From 5cd6efe7c2b69187012b7ecb027cbad2cc061224 Mon Sep 17 00:00:00 2001 From: Craig MacKenzie Date: Mon, 6 Nov 2023 20:25:00 -0500 Subject: [PATCH] Revert "[Fix] Agent incapable of running on Azure Container Instances (#3576) (#3614)" (#3712) This reverts commit 7eb6e4a84d7bed65536c9abf7fc30ddf5206787f. --- ...er-runs-on-Azure-Container-Instances-.yaml | 31 ------------------- .../docker/Dockerfile.elastic-agent.tmpl | 29 +++++++++-------- 2 files changed, 14 insertions(+), 46 deletions(-) delete mode 100644 changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml diff --git a/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml b/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml deleted file mode 100644 index df24e655971..00000000000 --- a/changelog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Kind can be one of: -# - breaking-change: a change to previously-documented behavior -# - deprecation: functionality that is being removed in a later release -# - bug-fix: fixes a problem in a previous version -# - enhancement: extends functionality but does not break or fix existing behavior -# - feature: new functionality -# - known-issue: problems that we are aware of in a given version -# - security: impacts on the security of a product or a user’s deployment. -# - upgrade: important information for someone upgrading from a prior version -# - other: does not fit into any of the other categories -kind: bug - -# Change summary; a 80ish characters long description of the change. -summary: Elastic-Agent container runs on Azure Container Instances - -# Long description; in case the summary is not enough to describe the change -# this field accommodate a description without length limits. -#description: - -# Affected component; a word indicating the component this changeset affects. -component: elastic-agent - -# PR number; optional; the PR number that added the changeset. -# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. -# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. -# Please provide it if you are adding a fragment for a different PR. -pr: 3576 - -# Issue number; optional; the GitHub issue related to this changeset (either closes or is part of). -# If not present is automatically filled by the tooling with the issue linked to the PR number. -issue: 82 diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index 314aa20d150..da49b14092b 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl @@ -9,6 +9,7 @@ FROM {{ .buildFrom }} AS home COPY beat {{ $beatHome }} RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \ + chown -R root:root {{ $beatHome }} && \ find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \ find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \ find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \ @@ -126,16 +127,25 @@ COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses COPY --from=home /opt /opt {{- end }} + +RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \ +{{- if .linux_capabilities }} +# Since the beat is stored at the other end of a symlink we must follow the symlink first +# For security reasons setcap does not support symlinks. This is smart in the general case +# but in our specific case since we're building a trusted image from trusted binaries this is +# fine. Thus, we use readlink to follow the link and setcap on the actual binary + readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }} && \ +{{- end }} +true + {{- if eq .user "root" }} {{- if contains .image_name "-cloud" }} # Generate folder for a stub command that will be overwritten at runtime RUN mkdir /app {{- end }} {{- else }} -RUN groupadd --gid 1000 {{ .BeatName }} && \ - useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} && \ - chown -R {{ .user }}:{{ .user }} {{ $beatHome }} && \ - true +RUN groupadd --gid 1000 {{ .BeatName }} +RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} {{- if contains .image_name "-cloud" }} # Generate folder for a stub command that will be overwritten at runtime @@ -144,17 +154,6 @@ RUN chown {{ .user }} /app {{- end }} {{- end }} -# Keep this after any chown command, chown resets any applied capabilities -RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \ -{{- if .linux_capabilities }} -# Since the beat is stored at the other end of a symlink we must follow the symlink first -# For security reasons setcap does not support symlinks. This is smart in the general case -# but in our specific case since we're building a trusted image from trusted binaries this is -# fine. Thus, we use readlink to follow the link and setcap on the actual binary - setcap {{ .linux_capabilities }} $(readlink -f {{ $beatBinary }}) && \ -{{- end }} -true - {{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }} USER root ENV NODE_PATH={{ $beatHome }}/.node