elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Allow mounting named volumes to the container state path #2435

Open cmacknz opened 1 year ago

cmacknz commented 1 year ago

Follow up from https://github.com/elastic/elastic-agent/pull/1727 where the initial change had an issue and had to be reverted. The request is valid and this should work.

Request

Allow the state directory to be mounted from a named volume.

Currently Docker creates the directory with owner root:root (✅) and permissions 0640 (group read-only ❌) while mounting the volume, which prevents the default elastic-agent:root user/group from writing inside of it.

This approach is also used in the container image for Elasticsearch to permit writes to the data/ directory.

How to test this

  1. Create a named volume:

    $ docker volume create fleet-state
    fleet-state

  2. Run the elastic-agent image and mount the volume at the location of the state directory. Observe that it fails because the elastic-agent user doesn't have permissions to write in this directory:

    $ docker container run --rm -v fleet-state:/usr/share/elastic-agent/state docker.elastic.co/beats/elastic-agent:8.5.0
    Error: preparing STATE_PATH(/usr/share/elastic-agent/state) failed: mkdir /usr/share/elastic-agent/state/data: permission denied

  3. Build the image with the change from this PR, then run the agent like above, this time with the new image. Observe that the agent starts and populates the state directory:

    $ docker container run --rm -v fleet-state:/usr/share/elastic-agent/state newimage:latest
    (it works)
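
Why the `mkdir` in step 2 is denied, as an added example that is not part of the issue or the project's code: the function below evaluates the POSIX permission class that applies to a process and whether it grants the write and search bits needed to create an entry in a directory. The function names, the uid 1000 standing in for the elastic-agent user, and the contrast mode 770 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Classic owner/group/other bits only: no ACLs, no user
# namespaces, no capability handling beyond uid 0.

# can_mkdir OWNER_UID OWNER_GID MODE UID GID...
# Succeeds when a process with UID and the listed GIDs may create entries in
# a directory, which needs both write (2) and search (1) permission on it.
can_mkdir() {
    owner_uid=$1 owner_gid=$2 mode=$3 uid=$4
    shift 4
    # uid 0 normally passes regardless of mode (CAP_DAC_OVERRIDE).
    [ "$uid" -eq 0 ] && return 0
    bits=$((0$mode))                  # leading 0: parse the mode as octal
    if [ "$uid" -eq "$owner_uid" ]; then
        class=$(( (bits >> 6) & 7 )) # owner bits apply, even if group is wider
    else
        class=$(( bits & 7 ))        # "other" unless a group matches
        for g in "$@"; do
            if [ "$g" -eq "$owner_gid" ]; then
                class=$(( (bits >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( class & 3 )) -eq 3 ]
}

# check_state_path DIR UID GID...
# Same check against a real directory such as the mounted state path.
# Assumes GNU stat (-c); returns 2 if the directory cannot be inspected.
check_state_path() {
    dir=$1
    shift
    info=$(stat -c '%u %g %a' "$dir") || return 2
    # shellcheck disable=SC2086  # word splitting of $info is intended
    set -- $info "$@"
    can_mkdir "$@"
}

# Constructed inputs: uid 1000 stands in for the elastic-agent user (assumed),
# gid 0 is root. 640 is the mode reported in the issue; 770 is a contrast value.
for m in 640 770; do
    if can_mkdir 0 0 "$m" 1000 0; then r=allowed; else r=denied; fi
    echo "root:root $m, uid 1000 gid 0: mkdir $r"
done
```

Inside a container, `check_state_path /usr/share/elastic-agent/state "$(id -u)" $(id -G)` applies the same check to the mounted volume before the agent starts.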

mmahacek commented 4 months ago

Any update on this? This is still an issue with 8.13.x