elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Actionable error message when attempting to `enroll` an unprivileged Agent as a privileged user #4889

Open kaanyalti opened 1 month ago

kaanyalti commented 1 month ago

Version: 8.14.0
Operating System: Ubuntu 24.04 LTS
Platform: arm64

While working on this issue comparing root and unprivileged elastic agents, I encountered an error with the enroll command when using unprivileged agent.

Steps to Reproduce:

  1. Deploy ESS v8.14.0
  2. Create agent policy with system integration
  3. Install a Fleet-managed agent with the unprivileged flag: `sudo ./elastic-agent install --unprivileged --url=<fleet url> --enrollment-token=<token>`
  4. Unenroll the agent
  5. Enroll the agent: `sudo elastic-agent enroll --url=<fleet url> --enrollment-token=<token>`
  6. Agent enrollment gets confirmed, but incoming data does not get confirmed
  7. Agent status in the Fleet UI is stuck in "updating"
  8. Running `sudo elastic-agent status` we get the following error:

```
Error: failed to communicate with Elastic Agent daemon: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial unix /opt/Elastic/Agent/elastic-agent.sock: connect: connection refused"
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.14/fleet-troubleshooting.html
```

Definition of Done

Based on discussion in the comments:

kaanyalti commented 1 month ago

cc: @ycombinator @cmacknz

elasticmachine commented 1 month ago

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

blakerouse commented 1 month ago

If you installed the Elastic Agent with `--unprivileged` then running `sudo elastic-agent enroll` should fail as you are seeing. `sudo` is trying to run the command as root, but your Elastic Agent is not running as root.

You have a few options to make this work:

  1. `sudo -u elastic-agent-user elastic-agent enroll ...`
  2. Add your user to the `elastic-agent` group, create a new shell or use `newgrp` to ensure that the system knows that your user is now in that group. Then you can just call `elastic-agent enroll`.

cmacknz commented 1 month ago
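The identity check behind that advice, written out as an added example (this is not Elastic Agent code and not from anyone in the thread; the function name, its arguments and the sample inputs are constructed). It models the three outcomes the thread describes: the caller runs as the daemon's own account, the caller is a member of the agent's group, or the caller is root or some other account and the control socket is out of reach, in which case the function prints the two remedies blakerouse lists instead of the bare `connection refused`.

```shell
# Added example, not Elastic Agent code. Pre-flight identity check for
# `elastic-agent enroll`: decides whether the calling user can reach the
# daemon's control socket and, if not, prints an actionable hint.
#
# enroll_identity_hint AGENT_USER AGENT_GROUP CALLER_USER "CALLER_GROUPS"
#   AGENT_USER / AGENT_GROUP : account the installed agent runs as
#                              (the thread names elastic-agent-user and
#                              elastic-agent for --unprivileged installs)
#   CALLER_USER              : user about to run `elastic-agent enroll`
#   CALLER_GROUPS            : space-separated groups of that user
# Returns 0 when the caller can talk to the daemon, 1 otherwise.
enroll_identity_hint() {
    agent_user=$1; agent_group=$2; caller_user=$3; caller_groups=$4

    # Same account as the daemon: the control socket is reachable.
    if [ "$caller_user" = "$agent_user" ]; then
        return 0
    fi

    # Privileged install (daemon runs as root): only root may enroll.
    if [ "$agent_user" = "root" ]; then
        echo "error: Elastic Agent is installed as root; re-run the command with sudo." >&2
        return 1
    fi

    # Unprivileged install: membership in the agent's group also works.
    for g in $caller_groups; do
        if [ "$g" = "$agent_group" ]; then
            return 0
        fi
    done

    # The case from this issue: root (via sudo) or another user trying to
    # enroll an agent that runs as a dedicated unprivileged account.
    echo "error: Elastic Agent is installed unprivileged and runs as '$agent_user';" >&2
    echo "       'elastic-agent enroll' run as '$caller_user' cannot reach its control socket." >&2
    echo "       Either run:  sudo -u $agent_user elastic-agent enroll ..." >&2
    echo "       or add '$caller_user' to the '$agent_group' group and open a new shell (or use newgrp)." >&2
    return 1
}

# Live wrapper for a host (constructed; assumes the default account names above):
live_enroll_check() {
    enroll_identity_hint elastic-agent-user elastic-agent "$(id -un)" "$(id -Gn)"
}
```

Running `sudo sh -c 'live_enroll_check'` on an unprivileged install reproduces the situation in the issue: `id -un` is `root`, which is neither the agent user nor in its group, so the hint is printed and the function returns 1 before any socket is dialed.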

When we are unprivileged, can we put that suggestion directly in the error here? I don't think this is the last time we'll see this problem from users otherwise.

blakerouse commented 1 month ago

Updating the error message to have a standard message about permissions would be helpful. Pointing to documentation with more information on permissions in this mode would also be helpful.

pierrehilbert commented 1 month ago

I have the same feeling as @cmacknz here. In the same way that we have a warning message when we are not using sudo in privileged mode, we should have a warning message when we are using sudo in unprivileged mode. And of course, we should make it obvious in the unprivileged doc.

ycombinator commented 1 month ago

I updated the title of this issue and added a Definition of Done to reflect the discussion about improving the error message. As for documentation, I've brought that to @kilfoyle's attention via https://github.com/elastic/ingest-docs/pull/1087#issuecomment-2159456944.