-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[System tests] Run system tests for integrations with a non root Elastic Agent #1586
Comments
Pinging @elastic/fleet (Team:Fleet) |
@blakerouse I guess we will need elastic/elastic-agent#3799 to be reverted before being able to run these tests right? @mrodm @jsoriano I guess we will have to add this flag to the Elastic Agent docker image we use right? |
@jlind23 the flag is only hidden so I think there is no problem to run these tests |
@jsoriano @kpollich After chatting with @blakerouse it seems that we should already be able to do it by changing the user that the docker image relies on. |
One challenge we will face is that We have though a number of issues that would be solved if we move the Elastic Agent management from the The kubernetes and custom agent service deployers, used by some integrations, circumvent this limitation by managing their own agents, but this exceeds their responsibilities, and cannot be generalized to all integrations. I think we should take the opportunity to dedicate some time to solve #787. It would help on this issue and other similar ones, and it would allow to pay off some technical debt. If we cannot dedicate time to this now, we could add a temporary profile setting, that makes |
I'll be more than happy to see @jen-huang prioritising #787 😄 Anyway this is something we should tackle rather soonish to make the unprivileged agents fully testable. |
This is probably an L-sized task.
If we are in a hurry, we could go in the way of adding a temporary profile setting by now, at least to have coverage in CI. |
@jen-huang @jlind23 should we consider prioritizing #787 as part of the quality work? However it's also tempting to add the temp profile as suggested to move forward with testing for unprivileged agents. |
I think we should do it anyway and work on the long term plan at the same time. |
Sounds good to me. |
I think there are a few complications to keep in mind if we were to rely completely on the integration system tests to detect if an integration can correctly run with a non-root Elastic Agent:
That isn't to say this isn't valuable, it just isn't going to test the worst edge cases. Technically the tests are already running as a non-root user, and once we fix elastic/elastic-agent#4087 the elastic-agent user in our Docker container will have no root permissions at all. |
Another point in favour of #787 🙂 This issue was originally motivated exactly by the lack of testing on different platform configurations. |
I'm moving this issue to a future sprint and pulling in #787 for the next one. |
This is blocked on #787 in the current sprint, but can be worked on once the custom agent image work is completed. |
With this PR #1815 , those packages that have If these new Elastic Agents (containers) are created (no custom agents), they are going to define services:
elastic-agent:
hostname: ${AGENT_HOSTNAME}
image: ${ELASTIC_AGENT_IMAGE_REF}
user: root
... |
With the addition of the two features below, integrations will now be able to run on non root Elastic Agent. If not specified otherwise, an integration will be runnable on a non root Agent. In order to ensure that integrations are properly running without problems we need to update Elastic Package system test in order to run a non root Elastic Agent.
Related issues
Blocked on #787
cc @nimarezainia @pierrehilbert
The text was updated successfully, but these errors were encountered: