V2 command work dir

internal/pkg/agent/application/paths/common.go

@@ -136,6 +136,11 @@ func Data() string {
 	return filepath.Join(Top(), "data")
 }
 
+// Run returns the run directory for Agent
+func Run() string {
+	return filepath.Join(Home(), "run")
+}
+
 // Components returns the component directory for Agent
 func Components() string {
 	return filepath.Join(Home(), "components")

internal/pkg/agent/application/periodic.go

@@ -108,7 +108,7 @@ func (p *periodic) work() error {
 		return nil
 	}
 
-	p.log.Info("No configuration change")
+	p.log.Debug("No configuration change")
 	return nil
 }
 

internal/pkg/agent/cmd/install.go

@@ -16,6 +16,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/install"
 	"github.com/elastic/elastic-agent/internal/pkg/cli"
+	"github.com/elastic/elastic-agent/pkg/utils"
 )
 
 func newInstallCommandWithArgs(_ []string, streams *cli.IOStreams) *cobra.Command {
@@ -48,12 +49,12 @@ func installCmd(streams *cli.IOStreams, cmd *cobra.Command) error {
 		return err
 	}
 
-	isAdmin, err := install.HasRoot()
+	isAdmin, err := utils.HasRoot()
 	if err != nil {
 		return fmt.Errorf("unable to perform install command while checking for administrator rights, %w", err)
 	}
 	if !isAdmin {
-		return fmt.Errorf("unable to perform install command, not executed with %s permissions", install.PermissionUser)
+		return fmt.Errorf("unable to perform install command, not executed with %s permissions", utils.PermissionUser)
 	}
 	status, reason := install.Status()
 	force, _ := cmd.Flags().GetBool("force")

internal/pkg/agent/cmd/run.go

@@ -134,7 +134,7 @@ func run(override cfgOverrider, modifiers ...component.PlatformModifier) error {
 	}
 
 	if allowEmptyPgp, _ := release.PGP(); allowEmptyPgp {
-		logger.Info("Artifact has been built with security disabled. Elastic Agent will not verify signatures of the artifacts.")
+		logger.Info("Elastic Agent has been built with security disabled. Elastic Agent will not verify signatures of upgrade artifact.")
 	}
 
 	execPath, err := reexecPath()

internal/pkg/agent/cmd/uninstall.go

@@ -14,6 +14,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/install"
 	"github.com/elastic/elastic-agent/internal/pkg/cli"
+	"github.com/elastic/elastic-agent/pkg/utils"
 )
 
 func newUninstallCommandWithArgs(_ []string, streams *cli.IOStreams) *cobra.Command {
@@ -38,12 +39,12 @@ Unless -f is used this command will ask confirmation before performing removal.
 }
 
 func uninstallCmd(streams *cli.IOStreams, cmd *cobra.Command) error {
-	isAdmin, err := install.HasRoot()
+	isAdmin, err := utils.HasRoot()
 	if err != nil {
 		return fmt.Errorf("unable to perform command while checking for administrator rights, %w", err)
 	}
 	if !isAdmin {
-		return fmt.Errorf("unable to perform command, not executed with %s permissions", install.PermissionUser)
+		return fmt.Errorf("unable to perform command, not executed with %s permissions", utils.PermissionUser)
 	}
 	status, reason := install.Status()
 	if status == install.NotInstalled {

pkg/component/component.go

@@ -6,8 +6,11 @@ package component
 
 import (
 	"fmt"
+	"os"
 	"strings"
 
+	"github.com/elastic/elastic-agent/pkg/utils"
+
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
 	"github.com/elastic/elastic-agent-client/v7/pkg/proto"
 
@@ -87,6 +90,10 @@ func (r *RuntimeSpecs) ToComponents(policy map[string]interface{}) ([]Component,
 	}
 
 	// set the runtime variables that are available in the input specification runtime checks
+	hasRoot, err := utils.HasRoot()
+	if err != nil {
+		return nil, err
+	}
 	vars, err := transpiler.NewVars(map[string]interface{}{
 		"runtime": map[string]interface{}{
 			"platform": r.platform.String(),
@@ -96,6 +103,11 @@ func (r *RuntimeSpecs) ToComponents(policy map[string]interface{}) ([]Component,
 			"major":    r.platform.Major,
 			"minor":    r.platform.Minor,
 		},
+		"user": map[string]interface{}{
+			"uid":  os.Geteuid(),
+			"gid":  os.Getgid(),
+			"root": hasRoot,
+		},
 	}, nil)
 	if err != nil {
 		return nil, err
@@ -260,12 +272,16 @@ func toIntermediate(policy map[string]interface{}) (map[string]outputI, error) {
 		}
 		idRaw, ok := input[idKey]
 		if !ok {
-			return nil, fmt.Errorf("invalid 'inputs.%d', 'id' missing", idx)
+			// no ID; fallback to type
+			idRaw = t
 		}
 		id, ok := idRaw.(string)
 		if !ok {
 			return nil, fmt.Errorf("invalid 'inputs.%d.id', expected a string not a %T", idx, idRaw)
 		}
+		if hasDuplicate(outputsMap, id) {
+			return nil, fmt.Errorf("invalid 'inputs.%d.id', has a duplicate id (id is required to be unique)", idx)
+		}
 		outputName := "default"
 		if outputRaw, ok := input[useKey]; ok {
 			outputNameVal, ok := outputRaw.(string)
@@ -346,6 +362,19 @@ func validateRuntimeChecks(spec *InputSpec, store eql.VarStore) error {
 	return nil
 }
 
+func hasDuplicate(outputsMap map[string]outputI, id string) bool {
+	for _, o := range outputsMap {
+		for _, i := range o.inputs {
+			for _, j := range i {
+				if j.id == id {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
 func getLogLevel(val map[string]interface{}) (client.UnitLogLevel, error) {
 	const logLevelKey = "log_level"
 

pkg/component/component_test.go

@@ -171,7 +171,7 @@ func TestToComponents(t *testing.T) {
 			Err: "invalid 'inputs.0.type', expected a string not a int",
 		},
 		{
-			Name:     "Invalid: inputs entry missing id",
+			Name:     "Invalid: inputs entry duplicate because of missing id",
 			Platform: linuxAMD64Platform,
 			Policy: map[string]interface{}{
 				"outputs": map[string]interface{}{
@@ -184,9 +184,12 @@ func TestToComponents(t *testing.T) {
 					map[string]interface{}{
 						"type": "filestream",
 					},
+					map[string]interface{}{
+						"type": "filestream",
+					},
 				},
 			},
-			Err: "invalid 'inputs.0', 'id' missing",
+			Err: "invalid 'inputs.1.id', has a duplicate id (id is required to be unique)",
 		},
 		{
 			Name:     "Invalid: inputs entry id not a string",

pkg/component/runtime/command.go

@@ -10,8 +10,12 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"time"
 
+	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
+	"github.com/elastic/elastic-agent/pkg/utils"
+
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
 	"github.com/elastic/elastic-agent/pkg/component"
 	"github.com/elastic/elastic-agent/pkg/core/process"
@@ -22,6 +26,11 @@ type actionMode int
 const (
 	actionStart = actionMode(0)
 	actionStop  = actionMode(1)
+
+	runDirMod = 0770
+
+	envAgentComponentID        = "AGENT_COMPONENT_ID"
+	envAgentComponentInputType = "AGENT_COMPONENT_INPUT_TYPE"
 )
 
 type procState struct {
@@ -69,6 +78,7 @@ func NewCommandRuntime(comp component.Component) (ComponentRuntime, error) {
 // ever be called again.
 func (c *CommandRuntime) Run(ctx context.Context, comm Communicator) error {
 	checkinPeriod := c.current.Spec.Spec.Command.Timeouts.Checkin
+	restartPeriod := c.current.Spec.Spec.Command.Timeouts.Restart
 	c.forceCompState(client.UnitStateStarting, "Starting")
 	t := time.NewTicker(checkinPeriod)
 	defer t.Stop()
@@ -81,25 +91,22 @@ func (c *CommandRuntime) Run(ctx context.Context, comm Communicator) error {
 			switch as {
 			case actionStart:
 				if err := c.start(comm); err != nil {
-					c.forceCompState(client.UnitStateFailed, err.Error())
+					c.forceCompState(client.UnitStateFailed, fmt.Sprintf("Failed: %s", err))
 				}
 				t.Reset(checkinPeriod)
 			case actionStop:
 				if err := c.stop(ctx); err != nil {
-					c.forceCompState(client.UnitStateFailed, err.Error())
+					c.forceCompState(client.UnitStateFailed, fmt.Sprintf("Failed: %s", err))
 				}
 			}
 		case ps := <-c.procCh:
 			// ignores old processes
 			if ps.proc == c.proc {
 				c.proc = nil
 				if c.handleProc(ps.state) {
-					// start again
-					if err := c.start(comm); err != nil {
-						c.forceCompState(client.UnitStateFailed, err.Error())
-					}
+					// start again after restart period
+					t.Reset(restartPeriod)
 				}
-				t.Reset(checkinPeriod)
 			}
 		case newComp := <-c.compCh:
 			sendExpected := c.state.syncExpected(&newComp)
@@ -140,30 +147,37 @@ func (c *CommandRuntime) Run(ctx context.Context, comm Communicator) error {
 				c.sendObserved()
 			}
 		case <-t.C:
-			if c.proc != nil && c.actionState == actionStart {
-				// running and should be running
-				now := time.Now().UTC()
-				if c.lastCheckin.IsZero() {
-					// never checked-in
-					c.missedCheckins++
-				} else if now.Sub(c.lastCheckin) > checkinPeriod {
-					// missed check-in during required period
-					c.missedCheckins++
-				} else if now.Sub(c.lastCheckin) <= checkinPeriod {
-					c.missedCheckins = 0
-				}
-				if c.missedCheckins == 0 {
-					c.compState(client.UnitStateHealthy)
-				} else if c.missedCheckins > 0 && c.missedCheckins < maxCheckinMisses {
-					c.compState(client.UnitStateDegraded)
-				} else if c.missedCheckins >= maxCheckinMisses {
-					// something is wrong; the command should be checking in
-					//
-					// at this point it is assumed the sub-process has locked up and will not respond to a nice
-					// termination signal, so we jump directly to killing the process
-					msg := fmt.Sprintf("Failed: pid '%d' missed %d check-ins and will be killed", c.proc.PID, maxCheckinMisses)
-					c.forceCompState(client.UnitStateFailed, msg)
-					_ = c.proc.Kill() // watcher will handle it from here
+			if c.actionState == actionStart {
+				if c.proc == nil {
+					// not running, but should be running
+					if err := c.start(comm); err != nil {
+						c.forceCompState(client.UnitStateFailed, fmt.Sprintf("Failed: %s", err))
+					}
+				} else {
+					// running and should be running
+					now := time.Now().UTC()
+					if c.lastCheckin.IsZero() {
+						// never checked-in
+						c.missedCheckins++
+					} else if now.Sub(c.lastCheckin) > checkinPeriod {
+						// missed check-in during required period
+						c.missedCheckins++
+					} else if now.Sub(c.lastCheckin) <= checkinPeriod {
+						c.missedCheckins = 0
+					}
+					if c.missedCheckins == 0 {
+						c.compState(client.UnitStateHealthy)
+					} else if c.missedCheckins > 0 && c.missedCheckins < maxCheckinMisses {
+						c.compState(client.UnitStateDegraded)
+					} else if c.missedCheckins >= maxCheckinMisses {
+						// something is wrong; the command should be checking in
+						//
+						// at this point it is assumed the sub-process has locked up and will not respond to a nice
+						// termination signal, so we jump directly to killing the process
+						msg := fmt.Sprintf("Failed: pid '%d' missed %d check-ins and will be killed", c.proc.PID, maxCheckinMisses)
+						c.forceCompState(client.UnitStateFailed, msg)
+						_ = c.proc.Kill() // watcher will handle it from here
+					}
 				}
 			}
 		}
@@ -243,11 +257,26 @@ func (c *CommandRuntime) start(comm Communicator) error {
 		return nil
 	}
 	cmdSpec := c.current.Spec.Spec.Command
-	env := make([]string, 0, len(cmdSpec.Env))
+	env := make([]string, 0, len(cmdSpec.Env)+2)
 	for _, e := range cmdSpec.Env {
 		env = append(env, fmt.Sprintf("%s=%s", e.Name, e.Value))
 	}
-	proc, err := process.Start(c.current.Spec.BinaryPath, os.Geteuid(), os.Getgid(), cmdSpec.Args, env, attachOutErr)
+	env = append(env, fmt.Sprintf("%s=%s", envAgentComponentID, c.current.ID))
+	env = append(env, fmt.Sprintf("%s=%s", envAgentComponentInputType, c.current.Spec.InputType))
+	uid, gid := os.Geteuid(), os.Getgid()
+	workDir, err := c.workDir(uid, gid)
+	if err != nil {
+		return err
+	}
+	path, err := filepath.Abs(c.current.Spec.BinaryPath)
+	if err != nil {
+		return fmt.Errorf("failed to determine absolute path: %w", err)
+	}
+	err = utils.HasStrictExecPerms(path, uid)
+	if err != nil {
+		return fmt.Errorf("execution of component prevented: %w", err)
+	}
+	proc, err := process.Start(path, uid, gid, cmdSpec.Args, env, attachOutErr, dirPath(workDir))
 	if err != nil {
 		return err
 	}
@@ -261,7 +290,14 @@ func (c *CommandRuntime) start(comm Communicator) error {
 
 func (c *CommandRuntime) stop(ctx context.Context) error {
 	if c.proc == nil {
-		// already stopped
+		// already stopped ensure that state of the component is also stopped
+		if c.state.State != client.UnitStateStopped {
+			if c.state.State == client.UnitStateFailed {
+				c.forceCompState(client.UnitStateStopped, "Stopped: never started successfully")
+			} else {
+				c.forceCompState(client.UnitStateStopped, "Stopped: already stopped")
+			}
+		}
 		return nil
 	}
 	cmdSpec := c.current.Spec.Spec.Command
@@ -314,8 +350,32 @@ func (c *CommandRuntime) handleProc(state *os.ProcessState) bool {
 	return false
 }
 
+func (c *CommandRuntime) workDir(uid int, gid int) (string, error) {
+	path := filepath.Join(paths.Run(), c.current.ID)
+	err := os.MkdirAll(path, runDirMod)
+	if err != nil {
+		return "", fmt.Errorf("failed to create path: %s, %w", path, err)
+	}
+	err = os.Chown(path, uid, gid)
+	if err != nil {
+		return "", fmt.Errorf("failed to chown %s: %w", path, err)
+	}
+	err = os.Chmod(path, runDirMod)
+	if err != nil {
+		return "", fmt.Errorf("failed to chmod: %s, %w", path, err)
+	}
+	return path, nil
+}
+
 func attachOutErr(cmd *exec.Cmd) error {
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	return nil
 }
+
+func dirPath(path string) process.Option {
+	return func(cmd *exec.Cmd) error {
+		cmd.Dir = path
+		return nil
+	}
+}