Allow the Docker image to be run with a random user id (#12905) #18873

Merged (9 commits) on Jul 1, 2020


jsoriano
Member

@jsoriano jsoriano commented May 31, 2020

Apply changes on ownership proposed in #12905, but keep the permissions, to avoid the issues reported in #18858.

I think this could be enough to run containers with arbitrary user ids, because beats don't need to write these files, only read them.

Make changes also to the kubernetes reference manifests to help running beats with arbitrary user ids. These manifests still won't work on restricted environments.

Fixes #18871
Changes were previously reverted in #18872

Co-authored-by: Michael Morello [email protected]

How to test

  • Do it with auditbeat (that uses the root user by default), and with some other beat like metricbeat or filebeat (that use a non-root user by default):
    • Build the docker image for the beat with PLATFORMS=linux/amd64 mage package, or use one of the pre-built snapshots including this change.
    • Run the docker container with and without explicit user id, and check that beat is able to start and read configuration without --privileged and without BEAT_STRICT_PERMS.
      It should behave the same in these scenarios (auditbeat will fail to configure audit; this is expected unless --privileged --user 0 --pid=host is also used):
      • Default user: docker run -it --rm docker.elastic.co/beats/filebeat:8.0.0
      • Root: docker run -it --rm --user 0 docker.elastic.co/beats/filebeat:8.0.0
      • Beat user: docker run -it --rm --user 1000 docker.elastic.co/beats/filebeat:8.0.0
      • Arbitrary user (use any other user id): docker run -it --rm --user 100042 docker.elastic.co/beats/filebeat:8.0.0
    • Check that reference kubernetes manifests continue working as they are (using arbitrary user ids there will require more changes).
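
Why changing ownership while keeping the permissions can serve every user id in the test steps above, as an added Go example (not code from this PR or from Beats). The strict-permission rule it applies (file owned by the running uid or by root, no group/other write bit), the three file layouts and the group ids are assumptions made for illustration; the user ids 0, 1000 and 100042 come from the test steps.

```go
package main

import (
	"fmt"
	"os"
)

// fileMeta is constructed metadata for a config file in the image
// (nothing is read from disk).
type fileMeta struct {
	name     string
	uid, gid uint32
	mode     os.FileMode
}

// proc is the identity the container process runs with.
type proc struct {
	label    string
	uid, gid uint32
}

// Constructed layouts (assumptions, not the image's real ownership or modes).
var layouts = []fileMeta{
	{"beat-owned 0600", 1000, 1000, 0o600},
	{"root-owned 0664", 0, 0, 0o664},
	{"root-owned 0644", 0, 0, 0o644},
}

// User ids from the PR's test steps; the group ids are assumptions.
var procs = []proc{
	{"--user 0", 0, 0},
	{"--user 1000", 1000, 1000},
	{"--user 100042", 100042, 0},
}

// strictPermsErr applies the rule assumed here for the strict permission
// check: the file must be owned by the running user or by root, and must
// not be writable by group or others.
func strictPermsErr(f fileMeta, p proc) error {
	if f.uid != 0 && f.uid != p.uid {
		return fmt.Errorf("owned by uid %d, want uid %d or root", f.uid, p.uid)
	}
	if f.mode.Perm()&0o022 != 0 {
		return fmt.Errorf("mode %04o is writable by group or others", uint32(f.mode.Perm()))
	}
	return nil
}

// canRead is the classic owner/group/other read decision. uid 0 is treated
// as always able to read (it normally bypasses file permission checks).
func canRead(f fileMeta, p proc) bool {
	perm := f.mode.Perm()
	switch {
	case p.uid == 0:
		return true
	case p.uid == f.uid:
		return perm&0o400 != 0
	case p.gid == f.gid:
		return perm&0o040 != 0
	default:
		return perm&0o004 != 0
	}
}

// startsCleanly reports whether the process can read the file and the file
// also passes the strict check, with the reason when it does not.
func startsCleanly(f fileMeta, p proc) (bool, string) {
	if !canRead(f, p) {
		return false, "cannot read the file"
	}
	if err := strictPermsErr(f, p); err != nil {
		return false, err.Error()
	}
	return true, "ok"
}

func main() {
	for _, f := range layouts {
		for _, p := range procs {
			_, why := startsCleanly(f, p)
			fmt.Printf("%-16s %-14s %s\n", f.name, p.label, why)
		}
	}
}
```

Only the root-owned, read-only layout works for all three identities: the beat-owned file is unreadable to an arbitrary uid and fails the ownership rule for root, and the group-writable file fails the write-bit rule for everyone.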

@jsoriano jsoriano added the review, [zube]: In Review and Team:Platforms labels May 31, 2020
@jsoriano jsoriano requested a review from barkbay May 31, 2020 15:30
@jsoriano jsoriano self-assigned this May 31, 2020
@elasticmachine
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@botelastic botelastic bot added and removed the needs_team label May 31, 2020
@jsoriano
Member Author

run beats-ci/package

@elasticmachine
Collaborator

elasticmachine commented May 31, 2020

💔 Tests Failed


Build stats

  • Build Cause: [Branch indexing]

  • Start Time: 2020-06-02T13:40:38.840+0000

  • Duration: 123 min 45 sec

Test stats 🧪

Test Results
Failed 6
Passed 8380
Skipped 1555
Total 9941

Test errors

  • Name: Build and Test / Metricbeat x-pack / Metricbeat x-pack / TestFetch – channels
    • Age: 1
    • Duration: 9.15
    • Error Details: Failed
  • Name: Build and Test / Metricbeat x-pack / Metricbeat x-pack / TestFetch – stats
    • Age: 1
    • Duration: 29.31
    • Error Details: Failed
  • Name: Build and Test / Metricbeat x-pack / Metricbeat x-pack / TestFetch – subscriptions
    • Age: 1
    • Duration: 11.12
    • Error Details: Failed
  • Name: Build and Test / Metricbeat x-pack / Metricbeat x-pack / TestData – channels
    • Age: 3
    • Duration: 54.52
    • Error Details: Failed
  • Name: Build and Test / Metricbeat x-pack / Metricbeat x-pack / TestData – stats
    • Age: 3
    • Duration: 44.53
    • Error Details: Failed
  • Name: Build and Test / Metricbeat x-pack / Metricbeat x-pack / TestData – subscriptions
    • Age: 3
    • Duration: 22.05
    • Error Details: Failed

Steps errors

  • Name: Fix permissions
    • Duration: 0 min 16 sec
    • Start Time: 2020-06-02T14:09:41.657+0000
  • Name: Fix permissions
    • Duration: 1 min 37 sec
    • Start Time: 2020-06-02T14:13:32.318+0000
  • Name: Mage build test
    • Description: mage build test
    • Duration: 26 min 14 sec
    • Start Time: 2020-06-02T14:23:01.970+0000

Log output


@barkbay
Contributor

barkbay commented Jun 2, 2020

@jsoriano Thanks for the PR, and sorry for breaking your CI 😞

Could you tell me where I can find a docker image of the APM Server from this PR. I'll do a quick test to check if it fixes the arbitrary UID issue.

Otherwise I'm fine with merging #18872 in order to unlock the situation.

@jsoriano
Member Author

jsoriano commented Jun 2, 2020

> @jsoriano Thanks for the PR, and sorry for breaking your CI 😞

No worries, I should have seen these issues with strict perms coming 😬

> Could you tell me where I can find a docker image of the APM Server from this PR. I'll do a quick test to check if it fixes the arbitrary UID issue.

Not sure how to do this, I guess you would need to update libbeat in apm-server, or at least the packaging templates.

> Otherwise I'm fine with merging #18872 in order to unlock the situation.

Yeah, I think we can merge the revert, and go on here.

Apply the ownership changes of elastic#12905, without applying the permission
changes, so it still satisfies strict perms checks.
@jsoriano
Member Author

jsoriano commented Jun 2, 2020

run beats-ci/package

@jsoriano jsoriano changed the title from "Revert permissions changes of #12905" to "Allow the Docker image to be run with a random user id (#12905)" Jun 2, 2020
@elasticmachine
Collaborator

elasticmachine commented Jun 2, 2020

❕ Build Aborted

There is a new build on-going so the previous on-going builds have been aborted.


Build stats

  • Build Cause: [Pull request #18873 updated]

  • Reason: Aborted from #6

  • Start Time: 2020-06-02T19:14:15.334+0000

  • Duration: 3 min 44 sec

  • Commit: 012220130b660abcead3dba0557ddee5f7240239

Steps errors

  • Name: Check out from version control
    • Description: [2020-06-02T19:15:16.003Z] using credential f6c7695a-671e-4f4f-a331-acdce44ff9ba
      [2020-06-02T19:15:
    • Duration: 0 min 25 sec
    • Start Time: 2020-06-02T19:15:13.550+0000
  • Name: Check out from version control
    • Description: [2020-06-02T19:15:58.864Z] using credential f6c7695a-671e-4f4f-a331-acdce44ff9ba
      [2020-06-02T19:15:
    • Duration: 0 min 17 sec
    • Start Time: 2020-06-02T19:15:58.846+0000

Log output


@elasticmachine
Collaborator

elasticmachine commented Jun 3, 2020

💔 Build Failed


Build stats

  • Build Cause: [Pull request #18873 updated]

  • Start Time: 2020-07-01T08:28:01.648+0000

  • Duration: 21 min 13 sec

Steps errors

  • Name: Make check
    • Description: make check
    • Duration: 15 min 53 sec
    • Start Time: 2020-07-01T08:33:56.134+0000

Log output


@jsoriano jsoriano added v7.9.0 needs_backport PR is waiting to be backported to other branches. labels Jun 9, 2020
@jsoriano
Member Author

run beats-ci/package

@jsoriano
Member Author

@barkbay sorry for the delay, I am back with this. I have updated the branch with master.

You can build an apm-server docker image with this branch running these commands from the apm-server working directory:

go mod edit -replace github.com/elastic/beats/v7=github.com/jsoriano/beats/v7@fix-18858
PLATFORMS=linux/amd64 mage package

I did some smoke tests and it seems to start correctly with and without random user ids. Could you also confirm? Thanks!

@barkbay
Contributor

barkbay commented Jun 25, 2020

@jsoriano no worries! I was quite busy myself...

Thanks a lot for this PR 🙇
I will do some tests and get back to you asap.

Contributor

@barkbay barkbay left a comment

LGTM, I did some tests on OpenShift and on K8S with a restricted PSP.

The only issue I have is this test which is failing and I don't understand why:

>> Testing package contents
--- FAIL: TestDocker (13.81s)
    --- FAIL: TestDocker/apm-server-7.9.0-linux-amd64.docker.tar.gz_config_file_permissions (0.00s)
        package_test.go:206: file usr/share/apm-server/apm-server.yml has wrong permissions: expected=-rw-r----- actual=-rw-rw----
    --- FAIL: TestDocker/apm-server-oss-7.9.0-linux-amd64.docker.tar.gz_config_file_permissions (0.00s)
        package_test.go:206: file usr/share/apm-server/apm-server.yml has wrong permissions: expected=-rw-r----- actual=-rw-rw---

@jsoriano
Member Author

/packaging

@barkbay
Contributor

barkbay commented Jul 1, 2020

> @barkbay were you using some volume from the host in your tests?

No, when the APM Server is run with ECK the data dir is an emptyDir.

> @barkbay another question about your tests. Do you set a non-root user ID with runAsUser? or the user ID is somehow given randomly by OpenShift/GKE?

The UID is randomly assigned by OpenShift: you can find here the Pod as it is created with ECK on OpenShift (and here the ECK manifest).

@jsoriano
Member Author

jsoriano commented Jul 1, 2020

I have been doing several tests and I think we can go on with merging this. As a summary of my tests:

  • Main conclusion: I think we don't introduce regressions and this unblocks APM server needs.
  • Docker containers can be used with arbitrary ids, but it may not make sense with some beats (auditing, for example, seems to require 0 uid, apart from being run on host pid namespace and with additional capabilities). We will have to continue evolving this as we find possible use cases to support.
  • Reference Kubernetes manifests can be used to run Beats with arbitrary user ids, but:
    • Data path directory has to be externally managed (DirectoryOrCreate creates the directory without write permissions for the group).
    • They cannot be used on restricted environments (they need to mount local paths, they need to run on host namespaces, and so on). If required to deploy on restricted environments, monitoring capabilities will be limited, and a quite different configuration will be needed.
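
The ownership model discussed in this thread, as an added example that is not part of the pull request or the Beats code base: it applies the Unix permission classes to a config file for a process with an arbitrary UID and, as an assumption, GID 0, and checks the properties the failing package test points at (root group, group-readable, not group-writable). `Entry`, `Access` and `CheckConfig` are hypothetical names, and the entries are constructed from the modes quoted above.

```go
package main

import (
	"fmt"
	"os"
)

// Entry is one file from an image listing (constructed sample data).
type Entry struct {
	Path     string
	Mode     os.FileMode
	UID, GID int
}

// Access returns the rwx bits (0-7) that Unix permission classes grant to a
// non-root process: the owner class wins, then group, then other.
func Access(e Entry, uid int, gids ...int) int {
	perm := int(e.Mode.Perm())
	if uid == e.UID {
		return perm >> 6 & 7
	}
	for _, g := range gids {
		if g == e.GID {
			return perm >> 3 & 7
		}
	}
	return perm & 7
}

// CheckConfig lists why a config file would not suit an arbitrary-UID run:
// it must be in the root group, group-readable, and not group/other-writable.
func CheckConfig(e Entry) []string {
	var problems []string
	if e.GID != 0 {
		problems = append(problems, "not owned by root group")
	}
	if e.Mode.Perm()&0o040 == 0 {
		problems = append(problems, "not group-readable")
	}
	if e.Mode.Perm()&0o022 != 0 {
		problems = append(problems, "writable by group or other")
	}
	return problems
}

func main() {
	files := []Entry{ // constructed entries; 0640 and 0660 are the modes from the test output
		{"usr/share/apm-server/apm-server.yml", 0o640, 0, 0},
		{"usr/share/apm-server/apm-server.yml", 0o660, 0, 0},
		{"usr/share/apm-server/apm-server.yml", 0o600, 1000, 1000},
	}
	for _, f := range files {
		fmt.Printf("%v access=%o problems=%v\n", f.Mode, Access(f, 100042, 0), CheckConfig(f))
	}
}
```

The third entry models a file owned by uid/gid 1000 with mode 0600 (a constructed case): a process running as UID 100042 with GID 0 falls into the "other" class and gets no access at all.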

@jsoriano
Member Author

jsoriano commented Jul 1, 2020

/packaging

@jsoriano jsoriano merged commit 3ff02cb into elastic:master Jul 1, 2020
@jsoriano jsoriano deleted the fix-18858 branch July 1, 2020 14:59
jsoriano added a commit to jsoriano/beats that referenced this pull request Jul 1, 2020
elastic#18873)

Prepare docker images to be run with arbitrary user ids. Following common practices
and recommendations, files that need to be read by Beats now have read permissions
for the group and belong to the root group. Also, the user included in the docker image
is added to the root group so it can read these files when run on docker with default
user and privileges.

Some changes are also added to Kubernetes reference manifests to help running beats
with arbitrary user ids, though this is not completely supported and it requires additional
setup.

Co-authored-by: Michael Morello <[email protected]>
(cherry picked from commit 3ff02cb)
@jsoriano jsoriano removed the needs_backport PR is waiting to be backported to other branches. label Jul 1, 2020
@jsoriano
Member Author

jsoriano commented Jul 2, 2020

I have created an issue to keep track of some issues I found trying to run Beats on restricted environments: #19600

jsoriano added a commit that referenced this pull request Jul 2, 2020
…) (#19555)

Prepare docker images to be run with arbitrary user ids. Following common practices
and recommendations, files that need to be read by Beats now have read permissions
for the group and belong to the root group. Also, the user included in the docker image
is added to the root group so it can read these files when run on docker with default
user and privileges.

Some changes are also added to Kubernetes reference manifests to help running beats
with arbitrary user ids, though this is not completely supported and it requires additional
setup.

(cherry picked from commit 3ff02cb)

Co-authored-by: Michael Morello <[email protected]>
@jsoriano
Member Author

jsoriano commented Jul 2, 2020

@barkbay @simitt I have merged this on master and 7.x, please let me know if you find any issue with the docker images when updating beats on apm-server. Thanks!

@andresrc andresrc added the test-plan-added This PR has been added to the test plan label Jul 14, 2020
jsoriano added a commit that referenced this pull request Aug 24, 2020
Add an additional docker build that builds images based on Red Hat UBI, following
Red Hat requirements for certified images.
Additional checks have been added to packaging tests for labels and licenses.
Additional changes done to support it also in Elastic Agent images:
* Home directory is prepared in a different stage (#20356).
* Allow the docker image to be run with random user ids (#18873).
* Explicitly select a Dockerfile and entry point template.
* Add NOTICE.txt file to all agent packages.
* Actually run package tests after building packages, added flag to allow root user.
* Improved checks on required packages, so they are not re-built if they already are.
jsoriano added a commit to jsoriano/beats that referenced this pull request Aug 24, 2020
Add an additional docker build that builds images based on Red Hat UBI, following
Red Hat requirements for certified images.
Additional checks have been added to packaging tests for labels and licenses.
Additional changes done to support it also in Elastic Agent images:
* Home directory is prepared in a different stage (elastic#20356).
* Allow the docker image to be run with random user ids (elastic#18873).
* Explicitly select a Dockerfile and entry point template.
* Add NOTICE.txt file to all agent packages.
* Actually run package tests after building packages, added flag to allow root user.
* Improved checks on required packages, so they are not re-built if they already are.

(cherry picked from commit e31794d)
jsoriano added a commit that referenced this pull request Aug 24, 2020
Add an additional docker build that builds images based on Red Hat UBI, following
Red Hat requirements for certified images.
Additional checks have been added to packaging tests for labels and licenses.
Additional changes done to support it also in Elastic Agent images:
* Home directory is prepared in a different stage (#20356).
* Allow the docker image to be run with random user ids (#18873).
* Explicitly select a Dockerfile and entry point template.
* Add NOTICE.txt file to all agent packages.
* Actually run package tests after building packages, added flag to allow root user.
* Improved checks on required packages, so they are not re-built if they already are.

(cherry picked from commit e31794d)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
elastic#18873)

Prepare docker images to be run with arbitrary user ids. Following common practices
and recommendations, files that need to be read by Beats now have read permissions
for the group and belong to the root group. Also, the user included in the docker image
is added to the root group so it can read these files when run on docker with default
user and privileges.

Some changes are also added to Kubernetes reference manifests to help running beats
with arbitrary user ids, though this is not completely supported and it requires additional
setup.

Co-authored-by: Michael Morello <[email protected]>
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
Add an additional docker build that builds images based on Red Hat UBI, following
Red Hat requirements for certified images.
Additional checks have been added to packaging tests for labels and licenses.
Additional changes done to support it also in Elastic Agent images:
* Home directory is prepared in a different stage (elastic#20356).
* Allow the docker image to be run with random user ids (elastic#18873).
* Explicitly select a Dockerfile and entry point template.
* Add NOTICE.txt file to all agent packages.
* Actually run package tests after building packages, added flag to allow root user.
* Improved checks on required packages, so they are not re-built if they already are.
Labels
review Team:Platforms Label for the Integrations - Platforms team test-plan Add this PR to be manual test plan test-plan-added This PR has been added to the test plan v7.9.0
Development

Successfully merging this pull request may close these issues.

Support arbitrary user IDs in secured Kubernetes environments
5 participants