From a9db1b1f9421eb7372ae74faa8f6cd455148de94 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Thu, 24 Sep 2020 13:50:22 +0200
Subject: [PATCH] Stop running agent container as root by default (#21213)

Stop running Elastic Agent as root by default on docker image. When root user or other privileges are required, they will need to be explicitly configured at run time. This already happens now, except for the root user. Provided Kubernetes manifests already use security context to run as user 0.
---
 dev-tools/packaging/packages.yml | 2 +-
 .../templates/docker/Dockerfile.elastic-agent.tmpl | 8 +++++++-
 x-pack/elastic-agent/CHANGELOG.next.asciidoc | 2 ++
 x-pack/elastic-agent/magefile.go | 2 +-
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
index 1cfd2402193..dbfbc9f4b7a 100644
--- a/dev-tools/packaging/packages.yml
+++ b/dev-tools/packaging/packages.yml
@@ -340,7 +340,7 @@ shared:
 buildFrom: 'centos:7'
 dockerfile: 'Dockerfile.elastic-agent.tmpl'
 docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
- user: 'root'
+ user: '{{ .BeatName }}'
 linux_capabilities: ''
 files:
 'elastic-agent.yml':
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index 5e6c0fcd6cd..7ab87f6f3ec 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
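Review bot: Switching `user` to `'{{ .BeatName }}'` only works if that account exists in the image and belongs to the group that owns the tree the Dockerfile template chowns to `root:root` and then opens to group (0770/0660), and neither the user creation nor its group membership is visible in this diff, so please confirm the template's useradd puts the beat user in gid 0 (or chown to that user's own group instead). Since root now has to be requested at run time, a short comment on this key would save readers a trip to the changelog, e.g. `# default is the unprivileged beat user; root must be requested explicitly at run time`.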
@@ -12,6 +12,8 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
 chown -R root:root {{ $beatHome }} && \
 find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \
 find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \
+ find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
+ find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \
 rm {{ $beatBinary }} && \
 ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \
 chmod 0750 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \
@@ -21,7 +23,7 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
 {{- range $i, $modulesd := .ModulesDirs }}
 chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \
 {{- end }}
- chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs
+ true
 FROM {{ .from }}
@@ -69,6 +71,10 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint
 COPY --from=home {{ $beatHome }} {{ $beatHome }}
+# Elastic Agent needs group permissions in the home itself to be able to
+# create fleet.yml when running as non-root.
+RUN chmod 0770 {{ $beatHome }}
+
 RUN mkdir /licenses
 COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
 COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
index d9475d35be3..4178cfcbf62 100644
--- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc
+++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
@@ -7,6 +7,8 @@
 ==== Breaking changes
+- Docker container is not run as root by default. {pull}21213[21213]
+
 ==== Bugfixes
 ==== New features
diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go
index a4a5f314869..7296e8189be 100644
--- a/x-pack/elastic-agent/magefile.go
+++ b/x-pack/elastic-agent/magefile.go
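Review bot: The two added `find {{ $beatHome }}/data ...` lines make every directory under `data` group-writable, including `data/elastic-agent-{{ commit_short }}` which holds the agent executable, whereas the line removed in the next hunk opened only `data` and its `logs` subdirectory. Because write permission on a directory allows its entries to be replaced or renamed, the later `chmod 0750 .../elastic-agent` on the file no longer protects the executable from a process running with the agent's group, so the image loses the read-only-code property the previous layout had. If the agent only writes to its state and log paths, the install directory itself could stay at 0750, e.g. `find {{ $beatHome }}/data -type d -not -path '*/elastic-agent-{{ commit_short }}' -exec chmod 0770 {} \; && \`; I cannot tell from here whether the agent writes into that directory at run time, so verify before narrowing. The RUN instruction these lines belong to begins before this hunk and continues past it.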
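Review bot: The bare `true` that replaces the last `chmod` exists only to close the `&& \` chain that the `{{- range }}` block above may or may not extend, and that intent is not visible to a reader of the rendered Dockerfile. A comment line above it such as `# no-op: terminates the && chain regardless of what the range above emitted` would make clear it is deliberate. The RUN instruction it terminates starts before this hunk.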
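Review bot: `RUN chmod 0770 {{ $beatHome }}` makes the home directory itself group-writable, so a process in that group can create, rename or delete any entry directly in the home, not only `fleet.yml`; if `{{ $beatBinary }}` (the symlink created in the first stage) or the config files live there, they become replaceable by the agent's own unprivileged user. If the agent allows fleet.yml to be placed in a dedicated writable subdirectory, that would keep the home itself at 0750; otherwise the new comment should state the trade-off, e.g. add `# This also lets the beat user modify other entries in the home directory.` Whether the binary symlink lives in the home is not visible in this hunk.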
@@ -336,7 +336,7 @@ func requiredPackagesPresent(basePath, beat, version string, requiredPackages []
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
- return devtools.TestPackages(devtools.WithRootUserContainer())
+ return devtools.TestPackages()
 }
 // RunGo runs go command and output the feedback to the stdout and the stderr.
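Review bot: Removing `devtools.WithRootUserContainer()` changes which container user the package test expects, but the hunk adds nothing that pins the new non-root default, and whether `devtools.TestPackages` verifies the image's configured user at all is not visible here; if it does not, the main change of this PR is untested and a check comparing the image user to the value in `packages.yml` would be worth adding. The doc comment could also record the expectation, e.g. `// TestPackages tests the generated packages (i.e. file modes, owners, groups; the container is expected to run as the non-root beat user).`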