elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Enroll command doesn't support `--unprivileged` flag for deb and rpm agents. #4125

Open amolnater-qasource opened 7 months ago

amolnater-qasource commented 7 months ago

Kibana Build details:

VERSION: 8.13.0-SNAPSHOT
BUILD: 70749
COMMIT: a0f4897f7c04069faf2a86dbda1dabea78c161c1
Artifact Link: https://snapshots.elastic.co/8.13.0-l534sdis/downloads/beats/elastic-agent/elastic-agent-8.13.0-SNAPSHOT-x86_64.rpm
https://snapshots.elastic.co/8.13.0-l534sdis/downloads/beats/elastic-agent/elastic-agent-8.13.0-SNAPSHOT-amd64.deb

Host OS: Linux- SLES15, Ubuntu 22

Preconditions:

  1. 8.13.0 Snapshot should be available.

Steps to reproduce:

  1. Download and extract rpm/deb artifacts.
  2. Run below command: `sudo ./elastic-agent enroll --url=<url> --enrollment-token=<token> --unprivileged`
  3. Observe unprivileged flag not supported by enroll command error.

Expected Result: User should be able to enroll agents using --unprivileged flag.

Feature: https://github.com/elastic/ingest-dev/issues/1766

Definition of done: Taken from https://github.com/elastic/elastic-agent/issues/4125#issuecomment-2125798370:

elasticmachine commented 7 months ago

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

amolnater-qasource commented 7 months ago

@manishgupta-qasource Please review.

manishgupta-qasource commented 7 months ago

Secondary review for this ticket is Done

blakerouse commented 7 months ago

I don't understand the ask here. `--unprivileged` is an installation option, not an enroll time option. The DEB installs the Elastic Agent as root, I don't believe it should be something the Elastic Agent can just change at enroll time. That doesn't really fit how DEB/RPMs work.

I know there was discussion about adding the ability to switch from privileged mode to unprivileged mode and back again with another command, that should be what is used here for this, not during enroll time. enroll means the Elastic Agent is already installed, that decision has been made.

pierrehilbert commented 7 months ago

Thanks @blakerouse for your inputs. @nimarezainia From a product perspective, is this flow okay for you?

nimarezainia commented 7 months ago

I agree that the flag need not be available on the enroll. (Apologies @amolnater-qasource, I didn't fully understand your original question which prompted this issue.)

@blakerouse RPMs always will need root priv to install - I don't think there's an exception to this. However here the application that it installs needs to run without root priv. But I suspect that there's no way for us to pass this flag to RPM/DEB for the installation phase of the agent (I don't even think such a thing exists).

If we can't pass a flag to the installation phase of the agent, then the only option is to allow for the conversion to happen after install. That issue we had deprioritized for now.

@pierrehilbert from a product perspective I see it simply as the same use case (as in the user needs the application to be running without root privileges). They're using a tool to install the agents. We have a healthy set of users using RPM/DEB images we have, I suspect that a good percentage of them would be wanting to install without the agent needing root priv.

ycombinator commented 3 months ago

Chatted with @blakerouse today. Summarizing:

kilfoyle commented 3 months ago

@ycombinator, @nimarezainia It's just an early draft, but I'm gathering the "unprivileged" docs together in this PR.

@blakerouse whenever you have them, if you'd like to just let me know the how-to steps I can look after adding them into the docs:

@kaanyalti I think the "pre-requisites and gotchas" could go in tables like these, but we can update the format once the list becomes more clear.

ycombinator commented 2 months ago

Reading through the steps mentioned in https://github.com/elastic/elastic-agent/issues/4125#issuecomment-2125798370 needed to close this issue:

> create a document somewhere under https://www.elastic.co/guide/en/fleet/current/index.html that introduces users to unprivileged mode: what it is, why/when it's useful, how to use it, and how to change between modes after Agent is installed. This document can also then be used to document any https://github.com/elastic/elastic-agent/issues/4705. cc: @kilfoyle @kaanyalti

This is something @kilfoyle already took care of in https://github.com/elastic/ingest-docs/pull/1087.

> link to this document from the "DEB" and "RPM" tabs in https://www.elastic.co/guide/en/fleet/current/install-standalone-elastic-agent.html

@kilfoyle would you mind taking care of this part as well, since it's docs-related, either as part of https://github.com/elastic/ingest-docs/pull/1087 or in a follow up PR?

elasticmachine commented 2 months ago

Pinging @elastic/ingest-docs (Team:Docs)

kilfoyle commented 2 months ago

> @kilfoyle would you mind taking care of this part as well, since it's docs-related, either as part of https://github.com/elastic/ingest-docs/pull/1087 or in a follow up PR?

@ycombinator Sure thing. Here's a docs PR: https://github.com/elastic/ingest-docs/pull/1144

blakerouse commented 2 months ago

I think there is one thing we need to validate, and that is that an upgrade of the RPM/DEB doesn't revert some of the paths from unprivileged back to a privileged Elastic Agent. Once an Elastic Agent is switched it should remain that way even if upgraded from RPM/DEB.

That will be on me to check.