
Enroll command doesn't support --unprivileged flag for deb and rpm agents. #4125

amolnater-qasource opened this issue Jan 24, 2024 · 12 comments
Labels
bug Something isn't working impact:high Short-term priority; add to current release, or definitely next. Team:Docs Label for the Observability docs team Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team


amolnater-qasource commented Jan 24, 2024

Kibana Build details:

VERSION: 8.13.0-SNAPSHOT
BUILD: 70749
COMMIT: a0f4897f7c04069faf2a86dbda1dabea78c161c1
Artifact Link: https://snapshots.elastic.co/8.13.0-l534sdis/downloads/beats/elastic-agent/elastic-agent-8.13.0-SNAPSHOT-x86_64.rpm
https://snapshots.elastic.co/8.13.0-l534sdis/downloads/beats/elastic-agent/elastic-agent-8.13.0-SNAPSHOT-amd64.deb

Host OS: Linux- SLES15, Ubuntu 22

Preconditions:

  1. 8.13.0 Snapshot should be available.

Steps to reproduce:

  1. Download and extract rpm/deb artifacts.
  2. Run below command:
    sudo ./elastic-agent enroll --url=<url> --enrollment-token=<token> --unprivileged
  3. Observe unprivileged flag not supported by enroll command error.


Expected Result:
User should be able to enroll agents using --unprivileged flag.

Feature:
https://github.com/elastic/ingest-dev/issues/1766

Definition of done:
Taken from #4125 (comment):

@amolnater-qasource amolnater-qasource added bug Something isn't working Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team impact:high Short-term priority; add to current release, or definitely next. labels Jan 24, 2024
@elasticmachine
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@amolnater-qasource
Author

@manishgupta-qasource Please review.

@manishgupta-qasource

Secondary review for this ticket is Done

@blakerouse
Contributor

I don't understand the ask here. --unprivileged is an installation option, not an enroll time option. The DEB installs the Elastic Agent as root, I don't believe it should be something the Elastic Agent can just change at enroll time. That doesn't really fit how DEB/RPMs work.

I know there was discussion about adding the ability to switch from privileged mode to unprivileged mode and back again with another command, that should be what is used here for this, not during enroll time. enroll means the Elastic Agent is already installed, that decision has been made.

@pierrehilbert
Contributor

Thanks @blakerouse for your inputs.
@nimarezainia From a product perspective, is this flow okay for you?

@nimarezainia
Contributor

I agree that the flag need not be available on the enroll. (Apologies @amolnater-qasource, I didn't fully understand your original question which prompted this issue.)

@blakerouse RPMs always will need root priv to install - I don't think there's an exception to this. However here the application that it installs needs to run without root priv. But I suspect that there's no way for us to pass this flag to RPM/DEB for the installation phase of the agent (I don't even think such a thing exists).

If we can't pass a flag to the installation phase of the agent, then the only option is to allow for the conversion to happen after install. That issue we had deprioritized for now.

@pierrehilbert from a product perspective I see it simply as the same use case (as in the user needs the application to be running without root privileges). They're using a tool to install the agents.
We have a healthy set of users using RPM/DEB images we have, I suspect that a good percentage of them would be wanting to install without the agent needing root priv.

@ycombinator
Contributor

Chatted with @blakerouse today. Summarizing:

@kilfoyle
Contributor

kilfoyle commented May 27, 2024

@ycombinator, @nimarezainia It's just an early draft, but I'm gathering the "unprivileged" docs together in this PR.

@blakerouse whenever you have them, if you'd like to just let me know the how-to steps I can look after adding them into the docs:

@kaanyalti I think the "pre-requisites and gotchas" could go in tables like these, but we can update the format once the list becomes more clear.

@ycombinator
Contributor

Reading through the steps mentioned in #4125 (comment) needed to close this issue:

> create a document somewhere under https://www.elastic.co/guide/en/fleet/current/index.html that introduces users to unprivileged mode: what it is, why/when it's useful, how to use it, and how to change between modes after Agent is installed.
> This document can also then be used to document any #4705. cc: @kilfoyle @kaanyalti

This is something @kilfoyle already took care of in elastic/ingest-docs#1087.

> link to this document from the "DEB" and "RPM" tabs in https://www.elastic.co/guide/en/fleet/current/install-standalone-elastic-agent.html

@kilfoyle would you mind taking care of this part as well, since it's docs-related, either as part of elastic/ingest-docs#1087 or in a follow up PR?

@ycombinator ycombinator assigned kilfoyle and unassigned blakerouse Jun 26, 2024
@ycombinator ycombinator added the Team:Docs Label for the Observability docs team label Jun 26, 2024
@elasticmachine
Contributor

Pinging @elastic/ingest-docs (Team:Docs)

@kilfoyle
Contributor

kilfoyle commented Jun 27, 2024

> @kilfoyle would you mind taking care of this part as well, since it's docs-related, either as part of elastic/ingest-docs#1087 or in a follow up PR?

@ycombinator Sure thing. Here's a docs PR: elastic/ingest-docs#1144

@blakerouse
Contributor

I think there is one thing we need to validate, and that is that an upgrade of the RPM/DEB doesn't revert some of the paths from unprivileged back to a privileged Elastic Agent. Once an Elastic Agent is switched it should remain that way even if upgraded from RPM/DEB.

That will be on me to check.
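
One way to run the validation described in the comment above, as an added example that is not code from this thread or from the Elastic Agent project: snapshot the owner of every path under the agent's directories before the package upgrade, snapshot again afterwards, and list paths that went from a non-root owner back to root. The function names and the directory argument are hypothetical, and GNU find is assumed.

```shell
#!/bin/sh
# Added example: detect paths whose ownership reverted to root across a
# DEB/RPM upgrade. Function names are hypothetical; pass the directories
# your package actually installs to (none are given in this thread).

TAB=$(printf '\t')

# snapshot_owners DIR...
# Print one line per path: "uid:gid:mode<TAB>path", sorted by path.
# -xdev keeps the walk on one filesystem; requires GNU find for -printf.
snapshot_owners() {
    find "$@" -xdev -printf '%U:%G:%m\t%p\n' | sort -t "$TAB" -k2
}

# ownership_regressions BEFORE AFTER
# Print every path that existed in BEFORE with a non-root owner and is
# owned by uid 0 in AFTER. Paths that are new in AFTER are not reported,
# and an empty BEFORE file yields no output.
ownership_regressions() {
    awk -F '\t' '
        FILENAME == ARGV[1] {
            split($1, owner, ":")
            before[$2] = owner[1]
            next
        }
        ($2 in before) {
            split($1, owner, ":")
            if (before[$2] + 0 != 0 && owner[1] + 0 == 0)
                print $2
        }
    ' "$1" "$2"
}

# Typical use (run as root so every path is readable):
#   snapshot_owners <agent-dirs> > /root/owners.before
#   ... upgrade the package with dpkg/rpm ...
#   snapshot_owners <agent-dirs> > /root/owners.after
#   ownership_regressions /root/owners.before /root/owners.after
# Any output is a path the upgrade handed back to root.
```

The snapshot lines also carry group and mode, so a plain `diff` of the two snapshot files shows permission changes that the uid-only comparison does not flag.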
