From 8d4e3daeca867ea8ad6b4959788adf178f3a2c08 Mon Sep 17 00:00:00 2001
From: Michal Pristas
Date: Fri, 1 Dec 2023 10:51:45 +0100
Subject: [PATCH] Elastic Agent ACI compliant image (#3778)
---
 ...er-runs-on-Azure-Container-Instances-.yaml | 31 ++++++++++
 .../docker/Dockerfile.elastic-agent.tmpl | 60 +++++++++----------
 2 files changed, 60 insertions(+), 31 deletions(-)
 create mode 100644 changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml
diff --git a/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml b/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml
new file mode 100644
index 00000000000..df24e655971
--- /dev/null
+++ b/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml
@@ -0,0 +1,31 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug
+
+# Change summary; a 80ish characters long description of the change.
+summary: Elastic-Agent container runs on Azure Container Instances
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+#description:
+
+# Affected component; a word indicating the component this changeset affects.
+component: elastic-agent
+
+# PR number; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: 3576
+
+# Issue number; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: 82
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index 1a89be1eaca..9d659fe9cd7 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -8,12 +8,14 @@ FROM {{ .buildFrom }} AS home
 COPY beat {{ $beatHome }}
-RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
- chown -R root:root {{ $beatHome }} && \
+RUN true && \
+ # ECE needs to create config here under non-1000 user
+ chmod 0777 {{ $beatHome}} && \
+ mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
 find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \
 find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \
- find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
- find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \
+ find {{ $beatHome }}/data -type d -exec chmod 0777 {} \; && \
+ find {{ $beatHome }}/data -type f -exec chmod 0666 {} \; && \
 rm {{ $beatBinary }} && \
 ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \
 chmod 0755 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \
@@ -27,7 +29,6 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-collector || true) && \
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-symbolizer || true) && \
 (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-host-agent || true) && \
- find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown root:root {} \; && \
 find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chmod 0644 {} \; && \
 {{- range $i, $modulesd := .ModulesDirs }}
 chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \
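Review bot: `chmod 0777 {{ $beatHome}}` together with the `find {{ $beatHome }}/data -type d -exec chmod 0777` / `-type f -exec chmod 0666` lines makes the agent home and the whole data tree world-writable, including `data/elastic-agent-{{ commit_short }}/components`, the directory whose binaries receive file capabilities in the later `RUN setcap` step; with a world-writable, non-sticky directory any UID in the container can add or replace files there, not just the runtime user. The previous `0770`/`0660` relied on the runtime user being in group 0 (`--groups 0` is still passed to `useradd`), which is the usual way to support the "non-1000 user" case the new comment mentions without opening the tree to everyone. If ACI really does not preserve GID 0, limit the widening to the paths that are written at runtime and keep the components tree at `0755`, e.g. `find {{ $beatHome }}/data -type d ! -path '*/components*' -exec chmod 0777 {} \; && \` and the same `! -path` filter on the `0666` file line. The `chmod 0777 {{ $beatHome }}` in the hunk at `@@ -111,13 +112,19 @@` has the same effect. This `RUN` chain continues past the end of the hunk.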
@@ -111,13 +112,19 @@ RUN set -e ; \
 chmod +x /usr/bin/tini
 COPY docker-entrypoint /usr/local/bin/docker-entrypoint
-RUN chmod 755 /usr/local/bin/docker-entrypoint
+RUN groupadd --gid 1000 {{ .BeatName }} && \
+ useradd -M --uid 1000 --gid 1000 --groups 0 {{ .user }} && \
+ chmod 755 /usr/local/bin/docker-entrypoint && \
+ true
-COPY --from=home {{ $beatHome }} {{ $beatHome }}
+COPY --chown={{ .user }}:{{ .user }} --from=home {{ $beatHome }} {{ $beatHome }}
 # Elastic Agent needs group permissions in the home itself to be able to
 # create fleet.yml when running as non-root.
-RUN chmod 0770 {{ $beatHome }}
+RUN chmod 0777 {{ $beatHome }} && \
+ usermod -d {{ $beatHome}} {{ .user }} && \
+ find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown root:root {} \; && \
+ true
 RUN mkdir /licenses
 COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
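Review bot: `groupadd`/`useradd` now run unconditionally, whereas the removed `{{- if eq .user "root" }}` branch in the hunk at `@@ -127,33 +134,23 @@` skipped user creation for the root variant; if any image still renders with `.user` set to `root`, `useradd ... root` fails because the account already exists and `usermod -d {{ $beatHome}} root` would relocate root's home, so either confirm no such variant remains or guard the two commands. The group is created as `{{ .BeatName }}` but `COPY --chown={{ .user }}:{{ .user }}` resolves the group by the user name, which only works while `.user` and `.BeatName` render to the same string; `--chown={{ .user }}:{{ .BeatName }}` (or numeric `1000:1000`) removes that coupling. The comment above `RUN chmod 0777 {{ $beatHome }}` still says "group permissions" although the mode is now world-writable; reword it, e.g. `# create fleet.yml when running as a non-root, arbitrary UID (ECE/ACI), hence world-writable.`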
@@ -127,33 +134,23 @@ COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
 COPY --from=home /opt /opt
 {{- end }}
+{{- if contains .image_name "-cloud" }}
+# Generate folder for a stub command that will be overwritten at runtime
+RUN mkdir /app && \
+ chown {{ .user }}:{{ .user }} /app
+{{- end }}
+# Keep this after any chown command, chown resets any applied capabilities
 RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \
 {{- if .linux_capabilities }}
 # Since the beat is stored at the other end of a symlink we must follow the symlink first
 # For security reasons setcap does not support symlinks. This is smart in the general case
 # but in our specific case since we're building a trusted image from trusted binaries this is
 # fine. Thus, we use readlink to follow the link and setcap on the actual binary
- readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }} && \
+ setcap {{ .linux_capabilities }} $(readlink -f {{ $beatBinary }}) && \
 {{- end }}
 true
-{{- if eq .user "root" }}
-{{- if contains .image_name "-cloud" }}
-# Generate folder for a stub command that will be overwritten at runtime
-RUN mkdir /app
-{{- end }}
-{{- else }}
-RUN groupadd --gid 1000 {{ .BeatName }}
-RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
-
-{{- if contains .image_name "-cloud" }}
-# Generate folder for a stub command that will be overwritten at runtime
-RUN mkdir /app
-RUN chown {{ .user }} /app
-{{- end }}
-{{- end }}
-
 {{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }}
 USER root
 ENV NODE_PATH={{ $beatHome }}/.node
@@ -163,7 +160,7 @@ RUN echo \
 {{ $beatHome }}/.synthetics \
 {{ $beatHome }}/.npm \
 {{ $beatHome }}/.cache \
- | xargs -IDIR sh -c 'mkdir -p DIR && chmod 0770 DIR'
+ | xargs -IDIR sh -c 'mkdir -p DIR && chmod 0775 DIR'
 # Setup synthetics env vars
 ENV ELASTIC_SYNTHETICS_CAPABLE=true
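Review bot: The command substitution in `setcap {{ .linux_capabilities }} $(readlink -f {{ $beatBinary }}) && \` is unquoted, so the resolved path is subject to word splitting and globbing; it is harmless for the paths this template produces, but `setcap {{ .linux_capabilities }} "$(readlink -f {{ $beatBinary }})" && \` is the robust form and keeps ShellCheck quiet on this RUN. The new `# Keep this after any chown command, chown resets any applied capabilities` comment is the important ordering constraint here; it would be worth extending it to say that this also covers `COPY --chown`, since a later `COPY --chown` of the same tree would silently drop the capabilities set by this step.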
@@ -192,14 +189,14 @@ RUN cd {{$beatHome}}/.node \
 esac \
 && mkdir -p node \
 && curl ${NODE_DOWNLOAD_URL} | tar -xJ --strip 1 -C node \
- && chmod ug+rwX -R $NODE_PATH
-
+ && chmod ugo+rwX -R $NODE_PATH \
 # Install synthetics as a regular user, installing npm deps as root odesn't work
-RUN chown -R {{ .user }} $NODE_PATH
+ # fix .node .npm and .synthetics
+ && chown -R {{ .user }}:{{ .user }} $NODE_PATH
 USER {{ .user }}
 # If this fails dump the NPM logs
-RUN npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1'
-RUN chmod ug+rwX -R $NODE_PATH
+RUN (npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1') && \
+ chmod ugo+rwX -R $NODE_PATH
 USER root
 # Install the deps as needed by the exact version of playwright elastic synthetics uses
@@ -223,6 +220,7 @@ USER {{ .user }}
 EXPOSE {{ $port }}
 {{- end }}
+
 # When running under Docker, we must ensure libbeat monitoring pulls cgroup
 # metrics from /sys/fs/cgroup//, ignoring any paths found in
 # /proc/self/cgroup.
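Review bot: `chmod ugo+rwX -R $NODE_PATH` (both occurrences) makes the Node runtime and the globally installed `@elastic/synthetics` tree world-writable, so any UID inside the container can alter the `node` binary and modules that the synthetics components execute; the previous `ug+rwX` combined with the new `chown -R {{ .user }}:{{ .user }} $NODE_PATH` already gives the runtime user what it needs, and if an arbitrary UID must also write here, group-writable with GID 0 (`chmod -R g+rwX $NODE_PATH` after `chgrp -R 0`) is the narrower option. The context comment `# Install synthetics as a regular user, installing npm deps as root odesn't work` now sits inside the root `RUN` chain between `chmod` and `chown`, away from the `USER {{ .user }}` / `npm i -g` step it explains; move it directly above `USER {{ .user }}` and fix the typo (`doesn't`). The `RUN cd {{$beatHome}}/.node \` chain begins before this hunk.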