I am having an issue with elastic-agent-complete:8.16.1.
We use self-signed certs on many of the internal sites we monitor, so I have to add these certs to the nssdb; however, they need to be chown'd to elastic-agent:elastic-agent for them to be used by the browser agent. This worked well for elastic-agent-complete:<8.16.0. However, starting with 8.16.0, elastic-agent appears to chown everything in /usr/share/elastic-agent to root:root on startup, which breaks the certs in the nssdb (I'm running as root:root). In this particular situation, I don't have the option to build the certs and nssdb into the image, so I need to run as root:root in order to update the image cert store.
When I build my updated cert store and appropriately chown everything in an initContainer, then run my agent as elastic-agent, it won't start because it can't write the agent.lock file.
If I stand up a new instance that has NEVER run as root, I get the error that the agent is not able to create /usr/share/elastic-agent/state/data.
The ONLY thing I haven't tried to resolve this so far is to mount the agent-data share in my init container and do chown -R 1000:1000 ....
PS
I'm deploying through the Elastic Operator (ECK) using a deployment, if any of this makes a difference.