[Elastic Agent] Drop privileges when managed by Elastic Agent #4571
Comments
simitt
changed the title
|
IMO we should not require APM Server to run with root privileges, so yes for GA |
|
As of this comment, the current version of agent can be run without |
|
related elastic/elastic-agent#147 |
|
After some investigation, the image that is used to to run $ docker inspect --format '{{ .Config.User }}' apm-server_fleet-server_1
elastic-agent
$ docker exec -ti apm-server_fleet-server_1 bash
bash-4.2$ ps auxf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
elastic+ 104 1.0 0.0 3676 2508 pts/0 Ss 10:26 0:00 bash
elastic+ 130 0.0 0.0 7748 2820 pts/0 R+ 10:26 0:00 \_ ps auxf
elastic+ 1 0.2 0.0 2008 344 ? Ss 10:25 0:00 /usr/bin/tini -- /usr/local/bin/docker-entrypoint
elastic+ 7 4.2 0.4 961668 53028 ? Sl 10:25 0:00 elastic-agent container
elastic+ 76 2.0 0.4 1035144 52104 ? Sl 10:26 0:00 \_ /usr/share/elastic-agent/data/elastic-agent-3a7557/elastic-agent enroll -f -c /usr/share/elastic-agent/state/elastic-agent.yml --path.home /u
elastic+ 84 9.6 0.4 1035556 57176 ? Sl 10:26 0:00 \_ /usr/share/elastic-agent/data/elastic-agent-3a7557/elastic-agent run -e -c /usr/share/elastic-agent/state/elastic-agent.yml --path.home /I also checked in ECE using a elastic@ip-192-168-44-10:~$ docker inspect --format '{{.Config.User}}' fac-6b398beb72a44165aee30d6730e1ae77-instance-0000000000
1000:1000
elastic@ip-192-168-44-10:~$ id
uid=1000(elastic) gid=1000(elastic) groups=1000(elastic),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(lxd),114(netdev),999(docker)
elastic@ip-192-168-44-10:~$ docker exec -ti fac-6b398beb72a44165aee30d6730e1ae77-instance-0000000000 bash
bash-4.2$ ps auxf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
elastic+ 105 0.5 0.0 11832 2900 pts/0 Ss 11:10 0:00 bash
elastic+ 110 0.0 0.0 51736 3528 pts/0 R+ 11:11 0:00 \_ ps auxf
elastic+ 1 0.0 0.0 4364 624 ? Ss Nov11 0:17 /usr/bin/tini -- /app/apm.sh
elastic+ 6 0.0 0.0 11700 2664 ? S Nov11 0:00 /bin/bash /app/apm.sh
elastic+ 16 0.0 0.1 985332 63264 ? Sl Nov11 0:48 \_ /usr/share/elastic-agent/elastic-agent container
elastic+ 26 0.1 0.3 1201172 101644 ? Sl Nov11 19:07 \_ /app/apm-server/apm-server-8.0.0-SNAPSHOT-linux-x86_64/apm-server --path.home /app --path.config /app/config --path.data /app/data --path
elastic+ 35 0.0 0.9 1395332 300472 ? Sl Nov11 6:18 \_ /usr/share/elastic-agent/data/elastic-agent-6dea6d/elastic-agent enroll -f -c /app/config/elastic-agent.yml --path.home /app/elastic-agen
elastic+ 43 0.0 0.8 1406420 289416 ? Sl Nov11 13:54 \_ /usr/share/elastic-agent/data/elastic-agent-6dea6d/elastic-agent run -e -c /app/config/elastic-agent.yml --path.home /app/elastic-age
elastic+ 54 0.2 0.0 1161692 28168 ? Sl Nov11 40:59 \_ /usr/share/elastic-agent/data/elastic-agent-6dea6d/install/fleet-server-8.0.0-SNAPSHOT-linux-x86_64/fleet-server --agent-mode -E
bash-4.2$ id
uid=1000(elastic-agent) gid=1000(elastic-agent) groups=1000(elastic-agent),0(root)This was changed a while ago on the image that is built by |
|
Elastic Agent doesn't need to run as root anymore and can run in unprivileged mode so this should not be needed: #12503 |
At the moment APM Server does not run with root privileges. When managed by Elastic Agent it by default has the same privilege level as the Agent itself.
Independent of the privileges the Elastic Agent requires to have, APM Server will not need to be
root. Following the principle of the least privileges, we should investigate how we can drop privileges of the APM Server.The server still needs to be able to communicate back to the Elastic Agebt via gRPC.
The text was updated successfully, but these errors were encountered: