Set user depending on agent.privileges.root field from manifest #1789
Conversation
mrodm
changed the title
💚 Build Succeeded
History
cc @mrodm |
mrodm
changed the title
| // If user is defined in configuration file has preference ? | ||
| if info.Agent.User == "" && packageManifest.Agent.Privileges.Root { | ||
| info.Agent.User = "root" | ||
| } |
There was a problem hiding this comment.
As it is, if one configuration defines another user, that user will have preference over what the package manifest sets.
Should it be set always according to what the package manifest sets ignoring the setting from the configuration file?
There was a problem hiding this comment.
Yes, configuration file should have preference. There may be a test that tries with a non-root user with additional capabilities.
| @@ -1,15 +1,17 @@ | |||
| format_version: 1.0.0 | |||
| format_version: 2.12.0 | |||
There was a problem hiding this comment.
Minimum version to define agent.privileges.root in the manifest
| // If user is defined in configuration file has preference ? | ||
| if info.Agent.User == "" && packageManifest.Agent.Privileges.Root { | ||
| info.Agent.User = "root" | ||
| } |
There was a problem hiding this comment.
Yes, configuration file should have preference. There may be a test that tries with a non-root user with additional capabilities.
| @@ -819,7 +824,7 @@ func (r *runner) prepareScenario(ctx context.Context, config *testConfig, svcInf | |||
| return nil | |||
| } | |||
|
|
|||
| agentDeployed, agentInfo, err := r.setupAgent(ctx, config, serviceStateData, policy) | |||
| agentDeployed, agentInfo, err := r.setupAgent(ctx, config, serviceStateData, policy, scenario.pkgManifest) | |||
There was a problem hiding this comment.
Nit. Maybe we can reduce the new dependecy here by passing only the agent options.
| agentDeployed, agentInfo, err := r.setupAgent(ctx, config, serviceStateData, policy, scenario.pkgManifest) | |
| agentDeployed, agentInfo, err := r.setupAgent(ctx, config, serviceStateData, policy, scenario.pkgManifest.Agent) |
There was a problem hiding this comment.
Sure, done this change in 1d65244
| @@ -5,7 +5,6 @@ data_stream: | |||
| preserve_original_event: true | |||
| agent: | |||
| runtime: docker | |||
| user: "root" | |||
There was a problem hiding this comment.
It would work the same if we keep the user here, right?
There was a problem hiding this comment.
Yes, that's right. I've tested it again locally keeping the user in the configuration file and it keeps the same behavior (sets root user).
Relates #787
Relates #1586
When using independent agents, if the package defines in its manifest that it requries root as:
elastic-packagewill automatically set the user root in the docker-compose scenario for the agent.Added this setting into the test package
auditid_manager_independent_agent. It can be checked that these settings are set for that agent container along with the capabilities: