ph commented Feb 9, 2021

I've talked with @mtojek on Slack, and the logic defined in our shell script leads to inconsistent behavior.

The pseudo logic should be something like this.

  • Get the list of agent policies.
  • Get the id of the Default Agent policy.
  • If the Default Agent policy is not found, raise an error and suggest using the API key instead.

@mtojek WDYT ^?
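
The pseudo-logic in the comment above, written out as an added example (not code from the thread or from the Beats repository), extended to skip the inactive enrollment token mentioned earlier. The JSON shape and the field names `is_default`, `active` and `policy_id` are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample data. Field names are assumptions for this sketch,
# not a captured Fleet API response.
POLICIES_JSON = """
{"items": [
  {"id": "policy-a", "name": "Policy A", "is_default": false},
  {"id": "policy-default", "name": "Default policy", "is_default": true}
]}
"""
KEYS_JSON = """
{"list": [
  {"id": "key-1", "policy_id": "policy-a", "active": true},
  {"id": "key-2", "policy_id": "policy-default", "active": false},
  {"id": "key-3", "policy_id": "policy-default", "active": true}
]}
"""


class EnrollmentError(Exception):
    """Raised when no unambiguous default enrollment target exists."""


def default_policy_id(policies):
    # Select by the explicit default flag, never by creation or update order.
    defaults = [p for p in policies if p.get("is_default") is True]
    if len(defaults) != 1:
        raise EnrollmentError(
            f"expected exactly one Default Agent policy, found {len(defaults)}; "
            "pass an explicit enrollment token (API key) instead")
    return defaults[0]["id"]


def enrollment_key_id(keys, policy_id):
    # Only active keys that belong to the chosen policy qualify.
    active = sorted(k["id"] for k in keys
                    if k.get("policy_id") == policy_id and k.get("active") is True)
    if not active:
        raise EnrollmentError(f"no active enrollment key for policy {policy_id}")
    return active[0]  # sorted, so the choice is deterministic


def select_enrollment(policies_json, keys_json):
    policies = json.loads(policies_json)["items"]
    keys = json.loads(keys_json)["list"]
    policy_id = default_policy_id(policies)
    return policy_id, enrollment_key_id(keys, policy_id)


if __name__ == "__main__":
    print(select_enrollment(POLICIES_JSON, KEYS_JSON))
```
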

@mtojek
Contributor Author

mtojek commented Feb 9, 2021

Yes, this would be the ideal flow.

@nchaulet
Member

nchaulet commented Feb 9, 2021

There is for sure a bug in the Docker script, but I am wondering if it's the Docker image we publicly distribute. If yes, I think we should really avoid having the user provide the Kibana username and password, and we should probably only allow providing the enrollment token.

@mtojek
Contributor Author

mtojek commented Feb 9, 2021

One more point about tooling. We use the auto-enrollment feature in elastic-package to test integrations, so it would be backward-incompatible to enforce providing the enrollment token.
Please keep in mind that it's a convenient option to quickly boot up the Agent in a Docker or Kubernetes cluster using static resources: https://github.com/elastic/beats/blob/master/deploy/kubernetes/elastic-agent-kubernetes.yaml /cc @ycombinator @ruflin (let's collect some comments here)

@ycombinator
Contributor

++ to pseudo-logic suggested by @ph in #23928 (comment). It will lead to deterministic behavior, which is a good thing.

@mtojek
Contributor Author

mtojek commented Feb 10, 2021

@ph @nchaulet could you please provide an ETA on this issue? I'd like to know whether I should introduce a workaround for this bug in elastic/elastic-package#246. I'm fine with keeping the discussion whether the option is good or not, but it would be convenient to detach it from fixing the reported issue.

@ph ph added the Team:Elastic-Agent Label for the Agent team label Feb 10, 2021
@elasticmachine
Collaborator

Pinging @elastic/agent (Team:Agent)

@ph ph removed the Team:Fleet Label for the Fleet team label Feb 10, 2021
@ph
Contributor

ph commented Feb 10, 2021

@mtojek I agree that fixing the behavior and doing the right thing are separate discussions. @mtojek I think implementing the workaround and fixing the issue would take a similar amount of time, can you make a PR?

@ph
Contributor

ph commented Apr 30, 2021

I think we can close this with the recent changes for the Elastic Agent and Fleet server?

@jlind23 jlind23 closed this as completed Apr 5, 2022