Install systemd on Filebeat Docker images

[belimawr]

Proposed commit message

The journald input from Filebeat requires the journalctl binary to ingest journal logs, this commit adds it by installing systemd in all Filebeat Docker container images

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

## Disruptive User Impact
## Author's Checklist

How to test this PR locally

1. Package Filebeat

   DEV=true SNAPSHOT=true PACKAGES="docker" PLATFORMS=linux/amd64 mage -v package

2. Ensure journalctl is present in the containers (adjust the image name/tag according to the version you built, oss or not)

   docker run --rm -it --user root --entrypoint "journalctl" docker.elastic.co/beats/filebeat-wolfi:9.1.0-SNAPSHOT --version
   docker run --rm -it --user root --entrypoint "journalctl" docker.elastic.co/beats/filebeat-ubi:9.1.0-SNAPSHOT --version
   # Only for x-pack
   docker run --rm -it --user root --entrypoint "journalctl" docker.elastic.co/beats/filebeat:9.1.0-SNAPSHOT --version

3. Start a stack. E.g: using elastic-package: elastic-package stack up --version=9.1.0-SNAPSHOT -v -d

4. Create the following filebeat.yml (adjust the IP address/ES host as needed)

   filebeat.yml

   filebeat.inputs:
     - type: journald
       id: foo-bar
       paths:
         - /var/log/journal/*/*.journal
   
   output.elasticsearch:
     hosts:
       - https://192.168.42.42:9200
     username: elastic
     password: changeme
     ssl.verification_mode: none

5. Then run Filebeat from the docker image (adjust the journald folder if needed)

   docker run --rm \
     --name=filebeat \
     --user=root \
     --volume="/var/log/journal:/var/log/journal:ro" \
     --volume="$(pwd)/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" \
     --volume="registry:/usr/share/filebeat/data:rw" \
     docker.elastic.co/beats/filebeat-wolfi:9.1.0-SNAPSHOT filebeat -e --strict.perms=false setup

6. Ensure there are no errors and data is ingested

Related issues

• Relates Add journalctl to Filebeat and Elastic-Agent docker images #44040
• Fixes [Filebeat] Journald input doesn't work in container #41278

## Use cases
## Screenshots
## Logs

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @belimawr? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[leehinman]

FYI opened #44062 for us to improve updating of packages.

[kilfoyle]

LGTM for the docs! 🏎️
(I added just a small suggestion.)

[rdner]

This is very helpful, thanks!

[rdner]

@belimawr I see this PR is marked to close #44040 I don't think it's correct.

This PR only addresses the standalone Filebeat container, not running integrations under Elastic Agent, right?

[belimawr]

@belimawr I see this PR is marked to close #44040 I don't think it's correct.

This PR only addresses the standalone Filebeat container, not running integrations under Elastic Agent, right?

Yes, you're correct. Thanks for catching this. I updated the PR description.

[belimawr]

FYI opened #44062 for us to improve updating of packages.

Thanks Lee!

[github-actions]

@Mergifyio backport 8.17 8.18 8.19 9.0

[mergify]

backport 8.17 8.18 8.19 9.0

✅ Backports have been created

Details

• #44085 [8.17](backport #44056) Install systemd on Filebeat Docker images has been created for branch 8.17 but encountered conflicts
• #44086 [8.18](backport #44056) Install systemd on Filebeat Docker images has been created for branch 8.18 but encountered conflicts
• #44087 [8.19](backport #44056) Install systemd on Filebeat Docker images has been created for branch 8.19 but encountered conflicts
• #44088 [9.0](backport #44056) Install systemd on Filebeat Docker images has been created for branch 9.0

[rdner]

@belimawr could you document the image size increase in the description of this PR?

[cmacknz]

What systemd version does this install and how compatible is it with debian?

I ask because I expect users will frequently use this to read journald logs from debian or ubuntu based k8s nodes so if it isn't compatible we need to clearly document that.

[cmacknz]

UBI at least already exposes us to CVEs in the rest of the OS packages so it doesn't have the same concerns as Wolfi for that problem.

[rdner]

What systemd version does this install and how compatible is it with debian?

I ask because I expect users will frequently use this to read journald logs from debian or ubuntu based k8s nodes so if it isn't compatible we need to clearly document that.

Is not it sufficiently documented here? https://github.com/elastic/beats/pull/44056/files#diff-7a8b715909f505c1dc033e00d9fb48d50576d9c128e1c50538fe697218b97ff7R11-R21

[cmacknz]

I think almost, that doesn't explain why this is important or what the compatibility rules are. It just says users should check.

What is journactl's version compatibility policy? Backwards compatibility (new versions can read old versions) I assume, but does it also provide forward compatibility (old versions can read new versions of journal files)?

If the Filebeat version is 255 but the host system is 257 what does that mean for users?

[cmacknz]

This is going to have the side effect of exposing us to CVEs in the entirety of systemd which might turn out to be a significant problem. We probably want to keep this out of the wolfi image whose point is to minimize exposure to OS based CVEs.

In general it would actually be better to build only what we need or find a way to include just journalctl and nothing else but I'm not sure how possible that is.

[rdner]

#44108

[rdner]

PR to remove systemd from Wolfi #44108