Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enroll command doesn't support --unprivileged flag for deb and rpm agents. #4125

Open
2 tasks
amolnater-qasource opened this issue Jan 24, 2024 · 13 comments
Open
2 tasks

Enroll command doesn't support --unprivileged flag for deb and rpm agents. #4125

amolnater-qasource opened this issue Jan 24, 2024 · 13 comments
Assignees
@kilfoyle
Labels
bug Something isn't working impact:high Short-term priority; add to current release, or definitely next. QA:Ready For Testing Code is merged and ready for QA to validate Team:Docs Label for the Observability docs team Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@amolnater-qasource
Copy link

amolnater-qasource commented Jan 24, 2024
edited by ycombinator
Loading

Kibana Build details:

VERSION: 8.13.0-SNAPSHOT
BUILD: 70749
COMMIT: a0f4897f7c04069faf2a86dbda1dabea78c161c1
Artifact Link: https://snapshots.elastic.co/8.13.0-l534sdis/downloads/beats/elastic-agent/elastic-agent-8.13.0-SNAPSHOT-x86_64.rpm
https://snapshots.elastic.co/8.13.0-l534sdis/downloads/beats/elastic-agent/elastic-agent-8.13.0-SNAPSHOT-amd64.deb

Host OS: Linux- SLES15, Ubuntu 22

Preconditions:

  1. 8.13.0 Snapshot should be available.

Steps to reproduce:

  1. Download and extract rpm/deb artifacts.
  2. Run below command:
    sudo ./elastic-agent enroll --url=<url> --enrollment-token=<token> --unprivileged
  3. Observe unprivileged flag not supported by enroll command error.

Screenshot:
image

Expected Result:
User should be able to enroll agents using --unprivileged flag.

Feature:
https://github.com/elastic/ingest-dev/issues/1766

Definition of done:
Taken from #4125 (comment):
@amolnater-qasource amolnater-qasource added bug Something isn't working Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team impact:high Short-term priority; add to current release, or definitely next. labels Jan 24, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@amolnater-qasource
Copy link
Author

@manishgupta-qasource Please review.

@manishgupta-qasource
Copy link

Secondary review for this ticket is Done

@blakerouse
Copy link
Contributor

I don't understand the ask here. --unprivileged is an installation option, not an enroll time option. The DEB installs the Elastic Agent as root, I don't believe it should be something the Elastic Agent can just change at enroll time. That doesn't really fit how DEB/RPM's work.

I know there was discussion about adding the ability to switch from privileged mode to unprivileged mode and back again with another command, that should be what is used here for this, not during enroll time. enroll means the Elastic Agent is already installed, that decision has been made.

@pierrehilbert
Copy link
Contributor

Thanks @blakerouse for your inputs.
@nimarezainia From a product perspective, is this flow okay for you?

@nimarezainia
Copy link
Contributor

I agree that the flag need not be available on the enroll. (apologies @amolnater-qasource i didn't fully understand your original question which prompted this issue)

@blakerouse RPMs always will need root priv to install - I don;t think theres an exception to this. However here the application that it installs needs to run without root priv. But I suspect that there's no way for us to pass this flag to RPM/DEB for the installation phase of the agent (i don;t even think such a thing exists).

If we can't pass a flag to the installation phase of the agent, then the only option is to allow for the conversion to happen after install. That issue we had deprioritized for now.

@pierrehilbert from a product perspective I see it simply as the same use case (as in the user needs the application to be running without root privileges). They're using a tool to install the agents.
We have a healthy set of users using RPM/DEB images we have, I suspect that a good percentage of them would be wanting to install without the agent needing root priv.

@ycombinator
Copy link
Contributor

Chatted with @blakerouse today. Summarizing:

@kilfoyle
Copy link
Contributor

kilfoyle commented May 27, 2024
edited
Loading

@ycombinator, @nimarezainia It's just an early draft, but I'm gathering the "unprivileged" docs together in this PR.

@blakerouse whenever you have them, if you'd like to just let me know the how-to steps I can look after adding them into the docs:

@kaanyalti I think the "pre-requisites and gotchas" could go in tables like these, but we can update the format once the list becomes more clear.

@ycombinator ycombinator mentioned this issue May 28, 2024
Closed
@ycombinator
Copy link
Contributor

Reading through the steps mentioned in #4125 (comment) needed to close this issue:

create a document somewhere under https://www.elastic.co/guide/en/fleet/current/index.html that introduces users to unprivileged mode: what it is, why/when it's useful, how to use it, and how to change between modes after Agent is installed.
This document can also then be used to document any #4705. cc: @kilfoyle @kaanyalti

This is something @kilfoyle already took care of in elastic/ingest-docs#1087.

link to this document from the "DEB" and "RPM" tabs in https://www.elastic.co/guide/en/fleet/current/install-standalone-elastic-agent.html

@kilfoyle would you mind taking care of this part as well, since it's docs-related, either as part of elastic/ingest-docs#1087 or in a follow up PR?

@ycombinator ycombinator assigned kilfoyle and unassigned blakerouse Jun 26, 2024
@ycombinator ycombinator added the Team:Docs Label for the Observability docs team label Jun 26, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/ingest-docs (Team:Docs)

@kilfoyle kilfoyle mentioned this issue Jun 27, 2024
Closed
@kilfoyle
Copy link
Contributor

kilfoyle commented Jun 27, 2024
edited
Loading

@kilfoyle would you mind taking care of this part as well, since it's docs-related, either as part of elastic/ingest-docs#1087 or in a follow up PR?

@ycombinator Sure thing. Here's a docs PR: elastic/ingest-docs#1144

@kilfoyle kilfoyle mentioned this issue Jun 27, 2024
Closed
@blakerouse
Copy link
Contributor

I think there is one thing we need to validate, and that is an upgrade of the RPM/DEB doesn't revert some of the paths from unprivileged back to a privileged Elastic Agent. Once an Elastic Agent is switched it should remain that way even if upgraded from RPM/DEB.

That will be on me to check.

@kilfoyle
Copy link
Contributor

Just adding a note here that this docs PR should merge after this issue is resolved.

@amolnater-qasource amolnater-qasource added the QA:Ready For Testing Code is merged and ready for QA to validate label Jan 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kilfoyle kilfoyle

Labels
bug Something isn't working impact:high Short-term priority; add to current release, or definitely next. QA:Ready For Testing Code is merged and ready for QA to validate Team:Docs Label for the Observability docs team Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@ycombinator @pierrehilbert @blakerouse @nimarezainia @elasticmachine @kilfoyle @manishgupta-qasource @amolnater-qasource