Elastic Agent/Beats macOS ARM support strategy

[ph]

Apple is transitioning from x86_64 to ARM64. They say possibly by the end of 2020. This shouldn't impact Agent/Beats/Endpoint very much because ARM64 macs will be able to run x86_64 binaries. Moreover, macOS will support "fat" binaries that contain x86_64 and ARM64 code inside them.

For beats we need to investigate:

• Fat binaries vs release specific artifacts.
• Golang support for macOS arm.
• Required build changes.
• Required CI changes
• Evaluate impacts on libraries that we depend.
• Evaluate impacts on engineering
• Testing
• What happen with Code signing?

[elasticmachine]

Pinging @elastic/integrations-platforms (Team:Platforms)

[elasticmachine]

Pinging @elastic/ingest-management (Team:Ingest Management)

[ph]

@andresrc @urso We will need to find an owner for this.

[ph]

@michalpristas is evaluating the emulation layer for the Elastic Agent.

[michalpristas]

seems like emulation layer works ok for agent, agent installs ok and is capable of running and handling beats and endpoint.

what we need to look at is detection that we're running on macos ARM as agent logic is based on compile time variables and agent thinks it's running regular darwin. dashboards looks ok, cpu memory... populated.

running agent on m1 results in Unhealthy deployment on fleet as endpoint (at the time of testin) is failing on applying configuration and reports Degraded state back.

in progress of trying this out with universal binary of endpoint.

[michalpristas]

talked to @ferullo about experienced behavior of Agent/Endpoint on M1 seems like everything is ok and for our purposes of install/uninstall it works. will retry experiment once properly signed endpoint is available with universal binary

[andresrc]

thanks!

[ph]

@michalpristas Great news. In our discussion and comment you mentioned a few things that will need modifications. Can you create issues for them?

[urso]

In case any of these might become interesting:

• Detect ARM/Rosetta2 via Go
• Build Go Universal Binary

[andresrc]

Related:

• https://github.com/elastic/gosigar/pull/152
• https://github.com/elastic/go-sysinfo/pull/91

Have we picked those changes in beats yet? Do we need for tests / expect more changes (besides those related to building / packaging)?

[andresrc]

/cc @fearful-symmetry

[fearful-symmetry]

@andresrc I'm going to have a PR in today to actually pick those changes up in beats. I've been testing metricbeat and go 1.16 beta, and with the new libraries, I haven't run into any issues. One thing I haven't looked into is universal binaries

[ph]

@michalpristas Have you followed "will retry experiment once properly signed endpoint is available with universal binary"

[EricDavisX]

Where are we with this, can we collect a list of [ ] tasks to track? I had understood it was out of scope for Agent for 7.12 and just wanted to double check. I'd like to add a 7.13 label, if so. @ph @michalpristas

[EricDavisX]

I have verified the signed BC4 Agent / Endpoint works seemingly well on the Mac Mini ARM M1 host PH offered. I verified:

• setup a policy with various integrations Windows / Linux / System / Fleet-server / Endpoint and monitor logs / errors
• all data_streams expected seemed to be coming in.
• spot check on a few docs to look at data
• remove Endpoint from policy, add Endpoint back into policy - still works
• restart the host and validate Agent comes back online

I did not cover stand-alone Metricbeat or Filebeat, note.

I'll track issues logged in a separate post.

[EricDavisX]

So I'm not sure what else we need to do to close this out? Are we done? @michalpristas

[mostlyjason]

@bradenlpreston it looks like we made some great progress and Eric has tested M1 support and it works with Endpoint. Would you consider either of those blockers to calling it supported? https://github.com/elastic/endpoint-dev/issues/8644 https://github.com/elastic/beats/issues/24610. The Docker one needs to be fixed, but I imagine running it on laptops is the main goal?

@EricDavisX did you also test the system package?

What else is needed to call this done?

[ferullo]

elastic/endpoint-dev#8644 should have been closed. I just did that.

[EricDavisX]

Yes, @mostlyjason we tested System Integration, it worked in our test.

I just realized Beats team does not have CI coverage for macOS workers for Agent yet - that is a best practice, but we can take the calculated risk and cite this as done still. That is a group decision I suppose? I have linked that ticket to this.

[mostlyjason]

@ph it sounds like this is done and passing manual tests. Do you feel CI coverage is requirement? If not, could this be a beta release for 7.13?

I just checked with Braden and he is ok releasing it without docker support since endpoint security for laptops is the main business driver. Could we document that on our limitations page and schedule a fix for the next release?

[elasticmachine]

Pinging @elastic/agent (Team:Agent)