Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop running agent container as root by default #21213

Merged
merged 3 commits into from
Sep 24, 2020

Conversation

jsoriano
Copy link
Member

@jsoriano jsoriano commented Sep 22, 2020

What does this PR do?

Stop running Elastic Agent as root by default on docker image. When root user or other privileges are required, they will need to be explicitly configured at run time. This already happens now, except for the root user.
Provided Kubernetes manifests already use security context to run as user 0.

Why is it important?

Using USER root in docker images is not a very good practice, and is not allowed in some certification processes (see #20996).

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

Related issues

@jsoriano jsoriano added Team:Platforms Label for the Integrations - Platforms team Team:Ingest Management labels Sep 22, 2020
@jsoriano jsoriano self-assigned this Sep 22, 2020
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Sep 22, 2020
@jsoriano
Copy link
Member Author

/package

@elasticmachine
Copy link
Collaborator

elasticmachine commented Sep 22, 2020

💔 Build Failed

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #21213 updated]

  • Start Time: 2020-09-24T08:33:39.572+0000

  • Duration: 75 min 1 sec

Test stats 🧪

Test Results
Failed 0
Passed 17401
Skipped 1817
Total 19218

Steps errors

Expand to view the steps failures

  • Name: Mage build test

    • Description: mage build test

    • Duration: 9 min 35 sec

    • Start Time: 2020-09-24T08:58:17.113+0000

    • log

  • Name: Mage build test

    • Description: mage build test

    • Duration: 7 min 21 sec

    • Start Time: 2020-09-24T08:58:19.384+0000

    • log

Log output

Expand to view the last 100 lines of log output

[2020-09-24T09:48:00.658Z] + tar -xpf source.tgz
[2020-09-24T09:48:10.992Z] + rm source.tgz
[2020-09-24T09:48:11.005Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats
[2020-09-24T09:48:11.042Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Lint
[2020-09-24T09:48:11.192Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Winlogbeat-oss
[2020-09-24T09:48:11.312Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-09-24T09:48:11.473Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-09-24T09:48:11.592Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Journalbeat
[2020-09-24T09:48:11.731Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/dockerlogbeat
[2020-09-24T09:48:11.860Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-09-24T09:48:11.996Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-09-24T09:48:12.124Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Packetbeat-Linux
[2020-09-24T09:48:12.245Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-09-24T09:48:12.371Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-09-24T09:48:12.612Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Libbeat-oss
[2020-09-24T09:48:12.766Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-09-24T09:48:12.896Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Heartbeat-oss
[2020-09-24T09:48:13.008Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Heartbeat-Windows
[2020-09-24T09:48:13.162Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Filebeat-oss
[2020-09-24T09:48:13.294Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-09-24T09:48:13.423Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Auditbeat-oss-Windows
[2020-09-24T09:48:13.568Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Auditbeat-x-pack-Windows
[2020-09-24T09:48:13.745Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-09-24T09:48:13.927Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Libbeat-x-pack
[2020-09-24T09:48:14.086Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-09-24T09:48:14.362Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-09-24T09:48:14.533Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Functionbeat-Windows
[2020-09-24T09:48:14.663Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Auditbeat-oss-Linux
[2020-09-24T09:48:14.787Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Filebeat-Windows
[2020-09-24T09:48:14.923Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Packetbeat-Windows
[2020-09-24T09:48:15.038Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Elastic-Agent-Mac-OS-X
[2020-09-24T09:48:15.161Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-x-pack-Windows
[2020-09-24T09:48:15.417Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-Windows
[2020-09-24T09:48:15.586Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Auditbeat-oss-Mac-OS-X
[2020-09-24T09:48:15.731Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Auditbeat-x-pack-Mac-OS-X
[2020-09-24T09:48:15.862Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Heartbeat-Mac-OS-X
[2020-09-24T09:48:15.996Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Generators-Beat-Linux
[2020-09-24T09:48:16.126Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-x-pack-Mac-OS-X
[2020-09-24T09:48:16.262Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-09-24T09:48:16.365Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Generators-Metricbeat-Mac-OS-X
[2020-09-24T09:48:16.472Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Functionbeat-Mac-OS-X-x-pack
[2020-09-24T09:48:16.584Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Packetbeat-Mac-OS-X
[2020-09-24T09:48:16.687Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Generators-Beat-Mac-OS-X
[2020-09-24T09:48:16.821Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Filebeat-x-pack
[2020-09-24T09:48:16.953Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-Mac-OS-X
[2020-09-24T09:48:17.063Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests
[2020-09-24T09:48:17.168Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-OSS-Python-Integration-tests
[2020-09-24T09:48:17.270Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-09-24T09:48:17.389Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-09-24T09:48:17.873Z] + cat
[2020-09-24T09:48:17.873Z] + /usr/local/bin/runbld ./runbld-script --job-name elastic+beats+pull-request
[2020-09-24T09:48:17.873Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-09-24T09:48:24.495Z] runbld>>> runbld started
[2020-09-24T09:48:24.495Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-09-24T09:48:25.875Z] runbld>>> The following profiles matched the job 'elastic+beats+pull-request' in order of occurrence in the config (last value wins).
[2020-09-24T09:48:25.875Z] runbld>>> Matches in the system config:
[2020-09-24T09:48:25.876Z] runbld>>> - Matched ^elastic\+beats
[2020-09-24T09:48:25.876Z] runbld>>> - Matched ^elastic\+beats\+pull-request
[2020-09-24T09:48:27.254Z] runbld>>> Debug logging enabled.
[2020-09-24T09:48:27.254Z] runbld>>> Storing result
[2020-09-24T09:48:27.514Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-09-24T09:48:27.514Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1597739501209/t/20200924094827-454F70A4
[2020-09-24T09:48:27.514Z] runbld>>> Adding system facts.
[2020-09-24T09:48:28.451Z] runbld>>> Adding vcs info for the latest commit:  16f96511fc4edbfd3e1102bda42818bf9cb8b6c3
[2020-09-24T09:48:28.451Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-09-24T09:48:28.451Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-09-24T09:48:28.451Z] Processing JUnit reports with runbld...
[2020-09-24T09:48:28.451Z] + echo 'Processing JUnit reports with runbld...'
[2020-09-24T09:48:29.021Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-09-24T09:48:29.021Z] runbld>>> DURATION: 24ms
[2020-09-24T09:48:29.021Z] runbld>>> STDOUT: 40 bytes
[2020-09-24T09:48:29.021Z] runbld>>> STDERR: 49 bytes
[2020-09-24T09:48:29.021Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-09-24T09:48:29.021Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-21213
[2020-09-24T09:48:29.965Z] runbld>>> Storing build metadata: 
[2020-09-24T09:48:29.965Z] runbld>>> Adding test report.
[2020-09-24T09:48:29.965Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats
[2020-09-24T09:48:30.535Z] runbld>>> Found 136 test output files
[2020-09-24T09:48:31.129Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-09-24T09:48:31.129Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-09-24T09:48:31.129Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-09-24T09:48:31.129Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-iis.xml
[2020-09-24T09:48:31.129Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-tomcat.xml
[2020-09-24T09:48:32.516Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-09-24T09:48:32.516Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-21213/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-09-24T09:48:33.893Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 19061 Skipped: 1555
[2020-09-24T09:48:34.152Z] runbld>>> Storing result
[2020-09-24T09:48:34.152Z] runbld>>> FAILURES: 0
[2020-09-24T09:48:34.411Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-09-24T09:48:34.411Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1597739501209/t/20200924094827-454F70A4
[2020-09-24T09:48:34.411Z] runbld>>> Email notification disabled by environment variable.
[2020-09-24T09:48:34.411Z] runbld>>> Slack notification disabled by environment variable.
[2020-09-24T09:48:40.047Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-21213
[2020-09-24T09:48:40.151Z] [INFO] getVaultSecret: Getting secrets
[2020-09-24T09:48:40.233Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-09-24T09:48:41.075Z] + chmod 755 generate-build-data.sh
[2020-09-24T09:48:41.075Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-21213/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-21213/runs/3 FAILURE 4501244
[2020-09-24T09:48:41.075Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-21213/runs/3/steps/?limit=10000 -o steps-info.json
[2020-09-24T09:48:43.584Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-21213/runs/3/tests/?status=FAILED -o tests-errors.json
[2020-09-24T09:48:44.495Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-21213/runs/3/log/ -o pipeline-log.txt

@jsoriano jsoriano force-pushed the elastic-agent-docker-root-user branch from 2dd6988 to 2214889 Compare September 22, 2020 13:28
@jsoriano jsoriano marked this pull request as ready for review September 22, 2020 13:37
@elasticmachine
Copy link
Collaborator

Pinging @elastic/ingest-management (Team:Ingest Management)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@michalpristas
Copy link
Contributor

@blakerouse is this ok from endpoint perspective?

@jsoriano
Copy link
Member Author

jsoriano commented Sep 22, 2020

@michalpristas take into account that after this change is still possible to use --user 0, --privileged and similar configurations. It is only not made by default now, what is forbidden in some certification processes. With the changes in this PR, the default configuration included in the image works (at least it starts Metricbeat and Filebeat).

When running Endpoint (or Packetbeat, Auditbeat, or some features in other beats), if more privileges are required, these privileges have to be provided on runtime. This already happens now, running a container as root doesn't guarantee full privileges.

@jsoriano
Copy link
Member Author

/package

@blakerouse
Copy link
Contributor

@michalpristas It is not possible to run Endpoint in a container at the moment, so this will change will not affect Endpoint when it comes to Agent inside of a container.

@jsoriano
Copy link
Member Author

Failing tests are flaky ones, packaging failure seems to be unrelated to this change as also affects other PRs.

@jsoriano jsoriano added :Packaging needs_backport PR is waiting to be backported to other branches. v7.10.0 labels Sep 23, 2020
@jsoriano
Copy link
Member Author

/package

@jsoriano
Copy link
Member Author

Packaging builds passing, other failures are flaky tests.

@jsoriano jsoriano merged commit a9db1b1 into elastic:master Sep 24, 2020
@jsoriano jsoriano deleted the elastic-agent-docker-root-user branch September 24, 2020 11:50
jsoriano added a commit to jsoriano/beats that referenced this pull request Sep 24, 2020
Stop running Elastic Agent as root by default on docker image.
When root user or other privileges are required, they will need to
be explicitly configured at run time. This already happens now,
except for the root user.
Provided Kubernetes manifests already use security context to
run as user 0.

(cherry picked from commit a9db1b1)
@jsoriano jsoriano removed the needs_backport PR is waiting to be backported to other branches. label Sep 24, 2020
v1v added a commit to v1v/beats that referenced this pull request Sep 24, 2020
…ne-2.0

* upstream/master: (33 commits)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
  Add recursive split to httpjson (elastic#21214)
  [DOCS] Add beat specific start widgets (elastic#21217)
  Fix timestamp handling in remote_write (elastic#21166)
  Fix aws, azure and googlecloud compute dashboards (elastic#21098)
  Add acceptable event log keys to winlog (elastic#21205)
  Add elastic-agent to gitignore (elastic#21219)
  Add cloudfoundry tags to events (elastic#21177)
  [Ingest Manager] Agent includes pgp file (elastic#19480)
  Add compatibility note about ingress-controller-v0.34.1 (elastic#21209)
  [Ingest Manager] Support for UPGRADE_ACTION (elastic#21002)
  ...
v1v added a commit to v1v/beats that referenced this pull request Sep 24, 2020
…ne-2.0-arm

* upstream/master:
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
v1v added a commit to v1v/beats that referenced this pull request Sep 24, 2020
…-refactor

* upstream/master:
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
v1v added a commit to v1v/beats that referenced this pull request Sep 28, 2020
* upstream/master: (417 commits)
  libbeat/cmd/instance: report cgroup stats (elastic#21113)
  Configurable index template loading (elastic#21212)
  [Ingest Manager] Thread safe sorted set (elastic#21290)
  Change mirror of kafka download (elastic#19645)
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
  Add recursive split to httpjson (elastic#21214)
  [DOCS] Add beat specific start widgets (elastic#21217)
  Fix timestamp handling in remote_write (elastic#21166)
  Fix aws, azure and googlecloud compute dashboards (elastic#21098)
  ...
v1v added a commit to v1v/beats that referenced this pull request Sep 28, 2020
* upstream/master: (399 commits)
  libbeat/cmd/instance: report cgroup stats (elastic#21113)
  Configurable index template loading (elastic#21212)
  [Ingest Manager] Thread safe sorted set (elastic#21290)
  Change mirror of kafka download (elastic#19645)
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
  Add recursive split to httpjson (elastic#21214)
  [DOCS] Add beat specific start widgets (elastic#21217)
  Fix timestamp handling in remote_write (elastic#21166)
  Fix aws, azure and googlecloud compute dashboards (elastic#21098)
  ...
v1v added a commit to v1v/beats that referenced this pull request Sep 28, 2020
* upstream/master: (60 commits)
  libbeat/cmd/instance: report cgroup stats (elastic#21113)
  Configurable index template loading (elastic#21212)
  [Ingest Manager] Thread safe sorted set (elastic#21290)
  Change mirror of kafka download (elastic#19645)
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
  Add recursive split to httpjson (elastic#21214)
  [DOCS] Add beat specific start widgets (elastic#21217)
  Fix timestamp handling in remote_write (elastic#21166)
  Fix aws, azure and googlecloud compute dashboards (elastic#21098)
  ...
jsoriano added a commit that referenced this pull request Sep 28, 2020
Stop running Elastic Agent as root by default on docker image.
When root user or other privileges are required, they will need to
be explicitly configured at run time. This already happens now,
except for the root user.
Provided Kubernetes manifests already use security context to
run as user 0.

(cherry picked from commit a9db1b1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
:Packaging Team:Platforms Label for the Integrations - Platforms team v7.10.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants