Follow up from https://github.com/elastic/elastic-agent/pull/1727 where the initial change had an issue and had to be reverted. The request is valid and this should work.
Request
Allow the state directory to be mounted from a named volume.
Currently Docker creates the directory with owner root:root (✅) and permissions 0640 (group read-only ❌) while mounting the volume, which prevents the default elastic-agent:root user/group from writing inside of it.
This approach is also used in the container image for Elasticsearch to permit writes to the data/ directory.
How to test this
Create a named volume:
Run the elastic-agent image and mount the volume at the location of the state directory. Observe that it fails because the elastic-agent user doesn't have permissions to write in this directory:
Build the image with the change from this PR, then run the agent like above, this time with the new image. Observe that the agent starts and populates the state directory:
$ docker container run --rm -v fleet-state:/usr/share/elastic-agent/state newimage:latest
(it works)
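The permission mismatch described above, as an added example that is not part of the PR or the elastic-agent project: a POSIX shell pre-flight check that applies the owner/group/other mode bits to decide whether a given uid:gid can create files in a mounted directory. The uid 1000 and the 0775 mode are constructed values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the PR. Models the kernel's owner/group/other
# selection for one question: can uid:gid create files in a directory?
# Not modelled (assumptions): supplementary groups, ACLs, root's DAC override.

# can_write MODE OWNER_UID OWNER_GID UID GID  -> exit 0 if writable
can_write() {
    mode=$1; o_uid=$2; o_gid=$3; p_uid=$4; p_gid=$5
    # Exactly one permission class applies; the first match wins.
    if [ "$p_uid" -eq "$o_uid" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    elif [ "$p_gid" -eq "$o_gid" ]; then
        bits=$(( (0$mode >> 3) & 7 ))
    else
        bits=$(( 0$mode & 7 ))
    fi
    # Creating entries in a directory needs write (2) and search (1).
    [ $(( bits & 3 )) -eq 3 ]
}

# check_dir PATH UID GID -> inspect a real mount point (GNU/busybox stat -c)
check_dir() {
    info=$(stat -c '%a %u %g' "$1") || return 2
    want_uid=$2; want_gid=$3; path=$1
    set -- $info
    if can_write "$1" "$2" "$3" "$want_uid" "$want_gid"; then
        echo "ok:   $path mode=$1 owner=$2:$3 writable by $want_uid:$want_gid"
    else
        echo "deny: $path mode=$1 owner=$2:$3 not writable by $want_uid:$want_gid"
        return 1
    fi
}

# Constructed cases. 1000 stands in for the elastic-agent uid (assumption);
# gid 0 is the root group. 0775 is a constructed group-writable mode.
for m in 0640 0755 0775; do
    if can_write "$m" 0 0 1000 0; then r=writable; else r=denied; fi
    echo "root:root $m -> 1000:0 is $r"
done
```

Inside a container, `check_dir /usr/share/elastic-agent/state "$(id -u)" "$(id -g)"` reports the mount point's actual mode and ownership before the agent starts.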