Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document pre-requisites for running Elastic Agent in unprivileged mode #4705

Open
9 tasks
ycombinator opened this issue May 8, 2024 · 4 comments
Open
9 tasks

Document pre-requisites for running Elastic Agent in unprivileged mode #4705

ycombinator opened this issue May 8, 2024 · 4 comments
Assignees
@kaanyalti
Labels
documentation Improvements or additions to documentation Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@ycombinator
Copy link
Contributor

ycombinator commented May 8, 2024
edited

Background

Traditionally, privileged users (e.g. root on Linux) run Elastic Agent on a host. However, with #3598, #4362, #4264, and other follow-up PRs, it is now possible to run Elastic Agent with an unprivileged user.

Problem statement

Running Agent as an unprivileged user has consequences. Not only does the Agent itself run as an unprivileged user, but so do the process components it orchestrates, e.g. the various Beats. Consequently, any integrations being handled by such components, e.g. system, might not have the necessary access on the host to collect all the data they can when running as a privileged user. The result is that users do not see data they might be expecting in these integrations' dashboards. Some examples of this situation are:

Similarly, users might encounter other issues related to the installing or running of Elastic Agent in privileged mode. Some examples of this situation are:

Definition of done

Let's use this issue to collect any pre-requisites a user must perform to install and run Elastic Agent in unprivileged mode, as well as any other gotchas they might run into when using the system integration with an Elastic Agent running in unprivileged mode.

For each pre-requisite let's capture the following information:

  1. What steps does the user need to take as a prerequisite to running Elastic Agent in unprivileged mode?
  2. What would the impact be if these prerequisite steps were not taken? Or, put differently, what functionality is enabled as a result of taking these prerequisite steps?
  3. What symptoms (e.g. errors) will the user observe and where if these prerequisite steps were not taken?

MacOS
Beta Give feedback

Linux
Beta Give feedback

Windows
Beta Give feedback
@ycombinator ycombinator added documentation Improvements or additions to documentation Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels May 8, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

This was referenced May 8, 2024
Open
Open
Open
This was referenced May 8, 2024
Open
Closed
@ycombinator ycombinator assigned kaanyalti and unassigned cmacknz, blakerouse and pchila May 9, 2024
@ycombinator
Copy link
Contributor Author

cc: @kilfoyle

@kilfoyle
Copy link
Contributor

Thanks for opening this @ycombinator! I like the organization. Once we have all the pre-requisites info I can add a table into the docs mapping each function to the pre-requisite(s) associated with using it in unprivileged mode.

I'm thinking that we can also have a troubleshooting section with something like:

  • a list of possible error messages
  • for each message, a brief explanation of what it indicates: i.e., that the prerequisite for running Function X in unprivileged mode isn't satisfied
  • a link back to the "function to pre-requisites" table mentioned above

And thanks @kaanyalti for taking this one on!

@ycombinator ycombinator mentioned this issue May 22, 2024
Open
2 tasks
@ycombinator
Copy link
Contributor Author

In #4125 (comment), @kilfoyle said:

@kaanyalti I think the "pre-requisites and gotchas" could go in tables like these, but we can update the format once the list becomes more clear.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kaanyalti kaanyalti

Labels
documentation Improvements or additions to documentation Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@ycombinator @cmacknz @blakerouse @elasticmachine @kaanyalti @kilfoyle @pchila