Merge branch 'main' into dependabot/go_modules/github.com/elastic/go-…

…sysinfo-1.11.2
elastic · Dec 1, 2023 · 2be0625 · 2be0625
2 parents c934393 + 8d4e3da
commit 2be0625
Show file tree

Hide file tree

Showing 21 changed files with 172 additions and 77 deletions.
diff --git a/...elog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml b/...elog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml
@@ -0,0 +1,31 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug
+
+# Change summary; a 80ish characters long description of the change.
+summary: Elastic-Agent container runs on Azure Container Instances 
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+#description: 
+
+# Affected component; a word indicating the component this changeset affects.
+component: elastic-agent
+
+# PR number; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: 3576
+
+# Issue number; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: 82
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -8,12 +8,14 @@ FROM {{ .buildFrom }} AS home
 
 COPY beat {{ $beatHome }}
 
-RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
-    chown -R root:root {{ $beatHome }} && \
+RUN true && \
+    # ECE needs to create config here under non-1000 user
+    chmod 0777 {{ $beatHome}} && \
+    mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
     find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \
     find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \
-    find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
-    find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \
+    find {{ $beatHome }}/data -type d -exec chmod 0777 {} \; && \
+    find {{ $beatHome }}/data -type f -exec chmod 0666 {} \; && \
     rm {{ $beatBinary }} && \
     ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \
     chmod 0755 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \
@@ -27,7 +29,6 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-collector || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-symbolizer || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-host-agent || true) && \
-    find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown root:root {} \; && \
     find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chmod 0644 {} \; && \
 {{- range $i, $modulesd := .ModulesDirs }}
     chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \
@@ -111,13 +112,19 @@ RUN set -e ; \
   chmod +x /usr/bin/tini
 
 COPY docker-entrypoint /usr/local/bin/docker-entrypoint
-RUN chmod 755 /usr/local/bin/docker-entrypoint
+RUN groupadd --gid 1000 {{ .BeatName }} && \
+    useradd -M --uid 1000 --gid 1000 --groups 0 {{ .user }} && \
+    chmod 755 /usr/local/bin/docker-entrypoint && \
+    true
 
-COPY --from=home {{ $beatHome }} {{ $beatHome }}
+COPY --chown={{ .user }}:{{ .user }} --from=home {{ $beatHome }} {{ $beatHome }}
 
 # Elastic Agent needs group permissions in the home itself to be able to
 # create fleet.yml when running as non-root.
-RUN chmod 0770 {{ $beatHome }}
+RUN chmod 0777 {{ $beatHome }} && \
+    usermod -d {{ $beatHome}} {{ .user }} && \
+    find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown root:root {} \; && \
+    true
 
 RUN mkdir /licenses
 COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
@@ -127,33 +134,23 @@ COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
 COPY --from=home /opt /opt
 {{- end }}
 
+{{- if contains .image_name "-cloud" }}
+# Generate folder for a stub command that will be overwritten at runtime
+RUN mkdir /app && \
+    chown {{ .user }}:{{ .user }} /app
+{{- end }}
 
+# Keep this after any chown command, chown resets any applied capabilities
 RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \
 {{- if .linux_capabilities }}
 # Since the beat is stored at the other end of a symlink we must follow the symlink first
 # For security reasons setcap does not support symlinks. This is smart in the general case
 # but in our specific case since we're building a trusted image from trusted binaries this is
 # fine. Thus, we use readlink to follow the link and setcap on the actual binary
-    readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }} && \
+   setcap {{ .linux_capabilities }}  $(readlink -f {{ $beatBinary }}) && \
 {{- end }}
 true
 
-{{- if eq .user "root" }}
-{{- if contains .image_name "-cloud" }}
-# Generate folder for a stub command that will be overwritten at runtime
-RUN mkdir /app
-{{- end }}
-{{- else }}
-RUN groupadd --gid 1000 {{ .BeatName }}
-RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
-
-{{- if contains .image_name "-cloud" }}
-# Generate folder for a stub command that will be overwritten at runtime
-RUN mkdir /app
-RUN chown {{ .user }} /app
-{{- end }}
-{{- end }}
-
 {{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal")))  }}
 USER root
 ENV NODE_PATH={{ $beatHome }}/.node
@@ -163,7 +160,7 @@ RUN echo \
     {{ $beatHome }}/.synthetics \
     {{ $beatHome }}/.npm \
     {{ $beatHome }}/.cache \
-    | xargs -IDIR sh -c 'mkdir -p DIR && chmod 0770 DIR'
+    | xargs -IDIR sh -c 'mkdir -p DIR && chmod 0775 DIR'
 
 # Setup synthetics env vars
 ENV ELASTIC_SYNTHETICS_CAPABLE=true
@@ -192,14 +189,14 @@ RUN cd {{$beatHome}}/.node \
      esac \
   && mkdir -p node \
   && curl ${NODE_DOWNLOAD_URL} | tar -xJ --strip 1 -C node \
-  && chmod ug+rwX -R $NODE_PATH
-
+  && chmod ugo+rwX -R $NODE_PATH \
 # Install synthetics as a regular user, installing npm deps as root odesn't work
-RUN chown -R {{ .user }} $NODE_PATH
+   # fix .node .npm and .synthetics
+   && chown -R {{ .user }}:{{ .user }} $NODE_PATH 
 USER {{ .user }}
 # If this fails dump the NPM logs
-RUN npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1'
-RUN chmod ug+rwX -R $NODE_PATH
+RUN (npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1') && \
+    chmod ugo+rwX -R $NODE_PATH
 USER root
 
 # Install the deps as needed by the exact version of playwright elastic synthetics uses
@@ -223,6 +220,7 @@ USER {{ .user }}
 EXPOSE {{ $port }}
 {{- end }}
 
+
 # When running under Docker, we must ensure libbeat monitoring pulls cgroup
 # metrics from /sys/fs/cgroup/<subsystem>/, ignoring any paths found in
 # /proc/self/cgroup.

diff --git a/pkg/testing/fixture.go b/pkg/testing/fixture.go
@@ -282,6 +282,10 @@ func (f *Fixture) RunBeat(ctx context.Context) error {
 		return errors.New("RunBeat() can't be run against elastic-agent")
 	}
 
+	if _, deadlineSet := ctx.Deadline(); !deadlineSet {
+		f.t.Fatal("Context passed to Fixture.RunBeat() has no deadline set.")
+	}
+
 	var err error
 	err = f.EnsurePrepared(ctx)
 	if err != nil {
@@ -366,6 +370,10 @@ func (f *Fixture) RunBeat(ctx context.Context) error {
 // The `elastic-agent.yml` generated by `Fixture.Configure` is ignored
 // when `Run` is called.
 func (f *Fixture) Run(ctx context.Context, states ...State) error {
+	if _, deadlineSet := ctx.Deadline(); !deadlineSet {
+		f.t.Fatal("Context passed to Fixture.Run() has no deadline set.")
+	}
+
 	if f.binaryName != "elastic-agent" {
 		return errors.New("Run() can only be used with elastic-agent, use RunBeat()")
 	}

diff --git a/testing/integration/diagnostics_test.go b/testing/integration/diagnostics_test.go
@@ -16,6 +16,7 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -24,6 +25,7 @@ import (
 	"github.com/elastic/elastic-agent/pkg/core/process"
 	integrationtest "github.com/elastic/elastic-agent/pkg/testing"
 	"github.com/elastic/elastic-agent/pkg/testing/define"
+	"github.com/elastic/elastic-agent/pkg/testing/tools/testcontext"
 )
 
 const diagnosticsArchiveGlobPattern = "elastic-agent-diagnostics-*.zip"
@@ -95,7 +97,7 @@ func TestDiagnosticsOptionalValues(t *testing.T) {
 	fixture, err := define.NewFixture(t, define.Version())
 	require.NoError(t, err)
 
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
 	defer cancel()
 	err = fixture.Prepare(ctx, fakeComponent, fakeShipper)
 	require.NoError(t, err)
@@ -121,14 +123,11 @@ func TestDiagnosticsCommand(t *testing.T) {
 	f, err := define.NewFixture(t, define.Version())
 	require.NoError(t, err)
 
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
 	defer cancel()
 	err = f.Prepare(ctx, fakeComponent, fakeShipper)
 	require.NoError(t, err)
 
-	ctx, cancel = context.WithCancel(context.Background())
-	defer cancel()
-
 	err = f.Run(ctx, integrationtest.State{
 		Configure:  simpleConfig2,
 		AgentState: integrationtest.NewClientState(client.Healthy),

diff --git a/testing/integration/endpoint_security_test.go b/testing/integration/endpoint_security_test.go
@@ -241,7 +241,7 @@ func testInstallAndUnenrollWithEndpointSecurity(t *testing.T, info *define.Info,
 		Force:          true,
 	}
 
-	ctx, cn := context.WithCancel(context.Background())
+	ctx, cn := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
 	defer cn()
 
 	policy, err := tools.InstallAgentWithPolicy(ctx, t, installOpts, fixture, info.KibanaClient, createPolicyReq)
@@ -353,7 +353,7 @@ func testInstallWithEndpointSecurityAndRemoveEndpointIntegration(t *testing.T, i
 		Force:          true,
 	}
 
-	ctx, cn := context.WithCancel(context.Background())
+	ctx, cn := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
 	defer cn()
 
 	policy, err := tools.InstallAgentWithPolicy(ctx, t, installOpts, fixture, info.KibanaClient, createPolicyReq)
@@ -497,7 +497,7 @@ func TestEndpointSecurityNonDefaultBasePath(t *testing.T) {
 		Sudo:  true,  // requires Agent installation
 	})
 
-	ctx, cn := context.WithCancel(context.Background())
+	ctx, cn := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
 	defer cn()
 
 	// Get path to agent executable.
@@ -527,7 +527,7 @@ func TestEndpointSecurityNonDefaultBasePath(t *testing.T) {
 	pkgPolicyResp, err := installElasticDefendPackage(t, info, policyResp.ID)
 	require.NoErrorf(t, err, "Policy Response was: %v", pkgPolicyResp)
 
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
 	defer cancel()
 
 	c := fixture.Client()

diff --git a/testing/integration/fake_test.go b/testing/integration/fake_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/elastic/elastic-agent/pkg/control/v2/client"
 	atesting "github.com/elastic/elastic-agent/pkg/testing"
 	"github.com/elastic/elastic-agent/pkg/testing/define"
+	"github.com/elastic/elastic-agent/pkg/testing/tools/testcontext"
 )
 
 var simpleConfig1 = `
@@ -51,7 +52,7 @@ func TestFakeComponent(t *testing.T) {
 	f, err := define.NewFixture(t, define.Version())
 	require.NoError(t, err)
 
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
 	defer cancel()
 	err = f.Prepare(ctx, fakeComponent, fakeShipper)
 	require.NoError(t, err)

diff --git a/testing/integration/fqdn_test.go b/testing/integration/fqdn_test.go
@@ -27,6 +27,7 @@ import (
 	"github.com/elastic/elastic-agent/pkg/testing/define"
 	"github.com/elastic/elastic-agent/pkg/testing/tools"
 	"github.com/elastic/elastic-agent/pkg/testing/tools/fleettools"
+	"github.com/elastic/elastic-agent/pkg/testing/tools/testcontext"
 	"github.com/elastic/go-elasticsearch/v8"
 )
 
@@ -52,11 +53,13 @@ func TestFQDN(t *testing.T) {
 	origEtcHosts, err := getEtcHosts()
 	require.NoError(t, err)
 
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
 	// Save original hostname so we can restore it at the end of each test
-	origHostname, err := getHostname(context.Background())
+	origHostname, err := getHostname(ctx)
 	require.NoError(t, err)
 
-	ctx := context.Background()
 	kibClient := info.KibanaClient
 
 	shortName := strings.ToLower(randStr(6))
@@ -93,7 +96,7 @@ func TestFQDN(t *testing.T) {
 		assert.NoError(t, fleettools.UnEnrollAgent(info.KibanaClient, policy.ID))
 
 		t.Log("Restoring hostname...")
-		err := setHostname(context.Background(), origHostname, t.Log)
+		err := setHostname(ctx, origHostname, t.Log)
 		require.NoError(t, err)
 
 		t.Log("Restoring original /etc/hosts...")

diff --git a/testing/integration/install_test.go b/testing/integration/install_test.go
@@ -18,6 +18,7 @@ import (
 
 	atesting "github.com/elastic/elastic-agent/pkg/testing"
 	"github.com/elastic/elastic-agent/pkg/testing/define"
+	"github.com/elastic/elastic-agent/pkg/testing/tools/testcontext"
 
 	"github.com/stretchr/testify/require"
 )
@@ -38,8 +39,11 @@ func TestInstallWithoutBasePath(t *testing.T) {
 	fixture, err := define.NewFixture(t, define.Version())
 	require.NoError(t, err)
 
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
 	// Prepare the Elastic Agent so the binary is extracted and ready to use.
-	err = fixture.Prepare(context.Background())
+	err = fixture.Prepare(ctx)
 	require.NoError(t, err)
 
 	// Check that default base path is clean
@@ -59,15 +63,15 @@ func TestInstallWithoutBasePath(t *testing.T) {
 
 	// Run `elastic-agent install`.  We use `--force` to prevent interactive
 	// execution.
-	out, err := fixture.Install(context.Background(), &atesting.InstallOpts{Force: true})
+	out, err := fixture.Install(ctx, &atesting.InstallOpts{Force: true})
 	if err != nil {
 		t.Logf("install output: %s", out)
 		require.NoError(t, err)
 	}
 
 	// Check that Agent was installed in default base path
 	checkInstallSuccess(t, topPath)
-	t.Run("check agent package version", testAgentPackageVersion(context.Background(), fixture, true))
+	t.Run("check agent package version", testAgentPackageVersion(ctx, fixture, true))
 }
 
 func TestInstallWithBasePath(t *testing.T) {
@@ -86,8 +90,11 @@ func TestInstallWithBasePath(t *testing.T) {
 	fixture, err := define.NewFixture(t, define.Version())
 	require.NoError(t, err)
 
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
 	// Prepare the Elastic Agent so the binary is extracted and ready to use.
-	err = fixture.Prepare(context.Background())
+	err = fixture.Prepare(ctx)
 	require.NoError(t, err)
 
 	// Set up random temporary directory to serve as base path for Elastic Agent
@@ -97,7 +104,7 @@ func TestInstallWithBasePath(t *testing.T) {
 
 	// Run `elastic-agent install`.  We use `--force` to prevent interactive
 	// execution.
-	out, err := fixture.Install(context.Background(), &atesting.InstallOpts{
+	out, err := fixture.Install(ctx, &atesting.InstallOpts{
 		BasePath: randomBasePath,
 		Force:    true,
 	})
@@ -109,7 +116,7 @@ func TestInstallWithBasePath(t *testing.T) {
 	// Check that Agent was installed in the custom base path
 	topPath := filepath.Join(randomBasePath, "Elastic", "Agent")
 	checkInstallSuccess(t, topPath)
-	t.Run("check agent package version", testAgentPackageVersion(context.Background(), fixture, true))
+	t.Run("check agent package version", testAgentPackageVersion(ctx, fixture, true))
 }
 
 func checkInstallSuccess(t *testing.T, topPath string) {