Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[meta] running java-attacher #7023

Closed
stuartnelson3 opened this issue Jan 10, 2022 · 6 comments
Closed

[meta] running java-attacher #7023

stuartnelson3 opened this issue Jan 10, 2022 · 6 comments
Assignees
@stuartnelson3
Labels
meta
Milestone
8.2

Comments

@stuartnelson3
Copy link
Contributor

stuartnelson3 commented Jan 10, 2022
edited by axw
Loading

Status

When running under linux, forking and running the java-attacher is not currently allowed, as APM Server uses seccomp to filter allowed syscalls.

Options

(A) Provide seccomp rules to allow the required syscalls

The fork/exec privileges added via seccomp-bpf need to be limited to the java-attacher process.

The below matrix tracks the status of forking and running the java-attacher with the listed operating system/architecture + apm-server mode pair.

standalone managed
linux/amd64 #7017
linux/386 #7018
linux/arm #7019
linux/arm64 #7020
darwin #7021
windows #7022

nb. Linux rows are split out by CPU architecture, because each will require an update to its own seccomp policy. seccomp is only supported in linux.

Related Issues:

(B) Investigate static analysis of fork/exec syscalls

Verify APM Server's dynamic call graph #7109

(C) Disable seccomp

#7305

Update: We decided to move forward with option (A) for now. Focusing on seccomp is more aligned with currently ongoing effort in the agent team. With option (B) it would be hard to ensure that all code paths are checked for restricted syscalls. Given some related conversations around moving subprocesses to their own Integration or Sub-Integration this might not be needed in the future.

Update the second: it turns out seccomp filters don't support our needs (i.e. allowing only some programs to be executed). After further consideration, we have decided it is safe to disable the current seccomp implementation in APM Server.
@stuartnelson3 stuartnelson3 added this to the 8.1 milestone Jan 10, 2022
@simitt simitt removed the v8.1.0 label Jan 12, 2022
@simitt
Copy link
Contributor

simitt commented Jan 12, 2022

This is blocked at the moment by elastic/elastic-agent#95 and figuring out how custom seccomp filters should be configured and applied when managed by Elastic Agent.

@simitt simitt added the blocked label Jan 12, 2022
@stuartnelson3 stuartnelson3 mentioned this issue Jan 12, 2022
Closed
@simitt simitt mentioned this issue Jan 12, 2022
Closed
@axw axw mentioned this issue Jan 24, 2022
Closed
@simitt
Copy link
Contributor

simitt commented Jan 25, 2022

2022-01-25: Updated description to reflect also the alternative option.

@simitt simitt modified the milestones: 8.1, 8.2 Feb 7, 2022
@axw axw mentioned this issue Feb 16, 2022
Closed
@graphaelli
Copy link
Member

Now that Option C has been selected and the changes for it have been merged, what is left to satisfy this issue?

@axw
Copy link
Member

axw commented Feb 24, 2022
edited
Loading

I think the only thing left to do is test across all supported platforms:

(Pretty sure Stuart has tested on Linux already, but maybe not since the seccomp changes were made?)

@stuartnelson3
Copy link
Contributor Author

I've tested on linux/amd64, but not 386

@ogupte ogupte mentioned this issue Mar 10, 2022
Closed
@simitt
Copy link
Contributor

simitt commented Mar 15, 2022

@stuartnelson3 please close this issue once you finished testing on linux.

@simitt simitt closed this as completed Mar 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stuartnelson3 stuartnelson3

Labels
meta
Projects
None yet
Milestone
8.2
Development

No branches or pull requests
4 participants
@graphaelli @axw @stuartnelson3 @simitt