Elastic Agent ACI compliant image #3778
Merged
Changes from 10 commits
19 commits
bb214ff
Revert "Revert "[Fix] Agent incapable of running on Azure Container I…
michalpristas 78ceea4
Saved 1GB
michalpristas cc02083
Merge branch 'main' of github.com:elastic/elastic-agent into image-cu…
michalpristas 7836742
permissions seem ok
michalpristas 577a9b3
Merge branch 'main' of github.com:elastic/elastic-agent into image-cu…
michalpristas 924b14b
reduce complete image
michalpristas 2e64699
complete compact
michalpristas 88b1bc5
Merge branch 'main' of github.com:elastic/elastic-agent into image-cu…
michalpristas f4eb9ea
Merge branch 'main' of github.com:elastic/elastic-agent into image-cu…
michalpristas aaeacba
Merge branch 'main' of github.com:elastic/elastic-agent into image-cu…
michalpristas 90566a2
Merge branch 'main' into image-custom-uid
pierrehilbert ede4e4d
simplify dockerfile
michalpristas db60d7f
Merge branch 'main' of github.com:elastic/elastic-agent into image-cu…
michalpristas bc7e298
Merge branch 'image-custom-uid' of github.com:michalpristas/elastic-a…
michalpristas 666cb98
Merge branch 'main' into image-custom-uid
michalpristas 9fddf26
Merge branch 'main' into image-custom-uid
michalpristas 15bd418
Merge branch 'main' of github.com:elastic/elastic-agent into image-cu…
michalpristas 55b0367
Merge branch 'image-custom-uid' of github.com:michalpristas/elastic-a…
michalpristas e453c5c
Merge branch 'main' into image-custom-uid
michalpristas
31 changes: 31 additions & 0 deletions
...elog/fragments/1689328899-Elastic-Agent-container-runs-on-Azure-Container-Instances-.yaml
@@ -0,0 +1,31 @@ | ||
# Kind can be one of: | ||
# - breaking-change: a change to previously-documented behavior | ||
# - deprecation: functionality that is being removed in a later release | ||
# - bug-fix: fixes a problem in a previous version | ||
# - enhancement: extends functionality but does not break or fix existing behavior | ||
# - feature: new functionality | ||
# - known-issue: problems that we are aware of in a given version | ||
# - security: impacts on the security of a product or a user’s deployment. | ||
# - upgrade: important information for someone upgrading from a prior version | ||
# - other: does not fit into any of the other categories | ||
kind: bug | ||
|
||
# Change summary; a 80ish characters long description of the change. | ||
summary: Elastic-Agent container runs on Azure Container Instances | ||
|
||
# Long description; in case the summary is not enough to describe the change | ||
# this field accommodate a description without length limits. | ||
#description: | ||
|
||
# Affected component; a word indicating the component this changeset affects. | ||
component: elastic-agent | ||
|
||
# PR number; optional; the PR number that added the changeset. | ||
# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. | ||
# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. | ||
# Please provide it if you are adding a fragment for a different PR. | ||
pr: 3576 | ||
|
||
# Issue number; optional; the GitHub issue related to this changeset (either closes or is part of). | ||
# If not present is automatically filled by the tooling with the issue linked to the PR number. | ||
issue: 82 |
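Review bot: `kind: bug` is not one of the values the header comment of this fragment enumerates (`bug-fix` is the closest match), so any tooling that validates fragments against that list will reject it; change it to `kind: bug-fix`. Also confirm `pr: 3576`: this pull request is #3778, and the header says to set `pr` only when the fragment belongs to a different PR, which is fine if 3576 is the original change that the first commit re-applies, but it is worth stating that in the PR description.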
@@ -6,14 +6,25 @@ | |
# the final image because of permission changes. | ||
FROM {{ .buildFrom }} AS home | ||
|
||
COPY beat {{ $beatHome }} | ||
{{- if ne .user "root" }} | ||
RUN groupadd --gid 1000 {{ .BeatName }} && \ | ||
useradd -M --uid 1000 --gid 1000 --groups 0 {{ .user }} && \ | ||
true | ||
{{- end }} | ||
|
||
RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \ | ||
chown -R root:root {{ $beatHome }} && \ | ||
COPY --chown={{ .user }}:{{ .user }} beat {{ $beatHome }} | ||
|
||
RUN true && \ | ||
{{- if ne .user "root" }} | ||
usermod -d {{ $beatHome}} {{ .user }} && \ | ||
{{- end}} | ||
# ECE needs to create config here under non-1000 user | ||
chmod 0777 {{ $beatHome}} && \ | ||
mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \ | ||
find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \ | ||
find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \ | ||
find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \ | ||
find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \ | ||
find {{ $beatHome }}/data -type d -exec chmod 0777 {} \; && \ | ||
find {{ $beatHome }}/data -type f -exec chmod 0666 {} \; && \ | ||
rm {{ $beatBinary }} && \ | ||
ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \ | ||
chmod 0755 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \ | ||
|
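Review bot: the new `find {{ $beatHome }}/data -type d -exec chmod 0777 {} \;` and `-type f -exec chmod 0666 {} \;` lines make every directory and file under the data directory world-writable, and `chmod 0777 {{ $beatHome }}` does the same for the home directory that holds the `{{ $beatBinary }}` symlink. The later `chmod 0755` on `data/elastic-agent-*/elastic-agent` does not protect the binary: write permission on the parent directory lets any UID in the container unlink or rename the binary, the symlink and the component config files and put replacements in their place, so any other process that ends up in the container can change what the agent executes. If the requirement is only that a non-1000 UID can create `fleet.yml` and state (the ECE comment above), consider keeping 0775/0664 with the root group (the user is created with `--groups 0`), or, where world-writable really is needed, the sticky bit (`chmod 1777`) so that only the owner can remove or rename existing entries, and document which UID/GID model the image is expected to run under.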
@@ -27,7 +38,7 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s | |
(chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-collector || true) && \ | ||
(chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-symbolizer || true) && \ | ||
(chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-host-agent || true) && \ | ||
find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown root:root {} \; && \ | ||
find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chown {{ .user }}:{{ .user }} {} \; && \ | ||
this is a no, modules permissions are checked to be owned by root
find {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components -name "*.yml*" -type f -exec chmod 0644 {} \; && \ | ||
{{- range $i, $modulesd := .ModulesDirs }} | ||
chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \ | ||
|
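Review bot: changing the component `*.yml*` ownership from `root:root` to `{{ .user }}:{{ .user }}` conflicts with the inline review comment that these files are checked to be owned by root; with the `chmod 0644` that follows, `{{ .user }}` ownership also means the agent process itself can rewrite its own component configuration. Keep `chown root:root` here unless the ownership check has been confirmed to accept `{{ .user }}`.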
@@ -113,11 +124,22 @@ RUN set -e ; \ | |
COPY docker-entrypoint /usr/local/bin/docker-entrypoint | ||
RUN chmod 755 /usr/local/bin/docker-entrypoint | ||
|
||
COPY --from=home {{ $beatHome }} {{ $beatHome }} | ||
|
||
{{- if ne .user "root" }} | ||
RUN groupadd --gid 1000 {{ .BeatName }} && \ | ||
useradd -M --uid 1000 --gid 1000 --groups 0 {{ .user }} && \ | ||
true | ||
{{- end }} | ||
|
||
COPY --chown={{ .user }}:{{ .user }} --from=home {{ $beatHome }} {{ $beatHome }} | ||
|
||
# Elastic Agent needs group permissions in the home itself to be able to | ||
# create fleet.yml when running as non-root. | ||
RUN chmod 0770 {{ $beatHome }} | ||
RUN chmod 0777 {{ $beatHome }} && \ | ||
{{- if ne .user "root" }} | ||
usermod -d {{ $beatHome}} {{ .user }} && \ | ||
{{- end}} | ||
true | ||
|
||
RUN mkdir /licenses | ||
COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses | ||
|
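Review bot: the comment `# Elastic Agent needs group permissions in the home itself` no longer matches the instruction beneath it, which is now `chmod 0777 {{ $beatHome }}` (world-writable, not group-writable); update the comment to say why other UIDs need write access, and if the goal is letting a non-1000 UID create `fleet.yml`, `chmod 1777` keeps creation possible while preventing other UIDs from replacing the entries `{{ .user }}` owns, including the `{{ $beatBinary }}` symlink that lives in this directory. The `groupadd`/`useradd` block is now duplicated between the `home` stage and this stage, and the `usermod -d` here repeats the one in the `home` stage; the review question below about doing the ownership change only once in the final stage covers this, so either drop the intermediate copy or leave a comment explaining why both are needed.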
@@ -127,33 +149,30 @@ COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses | |
COPY --from=home /opt /opt | ||
{{- end }} | ||
|
||
|
||
RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \ | ||
{{- if .linux_capabilities }} | ||
# Since the beat is stored at the other end of a symlink we must follow the symlink first | ||
# For security reasons setcap does not support symlinks. This is smart in the general case | ||
# but in our specific case since we're building a trusted image from trusted binaries this is | ||
# fine. Thus, we use readlink to follow the link and setcap on the actual binary | ||
readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }} && \ | ||
{{- end }} | ||
true | ||
|
||
{{- if eq .user "root" }} | ||
{{- if contains .image_name "-cloud" }} | ||
# Generate folder for a stub command that will be overwritten at runtime | ||
RUN mkdir /app | ||
{{- end }} | ||
{{- else }} | ||
RUN groupadd --gid 1000 {{ .BeatName }} | ||
RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} | ||
|
||
{{- if contains .image_name "-cloud" }} | ||
# Generate folder for a stub command that will be overwritten at runtime | ||
RUN mkdir /app | ||
RUN chown {{ .user }} /app | ||
RUN mkdir /app && \ | ||
chown {{ .user }}:{{ .user }} /app | ||
{{- end }} | ||
{{- end }} | ||
|
||
# Keep this after any chown command, chown resets any applied capabilities | ||
RUN setcap cap_net_raw,cap_setuid+p {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/components/heartbeat && \ | ||
{{- if .linux_capabilities }} | ||
# Since the beat is stored at the other end of a symlink we must follow the symlink first | ||
# For security reasons setcap does not support symlinks. This is smart in the general case | ||
# but in our specific case since we're building a trusted image from trusted binaries this is | ||
# fine. Thus, we use readlink to follow the link and setcap on the actual binary | ||
setcap {{ .linux_capabilities }} $(readlink -f {{ $beatBinary }}) && \ | ||
{{- end }} | ||
true | ||
|
||
{{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }} | ||
USER root | ||
ENV NODE_PATH={{ $beatHome }}/.node | ||
|
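Review bot: moving `setcap` after the last `chown` is the right fix (the comment `# Keep this after any chown command, chown resets any applied capabilities` is accurate), but `setcap {{ .linux_capabilities }} $(readlink -f {{ $beatBinary }})` leaves the command substitution unquoted; quote it as `"$(readlink -f {{ $beatBinary }})"` so an empty or unexpected path fails loudly instead of calling `setcap` with the wrong arguments. The unconditional `setcap cap_net_raw,cap_setuid+p ... /components/heartbeat` still runs outside the `{{- if .linux_capabilities }}` guard, as it did before, so the build fails on any image variant that does not ship that component; a `test -f` guard or moving it inside the conditional would make that explicit.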
@@ -163,7 +182,7 @@ RUN echo \ | |
{{ $beatHome }}/.synthetics \ | ||
{{ $beatHome }}/.npm \ | ||
{{ $beatHome }}/.cache \ | ||
| xargs -IDIR sh -c 'mkdir -p DIR && chmod 0770 DIR' | ||
| xargs -IDIR sh -c 'mkdir -p DIR && chmod 0775 DIR' | ||
|
||
# Setup synthetics env vars | ||
ENV ELASTIC_SYNTHETICS_CAPABLE=true | ||
|
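Review bot: `chmod 0775 DIR` for `.synthetics`, `.npm` and `.cache` gives other users read and execute only, while the home and data directories in the earlier hunks get 0777. If the arbitrary-UID case that motivates this PR also runs synthetics, npm and the browser cache will not be writable by a UID outside the root group and those writes will fail at runtime; if it does not, 0775 is the better default and the 0777 elsewhere should be narrowed to match. Either way, state the intended UID/GID model in a comment so the two choices do not read as inconsistent.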
@@ -192,14 +211,14 @@ RUN cd {{$beatHome}}/.node \ | |
esac \ | ||
&& mkdir -p node \ | ||
&& curl ${NODE_DOWNLOAD_URL} | tar -xJ --strip 1 -C node \ | ||
&& chmod ug+rwX -R $NODE_PATH | ||
|
||
&& chmod ugo+rwX -R $NODE_PATH \ | ||
# Install synthetics as a regular user, installing npm deps as root odesn't work | ||
RUN chown -R {{ .user }} $NODE_PATH | ||
# fix .node .npm and .synthetics | ||
&& chown -R {{ .user }}:{{ .user }} $NODE_PATH | ||
USER {{ .user }} | ||
# If this fails dump the NPM logs | ||
RUN npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1' | ||
RUN chmod ug+rwX -R $NODE_PATH | ||
RUN (npm i -g --loglevel verbose --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1') && \ | ||
chmod ugo+rwX -R $NODE_PATH | ||
USER root | ||
|
||
# Install the deps as needed by the exact version of playwright elastic synthetics uses | ||
|
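Review bot: `chmod ugo+rwX -R $NODE_PATH` (run both before and after the install) makes the node runtime and the globally installed `@elastic/synthetics` package world-writable, so any UID in the container can modify JavaScript that the synthetics component later executes; prefer `ug+rwX` with the root group, as the removed line had, unless write access by arbitrary UIDs is a hard requirement. The fallback `sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1'` now runs after `USER {{ .user }}`, so npm's logs will most likely land under that user's home (which `usermod -d` set to `{{ $beatHome }}`, i.e. `{{ $beatHome }}/.npm/_logs`) rather than `/root/.npm/_logs`, and the diagnostic will print nothing on failure. Minor: `odesn't` in the comment should be `doesn't`.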
@@ -223,6 +242,7 @@ USER {{ .user }} | |
EXPOSE {{ $port }} | ||
{{- end }} | ||
|
||
|
||
# When running under Docker, we must ensure libbeat monitoring pulls cgroup | ||
# metrics from /sys/fs/cgroup/<subsystem>/, ignoring any paths found in | ||
# /proc/self/cgroup. | ||
|
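Review bot: this hunk only adds a blank line before the cgroup comment; drop it so the diff stays limited to the permission and user changes.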
Why do we need to create the user and the correct ownership in the intermediate stage? Wouldn't it be enough to copy with the correct ownership and user in the last stage (line ~127)?
hmm that's a nice idea, will check, not sure it will let us differentiate /d/f though