Stop running agent container as root by default (#21213)

jsoriano · web-flow · commit a9db1b1f9421 · 2020-09-24T13:50:22.000+02:00
Stop running Elastic Agent as root by default on docker image.
When root user or other privileges are required, they will need to
be explicitly configured at run time. This already happens now,
except for the root user.
Provided Kubernetes manifests already use security context to
run as user 0.
diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
@@ -340,7 +340,7 @@ shared:
       buildFrom: 'centos:7'
       dockerfile: 'Dockerfile.elastic-agent.tmpl'
       docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
-      user: 'root'
+      user: '{{ .BeatName }}'
       linux_capabilities: ''
     files:
       'elastic-agent.yml':
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -12,6 +12,8 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
     chown -R root:root {{ $beatHome }} && \
     find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \
     find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \
+    find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
+    find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \
     rm {{ $beatBinary }} && \
     ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \
     chmod 0750 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \
@@ -21,7 +23,7 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
 {{- range $i, $modulesd := .ModulesDirs }}
     chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \
 {{- end }}
-    chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs
+    true
 
 FROM {{ .from }}
 
@@ -69,6 +71,10 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint
 
 COPY --from=home {{ $beatHome }} {{ $beatHome }}
 
+# Elastic Agent needs group permissions in the home itself to be able to
+# create fleet.yml when running as non-root.
+RUN chmod 0770 {{ $beatHome }}
+
 RUN mkdir /licenses
 COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
 COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
@@ -7,6 +7,8 @@
 
 ==== Breaking changes
 
+- Docker container is not run as root by default. {pull}21213[21213]
+
 ==== Bugfixes
 
 ==== New features
diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go
@@ -336,7 +336,7 @@ func requiredPackagesPresent(basePath, beat, version string, requiredPackages []
 
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
-	return devtools.TestPackages(devtools.WithRootUserContainer())
+	return devtools.TestPackages()
 }
 
 // RunGo runs go command and output the feedback to the stdout and the stderr.

Original file line number	Diff line number	Diff line change
`@@ -336,7 +336,7 @@ func requiredPackagesPresent(basePath, beat, version string, requiredPackages []`
`336`	`336`
`337`	`337`	`// TestPackages tests the generated packages (i.e. file modes, owners, groups).`
`338`	`338`	`func TestPackages() error {`
`339`		`- return devtools.TestPackages(devtools.WithRootUserContainer())`
	`339`	`+ return devtools.TestPackages()`
`340`	`340`	`}`
`341`	`341`
`342`	`342`	`// RunGo runs go command and output the feedback to the stdout and the stderr.`