[Heartbeat] Unpack beats at build time on docker

[emilioalvap]

What does this PR do?

This PR enables unpacking of beats inside the container at build time, so that required cap_net_raw, cap_setuid capabilities can be assigned to the binary.

Why is it important?

Without the required capabilities, heartbeat cannot execute ICMP pings or setuid calls. As it is now, agent is unpacking beats at runtime, most likely with a user that doesn't have permission to assign capabilities.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files

Author's Checklist

• [ ]

How to test this PR locally

• Build elastic-agent containers, run:
  DEV=true SNAPSHOT=true PLATFORMS=linux/amd64 TYPES=docker mage package
• Run one of the built containers and provide some heartbeat configuration:

docker run --name agent -it -u root --env FLEET_ENROLL=1 --env \
FLEET_URL=<url> --env \ 
FLEET_ENROLLMENT_TOKEN=<token> \ 
docker.elastic.co/beats/elastic-agent:8.2.0-SNAPSHOT

Related issues

• Relates [elastic-agent][heartbeat] Heartbeat binary should have setcap privs for ICMP ping beats#27651

Screenshots

Logs

15:38:37.323
elastic_agent.heartbeat
[elastic_agent.heartbeat][info] heartbeat start running.
15:38:37.323
elastic_agent.heartbeat
[elastic_agent.heartbeat][warn] BETA: Fleet management is enabled
15:38:37.323
elastic_agent.heartbeat
[elastic_agent.heartbeat][info] Starting fleet management service
15:38:37.323
elastic_agent.heartbeat
[elastic_agent.heartbeat][info] heartbeat is running! Hit CTRL-C to stop it.
15:38:37.323
elastic_agent.heartbeat
[elastic_agent.heartbeat][info] Effective user/group ids: 1000/1000, with groups: [0]

[mergify]

This pull request does not have a backport label. Could you fix it @emilioalvap? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[mergify]

This pull request does not have a backport label. Could you fix it @emilioalvap? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-03-14T16:05:23.423+0000

• Duration: 37 min 43 sec

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages.

• run integration tests : Run the Elastic Agent Integration tests.

• run end-to-end tests : Generate the packages and run the E2E Tests.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[ph]

This look OK to me

[ph]

Can we add a comment about why these permission are necessary for heartbeat?

[emilioalvap]

Sure, added a short explanation on setcap

[blakerouse]

Looks good.

This should be backported to 7.17+

[lucasfcosta]

I've managed to run ICMP pings to my localhost from the container as @emilioalvap described.

Even when pings timed out, there wasn't an error message about capabilities.

Checking the binaries capability also seems correct as per my understanding of how capabilities work:

elastic-agent@a1eb84cf2c41:~$ getpcaps 58
58: = cap_net_raw+ep

Reference: https://blog.container-solutions.com/linux-capabilities-in-practice