-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove forcing localhost for insecure bootstrap #2198
Conversation
🌐 Coverage report
|
@@ -395,10 +395,6 @@ func (c *enrollCmd) prepareFleetTLS() error { | |||
} | |||
if c.options.FleetServer.Cert == "" && c.options.FleetServer.CertKey == "" { | |||
if c.options.FleetServer.Insecure { | |||
// running insecure, force the binding to localhost (unless specified) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What was the original reason this was done? Just covering the case where the host was unset? Is there a test we can add to keep this bug from happening again?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know why this was done here. I'll try to add a couple unit tests for this method.
I think we need to do some minor cleanup around bootstapping (in another pr) as we have both this method and createFleetServerBootstrapConfig
altering config at different locations
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @blakerouse do you remember why we added it here?
introduced here: elastic/beats#24142
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was added for security reasons, we didn't want the Fleet Server to be exposed outside of localhost insecure mode.
We only allow it to be exposed in insecure mode when the user is specific and provide a host. I think we should really think about this before we make this change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reading the issue description it sounds like when it was explicitly configured to bind to 0.0.0.0
it binds to localhost anyway.
Does c.options.FleetServer.Host
evaluate to ""
when the host was set to 0.0.0.0
intentionally?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cmacknz to clarify, I ran into this issue by setting the host in the Fleet Server integration, through Kibana:
# kibana.yml
# ...
inputs:
- type: fleet-server
vars:
- name: host
value: 0.0.0.0
If I configure the host directly in the Elastic Agent, it works.
I think Kibana's value is ignored because Elastic Agent has no way to tell whether the user explicitly requested 0.0.0.0
or simply relied on the default, which happens to be 0.0.0.0
as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Kibana value is always ignored for Fleet Server, and it has always been that way. Only the values used during the bootstrap process is what is used for Fleet Server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@blakerouse in that case I'm fine with having to explicitly set the host in the Elastic Agent, since the root cause of the issue is my assumption that Kibana's values were actually taken into account.
It's still confusing to upgrade from 8.5 and 8.6 and realize that things aren't working anymore, but this could have easily been addressed with a changelog entry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we consider removing the ability to alter the host value in Kibana to make it clear that it's ignored?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO yes, since this isn't obvious at all.
babe889
to
d555bdc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Confirmed that the new test fails if the fix is removed, thanks!
@@ -395,10 +395,6 @@ func (c *enrollCmd) prepareFleetTLS() error { | |||
} | |||
if c.options.FleetServer.Cert == "" && c.options.FleetServer.CertKey == "" { | |||
if c.options.FleetServer.Insecure { | |||
// running insecure, force the binding to localhost (unless specified) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was added for security reasons, we didn't want the Fleet Server to be exposed outside of localhost insecure mode.
We only allow it to be exposed in insecure mode when the user is specific and provide a host. I think we should really think about this before we make this change.
Required in insecure mode. The value from the Kibana policy gets ignored and the host is forced to localhost. elastic/elastic-agent#2198
Closing this pr, users should set the host with |
What does this PR do?
Remove the forced use of
localhost
as the host when bootstrapping and insecure fleet-server instance.Why is it important?
Bootstrapping process on 8.6.0+ forces a bind to localhost, this does not allow other agents to enroll with the server.
Checklist
I have commented my code, particularly in hard-to-understand areasI have made corresponding changes to the documentationI have made corresponding change to the default configuration files./changelog/fragments
using the changelog toolHow to test this PR locally
xpack.fleet.agents.fleet_server.hosts: [ http://HOSTNAME:8220 ]
in the kibana config--fleet-server-insecure-http
flagsudo lsof | grep 8220
-> verify that something likeTCP *:8220 (LISTEN)
appears in the output. Elastic agent logs will also contain:You can also test with a docker container:
The same log line will appear.
Related issues