From bb214ff2bb551ad993caf413bf4463ca67ff7781 Mon Sep 17 00:00:00 2001
From: Michal Pristas
Date: Fri, 10 Nov 2023 08:40:14 +0100
Subject: [PATCH 1/6] Revert "Revert "[Fix] Agent incapable of running on Azure Container Instances (#3576)" (#3723)"
This reverts commit 29386eb727f7644824de1119aef4c8be5eadeb50.
---
 ...er-runs-on-Azure-Container-Instances-.yaml | 31 +++++++++++++++++++
 .../docker/Dockerfile.elastic-agent.tmpl | 29 ++++++++---------
 2 files changed, 46 insertions(+), 14 deletions(-)
 create mode 100644 changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml
diff --git a/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml b/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml
new file mode 100644
index 00000000000..df24e655971
--- /dev/null
+++ b/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml
@@ -0,0 +1,31 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug
+
+# Change summary; a 80ish characters long description of the change.
+summary: Elastic-Agent container runs on Azure Container Instances
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+#description:
+
+# Affected component; a word indicating the component this changeset affects.
+component: elastic-agent
+
+# PR number; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: 3576
+
+# Issue number; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: 82
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index 1a89be1eaca..f69933ca225 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -9,7 +9,6 @@ FROM {{ .buildFrom }} AS home
 COPY beat {{ $beatHome }}
 RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
- chown -R root:root {{ $beatHome }} && \
 find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \
 find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \
 find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
@@ -127,25 +126,16 @@ COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
 COPY --from=home /opt /opt
 {{- end }}
-
-RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \
-{{- if .linux_capabilities }}
-# Since the beat is stored at the other end of a symlink we must follow the symlink first
-# For security reasons setcap does not support symlinks. This is smart in the general case
-# but in our specific case since we're building a trusted image from trusted binaries this is
-# fine. Thus, we use readlink to follow the link and setcap on the actual binary
- readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }} && \
-{{- end }}
-true
-
 {{- if eq .user "root" }}
 {{- if contains .image_name "-cloud" }}
 # Generate folder for a stub command that will be overwritten at runtime
 RUN mkdir /app
 {{- end }}
 {{- else }}
-RUN groupadd --gid 1000 {{ .BeatName }}
-RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
+RUN groupadd --gid 1000 {{ .BeatName }} && \
+ useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} && \
+ chown -R {{ .user }}:{{ .user }} {{ $beatHome }} && \
+ true
 {{- if contains .image_name "-cloud" }}
 # Generate folder for a stub command that will be overwritten at runtime
@@ -154,6 +144,17 @@ RUN chown {{ .user }} /app
 {{- end }}
 {{- end }}
+# Keep this after any chown command, chown resets any applied capabilities
+RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \
+{{- if .linux_capabilities }}
+# Since the beat is stored at the other end of a symlink we must follow the symlink first
+# For security reasons setcap does not support symlinks. This is smart in the general case
+# but in our specific case since we're building a trusted image from trusted binaries this is
+# fine. Thus, we use readlink to follow the link and setcap on the actual binary
+ setcap {{ .linux_capabilities }} $(readlink -f {{ $beatBinary }}) && \
+{{- end }}
+true
+
 {{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }}
 USER root
 ENV NODE_PATH={{ $beatHome }}/.node
From 78ceea423b25726173d898b2a777004ffc0544b9 Mon Sep 17 00:00:00 2001
From: Michal Pristas
Date: Mon, 13 Nov 2023 09:09:40 +0100
Subject: [PATCH 2/6] Saved 1GB
---
 .../docker/Dockerfile.elastic-agent.tmpl | 40 +++++++++++++------
 1 file changed, 28 insertions(+), 12 deletions(-)
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index f69933ca225..d043fa16650 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
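Review bot: The new ordering comment states the invariant (`chown resets any applied capabilities`) but nothing enforces it, so a `chown -R` added later anywhere under `{{ $beatHome }}` strips the heartbeat capability at build time and the failure only surfaces at runtime. Appending a build-time assertion to this RUN, e.g. `getcap {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat | grep -q cap_net_raw && \` ahead of the final `true`, turns that into a build error (this assumes getcap is installed alongside setcap in the base image, which is the usual packaging). The command substitution `$(readlink -f {{ $beatBinary }})` is unquoted; `"$(readlink -f {{ $beatBinary }})"` is the safer form even though the rendered path is unlikely to contain whitespace.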
@@ -6,9 +6,19 @@
 # the final image because of permission changes.
 FROM {{ .buildFrom }} AS home
-COPY beat {{ $beatHome }}
+{{- if ne .user "root" }}
+RUN groupadd --gid 1000 {{ .BeatName }} && \
+ useradd -M --uid 1000 --gid 1000 --groups 0 {{ .user }} && \
+ true
+{{- end }}
+
+COPY --chown={{ .user }}:{{ .user }} beat {{ $beatHome }}
-RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
+RUN true && \
+{{- if ne .user "root" }}
+ usermod -d {{ $beatHome}} {{ .user }} && \
+{{- end}}
+ mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
 find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \
 find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \
 find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
@@ -26,7 +36,7 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-collector || true) && \
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-symbolizer || true) && \
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-host-agent || true) && \
- find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown root:root {} \; && \
+ find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown {{ .user }}:{{ .user }} {} \; && \
 find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chmod 0644 {} \; && \
 {{- range $i, $modulesd := .ModulesDirs }}
 chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \
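Review bot: `COPY --chown={{ .user }}:{{ .user }} beat {{ $beatHome }}` names the group after the user, but the group created a few lines above is `{{ .BeatName }}` (`groupadd --gid 1000 {{ .BeatName }}`), so the name lookup only succeeds when both template values happen to render to the same string; the final-stage hunk of this commit (`COPY --chown={{ .user }}:{{ .user }} --from=home …`) has the same coupling. Since both ids are fixed at 1000 here, `COPY --chown=1000:1000 beat {{ $beatHome }}` resolves without consulting /etc/passwd or /etc/group, and that also removes the need for the `groupadd`/`useradd`/`usermod` lines in this throwaway `home` stage, because ownership is stored numerically in the layer. If the name form is kept, `{{ .user }}:{{ .BeatName }}` matches the group that actually exists.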
@@ -112,11 +122,22 @@ RUN set -e ; \
 COPY docker-entrypoint /usr/local/bin/docker-entrypoint
 RUN chmod 755 /usr/local/bin/docker-entrypoint
-COPY --from=home {{ $beatHome }} {{ $beatHome }}
+
+{{- if ne .user "root" }}
+RUN groupadd --gid 1000 {{ .BeatName }} && \
+ useradd -M --uid 1000 --gid 1000 --groups 0 {{ .user }} && \
+ true
+{{- end }}
+
+COPY --chown={{ .user }}:{{ .user }} --from=home {{ $beatHome }} {{ $beatHome }}
 # Elastic Agent needs group permissions in the home itself to be able to
 # create fleet.yml when running as non-root.
-RUN chmod 0770 {{ $beatHome }}
+RUN chmod 0770 {{ $beatHome }} && \
+{{- if ne .user "root" }}
+ usermod -d {{ $beatHome}} {{ .user }} && \
+{{- end}}
+ true
 RUN mkdir /licenses
 COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
@@ -132,15 +153,10 @@ COPY --from=home /opt /opt
 RUN mkdir /app
 {{- end }}
 {{- else }}
-RUN groupadd --gid 1000 {{ .BeatName }} && \
- useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} && \
- chown -R {{ .user }}:{{ .user }} {{ $beatHome }} && \
- true
-
 {{- if contains .image_name "-cloud" }}
 # Generate folder for a stub command that will be overwritten at runtime
-RUN mkdir /app
-RUN chown {{ .user }} /app
+RUN mkdir /app && \
+ chown {{ .user }} /app
 {{- end }}
 {{- end }}
From 78367421aae0b9caf6b3f0a49cd37d959ff5fb21 Mon Sep 17 00:00:00 2001
From: Michal Pristas
Date: Wed, 15 Nov 2023 14:39:24 +0100
Subject: [PATCH 3/6] permissions seems ok
---
 .../docker/Dockerfile.elastic-agent.tmpl | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index d043fa16650..1d8d9da84bd 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -18,11 +18,13 @@ RUN true && \
 {{- if ne .user "root" }}
 usermod -d {{ $beatHome}} {{ .user }} && \
 {{- end}}
+ # ECE needs to create config here under non-1000 user
+ chmod 0777 {{ $beatHome}} && \
 mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
 find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \
 find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \
- find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
- find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \
+ find {{ $beatHome }}/data -type d -exec chmod 0777 {} \; && \
+ find {{ $beatHome }}/data -type f -exec chmod 0666 {} \; && \
 rm {{ $beatBinary }} && \
 ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \
 chmod 0755 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \
@@ -133,7 +135,7 @@ COPY --chown={{ .user }}:{{ .user }} --from=home {{ $beatHome }} {{ $beatHome }}
 # Elastic Agent needs group permissions in the home itself to be able to
 # create fleet.yml when running as non-root.
-RUN chmod 0770 {{ $beatHome }} && \
+RUN chmod 0777 {{ $beatHome }} && \
 {{- if ne .user "root" }}
 usermod -d {{ $beatHome}} {{ .user }} && \
 {{- end}}
@@ -156,7 +158,7 @@ RUN mkdir /app
 {{- if contains .image_name "-cloud" }}
 # Generate folder for a stub command that will be overwritten at runtime
 RUN mkdir /app && \
- chown {{ .user }} /app
+ chown {{ .user }}:{{ .user }} /app
 {{- end }}
 {{- end }}
@@ -180,7 +182,7 @@ RUN echo \
 {{ $beatHome }}/.synthetics \
 {{ $beatHome }}/.npm \
 {{ $beatHome }}/.cache \
- | xargs -IDIR sh -c 'mkdir -p DIR && chmod 0770 DIR'
+ | xargs -IDIR sh -c 'mkdir -p DIR && chmod 0775 DIR'
 # Setup synthetics env vars
 ENV ELASTIC_SYNTHETICS_CAPABLE=true
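Review bot: `chmod 0777 {{ $beatHome}}` in this hunk is undone a few lines later by `find {{ $beatHome }} -type d -exec chmod 0755 {} \;`, which processes its starting directory too, so only the final-stage `RUN chmod 0777 {{ $beatHome }}` in the next hunk of this commit has any effect (the same dead chmod survives the home-stage rewrite in PATCH 6/6). Separately, switching the data tree to `0777`/`0666` makes every directory and file under `{{ $beatHome }}/data` writable by any uid in the container, including the directories that hold `elastic-agent` and the components that later receive file capabilities; write access on a directory permits its entries to be removed and replaced regardless of the `0755` applied to the binaries afterwards. The `useradd … --groups 0` elsewhere in this template suggests the "non-1000 user" case from the comment is already served by group 0, so `chmod 0775` / `0664` (or `1777` only on the specific directories that must accept writes from other uids, so users cannot delete each other's files) would satisfy that need with a much smaller exposure. Both points apply to the `RUN chmod 0777 {{ $beatHome }}` hunk below as well.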
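Review bot: The comment above `RUN chmod 0777 {{ $beatHome }}` still says the agent `needs group permissions in the home itself`, but the mode now grants write access to every user rather than the group, and the actual motivation (ECE writing config under a uid other than 1000, noted only in the home-stage hunk) is absent here where the effective chmod lives. Suggest rewording it to `# Elastic Agent needs write access to its home to create fleet.yml when running as non-root; ECE additionally runs under a uid other than 1000, hence the world-writable mode.` so the next reader does not tighten it back to 0770 without knowing the constraint.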
@@ -209,20 +211,22 @@ RUN cd {{$beatHome}}/.node \
 esac \
 && mkdir -p node \
 && curl ${NODE_DOWNLOAD_URL} | tar -xJ --strip 1 -C node \
- && chmod ug+rwX -R $NODE_PATH
-
+ && chmod ug+rwX -R $NODE_PATH \
 # Install synthetics as a regular user, installing npm deps as root odesn't work
-RUN chown -R {{ .user }} $NODE_PATH
+ && chown -R {{ .user }}:{{ .user }} $NODE_PATH \
+ # fix .node .npm and .synthetics
+ && chown -R {{ .user }}:{{ .user }} {{$beatHome}}
 USER {{ .user }}
 # If this fails dump the NPM logs
-RUN npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1'
-RUN chmod ug+rwX -R $NODE_PATH
+RUN (npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1') && \
+ chmod ug+rwX -R $NODE_PATH
 USER root
 # Install the deps as needed by the exact version of playwright elastic synthetics uses
 # We don't use npx playwright install-deps because that could pull a newer version
 # Install additional fonts as well
-RUN for iter in {1..10}; do \
+RUN chown -R {{ .user }}:{{ .user }} {{$beatHome}} && \
+ for iter in {1..10}; do \
 apt-get update -y && \
 $NODE_PATH/node/lib/node_modules/@elastic/synthetics/node_modules/.bin/playwright install-deps chromium && \
 DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
@@ -240,6 +244,7 @@ USER {{ .user }}
 EXPOSE {{ $port }}
 {{- end }}
+
 # When running under Docker, we must ensure libbeat monitoring pulls cgroup
 # metrics from /sys/fs/cgroup//, ignoring any paths found in
 # /proc/self/cgroup.
From 924b14bc885f2777c401e28bae0cbf624d7b432a Mon Sep 17 00:00:00 2001
From: Michal Pristas
Date: Thu, 16 Nov 2023 12:39:25 +0100
Subject: [PATCH 4/6] reduce complete image
---
 .../packaging/templates/docker/Dockerfile.elastic-agent.tmpl | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
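Review bot: The two new `chown -R {{ .user }}:{{ .user }} {{$beatHome}}` lines (closing the node-download RUN and opening the playwright RUN) execute after the heartbeat `setcap` step that precedes the `-complete` block in this template, and the comment on that step says `chown resets any applied capabilities`, so in -complete images these lines strip the capabilities that were just granted. PATCH 4/6 and 5/6 in this series remove both lines, which resolves it; if a recursive chown under `{{ $beatHome }}` is needed again, keep it scoped to `$NODE_PATH` as 5/6 does, or place it before the setcap step. The comment `# Install synthetics as a regular user, …` now sits inside a backslash-continued RUN; the Dockerfile parser strips comment lines before joining continuations, so it works, but a reader may mistake it for a shell comment that ends the chain, so a short note or moving it above the RUN would help.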
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index 1d8d9da84bd..6903f0a5ee4 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -225,8 +225,7 @@ USER root
 # Install the deps as needed by the exact version of playwright elastic synthetics uses
 # We don't use npx playwright install-deps because that could pull a newer version
 # Install additional fonts as well
-RUN chown -R {{ .user }}:{{ .user }} {{$beatHome}} && \
- for iter in {1..10}; do \
+RUN for iter in {1..10}; do \
 apt-get update -y && \
 $NODE_PATH/node/lib/node_modules/@elastic/synthetics/node_modules/.bin/playwright install-deps chromium && \
 DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
From 2e646992259335821ffb1d354f76b17ba16f9807 Mon Sep 17 00:00:00 2001
From: Michal Pristas
Date: Thu, 16 Nov 2023 14:08:44 +0100
Subject: [PATCH 5/6] complete compact
---
 .../templates/docker/Dockerfile.elastic-agent.tmpl | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index 6903f0a5ee4..cac30725149 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -211,15 +211,14 @@ RUN cd {{$beatHome}}/.node \
 esac \
 && mkdir -p node \
 && curl ${NODE_DOWNLOAD_URL} | tar -xJ --strip 1 -C node \
- && chmod ug+rwX -R $NODE_PATH \
+ && chmod ugo+rwX -R $NODE_PATH \
 # Install synthetics as a regular user, installing npm deps as root odesn't work
- && chown -R {{ .user }}:{{ .user }} $NODE_PATH \
 # fix .node .npm and .synthetics
- && chown -R {{ .user }}:{{ .user }} {{$beatHome}}
+ && chown -R {{ .user }}:{{ .user }} $NODE_PATH
 USER {{ .user }}
 # If this fails dump the NPM logs
 RUN (npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1') && \
- chmod ug+rwX -R $NODE_PATH
+ chmod ugo+rwX -R $NODE_PATH
 USER root
 # Install the deps as needed by the exact version of playwright elastic synthetics uses
From ede4e4df4ff8821f9e50a28445c8906a86ae3225 Mon Sep 17 00:00:00 2001
From: Michal Pristas
Date: Thu, 23 Nov 2023 15:00:41 +0100
Subject: [PATCH 6/6] simplify dockerfile
---
 .../docker/Dockerfile.elastic-agent.tmpl | 28 ++-----------------
 1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index cac30725149..9d659fe9cd7 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
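Review bot: `chmod ugo+rwX -R $NODE_PATH` (both occurrences in this hunk) makes the node runtime and the installed `@elastic/synthetics` tree writable by every uid in the container, so any process running there can alter the JavaScript and binaries that later execute as `{{ .user }}`. The template creates that user with `--groups 0`, so if the motivation is an arbitrary-uid runtime (the ECE case noted earlier in the series), the previous `ug+rwX` combined with `chown -R {{ .user }}:0 $NODE_PATH` would give that uid write access through group 0 without opening `o+w`; if a different runtime uid or group is the reason, a comment next to the chmod recording it would keep the next reviewer from narrowing it back. The comment `# Install synthetics as a regular user, installing npm deps as root odesn't work` now stands between two chained lines and also carries a typo (`odesn't`); since it no longer describes the line it precedes, moving it above the RUN it applies to would read better.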
@@ -6,18 +6,9 @@
 # the final image because of permission changes.
 FROM {{ .buildFrom }} AS home
-{{- if ne .user "root" }}
-RUN groupadd --gid 1000 {{ .BeatName }} && \
- useradd -M --uid 1000 --gid 1000 --groups 0 {{ .user }} && \
- true
-{{- end }}
-
-COPY --chown={{ .user }}:{{ .user }} beat {{ $beatHome }}
+COPY beat {{ $beatHome }}
 RUN true && \
-{{- if ne .user "root" }}
- usermod -d {{ $beatHome}} {{ .user }} && \
-{{- end}}
 # ECE needs to create config here under non-1000 user
 chmod 0777 {{ $beatHome}} && \
 mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
@@ -38,7 +29,6 @@ RUN true && \
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-collector || true) && \
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-symbolizer || true) && \
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-host-agent || true) && \
- find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown {{ .user }}:{{ .user }} {} \; && \
 find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chmod 0644 {} \; && \
 {{- range $i, $modulesd := .ModulesDirs }}
 chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \
@@ -122,23 +112,18 @@ RUN set -e ; \
 chmod +x /usr/bin/tini
 COPY docker-entrypoint /usr/local/bin/docker-entrypoint
-RUN chmod 755 /usr/local/bin/docker-entrypoint
-
-
-{{- if ne .user "root" }}
 RUN groupadd --gid 1000 {{ .BeatName }} && \
 useradd -M --uid 1000 --gid 1000 --groups 0 {{ .user }} && \
+ chmod 755 /usr/local/bin/docker-entrypoint && \
 true
-{{- end }}
 COPY --chown={{ .user }}:{{ .user }} --from=home {{ $beatHome }} {{ $beatHome }}
 # Elastic Agent needs group permissions in the home itself to be able to
 # create fleet.yml when running as non-root.
 RUN chmod 0777 {{ $beatHome }} && \
-{{- if ne .user "root" }}
 usermod -d {{ $beatHome}} {{ .user }} && \
-{{- end}}
+ find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown root:root {} \; && \
 true
 RUN mkdir /licenses
@@ -149,18 +134,11 @@ COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
 COPY --from=home /opt /opt
 {{- end }}
-{{- if eq .user "root" }}
-{{- if contains .image_name "-cloud" }}
-# Generate folder for a stub command that will be overwritten at runtime
-RUN mkdir /app
-{{- end }}
-{{- else }}
 {{- if contains .image_name "-cloud" }}
 # Generate folder for a stub command that will be overwritten at runtime
 RUN mkdir /app && \
 chown {{ .user }}:{{ .user }} /app
 {{- end }}
-{{- end }}
 # Keep this after any chown command, chown resets any applied capabilities
 RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \
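Review bot: `groupadd --gid 1000 {{ .BeatName }}` and `useradd … {{ .user }}` now run unconditionally, and the second hunk of this commit deletes the `{{- if eq .user "root" }}` branch, so the template no longer supports being rendered with `.user` set to `root`: `useradd` would fail on the existing account and the build would stop at this RUN. If no image variant still passes `root` that is fine, but it has become an implicit contract of the template; a comment above the RUN such as `# .user must be a non-root account: the groupadd/useradd below fail for an existing user` makes the assumption visible to whoever next adds a variant. The yml `chown root:root` added to the `chmod 0777` RUN is ordered before the later `setcap` step, which is consistent with the `Keep this after any chown command` comment, and restoring root ownership of the component configs after `COPY --chown` is the right direction.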