Unable to install mac agent at custom path using --base-path and --unprivilege command.

[amolnater-qasource]

Kibana Build details:

VERSION: 8.14.0 BC3
BUILD: 73762
COMMIT: 2a492e1625f24336f3259b2b8df62b2b18127e81

Artifact Link: https://staging.elastic.co/8.14.0-7c638435/downloads/beats/elastic-agent/elastic-agent-8.14.0-darwin-aarch64.tar.gz

Preconditions:

1. 8.14.0-BC3 Kibana cloud environment should be available.

Steps to reproduce:

1. Run agent install command with --base-path and --unprivileged.
2. Observe agent installation failed with an error.

Expected Result:
User should be able to install mac agent at custom path using --base-path and --unprivilege command.

Screenshot:

CLI error:

Unprivileged installation mode enabled; this is an experimental and currently unsupported feature.
Elastic Agent will be installed at /Users/anater/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:
[== ] Service Started [3s] Elastic Agent successfully installed, starting enrollment.
[  =] Uninstalled [4s] Error uninstalling. Printing logs
2024-05-07T10:19:44.751Z	DEBUG	[install]	Loaded configuration from /Users/anater/Downloads/elastic-agent-8.14.0-darwin-aarch64/elastic-agent.yml
2024-05-07T10:19:44.751Z	DEBUG	[install]	Merged configuration from /Users/anater/Downloads/elastic-agent-8.14.0-darwin-aarch64/elastic-agent.yml into result
2024-05-07T10:19:44.751Z	DEBUG	[install]	Merged all configuration files from [/Users/anater/Downloads/elastic-agent-8.14.0-darwin-aarch64/elastic-agent.yml], no external input files
2024-05-07T10:19:44.751Z	DEBUG	[install.composable]	Starting controller for composable inputs
2024-05-07T10:19:44.751Z	DEBUG	[install.composable]	Started controller for composable inputs
2024-05-07T10:19:44.751Z	DEBUG	[install.composable]	Variable state changed for composable inputs; debounce started
2024-05-07T10:19:44.751Z	DEBUG	[install.composable.providers.kubernetes]	Kubernetes provider for resource pod skipped, unable to connect: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2024-05-07T10:19:44.751Z	DEBUG	[install.composable]	kubernetes_secrets provider skipped, unable to connect: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2024-05-07T10:19:44.751Z	DEBUG	[install.composable.providers.kubernetes]	Kubernetes provider for resource node skipped, unable to connect: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2024-05-07T10:19:44.751Z	DEBUG	[install.composable]	Kubernetes leaderelection provider skipped, unable to connect: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2024-05-07T10:19:44.752Z	INFO	[install.composable.providers.docker]	Docker provider skipped, unable to connect: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
2024-05-07T10:19:44.852Z	DEBUG	[install.composable]	Computing new variable state for composable inputs
2024-05-07T10:19:44.852Z	DEBUG	[install.composable]	Stopping controller for composable inputs
2024-05-07T10:19:44.953Z	DEBUG	[install.composable]	Stopped controller for composable inputs
Error: failed to execute enroll command: fork/exec /usr/local/bin/elastic-agent: permission denied
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.14/fleet-troubleshooting.html

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[amolnater-qasource]

@manishgupta-qasource Please review.

[manishgupta-qasource]

Secondary review for this ticket is Done

[pchila]

@amolnater-qasource I just tested this on my Mac and I assume that your home directory /User/anater does not have any permission for anyone outside of your user and staff group...
When installing elastic-agent unprivileged a new user and group elastic-agent are created but obviously the new user does not have access to the install location so when agent tries to execute the enroll command as elastic-agent:elastic-agent user and group it fails.

Could you please retest choosing a base-path that is traversable (needs the world x permission) by everybody?

I just tested on my machine using /tmp/install as base path which has permissions as shown below

➜  /tmp ll
total 295016
...
drwxr-xr-x   3 root    wheel    96B May  7 18:44 install
...

and the install works correctly

➜  elastic-agent-8.15.0-SNAPSHOT-darwin-aarch64 git:(main) ✗ sudo ./elastic-agent install --unprivileged --base-path /tmp/install --url=<redacted> --enrollment-token=<redacted>                                                                                                                                                                                                                            
                                                                   
                                                                                                                                       
Unprivileged installation mode enabled; this is an experimental and currently unsupported feature.
Elastic Agent will be installed at /tmp/install/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[=== ] Service Started  [3s] Elastic Agent successfully installed, starting enrollment.
[=== ] Enrolling Elastic Agent with Fleet  [3s] enrollment command: /usr/local/bin/elastic-agent enroll --from-install --url https://997cfd1736434d5bb4fe8fcc21fbbe4d.fleet.us-west2.gcp.elastic-cloud.com:443 --enrollment-token M3N1QVU0OEJxYXVtOUt1aUlRNVI6V3ZNakxFT3JTTUtw
[==  ] Waiting For Enroll...  [4s] {"log.level":"info","@timestamp":"2024-05-07T18:44:33.525+0200","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":506},"message":"Starting enrollment to URL: https://997cfd1736434d5bb4fe8fcc21fbbe4d.fleet.us-west2.gcp.elastic-c
loud.com:443/","ecs.version":"1.6.0"}
[ ===] Waiting For Enroll...  [6s] {"log.level":"info","@timestamp":"2024-05-07T18:44:35.620+0200","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":469},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-07T18:44:35.623+0200","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":287},"message":"Successfully triggered restart on running Elastic Agent.","ecs.version":"1.6.0"}
Successfully enrolled the Elastic Agent.
[ ===] Done  [6s]                               
Elastic Agent has been successfully installed.

[amolnater-qasource]

Hi @pchila

Thank you for looking into this issue and sharing the detailed information.

We have revalidated this issue at our end and we are able to install the agent to the /tmp and /etc locations using basepath and unprivileged flag.

Directory Permissions:

Screenshot:

Please let us know if this is expected, so that we can close this issue.

Thanks!

[amolnater-qasource]

Related issue: #4703

[pchila]

Hello @amolnater-qasource

Please let us know if this is expected, so that we can close this issue.

Thanks!

The path where the agent is installed needs to be accessible for elastic-agent user, so this is expected and the issue can be closed.
It's probably a good idea to add a step to the test scripts where it's specified that the base path must be accessible by elastic-agent when installing/running as unprivileged

[ycombinator]

@pchila would you mind adding your path permissions recommendations from this issue to #4705? I'm trying to use that issue as a single place to capture all prerequisites required for successfully running Agent in unprivileged mode. Thanks!