[Heartbeat] Enable Heartbeat to run when elastic-agent container is executed as root #30869
Conversation
emilioalvap
added
bug
Team:obs-ds-hosted-services
botelastic
bot
added
needs_team
|
This pull request is now in conflicts. Could you fix it? 🙏 |
|
Pinging @elastic/uptime (Team:Uptime) |
emilioalvap
force-pushed
the
heartbeat-30171
branch
from
888f3ba to
c92ed60
Compare
| @@ -85,7 +85,7 @@ func (paths *Path) InitPaths(cfg *Path) error { | |||
| } | |||
|
|
|||
| // make sure the data path exists | |||
| err = os.MkdirAll(paths.Data, 0750) | |||
| err = os.MkdirAll(paths.Data, 0770) | |||
There was a problem hiding this comment.
I am not familiar with the directory/paths/permissions code yet, but my only thought is if it is possible to be more conservative with the permissions changes since this only affects heartbeat (as far as I know).
Should we make this change (and the umask change in the Dockerfile above) apply only to heartbeat, instead of every beat as it does now?
There was a problem hiding this comment.
Yes, I would also prefer a more localized change for heartbeat.
There was a problem hiding this comment.
To clarify, the issue fixed here applies to heartbeat running inside a elastic-agent container.
Path initialization is peformed by the first beat that kicks off inside elastic-agent. AFAIK, there's no way to specify a order. In that case, the alternative would be to move path initialization inside elastic-agent, before beats are spawned.
As for the entrypoint, I've followed the guideline here: #29708. As it stands, all umask operations are performed outside libbeat code. With this, we can restrict the change to docker containers without affecting other type of installs (systemd and others). These install methods still have the umask specified in the service configuration template (0027) and will continue to create files with the same permission level as it is today (0750).
There's also to note, some of the directories that are being generated from inside elastic-agent today are attempted with a higher permission level than the default mask allows. Here are a few examples:
$ grep mkdirat /tmp/agent.* | grep "state/data" | grep default\"
/tmp/agent.379:mkdirat(AT_FDCWD, "/usr/share/elastic-agent/state/data/logs/default", 0775) = 0
/tmp/agent.379:mkdirat(AT_FDCWD, "/usr/share/elastic-agent/state/data/tmp/default", 0775) = 0
If this permission level can be considered a security concern, I'm guessing we shouldn't be relying on an environmental umask to filer them out.
There was a problem hiding this comment.
Thanks for the explanation! I don't have major concerns about this change.
@rdner thoughts on this? You were the last person to touch anything to do with umask.
There was a problem hiding this comment.
I can confirm that this particular line should not affect other kinds of distribution since they all have their umask set in their respective scripts which would overwrite the permission set for this directory.
However, I have some concerns that we now have a different umask for all beats running under elastic-agent because of the change in the Docker template. If that's okay for everyone I'm okay with that too.
The whole umask story started with this security issue which was primarily about the access by all, I guess giving more access to the group is fine #14005
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
cmacknz
added
the
Team:Elastic-Agent-Control-Plane
|
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
|
LGTM, someone from the control plane team (@blakerouse?) should approve this though as I think this affects them the most. |
|
@Mergifyio update |
✅ Branch has been successfully updated |
| if localUserName := os.Getenv("BEAT_SETUID_AS"); localUserName != "" && syscall.Geteuid() == 0 { | ||
| sysInfo, err := sysinfo.Host() | ||
| isContainer := false | ||
| if err == nil && sysInfo.Info().Containerized != nil { |
There was a problem hiding this comment.
I'm just thinking about the distinction between this running in a container and running in our container. I think this check is fine given that we also check BEAT_SETUID_AS which wouldn't be in a custom container most likely.
There was a problem hiding this comment.
I concur, this check does not eliminate completely the risk of misusing this feature.
|
@Mergifyio update |
✅ Branch has been successfully updated |
There was a problem hiding this comment.
Looking at the change I am ok with that change @blakerouse Any concerns on your side?
|
@emilioalvap looks like the new linter we installed is now complaining about some stuff: |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
emilioalvap
force-pushed
the
heartbeat-30171
branch
from
30616e5 to
3939ad0
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
emilioalvap
force-pushed
the
heartbeat-30171
branch
from
0ab1266 to
d51aaa1
Compare
|
/package |
1 similar comment
|
/package |
|
/test |
|
@Mergifyio update |
✅ Branch has been successfully updated |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
… docker containers and restrict heartbeat setuid to containerized instances
emilioalvap
force-pushed
the
heartbeat-30171
branch
from
572ad02 to
a46ae2d
Compare
|
/test |
|
@Mergifyio update |
☑️ Nothing to do
|
|
/package |
|
/test |
…xecuted as root (#30869) (#31406) * Include group write permission in runtime directories, adapt umask on docker containers and restrict heartbeat setuid to containerized instances * Add CHANGELOG entries * Fix linter issues (cherry picked from commit 8906734) Co-authored-by: Emilio Alvarez Piñeiro <[email protected]>
…xecuted as root (elastic#30869) * Include group write permission in runtime directories, adapt umask on docker containers and restrict heartbeat setuid to containerized instances * Add CHANGELOG entries * Fix linter issues
…xecuted as root (#30869) * Include group write permission in runtime directories, adapt umask on docker containers and restrict heartbeat setuid to containerized instances * Add CHANGELOG entries * Fix linter issues
Since it's a bugfix, I'm including
elastic-agentchanges to be backported to8.2and I will create a separate PR onelastic-agentrepo for8.3.What does this PR do?
This PR:
umaskon docker containers,setuidto containerized instances.This PR works in tandem with elastic/elastic-agent#202.
Why is it important?
Heartbeat comes with
setuidfunctionality to be able to runnpmas a non-root user during synthetics checks inside anelastic-agentcontainer. Without it,npmwould complain when executed as root.When
elastic-agentis executed as root, all beats (filebeat, metricbeat, ...) run asrootandheartbeatwill run as user specified onBEAT_SETUID_ASenv variable,elastic-agentby default. This user needs permissions to write to local directories and we enable that by making the user belong torootgroup. But some of the directories that the user need access to, that are created during runtime, do not allow for group write permission, meaningheartbeatwon't be able to start and it will eventually report as degraded:These are the directories:
Most of our own documented examples to run
heartbeatandelastic-agentin k8s are configured to run asroot, check here and here for reference.Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.How to test this PR locally
root:Related issues
Screenshots