[Heartbeat] Unpack beats at build time on docker #202
Conversation
This pull request does not have a backport label. Could you fix it @emilioalvap? 🙏
This looks OK to me
chown -R {{ .user }}:{{ .user }} {{ $beatHome }}/data/{{.BeatName}}-{{ commit_short }}/{{ .beats_install_path }} && \
chown -R root:root {{ $beatHome }}/data/{{.BeatName}}-{{ commit_short }}/{{ .beats_install_path }}/*/*.yml && \
chmod 0644 {{ $beatHome }}/data/{{.BeatName}}-{{ commit_short }}/{{ .beats_install_path }}/*/*.yml && \
setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/{{.BeatName}}-{{ commit_short }}/{{ .beats_install_path }}/heartbeat-*/heartbeat
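Review bot: the setcap line grants cap_net_raw and cap_setuid with `+p` only, so they land in the file's permitted set but are not flagged effective; that is fine when the binary raises them itself at runtime, but the comment requested below should say so explicitly, and any verification with getcap should expect `cap_net_raw,cap_setuid=p` rather than `=ep`. It would also help to state in the same comment why cap_setuid is needed alongside cap_net_raw, since the PR description only mentions "setuid calls" without saying which.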
Can we add a comment about why these permissions are necessary for heartbeat?
Sure, added a short explanation on setcap
Looks good.
This should be backported to 7.17+
I've managed to run ICMP pings to my Even when pings timed out, there wasn't an error message about capabilities. Checking the binary's capabilities also seems correct as per my understanding of how capabilities work:
Reference: https://blog.container-solutions.com/linux-capabilities-in-practice
What does this PR do?
This PR enables unpacking of beats inside the container at build time, so that the required cap_net_raw and cap_setuid capabilities can be assigned to the binary.
Why is it important?
Without the required capabilities, heartbeat cannot execute ICMP pings or setuid calls. As it is now, the agent is unpacking beats at runtime, most likely with a user that doesn't have permission to assign capabilities.
Checklist
Author's Checklist
How to test this PR locally
DEV=true SNAPSHOT=true PLATFORMS=linux/amd64 TYPES=docker mage package
Related issues
Screenshots
Logs
15:38:37.323 elastic_agent.heartbeat [elastic_agent.heartbeat][info] heartbeat start running.
15:38:37.323 elastic_agent.heartbeat [elastic_agent.heartbeat][warn] BETA: Fleet management is enabled
15:38:37.323 elastic_agent.heartbeat [elastic_agent.heartbeat][info] Starting fleet management service
15:38:37.323 elastic_agent.heartbeat [elastic_agent.heartbeat][info] heartbeat is running! Hit CTRL-C to stop it.
15:38:37.323 elastic_agent.heartbeat [elastic_agent.heartbeat][info] Effective user/group ids: 1000/1000, with groups: [0]
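An added example, not code from this PR or from the beats code base, that decodes the `security.capability` extended attribute a `setcap cap_net_raw,cap_setuid+p` call writes, so the capability check mentioned in the thread can be done offline on an extracted image layer instead of by running the container; it assumes the 20-byte VFS_CAP_REVISION_2 layout from linux/capability.h, and the sample blob is constructed in the test rather than read from a real binary.

```python
import struct

# Capability bit numbers from linux/capability.h for the two caps the Dockerfile grants
CAP_SETUID = 7
CAP_NET_RAW = 13
CAP_NAMES = {CAP_SETUID: "cap_setuid", CAP_NET_RAW: "cap_net_raw"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000     # 20-byte layout: magic_etc + two (permitted, inheritable) pairs
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # the "e" in "+ep": permitted set becomes effective at exec


def encode_vfs_cap_v2(permitted, effective):
    """Build the blob setcap writes for the given capability numbers,
    with +p (effective=False) or +ep (effective=True). Assumed layout, see lead-in."""
    mask = 0
    for cap in permitted:
        mask |= 1 << cap
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    # magic_etc, then (permitted, inheritable) for bits 0-31, then for bits 32-63
    return struct.pack("<IIIII", magic, mask & 0xFFFFFFFF, 0, mask >> 32, 0)


def decode_vfs_cap_v2(blob):
    """Parse a revision-2 security.capability xattr into named permitted caps
    plus whether they are flagged effective."""
    if len(blob) != 20:
        raise ValueError("expected a 20-byte VFS_CAP_REVISION_2 blob")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack("<IIIII", blob)
    if magic & VFS_CAP_REVISION_MASK != VFS_CAP_REVISION_2:
        raise ValueError("unsupported security.capability revision")
    permitted = p_lo | (p_hi << 32)
    names = sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (permitted >> b) & 1)
    return {"permitted": names, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def meets_heartbeat_requirement(blob):
    """True when both caps the Dockerfile's setcap line grants are in the permitted set."""
    caps = decode_vfs_cap_v2(blob)
    return {"cap_net_raw", "cap_setuid"} <= set(caps["permitted"])
```

On a real extracted binary the blob comes from `os.getxattr(path, "security.capability")`; a `+p`-only file decodes with `effective` False, which is what the PR's setcap line produces.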