Cherry-pick #18873 to 7.x: Allow the Docker image to be run with a random user id (#12905) #19555
+23
−16
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
elastic#18873) Prepare docker images to be run with arbitrary user ids. Following common practices and recommendations, files that need to be read by Beats have now read permissions for the group and belong to the root group. Also, the user included in the docker image is added to the root group so it can read these files when run on docker with default user and privileges. Some changes are also added to Kubernetes reference manifests to help running beats with arbitrary user ids, though this is not completely supported and it requires additional setup. Co-authored-by: Michael Morello <[email protected]> (cherry picked from commit 3ff02cb)
jsoriano
added
[zube]: In Review
backport
Team:Platforms
botelastic
bot
added
the
needs_team
|
Pinging @elastic/integrations-platforms (Team:Platforms) |
botelastic
bot
removed
the
needs_team
kaiyan-sheng
approved these changes
Jul 1, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cherry-pick of PR #18873 to 7.x branch. Original message:
Apply changes on ownership proposed in #12905, but keep the permissions, to avoid the
issues reported in #18858.
I think this could be enough to run containers with arbitrary user ids, because beats don't need to write these files, only read them.
Make changes also to the kubernetes reference manifests to help running beats with arbitrary user ids. These manifests still won't work on restricted environments.
Fixes #18871
Changes were previously reverted in #18872
Co-authored-by: Michael Morello [email protected]
How to test
PLATFORMS=linux/amd64 mage package, or use one of the pre-built snapshots including this change.--privilegedand withoutBEAT_STRICT_PERMS.It should behave the same on these scenarios (auditbeat will fail to configure audit, this is expected unless
--privileged --user 0 --pid=hostis also used):docker run -it --rm docker.elastic.co/beats/filebeat:8.0.0docker run -it --rm --user 0 docker.elastic.co/beats/filebeat:8.0.0docker run -it --rm --user 1000 docker.elastic.co/beats/filebeat:8.0.0docker run -it --rm --user 100042 docker.elastic.co/beats/filebeat:8.0.0