[Heartbeat] Unpack beats to enable capabilities inside container

[emilioalvap]

What does this PR do?

This PR enables unpacking of beats inside the container at build time, so that required cap_net_raw, cap_setuid capabilities can be assigned to the binary.

Why is it important?

Without the required capabilities, heartbeat cannot execute ICMP pings or setuid calls. As it is now, agent is unpacking beats at runtime, most likely with a user that doesn't have permission to assign capabilities.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

• Build elastic-agent containers, from x-pack/elastic-agent run:
  env PLATFORMS="+all linux/amd64" mage dev:package
• Run one of the built containers and provide some heartbeat configuration:

docker run --name agent -it -u root --env FLEET_ENROLL=1 --env \
FLEET_URL=<url> --env \ 
FLEET_ENROLLMENT_TOKEN=<token> \ 
docker.elastic.co/beats/elastic-agent:8.1.0-SNAPSHOT

Related issues

• Relates [elastic-agent][heartbeat] Heartbeat binary should have setcap privs for ICMP ping #27651

Use cases

Screenshots

Logs

[mergify]

This pull request does not have a backport label. Could you fix it @emilioalvap? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-02-24T14:42:42.541+0000

• Duration: 229 min 34 sec

Test stats 🧪

Test	Results
Failed	0
Passed	38335
Skipped	3320
Total	41655

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[andrewvc]

If we're saying this is the default behavior, do we need this option, or should we just always do this?

[blakerouse]

I think we should make this the default and remove this option.

[emilioalvap]

Ok, removed the option and it's now unpacking by default

[blakerouse]

Overall looks acceptable, just some open questions and comments first.

[blakerouse]

I think we should make this the default and remove this option.

[blakerouse]

We should not remove this $beatPath. It's not going to save any space in the image anyway because it is included in a previous layer.

[emilioalvap]

True that, removed

[blakerouse]

What does this leave the group as?

[emilioalvap]

Group was root, changed that to be elastic-agent too.

[blakerouse]

What is the cap_setuid+p for? Why is that needed?

[emilioalvap]

Heartbeat requires it for switching user id at runtime

[andrewvc]

To add some detail here @blakerouse heartbeat runs node as a subprocess, and node hates to run as root. It's also just a best practice to setuid out of root if you can regardless.

[blakerouse]

Okay. It was just more of a question so I can understand. Thanks for the explanation.

[blakerouse]

@emilioalvap What is the status of this PR? Can we get it up for full review?

We believe this will also fix https://github.com/elastic/observability-dev/issues/1935.

[emilioalvap]

@blakerouse @andrewvc These two are workarounds for a couple of issues I've found, I'd welcome your suggestions on how to fix those.

First one is related to permission checking in libbeat. This method is checking that config file owner is either root or executing user, which is not the case if container is extracted as elastic-agent and executed as root. At the moment, k8s templates for elastic-agent containers in docs portal use root user to execute pods, possibly for ECK templates too. The workaround is to change config file ownership to root.

The second one is related to this post-build check. Config files extracted from beat .tars do not follow the specified permission mask:

package_test.go:258: file usr/share/elastic-agent/data/elastic-agent-d732b3/install/osquerybeat-8.2.0-linux-x86_64/osquerybeat.yml has wrong permissions: expected=-rw-r--r-- actual=-rw-------

I wasn't sure what the rationale is behind this check and what the impact could be for another beats.

[blakerouse]

@emilioalvap I think the first workaround is okay, as Elastic Agent never writes this file.

As for the post-build check I see you do a chmod 0644 for the *.yml, can that be changed to chmod 0600 or would that break it?

[emilioalvap]

@blakerouse Some of the beats' *.yml files come with 0600 and that is actually what breaks the test. 0644 seems to be the permission mask applied to *.yml files outside zipped beats. So now that we are unpacking beats, the test that used to check elastic.-agent *.yml files is also checking other beats config files.

[blakerouse]

@emilioalvap Still confused? So are you saying that its working with the change and the test is passing or we need to change either one?

[emilioalvap]

@blakerouse Sure, let me clarify. I added the following to make the test pass:

chmod 0644 {{ $beatHome }}/data/{{.BeatName}}-{{ commit_short }}/{{ .beats_install_path }}/*/*.yml

But I wanted to make sure that this change wouldn't impact other beats in a way that I cannot foresee, as its changing file permission for all beats unpacked in the build phase.