From 3ff02cbba4184957cf63cad3e3bf5e23d17bd0f2 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor <jaime.soriano@elastic.co>
Date: Wed, 1 Jul 2020 16:59:47 +0200
Subject: [PATCH] Allow the Docker image to be run with a random user id
 (#12905) (#18873)

Prepare docker images to be run with arbitrary user ids. Following common practices
and recommendations, files that need to be read by Beats have now read permissions
for the group and belong to the root group. Also, the user included in the docker image
is added to the root group so it can read these files when run on docker with default
user and privileges.

Some changes are also added to Kubernetes reference manifests to help running beats
with arbitrary user ids, though this is not completely supported and it requires additional
setup.

Co-authored-by: Michael Morello <michael.morello@elastic.co>
---
 CHANGELOG.next.asciidoc                                 | 1 +
 deploy/kubernetes/auditbeat-kubernetes.yaml             | 5 +++--
 deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml    | 5 +++--
 deploy/kubernetes/filebeat-kubernetes.yaml              | 3 ++-
 deploy/kubernetes/filebeat/filebeat-daemonset.yaml      | 3 ++-
 deploy/kubernetes/metricbeat-kubernetes.yaml            | 9 +++++----
 deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml  | 5 +++--
 deploy/kubernetes/metricbeat/metricbeat-deployment.yaml | 4 ++--
 dev-tools/packaging/templates/docker/Dockerfile.tmpl    | 4 ++--
 9 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b8f05a254c1..1e9a4eb011b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -311,6 +311,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - When using the `decode_json_fields` processor, decoded fields are now deep-merged into existing event. {pull}17958[17958]
 - Add backoff configuration options for the Kafka output. {issue}16777[16777] {pull}17808[17808]
 - Add TLS support to Kerberos authentication in Elasticsearch. {pull}18607[18607]
+- Change ownership of files in docker images so they can be used in secured environments. {pull}12905[12905]
 - Upgrade k8s.io/client-go and k8s keystore tests. {pull}18817[18817]
 - Add support for multiple sets of hints on autodiscover {pull}18883[18883]
 
diff --git a/deploy/kubernetes/auditbeat-kubernetes.yaml b/deploy/kubernetes/auditbeat-kubernetes.yaml
index bd6c4736c8b..24492c50653 100644
--- a/deploy/kubernetes/auditbeat-kubernetes.yaml
+++ b/deploy/kubernetes/auditbeat-kubernetes.yaml
@@ -196,14 +196,15 @@ spec:
           path: /etc
       - name: config
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: auditbeat-config
       - name: modules
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: auditbeat-daemonset-modules
       - name: data
         hostPath:
+          # When auditbeat runs as non-root user, this directory needs to be writable by group (g+w).
           path: /var/lib/auditbeat-data
           type: DirectoryOrCreate
       - name: run-containerd
diff --git a/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml b/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml
index 21ffb167107..39eaf726eef 100644
--- a/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml
+++ b/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml
@@ -109,14 +109,15 @@ spec:
           path: /etc
       - name: config
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: auditbeat-config
       - name: modules
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: auditbeat-daemonset-modules
       - name: data
         hostPath:
+          # When auditbeat runs as non-root user, this directory needs to be writable by group (g+w).
           path: /var/lib/auditbeat-data
           type: DirectoryOrCreate
       - name: run-containerd
diff --git a/deploy/kubernetes/filebeat-kubernetes.yaml b/deploy/kubernetes/filebeat-kubernetes.yaml
index 49e4ff12f0b..7399635e42d 100644
--- a/deploy/kubernetes/filebeat-kubernetes.yaml
+++ b/deploy/kubernetes/filebeat-kubernetes.yaml
@@ -112,7 +112,7 @@ spec:
       volumes:
       - name: config
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: filebeat-config
       - name: varlibdockercontainers
         hostPath:
@@ -123,6 +123,7 @@ spec:
       # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
       - name: data
         hostPath:
+          # When filebeat runs as non-root user, this directory needs to be writable by group (g+w).
           path: /var/lib/filebeat-data
           type: DirectoryOrCreate
 ---
diff --git a/deploy/kubernetes/filebeat/filebeat-daemonset.yaml b/deploy/kubernetes/filebeat/filebeat-daemonset.yaml
index 20c742d518d..b6df8f31fdb 100644
--- a/deploy/kubernetes/filebeat/filebeat-daemonset.yaml
+++ b/deploy/kubernetes/filebeat/filebeat-daemonset.yaml
@@ -68,7 +68,7 @@ spec:
       volumes:
       - name: config
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: filebeat-config
       - name: varlibdockercontainers
         hostPath:
@@ -79,5 +79,6 @@ spec:
       # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
       - name: data
         hostPath:
+          # When filebeat runs as non-root user, this directory needs to be writable by group (g+w).
           path: /var/lib/filebeat-data
           type: DirectoryOrCreate
diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml
index 216bbc24f9f..9690b9cb84f 100644
--- a/deploy/kubernetes/metricbeat-kubernetes.yaml
+++ b/deploy/kubernetes/metricbeat-kubernetes.yaml
@@ -177,14 +177,15 @@ spec:
           path: /var/run/docker.sock
       - name: config
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: metricbeat-daemonset-config
       - name: modules
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: metricbeat-daemonset-modules
       - name: data
         hostPath:
+          # When metricbeat runs as non-root user, this directory needs to be writable by group (g+w)
           path: /var/lib/metricbeat-data
           type: DirectoryOrCreate
 ---
@@ -302,11 +303,11 @@ spec:
       volumes:
       - name: config
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: metricbeat-deployment-config
       - name: modules
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: metricbeat-deployment-modules
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml
index 96f841c4519..0197fe136b6 100644
--- a/deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml
+++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml
@@ -84,13 +84,14 @@ spec:
           path: /var/run/docker.sock
       - name: config
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: metricbeat-daemonset-config
       - name: modules
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: metricbeat-daemonset-modules
       - name: data
         hostPath:
+          # When metricbeat runs as non-root user, this directory needs to be writable by group (g+w)
           path: /var/lib/metricbeat-data
           type: DirectoryOrCreate
diff --git a/deploy/kubernetes/metricbeat/metricbeat-deployment.yaml b/deploy/kubernetes/metricbeat/metricbeat-deployment.yaml
index 8b0c5351ed0..0e11187cac3 100644
--- a/deploy/kubernetes/metricbeat/metricbeat-deployment.yaml
+++ b/deploy/kubernetes/metricbeat/metricbeat-deployment.yaml
@@ -61,9 +61,9 @@ spec:
       volumes:
       - name: config
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: metricbeat-deployment-config
       - name: modules
         configMap:
-          defaultMode: 0600
+          defaultMode: 0640
           name: metricbeat-deployment-modules
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
index 1123bb14f7b..9080b7c534d 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
@@ -30,7 +30,7 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint
 RUN groupadd --gid 1000 {{ .BeatName }}
 
 RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
-    chown -R root:{{ .BeatName }} {{ $beatHome }} && \
+    chown -R root:root {{ $beatHome }} && \
     find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \
     find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \
     chmod 0750 {{ $beatBinary }} && \
@@ -43,7 +43,7 @@ RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
     chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs
 
 {{- if ne .user "root" }}
-RUN useradd -M --uid 1000 --gid 1000 --home {{ $beatHome }} {{ .user }}
+RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
 {{- end }}
 USER {{ .user }}