From 44606e875cd6d7f6816321f139b2ce9101ef6e41 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Tue, 22 Sep 2020 12:15:30 +0200
Subject: [PATCH 1/2] Stop running agent container as root by default
---
 dev-tools/packaging/packages.yml | 2 +-
 .../templates/docker/Dockerfile.elastic-agent.tmpl | 8 +++++++-
 x-pack/elastic-agent/magefile.go | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
index 1cfd24021932..dbfbc9f4b7aa 100644
--- a/dev-tools/packaging/packages.yml
+++ b/dev-tools/packaging/packages.yml
@@ -340,7 +340,7 @@ shared:
 buildFrom: 'centos:7'
 dockerfile: 'Dockerfile.elastic-agent.tmpl'
 docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
- user: 'root'
+ user: '{{ .BeatName }}'
 linux_capabilities: ''
 files:
 'elastic-agent.yml':
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index 5e6c0fcd6cd5..7ab87f6f3ecc 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -12,6 +12,8 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
 chown -R root:root {{ $beatHome }} && \
 find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \
 find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \
+ find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
+ find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \
 rm {{ $beatBinary }} && \
 ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \
 chmod 0750 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \
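Review bot: `user: '{{ .BeatName }}'` changes the default container user without recording where that user's group membership is established; the Dockerfile in this same patch keeps `chown -R root:root` and relies purely on group mode bits (0770/0660 under data, 0770 on the home), so the templated user presumably has to be in the root group for the image to start at all. A one-line comment next to the key would make that cross-file contract visible to whoever edits either side: `# non-root by default; the Dockerfile grants this user's group write access to data/ and the home dir`. The unchanged `linux_capabilities: ''` is consistent with dropping root, since nothing is granted back to the process.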
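Review bot: The two added `find {{ $beatHome }}/data ... -exec chmod 0770` / `0660` lines make every directory and regular file under data group-writable, and the agent binary only ends up at 0750 because the later `chmod 0750 {{ $beatHome }}/data/elastic-agent-*/elastic-agent` context line runs after them; that ordering dependency is implicit and deserves a comment above the added lines, e.g. `# data/ must be group-writable so the agent can write state as non-root; the binary is narrowed back to 0750 below`. With the tree still owned `root:root`, group-writable state files mean any other process in that group inside the container could alter agent state, so if the runtime user is placed in group root (not visible here) it is worth confirming nothing else in the image shares it. On style, `-exec chmod 0770 {} \;` forks once per path; `-exec chmod 0770 {} +` batches the calls and reads the same. The enclosing RUN instruction starts before this hunk and continues past it.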
@@ -21,7 +23,7 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
 {{- range $i, $modulesd := .ModulesDirs }}
 chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \
 {{- end }}
- chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs
+ true
 FROM {{ .from }}
@@ -69,6 +71,10 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint
 COPY --from=home {{ $beatHome }} {{ $beatHome }}
+# Elastic Agent needs group permissions in the home itself to be able to
+# create fleet.yml when running as non-root.
+RUN chmod 0770 {{ $beatHome }}
+
 RUN mkdir /licenses
 COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
 COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go
index 499e1d251a22..931bbd9cf600 100644
--- a/x-pack/elastic-agent/magefile.go
+++ b/x-pack/elastic-agent/magefile.go
@@ -311,7 +311,7 @@ func requiredPackagesPresent(basePath, beat, version string, requiredPackages []
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
- return devtools.TestPackages(devtools.WithRootUserContainer())
+ return devtools.TestPackages()
 }
 // RunGo runs go command and output the feedback to the stdout and the stderr.
From 2214889ab381f0e2915d2879a61f5b1fc2a057ee Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Tue, 22 Sep 2020 15:27:17 +0200
Subject: [PATCH 2/2] Add changelog
---
 x-pack/elastic-agent/CHANGELOG.next.asciidoc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
index d9475d35be30..4178cfcbf625 100644
--- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc
+++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
@@ -7,6 +7,8 @@
 ==== Breaking changes
+- Docker container is not run as root by default. {pull}21213[21213]
+
 ==== Bugfixes
 ==== New features
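Review bot: The `+ true` that replaces the final `chmod 0770 .../data .../logs` is a no-op chain terminator and nothing in the hunk says so; a reader will ask why a RUN ends in `true`. Suggest a comment on the line before it, `# no-op terminator: the {{ range }} above always leaves a trailing "&& \"`, or restructure so the last real command closes the chain. The removed line's targets (data and the commit-specific logs directory) are now only covered by the `find {{ $beatHome }}/data -type d` pass earlier in this RUN, which is fine if the logs directory already exists at that point; the truncated `mkdir -p` in the hunk header suggests it does, but that is worth confirming. The enclosing RUN instruction starts before this hunk.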
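Review bot: `RUN chmod 0770 {{ $beatHome }}` makes the entire home directory group-writable for the sake of one file (fleet.yml), which is broader than the comment above it justifies: with the tree owned `root:root` from the earlier stage, any process in that group can then create, rename or remove entries directly in the agent home. If the runtime user has a dedicated group (not visible in this hunk), chowning the home to that group would scope the grant; otherwise the comment should state the model explicitly, e.g. `# the agent user shares the root group; 0770 (not 0777) keeps other users out while letting it create fleet.yml`. It is also worth checking whether `COPY --from=home` preserves the mode bits set in the first stage, since if it does not, the data/ modes set there would need the same treatment in this stage.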
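Review bot: `return devtools.TestPackages()` now checks the image against devtools' default user expectation, but the doc comment two lines above still describes the test only in terms of file modes, owners and groups, so a reader of this file cannot tell that the non-root default is part of what is asserted. Suggest `// TestPackages tests the generated packages (i.e. file modes, owners, groups); the Docker image is expected to run as a non-root user.` If devtools exposes an option to assert the expected user name explicitly, passing it would make the test fail loudly should packages.yml regress to root; I cannot see from this hunk whether such an option exists.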