From 41450fcef0998addd123dbc9a13d0f9941c4e5ec Mon Sep 17 00:00:00 2001 From: Andrew Cholakian Date: Wed, 18 Dec 2019 13:00:06 -0600 Subject: [PATCH 1/6] [Heartbeat] Add docs for rootless pings We missed adding these docs in https://github.com/elastic/beats/pull/13795 --- heartbeat/docs/heartbeat-options.asciidoc | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc index 3aa6356e45bd..4e0f1412f8d1 100644 --- a/heartbeat/docs/heartbeat-options.asciidoc +++ b/heartbeat/docs/heartbeat-options.asciidoc @@ -87,7 +87,7 @@ options that are specific to that monitor type. The type of monitor to run. One of: * `icmp`: Uses an ICMP (v4 and v6) Echo Request to ping the configured hosts. -Requires root access. See <>. +Requires special permissions or root access. See <>. * `tcp`: Connects via TCP and optionally verifies the endpoint by sending and/or receiving a custom payload. See <>. * `http`: Connects via HTTP and optionally verifies that the host returns the @@ -231,7 +231,15 @@ the output document. By default, `keep_null` is set to `false`. These options configure {beatname_uc} to use ICMP (v4 and v6) Echo Requests to check the configured hosts. These options are valid when the <> is -`icmp`. +`icmp`. Please not that on most platforms one must execute Heartbeat with elevated permissions +to perform ICMP pings. + +On Linux regular users may perform pings if the right file capabilities are set. You can run +`sudo setcap cap_net_raw+eip /path/to/heartbeat` to grant {beatname_uc} ping capabilities on Linux. +Alternatively, one may grant ping permissions the user {beatname_uc} runs as. To grant ping permissions +in this way run `sudo sysctl -w net.ipv4.ping_group_range='myuserid myuserid'`. + +On other platforms running {beatname_uc} as root or administrator may be required to execute pings. [float] [[monitor-icmp-hosts]] 
From 5f7d3313004d9a5df9473cc8391454dbb54a2a6b Mon Sep 17 00:00:00 2001 From: Andrew Cholakian Date: Wed, 18 Dec 2019 20:07:04 -0600 Subject: [PATCH 2/6] Update heartbeat/docs/heartbeat-options.asciidoc Co-Authored-By: Brandon Morelli --- heartbeat/docs/heartbeat-options.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc index 4e0f1412f8d1..2570fe657359 100644 --- a/heartbeat/docs/heartbeat-options.asciidoc +++ b/heartbeat/docs/heartbeat-options.asciidoc @@ -231,7 +231,7 @@ the output document. By default, `keep_null` is set to `false`. These options configure {beatname_uc} to use ICMP (v4 and v6) Echo Requests to check the configured hosts. These options are valid when the <> is -`icmp`. Please not that on most platforms one must execute Heartbeat with elevated permissions +`icmp`. Please note that on most platforms you must execute Heartbeat with elevated permissions to perform ICMP pings. On Linux regular users may perform pings if the right file capabilities are set. You can run @@ -706,4 +706,3 @@ restarts it with a schedule of 15 seconds between checks. <2> {beatname_uc} starts a new monitor that uses a TLS-based connection with a custom CA certificate. - From 1b951e8a42da1a98dcb2ff143c6c99cf968b35ac Mon Sep 17 00:00:00 2001 From: Andrew Cholakian Date: Wed, 18 Dec 2019 20:07:16 -0600 Subject: [PATCH 3/6] Update heartbeat/docs/heartbeat-options.asciidoc Co-Authored-By: Brandon Morelli --- heartbeat/docs/heartbeat-options.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc index 2570fe657359..8a77dbfd33d5 100644 --- a/heartbeat/docs/heartbeat-options.asciidoc +++ b/heartbeat/docs/heartbeat-options.asciidoc 
@@ -237,7 +237,7 @@ to perform ICMP pings. On Linux regular users may perform pings if the right file capabilities are set. You can run `sudo setcap cap_net_raw+eip /path/to/heartbeat` to grant {beatname_uc} ping capabilities on Linux. Alternatively, one may grant ping permissions the user {beatname_uc} runs as. To grant ping permissions -in this way run `sudo sysctl -w net.ipv4.ping_group_range='myuserid myuserid'`. +in this way, run `sudo sysctl -w net.ipv4.ping_group_range='myuserid myuserid'`. On other platforms running {beatname_uc} as root or administrator may be required to execute pings. @@ -705,4 +705,3 @@ the following JSON objects in `dynamic.json`: restarts it with a schedule of 15 seconds between checks. <2> {beatname_uc} starts a new monitor that uses a TLS-based connection with a custom CA certificate. - From 2e5bd8d38dbffe1b66b50d2f26d76246344bb122 Mon Sep 17 00:00:00 2001 From: Andrew Cholakian Date: Wed, 18 Dec 2019 20:07:24 -0600 Subject: [PATCH 4/6] Update heartbeat/docs/heartbeat-options.asciidoc Co-Authored-By: Brandon Morelli --- heartbeat/docs/heartbeat-options.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc index 8a77dbfd33d5..011bd6cad483 100644 --- a/heartbeat/docs/heartbeat-options.asciidoc +++ b/heartbeat/docs/heartbeat-options.asciidoc @@ -239,7 +239,7 @@ On Linux regular users may perform pings if the right file capabilities are set. Alternatively, one may grant ping permissions the user {beatname_uc} runs as. To grant ping permissions in this way, run `sudo sysctl -w net.ipv4.ping_group_range='myuserid myuserid'`. -On other platforms running {beatname_uc} as root or administrator may be required to execute pings. +Other platforms may require {beatname_uc} to run as root or administrator to execute pings. [float] [[monitor-icmp-hosts]] From 8a6375482634527ded8c5018d44538d2ebbfe7a4 Mon Sep 17 00:00:00 2001 
From: Andrew Cholakian Date: Wed, 18 Dec 2019 20:07:41 -0600 Subject: [PATCH 5/6] Update heartbeat/docs/heartbeat-options.asciidoc Co-Authored-By: Brandon Morelli --- heartbeat/docs/heartbeat-options.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc index 011bd6cad483..86a77cc0ba87 100644 --- a/heartbeat/docs/heartbeat-options.asciidoc +++ b/heartbeat/docs/heartbeat-options.asciidoc @@ -234,7 +234,7 @@ the configured hosts. These options are valid when the <> i `icmp`. Please note that on most platforms you must execute Heartbeat with elevated permissions to perform ICMP pings. -On Linux regular users may perform pings if the right file capabilities are set. You can run +On Linux, regular users may perform pings if the right file capabilities are set. Run `sudo setcap cap_net_raw+eip /path/to/heartbeat` to grant {beatname_uc} ping capabilities on Linux. Alternatively, one may grant ping permissions the user {beatname_uc} runs as. To grant ping permissions in this way, run `sudo sysctl -w net.ipv4.ping_group_range='myuserid myuserid'`. From f5383f9226611548c513eb74ed46938a58143e36 Mon Sep 17 00:00:00 2001 From: Andrew Cholakian Date: Wed, 18 Dec 2019 20:07:54 -0600 Subject: [PATCH 6/6] Apply suggestions from code review Co-Authored-By: Brandon Morelli --- heartbeat/docs/heartbeat-options.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc index 86a77cc0ba87..f72e631781d2 100644 --- a/heartbeat/docs/heartbeat-options.asciidoc +++ b/heartbeat/docs/heartbeat-options.asciidoc 
@@ -236,7 +236,7 @@ to perform ICMP pings. On Linux, regular users may perform pings if the right file capabilities are set. Run `sudo setcap cap_net_raw+eip /path/to/heartbeat` to grant {beatname_uc} ping capabilities on Linux. -Alternatively, one may grant ping permissions the user {beatname_uc} runs as. To grant ping permissions +Alternatively, one may grant ping permissions to the user {beatname_uc} runs as. To grant ping permissions in this way, run `sudo sysctl -w net.ipv4.ping_group_range='myuserid myuserid'`. Other platforms may require {beatname_uc} to run as root or administrator to execute pings.
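Review bot: In PATCH 1/6, hunk `@@ -231,7 +231,15 @@`, the `sudo setcap cap_net_raw+eip /path/to/heartbeat` line grants more than the phrase "ping capabilities" suggests, and the text omits an operational caveat. `CAP_NET_RAW` lets the process open any raw or packet socket, not only send ICMP echo requests, so the doc should say so. The `i` (inheritable) flag is not needed for the binary to use the capability itself; consider documenting `cap_net_raw+ep` instead. File capabilities are stored on the file, so add a sentence that `setcap` has to be run again whenever the binary is replaced, for example by a package upgrade.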
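Review bot: In PATCH 2/6, hunk `@@ -231,7 +231,7 @@`, the reworded sentence still hard-codes the product name ("you must execute Heartbeat with elevated permissions") while every other sentence in the added section uses the `{beatname_uc}` attribute. Switch this occurrence to `{beatname_uc}` so the text renders consistently.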
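Review bot: In PATCH 3/6, hunk `@@ -237,7 +237,7 @@`, the example `sudo sysctl -w net.ipv4.ping_group_range='myuserid myuserid'` is left misleading after the comma fix: this sysctl takes a range of group IDs, not user IDs. The placeholder should name the GID of a group the {beatname_uc} user belongs to, and the sentence before it should say the permission is granted to a group rather than to "the user {beatname_uc} runs as". The command also replaces whatever range is currently configured, and `sysctl -w` does not survive a reboot, so the doc should mention checking the existing value first and persisting the setting, for example in a file under `/etc/sysctl.d/`.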
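Review bot: In PATCH 6/6, hunk `@@ -236,7 +236,7 @@`, the corrected line keeps "one may grant ping permissions" although PATCH 2/6 moved the neighbouring paragraph from "one must" to "you must"; use "you can grant" so the section has one voice. The context lines above it also say "On Linux" twice in consecutive sentences ("On Linux, regular users may ..." and "... ping capabilities on Linux."), so the trailing "on Linux" can be dropped.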