[libbeat] APM Server does not start when running as an arbitrary user ID #28617

Closed
barkbay opened this issue Oct 25, 2021 · 4 comments
Labels
bug Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@barkbay

barkbay commented Oct 25, 2021

#28265 added a call to user.Current(). Unfortunately, user.Current() fails if the user UID does not exist in /etc/passwd, which is likely to be the case on K8S if the user sets an arbitrary UID in the securityContext.

A workaround can be to catch this specific error and fall back to os.Getuid() and os.Getgid():

		if u, err := user.Current(); err != nil {
			// UnknownUserIdError may happen if the user UID does not exist in /etc/passwd. It might be the case on K8S
			// if the user set securityContext.runAsUser to an arbitrary value.
			_, ok := err.(user.UnknownUserIdError)
			if !ok {
				return err
			}
			monitoring.NewString(registry, "uid").Set(strconv.Itoa(os.Getuid()))
			monitoring.NewString(registry, "gid").Set(strconv.Itoa(os.Getgid()))
		} else {
			monitoring.NewString(registry, "username").Set(u.Username)
			monitoring.NewString(registry, "uid").Set(u.Uid)
			monitoring.NewString(registry, "gid").Set(u.Gid)
		}

Happy to raise the relevant PR if you agree with this approach.


For confirmed bugs, please report:

Deploy an APM Server using ECK and the following manifest; APM Server fails with the message "user: unknown userid 12345":

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: es-apm-sample
spec:
  version: 7.16.0-SNAPSHOT
  nodeSets:
  - name: default
    count: 3
    config:
      node.store.allow_mmap: false
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kb-apm-sample
spec:
  version: 7.16.0-SNAPSHOT
  count: 1
  elasticsearchRef:
    name: "es-apm-sample"
---
apiVersion: apm.k8s.elastic.co/v1
kind: ApmServer
metadata:
  name: apm-apm-sample
spec:
  version: 7.16.0-SNAPSHOT
  count: 1
  elasticsearchRef:
    name: "es-apm-sample"
  kibanaRef:
    name: "kb-apm-sample"
  podTemplate:
    spec:
      securityContext:
        runAsUser: 12345
        runAsGroup: 12345
        fsGroup: 0
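
The fallback proposed in this issue, as an added standalone Go example (not code from the issue or from libbeat). Identity and resolveIdentity are hypothetical names, the lookup is injected so the unknown-UID path can be exercised without a container, and errors.As is used in place of the type assertion so a wrapped UnknownUserIdError is also matched.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/user"
	"strconv"
)

// Identity holds the fields the issue's snippet writes to the monitoring
// registry. Username stays empty when the UID has no passwd entry.
// (Hypothetical type, not part of libbeat.)
type Identity struct {
	Username, UID, GID string
}

// resolveIdentity calls lookup (user.Current in production) and falls back to
// the numeric IDs reported by the OS when the UID is unknown to the user
// database. Any other lookup error is returned to the caller.
func resolveIdentity(lookup func() (*user.User, error)) (Identity, error) {
	u, err := lookup()
	if err == nil {
		return Identity{Username: u.Username, UID: u.Uid, GID: u.Gid}, nil
	}
	// errors.As also matches an UnknownUserIdError wrapped with %w,
	// which a plain type assertion would miss.
	var unknown user.UnknownUserIdError
	if !errors.As(err, &unknown) {
		return Identity{}, err
	}
	return Identity{
		UID: strconv.Itoa(os.Getuid()),
		GID: strconv.Itoa(os.Getgid()),
	}, nil
}

func main() {
	id, err := resolveIdentity(user.Current)
	if err != nil {
		fmt.Fprintln(os.Stderr, "identity lookup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("username=%q uid=%s gid=%s\n", id.Username, id.UID, id.GID)
}
```
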
@elasticmachine

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@jlind23

jlind23 commented Oct 26, 2021

@michel-laterman would you mind taking care of it as you introduced the diagnostic command? Or if we agree with @barkbay would you review his PR?

@michel-laterman

@barkbay, thanks for catching this. Your idea for catching this seems fine, please create the PR.

@david-kow

Fixed by #28696, hence closing.
